Compliance Management, Incident Response, Privacy, TDR

NSA hacks system admins to gain access through gatekeepers, leaks reveal

After collecting the email or social media accounts of system admins, the National Security Agency (NSA) uses its arsenal of surveillance tools to hack these network gatekeepers, leaks reveal.

On Thursday, The Intercept published the leaked documents obtained from whistleblower Edward Snowden, along with a coinciding article detailing the surveillance tactics.

The leaks were gleaned from an internal discussion board – posts from 2010 that were hosted on NSA's classified servers, the outlet revealed. The unnamed author of the posts (an NSA official), detailed the hacking exploits which targeted system administrators working for foreign phone and internet companies.

By targeting the admins who hold the “keys to the kingdom,” NSA was able to target login credentials, network maps, customer lists and other data normally accessed by admins, The Intercept reported.

Leaks detailed the process used by NSA to hack system admins.

First, the agency collected admins' IP addresses, then it ran the identifiers throughout its mass collection of signals intelligence data, or SIGINT, to match the address with users' personal accounts. With a positive email or Facebook account match, the NSA was then able to masquerade as a Facebook server to deliver malware to targets.

“The Snowden files reveal that the QUANTUM methods have been used to secretly inject surveillance malware into a Facebook page by sending malicious NSA data packets that appear to originate from a genuine Facebook server,” the article said. “This method tricks a target's computer into accepting the malicious packets, allowing the NSA to infect the targeted computer with a malware 'implant' and gain unfettered access to the data stored on its hard drive.”

Unavailable in the leaks, is an explanation of how the practice employs safeguards for American system admins working for foreign networks, which may fall in NSA's target list.

On Friday, Julian Waits Sr., CEO of ThreatTrack Security, a Clearwater, Fla.-based firm that helps organizations identify and thwart advanced attacks, told via email that “anytime our government does something that impedes a legitimate business' right to privacy, it's no better than the bad guys.”

Waits added that, without cause, the agency is “wrong” for its actions, if the allegations are true.

“Once a network administrator's credentials have been compromised, the sky's the limit in terms of what can be ascertained about a given environment's assets and information,” Waits said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.