OPERATION AURORAGOLD

HOW THE NSA HACKS CELLPHONE NETWORKS WORLDWIDE

 

In March 2011, two weeks before the Western intervention in Libya, a secret message was delivered to the National Security Agency. An intelligence unit within the U.S. military’s Africa Command needed help to hack into Libya’s cellphone networks and monitor text messages.

For the NSA, the task was easy. The agency had already obtained technical information about the cellphone carriers’ internal systems by spying on documents sent among company employees, and these details would provide the perfect blueprint to help the military break into the networks.

The NSA’s assistance in the Libya operation, however, was not an isolated case. It was part of a much larger surveillance program—global in its scope and ramifications—targeted not just at hostile countries.

According to documents contained in the archive of material provided to The Intercept by whistleblower Edward Snowden, the NSA has spied on hundreds of companies and organizations internationally, including in countries closely allied to the United States, in an effort to find security weaknesses in cellphone technology that it can exploit for surveillance.

The documents also reveal how the NSA plans to secretly introduce new flaws into communication systems so that they can be tapped into—a controversial tactic that security experts say could be exposing the general population to criminal hackers.

Codenamed AURORAGOLD, the covert operation has monitored the content of messages sent and received by more than 1,200 email accounts associated with major cellphone network operators, intercepting confidential company planning papers that help the NSA hack into phone networks.

One high-profile surveillance target is the GSM Association, an influential U.K.-headquartered trade group that works closely with large U.S.-based firms including Microsoft, Facebook, AT&T, and Cisco, and is currently being funded by the U.S. government to develop privacy-enhancing technologies.

Karsten Nohl, a leading cellphone security expert and cryptographer who was consulted by The Intercept about details contained in the AURORAGOLD documents, said that the broad scope of information swept up in the operation appears aimed at ensuring virtually every cellphone network in the world is NSA accessible.


“Collecting an inventory [like this] on world networks has big ramifications,” Nohl said, because it allows the NSA to track and circumvent upgrades in encryption technology used by cellphone companies to shield calls and texts from eavesdropping. Evidence that the agency has deliberately plotted to weaken the security of communication infrastructure, he added, was particularly alarming.

“Even if you love the NSA and you say you have nothing to hide, you should be against a policy that introduces security vulnerabilities,” Nohl said, “because once NSA introduces a weakness, a vulnerability, it’s not only the NSA that can exploit it.”

NSA spokeswoman Vanee’ Vines told The Intercept in a statement that the agency “works to identify and report on the communications of valid foreign targets” to anticipate threats to the United States and its allies.

Vines said: “NSA collects only those communications that it is authorized by law to collect in response to valid foreign intelligence and counterintelligence requirements—regardless of the technical means used by foreign targets, or the means by which those targets attempt to hide their communications.”

Network coverage

The AURORAGOLD operation is carried out by specialist NSA surveillance units whose existence has not been publicly disclosed: the Wireless Portfolio Management Office, which defines and carries out the NSA’s strategy for exploiting wireless communications, and the Target Technology Trends Center, which monitors the development of new communication technology to ensure that the NSA isn’t blindsided by innovations that could evade its surveillance reach. The center’s logo is a picture of the Earth overshadowed by a large telescope; its motto is “Predict – Plan – Prevent.”

The NSA documents reveal that, as of May 2012, the agency had collected technical information on about 70 percent of cellphone networks worldwide—701 of an estimated 985—and was maintaining a list of 1,201 email “selectors” used to intercept internal company details from employees. (“Selector” is an agency term for a unique identifier like an email address or phone number.) From November 2011 to April 2012, between 363 and 1,354 selectors were “tasked” by the NSA for surveillance each month as part of AURORAGOLD, according to the documents. The secret operation appears to have been active since at least 2010.

The information collected from the companies is passed on to NSA “signals development” teams that focus on infiltrating communication networks. It is also shared with other U.S. Intelligence Community agencies and with the NSA’s counterparts in countries that are part of the so-called “Five Eyes” surveillance alliance—the United Kingdom, Canada, Australia, and New Zealand.

Aside from mentions of a handful of operators in Libya, China, and Iran, names of the targeted companies are not disclosed in the NSA’s documents. However, a top-secret world map featured in a June 2012 presentation on AURORAGOLD suggests that the NSA has some degree of “network coverage” in almost all countries on every continent, including in the United States and in closely allied countries such as the United Kingdom, Australia, New Zealand, Germany, and France.


One of the prime targets monitored under the AURORAGOLD program is the London-headquartered trade group, the GSM Association, or the GSMA, which represents the interests of more than 800 major cellphone, software, and internet companies from 220 countries.

The GSMA’s members include U.S.-based companies such as Verizon, AT&T, Sprint, Microsoft, Facebook, Intel, Cisco, and Oracle, as well as large international firms including Sony, Nokia, Samsung, Ericsson, and Vodafone.

The trade organization brings together its members for regular meetings at which new technologies and policies are discussed among various “working groups.” The Snowden files reveal that the NSA specifically targeted the GSMA’s working groups for surveillance.

Claire Cranton, a spokeswoman for the GSMA, said that the group would not respond to details uncovered by The Intercept until its lawyers had studied the documents related to the spying.

“If there is something there that is illegal then they will take it up with the police,” Cranton said.

By covertly monitoring GSMA working groups in a bid to identify and exploit security vulnerabilities, the NSA has placed itself into direct conflict with the mission of the National Institute for Standards and Technology, or NIST, the U.S. government agency responsible for recommending cybersecurity standards in the United States. NIST recently handed out a grant of more than $800,000 to GSMA so that the organization could research ways to address “security and privacy challenges” faced by users of mobile devices.

The revelation that the trade group has been targeted for surveillance may reignite deep-seated tensions between NIST and NSA that came to the fore following earlier Snowden disclosures. Last year, NIST was forced to urge people not to use an encryption standard it had previously approved after it emerged NSA had apparently covertly worked to deliberately weaken it.

Jennifer Huergo, a NIST spokeswoman, told The Intercept that the agency was “not aware of any activities by NSA related to the GSMA.” Huergo said that NIST would continue to work towards “bringing industry together with privacy and consumer advocates to jointly create a robust marketplace of more secure, easy-to-use, privacy-enhancing solutions.”


Encryption attack

The NSA focuses on intercepting obscure but important technical documents circulated among the GSMA’s members known as “IR.21s.”

Most cellphone network operators share IR.21 documents among each other as part of agreements that allow their customers to connect to foreign networks when they are “roaming” overseas on a vacation or a business trip. An IR.21, according to the NSA documents, contains information “necessary for targeting and exploitation.”

The details in the IR.21s serve as a “warning mechanism” that flag new technology used by network operators, the NSA’s documents state. This allows the agency to identify security vulnerabilities in the latest communication systems that can be exploited, and helps efforts to introduce new vulnerabilities “where they do not yet exist.”

The IR.21s also contain details about the encryption used by cellphone companies to protect the privacy of their customers’ communications as they are transmitted across networks. These details are highly sought after by the NSA, as they can aid its efforts to crack the encryption and eavesdrop on conversations.

Last year, the Washington Post reported that the NSA had already managed to break the most commonly used cellphone encryption algorithm in the world, known as A5/1. But the information collected under AURORAGOLD allows the agency to focus on circumventing newer and stronger versions of A5 cellphone encryption, such as A5/3.

The documents note that the agency intercepts information from cellphone operators about “the type of A5 cipher algorithm version” they use, and monitors the development of new algorithms in order to find ways to bypass the encryption.

In 2009, the British surveillance agency Government Communications Headquarters conducted a similar effort to subvert phone encryption under a project called OPULENT PUP, using powerful computers to perform a “crypt attack” to penetrate the A5/3 algorithm, secret memos reveal. By 2011, GCHQ was collaborating with the NSA on another operation, called WOLFRAMITE, to attack A5/3 encryption. (GCHQ declined to comment for this story, other than to say that it operates within legal parameters.)

The extensive attempts to attack cellphone encryption have been replicated across the Five Eyes surveillance alliance. Australia’s top spy agency, for instance, infiltrated an Indonesian cellphone company and stole nearly 1.8 million encryption keys used to protect communications, the New York Times reported in February.

The NSA’s documents show that it focuses on collecting details about virtually all technical standards used by cellphone operators, and the agency’s efforts to stay ahead of the technology curve occasionally yield significant results. In early 2010, for instance, its operatives had already found ways to penetrate a variant of the newest “fourth generation” smartphone-era technology for surveillance, years before it became widely adopted by millions of people in dozens of countries.

The NSA says that its efforts are targeted at terrorists, weapons proliferators, and other foreign targets, not “ordinary people.” But the methods used by the agency and its partners to gain access to cellphone communications risk significant blowback.

According to Mikko Hypponen, a security expert at Finland-based F-Secure, criminal hackers and foreign government adversaries could be among the inadvertent beneficiaries of any security vulnerabilities or encryption weaknesses inserted by the NSA into communication systems using data collected by the AURORAGOLD project.

“If there are vulnerabilities on those systems known to the NSA that are not being patched on purpose, it’s quite likely they are being misused by completely other kinds of attackers,” said Hypponen. “When they start to introduce new vulnerabilities, it affects everybody who uses that technology; it makes all of us less secure.”


In December, a surveillance review panel convened by President Obama concluded that the NSA should not “in any way subvert, undermine, weaken, or make vulnerable generally available commercial software.” The panel also recommended that the NSA should notify companies if it discovers previously unknown security vulnerabilities in their software or systems—known as “zero days” because developers have been given zero days to fix them—except in rare cases involving “high priority intelligence collection.”

In April, White House officials confirmed that Obama had ordered NSA to disclose vulnerabilities it finds, though qualified that with a loophole allowing the flaws to be secretly exploited so long as there is deemed to be “a clear national security or law enforcement” use.

Vines, the NSA spokeswoman, told The Intercept that the agency was committed to ensuring an “open, interoperable, and secure global internet.”

“NSA deeply values these principles and takes great care to honor them in the performance of its lawful foreign-intelligence mission,” Vines said.

She declined to discuss the tactics used as part of AURORAGOLD, or comment on whether the operation remains active.

BY RYAN GALLAGHER

ISIS Offers Cash Rewards for Foreign Spies

Offers $5,000 for Anyone Collaborating With US

With foreign airstrikes becoming an increasing problem in ISIS territory, the Islamist group’s leadership is stepping up efforts to track down spies working for the US and its allies.

Today, ISIS announced it is offering $5,000 to anyone who can capture an informant or provide information leading to such a capture. Fliers announcing the deal have been reported around ISIS territory in Syria.

While they will no doubt eagerly take any spies for foreign powers, the effort seems aimed in particular at finding the spotters on the ground helping US warplanes pick out targets to bomb.

Such efforts are risky. Early in the US occupation of Afghanistan they offered similar cash-for-enemies campaigns, and it fueled a rash of kidnappings by people hoping to profit from the scheme. It is unclear how ISIS will verify that the captives are actually spies.

by Jason Ditz

State Dept ‘Won’t Deny’ Reports of Massive Israeli Spying

Israeli Intelligence Minister Insists Story Aims to Harm US-Israel Ties

Questioned on growing media reports of Israel’s “unrivaled and unseemly” mass spying on the United States, the US State Department has conspicuously insisted they will neither confirm nor deny anything related to the story.

US officials were quoted in the Israeli press saying that the Obama Administration was deliberately avoiding making any comments because it doesn’t want to “make a habit” of responding to media reports of foreign spying.

Newsweek’s Jeff Stein broke the story earlier this month, leading to furious Israeli condemnations, along with blanket denials of doing any spying at all inside the United States.

Intelligence Minister Yuval Steinitz insisted that the story is a “malicious” effort to intentionally jeopardize US-Israel relations. He reiterated the denials of any truth to the story.

by Jason Ditz

 

The Spy Files

WikiLeaks: The Spy Files

Mass interception of entire populations is not only a reality, it is a secret new industry spanning 25 countries

It sounds like something out of Hollywood, but as of today, mass interception systems, built by Western intelligence contractors, including for ’political opponents’, are a reality. Today WikiLeaks began releasing a database of hundreds of documents from as many as 160 intelligence contractors in the mass surveillance industry. Working with Bugged Planet and Privacy International, as well as media organizations from six countries – ARD in Germany, The Bureau of Investigative Journalism in the UK, The Hindu in India, L’Espresso in Italy, OWNI in France and the Washington Post in the U.S. – WikiLeaks is shining a light on this secret industry that has boomed since September 11, 2001 and is worth billions of dollars per year. WikiLeaks has released 287 documents today, but the Spy Files project is ongoing and further information will be released this week and into next year.

International surveillance companies are based in the more technologically sophisticated countries, and they sell their technology on to every country of the world. This industry is, in practice, unregulated. Intelligence agencies, military forces and police authorities are able to silently, en masse, and secretly intercept calls and take over computers without the help or knowledge of the telecommunication providers. Users’ physical location can be tracked if they are carrying a mobile phone, even if it is only on standby.

But the WikiLeaks Spy Files are more than just about ’good Western countries’ exporting to ’bad developing world countries’. Western companies are also selling a vast range of mass surveillance equipment to Western intelligence agencies. In traditional spy stories, intelligence agencies like MI5 bug the phone of one or two people of interest. In the last ten years systems for indiscriminate, mass surveillance have become the norm. Intelligence companies such as VASTech secretly sell equipment to permanently record the phone calls of entire nations. Others record the location of every mobile phone in a city, down to 50 meters. Systems to infect every Facebook user, or smart-phone owner of an entire population group are on the intelligence market.

Selling Surveillance to Dictators

When citizens overthrew the dictatorships in Egypt and Libya this year, they uncovered listening rooms where devices from Gamma corporation of the UK, Amesys of France, VASTech of South Africa and ZTE Corp of China monitored their every move online and on the phone.

Surveillance companies like SS8 in the U.S., Hacking Team in Italy and Vupen in France manufacture viruses (Trojans) that hijack individual computers and phones (including iPhones, Blackberries and Androids), take over the device, record its every use, movement, and even the sights and sounds of the room it is in. Other companies like Phoenexia in the Czech Republic collaborate with the military to create speech analysis tools. They identify individuals by gender, age and stress levels and track them based on ‘voiceprints’. Blue Coat in the U.S. and Ipoque in Germany sell tools to governments in countries like China and Iran to prevent dissidents from organizing online.

Trovicor, previously a subsidiary of Nokia Siemens Networks, supplied the Bahraini government with interception technologies that tracked human rights activist Abdul Ghani Al Khanjar. He was shown details of personal mobile phone conversations from before he was interrogated and beaten in the winter of 2010-2011.

How Mass Surveillance Contractors Share Your Data with the State

In January 2011, the National Security Agency broke ground on a $1.5 billion facility in the Utah desert that is designed to store terabytes of domestic and foreign intelligence data forever and process it for years to come.

Telecommunication companies are forthcoming when it comes to disclosing client information to the authorities – no matter the country. Headlines during August’s unrest in the UK exposed how Research in Motion (RIM), makers of the Blackberry, offered to help the government identify their clients. RIM has been in similar negotiations to share BlackBerry Messenger data with the governments of India, Lebanon, Saudi Arabia, and the United Arab Emirates.

Weaponizing Data Kills Innocent People

There are commercial firms that now sell special software that analyzes this data and turns it into powerful tools that can be used by military and intelligence agencies.

For example, in military bases across the U.S., Air Force pilots use a video link and joystick to fly Predator drones to conduct surveillance over the Middle East and Central Asia. This data is available to Central Intelligence Agency officials who use it to fire Hellfire missiles on targets.

The CIA officials have bought software that allows them to match phone signals and voice prints instantly and pinpoint the specific identity and location of individuals. Intelligence Integration Systems, Inc., based in Massachusetts, sells a “location-based analytics” software called Geospatial Toolkit for this purpose. Another Massachusetts company named Netezza, which bought a copy of the software, allegedly reverse engineered the code and sold a hacked version to the Central Intelligence Agency for use in remotely piloted drone aircraft.

IISI, which says that the software could be wrong by a distance of up to 40 feet, sued Netezza to prevent the use of this software. Company founder Rich Zimmerman stated in court that his “reaction was one of stun, amazement that they (CIA) want to kill people with my software that doesn’t work.”

Orwell’s World

Across the world, mass surveillance contractors are helping intelligence agencies spy on individuals and ‘communities of interest’ on an industrial scale.

The WikiLeaks Spy Files reveal the details of which companies are making billions selling sophisticated tracking tools to government buyers, flouting export rules, and turning a blind eye to dictatorial regimes that abuse human rights.
