NSA targets sysadmin personal accounts to exploit networks

Summary: The latest revelation from the cache of Snowden documents shows that the NSA targets sysadmins to gain access to the infrastructure that they are responsible for.

System administrators who are not themselves targets of NSA surveillance are being targeted by the American spy agency because of their access to networks the NSA wishes to enter.

As reported by The Intercept, the NSA looks to track down the personal email and Facebook accounts of sysadmins to infiltrate networks and the data they carry.

"Sys admins are a means to an end," states the latest document from Snowden, entitled "I Hunt Sys Admins".

"Upfront, sysadmins generally are not my end target. My end target is the extremist/terrorist or government official that happens to be using the network some admin takes care of."

The document details its author's technique, whose name has been suppressed by The Intercept, for targeting suspected system administrators in order to gain access to infrastructure via the NSA's QUANTUM program, which uses malware and sometimes physical transmitters placed in hardware to return information to the NSA, even if the targeted computer is not networked.

For sysadmins that are still using Telnet, the NSA has a tool called DISCOROUTE that is "specially designed to suck up and database router configuration files seen in passively collected Telnet sessions". By looking at the whitelisted IP addresses in the access list of the router's configuration, the author explains, they then look for any logins to Hotmail, Yahoo, Facebook, and other monitored services in the recent past to create a "probable list of personal accounts" for sysadmins controlling a network that the NSA wants to access. At this point, QUANTUM is engaged and the NSA can then "proceed with pwnage".
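The defensive takeaway from the DISCOROUTE description is that a router configuration sent over Telnet hands an eavesdropper both the plaintext management channel and the access list naming the administrators' source addresses. The following audit script is an added example, not code from the article or the document it reports on; it parses a constructed IOS-style configuration (an assumption, not a real device) and reports each vty line that still accepts Telnet together with the whitelisted sources that session would expose.

```python
import re

# Constructed IOS-style configuration (not from the page or any real device).
# It contains exactly what a captured Telnet session would reveal: a Telnet-
# enabled management line and the ACL that whitelists the admins' addresses.
SAMPLE_CONFIG = """\
ip access-list standard MGMT-IN
 permit 198.51.100.10
 permit 203.0.113.0 0.0.0.255
line vty 0 4
 access-class MGMT-IN in
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

def parse_config(config):
    """Collect permit entries per named ACL and the settings of each vty line."""
    acls, vtys, section = {}, [], None
    for raw in config.splitlines():
        body = raw.strip()
        if not raw.startswith(" "):            # top-level command starts a section
            section = None
            m = re.match(r"ip access-list (?:standard|extended) (\S+)$", body)
            if m:
                acls[m.group(1)] = []
                section = ("acl", m.group(1))
            m = re.match(r"line vty (\d+ \d+)$", body)
            if m:
                vtys.append({"line": m.group(1), "acl": None, "transports": []})
                section = ("vty", len(vtys) - 1)
        elif section and section[0] == "acl" and body.startswith("permit "):
            acls[section[1]].append(body[len("permit "):])
        elif section and section[0] == "vty":
            vty = vtys[section[1]]
            m = re.match(r"access-class (\S+) in$", body)
            if m:
                vty["acl"] = m.group(1)
            m = re.match(r"transport input (.+)$", body)
            if m:
                vty["transports"] = m.group(1).split()
    return acls, vtys

def audit_telnet_exposure(config):
    """One finding per vty line that still accepts Telnet, listing the
    whitelisted sources a passive eavesdropper would learn from that line."""
    acls, vtys = parse_config(config)
    return [{"line": v["line"], "fix": "transport input ssh",
             "exposed_sources": acls.get(v["acl"], [])}
            for v in vtys if {"telnet", "all"} & set(v["transports"])]
```

Run against a real configuration export, every finding is a line to change to `transport input ssh`, after which the access list is no longer observable in transit.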

Taking the program a step further, the author outlines a system where all the DISCOROUTE data could be used to create an address book that pairs up networks with personal accounts of system administrators to exploit.

"As soon as one of those networks becomes a target, all TAO has to do is query the database, see if we have any admins pre-identified for that network, and, if we do, automatically queue up tasking and go-go-CNE [computer network exploitation]," said the document.

"All of this can be done by tweaking the data that we already have at our fingertips!!!"

SSH offers some protection against NSA monitoring: unlike with Telnet, the NSA cannot read the contents of traffic between a server and a sysadmin's machine by passively monitoring the connection. The author nevertheless details a process, based on the size of SSH sessions, for determining the IP address of a potential system administrator: a session in which the login fails will in most cases be far shorter than a successful connection in which the sysadmin is performing tasks on the server.

"You can guesstimate whether an SSH session was successful or not purely based off of the size of the session in the server-to-client direction."

Since passive monitoring of communications allows the NSA to know the IP address of the machines attempting to connect to a server, the NSA can then use that IP address as a selector to search other NSA data and look for any social or email service logins.

"If a server IP is ever in a network that I want access to, I don't have to decrypt the admin's SSH session; all I have to do is hope he checked his Facebook/webmail within a certain timeframe of SSH'ing to the server. If he did, that selector is now tasked for QUANTUM, and we wait to get access to his box."

The author goes on to describe how hacking large routers, such as those sold by Cisco, Juniper, and Huawei, has been used by spy agencies in the US, the UK, New Zealand, Canada, and Australia for some time, but other, unnamed nation states are starting to get in on the action.

The rest of the document has been removed by The Intercept, which said it was redacted to "prevent helping countries improve their ability to hack foreign routers and spy on people undetected".

About

Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.

Talkback

6 comments
  • Not just the NSA

    We have noticed an uptick of phishing attacks on our IT folks, even our VP of IT got hit. These hackers are doing their research.
    Rann Xeroxx
    • My thoughts, too.

      "NSA targets sysadmins to gain access to the infrastructure that they are responsible for."

      Really? In other words, the NSA is doing the same thing that 100 million other people are doing.
      William.Farrel
  • If the NSA is doing it

    Then it's highly likely that private sector hackers, to include industrial spies, are doing it too.

    Sysadmins should consider themselves warned.
    John L. Ries
  • Telnet!?

    Mr. Duckett, please confirm that Loverock-Davidson is not an alter of yours. Or vice versa. :)
    Rabid Howler Monkey
  • Is it me?

    Or is it all just getting too much? Is the Internet going to collapse under the weight of the intrigues?
    Time Agora
  • Usenet had a collapse

    Usenet went through a collapse. The spamming of the newsgroups got worse and worse and worse until it was no longer usable. There was a widespread exodus.

    There's been some recovery because some of the major servers do extensive filtering, but it's never returned to its glory days.

    But with the ever worsening spying, criminal activity, intrigue and foolery seemingly ad infinitum, is the Internet going to become unusable? Will it get so bad as to start being a hindrance rather than a help, like what happened to Usenet?
    Time Agora