NSA targets sysadmin personal accounts to exploit networks

The latest revelation from the cache of Snowden documents shows that the NSA targets sysadmins to gain access to the infrastructure that they are responsible for.
Written by Chris Duckett, Contributor

System administrators who are not themselves targets of NSA surveillance are being targeted by the American spy agency because of their access to networks that the NSA wishes to enter.

As reported by The Intercept, the NSA looks to track down the personal email and Facebook accounts of sysadmins to infiltrate networks and the data they carry.

"Sys admins are a means to an end," states the latest document from Snowden, entitled "I Hunt Sys Admins".

"Upfront, sysadmins generally are not my end target. My end target is the extremist/terrorist or government official that happens to be using the network some admin takes care of."

The document details its author's technique, whose name has been suppressed by The Intercept, for targeting suspected system administrators in order to gain access to infrastructure via the NSA's QUANTUM program, which uses malware and sometimes physical transmitters placed in hardware to return information to the NSA, even if the targeted computer is not networked.

For sysadmins that are still using Telnet, the NSA has a tool called DISCOROUTE that is "specially designed to suck up and database router configuration files seen in passively collected Telnet sessions". By looking at the whitelisted IP address in the access list of the router's configuration, the author explains that they then look for any logins to Hotmail, Yahoo, Facebook, and other monitored services in the recent past to create a "probable list of personal accounts" for sysadmins controlling a network that the NSA wants to access. At this point, QUANTUM is engaged and the NSA can then "proceed with pwnage".
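A defender-side audit of the exposure described above, as an added example that is not from the article or any NSA tooling: it parses a constructed Cisco-IOS-style running config, flags vty lines that still accept Telnet, and lists the hosts their access-class whitelists, which is exactly what a passive observer of such a Telnet session would learn. The config and the IOS-style command syntax are assumptions for the example.

```python
"""Audit a Cisco-IOS-style running config for the exposure the article describes:
Telnet-enabled vty lines, plus the admin hosts that their access-class whitelists.
Added example with a constructed config; not from the article or any real device."""
import re

# Constructed sample running config (not a real device's configuration).
SAMPLE_CONFIG = """\
access-list 10 permit 192.0.2.10
access-list 10 permit 198.51.100.7
access-list 10 deny   any
!
line vty 0 4
 access-class 10 in
 transport input telnet ssh
line vty 5 15
 access-class 10 in
 transport input ssh
"""

def parse_acl_permits(config: str) -> dict:
    """Map standard ACL number/name -> permitted source hosts."""
    permits = {}
    for m in re.finditer(r"^access-list (\S+) permit (\S+)", config, re.M):
        permits.setdefault(m.group(1), []).append(m.group(2))
    return permits

def parse_vty_lines(config: str) -> list:
    """One dict per 'line vty' block: its range, access-class and transports."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = {"line": raw[len("line "):], "access_class": None, "transports": []}
            blocks.append(current)
        elif current is not None and raw.startswith(" "):
            words = raw.split()
            if words[0] == "access-class":
                current["access_class"] = words[1]
            elif words[:2] == ["transport", "input"]:
                current["transports"] = words[2:]
        else:
            current = None  # any other top-level line ends the vty block
    return blocks

def audit_telnet_exposure(config: str) -> list:
    """Findings: vty lines that accept Telnet, with the whitelisted admin hosts
    a passive observer of one of those Telnet sessions would learn."""
    permits = parse_acl_permits(config)
    return [{"line": v["line"], "exposed_admin_hosts": permits.get(v["access_class"], [])}
            for v in parse_vty_lines(config) if {"telnet", "all"} & set(v["transports"])]
```

The fix for a flagged line is `transport input ssh` on every vty, so that neither the login nor the config is ever carried in cleartext.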

Taking the program a step further, the author outlines a system where all the DISCOROUTE data could be used to create an address book that pairs up networks with personal accounts of system administrators to exploit.

"As soon as one of those networks becomes a target, all TAO has to do is query the database, see if we have any admins pre-identified for that network, and, if we do, automatically queue up tasking and go-go-CNE [computer network exploitation]" said the document.

"All of this can be done by tweaking the data that we already have at our fingertips!!!"

SSH offers some protection against NSA monitoring: unlike Telnet, passively monitoring a connection does not let the NSA view the contents of the traffic between a server and a sysadmin's machine. But the author details a process based on monitoring the length of SSH sessions to determine the IP address of a potential system administrator: a session in which the login fails will in most cases be shorter than a successful connection in which the sysadmin is performing tasks on the server.

"You can guesstimate whether an SSH session was successful or not purely based off of the size of the session in the server-to-client direction."

Since passive monitoring of communications allows the NSA to know the IP address of the machines attempting to connect to a server, the NSA can then use that IP address as a selector to search other NSA data and look for any social or email service logins.

"If a server IP is ever in a network that I want access to, I don't have to decrypt the admin's SSH session; all I have to do is hope he checked his Facebook/webmail within a certain timeframe of SSH'ing to the server. If he did, that selector is now tasked for QUANTUM, and we wait to get access to his box."

The author goes on to describe how hacking large routers, such as those sold by Cisco, Juniper, and Huawei, has been used by spying agencies in the US, the UK, New Zealand, Canada, and Australia for some time, but other, unnamed nation states are starting to get in on the action.

The rest of the document has been removed by The Intercept, which said it was redacted to "prevent helping countries improve their ability to hack foreign routers and spy on people undetected".
