National Security Agency (NSA)
May 6, 2019 – Symantec determines China used the same NSA hacking tools that were later dumped by the Shadow Brokers
“Chinese intelligence agents acquired National Security Agency hacking tools and repurposed them in 2016 to attack American allies and private companies in Europe and Asia, a leading cybersecurity firm has discovered. The episode is the latest evidence that the United States has lost control of key parts of its cybersecurity arsenal.
Based on the timing of the attacks and clues in the computer code, researchers with the firm Symantec believe the Chinese did not steal the code but captured it from an N.S.A. attack on their own computers — like a gunslinger who grabs an enemy’s rifle and starts blasting away.
The Chinese action shows how proliferating cyberconflict is creating a digital wild West with few rules or certainties, and how difficult it is for the United States to keep track of the malware it uses to break into foreign networks and attack adversaries’ infrastructure.
The losses have touched off a debate within the intelligence community over whether the United States should continue to develop some of the world’s most high-tech, stealthy cyberweapons if it is unable to keep them under lock and key.
The Chinese hacking group that co-opted the N.S.A.’s tools is considered by the agency’s analysts to be among the most dangerous Chinese contractors it tracks, according to a classified agency memo reviewed by The New York Times. The group is responsible for numerous attacks on some of the most sensitive defense targets inside the United States, including space, satellite and nuclear propulsion technology makers.
Now, Symantec’s discovery, unveiled on Monday, suggests that the same Chinese hackers the agency has trailed for more than a decade have turned the tables on the agency.
Some of the same N.S.A. hacking tools acquired by the Chinese were later dumped on the internet by a still-unidentified group that calls itself the Shadow Brokers and used by Russia and North Korea in devastating global attacks, although there appears to be no connection between China’s acquisition of the American cyberweapons and the Shadow Brokers’ later revelations.
But Symantec’s discovery provides the first evidence that Chinese state-sponsored hackers acquired some of the tools months before the Shadow Brokers first appeared on the internet in August 2016. (Read more: The New York Times, 5/06/2019)
February 25, 2016 – The Obama administration is set to expand sharing data that the NSA intercepts
“The Obama administration is on the verge of permitting the National Security Agency to share more of the private communications it intercepts with other American intelligence agencies without first applying any privacy protections to them, according to officials familiar with the deliberations.
The change would relax longstanding restrictions on access to the contents of the phone calls and email the security agency vacuums up around the world, including bulk collection of satellite transmissions, communications between foreigners as they cross network switches in the United States, and messages acquired overseas or provided by allies.
The idea is to let more experts across American intelligence gain direct access to unprocessed information, increasing the chances that they will recognize any possible nuggets of value. That also means more officials will be looking at private messages — not only foreigners’ phone calls and emails that have not yet had irrelevant personal information screened out, but also communications to, from, or about Americans that the N.S.A.’s foreign intelligence programs swept in incidentally.
Civil liberties advocates criticized the change, arguing that it will weaken privacy protections. They said the government should disclose how much American content the N.S.A. collects incidentally — which agency officials have said is hard to measure — and let the public debate what the rules should be for handling that information.
“Before we allow them to spread that information further in the government, we need to have a serious conversation about how to protect Americans’ information,” said Alexander Abdo, an American Civil Liberties Union lawyer.
Robert S. Litt, the general counsel in the office of the Director of National Intelligence, said that the administration had developed and was fine-tuning what is now a 21-page draft set of procedures to permit the sharing. (Read more: New York Times, 2/25/2016)
February 19, 2019 – ODNI and NSA impede lawmakers’ review of Obama admin ‘unmasking’ requests
The Office of the Director of National Intelligence and the National Security Agency still have not granted access to Republican lawmakers to review hundreds of unmasking requests made on Americans by Senior Obama Administration officials, SaraACarter.com has learned.
Despite an order from President Trump more than a year ago, ranking member Rep. Devin Nunes, R-CA, on the House Permanent Select Committee on Intelligence said his committee has been stymied in its investigation into the unmasking requests that rocked Washington D.C. when discovered in 2017.
The ODNI and NSA were ordered by President Trump to make available the highly classified documents for congressional review. In order to make those classified documents available the ODNI needed to set up a secured repository for lawmakers on the committee to review the documents, added Nunes.
Ordinarily, Americans’ names are redacted or minimized by the NSA before being shared with outside intelligence sources. The names of Americans in these communications with foreign persons are considered highly classified and are rarely unmasked. However, it was discovered that many senior officials in the Obama Administration unmasked more frequently than previous administrations. In some cases the names were unmasked, in other cases they were specific enough that the American’s identity was easily ascertained, intelligence sources had told this reporter.
“The NSA and ODNI were to put in safeguards – a repository so we could go and review (the documents) – they have yet to do it,” said Nunes. “The president ordered them to do it more than a year ago. We have yet to see that implemented.” (Read more: Sara Carter, 2/19/2019)
December 18, 2018 – Four major blows to the credibility of the Steele dossier…why the lies in the Steele dossier matter
(…) “The continued and proven failures of the Steele dossier matter. Not only was it used in obtaining the Page FISA warrant, but was also used in intelligence-community documents provided to Obama and his administration.
Former CIA Director John Brennan has claimed he never used the dossier in the Intelligence Community assessment. That claim was later disputed by his co-author, former Director of National Intelligence James Clapper, who said on CNN that “some of the substantive content, not all of it, but some of the substantive content of the dossier, we were able to corroborate in our Intelligence Community assessment from other sources in which we had very high confidence to it.”
Former NSA Director Mike Rogers was more specific:
“In a March 5, 2018, letter to House Intelligence Committee Chairman Devin Nunes, Adm. Rogers informed the committee that a two-page summary of the dossier—described as ‘the Christopher Steele information’—was ‘added’ as an ‘appendix to the ICA [Intelligence Community Assessment] draft,’ and that consideration of that appendix was ‘part of the overall ICA review/approval process.’”
In August, Brennan did an interview with MSNBC’s Rachel Maddow that was discussed in an Epoch Times article, “Did Brennan Admit to Using Reverse Targeting to Spy on the Trump Campaign?” During that interview, Brennan repeatedly stated his knowledge of Russian contacts with U.S. citizens. Maddow pursued his conclusions from those contacts:
Maddow: While you were in office as CIA director, before you left on inauguration day, did you conclude that U.S. persons were successfully leveraged in that effort?
The look of shocked surprise on Maddow’s face was notable at Brennan’s denial that the Russians had successfully engaged Americans to obtain their goals.
The Steele dossier, written by a British national and former MI6 agent, was used by both the FBI and the CIA and a summary of the document was provided directly to Obama. And yet, for all the weight attached to this document, most of its assertions have never been proven to be factual, many have been proven to be false and it remains unverified to this day.
Which is perhaps fitting for a document that had its origination as something to be used by Hillary Clinton to challenge the election in the then-unlikely event she lost.” (Read more: The Epoch Times, 12/18/2018)
September 11, 2018 – Ex-NSA Director disputes report that Trump asked him to push back on collusion probe
Former National Security Agency Director Mike Rogers on Tuesday disputed a report published in May 2017 alleging that President Donald Trump asked him to push back against the FBI’s collusion investigation.
“I’ve never had a discussion with collusion with the president of the United States,” Rogers said at an event held at George Mason University, according to CBS News.
“I’ve never been directed to do anything, coerced — any time I had a discussion I felt I was able to say, ‘Hey, here’s my view on that.’”
The Washington Post reported May 22, 2017, that Trump separately asked Rogers and Dan Coats, the director of the office of national intelligence, to push back against the FBI’s investigation into possible collusion between the Trump campaign and Russian government.
The alleged request came after then-FBI Director James Comey testified that the bureau was investigating whether members of the Trump team conspired with the Kremlin to influence the 2016 presidential election.
Citing multiple anonymous sources, WaPo reported that Rogers refused to comply with Trump’s request. The newspaper also reported that a senior NSA official wrote a memo detailing the interaction between Trump and Rogers.” (Read more: The Daily Caller, 9/12/2018)
July 24, 2017 – Intel vets challenge ‘Russia Hack’ evidence
In a memo to President Trump, a group of former U.S. intelligence officers, including NSA specialists, cite new forensic studies to challenge the claim of the key Jan. 6 “assessment” that Russia “hacked” Democratic emails last year.
MEMORANDUM FOR: The President
FROM: Veteran Intelligence Professionals for Sanity (VIPS)
SUBJECT: Was the “Russian Hack” an Inside Job?
Forensic studies of “Russian hacking” into Democratic National Committee computers last year reveal that on July 5, 2016, data was leaked (not hacked) by a person with physical access to DNC computer. After examining metadata from the “Guccifer 2.0” July 5, 2016 intrusion into the DNC server, independent cyber investigators have concluded that an insider copied DNC data onto an external storage device.
Key among the findings of the independent forensic investigations is the conclusion that the DNC data was copied onto a storage device at a speed that far exceeds an Internet capability for a remote hack. Of equal importance, the forensics show that the copying was performed on the East coast of the U.S. Thus far, mainstream media have ignored the findings of these independent studies [see here and here].
Independent analyst Skip Folden, who retired after 25 years as the IBM Program Manager for Information Technology, US, who examined the recent forensic findings, is a co-author of this Memorandum. He has drafted a more detailed technical report titled “Cyber-Forensic Investigation of ‘Russian Hack’ and Missing Intelligence Community Disclaimers,” and sent it to the offices of the Special Counsel and the Attorney General. VIPS member William Binney, a former Technical Director at the National Security Agency, and other senior NSA “alumni” in VIPS attest to the professionalism of the independent forensic findings.
The recent forensic studies fill in a critical gap. Why the FBI neglected to perform any independent forensics on the original “Guccifer 2.0” material remains a mystery – as does the lack of any sign that the “hand-picked analysts” from the FBI, CIA, and NSA, who wrote the “Intelligence Community Assessment” dated January 6, 2017, gave any attention to forensics.” (Read more: Consortium News, 7/24/2017)
April 26, 2017 – An unsealed FISC ruling reveals systematic abuses in accessing 702 data
“A damning 99-page unsealed ruling from the FISC, dated April 26, 2017, and issued by presiding Judge Rosemary Collyer, provided further insight into additional FISA abuse engaged in by the Intelligence Community in relation to Section 702 data and minimization procedures.
Section 702 permits the government to surveil foreign persons located outside the United States for the purpose of acquiring foreign intelligence information. Minimization procedures are intended to protect any U.S. person’s information that is incidentally acquired in the course of Section 702 collection.
The FISA court found that the government had been engaging in a long pattern of significant abuses that were revealed to the court by then-National Security Agency Director Adm. Mike Rogers.
“On October 24, 2016, the government orally apprised the Court of significant non-compliance with the NSA’s minimization procedures involving queries of data acquired under Section 702 using U.S. person identifiers. The full scope of non-compliant querying practices had not been previously disclosed to the Court,” the FISC ruling read.
The court noted the government’s failure to previously notify the court of these issues, referring to the government’s actions as exhibiting an institutional “lack of candor” while emphasizing that “this is a very serious Fourth Amendment issue.”
The litany of abuses described in the April 26, 2017, ruling was shocking and detailed the use of private contractors by the FBI in relation to Section 702 data. The FBI was specifically singled out by the FISC numerous times in the ruling:
“The improper access previously afforded the contractors has been discontinued. The Court is nonetheless concerned about the FBI’s apparent disregard of minimization rules and whether the FBI may be engaging in similar disclosures of raw Section 702 information that have not been reported.”
The FISA process has been the target of ongoing abuse from various elements within the intelligence community, and the processes and procedures that we have been told protect us appear to be routinely compromised at will.
As a result of the April 2017 FISC ruling, changes to the FISA process have been made. Nevertheless, a complete re-examination of the entire FISA system appears to be not only warranted, but perhaps necessary.” (Read more: Epoch Times, 2/11/2019)
December 12, 2016 – US Intel vets dispute Russia hacking claims because the evidence should be there and is absent
“As the hysteria about Russia’s alleged interference in the U.S. election grows, a key mystery is why U.S. intelligence would rely on “circumstantial evidence” when it has the capability for hard evidence, say U.S. intelligence veterans.
Veteran Intelligence Professionals for Sanity
Allegations of Hacking Election Are Baseless
A New York Times report alluding to “overwhelming circumstantial evidence” leading the CIA to believe that Russian President Vladimir Putin “deployed computer hackers with the goal of tipping the election to Donald J. Trump” is, sadly, evidence-free. This is no surprise, because harder evidence of a technical nature points to an inside leak, not hacking – by Russians or anyone else.
Monday’s Washington Post reports that Sen. James Lankford, R-Oklahoma, a member of the Senate Intelligence Committee, has joined other senators in calling for a bipartisan investigation of suspected cyber-intrusion by Russia. Reading our short memo could save the Senate from endemic partisanship, expense and unnecessary delay.
In what follows, we draw on decades of senior-level experience – with emphasis on cyber-intelligence and security – to cut through uninformed, largely partisan fog. Far from hiding behind anonymity, we are proud to speak out with the hope of gaining an audience appropriate to what we merit – given our long labors in government and other areas of technology. And corny though it may sound these days, our ethos as intelligence professionals remains, simply, to tell it like it is – without fear or favor.
We have gone through the various claims about hacking. For us, it is child’s play to dismiss them. The email disclosures in question are the result of a leak, not a hack. Here’s the difference between leaking and hacking:
Leak: When someone physically takes data out of an organization and gives it to some other person or organization, as Edward Snowden and Chelsea Manning did.
Hack: When someone in a remote location electronically penetrates operating systems, firewalls or any other cyber-protection system and then extracts data.
All signs point to leaking, not hacking. If hacking were involved, the National Security Agency would know it – and know both sender and recipient.
In short, since leaking requires physically removing data – on a thumb drive, for example – the only way such data can be copied and removed, with no electronic trace of what has left the server, is via a physical storage device.
Awesome Technical Capabilities
Again, NSA is able to identify both the sender and recipient when hacking is involved. Thanks largely to the material released by Edward Snowden, we can provide a full picture of NSA’s extensive domestic data-collection network including Upstream programs like Fairview, Stormbrew and Blarney. These include at least 30 companies in the U.S. operating the fiber networks that carry the Public Switched Telephone Network as well as the World Wide Web. This gives NSA unparalleled access to data flowing within the U.S. and data going out to the rest of the world, as well as data transiting the U.S.
In other words, any data that is passed from the servers of the Democratic National Committee (DNC) or of Hillary Rodham Clinton (HRC) – or any other server in the U.S. – is collected by the NSA. These data transfers carry destination addresses in what are called packets, which enable the transfer to be traced and followed through the network.
Packets: Emails being passed across the World Wide Web are broken down into smaller segments called packets. These packets are passed into the network to be delivered to a recipient. This means the packets need to be reassembled at the receiving end.
To accomplish this, all the packets that form a message are assigned an identifying number that enables the receiving end to collect them for reassembly. Moreover, each packet carries the originator and ultimate receiver Internet protocol number (either IPV4 or IPV6) that enables the network to route data.
When email packets leave the U.S., the other “Five Eyes” countries (the U.K., Canada, Australia, and New Zealand) and the seven or eight additional countries participating with the U.S. in bulk-collection of everything on the planet would also have a record of where those email packets went after leaving the U.S.
These collection resources are extensive [see attached NSA slides 1, 2, 3, 4, 5]; they include hundreds of trace route programs that trace the path of packets going across the network and tens of thousands of hardware and software implants in switches and servers that manage the network. Any emails being extracted from one server going to another would be, at least in part, recognizable and traceable by all these resources.
The bottom line is that the NSA would know where and how any “hacked” emails from the DNC, HRC or any other servers were routed through the network. This process can sometimes require a closer look into the routing to sort out intermediate clients, but in the end sender and recipient can be traced across the network.
The various ways in which usually anonymous spokespeople for U.S. intelligence agencies are equivocating – saying things like “our best guess” or “our opinion” or “our estimate” etc. – shows that the emails alleged to have been “hacked” cannot be traced across the network. Given NSA’s extensive trace capability, we conclude that DNC and HRC servers alleged to have been hacked were, in fact, not hacked.
The evidence that should be there is absent; otherwise, it would surely be brought forward, since this could be done without any danger to sources and methods. Thus, we conclude that the emails were leaked by an insider – as was the case with Edward Snowden and Chelsea Manning. Such an insider could be anyone in a government department or agency with access to NSA databases, or perhaps someone within the DNC.” (Read more: Consortium News, December 12, 2016)
October 20, 2016 – The Uncovering – Mike Rogers’ Investigation, Section 702 FISA Abuse & the FBI
(…) “On January 7, 2016, the NSA Inspector General, George Ellard, released a report on NSA Controls & FISA compliance. Starting on page ii:
Agency controls for monitoring query compliance have not been completely developed.
The Agency has no process to reliably identify queries performed using selectors associated with 704 and 705(b) targets.
The rest of the highlights are fully redacted. But more information lay within the report (pages 6-7):
We identified another [redacted] queries that were performed outside the targeting authorization periods in E.O. 12333 data, which is prohibited by the E.O. 12333 minimization procedures. We also identified queries performed using USP selectors in FAA §702 upstream data, which is prohibited by the FAA §702 minimization procedures.
Downstream collection involves the government acquiring data from the companies providing service to the user – like Google or Facebook.
However, some Section 702 collection is obtained via “upstream” collection.
In simple parlance, upstream collection means the NSA accesses the high capacity fiber optic cables that carry Internet traffic and copies all the data flowing through those cables.
The agency is then supposed to filter out any “wholly domestic” communications that are between Americans located in the U.S.
Data collected “incidentally” on U.S. Citizens is generally not destroyed. It is minimized. As we will see later, this became a problem.
Intelligence Agencies can then search the data using “To”, “From” or “About” queries on a target of Section 702 collection.
“About” queries are particularly worrisome.
They occur when the target is neither the sender nor the recipient of the collected communication – but the target’s selector, such as an email address, is being passed between two other communicants.
For more information, see FISA Surveillance – Title I & III and Section 702.”
(…) “About” queries were abruptly halted by NSA Director Mike Rogers on October 20, 2016. This was formally announced by the NSA on April 28, 2017.
The events leading to this decision are described in this post.
Which brings us to a table from the Inspector General’s Report.
Table 3 (page 7) shows four types of violations. The most frequent violation – 5.2% of the total – came from Section 702 upstream “About” queries.
The Inspector General’s Report is heavily redacted – but even a casual reading indicates there were significant compliance and control issues within the NSA regarding the use of Section 702 data.
It’s unclear if NSA Director Rogers discovered the 702 violations and reported them in early 2015, or if it was the Inspector General who found them. Either way, Rogers became aware of Section 702 violations sometime in 2015.
Following NSA Inspector General Ellard’s report, Rogers implemented a tightening of internal rules at the NSA.
However, the NSA Inspector General’s report and Rogers’ tightening of internal rules did not halt the Query Compliance Problems.
Outside Agencies – specifically the DOJ’s National Security Division and the FBI’s Counterintelligence Division – were still routinely violating Section 702 procedures.
In 2015, DOJ Inspector General Michael Horowitz (not to be confused with NSA IG Ellard) specifically requested oversight of the National Security Division. Deputy Attorney General Sally Yates responded with a 58-page Memorandum that effectively told the Inspector General to go pound sand.
As noted earlier, John Carlin was the Head of the DOJ’s National Security Division and was responsible for filing the Government’s proposed 2016 Section 702 certifications.
This filing would be subject to intense criticism from the FISA Court following disclosures made by NSA Director Rogers. Significant changes to the handling of raw FISA data would result.
Bill Priestap remains the Head of the FBI’s Counterintelligence Division – appointed by FBI Director Comey in December 2015. See: FBI Counterintelligence Head Bill Priestap – A Cooperating Witness.”
(…) “On October 20, 2016, Rogers was briefed by the NSA compliance officer on findings from the 702 NSA compliance audit. The audit had uncovered numerous “About” Query violations (Senate testimony).
On October 21, 2016, Rogers shut down all “About Query” activity. He reported his findings to the DOJ (Senate testimony & inferences from Court Ruling).
On October 21, 2016, the DOJ & FBI seek and receive a Title I FISA probable cause order authorizing electronic surveillance on Carter Page from the FISA Court. At this point, the FISA Court is unaware of the Section 702 violations.
On October 24, 2016, Rogers verbally informed the FISA Court of his findings (Page 4 of Court Ruling). (Read more: themarketswork, 4/05/2018)
(Timeline editor’s note: Jeff Carlson at themarketswork.com has done a remarkable job of reading the fine print and highlighting key details from Senate testimony, the NSA Inspector General’s report, and the FISC report that followed NSA Director Mike Rogers’ disclosure of 702 violations. This is a snippet of Carlson’s very informative piece and he has been kind enough to allow me to post far more than what Fair Use would normally allow. Please don’t miss the rest of his easy-to-understand, in-depth report.)
October 20, 2016 – NSA director Admiral Mike Rogers requests a full NSA compliance audit of FISA-702 use
Admiral Mike Rogers became NSA director in April 2014.
Sometime in early 2016 Admiral Rogers became aware of “ongoing” and “intentional” violations of Foreign Intelligence Surveillance Act (FISA), Section 702(17) surveillance. Specifically item #17 which includes the unauthorized upstream data collection of U.S. individuals within NSA surveillance through the use of “About Query”.
Section 702 – Item #17 “About Queries” are specifically the collection of electronic messaging, emails and upstream phone call surveillance data of U.S. persons.
The public doesn’t discover this issue, and Director Rogers’ action, until May 2017 when we learn that Rogers told the FISA court he became aware of unlawful surveillance and collection of U.S. persons.
Put into context, with the full back-story, it appears that 2016 surveillance was the political surveillance now in the headlines; the stuff Chairman Nunes is currently questioning. The dates here are important as they tell a story.
As a result of Rogers suspecting FISA 702(17) surveillance activity was being used for reasons he deemed unlawful, in mid 2016 Rogers ordered the NSA compliance officer to run a full audit on 702 NSA compliance.
Again, 702 is basically spying on Americans; the actual “spying” part is 702. Item 17 is “About Queries”, which allows user queries or searches of content (messaging, email and phone conversations) based on any subject matter put into the search field.
The NSA compliance officer identified several strange 702 “About Queries” were being conducted. These were violations of the Fourth Amendment (search and seizure), i.e., searches, privacy violations, and surveillance without a warrant. Admiral Rogers was briefed by the compliance officer on October 20th, 2016.
Admiral Mike Rogers ordered the “About Query” activity to stop, reported the activity to the DOJ, and then went to the FISA court.
On October 26th, 2016, full FISA court assembled, NSA Director Rogers personally informed the court of the 702(17) violations. Additionally, and as an outcome of the NSA system’s inability to guarantee integrity, Rogers also stopped “About Query” permanently.
(Things to note: ♦Note the sequencing; ♦note that Rogers, a career military person, followed the chain of command; ♦note the dates as they align with the Trump FISA application from the FBI and DOJ-NSD (i.e., early October 2016); ♦and note amid this sequence/time-line the head of DOJ-National Security Division, John P Carlin, resigns.)
At the same time Christopher Steele was assembling his dossier information (May-October 2016), the NSA compliance officer was conducting an internal FISA-702 review as initiated by NSA Director Mike Rogers.
The NSA compliance officer briefed Admiral Mike Rogers on October 20th 2016.
On October 26th 2016, Admiral Rogers informed the FISA Court of numerous unauthorized FISA-702(17) “About Query” violations.
Subsequent to that FISC notification Mike Rogers stopped all FISA-702(17) “About Queries” permanently. They are no longer permitted.
Pg 83. “FBI gave raw Section 702–acquired information to a private entity that was not a federal agency and whose personnel were not sufficiently supervised by a federal agency for compliance minimization procedures.”
Please pay close attention to this section, pg 84, (Note the date April 18th):
Notice how it was FBI “private contractors” that were conducting the unauthorized FISA-702 Queries via access to information on FBI storage systems.
We have been tipped off that one of the FBI contractors in question was, unbelievably, Fusion-GPS.
It is almost certain this early 2016 series of FISA-702 compliance violations was the origin of NSA Director Admiral Mike Rogers’ concern.
Mike Rogers’ discovery becomes the impetus for him to request the 2016 full NSA compliance audit of FISA-702 use. It appears Fusion-GPS was the FBI contracted user identified in the final FISA court opinion/ruling on page 83.
Note the dates from the FISC opinion (above) – As soon as the FBI discovered Mike Rogers was looking at the searches, the FBI discontinued allowing their sub-contractor access to the raw FISA information. Effective April 18th, 2016.” (Read much more: Conservative Treehouse, 1/11/2018)
(Republished with special permission.)