June 4, 2026

New details from the Snowden files found by the Libroot collective



More than 12 years after the start of the Snowden revelations in June 2013, there are still new details to be found in the ca. 1200 highly classified documents that have been released to the public.

The latest finds are the result of mostly technical analysis conducted by a collective called Libroot. Since December last year, they have been publishing the results in a series of postings on their website.




The Libroot collective

The new results from analyzing the Snowden documents are published on the website Libroot.org, which is aimed at "spying back" at the NSA under the motto "surveillance in the crosshairs".

It's not known who is behind the Libroot website, but they describe themselves as "a collective focused on exposing and resisting surveillance and oppressive digital infrastructures. We create tools, research, and archives that defend digital autonomy." Libroot works on various projects, some of which are published on their website.

One of their projects is called "Going Through Snowden Documents", for which the Libroot collective "systematically reviews each available document with particular attention to small details and information that has received little or no public attention since the initial 2013 disclosures."



Going Through Snowden Documents

So far, "Going Through Snowden Documents" has resulted in seven postings, which are summarized below (when new postings appear, they will be added). The titles of these summaries link to the original postings on the Libroot website. Each of these postings is very detailed and interesting, so I highly recommend reading them in full.



Part 1: CNE analysis in XKEYSCORE (December 9, 2025)

In their first posting, the Libroot collective analyzed an NSA presentation titled CNE Analysis in XKEYSCORE from 2009. This presentation was part of a large set of slide decks about the XKEYSCORE system which were published by The Intercept in July 2015 but were never analyzed individually.

Libroot looked specifically at the screenshots shown in this presentation. This revealed evidence that the NSA hacked the computer network of the Chinese company Norinco or North Industries Corporation, which is one of the world's largest state-owned defense contractors.

Other targets of NSA hacking operations were the mail servers of the Mexican federal law enforcement agencies Secretaría de Seguridad Pública (SSP) and Policía Federal Preventiva (PFP).

Yet another screenshot included in the XKS presentation shows that NSA compromised a laptop that likely belonged to someone working in Iranian transportation or customs infrastructure.

Finally, the presentation includes some codewords which were not yet included in my extensive listing of NSA Nicknames and Codewords (but have been added now):

- GREENCHAOS: A collection source feeding CNE data into XKEYSCORE?
- SHADOWQUEST: A collection source feeding CNE data into XKEYSCORE?
- TUCKER: An exploitation framework comparable to UNITEDRAKE, with sub-projects including OLYMPUS, EXPANDINGPULLY and UNIX.
- TURBOCHASER: An NSA database for profiles and future tasking, appearing alongside MARINA.
- WAYTIDE: A collection source feeding CNE data into XKEYSCORE?



Part 2: Central and South American politics (December 11, 2025)

This analysis by the Libroot collective is about two NSA presentations about operations to intercept the communications of Brazilian president Dilma Rousseff and the Mexican presidential candidate Enrique Peña Nieto.

> See also on this weblog: An NSA eavesdropping case study

One of the slides from those presentations listed "Geopolitical Trends: Key Challenges" but was almost fully redacted when it was published. Libroot, however, was able to reconstruct the full content of that slide based upon screenshots from Brazilian television.

In this posting, Libroot also provides a full transcription of a letter from the US State Department to NSA director Keith Alexander. This letter was shown briefly on Brazilian television and only a small section had been published in Glenn Greenwald's book No Place to Hide from 2014.



Part 3: Compromised telecommunications providers (December 25, 2025)

The third analysis by Libroot is about the NSA's TREASURE MAP presentation, which was published by Der Spiegel in September 2014. The TREASURE MAP tool provides "a near real-time, interactive map of the global Internet".

Besides the networks that make up the internet, TREASURE MAP also shows in which networks NSA and GCHQ have access points. Der Spiegel had already identified some satellite and internet providers that had been compromised.

By close examination, Libroot found another 20 major telecommunications providers across three continents which appeared to have been compromised. A list of those providers is in the posting on the Libroot website.



Part 4: Intelligence facilities inside the US (January 10, 2026)

Libroot also found out that in two documents from the Snowden trove some entire sections had been deleted, presumably by people from Greenwald's media outlet The Intercept. In both cases, the deleted sections were about intelligence facilities inside the US, while information about similar facilities abroad was not redacted.

The first document is apparently from the Menwith Hill Satellite Classification Guide and was published by The Intercept in September 2016. Deleted from this document was text saying that "Classic Wizard Reporting and Testing Center" is an unclassified cover name for the Potomac Mission Ground Station (PMGS). This facility is located at the Naval Research Laboratory (NRL) in Washington DC and functions as a Mission Ground Station (MGS) for NRO surveillance satellites.

The second document is titled NRO SIGINT Guide Pine Gap and was published by The Intercept in collaboration with the Australian Broadcasting Corporation (ABC) in August 2017. Deleted from this document was text saying that "Aerospace Data Facility" (ADF) is the unclassified cover name of the Consolidated Denver Mission Ground Station (CDMGS). This facility is located at Buckley Space Force Base in Aurora, Colorado, which is also home to one of the NSA's regional Cryptologic Centers.

> See also on this weblog: The NSA's regional Cryptologic Centers



Part 5: Various redaction failures (January 17, 2026)

In their fifth posting, Libroot presents some additional redaction failures which they stumbled upon by conducting forensic analysis on PDF files from the Snowden trove. These failures are not very significant or spectacular, as in general the journalists redacted the files they published quite professionally.

The redaction failures include a total of some 20 usernames of NSA employees, as well as IP and email addresses of foreign targets. The NSA usernames, or Security Identifiers (SIDs), all consist of two initials followed by the first four or five letters of someone's surname. For example, Snowden's username at the NSA was "ejsnowd".

> See also on this weblog: E-mails from inside the NSA bureaucracy



Part 6: UNAMI router configurations (April 17, 2026)

This posting is about some screenshots included in an NSA presentation titled VPN SigDev Basics, which was published by Der Spiegel in December 2014. These screenshots show the interface of the NSA's DISCOROUTE program, which is a "project to acquire, parse, database and display configuration files from network devices."

In these screenshots, Libroot noticed a search for crypto keys from routers used by the United Nations Assistance Mission for Iraq (UNAMI). According to Libroot, this strongly indicates that the NSA had collected the full configuration data of at least eleven network routers used by UNAMI.



Part 7: NSA presentation containing sensitive data (May 5, 2026)

The seventh posting by Libroot is about an NSA presentation from early or mid-2012 titled What Your Mother Never Told You About SIGDEV Analysis, which was published by Der Spiegel in December 2014 as part of a long story about internet encryption.

Libroot was able to undo almost every redaction in that presentation, which revealed the full names of at least 14 NSA employees, as well as IP addresses and names of companies and organizations that had been targeted by the agency (which Libroot didn't publish).

In the same NSA presentation is a screenshot which contains another screenshot, but so tiny that it was almost invisible. When restored to its original size, it appeared to be the NSA's internal WikiInfo page about TNS (Target Network Service).

The screenshots also contain some new NSA codewords:

- BLACKBEACH: (related to BLACKPEARL?)
- BLACKSAND: (related to BLACKPEARL?)
- DARKSUNRISE: VPN exploitation tool released in Fall 2012.
- POTLUCK: (internal NSA or IC search engine?)
- SHADOWNET: Tool for exploitation of VPN communications.
- TROPICNET: ?



On their website, Libroot writes that their examination of all the published documents leaked by Edward Snowden "will hopefully be complete and made public in mid-to-late 2026."



January 8, 2026

Trump risked a compromise of his strike against Venezuela

(Updated: January 14, 2026)

On January 3, 2026, the United States conducted a remarkable strike against Venezuela, during which president Maduro and his wife were captured and exfiltrated to New York.

At his private residence Mar-a-Lago, US president Trump monitored this operation from a room that looks hardly secure enough to prevent adversaries from eavesdropping.


Left to right: Hegseth, Ratcliffe, Rubio and Trump at Mar-a-Lago, January 3, 2026
(White House photo)


Right after the strike had been completed, Trump's team released several photos via X (formerly Twitter) and their own social media platform Truth Social. The images show how the US president and his national security team monitored the operation and the communications equipment they used.

Present were president Donald Trump, Secretary of Defense Pete Hegseth, Secretary of State Marco Rubio, CIA Director John Ratcliffe, Chairman of the Joint Chiefs of Staff general Dan Caine, White House Deputy Chief of Staff Stephen Miller, as well as some other staff members.



The communications equipment

Among the communications equipment in the photos we see a Cisco 8832 IP Conference Phone and at least two Cisco 8841 IP phones with a black box attached to their back. All these phones were modified by Advanced Programs, Inc. (API) in order to provide some TEMPEST protection and compliance with the TSG Standards.


However, those technical measures are of little use when a phone is off hook or when the speakerphone is enabled and all kinds of people (and antennas) can simply listen in to what is said.


Left to right: Ratcliffe, Trump and Rubio at Mar-a-Lago, January 3, 2026
(White House photo)


In the photo below we see the Chairman of the Joint Chiefs of Staff working on a laptop which has two yellow labels and is connected with cables that are yellow as well. Yellow is the color code for the classification level Top Secret/Sensitive Compartmented Information (TS/SCI), which indicates that the device is connected to JWICS, the highly secured network for intelligence information and communication.

In another photo we can see that at his right hand, Caine also has another laptop. That one had a red label and was connected with a red cable. Red is the color code for the classification level Secret, which means that laptop was connected to the SIPRNet, which is the primary network for classified military communications.


Left to right: Caine, Ratcliffe and Hegseth at Mar-a-Lago, January 3, 2026
(White House photo)


On the wall behind defense secretary Hegseth is a large video screen. The bright green bar along the top side shows that it's connected to a military or government network for unclassified information (most likely NIPRNet). At the moment of the photo, the screen showed an internet browser with the web interface of X open in three tabs and "Venezuela" typed into the search bar of the front tab.

Note that Hegseth is working on a laptop that has no color label to indicate a classification level; it has only a gray label with some bar codes. This brings to mind the situation of early last year, when Hegseth had a computer in his Pentagon office that was directly connected to the public internet so he could use the Signal app for backdoor communications with the White House.




No SCIF at Mar-a-Lago?

The most remarkable thing about the meeting on January 3 is its location. According to CNN, Trump and his team met in "a discreet of the club, away from guests". The photo below shows that it was a small building with a wooden roof that looks almost like a garage or a storage room, with the area where all the highly sensitive information came in "sealed off" only by very thin black curtains:


Left to right: Ratcliffe, Trump, Rubio and Miller at Mar-a-Lago, January 3, 2026
(White House photo)


Normally, these kinds of meetings should at least take place in a Physically Protected Space (PPS), but preferably in a Sensitive Compartmented Information Facility (SCIF). Such a SCIF can be a room, a suite of rooms or a whole building that is protected in such a way that highly classified information can be stored, processed, viewed and/or discussed without being intercepted by outsiders.



Risks at Mar-a-Lago

Already during Trump's first term as president it was noticed that there was apparently no permanent SCIF at Mar-a-Lago. When on April 6, 2017, the US conducted airstrikes against Syria, Trump and his team sat packed around a narrow table in a small side room, looking at a secured Cisco EX90 video teleconferencing screen, with some devices on the table that were never identified.



Trump and his team of policy makers at Mar-a-Lago, April 6, 2017
(White House photo)


According to Trump's press secretary at the time, the room used on April 6, 2017 was a SCIF. That wasn't very convincing because everything seemed to be hastily arranged for the occasion. At best, the room was a (temporary) Secure Working Area (SWA), which is an accredited facility "used for discussing, handling, and/or processing SCI, but where SCI will not be stored."

Mar-a-Lago isn't just Trump's private residence, but also a club resort that is open to paying members and ticketed guests, staffed by workers without the same security clearances as White House staff. Although the Secret Service screens guests before they enter, they don't determine who can access the club. All this makes the place vulnerable to infiltration and/or eavesdropping by foreign intelligence.



Precedents

By contrast, when president Barack Obama and his national security team monitored the killing of Osama bin Laden on May 1, 2011, they did so from a small room that was part of the highly secured complex of the White House Situation Room:



President Obama and his national security team watching the killing of
Osama bin Laden in the White House Situation Room, May 1, 2011.
(White House photo by Pete Souza)


However, when Obama was on vacation at the Blue Heron Farm in Chilmark on the island of Martha's Vineyard, Massachusetts in August 2011, his secure and non-secure telephone equipment was installed in a living room that didn't seem very secure, with doors and windows open when calls were conducted:

> Read more: Obama on vacation


President Obama with John Brennan and some other assistants, August 26, 2011
(White House photo by Pete Souza)



Much better was the situation under president George W. Bush, who had a special building on his ranch in Crawford, Texas, that was equipped as a SCIF. The space was modeled like a conference room in the White House, with comfortable chairs and all the necessary communications equipment for secure and non-secure phone calls as well as for secure video teleconferencing:



George W. Bush in the SCIF on his ranch in Texas, December 29, 2004.
(White House photo)



Links and sources
- Politico: Who was in Trump’s Mar-a-Lago war room for Maduro’s ouster
- CNN: Mar-a-Lago is a familiar place for Trump to manage high-stakes military operations
- The New York Times: C.I.A. Source Inside Venezuelan Government Helped Track Maduro
- Wikimedia Commons: Photos of Donald Trump monitoring U.S. military operations in Venezuela