September 5, 2013

An NSA eavesdropping case study

(Updated: December 7, 2015)

On September 1, the popular Brazilian television news magazine Fantástico reported about an NSA operation for wiretapping the communications of the presidents of Mexico and Brazil. Fantástico is part of the Globo network, which already disclosed various top secret NSA presentations last July.

Now, the Brazilian magazine showed some new top secret NSA documents, like a powerpoint presentation about the eavesdropping operation, which were all among the thousands of documents which Edward Snowden gave to Guardian journalist Glenn Greenwald in June.

Fantástico also published the slides on their website, but as that's only in portuguese, we show these slides too, because they give a nice graphical insight in how the NSA intercepts foreign communications.

The Fantástico news magazine started showing a cover sheet of a presentation which bears the logo of the SIGDEV Strategy and Governance division of the NSA, where SIGDEV stands for SIGINT Development. However, it's not quite clear whether this division is also responsible for the eavesdropping operation which is shown below.

The presentation was prepared in June 2012 by the Scalable Analytics Tradecraft Center (SATC) of NSA. Except for the abbreviation SATC, the full name of this unit was initially unknown, so the Fantástico website assumed it stood for "Secure and Trustworthy Cyberspace" (SaTC), but that's actually a program of the US National Science Foundation. Brazilian television briefly showed the name of the author of the presentation, but here we blacked that out.

This slide shows the overall classification level of the presentation: TOP SECRET // COMINT // REL TO USA, AUS, CAN, GBR, NZL. This means the information is Top Secret, contained in the COMINT (Communications Intelligence) control system and is only to be released to the US and it's "Five Eyes" or UKUSA partners: the UK, Canada, Australia and New Zealand.

The presentation starts with two slides, showing the benefits of searching for contacts by using graphs:

The next three slides show some more details of the specific elements of the process:

The Mexican target

The first target of the operation was the then Mexican candidate for the presidency, Enrique Peña Nieto. The information was analysed by NSA unit S2C41 which is the Mexican Leadership Team and is also part of the S2C production line for International Security Issues (ISI).

This slide shows the process of searching for contacts and communications of the mexican president:

1. Selectors, like known e-mail adresses or phone numbers related to EPN (Enrique Peña Nieto) are used as seeds to start the process.

2. The initial seeds lead to 2-hop graphs, apparently based upon metadata which are in the databases mentioned below the graph: MAINWAY is the NSA's database of bulk phone metadata, CIMBRI is seen here for the first time, and could be another kind of metadata database. JEMA probably stands for Joint Enterprise Modeling and Analytics, which is a tool that allows analysts to create more complex analytic scenarios.

3. Next, addresses discovered by creating the contact graphs can act as selectors for collecting SMS messages. For this the MAINWAY database is used too, just like ASSOCIATION, which, according to the Fantástico website, filters text messages (SMS) to mobile phones.

4. Finally, these messages go to DISHFIRE, which is NSA's database for text messages and can be searched for certain keywords.

This slide shows two "interesting messages", proving that content of text messages was collected. In the two quoted passages, the Mexican presidential candidate Enrique Peña Nieto is in discussion with some of the designated ministers of his future government. Parts of the messages are blacked out by Brazilian media.

The Brazilian target

The second target of the operation were the Brazilian president Dilma Rousseff and her key advisers. The information was analysed by NSA unit S2C42 which is focussed on the Brazilian leadership. This unit is part of the NSA's S2C production line for International Security.

This slide shows the process of searching for contacts and communications of the Brazilian president. The intelligence gathering starts with a few DNI Selectors (like e-mail or IP addresses) which act as seeds growing into a 2-hop contact graph. This graph shows all the addresses which had 2-hop or 2-step contacts with the original seed addresses.

Below the graph is the word SCIMITAR, seen here for the first time, which could be a tool to create such contact graphs, or maybe a database containing metadata from which these contacts can be derived.

From the 2-hop contact graph NSA apparently discovered new selectors (e-mail or IP addresses) associated with the Brazilian president and her advisers. Another slide, which was not published, is said to show all the names associated with the colored dots in this graph.

The presentation concludes that there was a successful cooperation between the mysterious unit SATC and the Latin American units from the S2C International Security division. This led to a successful implementation of contact filtering by using graphs, resulting in the interception of communications of high-profile, security-savvy Brazilian and Mexican targets.

This presentation gives insight in a specific eavesdropping operation, but also gives a good idea of how NSA is collecting information from the internet in general, for example through PRISM and various other programs which gather data from internet backbone cables.

Allthough the presentation is clarifying, it could also have been published without mentioning the specific targets involved. Showing that this operation targeted the presidents of Mexico and Brazil did not serve a public interest, but unnecessarily damaged the relationship between the United States and both countries.

Glenn Greenwald seemed to justify the publication by saying that the presentation proved that NSA was also intercepting the content of phone calls and e-mail messages. After earlier disclosures, the US had said that they only collect bulk metadata from Brazil and no content. But of course this statement only applied to ordinary citizens, as eavesdropping on foreign political and military leaders is generally considered to be a legal activity of (signals) intelligence agencies.

Greenwald, who lives in Rio de Janeiro, also said that "most of the spying they [= the US] do does not have anything to do with national security, it is to obtain an unfair advantage over other nations in their industrial and commerce economic agreements". But with this motive he also acts more in the national interest of Brazil, or at least like an activist, than as a journalist working for the public interest.

(Updated by rearranging the slide order and some related minor corrections - see the comment below)

> See also: How NSA targeted the Venezuelan oil company PdVSA

Links and Sources
- Documentos revelam esquema de agência dos EUA para espionar Dilma
- Translation in English
- The slides with Portuguese description: Veja os documentos ultrassecretos que comprovam espionagem a Dilma
- U.S. Spied on Presidents of Brazil and Mexico, Globo Reports


Anonymous said...

Slides out of order, this actually matters. (use the image numbers)

When viewed in the correct order, it tells a story first explains the contact graphs, and then shows 2 case studies. And gives conclusions. It says Nieto's email was read, but Rousseff's was not.

The evidence for this it the two one-time-work slides, one is for Rousseff, and the other for Nieto.

It shows that with Nieto, they generated the 2-hop contact graph, and extracted SMS, and dumped the results into DISHFIRE. DISHFIRE is definitely a database. It shows up in the Privacy violations report as such. And in the perhaps too reveling resume of a programmer. (I had to pull it from a google cache, he goes on about how he wrote a program to query 2 instances of the dishfire database that the last programmer couldn't get working)

BUT with Rousseff, only the contact graph was generated. Rousseff is a good deal madder then Nieto right now, though less was done to her. Though knowing that she was, in fact tortured by an oppressive regime may explain her reactions.

P/K said...

Thank you very much for this clarifying addition! I rearranged the slides in the order of the original numbering.

In Dutch: Meer over het wetsvoorstel voor de Tijdelijke wet cyberoperaties