Western spy agencies secretely rely on hackers for intel and expertise


The U.S., U.K. and Canadian governments characterize hackers as a criminal menace, warn of the threats they allegedly pose to critical infrastructure, and aggressively prosecute them, but they are also secretly exploiting their information and expertise, according to top secret documents.


“Hackers are stealing the emails of some of our targets… by collecting the hackers’ ‘take,’ we . . .  get access to the emails themselves,” reads one top secret 2010 National Security Agency document.


By looking out for hacking conducted “both by state-sponsored and freelance hackers” and riding on the coattails of hackers, Western intelligence agencies have gathered what they regard as valuable content:

“Recently, Communications Security Establishment Canada (CSEC) and Menwith Hill Station (MHS) discovered and began exploiting a target-rich data set being stolen by hackers. The hackers’ sophisticated email-stealing intrusion set is known as INTOLERANT. Of the traffic observed, nearly half contains category hits because the attackers are targeting email accounts of interest to the Intelligence Community. Although a relatively new data source, [Target Offices of Primary Interest] have already written multiple reports based on INTOLERANT collect.”

The hackers targeted a wide range of diplomatic corps, human rights and democracy activists and even journalists:

INTOLERANT traffic is very organized. Each event is labeled to identify and categorize victims. Cyber attacks commonly apply descriptors to each victim – it helps herd victims and track which attacks succeed and which fail. Victim categories make INTOLERANT interesting:

A = Indian Diplomatic & Indian Navy
B = Central Asian diplomatic
C = Chinese Human Rights Defenders
D = Tibetan Pro-Democracy Personalities
E = Uighur Activists
F = European Special Rep to Afghanistan and Indian photo-journalism
G = Tibetan Government in Exile

In those cases, the NSA and its partner agencies in the United Kingdom and Canada were unable to determine the identity of the hackers who collected the data, but suspect a state sponsor “based on the level of sophistication and the victim set.”


In a separate document, GCHQ officials discuss plans to use open source discussions among hackers to improve their own knowledge. “Analysts are potentially missing out on valuable open source information relating to cyber defence because of an inability to easily keep up to date with specific blogs and Twitter sources,” according to one document.

Credit and External Link : https://firstlook.org/theintercept/2015/02/04/demonize-prosecute-hackers-nsa-gchq-rely-intel-expertise/

Network Infrastructure

TORNSTEAK is a persistence solution for two firewall devices from a particular vendor. We need to port TORNSTEAK from the existing two firewalls to several more from the same vendor. This persistence effort would use one’s reverse engineering, computer architecture, “C” programming and
assembly language coding skills.

Read ► Persistence Division


STYLISHCHAMP is a tool that can create a HPA on a hard drive and then provide raw reads and writes to this area. This tool should incorporate latest TWISTEDKILT code so that it can support SATA drives. This will allow SWAP to be used on newer systems. Currently, only IDE drives
are used.

Read ► Persistence Division, ► Windows Tools


CENTRICDUD is a tool to read and writes bytes in the CMOS. It needs to be rewritten and productized so that it can be incorporated into a proper UR plug—in. The driver associated with this tool also needs to be redone as it is being flagged by PSPs for unknown reasons. This tool is used both by the BIOS team as well as the IT Geo team.

Read ► Persistence Division, ► Windows Tools


WISTFULTOLL is the premiere target survey tool for Windows that runs on almost all targets automatically. It brings back information about the target system’s machine and operating system that is invaluable for both the Persistence Division and analysts enterprise wide. New features
need to be added to WISTFULTOLL as well as it being refactored.

Read ► Persistence Division, ► Windows Tools


GOPHERRAGE is a project that seeks to develop a hypervisor implant that would leverage both AMD and Intel’s virtualization technology in order to provide both DNT implant persistence capabilities and a persistent back door.

Develop a hypervisor implant that would leverage both Intel’s and AMDS virtualization technology in order to provide both DNT implant persistence capabilities and a persistent back door access. The idea would be similar to what BERSERKR can do from SMM in that it should be able to use “the machine’s network interface card (NIC) to communicate independently of the host operating system (OS)”. Also, this hypervisor implant should have full read/write access of host memory so it will be possible to change Host OS behavior in ways that could allow code execution, OS injection, system
survye, VM break-in, etc.

GOPHERRAGE is the Persistence Division’s pilot program to apply industry best practices and agile development processes to internal projects. To this end, the project is managed via the Scrum process. Test Driven Development (TDD) practices are used as well in an effort to reduce code defects. The project also is looking to incorporate ideas from DNT such as their SCube build environment.

Read ► Persistence Division


BERSERKR is a persistent backdoor that is implanted into the BIOS and runs from SMM. Although the core of the code is stable, there are always new requirements against which to develop. This includes new network interface card parasitic drivers as well as applications. (TS//SI//REL) Some notable applications that need development:

  • KIRKBOMB — Windows kernel examination to detect loaded drivers, running processes as well. There is a prototype which works on Windows 7, this needs to work on XP and 2008 including
    64-bit systems.
  • SODAPRESSED — Linux application persistence. Given a running installation of Linux, install some application or inject something into memory which will. This currently works on certain
    Versions of Linux without SELinux enabled.

There may also be requirements in the near future for:

  • A Collection tool that runs from BERSERKR.

Read ► Persistence Division