NSA agents successfully targeted "the entire business chain" connecting foreign cafes to the internet, bragged about an "all-out effort" to spy on liberated Iraq, and began systematically trying to break into virtual private networks, according to a set of internal agency news reports dating to the first half of 2005.

British spies, meanwhile, were made to begin providing new details about their informants via a system of "Intelligence Source Descriptors" created in response to intelligence failures in Iraq. Hungary and the Czech Republic pulled closer to the National Security Agency.

And future Intercept backer Pierre Omidyar visited NSA headquarters for an internal conference panel on "human networking" and open-source intelligence.

These stories and more are contained in a batch of 294 articles from SIDtoday, the internal news website of the NSA's core Signals Intelligence Directorate. The Intercept is publishing the articles in redacted form as part of an ongoing project to release material from the files provided by NSA whistleblower Edward Snowden.

In addition to the aforementioned highlights, summarized in further detail below, the documents show how the NSA greatly expanded a secret eavesdropping partnership with Ethiopia's draconian security forces in the Horn of Africa, as detailed in an investigation by longtime Intercept contributor Nick Turse. They describe the NSA's operations at a base in Digby, England, where the agency worked with its British counterpart GCHQ to help direct drones in the Middle East and tap into communications through the Arab Spring uprisings, according to a separate article by Intercept reporter Ryan Gallagher. And they show how the NSA and GCHQ thwarted encryption systems used to protect peer-to-peer file sharing through the apps Kazaa and eDonkey, as explained here by Intercept technologist Micah Lee.

NSA did not comment for this article.

American Intelligence Agents Outed Themselves Online

Members of the U.S. intelligence community routinely thwarted a system designed to mask their identities online by using it for personal shopping and to log on to websites, according to an NSA information technology manager.

The system, called "AIRGAP," was run by "one of the world's largest ISPs" and created around 1998 at the behest of the NSA, according to NSA Internet Program Manager Charlie Speight, writing in SIDtoday. Its purpose was to allow "non-attribution internet access," Speight added, meaning that intelligence analysts could surf the internet without revealing that they were coming from U.S. spy agencies. By 2005, it was used by the whole U.S. intelligence community.

One early concern about the firewall was that it funneled all internet traffic through a single IP address, meaning that if any activity on the address was revealed to be associated with U.S. spies, a broad swath of other activity could then be attributed to other U.S. spies. More IP addresses were subsequently added, but "occasionally we find that the ISP reverts to one address, or does not effectively rotate those assigned," Speight wrote.

Speight added that the "greater security concern" was the very intelligence agents the system was designed to protect. "Despite rules and warnings to the contrary, all too frequently users will use AIRGAP for registering on web sites or for services, logging into other sites and services and even ordering personal items from on-line vendors," Speight wrote in a classified passage. "By doing so, these users reveal information about themselves and, potentially, other users on the network. So much for 'non-attribution.'"

This sort of sloppiness mirrors behavior that has undermined Russian intelligence operatives. A slide presentation by Canadian intelligence, dating to 2011 or later, labeled as "morons" members of a Russian hacking group code-named "MAKERSMARK," who thwarted a "really well-designed" system to hide their identities by using it to log on to their personal social and email accounts.

The two situations are not perfectly comparable; the U.S. system was managed as part of a network for obtaining unclassified information, while the Russian system was used for the more sensitive activity of staging hack attacks. But Speight hinted at aggressive use of the U.S. system, writing in his piece that the NSA had begun "using AIRGAP for reasons and in volumes not intended in its formation" - the agency thus began developing its own separate firewall.

The NSA had systems with the same goal as AIRGAP - anonymization - but for phone calls. According to a February 2005 SIDtoday article, the NSA controlled 40,000 telephone numbers, but these were almost all prefixed with area- and exchange-code combinations that were publicly associated with the agency. An analyst who needed to make a public phone call without leaking their affiliation could use "anonymous telephones," most of them registered to the Department of Defense, or "cover telephones," registered using alias names and P.O. boxes. No security protocol lapses were described in connection with the old-fashioned voice networks.

Iraqi youth surf the web at an internet cafe in Baghdad's impoverished district of Sadr City, Nov. 15, 2007. (© Ali Al-Saadi/AFP/Getty Images)

NSA Targeted "the Entire Business Chain" to Spy on Internet Cafes

While hiding, or at least trying to hide, its own online operations, the NSA launched an all-encompassing campaign to trace online activity in internet cafes, down to specific seats.

A program called "MASTERSHAKE" accomplished this by exploiting equipment used by the cafes, including satellite internet modems, according to top-secret information reported by SIDtoday. "MASTERSHAKE targets the entire business chain, from manufacturer to Internet café installation, to ascertain any and all available data regarding ... geolocation, the network connectivity of the modem, as well as the actual physical location of the installation," according to SIDtoday.

MASTERSHAKE data was "enriched" with other information, including "geolocatable phone events," as well as intelligence from throughout the NSA's Signals Intelligence Directorate and from the agency's XKeyscore search system.

The NSA knew the precise location of over 400 internet cafes. For over 50 of these cafes, it could locate a target to a specific seat within the cafe. One goal of the monitoring was to hunt down Al Qaeda leaders, like Abu Musab al-Zarqawi. SIDtoday focused on the use of MASTERSHAKE in Iraq, describing an incident in the city of Ramadi where two "counterterrorism targets" began using a messenger service at an internet cafe, and "within about 15 minutes the two men were arrested." But it also indicated the system was used more broadly, "in the Middle East and Africa."

As The Intercept previously reported, the NSA has surveilled internet cafes in Yemen, Afghanistan, Syria, Lebanon, and Iran, as detailed in agency documents.
