Title: INTOLERANT – Who Else Is Targeting Your Target? Collecting Data Stolen by Hackers

Release Date: 2015-02-04

Document Date: 2010-05-06

Document: DYNAMIC PAGE -- HIGHEST POSSIBLE CLASSIFICATION IS
TOP SECRET a/ SI / TK // REL TO USA AUS CAN GBR NZL

SID Today archi“s reedback
iBi ■ ■ ■
Welcome! Saturday, 10 Nov 2012 1 1

B

a

• SIDtoday Article

• Letter lo the Editor

• SIGINT-y Social Media Page

(TS//SI//REL) Who Else Is Targeting Your Target? Collecting Data Stolen by Hackers

FROM: (U//FOUO) Menwilh Hill Station (F77)

Run Dale: 05/06/201 0

(TS//SI//REL) Hackers are stealing the emails of some of our targets... by collecting the hackers' "lake," we 1) gel access lo the emails themselves and 2) gel insights into who's being hacked.

(TS//SI//REL) People who open attachments from unknown senders (gasp) or respond lo "Nigerian" money laundering emails aren't the only individuals on the intern el being hacked. Some of our targets are also being targeted by outside forces, both by slale-sponsored and freelance hackers. Could your target's communications be the
target of other countries or groups?

(TS//SI//REL) Recently, Communications Security Establishment Canada (CSEC) and Menwilh Hill Station (MHS) discovered and began exploiting a largel-rich data sel being stolen by hackers. The hackers' sophisticated email-stealing intrusion sel is known as INTOLERANT. Of the traffic observed, nearly half contains category hits
because lhe allackers are targeting email accounts of interest lo lhe Intelligence Community. Although a relatively new data source, TOPIs have already written multiple reports based on INTOLERANT collect.

(U) T echnique

(TS//SI//REL) To lhe analyst using SIGINT databases, collected INTOLERANT data looks like Simple Mail Transfer Protocol (SMTP) mail. In this case, though, lhe traffic fairy has been hard al work... To hide lhe traffic, lhe hackers' programs split a victim's email into pieces. Each piece is then obfuscated, given a different, spoofed,
source IP address and sent lo a different destination IP address. Having different destination IP addresses serves lo route lhe pieces across separate channels* 1 of a satellite signal. The channels being used carry large amounts of traffic, allowing INTOLERANT data lo hide as background noise. Much collaboration between CSE, MHS,
GCHQ and NSAW has brought about lhe transformation of INTOLERANT data we collect into "readable" SMTP mail.

(U/FOUO) Victim Set

(TS//SI//REL) INTOLERANT traffic is very organized. Each event is labeled lo identify and categorize victims. Cyber attacks commonly apply descriptors lo each victim - il helps herd victims and track which attacks succeed and which fail. Victim categories make INTOLERANT interesting:

A = Indian Diplomatic & Indian Navy
B = Central Asian diplomatic
C = Chinese Human Rights Defenders
D = Tibetan Pro-Democracy Personalities
E = Uighur Activists

F = European Special Rep lo Afghanistan and Indian photo-journalism
G = Tibetan Government in Exile

(TS//SI//REL) New victims appear lo Hood out lheir entire inbox, going back months or, even, years. Then only new mail is transmitted. Hundreds of emails are seen on an average day.

(U) Attribution

(TS//SI//REL) Within lhe world of cyber exploitation, attribution is always difficult and INTOLERANT is no exception. Initial analysis points toward a likely stale sponsor based on lhe level of sophistication and lhe victim sel. Determining which stale is sponsoring lhe activity has yel lo be done. Since lhe traffic is traveling over satellite,
lhe culprit must be within lhe satellite beam's footprint lo receive lhe stolen emails. There was hope lhe footprint would point lo which stale was responsible, but lhal hope was not realized as shown in lhe image.

H

(U) Way Forward

(TS//SI//REL) Analysis continues with lhe goal of learning more about lhe attacks as well as improving attribution. Efforts are also being made lo inform relevant parties, including NTOC, due lo lhe obvious operations security (OPSEC) concerns where US and UK authorities have contact with Indian diplomats or lhe European Special
Representative, for instance.

(TS//SI//REL) So the next time you scan your target's email, pay special attention to the case notation. If il contains 4PXFIL2 (E9BDJ4PXFILlargelNumber in lhe case of INTO LERANT), then lhe email is likely available because somebody else has hacked your target. For additional details, send an email lo mhsindex@nsa.ic.gov.
(U/FOUO) POCs: |REDACTED|; INDEX team (MHS)

(U) Notes:

1. (U/FOUO) Packet Identifiers, PIDs are used in satellite hub signals lo designate sub-channels.

2. (TS//SI//REL) 4PXFIL stands for "fourth party exfil" or "oul-sourcing SIGINT." These terms are used within lhe SIGINT

lU/'/FOUO) SIDuolay edilo.

a hI



■eprinled from MHS's Hor.
s about this article?



unity lo refer lo lhe practice of collecting data as il transits lhe Internet going from lhe victim's computer lo lhe allacker's.

"(U//FOUO) SIDtoday articles may not be republished or reposted outside NSANet without the consent of |REDACTED| (|REDACTED|)."

Information Owner: |REDACTED | Page Publisher: |REDACTED |

Last Modified: 11/10/2012 / Last Reviewed: 11/10/2012

DYNAMIC PAGE -- HIGHEST POSSIBLE CLASSIFICATION IS
TOP SECRET // SI / TK // REL TO USA AUS CAN GBR NZL
DERIVED FROM: NSA/CSSM 1-52, DATED 08 JAN 2007 DECLASSIFY ON: 20320108

e-Highlighter

Click to send permalink to address bar, or right-click to copy permalink.

Un-highlight all Un-highlight selectionu Highlight selectionh