When Canadian intelligence officials speak about today's spying, they can reveal great ambition.
Sometimes they speak of wanting to "master the Internet" or even "target the world" before switching to less evocative terms, such as "computer network operations" or CNO.
When pressed whether this is tantamount to "hacking," they avoid that word.
"We've got some bright young kids," retired spymaster John Adams once told The Globe in an interview. "Virtually everything – 90 per cent of what they do – is CNO now. It opens it up to where they can literally go out and target the world."
These previously unpublished remarks from Mr. Adams, chief of Communications Security Establishment Canada from 2005 to 2011, seemed cryptic at the time they were spoken late last year.
Yet they are a little less so now.
Recently released material suggest just how very good CSEC may be getting at its job –– avoiding the capture of Canadian communications even as it steps up its capacity to spy on countries around the world.
The German computer magazine c't has published what appears to be leaked details about a CSEC endeavour called Landmark. The slides, if genuine, showing how Canadian government "network exploitation analysts" actually do their jobs. The article suggests these details show how the Canadians seek to impose the will of their agency – and allied agencies – on thousands, potentially millions, of computers in "as many non 5-Eyes countries as possible."
The "Five Eyes" intelligence alliance – the U.S., U.K., Canada, Australia and New Zealand – is the club of English-speaking nations whose electronic-eavesdropping agencies agree not spy on each other, while working together to keep tabs on the rest of the world.
CSEC does not comment on reports of leaked documents, nor will it indicate whether or not an apparent leak is authentic.
CSEC "only collects foreign intelligence according to the intelligence priorities set regularly by the Government of Canada. This information is critical to protecting Canadians and Canadian interests against serious threats, such as terrorism, foreign espionage, and cyber threats," said spokesman Ryan Foreman in an e-mail.
‘An additional level of non-attribution’
Based on the briefing materials obtained by an unnamed leaker, the c’t article suggests Canada has been given the job of pinpointing vulnerable computers as a means to an end – “non-attribution,” or creating a cover of plausible deniability for the Five Eyes’ own cyber espionage campaigns.
The idea is not to achieve immediate results so much as build an “infrastructure” for future hacking – or, as the document puts it, a network that “can be subsequently used for exploits and exfiltration.”
The Landmark documents introduce a new term to the wider public – “ORBs” or “operational relay boxes” – a term that the Five Eyes apparently use for computers they compromise in third-party countries.
“This literally translates to ‘They hack you and then, from your machine, then they literally start hacking other machines, in order to be able to say ‘it wasn’t us,’ ” says German researcher Julian Kirsch, who made a video presentation about the leak.
Compromising computers in countries that are in themselves irrelevant to a mission can be worthwhile – if doing so can get you closer to the target.
Hackers – government-sponsored or otherwise – have long been known to route their attacks through third parties so as to better hide their intent and identities. Such cloaking techniques are typically linked to the world’s most notorious groups – such as Russian-affiliated cyber gangs, or technological units of the Chinese People’s Liberation Army.
Hunting for ORBs
According to the Landmark slides, one CSEC effort to compromise machines took place on a single day in February, 2010. Two dozen CSEC hackers took a few hours to come up with a pinpoint list of thousands of targets.
This was seen as a good start.
“They put up 24 people for one day and that gave them 3,000 machines. Then they said this was not productive enough,” says Christian Grothoff, another German researcher who studied the document.
Mr. Grothoff said he found it ironic that Prime Minister Stephen Harper and Foreign Minister John Baird have recently called out Beijing for alleged attempts to break into Canadian government computers. “What is always surprising is that societies that claim they have the moral high ground, are at the same time invading computer systems of innocent bystanders,” he told The Globe.
A co-writer of the c’t article, he added that “I had no problem to learn that of course the U.S is interested in [Chancellor] Merkel’s phone calls. That is not shocking. She has to expect that.
“What is surprising is going after everybody – innocents who aren’t legitimate targets,” he said.
Who better to take on the grunt work of finding vulnerable machines than machines?
According to the Landmark slides, the next step for CSEC was to essentially built an app. One slide says CSEC created an adaptation of the powerful Olympia knowledge engine, a suite of computer programs that is to CSEC what Google is to the rest of us – a deep repository of constantly collected communications data that can be searched and used for many purposes.
“Now they can do it faster, more efficiently, with fewer resources…. We don’t have data for what they got after automation,” says Mr. Grothoff.
CSEC officials do not comment on leaks. But its former chief suggested in The Globe interview last year that there is good reason for Canada to get more aggressive: Every state in the world is stepping up its cyber capabilities.
“Who was it that did the work for the Russians when the Russians invaded Georgia and Estonia?” Mr. Adams asked, referring to the hacking and denial-of-service attacks on major websites of those countries at the heights of conflicts with Russia. “The Russians will say they didn’t do it . ‘Wasn’t us.’ Because most of it was done using botnets that were run out of somewhere else in the world.
“So how the hell do you find that out, if you aren’t out there monitoring a whole host of countries?” he said. “You don’t.”
“That’s why you need these coalitions,” he added. “Because no one’s got that kind of coverage…. Even the Americans can’t cover everything.”
‘Gimme all you got’
CSEC analysts appear to take pride in being able to parse through haystacks and haystacks of raw communications data that U.S. and U.K. allies throw at them.
The fourth Landmark slide suggests that the British electronic security agency, GCHQ, was interested in finding vulnerable computers in Kenya. The raw data was relayed to CSEC so that it could follow up and pinpoint the best bets.
The ‘Gimme all you got’ tab seen here also appeared in a previous leak from last year –– when CSEC was accused of scouring communications traffic affiliated with Brazil’s Ministry of Mines and Energy.
Do you want to phone a friend?
One of the more intriguing slides suggests that when the world’s most powerful spy agency gets stumped, it calls Canada.
In the fifth slide, it appears that the elite American NSA hacking team known as TAO (Tailored Access Operations) wanted to get inside a mobile phone company.
To that end, they call CSEC for “assistance gaining access to the network.” The Canadian agency boasts that its analysts took less than five minutes to identify “vulnerable” devices in the targeted network.