There aren't many new revelations from the Snowden-documents anymore, but recently an NSA document was published telling how the agency prepared the interception of communications from the Venezuelan oil company Petróleos de Venezuela, S.A. (PdVSA).
It's not a very spectacular disclosure, but it gives a nice insight in what an NSA analyst actually does. The story was published on November 18 by the website The Intercept and the Latin-American broadcaster teleSUR.
Most people will have read The Intercept's report, but that misses one of the most interesting details of the story. Here, the disclosed NSA document will be discussed in full, with details explained based upon information from earlier disclosures.
Building of PdVSA in Maracaibo with on its facade Fidel Castro's motto
"Patria, Socialismo o Muerte" (Fatherland, Socialism or Death)
The document that was published is an excerpt from SIDtoday, the internal newsletter of the NSA's Signals Intelligence Division from March 23, 2011 (which was apparently accessed (by Snowden?) on Saturday, November 10, 2012). It contains a story that is told by a Signals Intelligence Development (SIGDEV) analyst from the NSA's Transnational & Strategic Partnerships SIGDEV branch.
A SIGDEV analyst is someone who looks for new targets or new means to access communications of existing targets. His unit S2C13 is part of the International Security Issues (ISI) Product Line, which is responsible for analysis and production of intelligence about countries in Europe, South-America and elsewhere.
As the analyst recalls, a year-end review had shown that there was no progress on the "Venezuelan Energy target set" as most reporting came from warranted collection. That could refer to PRISM and Upstream collection under section 702 FAA, but that only requires annual certifications approved by the FISA Court. Strictly spoken, individual warrants are only needed for "traditional FISA" collection, like for example for eavesdropping on the Venezuelan embassy in Washington.
The analyst decided to do a "target reboot", which he describes as "taking a fresh look at opportunities for collection". He first looked at specific Information Needs (INs) and used SURREY, which is the main NSA requirements database.
These requirements are the outcome of an administrative process, that starts with the US president setting the highest priorities for foreign intelligence collection. These priorities are then translated into the National Intelligence Priorities Framework (NIPF) for the US Intelligence Community as a whole.
Strategic Mission List
For Signals Intelligence (SIGINT), it's the National Signals Intelligence Committee (SIGCOM) that collects the requests for information from the various intelligence "consumers", checks whether they are consistent with the NIPF and assignes them a priority. An overview of the SIGINT priorities can be found in the 2007 Strategic Mission List, which was published in November 2013.
This document lists Venezuela as one of six countries that are treated as "enduring targets". According to this document, NSA should "Provide U.S. decision makers with a holistic SIGINT perspective of regional trends and developments" and also "Provide indicators of regime stability, particularly in the energy sector":
Economic or commercial espionage?
The Intercept makes a point out of NSA targeting a petroleum company "for economic espionage" - earlier disclosures had already brought up the names of the Brazilian company Petrobras and Gazprom from Russia. Why that should be a problem isn't explained however: all three companies are government-controlled and oil is an issue of strategic interest for almost any country.
The website also cites US Director of National Intelligence James Clapper, who explained the difference between gathering intelligence on economic issues for government policy makers (which the US admits doing), and stealing trade secrets of foreign companies to help individual American corporations (which the US strongly denies doing). And in this case, there's (again) no evidence for the latter.
The story of the analyst then continues with that he met with the Target Office of Primary Interest (TOPI) responsible for Venezuelan targets, in order to "re-assure myself that we were both on the same page in regards to our goals". A TOPI consists of analysts who analyse the communications that come in as a result of the collection process and who prepare the intelligence reports.
These first steps show that NSA analysts work within a bureaucratic framework that requires collaboration with colleagues and superiors who make sure their activities are in accordance with the goals set by the government - as a rule, they're not free to target anyone at will, which is the impression people can get when listening to Edward Snowden.
The TOPI analyst wanted information from the highest level of PdVSA, i.e. from the president and members of the Board of Directors, as much of it as possible in the form of internet communications, which, unlike phone calls, don't have to be transcribed. Also there was no time for "extensive target development".
Then the SIGDEV analyst started his work. He first visited the PdVSA website on the internet for the names of the Board of Directors. He put them into a new document in Analyst's Notebook, which is an analysis tool widely used by intelligence and law enforcement agencies all over the world.
Demonstration of a "Pattern-of-Life Analysis" using Analyst's Notebook
The next step was looking at what had already been collected about his targets. For this he first accessed the PINWALE database, which is NSA's main repository for all kinds internet content that was collected by using specific selectors (i.e. no bulk content collection).
A few queries, using the names he had found on the website, returned not much of interest: a lot of e-mails in which these persons were "cc-ed", but hardly anything to or from them personally. This also provided some e-mail addresses, but the analyst already knew these.
He entered the mail addresses into CADENCE, which is NSA's tasking tool for internet communications, and also into the Unified Targeting Tool (UTT). This would show whether these e-mail addreses were already tasked, which means whether the actual collection facilities had been instructed to collect the related communications.
Finding new selectors
Apparently collection against PdVSA did take place in the past, as PINWALE kept providing documents containing the target's names. This weren't communications, but some kind of information forms with contact details and organizational information about PdVSA employees.
The analyst says that these forms were similar to what is in NSA's SEARCHLIGHT database, which is the agency's internal personnel information system. As these information forms mention who within PdVSA is somebody's supervisor, they resulted in a whole tree of entries and names:
Internal PdVSA information form which shows president of the board
Rafael Ramirez as supervisor of another board member, Luis Vierma
Lots of them
The new selectors include business and private e-mail addresses and work, home and cell phone numbers. The newly found e-mail addresses could again be entered into CADENCE and the UTT, while the phone numbers could be used to enter them in OCTAVE, which is NSA's tasking tool to initiate the interception of telephone conversations. It's not said whether this happened or not - the TOPI analyst at least didn't prefer phone calls.
The Intercept writes that NSA apparently "collects so much communications data from around the world that it often fails to realize what it has". This however applies to most intelligence and law enforcement agencies that conduct automated eavesdropping: there are often way too many phone calls to listen in to, let alone digital communications to translate, read and analyse.
When the SIGDEV analyst was analysing the PdVSA forms (of which there were over 10.000 in the PINWALE database), he discovered that they all came from IP addresses starting with 10.x.x.x and 172.18.x.x, which are from address ranges that are reserved for use within private networks. The analyst now realised these entries came from the internal PdVSA network, and not from communications over the public internet.
One of the most interesting details of this whole story is how NSA had been able to get access to PdVSA's internal network - which isn't told in the report by The Intercept, but only in the one from teleSUR...
Special Collection Service
After the analyst discovered that he was looking at information from the internal PdVSA network, he "fired off a few emails to F6 here and in Caracas, and they confirmed it!"
F6 is the NSA's internal designator for the Special Collection Service (SCS) units in which specialists from NSA and CIA cooperate against targets that require "close access". These units operate out of some 80 US embassies all over the world.
This means it was the SCS unit from the US embassy in Caracas that had been able to get access to the internal network of PdVSA. The story doesn't tell how they did this, but probably they found a way to secretly tap a network cable or switch over which the oil company's computer network runs. If this access was still active, it has now has certainly been compromised.
From an earlier revelation we know that the SCS unit in the US embassy in Berlin was responsible for eavesdropping on the (non-secure) mobile phone of German chancellor Merkel. Maybe that was also done by tapping a local telephone network, or by just intercepting the cell phone's airwave signals.
For such wireless interception operations, many US embassies have a rooftop structure that conceals sophisticated antenna and other eavesdropping equipment. Such a structure is also clearly visible on the roof of the US embassy in Caracas:
Back side of the US embassy in Caracas, with the rooftop structure
(Photo: Carlos Garcia Rawlins/Reuters - Click to enlarge)
After finding out the source of those PdVSA forms, the SIGDEV analyst started to coordinate his work with the F6 unit in Caracas. Apparently they fed data from their network access into XKEYSCORE, which is NSA's system to buffer, index and search internet communications, not only from large submarine cables, but also from smaller accesses, like from the SCS units.
This enabled the analyst at NSA headquarters to search through a rolling buffer of several days worth of content, which is especially useful to find files which aren't directly associated with hard selectors like e-mail addresses.
This resulted in "several juicy pdf documents" and one of them was eventually used for preparing a serialized report (number 3/OO/505480-11) dated January 2011 and titled "Venezuela State-Owned Oil Company Information Shows a Decrease in Overall Oil Thefts and Losses" - which doesn't sound like a trade secret that would benefit individual US oil companies, but on the other hand shows that such high-level accesses are also used for rather general intelligence information.
Through XKEYSCORE, the analyst also found over 900 username and password combinations of PdVSA employees, which he handed over to NSA's hacking division, Tailored Access Operations (TAO). With a username and password one doesn't have to "break in" into a network, which makes the access almost impossible to detect.
The analyst also provided TAO with some other data along with a targeting request, especially aimed at getting access to the e-mail boxes of the PdVSA board members.
It is not known whether this was successful, but The Intercept and teleSUR mention that in May 2011, which is two months after the analyst's story in SIDtoday, the US State Department announced sanctions to be imposed on PdVSA because it had delivered at least two cargoes of reformate (used to produce gasoline) to Iran between December 2010 and March 2011, worth approximately $ 50 million.
> See also: An NSA eavesdropping case study about targeting the presidents of Mexico and Brazil.