NSA Targets Sysadmins in Pursuit of “Keys to the Kingdom”

According to documents published by First Look’s The Intercept, members of the NSA and GCHQ have spent the past several years specifically singling out system administrators at various companies in order to gain access to the networks they manage for whichever outfit employs them at the time of the intrusion.

The information comes from an internal message board where many different members of the agency could gather to discuss issues. The document reveals the exact methods that agents could use to target and exploit the personal information of IT professionals who ran the internal networks at the selected company.

“My end target is the extremist/terrorist or government official that happens to be using the network some admin takes care of,” writes someone under the classification “S/SI//REL” (Secret, COMINT, releasable to Five Eyes partners), who goes on to explain it’s hard to access the infrastructure needed to track their prey.

“Who better to target than the person who already has ‘the keys to the kingdom’?” the author continues. “Many times as soon as I see a target show up on a new network, one of my first goals is, ‘Can we CNE [computer network exploitation] access to the admins on that network, in order to get access to the infrastructure that the target is using’?”

The primary method for locating the admins was through social media. The agency would run bots that could automatically trawl the web for particular job titles, personal connections, and online interests that might pin someone as a viable target.

Once the person they needed was found, the agency could extract a variety of valuable pieces of data from that person’s daily habits. Eventually the agency could use these patterns against the admin in order to subvert the security measures of whichever corporation happened to be in its crosshairs at the time.

This data includes, but is not limited to: network maps from their hard drive, full lists of customers (along with associated IP allocations), credentials from text files, and emails with upstream providers detailing how their network is connected to the Internet at large.

At this point, it wouldn’t be out of the realm of sanity to assume that if you have a job in tech, you’ve probably been looked at by the agency in Maryland at least once or twice.