A systematic analysis of previously unreported NSA surveillance operations targeting Chinese defense contractors, Mexican law enforcement, and Iranian infrastructure reveals the depth of Computer Network Exploitation capabilities documented in Snowden files.
The systematic examination of Edward Snowden's leaked documents continues to yield previously unreported intelligence operations, with the latest analysis revealing detailed evidence of NSA surveillance targeting major Chinese defense contractors, Mexican federal law enforcement, and Iranian transportation infrastructure. This comprehensive review, part of an ongoing archive project, demonstrates how careful scrutiny of published documents can uncover significant intelligence activities that received little to no public attention since the initial 2013 disclosures.
The XKEYSCORE Training Document: A Window into Active Hacking Operations
The document under examination is a 33-page internal NSA training presentation from October 15, 2009, demonstrating how analysts use XKEYSCORE to search and analyze data collected through Computer Network Exploitation (CNE). While presented as instructional material showing various search capabilities, the screenshots display real surveillance operations with identifiable targets and captured data.
The poor quality of the screenshots, with scrambled and difficult-to-read text, has likely contributed to why many documents haven't been studied more thoroughly in public. However, by examining context and surrounding text, the content can be inferred with high probability, revealing operations that have remained hidden for years.
Targeting Norinco: The Chinese Defense Contractor Operation
One of the most significant previously unreported findings involves evidence of NSA surveillance targeting Norinco, China North Industries Corporation. This state-owned defense contractor ranks among the world's top 100 defense companies by revenue and serves as a major exporter of military equipment to Pakistan, Iran, Venezuela, Zimbabwe, and dozens of other countries.
On page 18, a screenshot from XKEYSCORE's Metaviewer interface displays a "Histogram of @Domain" view showing email volume across 10 domain names. The query appears to be a converged search combining multiple distinct surveillance targets: Mexican federal agencies, Norinco-related domains, and two additional targets. This convergence demonstrates XKEYSCORE's ability to simultaneously analyze multiple surveillance operations.
The results table contains five entries from Norinco-related domains, all marked with the "CNE" highlight tag, indicating the data came from active hacking intrusions rather than passive network intercepts. Critically, all five entries share an identical "Chain" value, indicating this is a single email captured at multiple points as it traversed Norinco's email infrastructure.
The multiple domains represent the newsletter email's routing path through Norinco's network: businessmonitor.com (newsletter sender), bmi.msgfocus.com (newsletter delivery service), mail.ninco.cn (Norinco's mail server), zhenhuaoil.com (Norinco's subsidiary), and lms-ms-daemon (the default domain name for Sun Java Messaging Server commonly used in enterprise email infrastructure).
This indicates that NSA achieved deep network penetration with visibility across multiple servers and routing points within Norinco's corporate email infrastructure, not just a single interception point. The compromise extended to Zhenhua Oil, Norinco's oil exploration subsidiary, indicating enterprise-wide access.
The Redaction Failure: Exposing an NSA Agent
Most XKEYSCORE search interfaces display a welcoming message showing the analyst's internal NSA username. In this document, all usernames have been redacted from the screenshots except one left unredacted by mistake. On page 9, the username "cryerni" is visible in the screenshot.
This username most likely belongs to the NSA analyst who created the presentation. The seven-character length matches the redacted name on the first page, based on the surrounding unredacted font. This type of redaction failure, while seemingly minor, provides insight into the human element behind these surveillance operations and the operational security practices within the agency.
Mexican Federal Law Enforcement Surveillance
The same XKEYSCORE Metaviewer screenshot that showed Norinco data also revealed surveillance of Mexican federal law enforcement from domains ssp.gob.mx (Secretaría de Seguridad Pública) and pfp.local (Policía Federal Preventiva). Email subjects included intelligence reports from Mexican federal police units in Baja California's border region and Ciudad Juárez.
"EII" likely stands for "Estructura de Información de Inteligencia" or similar internal reporting format. The dates and locations indicate daily intelligence reports from Mexican federal police units in Baja California's border region and Ciudad Juárez, one of Mexico's most violent cities during the peak of cartel warfare under President Felipe Calderón's military-led offensive against drug cartels.
NSA surveillance of these communications likely supported US counter-narcotics operations, identified compromised Mexican officials, and monitored cartel structures and government response capabilities. However, this represents surveillance of a nominal ally's law enforcement agencies without apparent Mexican government knowledge or consent.
All entries were marked "CNE," again indicating active computer compromise rather than passive intercept. This distinction is crucial as it demonstrates the NSA's willingness to actively compromise allied nations' computer systems for intelligence gathering.
Iranian Customs and Rail Infrastructure Compromise
Another interesting finding appears on page 17, showing document metadata extraction results with the name "Iran OP Customs and Rail Extracted Docs." The results table displays documents captured from a file path containing "lap top drive" and "Private Inbox," with all entries marked "CNE" in the Highlights column.
This indicates NSA compromised a portable computer likely belonging to someone working in Iranian transportation or customs infrastructure. The implant performed a complete directory walk and extracted Word documents from the user's private folders. This type of comprehensive data extraction demonstrates the depth of access achieved through CNE operations and the breadth of intelligence targets pursued by the NSA.
New Surveillance Program Codenames and Infrastructure
The document reveals several program codenames that don't appear in any other published Snowden documents or in previous reporting. These include:
TURBOCHASER - Described as an NSA database for "profiles" and "future tasking," appearing alongside MARINA (the well-documented NSA metadata repository). The name suggests rapid-cycling or high-speed processing of pursuit targets. Based on context, TURBOCHASER likely handled specific metadata types or geographic regions that MARINA didn't cover.
TUCKER - References suggest TUCKER is an exploitation framework comparable to UNITEDRAKE, the well-documented full-featured Windows implant. The document lists TUCKER's sub-projects including OLYMPUS, EXPANDINGPULLY, and UNIX, indicating TUCKER was a platform hosting multiple specialized payloads and/or (post-)exploitation tools.
SHADOWQUEST, WAYTIDE, GREENCHAOS - These appear as collection source identifiers in the document, shown as input sources feeding CNE data into XKEYSCORE. Notably, FOXACID, the well-documented NSA exploit server system used to deliver malware to targets, also appears in this context with the suffix FOXACID6654, suggesting it functioned not just as an exploitation delivery mechanism but also as a collection source identifier once targets were compromised.
The input sources shown include FOXACID6654 collecting wireless survey data, SHADOWQUEST35 collecting wireless survey data, WAYTIDE1173 collecting wireless intelligence, and GREENCHAOS15 as the source of the Chinese keylogger data. The numeric suffixes likely designate specific servers or operational instances, possibly corresponding to geographic regions, operational theaters, or specific TAO teams.
Detailed Capabilities: From HTTP Surveillance to Keylogging
The document showcases several detailed cases of NSA's CNE capabilities, confirming and adding specific context to techniques that have been reported on more generally since 2013.
FOGGYBOTTOM: HTTP Activity Surveillance - Pages 19-20 showcase FOGGYBOTTOM for monitoring HTTP activity captured through CNE operations. This computer implant plug-in records logs of internet browsing histories and collects login details and passwords used to access websites and email accounts.
The surveillance captured detailed browser activity of a target identified by case notation YM.VALAGWAADTC (Yemen) on October 14, 2009. The system captured multiple Facebook login attempts, Arabic-language Facebook browsing, Saudi Arabian Google searches, Yemeni news sites, and Arabic sports forums.
Critically, since this data comes from a CNE implant running on the compromised computer itself – not passive network interception – it captures web traffic before encryption occurs. The implant sees the browsing data whether the connection uses HTTP or HTTPS, providing complete visibility into all browsing activity including encrypted sessions that would be opaque to network-level surveillance.
Windows Registry Surveillance - Page 26 demonstrates XKEYSCORE's capability to search and analyze Windows registry data extracted from compromised machines. The screenshots show registry queries returning UserAssist keys, Windows registry entries that record every program a user has executed, how many times, and when they last ran it.
This data, maintained by Windows for user interface optimization, becomes a detailed forensic record when captured by NSA implants. The ability to access this information provides comprehensive insight into a target's computing habits and potentially reveals patterns useful for further exploitation.
Multi-lingual Keylogger Capabilities - Pages 24-25 demonstrate XKEYSCORE's keylogger capabilities with actual captured keystrokes from a compromised computer identified as GREENCHAOS15 in China. The target was using QQ.exe (China's largest instant messaging platform owned by Tencent), Microsoft Excel, and Microsoft Access.
The keylogger captured complete Chinese character input, control key sequences, hexadecimal codes for special characters, window titles showing conversation participants, and even deleted text and editing actions. In Excel, the system recorded every keystroke including numerical entries, navigation inputs, and cell references.
The target appeared to be an office worker handling administrative tasks related to China's 3C certification system (China Compulsory Certificate for product safety/quality). This demonstrates NSA's ability to capture multi-lingual keystrokes across all applications with complete context preservation.
"vpn in docs" Keyword Scanning - The document also demonstrates how XKEYSCORE uses a generic "tech strings" search to automatically identify and flag arbitrary keywords that an analyst queries. This feature functions as a catchall system for finding terms of interest in data streams that lack a more specific parser.
The examples show XKEYSCORE tagging the strings "vpn" and "pptp" inside a wide variety of captured data, including the content of emails, the body of local documents, and other raw data payloads exfiltrated from implants. As nearly all entries are highlighted with "CNE," this reveals that NSA implants actively scan a target's private files and communications for these keywords.
The resulting intelligence allows analysts to discover a target's security posture, identify potential vulnerabilities, and find information such as credentials or server details that can be leveraged to gain access to privileged systems or map internal networks.
The Importance of Systematic Document Review
This document analysis reveals significant intelligence hiding in plain sight within the published Snowden documents. A detailed review can uncover significant, previously unreported intelligence operations, such as the CNE operation against a major Chinese defense contractor. These findings underscore the importance of systematic review of the documents.
However, it's important to acknowledge the inherent limitations of analyzing any single document in isolation. A single document analysis offers only a snapshot with limited context. The full picture of NSA operations requires examining multiple documents, understanding the relationships between different programs and capabilities, and recognizing the broader strategic objectives these operations serve.
The ongoing systematic review of Snowden documents continues to reveal the depth and breadth of NSA surveillance capabilities, the range of targets pursued, and the sophisticated technical means employed to achieve intelligence objectives. Each document examined adds to our understanding of the global surveillance apparatus and its impact on privacy, security, and international relations.
Comments
Please log in or register to join the discussion