29 May 2019
Meltdown showed extent of NSA Surveillance - and other Tales from hundreds of Intelligence Documents
By Margot Williams, Henrik Moltke, Micah Lee, Ryan Gallagher
The Intercept


A computer workstation inside the NSA Threat Operations Center in Fort Meade, Md., on Jan. 25, 2006.
Photo: Paul J. Richards/AFP/Getty Images

THE PROBLEM HAD been brewing for nearly a decade, intelligence sources had warned, as the National Security Agency vacuumed up more and more surveillance information into computer systems at its Fort Meade, Maryland, headquarters: There just wasn’t enough power coming through the local electric grid to support the rate at which the agency was hoarding other people’s communications.

“If there’s a major power failure out there, any backup systems would be inadequate to power the whole facility,” a former NSA manager told the Baltimore Sun in August 2006.

“It’s obviously worrisome, particularly on days like today.”

It turns out that manager, and other sources quoted in the Sun piece, were even more correct than was publicly known at the time: The NSA had, just the prior month, already experienced a major power outage and been forced for the first time to switch over its most critical monitoring — its nerve center, the National Security Operations Center — to a backup facility in Augusta, Georgia, according to an internal report classified “secret.” The culprit: hot weather and electric company problems generating sufficient power, according to an article posted on the internal agency news site known as SIDtoday.

For the NSA, the relatively smooth handoff was a triumph. But the incident marked an important turning point, underlining how the NSA was collecting too much information for its facilities to handle. The agency would go on to build a massive data center in a barren stretch of Utah desert, estimated to be capable of holding billions of gigabytes of information.

Indeed, the story of the 2006 Fort Meade brownout is one of several stories of overwhelming mass surveillance to emerge from a review of 287 SIDtoday articles, provided by NSA whistleblower Edward Snowden. Other tales, collected below, include how an NSA intern working in the English countryside marked for killing or capture nine people in Iraq; how a secret team of NSA commandos deployed to foreign countries to break codes; and how the NSA spied on satellite internet systems in the Middle East.

The Intercept is publishing three other articles taken from this cache of documents, including an investigation by Henrik Moltke into how revolutionary intelligence pooling technology first used by the U.S., Norway, and other allies in Afghanistan spread to the U.S.-Mexico border — raising questions about over-sharing at home and abroad. In another article, Miriam Pensack reveals how the sinking of the Russian submarine Kursk in 2000 was closely monitored by Norwegian (and eventually U.S.) intelligence, which knew more about the tragedy than was initially revealed. And Murtaza Hussain shows how the NSA drew up new rules in response to a request from its Israeli counterpart, which had sought to use U.S. intelligence to target killings, apparently at Hezbollah.

NSA Commando Unit Promised “Any Target, Anywhere, Any Time”

In 1966, a new NSA project was hatched to figure out why an electronic signal under surveillance was “exhibiting parameters outside normal operating conditions,” as an NSA history later put it. Members of “WEREWOLF,” as the project was to be called, concluded that the equipment used to monitor the signal was causing the abnormalities.

The team behind WEREWOLF would go on to conduct other “special deployment” missions, but not before a change of cover name. The unit chief decided that WEREWOLF, atop a list of automatically generated possibilities, wasn’t quite right and, reading further down, settled on the more heroic-sounding “MUSKETEER.” At some point, the unit took on the credo “Any Target, Anywhere, Any Time.”

While technology, as well as the NSA’s mission, would change dramatically over the next 40 years, MUSKETEER teams would steadily “deploy on special collection and survey missions,” according to the NSA history, which ran in SIDtoday. They fixed signal monitoring problems, ran boutique surveillance operations from inside U.S. embassies, and surveyed transmissions in far-off places, often invited by other U.S. government entities.

In more colorful moments, they foiled an assassination attempt against a U.S. special operations commander in the Philippines and discovered vulnerabilities in a Russian-made anti-aircraft missile system, known as SA-6, as used by Bosnia during the Balkans conflict. The latter work resulted in the “neutralization of multiple batteries” of the missiles by U.S. fighter aircraft, according to the history. (The article does not mention whether MUSKETEER’s involvement was linked to the 1995 downing of U.S. fighter pilot Scott O’Grady by a Serbian SA-6 missile. The NSA was harshly criticized for failing to relay intelligence that could have prevented the shoot-down.)

Russian SA-6 self-propelled surface-to-air missiles systems, sans missiles, are loaded onto ships at a Russian military base in the Black Sea port of Batumi in Georgia, on Aug. 12, 2005. Photo: Seiran Baroyan/AP

One SIDtoday article recounts how a MUSKETEER team, having deployed to the U.S. embassy in Beijing, struck gold during a survey of Wi-Fi signals from “the embassies of India, Singapore, Pakistan, Colombia, and Mongolia.” At the Indian Embassy, the team discovered that someone, possibly sponsored by the Chinese government, had hacked computers inside and was transmitting “approximately 10 sensitive diplomatic documents” every day (“often Microsoft Office-compatible files or Adobe PDF documents”) to drop boxes on the “public internet.” The NSA began regularly collecting the information from these drop boxes for itself and “analyzing the Indian Embassy’s diplomatic communications,” according to SIDtoday.

Later, by analyzing “how the Chinese conduct computer-to-computer (C2C) operations against foreign targets,” the team was able to find hacking by China “in several other locations.”

This type of operation, in which a spy agency piggybacks off the work of a different spy agency against a shared target, is referred to as “fourth-party collection.”

Snooping on diplomatic communications is a violation of Article 27 of the 1961 Vienna Convention on Diplomatic Relations, which states that “the official correspondence of the mission shall be inviolable.”

Angela Merkel, chancellor and chair of the German Christian Democrats, attends a reception in Berlin, on Dec. 16, 2013.
Photo: Sean Gallup/Getty Images

The Secret History of the NSA’s Joint Venture with the CIA

A two-part interview in SIDtoday provides new details about the Special Collection Service, the covert NSA joint effort with the CIA to collect signals intelligence from U.S. embassies abroad. The revelations include information on SCS’s history and examples of its missions.

Der Spiegel disclosed important details about SCS in 2013 using Snowden documents, including that SCS tapped the mobile phone of German Chancellor Angela Merkel.

Before SCS was created in 1979, the NSA and CIA ran independent, covert signals intelligence programs — sometimes “at opposite ends” of the same building — serving different missions, the director and deputy director of SCS told SIDtoday in the interview. Congress intervened, directing the CIA and NSA to run the SCS program together, presumably to save money and avoid duplicated efforts.

Since then, the number of SCS sites has ebbed and flowed depending on budgets and operational needs. In 1988, before the Berlin Wall came down, SCS reached a peak of 88 sites worldwide, the director said. In the following years, the number decreased, only to drastically increase in the aftermath of 9/11, when no fewer than 12 new sites were added. At one point, the SCS Caracas site was shut down when it was no longer needed, only to be reopened when “anti-American Venezuelan President” Hugo Chávez was elected in 1998.

A separate SIDtoday article, written by two NSA managers, described an SCS operation conducted against Venezuelan communications. For years, an NSA facility in Yakima, Washington, had been spying on Venezuelan satellite signals, but the “large regional satellite beams” visible from there provided “only moderately successful results.” So agents from SCS, along with an NSA analyst from Yakima, traveled to an undisclosed location, presumably close to or in Venezuela, for a clandestine three-week survey of narrow “spot beam” satellite signals sent to the country. As they collected data from over 400 newly discovered signals, team members sent this information back to analysts in Yakima, as well as San Antonio, Texas, where “dozens of links carrying traffic for Venezuelan targets of interest” were discovered.

The most important SCS site is probably its headquarters, located in an “attractive (…) rural location outside Laurel, MD,” according to the interview. While the address of the “tree-lined corporate campus” was included in James Bamford’s 2008 book “The Shadow Factory,” and is identified as “Special Collection Service” on Google Maps, the SIDtoday article is the first public document confirming the existence of the joint NSA-CIA facility.

“You can’t tell NSAers and the CIA people here apart” as all SCS staff wear “purple badges, a sign of our status as a joint organization,” Ron Moultrie, the deputy SCS director, told SIDtoday.

The CIA uses SCS sites as places from which to monitor foreign intelligence services as they attempt to track CIA assets, a practice known as counterintelligence, according to the SCS directors. The NSA, meanwhile, uses SCS sites as a “platform” for a number of operations, including computer hacking, carried out in 2006 by a unit known as Tailored Access Operations (and today called Computer Network Operations).

Throughout the nine years of the SIDtoday archive, SCS is promoted as an assignment for those with “a sense of adventure” and a taste for “attractive” locations. Sometimes, as was the case at SCS Damascus on September 12, 2006, things get “a little hectic.”

According to a firsthand account by an SCS staffer of an attack on the U.S. Embassy in Damascus, published in SIDtoday, the sound of an explosion sent the SCS staff into lockdown mode and triggered “full emergency destruction” preparations. The attack was eventually subdued by Syrian security forces and the attackers killed. One casualty was SCS’s microwave search system: Bullets penetrated “maintenance sheds” on the embassy roof, which were actually concealing SCS antennas. One slug “severed a control cable” for the microwave searcher, “rendering the antenna inoperable,” according to SIDtoday.

The SCS staffer’s account stated that “two explosive-laden cars” were involved in the attack.

Publicly available media reports describing the incident painted a dark picture of what would have happened if a truck “loaded with pipe bombs strapped to large propane gas canisters outside the embassy” had not failed to detonate.

Former U.S. Vice President Dick Cheney, left, meets with Lithuanian President Valdas Adamkus at the presidential palace in Vilnius, Lithuania, on May 3, 2006. Photo: Shawn Thew/AFP/Getty Images

NSA Pioneers Use of “Stingray” Cellphone Spy Towers

In May 2006, the NSA made an early — and largely fruitless — attempt to use so-called Stingray devices to monitor local mobile phone conversations in Lithuania’s capital city of Vilnius, where Vice President Dick Cheney had traveled to attend a conference with regional leaders, according to an account in SIDtoday.

Stingrays mimic cellphone towers, tricking mobile phones into connecting to them instead of to legitimate towers. This allows the Stingrays to intercept calls and texts. Two NSA linguists, as part of an SCS team, used this Stingray-type device to try and eavesdrop on local cellular networks. They did not have much luck; SIDtoday noted that the device “did not provide a capability against the primary cellular systems found,” although agents were able to identify “relevant airport communications and police networks.”

It is not clear if the effort violated laws against wiretapping in Lithuania, a U.S. ally and member of NATO.

Unlike similar operations in which “teams need to work from unsecured hotel rooms or out-of-the-way locations such as unimproved attics,” SIDtoday said, this team worked from the comfort of a shielded enclosure within the U.S. Embassy, from which they could survey the “local wireless and [radio frequency] environment.”

Beginning a few days before Cheney landed in Vilnius, the SCS team monitored police communication 24 hours a day looking for “any indications of threats or problems on which the Secret Service might need to act.”

It didn’t find any.

Weather Takes Down NSA Headquarters

In summer 2006, a heat wave rendered the intelligence nerve center within the NSA’s headquarters inoperable. As the record-setting wave toasted the East Coast and brought triple-digit temperatures to the spy agency’s home in Fort Meade, Maryland, conditions “in the Baltimore area and problems with Baltimore Gas and Electric power generation caused server and communications failures around the NSA Washington complex,” SIDtoday reported. For the first time, the agency’s time-sensitive watch center functions were taken over by a backup installation of the National Security Operations Center at Fort Gordon in Augusta, Georgia.

The story of the NSA’s overall struggle to supply power to Fort Meade was reported by the Baltimore Sun around the time of the outage. Author James Bamford further discussed the issue in his book “Body of Secrets,” noting that energy problems at the NSA dated to the late 1990s and seemed to be coming to a head by 2006. Bamford wrote that abundant power and a “less vulnerable” electric grid in Texas led the NSA to decide in 2007 to place a new data center there.

But the 2006 outage and the switchover to Fort Gordon are revelations.

The National Security Operations Center, or NSOC, operates 24 hours a day, seven days a week, managing critical functions concerning possible foreign threats to national security.

What could have been a calamity was avoided by the emergency switch over to NSA Georgia, located at the Fort Gordon Army base near Augusta. On August 1, 2006, a backup high-priority operations center there, codenamed DECKPIN, was activated at 4:00 Zulu (Greenwich Mean Time), according to the SIDtoday story, written by the DECKPIN coordinator at Fort Gordon. Four hours later, Baltimore-area power was stabilized, and operations switched back to the NSOC at Fort Meade. The Georgia staff was put on standby again on August 3, “to ensure availability while the [electric company] work was completed.” The NSA around this time was Baltimore Gas and Electric’s biggest customer, using the same amount of power as half the city of Annapolis, according to Bamford.

Since 2006, new NSA facilities in Texas, Hawaii, Georgia, and Utah are sharing the load of the agency’s enormous power requirements.

U.K. Base, and NSA Intern, Facilitated Death or Capture of “Chicken Man” and Other Iraq Militants

In mid-2006, the NSA was closely watching a “most wanted” militant organization with a presence in Iraq, known as the Moroccan Islamic Fighting Group. The agency was struggling to eavesdrop on the group’s communications, which it said had led to a “critical gap” in intelligence.

However, the NSA got lucky when an intern working at the agency’s Menwith Hill surveillance base in England uncovered a network associated with the group. By tracking the communications of an Algerian bombmaker associated with the Moroccan organization, the NSA was able to identify other Islamist fighters working to manufacture explosives in Iraq, according to a July 2006 SIDtoday article. The NSA discovered chatter between militants, who were apparently fighting with the Moroccan jihadis against the U.S. and its allies in Iraq. One of the militants on an intercepted phone call referred to “chickens” falling from the sky, an apparent coded reference to the downing of U.S. helicopters that previous May. The man on the phone call became known to the NSA as “Chicken Man,” and his communications proved invaluable to the U.S. spies who were listening in.

The NSA passed the intelligence it gathered from the phone calls to U.S. forces in Iraq. The analysts at Menwith Hill — working with NSA employees at the agency’s base in Augusta, Georgia — continued to keep tabs on the jihadis. Then, between May 23 and May 25, 2006, the U.S. military launched operations that resulted in the killing and capture of nine mostly foreign fighters, including Chicken Man, according to the SIDtoday article.

Menwith Hill is the NSA’s largest overseas surveillance base and continues to play a key role in U.S. military operations around the world. As The Intercept has previously reported, the spy hub has been used to aid “a significant number of capture-kill operations” across the Middle East and North Africa, according to NSA documents, and is equipped with eavesdropping technology that can vacuum up more than 300 million emails and phone calls a day. Human rights groups and some British politicians have demanded more information about the role of Menwith Hill in controversial U.S. drone strikes and other lethal operations, arguing that the base is unaccountable to British citizens and is shrouded in too much secrecy.

Menwith Hill Station, located about nine miles west of the small town of Harrogate in North Yorkshire, is a vital part of the NSA’s sprawling global surveillance network. Photo: John Giles/PA Images/Getty Images

Breakthroughs in Locating Internet Cafes in Iraq

During the Iraq War, suspected insurgents often accessed the internet from public computers at internet cafes, as previous SIDtoday reporting described. Even when the NSA could intercept internet traffic from a cafe, the agency couldn’t always determine where the cafe was located. But in 2006, the NSA had two separate breakthroughs in how it conducted surveillance against internet service providers in Iraq, allowing it to pinpoint the exact location of many more cafes.

“We’ve had success in targeting cafes over the past year,” a July 2006 article stated, “but until recently there was a major gap in our capabilities.” The network run by a popular provider of internet service to cafes across Iraq was so complicated that, even when analysts knew the IP addresses of the cafes, they couldn’t narrow down their locations beyond what city they were in.

By surveilling satellite signals, and with the help of hackers at a division known as Tailored Access Operations, the NSA managed to intercept the internet service provider’s customer database. The agency also installed its system for searching signals intelligence, XKEYSCORE, at a new field site in Mosul, allowing it to conduct bulk surveillance of internet traffic traveling through the region. With the knowledge of who the ISP’s customers were, combined with internet surveillance, “previously un-locatable cafes have been found and at least four ‘wanted’ [alleged] terrorists have been captured.”

Another SIDtoday article, from December 2006, credited analysts working in the NSA’s British base at Menwith Hill with locating internet cafes in the Iraqi city of Ramadi that were allegedly used by associates of Al Qaeda leader Abu Ayyub Al-Masri. It did this through an initiative known as GHOSTHUNTER, which mapped locations of small, “VSAT” satellite dishes throughout the region.

“Terminals from the current top three VSAT technologies in the Middle East — DirecWay, Linkstar, and iDirect — have all been successfully located as part of the GHOSTHUNTER initiative,” the article said, including 150 terminals “on networks of interest… in Baghdad, Ramadi, and neighboring cities.”

Intellipedia: the Intelligence Community’s Classified Wiki

A November 2006 article in SIDtoday described Intellipedia, a wiki for analysts throughout the intelligence community, with information limited based on clearance level. At the time, the tool had “only about 20 registered users” from the NSA, compared with over 200 at the CIA, which had been leading the charge to promote the wiki, even offering staff a six-day sabbatical to study it and other collaboration tools.

After hearing “rave reviews” about the CIA’s Intellipedia sabbatical, plans to adopt the training for NSA employees were in the works, according to an early 2007 article, and one of the CIA’s Intellipedia “pioneers” gave presentations to NSA analysts about the platform.

On January 28, 2014, the top-secret version of Intellipedia had 255,402 users and 113,379 pages; the secret version had 214,801 users and 107,349 pages; and the unclassified version had 127,294 users and 48,274 pages, according to the NSA’s response to a Freedom of Information Act request.

As part of an investigation into cyberattacks that target hardware supply chains, The Intercept published multiple top-secret Intellipedia wiki pages. These include the “Air-Gapped Network Threats” page, the “BIOS Threats” page, and the “Supply Chain Cyber Threats” page.

According to SIDtoday, Intellipedia was introduced alongside two other tools to bring classified information into the internet age: a classified instant messaging system linking the NSA, CIA, and other intelligence agencies, as well as a blog platform “for sharing your knowledge and your point of view with others.”

Global Network