Across the world, people who work as system administrators keep computer networks in order ā and this has turned them into unwitting targets of the National Security Agency for simply doing their jobs. According to a secret document provided by NSA whistleblower Edward Snowden, the agency tracks down the private email and Facebook accounts of system administrators (or sys admins, as they are often called), before hacking their computers to gain access to the networks they control.
The document consists of several posts ā one of them is titled āI hunt sys adminsā ā that were published in 2012 on an internal discussion board hosted on the agencyās classified servers. They were written by an NSA official involved in the agencyās effort to break into foreign network routers, the devices that connect computer networks and transport data across the Internet. By infiltrating the computers of system administrators who work for foreign phone and Internet companies, the NSA can gain access to the calls and emails that flow over their networks.
The classified posts reveal how the NSA official aspired to create a database that would function as an international hit list of sys admins to potentially target. Yet the document makes clear that the admins are not suspected of any criminal activity ā they are targeted only because they control access to networks the agency wants to infiltrate. āWho better to target than the person that already has the ākeys to the kingdomā?ā one of the posts says.
The NSA wants more than just passwords. The document includes a list of other data that can be harvested from computers belonging to sys admins, including network maps, customer lists, business correspondence and, the author jokes, āpictures of cats in funny poses with amusing captions.ā The posts, boastful and casual in tone, contain hacker jargonĀ (pwn, skillz, zomg, internetz) and are punctuated with expressions of mischief. āCurrent mood: devious,ā reads one, while another signs off, āCurrent mood: scheming.ā
The author of the posts, whose name is being withheld by The Intercept, is a network specialist in the agencyās Signals Intelligence Directorate, according to other NSA documents. The same author wrote secret presentations related to the NSAās controversial program to identify users of the Tor browser ā a privacy-enhancing tool that allows people to browse the Internet anonymously. The network specialist, who served as a private contractor prior to joining the NSA, shows little respect for hackers who do not work for the government. One post expresses disdain for the quality of presentations at Blackhat and Defcon, the computer worldās premier security and hacker conferences:
It is unclear how precise the NSAās hacking attacks are or how the agency ensures that it excludes Americans from the intrusions. The author explains in one post that the NSA scours the Internet to find people it deems āprobableā administrators, suggesting a lack of certainty in the process and implying that the wrong person could be targeted. It is illegal for the NSA to deliberately target Americans for surveillance without explicit prior authorization. But the employeeās posts make no mention of any measures that might be taken to prevent hacking the computers of Americans who work as sys admins for foreign networks. Without such measures, Americans who work on such networks could potentially fall victim to an NSA infiltration attempt.
The NSA declined to answer questions about its efforts to hack system administrators or explain how it ensures Americans are not mistakenly targeted. Agency spokeswoman Vaneeā Vines said in an email statement: āA key part of the protections that apply to both U.S. persons and citizens of other countries is the mandate that information be in support of a valid foreign intelligence requirement, and comply with U.S. Attorney General-approved procedures to protect privacy rights.ā
As The Intercept revealed last week, clandestine hacking has become central to the NSAās mission in the past decade. The agency is working to aggressively scale its ability to break into computers to perform what it calls ācomputer network exploitation,ā or CNE: the collection of intelligence from covertly infiltrated computer systems. Hacking into the computers of sys admins is particularly controversial because unlike conventional targets ā people who are regarded as threats ā sys admins are not suspected of any wrongdoing.
In a post calling sys admins āa means to an end,ā the NSA employee writes, āUp front, sys admins generally are not my end target. My end target is the extremist/terrorist or government official that happens to be using the network some admin takes care of.ā
The first step, according to the posts, is to collect IP addresses that are believed to be linked to a networkās sys admin. An IP address is a series of numbers allocated to every computer that connects to the Internet. Using this identifier, the NSA can then run an IP address through the vast amount of signals intelligence data, or SIGINT, that it collects every day, trying to match the IP address to personal accounts.
āWhat weād really like is a personal webmail or Facebook account to target,ā one of the posts explains, presumably because, whereas IP addresses can be shared by multiple people, āalternative selectorsā like a webmail or Facebook account can be linked to a particular target. You can ādumpster-dive for alternate selectors in the big SIGINT trash canā the author suggests. Or āpull out your wicked Google-fuā (slang for efficient Googling) to search for any āofficial and non-official e-mailsā that the targets may have posted online.
Once the agency believes it has identified a sys adminās personal accounts, according to the posts, it can target them with its so-called QUANTUM hacking techniques. The Snowden files reveal that the QUANTUM methods have been used to secretly inject surveillance malware into a Facebook page by sending malicious NSA data packets that appear to originate from a genuine Facebook server. This method tricks a targetās computer into accepting the malicious packets, allowing the NSA to infect the targeted computer with a malware āimplantā and gain unfettered access to the data stored on its hard drive.
āJust pull those selectors, queue them up for QUANTUM, and proceed with the pwnage,ā the author of the posts writes. (āPwnage,ā short for āpure ownage,ā is gamer-speak for defeating opponents.) The author adds, triumphantly, āYay! /throws confetti in the air.ā
In one case, these tactics were used by the NSAās British counterpart, Government Communications Headquarters, or GCHQ, to infiltrate the Belgian telecommunications company Belgacom. As Der Speigel revealed last year, Belgacomās network engineers were targeted by GCHQ in a QUANTUM mission named āOperation Socialistā ā with the British agency hacking into the companyās systems in an effort to monitor smartphones.
While targeting innocent sys admins may be surprising on its own, the āhunt sys adminsā document reveals how the NSA network specialist secretly discussed building a āmaster listā of sys admins across the world, which would enable an attack to be initiated on one of them the moment their network was thought to be used by a person of interest. One post outlines how this process would make it easier for the NSAās specialist hacking unit, Tailored Access Operations (TAO), to infiltrate networks and begin collecting, or ātasking,ā data:
Aside from offering up thoughts on covert hacking tactics, the author of these posts also provides a glimpse into internal employee complaints at the NSA. The posts describe how the agencyās spies gripe about having ādismal infrastructureā and a āBig Data Problemā because of the massive volume of information being collected by NSA surveillance systems. For the author, however, the vast data troves are actually something to be enthusiastic about.
āOur ability to pull bits out of random places of the Internet, bring them back to the mother-base to evaluate and build intelligence off of is just plain awesome!ā the author writes. āOne of the coolest things about it is how much data we have at our fingertips.ā
Micah Lee contributed to this report.
ZNetwork is funded solely through the generosity of its readers.
Donate

