Advertisement
FOIA

U.S. Counterintel Buys Access to the Backbone of the Internet to Hunt Foreign Hackers

Getting information from the NSA would take too long, according to internal documents from a counterintelligence agency. So it turned to Team Cymru to buy netflow data that can allow analysts to track activity through virtual private networks.
A photo of a Team Cymru video on Youtube.
A photo of a Team Cymru video on Youtube.
📄
This article was primarily reported using public records requests. We are making it available to all readers as a public service. FOIA reporting can be expensive. If you don't already, please consider subscribing to 404 Media to support this work.

A federal counterintelligence agency tracking hackers has bought data harvested from the backbone of the internet by a private company because it was easier and took less time than getting similar data from the NSA, according to internal U.S. government documents. According to the documents, going through an agency like the NSA could take “days,” whereas a private contractor could provide the same data instantly.

The news is yet another example of a government agency turning to the private sector for novel datasets that the public is likely unaware are being collected and then sold.

404 Media obtained the documents under a Freedom of Information Act (FOIA) request with the Defense Security Service (DSS)—now known as the Defence Counterintelligence and Security Agency (DCSA). According to procurement records, the agency has spent millions of dollars over several years on technology from cyber threat intelligence company Team Cymru.

🖥️
Do you know anything else about the sale or use of netflow data? I would love to hear from you. Using a non-work device, you can message me securely on Signal at +44 20 8133 5190. Otherwise, send me an email at joseph@404media.co.

Although Team Cymru obviously does not have the same capabilities as the NSA, one of the most powerful intelligence agencies in the world, the mention of the NSA in the procurement documents shows what can attract agencies to commercially purchase data rather than work with other parts of the government to obtain it—speed and ease of access. In some cases that can include data which may typically require a warrant, such as location data. The newly released documents also provide greater insight into what exactly some agencies want to use the internet data for, with the documents mentioning use cases that go beyond defending government networks.

The internal documents, which outline why DSS needed access to data, shows the agency went to a contractor that was an affiliate of Team Cymru which deals with public agencies. Team Cymru is a cybersecurity firm which harvests sensitive data through relationships with internet service providers (ISPs) without the informed consent of people or organizations using those ISPs. The sort of data that Team Cymru collects is called netflow, which can show what server communicated with another on the wider internet, and can potentially let analysts follow activity through virtual private networks. This sort of connection data may ordinarily only be available to the entity or individual that runs the server themselves or their ISP. Team Cymru, meanwhile, taps into a part of the internet that is invisible to most people but crucial for its functioning, collects that data, and then sells access to private industry and government agencies.

DSS writes in one part of the documents it is seeking the “ability to track malicious activity stemming from known foreign intelligence entities despite their attempts to obfuscate their activity,” providing more clarity on the use cases that some will see as legitimate exploitation of netflow data.

“Currently, forensic analysts spend a great deal of time attempting to de-conflict attacker IP addresses and domain names with ongoing attacks across the federal government,” one of the documents reads. “This process can be tedious and time consuming as there is no single source for deconfliction. Some sources that an analyst might check are US-CERT, NSA and various task force resources.” US-CERT is the country’s Computer Emergency Readiness Team, a defensive organization within the Department of Homeland Security.

“These sources are not ‘look up’ kinds of services and often entail making a request and waiting (sometimes for days) for a definitive response. As time passes, the potential for damage to the DSS and the cleared contractors increases,” the document continues.

DSS said it required access to a service that would let it target people “who are planning attacks, insider threats, laundering money, compromising systems, or discussing ways to exploit vulnerabilities.” Whether Team Cymru’s data would actually be useful for some of those other use cases is less clear, but those are some of the situations that DSS was seeking a solution to.

A screenshot of one of the documents explaining that getting information from NSA can take days.
A screenshot of one of the documents. Image: 404 Media.

As I’ve previously reported, Team Cymru’s primary product has been sold under the name Augury, which makes netflow and other data types available to analysts. The sale of netflow data is something of an open secret in the cybersecurity world. Multiple sources in the industry have told me netflow can be a useful tool for investigators to track down where hackers are launching attacks from. But its trade also makes some people in that same industry nervous, concerned that this data could fall into the wrong hands. At the time I granted those sources anonymity to speak about sensitive industry practices.

I’ve previously found that the IRS wanted to buy Team Cymru’s monitoring tool, and that the U.S. Navy, Army, and Cyber Command have collectively paid millions to access the tool. The FBI and Secret Service also have contracts with Argonne Ridge Group, the Team Cymru affiliate that handles contracts with public agencies.

I also previously reported that Senator Ron Wyden was contacted by a whistleblower about the alleged warrantless use and purchase of Team Cymru’s data by NCIS, a civilian law enforcement agency that is part of the Navy. That whistleblower contacted Wyden after already filing a complaint through the official reporting process at the Department of Defense, according to a letter Wyden sent to the Inspector General that I published at the time.

A screenshot of one of the documents explaining that buying data is cheaper than an alternative of placing collectors around the world.
A screenshot of one of the documents. Image: 404 Media.

Giving a sense of Augury’s scale, in another part of the newly released documents the DSS lays out what it believes is one alternative to buying access to Augury—placing sensors across the world to collect such data itself.

“A comparative solution was roughly quantified by determining the planning, acquisition, deployment, serving and maintenance efforts in supporting the deployment of [redacted] flow collector appliances across the world to cover the Internet,” the document reads, before adding that this plan would cost “substantially more” than the service offered by Team Cymru.

DSS did not need to do that because Team Cymru already has a global network of sensors. “The network data includes data from over 550 collection points worldwide, to include collection points in Europe, the Middle East, North/South America, Africa and Asia, and is updated with at least 100 billion new records each day,” a U.S. government procurement record I previously found reads. In all Augury provides access to “petabytes” of data, the record says.

One of the DSS documents is a “market research” report, in which employees survey the wider industry for solutions that might meet the agency’s needs. As part of that, the report says that Team Cymru also offers integrations of its products with the data analytics platform Palantir.

Cindy McGovern, chief of communications at the DCSA, told 404 Media in an email that “At this time, we have nothing further to add to the information you received under FOIA.”

Team Cymru acknowledged a request for comment but did not provide a statement in time for publication.

Advertisement