The Swedish Kings of Cyberwar

Forget GCHQ. The Swedish National Radio Defence Intelligence Agency has some remarkable technical capabilities.

On April 24, 2013, just weeks before Edward Snowden went public with his leaks about mass surveillance by the National Security Agency, General Keith B. Alexander, then the head of the NSA, welcomed a group of Swedish intelligence officials to a secret three-day meeting at NSA headquarters.

FRA Signal Monitoring Site at Kåseberga

In the delegation were Ingvar Åkesson, the longtime director of Sweden’s National Defense Radio Establishment (known as the FRA, for Försvarets radioanstalt), a shadowy Swedish government intelligence agency, and five members of Åkesson’s senior staff. One of the aims of the meeting was to discuss Sweden’s growing importance to the NSA.

In a 2008 law, the FRA had been given expansive powers by the Swedish government to vacuum up all communications traveling over fiber optic networks into and out of Sweden, including e-mails, text messages, and telephone calls.

This was of great interest to the NSA, not least because a large percentage of Russian communications traveled through Sweden. In 2011, the Swedes began sharing their surveillance data with the NSA, which included, as NSA officials described it at the time of the meeting, a “unique collection of communications data on high-priority Russian targets such as leadership, internal politics, and energy.”

Noting the Swedish spy agency’s unusual technical abilities and reputation for secrecy, NSA officials also viewed it as an ideal collaborator on its hacking and cyberwarfare project, called Quantum.

One of the Quantum programs was an ambitious operation called WINTERLIGHT, which aimed at secretly hacking into high-value foreign computers and computer networks to obtain not only communications data but also any information stored on the hard drives or servers in question.

Possible targets might be the administrators of foreign computer networks, government ministries, oil, defense, and other major corporations, as well as suspected terrorist groups or other designated individuals. Similar Quantum operations have targeted OPEC headquarters in Vienna, as well as Belgacom, a Belgian telecom company whose clients include the European Commission and the European Parliament.

According to NSA documents, WINTERLIGHT was using a complex attack strategy to secretly implant a malware program on the targeted computer or network.

The NSA’s malware would then divert any signals between those computers and the Internet through “rogue” high-speed surveillance servers, called “FoxAcid” servers, allowing the NSA to access in stealth almost any of the user’s personal data, and even to tamper with data traveling from one user to another. The implications for both spying and offensive cyber operations were far-reaching.

Wired has described how the attack on the Belgian telecom was able to map out the digital footprints of chosen workers, identifying the IP [internet protocol] addresses of work and personal computers as well as Skype, Gmail and social networking accounts such as Facebook and LinkedIn. Then they set up rogue pages, hosted on FoxAcid servers, to impersonate, for example, an employee’s legitimate LinkedIn profile page.

Significantly, while WINTERLIGHT was a joint effort between the NSA, the Swedish FRA, and the British GCHQ, the hacking attacks on computers and computer networks seem to have been initiated by the Swedes.

The FRA was setting up the implants on targeted computer, known in NSA parlance as “tipping”, to redirect their signals to the surveillance servers, thus allowing the GCHQ and the NSA to access their data, in what are called “shots.” At the time of the April 2013 meeting, the NSA reported that “last month, we received a message from our Swedish partner that GCHQ received FRA QUANTUM tips that led to 100 shots.”

Since the extraordinary revelations that the Russian government sought to influence the 2016 US presidential election with information hacked from the computers of the Democratic National Committee and top Democratic officials, cybersecurity has become an urgent national priority.

As US officials point out, the DNC hacking is only the latest in an accelerating series of Russia-linked cyberattacks aimed at political and other institutions in the West, including the Estonian government and media in 2007, the German Bundestag in 2015, Ukraine’s power grid in 2015, and the Swedish media in March 2016.

Far less noted, however, has been the extent to which the US itself has coordinated with Sweden and other allies to develop hacking and surveillance tools that are far more advanced than the e-mail “phishing” strategies used in the recent Russian attacks. A major target of this technology is Russia itself.

NSA officials describe their Swedish counterparts as “extremely competent, technically innovative, and trusted,” and praised them for being “proficient in collecting a wide variety of communications.” Notably, the Swedish FRA had been given access to the NSA’s most powerful analytic tool, called XKeyscore, which, according to NSA documents, enables the retrieval from mass surveillance data of “nearly everything a user does on the Internet.”

The NSA further noted in its April 2013 report that the FRA “continues to gain access to more data from additional telecommunications companies” and that new Swedish legislation had also given the FRA expanded counterterrorism powers.

According to the American agency, the broad leeway given to the FRA had made Sweden a more reliable surveillance ally than Great Britain. One document about the NSA’s WINTERLIGHT program reports that “continued GCHQ involvement may be in jeopardy due to British legal/policy restrictions, and in fact NSA’s goal all along has been…a bilateral arrangement, with the Swedish partner.”

In early June 2013, less than six weeks after the Swedish delegation visited Fort Meade, the first reports on NSA spying based on the Edward Snowden leaks were published in The Guardian and The Washington Post.

Over the following weeks and months, Snowden’s revelations about the NSA’s global surveillance efforts, and in particular its bulk data collection program, called PRISM, set off a protracted debate in the United States and ultimately prompted Congress to implement new restrictions on the NSA in 2015.

Similar scrutiny was brought to bear on Britain’s GCHQ and its own program called TEMPORA, which aimed to tap directly into transatlantic fiber optic cables to intercept what The Guardian described as “vast quantities of global email messages, Facebook posts, internet histories and calls,” which it was sharing with the NSA. But the controversy mostly ended there.

In the account that emerged in the British and American press, the NSA and GCHQ programs were generally portrayed as dangerous aberrations, cases of vast intelligence overreach by the two most powerful governments in the Western alliance.

To the extent that continental European governments were mentioned, it was as victims of British and American spying: the targets of one or the other had included France’s presidential palace and, most notoriously, the cell phone of German Chancellor Angela Merkel.

But what if some European governments were themselves pursuing bulk data collection on private citizens, using the exact same methods, and perhaps with even less oversight?

More recently, the current Swedish government, led by the center-left Social Democrats, has acknowledged that Sweden is pursuing “offensive” cyberwarfare capabilities, which would include hacking, as well as technology to defend against cyberattacks.

“The Snowden documents confirmed that there is a very intense cooperation between Sweden and the US,” Mark Klamberg, a Swedish legal scholar who has written about the FRA law, told me. “At the top you have the NSA, and below that the GCHQ, and below that you have…Sweden.”

Nor was Sweden the only Scandinavian country to have embraced mass surveillance in the years before the Snowden revelations. Several NSA documents also mention the Norwegian Intelligence Service (NIS), and in December 2013, the Norwegian newspaper Dagbladet, working with the American journalist Glenn Greenwald, reported that Norway was providing the NSA with tens of millions of communications every month.

Secret government eavesdropping has a long history in Scandinavia. By virtue of its position on Europe’s northern flank with Russia and the east, the Scandinavian Peninsula was crucial to Western intelligence officials during the cold war, and both Norway and Sweden developed sophisticated signals intelligence programs.

According to NSA documents, the US agency has had close ties to Norwegian intelligence as far back as the 1950s. With Norway’s position as NATO’s northern bridgehead against the East, the relationship continued until the Gorbachev period.

A Norwegian newspaper recently described a listening post in Vardø, in the far north of the country along Norway’s border with Russia, as a “giant ear to the east.”

In late November 2016, noting that two Trump appointees in law enforcement and intelligence, Jeff Sessions as attorney general and Mike Pompeo as director of the CIA, are “leading advocates for domestic government spying,” Bloomberg News reported:

In a reversal of curbs imposed after Edward Snowden’s revelations in 2013 about mass data-gathering by the NSA, Trump and Congress may move to reinstate the collection of bulk telephone records, renew powers to collect the content of e-mails and other internet activity, ease restrictions on hacking into computers and let the FBI keep preliminary investigations open longer.

Among the many paradoxes of the recent US presidential election, one must surely be that a wave of anti-establishment, populist anger has brought to power a government that stands poised to embark on what could be the greatest expansion of secret state surveillance since the September 11 attacks.

If it does so, it may find itself in concert with some of the most open and advanced democracies in Europe.

NYBooks:   A Peek Into French Signals Intelligence:      FBI access to PRISM surveillance program expands:

 

« Rome: Cyber Spying Rings Security Bells
It Was Not All Bad News In 2016 »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

UK Cyber Week Expo & Conference

UK Cyber Week Expo & Conference

Award-winning event organiser ROAR B2B announces the launch of UK Cyber Week and its inaugural event on 4 and 5 April 2023 at the Business Design Centre, London.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ACI Worldwide

ACI Worldwide

ACI Worldwide powers electronic payments for more than 5,000 organizations around the world.

IT Security House

IT Security House

IT Security House is a leading European supplier of Cyber Security Intelligence and eCrime services.

Dragos

Dragos

Dragos has built the first industrial cybersecurity ecosystem, the ultimate security defense.

Red Balloon Security (RBS)

Red Balloon Security (RBS)

Red Balloon Security is a leading embedded device security company, delivering deep host-based defense for all devices.

Asseco Group

Asseco Group

Asseco Poland stands at the forefront of the multinational Asseco Group. We are a leading provider of state-of-the-art IT solutions in Central and Eastern Europe.

T-REX

T-REX

T-REX is a coworking space, technology incubator, and entrepreneur resource center for technology startups.

Research Institute in Secure Hardware and Embedded Systems (RISE)

Research Institute in Secure Hardware and Embedded Systems (RISE)

The UK Research Institute in Secure Hardware and Embedded Systems (RISE) seeks to identify and address key issues that underpin our understanding of Hardware Security.

LogicalTrust

LogicalTrust

LogicalTrust security testing specialists find the weakest points in your company and show you how to fix them step-by-step, as well as how to improve your security.

European Cyber Competence Network

European Cyber Competence Network

The purpose of the European Cyber Competence Network is to retain and develop the cybersecurity technological and industrial capacities of the EU necessary to secure its Digital Single Market.

i-Trace

i-Trace

i-Trace is securing IoT, protecting it from threats and building trust in the infrastructure of tomorrow using blockchain and artificial intelligence.

NTT Group

NTT Group

NTT offers agile, scalable technology services to bring it all together seamlessly, securely, and sustainably. We help you adopt a holistic security approach across your network, clouds, applications.

Appsec Phoenix

Appsec Phoenix

Appsec Phoenix is an end to end vulnerability management platform that focuses on workflows, threat feed, and real time data.

Creative ITC

Creative ITC

Creative ITC is a leading infrastructure and cloud enablement company. We design and deliver exceptional managed services and cloud solutions.

Akto

Akto

Akto, the plug & play API security platform. Discover your APIs, run tests and find business logic vulnerabilities at ludicrous speed.

LastPass

LastPass

LastPass provides award-winning password and identity management solutions that are convenient, effortless, and easy to manage.

Europol - European Cybercrime Centre (EC3)

Europol - European Cybercrime Centre (EC3)

The European Cybercrime Centre (EC3) was set up by Europol to strengthen the law enforcement response to cybercrime in the EU.