
Wednesday, December 23, 2015

Leaked documents that were not attributed to Snowden


(Latest UPDATE: October 14, 2016)

Since June 2013, numerous top secret documents from the American signals intelligence agency NSA and its British counterpart GCHQ have been disclosed. The overwhelming majority of them came from the former NSA contractor Edward Snowden.

But what many people probably didn't notice is that some of these documents (some of them very compromising and embarrassing for NSA) were not provided by Snowden, but by other leakers.

Often, the press reports didn't mention that very clearly, and it was only because such documents were not attributed to Snowden that it became clear they apparently came from someone else.

So far, the following classified documents have been disclosed without having been attributed to Snowden:

- Chancellor Merkel tasking record
- TAO product catalog
- XKEYSCORE rules: TOR and TAILS
- NCTC watchlisting guidance
- NCTC terrorist watchlist report
- XKEYSCORE rules: New Zealand
- Ramstein AFB supporting drone operations
- NSA tasking & reporting: France
- NSA tasking & reporting: Germany
- NSA tasking & reporting: Brazil
- NSA tasking & reporting: Japan
- Chinese cyber espionage against the US
- XKEYSCORE agreement between NSA, BND and BfV
- The Drone Papers
- Cellphone surveillance catalogue
- US military documents: Iraq and Afghanistan
- NSA tasking & reporting: EU, Italy, UN
- TAO hacking tools leak

- Some thoughts on the form of the documents
- Some thoughts on the motives behind the leaks
- Conclusion


Document collections

The most user-friendly collection of all the leaked documents can be found on the website IC Off The Record (which started as a parody on IC On The Record, the official US government website on which declassified documents are published).

Other websites that collect leaked documents related to the Five Eyes agencies, so from Snowden as well as from other sources, are FVEY Docs and Cryptome. The Snowden-documents are also available and searchable through the Snowden Surveillance Archive.


Domestic US leaks

Here, only leaks related to foreign signals intelligence and related military topics will be listed. Not included are therefore documents about American domestic operations, like for example several revelations about the DEA.

Also not included are stories based upon leaks of information without original documents being published, like for example about NSA's interception efforts against Israel.



- Documents not attributed to Snowden -


Chancellor Merkel tasking record

On October 23, 2013, the German magazine Der Spiegel revealed that the NSA may have eavesdropped on the cell phone of chancellor Merkel. This was based upon "the excerpt from an NSA database about Merkel's cell phone", which the magazine received. A journalist from Der Spiegel made a transcription of the database record, and later on, a copy of this transcription was printed in some German newspapers.
Glenn Greenwald confirmed that this information didn't come from the Snowden archive, and Bruce Schneier was also convinced that this came from a second source.

Articles:
- Kanzler-Handy im US-Visier? Merkel beschwert sich bei Obama
- NSA-Überwachung: Merkels Handy steht seit 2002 auf US-Abhörliste

Document:
- Transcript of an NSA database record (http://lasvegasin.blogspot.com/2014/12/update-on-tapping-german-chancellor.html#transcription)


> See also: Update on tapping German chancellor Merkel's phone (http://lasvegasin.blogspot.com/2014/12/update-on-tapping-german-chancellor.html)




TAO product catalog

On December 29, 2013, the German magazine Der Spiegel published a 50-page catalog from the ANT-unit of NSA's hacking division TAO. It contains a wide range of sophisticated hacking and eavesdropping techniques. The next day, Jacob Appelbaum discussed them during his presentation at the CCC in Berlin.
According to Bruce Schneier this catalog came from the second source, who also leaked the Merkel tasking record and the XKEYSCORE rules.

Article:
- Shopping for Spy Gear: Catalog Advertises NSA Toolbox

Document:
- ANT Product Catalog (SECRET/COMINT)




XKEYSCORE rules: TOR and TAILS

On July 3, 2014, the German regional television magazine Reporter disclosed the transcripts of a set of rules used by the NSA's XKEYSCORE system to automatically execute frequently used search terms, including correlating different identities of a certain target.
According to Bruce Schneier, these rules could have been leaked by the second source, which also provided the Merkel tasking record and the TAO catalog.

Article:
- NSA targets the privacy-conscious

Document:
- Transcript of XKeyscore Rules (classification not included)




NCTC watchlisting guidance

On July 23, 2014, the website The Intercept published a manual from the US National CounterTerrorism Center (NCTC) with rules and indications used for putting people in terrorist databases and no-fly lists.
The Intercept says this document was provided by a "source within the intelligence community".

Article:
- The Secret Government Rulebook for Labeling You as a Terrorist

Document:
- March 2013 Watchlisting Guidance (UNCLASSIFIED/FOUO)




NCTC terrorist watchlist report

On August 5, 2014, The Intercept published a report from the US National CounterTerrorism Center (NCTC) about terrorist watchlists and databases.
Just like the previous document, this was also obtained from a "source within the intelligence community". Bruce Schneier says this report is from August 2013, which is well after Snowden had fled the US, and therefore he assumes it was leaked by a third source.

Article:
- Watch Commander - Barack Obama’s Secret Terrorist-Tracking System, by the Numbers

Document:
- Directorate of Terrorist Identities (DTI) Strategic Accomplishments 2013 (SECRET/NOFORN)




XKEYSCORE rules: New Zealand

On March 14 and March 22, 2015, The New Zealand Herald published transcripts of two sets of XKEYSCORE fingerprints that define targets of the New Zealand signals intelligence agency GCSB. They were not attributed to Snowden, although in the weeks before, New Zealand media published several other documents that did come from the Snowden cache.

Articles:
- Revealed: The names NZ targeted using NSA's XKeyscore system
- How spy agency homed in on Groser's rivals

Documents:
- Fingerprint about the WTO (TOP SECRET/COMINT)
- Fingerprint about the Solomon Islands (TOP SECRET/COMINT)


> See also: New Zealand and XKEYSCORE: not much evidence for mass surveillance (http://lasvegasin.blogspot.com/2015/03/new-zealand-and-xkeyscore-not-much.html#gcsb-cable)




Ramstein AFB supporting drone operations

On April 17, 2015, The Intercept and Der Spiegel published a series of slides showing the infrastructure which is used for operating drones, for which the US base in Ramstein, Germany, acts as a relay station.
In the film Citizenfour we see Glenn Greenwald visiting Snowden in Moscow, telling him there's a new source which revealed the role of Ramstein AFB in the drone program.

Articles:
- Germany is the Tell-Tale Heart of America's Drone War
- Bündnisse: Der Krieg via Ramstein

Document:
- Architecture of U.S. Drone Operations (TOP SECRET/REL)




NSA tasking & reporting: France

On June 23, 2015, Wikileaks, in collaboration with the French paper Libération, the German newspaper Süddeutsche Zeitung and the Italian paper l'Espresso, published the transcript of entries from an NSA tasking database, as well as intelligence reports about high-level French targets.

Articles:
- Espionnage Élysée
- Nsa, intercettati i presidenti francesi Francois Hollande e Nicolas Sarkozy

Documents:
- Top French NSA Targets (no classification available)
- Top French NSA Intercepts (up to TOP SECRET/COMINT-GAMMA)
- Economic Spy Order (SECRET/REL)


> See also: Wikileaks published some of the most secret NSA reports so far (http://lasvegasin.blogspot.com/2015/06/wikileaks-publishes-some-of-most-secret.html)




NSA tasking & reporting: Germany

On July 1, 2015, Wikileaks, in collaboration with Libération and Mediapart, Süddeutsche Zeitung and l'Espresso, published the transcript of entries from an NSA tasking database, as well as intelligence reports about high-level German targets.

Articles:
- NSA Helped CIA Outmanoeuvre Europe on Torture
- I dubbi di Angela Merkel sulla Grecia spiati dalla Nsa americana

Documents:
- Top German NSA Targets (no classification available)
- Top German NSA Intercepts (up to TOP SECRET/COMINT-GAMMA)




NSA tasking & reporting: Brazil

On July 4, 2015, Wikileaks published the transcript of entries from an NSA tasking database about high-level Brazilian targets. Unlike similar disclosures about France, Germany and Japan, no intelligence reports about Brazil were disclosed.

Article:
- Bugging Brazil

Document:
- Top Brazilian NSA Targets (no classification available)




NSA tasking & reporting: Japan

On July 31, 2015, Wikileaks, in collaboration with Süddeutsche Zeitung, l'Espresso, The Saturday Paper from Australia and the Japanese newspaper Asahi Shimbun, published the transcript of entries from an NSA tasking database, as well as intelligence reports about high-level Japanese targets.

Articles:
- Target Tokyo
- Wikileaks: 'Nsa spiava il governo giapponese. Sotto controllo anche Mitsubishi'

Documents:
- Top Japanese NSA Targets (no classification available)
- Top Japanese NSA Intercepts (TOP SECRET/COMINT)




Chinese cyber espionage against the US

On July 30 and August 10, 2015, NBC News published two slides about Chinese cyber espionage against over 600 US companies and government agencies, including access to the e-mail of top government officials since at least 2010.
This leak stands out because the slides are in digital form, and they support a story that shows the necessity of NSA, which seems to point to an authorized leak.

Articles:
- Exclusive: Secret NSA Map Shows China Cyber Attacks on U.S. Targets
- China Read Emails of Top U.S. Officials

Documents:
- China: Cyber Exploitation and Attack Units (SECRET)
- U.S. Victims of Chinese Cyber Espionage (SECRET)




XKEYSCORE agreement between NSA, BND and BfV

On August 26, 2013, the German newspaper Die Zeit published the transcript of the Terms of Reference (ToR) about the use of NSA's XKEYSCORE system by the German security service BfV.
Being a transcript and being about XKEYSCORE, this could be from the same source as the XKEYSCORE rules, but it's also possible it came from a source within a German government agency.

Article:
- A Dubious Deal with the NSA

Document:
- XKeyscore - the document (SECRET/COMINT)




The Drone Papers

On October 15, 2015, The Intercept published a series of documents with details about drone operations by the US military between 2011 and 2013.
In the film Citizenfour we see Glenn Greenwald visiting Snowden in Moscow, telling him there's a new source which revealed the role of Ramstein AFB in the drone program, including the chain of command diagram which is part of this batch of documents.

Articles:
- The Assassination Complex
- The Kill Chain

Documents:
- Small Footprint Operations 2/13 (SECRET/NOFORN)
- Small Footprint Operations 5/13 (SECRET/NOFORN)
- Operation Haymaker (SECRET/NOFORN)
- Geolocation Watchlist (TOP SECRET/COMINT)






Cellphone surveillance catalogue

On December 17, 2015, The Intercept published a range of pages from a classified catalogue containing cellphone surveillance equipment, including IMSI-catchers like Stingrays and DRT boxes.
Just like the NCTC reports, The Intercept obtained this document from a "source within the intelligence community".

Article:
- Stingrays - A Secret Catalogue of Government Gear for Spying on Your Cellphone

Document:
- Government Cellphone Surveillance Catalogue (SECRET/NOFORN)


> See also: DRTBOX and the DRT surveillance systems (http://lasvegasin.blogspot.com/2013/11/drtbox-and-drt-surveillance-systems.html)




US military documents: Iraq and Afghanistan

On February 14, 2016, the website Cryptome published a batch of Word documents and some PDF documents containing various US military manuals and policy papers regarding operations and activities in Iraq and Afghanistan.

Documents:
- Document Dump 16-0214, Batch 0001 (classified up to SECRET)




NSA tasking & reporting: EU, Italy, UN

On February 23, 2016, Wikileaks published the transcript of entries from an NSA tasking database, as well as intelligence reports about high-level targets from the European Union, Italy and the United Nations, including German chancellor Merkel and Israeli prime minister Netanyahu.

Articles:
- NSA Targets World Leaders for US Geopolitical Interests
- WikiLeaks reveals the NSA spied on Berlusconi and his closest advisors

Documents:
- EU Targets - EU Intercepts (TOP SECRET/COMINT)
- Italy Targets - Italy Intercepts (TOP SECRET/COMINT)
- UN Targets - UN Intercepts (up to TOP SECRET/COMINT-GAMMA)




TAO hacking tools leak

On August 15, 2016, a person or group calling itself Shadow Brokers published a large set of computer code for hacking tools attributed to the Equation Group, which is considered part of the NSA's TAO division.

Article:
- Everything you need to know about the NSA hack (but were afraid to Google)

Documents:
- NSA malware files (.zip-file via Cryptome)


> See also: Is the Shadow Brokers leak the latest in a series? (http://lasvegasin.blogspot.com/2016/08/is-shadow-brokers-leak-latest-in-series.html)





It is difficult to tell exactly from how many different leakers these documents come. The journalists involved will of course do everything to hide their source's identity, including creating distraction and confusion, but also creating the impression that many other leakers followed the example of Edward Snowden.



Some thoughts on the form of the documents

Content-wise the documents from the alleged other sources are not very different from the ones from Snowden. But what seems to distinguish them most, is their form, which is either digital, a transcript or scanned from paper.


Digital

Almost all documents that were attributed to Snowden came in their original digital form (with some very few exceptions that were scanned from paper). This makes it remarkable that only two documents from the other sources are in a similar digital form.

The first one is the famous TAO Product Catalog with hacking and eavesdropping techniques, which also given its content comes closest to the Snowden documents. Despite that, this catalog was never attributed to him.

The other leak in digital form consists of the two slides about Chinese cyber espionage, but these probably come from a source in support of the US government.


Transcripts

A number of other leaks didn't provide documents in their original form, but only transcripts thereof. This is the case for the following revelations:
- Chancellor Merkel tasking record
- XKEYSCORE rules: TOR and TAILS
- XKEYSCORE rules: New Zealand
- XKEYSCORE agreement between NSA, BND and BfV

The lists from an NSA tasking database with targets for France, Germany, Brazil and Japan are also transcripts, but for the intelligence reports, which Wikileaks published simultaneously, we have at least one example that is in its original format. All other ones came as transcripts.


Scanned from paper

All other documents that didn't come from Snowden look like they were printed out (some were even recognized as being double-sided) and scanned again. This is the case for:
- NCTC watchlisting guidance
- NCTC terrorist watchlist report
- Ramstein AFB supporting drone operations
- The Drone Papers
- Cellphone surveillance catalogue

This doesn't automatically mean they are all from the same source, as two of them are from the civilian NCTC and the other three are clearly from a military context.

We don't know when or where these documents were printed out: maybe it was done by the leaker, for whom it could have been easier to exfiltrate them as hard copy, than on a detectable thumb drive.

It's also possible that they were printed out by the press contact in order to make them look different from the Snowden documents. But on the other hand, publishing them in digital form would have made it more difficult to prove they were not from the Snowden cache.



Some thoughts on the motives behind the leaks

We can also take a look at the motives that could have been behind these leaks. Interestingly, these seem to correspond quite well with the different forms the documents have.


A second source

The disclosures of the transcriptions of the XKEYSCORE rules and the tasking database lists are quite far from being in the public interest. They are about legitimate targets of foreign intelligence and publishing them seems solely meant to discredit the NSA and/or damage US foreign relationships.

The same applies to the TAO Product Catalog, which contains devices and methods that are only used against "hard targets" that cannot be reached by other means, so this is not about spying on ordinary citizens, but does compromise valid US intelligence operations.

At first sight, one would assume that these documents were from the Snowden cache, but published by people like Appelbaum and an organization like Wikileaks, who have a more radical approach than Snowden himself, and maybe therefore could have pretended they came from another source.

However, both Greenwald and security expert Bruce Schneier said these documents were really provided by another leaker. Because a number of them were published by German media, Schneier guesses it might be "either an NSA employee or contractor working in Germany, or someone from German intelligence who has access to NSA documents".

If that's the case, then it's not only remarkable that there's a second source from within or close to NSA, but also that this source is apparently fine with leaking documents that show no abuses, but only seriously harm US interests - which is either treason, or the work of a hostile intelligence agency. Snowden at least acted from his concern about increasing mass surveillance on innocent civilians.


A third source

The documents that are scanned from paper are a somewhat different story. These are about issues that concern a wider range of people. For some of them, The Intercept even gives the reason why the source leaked them: for the cellphone surveillance catalogue it was because of a concern about militarization of domestic law enforcement.

For the drone papers, the source is cited saying: "This outrageous explosion of watchlisting [...] assigning them death sentences without notice, on a worldwide battlefield". Given that he mentions watchlists, it seems very well possible that this source actually also leaked the two NCTC reports about terrorist databases and watchlists.

Combining this with the fact that both the NCTC reports and the cellphone surveillance catalog were from a source "within the intelligence community" seems to confirm that all the documents that came as scanned from paper are from the same leaker - maybe someone from a military intelligence agency like the DIA.



Conclusion

Given these thoughts on the form of the leaked documents and the possible motives behind these leaks, it seems that they can be attributed to at least three other sources, besides Snowden:

Source nr. 1 (Edward Snowden)

Source nr. 2 (German NSA employee or hostile intelligence?)
- Chancellor Merkel tasking record
- TAO product catalog
- XKEYSCORE rules: TOR and TAILS
- XKEYSCORE rules: New Zealand
- NSA tasking & reporting France, Germany, Brazil, Japan
- XKEYSCORE agreement between NSA, BND and BfV (?)
- NSA tasking & reporting EU, Italy, UN

Source nr. 3 (someone from US military intelligence?)
- NCTC watchlisting guidance
- NCTC terrorist watchlist report
- Ramstein AFB supporting drone operations
- The Drone Papers
- Cellphone surveillance catalogue

Source nr. 4 (someone from the US government?)
- Chinese cyber espionage

Source nr. 5 (low-level military person)
- US military documents: Iraq and Afghanistan

Source nr. 6 (Harold Martin(?) + "Shadow Brokers")
- TAO hacking tools leak


Update:
On October 6, 2016, The New York Times reported that on August 27, 2016, the FBI arrested 51-year-old Harold T. Martin III, who worked at NSA as a contractor for Booz Allen Hamilton. In his home in Glen Burnie, Maryland, "many terabytes" of highly classified information were found, dating from the 1990s until 2014. Hal Martin was described as a hoarder, but so far, investigators are not sure he was also responsible for the various leaks that could not be attributed to Snowden.


Links and Sources
- LawfareBlog.com: Weaponized Wikileaks: Nick Reads Wikileaks So You Don't Have To (2015)
- Schneier.com: The US Intelligence Community has a Third Leaker (2014)

More comments on Hacker News

Wednesday, February 11, 2015

Snowden would not have been able to legally "wiretap anyone"


(UPDATED March 28, 2015)

During his very first interview, former NSA contractor Edward Snowden pretended that he, sitting behind his desk "certainly had the authorities to wiretap anyone, from you, or your accountant, to a federal judge, or even the President if I had a personal e-mail".

Right from the beginning, intelligence experts doubted that individual NSA analysts would have such far-reaching powers. By looking at the legal authorities and procedures that regulate NSA's collection efforts, it becomes clear that it is highly unlikely that Snowden, or other analysts could have done that in a legitimate way.


> This article is still subject to additions and corrections


Targeting US citizens under FISA authority

The National Security Agency (NSA) collects foreign signals intelligence outside the US, but in a few special cases, it is also allowed to collect data about US citizens or to collect data inside the US. This is shown in the following decision tree:



Diagram with a decision tree showing the various legal authorities
under which NSA can collect Signals Intelligence (SIGINT)


In the interview, Snowden was talking about wiretapping ordinary US citizens as well as US government officials. According to the Foreign Intelligence Surveillance Act (FISA) from 1978, the NSA is only allowed to monitor the communications of such US citizens, US residents or US corporations when they are suspected of espionage or terrorism.

If NSA thinks that's the case, then they have to apply for an individual warrant from the Foreign Intelligence Surveillance Court (FISC) by showing that there is probable cause that the intended target is an agent of a foreign power (section 105 FISA/50 USC 1805), or associated with a group engaged in international terrorism. Depending on the type of surveillance, the FISC then issues a warrant for a period of 90 days, 120 days, or a year.


Acquiring an individual FISA warrant

So, if Snowden really had the authority to wiretap ordinary Americans and US government officials even up to the President, then he would have had to provide probable cause that these people were either foreign agents or related to terrorist groups.

For the President this would only be imaginable in films or television series, and it would only apply to very few other Americans. In other cases the NSA would and will not get a FISA warrant to eavesdrop on US citizens or residents.

Snowden often said that he sees the FISA Court as a mere "rubber stamp" because it approves almost all requests from the intelligence agencies. However that may be, obtaining an individual FISA warrant isn't easy: a request needs approval of an analyst's superior, the NSA's general counsel, and the Justice Department, before it is presented to the FISA judge.



Collection under section 702 FAA

Maybe some people would ask: wouldn't it be easier to target US persons through the PRISM program (http://lasvegasin.blogspot.com/2014/04/what-is-known-about-nsas-prism-program.html), under which NSA collects data from major US internet companies like Facebook, Google, Yahoo, Microsoft?

The answer is no, despite the fact that PRISM is governed by section 702 of the FISA Amendments Act (FAA), which was designed to collect data faster and easier. As such, section 702 was enacted in 2008 to legalize the notorious warrantless wiretapping program, authorized by president George W. Bush right after the attacks of 9/11.

But what many people don't realize, is that the special authority of section 702 FAA can only be used to collect communications of non-US persons located outside the United States.

The NSA uses section 702 not only to gather data through the PRISM program, but also by filtering internet backbone cables operated by major US telecommunication providers, the so-called Upstream collection.




Section 702 FAA certifications

What makes section 702 FAA collection faster is that instead of an individual warrant from the FISA Court, NSA gets a general warrant for some specific topics, which is valid for one year.

For this, the US Attorney General and the Director of National Intelligence (DNI) annually certify that specific legal requirements for the collection of time-sensitive and higher volumes of data have been met and how these will be implemented.

These certifications are then reviewed by the FISA Court to determine whether they meet the statutory requirements, like hiding names and addresses of US citizens when their communications come in unintended. The court then issues an order that approves the certification.

Until now, we know of section 702 FAA certifications for three topics:
- Foreign Governments (FG, Certification 2008-A, including cyber threats?)
- Counter-Terrorism (CT, Certification 2008-B)
- Counter-Proliferation (CP, Certification 2009-C)

These certifications include some general procedures and specific rules for minimizing US person identifiers. They do not contain lists of individual targets. Maybe this contributed to Snowden's idea that analysts are always allowed to select targets all by themselves. But even then, this only applies to foreign targets and only to a few specific categories.


Dual authorities

In a report by The Washington Post from July 5, 2014, it was said that Snowden, in his final position as a contractor for Booz Allen at the NSA’s Hawaii operations center, had "unusually broad, unescorted access to raw SIGINT under a special ‘Dual Authorities’ role", which reportedly refers to both section 702 FAA (for collection inside the US) and EO 12333 (for collection overseas).

Those two authorities allowed him to search stored content and initiate new collection without prior approval of his search terms. "If I had wanted to pull a copy of a judge’s or a senator’s e-mail, all I had to do was enter that selector into XKEYSCORE", so he did not need to circumvent [access] controls, Snowden said to the Post.

So, when Snowden apparently had the 702 FAA and EO 12333 authorities, this means he wasn't authorized to target American judges or senators, in the sense of initiating real-time wiretapping, because for that the traditional FISA authority and a warrant from the FISC are needed. It looks like he confirms this by saying "If I had wanted to pull a copy of a judge’s or a senator’s e-mail", which sounds more like pulling such an e-mail from a database.

This also seems to be confirmed by the fact that Snowden points to XKeyscore for getting such e-mails. XKeyscore is mainly used to search data that already have been collected in one way or another, particularly at access points outside the US. The common way to start new surveillances (tasking) is through the Unified Targeting Tool (UTT, see below).


Back door searches

Indeed there's a legal way to search for communications of US persons in data that have already been collected: according to an entry in an NSA glossary published by The Guardian in August 2013, the FISA Court on October 3, 2011 allowed using certain US person names and identifiers as query terms on data already collected under 702 FAA:


This became known as "back-door searches". These queries might be questionable, but unlike the term "back-door" suggests, they are not illegal, as the practice was approved by the FISA Court. In a letter to senator Wyden from June 2014, DNI Clapper revealed that not only NSA, but also CIA and FBI are allowed to query already collected 702 FAA data in this way.

In August 2014, former State Department official John Napier Tye revealed that NSA is also allowed to use US person names to query data collected under EO 12333, but only those that have been approved by the Attorney General and for persons considered to be agents of a foreign power.


Back door search approvals

Clapper explained that "back door" queries are subject to oversight and limited to cases where there is "a reasonable basis to expect the query will return foreign intelligence". Querying by using US person identifiers is only allowed for data from PRISM, not from Upstream collection. In 2013, NSA approved 198 US person identifiers to be queried against the results of PRISM collection.

The PCLOB report (pdf) about 702 FAA operations says that "content queries using U.S. person identifiers are not permitted unless the U.S. person identifiers have been pre-approved (i.e., added to a white list) through one of several processes, several of which incorporate other FISA processes".

The NSA's Minimization Procedures from October 2011 also say that US person identifiers may only be used as query terms after prior internal approval (as is the case with such queries under EO 12333).

For such searches, NSA for example approved identifiers of US persons for whom there were already individual warrants from the FISA Court under section 105 FISA or section 704 FAA. US person identifiers can also be approved by the NSA’s Office of General Counsel after showing that using that US person identifier would "reasonably likely return foreign intelligence information". All approvals to use US person identifiers to query content must be documented.


Circumventing official procedures

In an interview, Glenn Greenwald was also asked about this issue and he explained that the "authority" Snowden was talking about, was not an authority in a legal sense.

According to Greenwald, Snowden meant that "NSA have given [analysts] the power to be able to go in and scrutinize the communications of any American; it may not be legal, but they have the power to do it".

So it may not be legally allowed that "any analyst at any time can target anyone, any selector, anywhere", but they may have the technical capability to do so. In other words, wiretapping anyone is only possible when analysts (intentionally) circumvent the official procedures and safeguards.

In that interpretation, Snowden apparently warned against the risk that individual analysts could misuse their power, although somewhat earlier in the interview he was speaking about the whole agency that "targets the communications of everyone" and ingests, filters, analyses and stores them.


Unified Targeting Tool

Circumventing official procedures and legal authorities could be done by manipulating targeting instructions given through the Unified Targeting Tool (UTT), which is a web-based tool that is used to start the actual collection of data.

A rogue analyst could for example confirm that there's a FISA warrant when no warrant is present, or provide a fake foreignness indicator, so someone could be targeted under the authority of Executive Order 12333, which doesn't require the procedure of acquiring a FISA court approval.



A rare screenshot of the Unified Targeting Tool (UTT), which shows some of the fields that have to be filled in. We see that data about a "FAA Foreign Governments Cert." is missing and therefore not valid to task (see below), and also a drop down menu with various Foreignness Factors.


Unfortunately no manual for this tool has been disclosed so far, although that would have been useful to learn more about such internal safeguards to prevent misuse. The NSA itself also didn't release such documents, which could have contributed to more trust in the way they actually operate.


Targeting procedures

We have no details about the procedure for targeting US citizens, but we do know about the process for collection under the PRISM program (http://lasvegasin.blogspot.com/2014/04/what-is-known-about-nsas-prism-program.html). As PRISM is used for gathering data about foreigners, it can be considered to be less sensitive than collecting data about US persons, for which there may be some extra safeguards and checks. The PRISM tasking process is shown in this slide:



Slide that shows the PRISM tasking process


We see that after the analyst has entered the selectors (like a target's phone number or e-mail address) into the UTT, this has to be reviewed and validated by (in this case) either the FAA adjudicators in the S2 Product Line, or the Special FISA Oversight unit.

A final review of the targeting request is conducted by the Targeting and Mission Management unit. Only then are the selectors released to be "tasked" on the various collection systems.

For targeting foreigners on collection systems outside the US (which is governed by EO 12333), there are fewer restrictions, but this too is not completely at the will of individual analysts. At the least, every eavesdropping operation has to be in accordance with the goals set in the NSA's Strategic Mission List (http://lasvegasin.blogspot.com/2014/09/nsas-strategic-mission-list.html) and other policy documents.


Incidents

Nonetheless, recently declassified NSA reports to the president's Intelligence Oversight Board (IOB) show that there have been cases in which there was an abuse of the collection system, either wilfully or accidentally. The majority of incidents both under FISA and EO 12333 authority occurred because of human error.

The reports show that despite the safeguards, some unauthorized targeting and querying can still happen, but also that the internal oversight mechanisms detected them afterwards, with the selectors involved being detasked, the non-compliant data being deleted and the analysts being counseled.


Conclusion

The details Edward Snowden told to The Washington Post seem to confirm that he wasn't authorized to target US persons, but apparently did have the authority to use US person identifiers for querying data that were already collected. But contrary to what Snowden said, this is only allowed after prior approval. This makes it highly unlikely that e-mail addresses from American judges or senators, let alone from the President, would make it through.


(Edited after adding Greenwald's interpretation of Snowden's words and adding something about the non-compliance incidents. Also added an addendum about Snowden's authorities based upon a report by The Washington Post, and added some explanation about the back-door searches)


Links and Sources
- Privacy and Civil Liberties Oversight Board: Section 702 Program Report (pdf)
- Webpolicy.org: Executive Order 12333 on American Soil, and Other Tales from the FISA Frontier
- Stanford Law Review: Is the Foreign Intelligence Surveillance Court Really a Rubber Stamp?
- The Guardian: The top secret rules that allow NSA to use US data without a warrant
- EmptyWheel.net: Postings about section 702 FAA
- Robert S. Litt, ODNI General Counsel: An Overview of Intelligence Collection
- Related documents:
  - President Policy Direction (PPD) 28 Section 4 Procedures (pdf) (2015)
  - Foreign Intelligence Surveillance Act - Summary Document (2008)