This story is over 5 years old.


Canada’s Cyberspy Agency, CSEC, Hijacks Computers Worldwide to Build Their Spynet

A string of new reports reveal that CSEC has been building a network of hijacked computers worldwide in order to advance its spying missions. But whose computers are they taking over in the name of Canadian national security?

This is how a criminal botnet works, which is very similar to the kinds of botnets CSEC uses. Image via Wikipedia.

Glimmers of new information about CSEC, Canada’s version of the NSA, have recently been released through a variety of media sources, which has provided a slightly clearer picture of what Canada’s mysterious cybersurveillance activities actually entail.

The biggest revelation came from an unexpected report in c’t magazin, a German publication, authored by five individuals, including Laura Poitras, one of the few journalists to have met Edward Snowden IRL, and Jacob Applebaum, a hacker-turned-reporter with ties to the TOR foundation.


Their report, entitled “NSA/GCHQ: The HACIENDA Program for Internet Colonization,” focuses not on a Mexican ranch, but rather on a “covert infrastructure” of programs that have been designed to takeover the internet, by locating vulnerable computers around the world that can be hijacked and clandestinely repurposed into spybots for government agencies.

c’t cites leaked slides from the NSA, CSEC, and GCHQ, which are not credited to Edward Snowden’s leaks; this further fuels speculation that there is a second source leaking information from within the spy agencies to the press. A possibility that Snowden himself refuses to address on the record.

One key part of the HACIENDA infrastructure, however, is a Canadian program called LANDMARK, which looks for “ORBS” (Operational Relay Box) that were recently defined by Colin Freeze in the Globe and Mail as “computers [the Five Eyes spy agencies] compromise in third-party countries.” I spoke to Chris Parsons from the Citizen Lab, who explained that these ORBs are quite possibly the property of innocent citizens, and not exclusively intelligence targets:

"CSEC seemingly regards unsecured devices (their 'ORBs') as valid intelligence targets in order to launch deniable attacks and reconnaissance practices. We don't know whether there is some effort to ascertain civilian vs non-civilian intermediary computers to take over, but the slides suggest that civilians and their equipment can be targeted."


A leaked slide showing CSEC's botnet operations. via c't.

In one of the leaked slides contained in the c’t report, which CSEC can neither confirm nor deny is authentic, there is a note about how the LANDMARK program is strengthened by the continuous acquisition of ORBs, a task that at one point was mandated to occur: “2-3 times/year, 1 day focused effort to acquire as many new ORBs as possible in as many non 5-eyes countries as possible.”

So in other words, if the slides that c’t has leaked are legitimate, then a few times a year, CSEC analysts would have an ORB party, where they spent all day looking for computers they can zombify and turn into robotic spy-slaves to do their cybersurveillance bidding. These computers are sought out in “non 5-eyes countries,” meaning they avoid any devices in the US, UK, Australia, or New Zealand.

Apparently, this task has since been automated through an analytics suite called OLYMPIA, which first became known to the public after documents showing that Canada had been spying on Brazil’s mining and environmental ministries were leaked to the press. This particular spying operation was, it seems, for economic purposes. Beyond this reported use of OLYMPIA, however, CSEC’s automation of computer-hijacking is fairly mysterious; though it wouldn’t be a stretch to imagine that it has significantly expanded CSEC’s spy network.

These operations are often referred to as CNO, or “computer network operations,” which John Adams, the former chair of CSEC, spoke about to the Globe and Mail in 2011 (in a rare display of transparency) in a previously unpublished comment: “We’ve got some bright young kids… Virtually everything–90 percent of what they do–is CNO now. It opens it up to where they can literally go out and target the world.”


These operations are also, however, well known to the criminal world. These kinds of botnets are typically used by spammers and various other forms of cybercriminals. I spoke to Christopher Parsons of the Citizen Lab, who told me:

“CSEC operates using the same techniques as organized crime and foreign intelligence services… CSEC uses these techniques for nation-state aims, similar reconnoissance techniques are used by criminals, academics, and interested internet sleuths. The tools of reconnaissance and offence are depressingly affordable, whereas secure code is expensive and hard to come by.”

Now, exactly what CSEC is doing with these spy networks is a whole other question. And, ethically at least, it is unsettling to think that our government is using international computers, presumably owned by innocent people, as hackable devices to repurpose for their own goals.

This is, however, the reality of an internet monitored by intelligence agencies the world over, and it’s certainly why the authors of c’t’s recent report chose to use the word “colonization” when describing the impact HACIENDA has had on the internet. Everyone, it seems, is spying on everyone else; but are the Five Eyes far ahead of the game?  Chinese breaches of Canadian government systems are well-documented, with the most egregious incident that has been reported recently pertaining to Chinese attacks on Canada’s National Research Council, presumably to obtain science and technology research, that was so invasive the NRC completely shut down its computer network.


Russia’s Federal Security Bureau has its own answer to the NSA’s controversial PRISM online spying program, called SORM, which most recently made headlines during the Sochi Olympics. Given that Russia, China, or any other non-Five Eyes country has never had a leak of information tantamount to the Snowden disclosures, a comparably small amount of information is known about the power or reach of foreign spy systems. But in light of Ronald Deibert’s description of SORM as “PRISM on steroids,” one can imagine the Russians have some pretty serious spying firepower.

Evidently there’s a race to control the internet through hijacking computers, monitoring networks, and intercepting information en masse. From there, the game appears to be about organizing and sharing that information efficiently. A report published yesterday on The Intercept shows that the NSA created an internal Google-esque search engine called ICReach for departments like the FBI and the DEA to access NSA records, of which there are, apparently, 850 billion.

ICReach is only available to American agencies, but there is reportedly an international version for the NSA’s Five Eyes partners, Canada included, called GLOBALREACH, which was designed to share the “vast amounts of communications metadata” that the agencies had obtained with one another.

Search engines like this indicate that the Five Eyes are quite advanced when it comes to organizing and sharing the information they are pulling from around the world, and the more each member of the Five Eyes contributes to the cause, the greater their reach becomes. Obviously there is a goal for complete, global surveillance here; which is as chilling as it is real. While the US and its allies are certainly competing for cybersurveillance supremacy with places like China and Russia, it’s useless to pick a “good guy” with so much evidence of innocent civilians being caught in the dragnet on both sides.

Plus, with armies of ORBs (or botnets) at an agency like CSEC’s disposal, plausible deniability can be attained if and when these computers launch an unsavoury or unjustifiable attack. The allegedly leaked CSEC slides in c’t refer to this as “a level of non-attribution,” meaning these computers cannot directly be attributed to CSEC itself.

We know from a recent WIRED interview with Edward Snowden, for example, that the NSA accidentally shut down Syrian internet access after a botched attempt to surveil their national network, then tried to cover their tracks. It’s not hard to envision a similar fuckup being made via a botnet that would allow the offending agency to avoid any culpability or international consequence whatsoever, which is a disturbing amount of power for a government agency to wield.

Clearly there are legitimate national security concerns that Canada has to worry about—what with Canadians running off to join the Islamic State, and Chinese hackers pilfering our intellectual property—but our cooperation in the Five Eyes' goal to achieve blanket surveillance of the planet’s communication networks, which becomes clearer with every new leaked document, is an unjust practice that creates ample opportunity for abuse. While Canadians might not be the intended targets, we should be asking whose privacy is being breached around the world, in the name of our national security interests?