At the heart of the NSA's intelligence reporting process are—or at least were, in 2012—some templates using Microsoft Word macros. That's one of the unbelievable details revealed in a series of Edward Snowden's emails to NSA's SIGINT Oversight and Compliance Division released to VICE News in response to a FOIA request. The revelation comes amid renewed focus in the security community on hackers' uses of Microsoft macros as a vector to launch malware.
In August 2012, compliance personnel in NSA's Fort Meade headquarters had a problem. As part of NSA's oversight of the use of congressionally authorized spying authorities under the Foreign Intelligence Surveillance Act, Department of Justice and NSA compliance personnel review the intelligence reports written by analysts to ensure they meet legal guidelines, including ensuring that analysts only targeted appropriate people and masked the identities of any Americans in the reports. But because of new security compartmentalization implemented on its network in Hawaii, personnel in NSA's headquarters stopped being able to open the files sent by the Hawaii location.
"The problem comes up when we send files to [NSA Washington] for legal review," said a Hawaii-based employee when requesting tech support, after having had a critical help ticket sit without response for a week. "NSAW cannot read the files that we send them. Since those files need to be accessible by Dept of Justice, we have a legal issue here."
The issue eventually got sent to Snowden, then doing systems administration work in the Hawaii Office of Information Sharing as a Dell contractor. As he explained 12 hours after getting the request for help, because of the Word macros NSA used as part of the process of masking any information from or about Americans, if the people who got the reports could not access the network in NSA's Hawaii location, they would be unable to open the documents.
A follow-up email from Snowden explained the problem in colorful terms: "The program used by the analysts to generate these files (Microsoft Word) embeds a huge amount of hidden metadata into every file it creates. In this case, it's creating a 'phone home' link that tells Word where to get a copy of the FISA document template that was used to create the file. That means when someone outside the enclave tries to open the document in Word, Word immediately detects the phone home link and tries to go get a copy of the document template (from the enclave it can't reach)." Because of the security features on the network in Hawaii, lawyers reading the documents in Maryland would have their documents just hang when they tried to read them.
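As an added illustration (not code from the article or from the Snowden emails), the script below shows where the "phone home" link Snowden describes lives in a modern Word package and how a reviewer can check a document for it, and for embedded macros, before it is sent across an enclave boundary. It assumes OOXML files (.docx/.docm) rather than the older binary .doc format, and builds a constructed sample package with a placeholder UNC path, not any real NSA template.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# Constructed placeholder for an enclave-only template share; not a real path.
SAMPLE_TARGET = r"file:///\\enclave-share\templates\FISA.dotm"


def inspect_docx(data: bytes) -> dict:
    """Report external attached-template links and whether a VBA project is embedded."""
    findings = {"attached_templates": [], "has_macros": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        # Macro-enabled documents carry their VBA code in this part.
        findings["has_macros"] = "word/vbaProject.bin" in names
        # The template link is a relationship of word/settings.xml, not document text.
        rels = "word/_rels/settings.xml.rels"
        if rels in names:
            root = ET.fromstring(zf.read(rels))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == ATTACHED_TEMPLATE:
                    findings["attached_templates"].append(
                        (rel.get("Target"), rel.get("TargetMode", "Internal"))
                    )
    return findings


def phones_home(findings: dict) -> bool:
    """True when opening the file will make Word reach for a template it may not be able to get."""
    return any(mode == "External" for _, mode in findings["attached_templates"])


def build_sample(template_target=None, with_macros=False) -> bytes:
    """Constructed minimal package with just the parts the inspector reads (not a valid Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if template_target:
            zf.writestr("word/settings.xml",
                        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                        '<w:attachedTemplate r:id="rId1"/></w:settings>')
            zf.writestr("word/_rels/settings.xml.rels",
                        f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                        f'Type="{ATTACHED_TEMPLATE}" Target="{template_target}" '
                        f'TargetMode="External"/></Relationships>')
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"")  # empty stand-in for a VBA project
    return buf.getvalue()
```

Saving the report as RTF, the workaround the Hawaii office adopted, drops both the settings relationship and the VBA part, which is why the inspector finds nothing to flag in such a file.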
Snowden's troubleshooting discussion included editorial comments about Microsoft design. "[T]his is really bad design on Microsoft's part, but in their defense they were probably assuming an open-sharing environment," he wrote.
Aside from providing a glimpse at how Snowden performed his job at NSA, the email exchange reveals that, at least in 2012, some NSA personnel had Microsoft macros enabled by default because they used those macros as a key part of very sensitive intelligence reporting. But by relying on macros, NSA opened itself up to hacking. As Motherboard recently described, in the last year or so hackers have used macros to infect targets with ransomware, to attack Ukraine's power grid, and to spy on dissidents. If targets that have macros enabled open a document loaded with malicious macros, it will infect their computers.
Microsoft macros could pose a particularly big risk to the NSA. "It's hard to overstate how much of a threat Word macros are to the NSA's internal network," explained Nicholas Weaver, a researcher at the International Computer Science Institute. "If one bad insider managed to get one malicious macro-infected Word document onto this network it could be designed to self propagate, include itself in all the other macro-necessary documents spread through the network, before shifting to steal secrets for eventual infiltration by an insider, or even bulk sabotage: shutting down the entire NSA analyst network at a specified time."
Two things about the way NSA used these documents would mitigate the security risk of enabled Word macros somewhat. The documents Hawaii sent to Fort Meade would be sent on the government's internal secure network, making it highly unlikely anyone receiving these live macros would also receive an external document with a malicious macro. The threat posed by macros would primarily come from Weaver's imagined (or not so imaginary) one bad insider. In addition, the short-term solution adopted by the Hawaii office—to have analysts save their intelligence reports into rich text format to strip the metadata causing the problem—would make the documents even safer by eliminating the need for recipients to have macros enabled.
Still, the security risk of the macros, which had already been commonly used as attack vectors in the 1990s, raises questions about why NSA adopted Word for intelligence reporting and minimization in the first place. The security researcher the Grugq observed, "it seems really weird that a proprietary risky function of a third party product would be used for something that is such a central part of the NSA mission. Can't they develop a better way of exchanging intelligence information than emailing Word documents around? With macros enabled?"
The NSA provided no response to Motherboard's request for comment on this story.