The Swedish National Defence Radio Establishment (FRA) is an active participant in the top-secret programme WINTERLIGHT, initiated by the top level of the US intelligence agency NSA. The project is about conducting top-secret hacking of computers. This is revealed in documents leaked by Edward Snowden, which Uppdrag Granskning has uncovered.
“The FRA does not have the authority to hack computers,” says Peter Rådberg, member of the Riksdag’s Standing Committee on Defence.
On 24 April this year, General Keith Alexander, head of the National Security Agency (NSA), received a Swedish delegation headed by then Director-General of the FRA, Ingvar Åkesson. It was an impressive roster of NSA agents who met the seven delegates from the Swedish FRA. Over the course of three days of discussions, they reviewed their close collaboration point for point. At the top of the Swedish delegation’s agenda was Operation “WINTERLIGHT”.
The document describing this meeting came from Edward Snowden, who in turn leaked the material from the NSA. At the top of the document are the words “TOP SECRET” and “NOFORN” (“No Foreigners”), meaning that the contents cannot be spread even to the NSA’s partners.
The document is an internal memo in preparation for what the NSA described as a “strategic planning conference” for “SWEDUSA” – the very close intelligence collaboration between Sweden and the United States. The conference was held on 24–26 April this year, just a few weeks before Edward Snowden travelled to Hong Kong to leak this memo along with thousands of other secret documents.
On the first page of the memo, we read that the Swedish delegation had questions about the “Quantum project”.
“FRA requested a WINTERLIGHT (Quantum project) update…”
Later in the same memo, General Keith Alexander received instructions on the Swedish–American collaboration.
“Acknowledge the success that NSA, FRA … have had on WINTERLIGHT”
But WINTERLIGHT is not just any joint project. It is designated as a “Quantum operation”, and “Quantum” is the NSA’s secret hacking programme.
“Quantum inserts is a kind of hacking,” explains Ryan Gallagher, a journalist who helped Uppdrag Granskning analyse the Snowden documents on Sweden, “where they can infect a computer with a kind of malware, or a kind of spyware, in order to get access to their computer and take control of their data and then exfiltrate that data. You would normally see these kind of tactics being adopted by criminal hackers. But spy agencies use it for a different purpose; they use a similar tactic to infiltrate computers to gather intelligence. Usually particular targets – people. That’s what this quantum process is.”
Quantum operations are controlled by one of the most central divisions of the NSA, called Tailored Access Operations (TAO). This division also participated in the Swedish–American summit in April, where the Quantum project was discussed in several seminars.
A joint task of the FRA and NSA is to spy on targets that are potential threats to each country’s security. But it’s not only suspected terrorists that are targets of the Quantum hacking programme. According to previous Snowden leaks, the NSA and its British equivalent, GCHQ, have also hacked users of the Internet service TOR, which enables anonymous surfing; OPEC’s headquarters in Vienna; and the Belgian telecoms company Belgacom. Some of Belgacom’s customers include the European Commission, the European Parliament and the Council of the European Union. To access data and telecom traffic, they conducted a hacker attack.
A simplified description of the attacks is as follows:
All internet traffic passes through hubs before spreading across the world. Here, in the “backbone” of the Internet, the intelligence agency places Quantum servers. These servers let all traffic pass through, except for the signals from the computers the agency wants to hack. These are redirected (referred to as a “tip” or “tipping”) to special servers with a single purpose – to access these computers in what are called “shots”. The NSA calls these special servers “FoxAcid”.
The method is called the “man in the middle” method, and the intelligence agency’s computers need to be so fast that they can identify the target, redirect to the server with malware, and back to the target’s computer in one “shot” before the server that the target wanted to surf has time to respond.
Who the FRA targeted in operation WINTERLIGHT is not indicated. What is indicated, however, is the number of attacks – or “shots” – that were carried out, and how many computers were taken over and redirected to the British intelligence agency GCHQ:
“…100 shots, five of which were successfully redirected to the GCHQ server.”
“The FRA appears to have played quite a crucial role in this process,” says journalist Ryan Gallagher. “To tip off – they use the term tipping – a target’s computer to be infected with the malware and have their data exfiltrated.”
To be certain that the FRA actively participated in the hacking operation, we ask one of the world’s leading computer security experts, Bruce Schneier, to review the technical formulations in the NSA’s secret documents.
“Both Quantum and FoxAcid are NSA/GCHQ programmes to attack computer users,” he says. “It listens to what they are doing and then attacks them. The fact that Sweden is involved in these programmes means that Sweden is involved in active attacks against internet users. It is not just passive monitoring. This is an active attack.”
Without any doubt?
Schneier: “Yeah, without any doubt! That document shows that the FRA is doing active attacks.”
“Active signals intelligence”
To understand what is so controversial about the FRA’s participation in the Quantum operation, we need to go back to 13 May 2008 and the headquarters of the Standing Committee on Defence in the Swedish Riksdag. FRA Director-General Ingvar Åkesson was called in for questioning regarding the new FRA law and rumours that the FRA does not want to simply passively intercept messages in the telecom and computer networks, but also wants to conduct what is called “active signals intelligence” – i.e. computer hacking – to access people’s computers.
“The most important question I personally asked was whether the FRA was conducting any active signals intelligence. And the FRA chief said no to that,” says Peter Rådberg (Green Party), member of the Riksdag’s Standing Committee on Defence.
The FRA chief was also asked whether the new FRA legislation would make active signals intelligence – hacking – legal.
“We asked a question as to whether it was legal for the FRA to conduct active signals intelligence gathering, and he said no to that,” Rådberg says.
He said that clearly?
Rådberg: “It was clear!”
Did that reassure you?
Rådberg: “If the FRA chief says no to such a clear question, you have to assume that it’s the truth.”
Peter Rådberg does not see that the legal conditions have changed today.
“The FRA are not allowed to carry out active signals intelligence gathering today,” he says.
The newly appointed Director-General of the FRA, Dag Hartelius, declined to be interviewed.
“I cannot discuss that type of information about specific tools or methods,” says FRA spokesman Fredrik Wallin, “but in general I can say that we follow the laws that apply to our operations, and we have permits from the Defence Intelligence Court for all of our intelligence gathering, regardless of the tools or methods used.”
In an e-mail to SVT, the former FRA chief Ingvar Åkesson expresses regret that a discussion has arisen about how the Standing Committee on Defence perceived his statements. All signals intelligence conducted under his watch was in accordance with Swedish law. Åkesson declined to comment on whether the FRA has participated in the Quantum hacking programme.
Comments from the British GCHQ.
Comment from NSA spokesperson Vanee M. Vines:
“We will not publicly comment on any specific alleged intelligence activity, and the US government has made it clear that the United States gathers the same type of intelligence that all nations do.”
Reporters: Sven Bergman, Joachim Dyfvermark, Fredrik Laurin, Glenn Greenwald, Ryan Gallagher.