WASHINGTON: A US security agency has been spying on Pakistan’s top civil and military leadership for decades, reveal documents obtained by an American news outlet, The Intercept.

One of the documents shows that hackers associated with the US National Security Agency (NSA) used a malware called SECONDDATE to breach “targets in Pakistan’s National Telecommunications Corporation’s (NTC) VIP Division”.

The NSA conducts global monitoring, collection, and processing of information and data on key foreign personalities and intelligence agencies.

In Pakistan, the NSA hacked computers that contained documents about “the backbone of Pakistan’s Green Line communications network”. The Green Line is a secured line that is used by top civilian and military leadership of the country.

An April 2013 document “boasts of successful attacks against computer systems in both Pakistan and Lebanon,” the report added.

The documents show how the NSA used SECONDDATE to spy on Pakistan and a computer system in Lebanon. There are at least two documented cases of SECONDDATE being used to infect computers overseas.

The SECONDDATE malware, which the NSA uses to intercept web requests, redirects browsers on target computers to an agency web server. The server then infects the web requests with malware.

One document, a newsletter for the NSA’s Special Source Operations division, shows that the agency also used software other than SECONDDATE to repeatedly direct targets in Pakistan to FOXACID malware web servers, eventually infecting the targets’ computers.

The attacking malware is attached to the online anonymity network called TOR, which directs Internet traffic through a free, worldwide network of more than 7,000 relays. TOR helps conceal a user’s location and usage from anyone conducting network surveillance or traffic analysis.

But the NSA malware redirects TOR users to another set of secret Internet servers, codenamed FOXACID, to infect the user’s computer.

An infected computer responds to FOXACID servers without the knowledge of its users, and continues to provide eavesdropping information to the agency as long as it remains infected.

The Intercept obtained the documents from a hacking group called “Shadow Brokers”, which announced on Monday an auction for what it claimed were “NSA cyber weapons”.

The Intercept then used documents provided by the whistleblower Edward Snowden to verify that the auctioned software was authentic NSA material and was “part of a powerful constellation of tools used to covertly infect computers worldwide”.

“While it remains unclear how the software leaked, one thing is now beyond speculation: The malware is covered with the NSA’s virtual fingerprints and clearly originates from the agency,” the report added.

The Intercept used an NSA manual for implanting malware, classified top secret, to verify the auctioned software. The manual, acquired from Mr Snowden, instructs the NSA operators to track their use of one malware program using a specific 16-character string, “ace02468bdf13579”. The same string appears throughout the Shadow Brokers leak in code associated with the same program.

Johns Hopkins University cryptographer Matthew Green told The Intercept that malicious software of this sophistication should not have been allowed to reach private hackers.

“They can be used to target anyone who is using a vulnerable router,” he said. “The risk is two-fold: first... the person or persons who stole this information might have used them against us (the US)...and now...ordinary criminals will use them against corporate targets.”

Some US experts, including Mr Green, have speculated that the software might have been hacked by someone in Russia and then dumped in the hackers’ market.

Published in Dawn, August 22nd, 2016
