A New Zealand investigative journalist and author says the US spy system hosted by the Government Communications Security Bureau (GCSB) appears to be a controversial intelligence system used in global capture-kill operations.

Writing a commentary for RNZ News today, Nicky Hager, author of Secret Power, a 1996 book on New Zealand’s role in global spy networks, said the controversial and unidentified foreign intelligence operation cited in a report by New Zealand’s Inspector-General of Intelligence and Security (IGIS) last week appeared to be an “intelligence system with a ghostly codename”.

“The IGIS report said the GCSB decision to host a foreign system from 2012-2020 was ‘improper’ and that the GCSB ‘could not be sure the tasking of the capability was always in accordance with… New Zealand law’,” he wrote.

• READ MORE: Hager: Spy system hosted by GCSB likely to be one used in capture-kill operations
• Te Kuaka calls for urgent law change on spy agency, warns over Pacific
• Other GCSB spy base reports

“The Inspector-General said: ‘I have found some of the GCSB’s explanations about how the capability operated and was tasked to be incongruous with information in GCSB records at the time’,” Hager wrote.

But the Inspector-General could not reveal details of the system to the public because they were “highly classified”.

“The name and function of the foreign spy spying equipment, the identity of the ‘foreign partner agency’ and the location of the ‘GCSB facility’ where foreign equipment was hosted all remained secret,” Hager wrote.

Hager argued that the mystery spy equipment appeared strongly to be a top secret US surveillance system that had been installed at the GCSB’s Waihopai base at the same time as the equipment in the IGIS investigation was installed at a “GCSB facility”.

25 years of investigations
Hager has worked as an investigative journalist for the past 25 years, and has been a New Zealand member of the International Consortium of Investigative Journalists for 20 of those years.

In 2018, he was part of a reference group established by the Inspector-General of Intelligence and Security.

Hager wrote that the top secret NSA spy equipment had the ghostly codename “APPARITION” and fitted with all the details presented in the IGIS report.

“APPARITION was owned by and controlled by the US National Security Agency — the world’s largest intelligence gathering agency and head of the Five Eyes intelligence alliance that includes the GCSB,” he wrote.

According to Hager, the NSA internal report, written after the launch of the APPARITION system in 2008, said that it “builds on the success of the GHOSTHUNTER prototype . . .  a tool that enabled a significant number of capture-kill operations against terrorists”.

“Capture-kill operations involve lethal attacks on targeted people using drones, bombs and special forces raids,” wrote Hager.

“Human rights organisations have documented numerous deaths of civilians during capture-kill operations — many of them ‘algorithmically targeted’ by electronic surveillance systems such as APPARITION.

‘Extra-judicial killings’
“They are also criticised as being ‘extra-judicial killings’.”

For decades, protesters had been calling for the GCSB’s iconic radomes at Waihopai Valley spy base in rural Marlborough to be dismantled, saying that when that intelligence was shared with Five Eyes partners — the United States, the United Kingdom, Canada and Australia — it made New Zealand complicit in the military campaigns of those countries, among other criticisms.

However, Anti-Bases Campaign (ABC) organiser Murray Horton said at the time of news of the domes’ redundancy in 2021 was nothing to celebrate, since the base itself would continue to operate at the site, “albeit without its most conspicuous physical features that stick out like dogs’ balls”.

The out-of-date domes were removed in 2022.

• Nicky Hager’s full article at RNZ

This week the Five Eyes alliance — an intelligence alliance between Australia, the United Kingdom, Canada, New Zealand and the United States — announced its investigation into a China-backed threat targeting US infrastructure.

Using stealth techniques, the attacker — referred to as “Volt Typhoon” — exploited existing resources in compromised networks in a technique called “living off the land”.

Microsoft made a concurrent announcement, stating the attackers’ targeting of Guam was telling of China’s plans to potentially disrupt critical communications infrastructure between the US and Asia region in the future.

• READ MORE: Deterring China isn’t all about submarines. Australia’s ‘cyber offence’ might be its most potent weapon

This comes hot on the heels of news in April of a North Korean supply chain attack on Asia-Pacific telecommunications provider 3CX. In this case, hackers gained access to an employee’s computer using a compromised desktop app for Windows and a compromised signed software installation package.

The Volt Typhoon announcement has led to a rare admission by the US National Security Agency that Australia and other Five Eyes partners are engaged in a targeted search and detection scheme to uncover China’s clandestine cyber operations.

Such public admissions from the Five Eyes alliance are few and far between. Behind the curtain, however, this network is persistently engaged in trying to take down foreign adversaries. And it’s no easy feat.

Let’s take a look at the events leading up to Volt Typhoon — and more broadly at how this secretive transnational alliance operates.

Uncovering Volt Typhoon
Volt Typhoon is an “advanced persistent threat group” that has been active since at least mid-2021. It’s believed to be sponsored by the Chinese government and is targeting critical infrastructure organisations in the US.

The group has focused much of its efforts on Guam. Located in the Western Pacific, this US island territory is home to a significant and growing US military presence, including the air force, a contingent of the marines, and the US navy’s nuclear-capable submarines.

It’s likely the Volt Typhoon attackers intended to gain access to networks connected to US critical infrastructure to disrupt communications, command and control systems, and maintain a persistent presence on the networks.

Volt Typhoon is the name Microsoft and the Five Eyes intelligence agencies have given a Chinese state sponsored hacking group, which they say installed a mysterious code in Guam’s telecommunications systems. https://t.co/xEwith7ZmM

— RN Breakfast (@RNBreakfast) May 25, 2023

The latter tactic would allow China to influence operations during a potential conflict in the South China Sea.

Australia wasn’t directly impacted by Volt Typhoon, according to official statements. Nevertheless, it would be a primary target for similar operations in the event of conflict.

As for how Volt Typhoon was caught, this hasn’t been disclosed. But Microsoft documents highlight previous observations of the threat actor attempting to dump credentials and stolen data from the victim organisation. It’s likely this led to the discovery of compromised networks and devices.

Living-off-the-land
The hackers initially gained access to networks through internet-facing Fortinet FortiGuard devices, such as routers. Once inside, they employed a technique called “living-off-the-land”.

This is when attackers rely on using the resources already contained within the exploited system, rather than bringing in external tools. For example, they will typically use applications such as PowerShell (a Microsoft management programme) and Windows Management Instrumentation to access data and network functions.

By using internal resources, attackers can bypass safeguards that alert organisations to unauthorised access to their networks. Since no malicious software is used, they appear as a legitimate user.

As such, living-off-the-land allows for lateral movement within the network, and provides opportunity for a persistent, long-term attack.

The simultaneous announcements from the Five Eyes partners points to the seriousness of the Volt Typhoon compromise. It will likely serve as a warning to other nations in the Asia-Pacific region.

Who are the Five Eyes?
Formed in 1955, the Five Eyes alliance is an intelligence-sharing partnership comprising Australia, Canada, New Zealand, the UK and the US.

The alliance was formed after World War II to counter the potential influence of the Soviet Union. It has a specific focus on signals intelligence. This involves intercepting and analysing signals such as radio, satellite and internet communications.

The members share information and access to their respective signals intelligence agencies, and collaborate to collect and analyse vast amounts of global communications data. A Five Eyes operation might also include intelligence provided by non-member nations and the private sector.

Recently, the member countries expressed concern about China’s de facto military control over the South China Sea, its suppression of democracy in Hong Kong, and threatening moves towards Taiwan.

The latest public announcement of China’s cyber operations no doubt serves as a warning that Western nations are paying strict attention to their critical infrastructure — and can respond to China’s digital aggression.

In 2019, Australia was targeted by Chinese state-backed threat actors gaining unauthorised access to Parliament House’s computer network. Indeed, there is evidence that China is engaged in a concerted effort to target Australia’s public and private networks.

The Five Eyes alliance may well be one of the only deterrents we have against long-term, persistent attacks against our critical infrastructure.

Dennis B. Desmond is a lecturer, Cyberintelligence and Cybercrime Investigations, University of the Sunshine Coast. This article is republished from The Conversation under a Creative Commons licence. Read the original article.