A U.S. government agency tasked with supporting the nation’s nuclear deterrence capability has bought access to a data tool that claims to cover more than 90 percent of the world’s internet traffic, and can in some cases let users trace activity through virtual private networks, according to documents obtained by 404 Media.

The documents provide more insight into the use cases and customers of so-called netflow data, which can show which server communicated with another, information that is ordinarily only available to the server’s owner, or the internet service provider (ISP) handling the traffic. Other agencies that have purchased the data include the U.S. Army, NCIS, FBI, IRS, with some government clients saying it would take too long to get data from the NSA, so they bought this tool instead. In this case, the Defense Threat Reduction Agency (DTRA) says it is using the data to perform vulnerability assessments of U.S. and allied systems.

A document written by the DTRA and obtained by 404 Media says the agency “has a requirement to support ongoing assessments of the vulnerability of critical U.S. and allied national/theater mission systems, networks, architectures, infrastructures, and assets.”

The tool “is capable of following communications between servers, even private servers,” which allows the agency to identify infrastructure used by malicious actors, the document continues. That contract was for $490,000 in 2023, according to the document. 404 Media obtained the document and others under a Freedom of Information Act (FOIA) request.

  • @[email protected]
    link
    fedilink
    English
    19
    edit-2
    6 months ago

    I’ve worked with netflow data before. All it says is time, source IP, destination IP, protocol, source and destination ports, amount of data transferred, and a guess at what type of traffic it is (http, torrent, video stream, etc). https://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html (table 6, though most of the fields in that table aren’t actually used). It doesn’t include any of the data within the connection.

    It wasn’t previously just your ISP, it was every provider between you and the endpoint. That is, your ISP, their ISP, and the multiple backbone providers with the big pipes between ISPs (these are the ones selling the data in the article). And of course the NSA because they have a direct tap on the backbones, but they don’t share that access or data with anyone.

    • @aodhsishaj
      link
      1
      edit-2
      6 months ago

      Useful metadata to build patterns for people that are already suspected or to find patterns of bad actors.

      They’ll likely have to send portions of it to other agencies to get confirmation and investigations started. The amount of forensic metadata this is, just wow. Like tracking a person through a crowd by the gait of their walk, over years.