U.S. intelligence agents posing as diplomats in Caracas helped an NSA analyst try to crack open PDVSA’s computer network.
The U.S. National Security Agency accessed the internal communications of Venezuela’s state-owned oil company, Petroleos de Venezuela, and acquired sensitive data it planned to exploit in order to spy on the company’s top officials, according to a highly classified NSA document that reveals the operation was carried out in concert with the U.S. embassy in Caracas.
The March 2011 document, labeled “top secret” and provided by former NSA contractor-turned-whistleblower Edward Snowden, is being reported on in an exclusive partnership between teleSUR and The Intercept.
Drafted by an NSA signals development analyst, the document explains that PDVSA’s network, already compromised by U.S. intelligence, was further infiltrated after an NSA review in late 2010 – during President Barack Obama’s first term, which would suggest he ordered or at least authorized the operation – “showed telltale signs that things were getting stagnant on the Venezuelan Energy target set.” Most intelligence “was coming from warranted collection,” which likely refers to communications that were intercepted as they passed across U.S. soil. According to the analyst, “what little was coming from other collectors,” or warrantless surveillance, “was pretty sparse.”
Beyond efforts to infiltrate Venezuela’s most important company, the leaked NSA document highlights the existence of a secretive joint operation between the NSA and the Central Intelligence Agency operating out of the U.S. embassy in Caracas. A fortress-like building just a few kilometers from PDVSA headquarters, the embassy sits on the top of a hill that gives those inside a commanding view of the Venezuelan capital.
Last year, Der Spiegel published top-secret documents detailing the state-of-the-art surveillance equipment that the NSA and CIA deploy to embassies around the world. That intelligence on PDVSA had grown “stagnant” was concerning to the U.S. intelligence community for a number of reasons, which its powerful surveillance capabilities could help address.
“Venezuela has some of the largest oil and natural gas reserves in the world,” the NSA document states, with revenue from oil and gas accounting “for roughly one third of GDP” and “more than half of all government revenues.”
“To understand PDVSA,” the NSA analyst explains, “is to understand the economic heart of Venezuela.”
“Fully sovereign oil company!” | Photo: Reuters
Increasing surveillance on the leadership of PDVSA, the most important company in a South American nation seen as hostile to U.S. corporate interests, was a priority for the undisclosed NSA division to which the analyst reported. “Plainly speaking,” the analyst writes, they “wanted PDVSA information at the highest possible levels of the corporation – namely, the president and members of the Board of Directors.”
Given a task, the analyst got to work and, with the help of “sheer luck,” found his task easier than expected.
It began simply enough: with a visit to PDVSA’s website, “where I clicked on ‘Leadership’ and wrote down the names of the principals who would become my target list.” From there, the analyst “dumped the names” into PINWALE, the NSA’s primary database of previously intercepted digital communications, automatically culled using a dictionary of search terms called “selectors.” It was an almost immediate success.
In addition to email traffic, the analyst came across over 10,000 employee contact profiles full of email addresses, phone numbers, and other useful targeting information, including the usernames and passwords for over 900 PDVSA employees. One profile the analyst found was for Rafael Ramirez, PDVSA’s president from 2004 to 2014 and Venezuela’s current envoy to the United Nations. A similar entry turned up for Luis Vierma, the company’s former vice president of exploration and production.
“Now, even my old eyes could see that these things were a goldmine,” the analyst wrote. The entries were full of “work, home, and cell phones, email addresses, LOTS!” This type of information, referred to internally as “selectors,” can then be “tasked” across the NSA’s wide array of surveillance tools so that any relevant communications will be saved.
According to the analyst, the man to whom he reported “was thrilled!” But “it is what happened next that really made our day.”
“As I was analyzing the metadata,” the analyst explains, “I clicked on the ‘From IP’ and noticed something peculiar”: all of the employee profiles, “over 10,000 of them, came from the same IP!!!” That, the analyst determined, meant “I had been looking at internal PDVSA comms all this time!!! I fired off a few emails to F6 here and in Caracas, and they confirmed it!”
“Metadata” is a broad term that can include the phone numbers a target has dialed, the duration of the call and from where it was placed, as well as the Wi-Fi networks used to access the Internet, the websites visited and the times accessed. That information can then be used to identify the user.
F6 is the NSA code name for a joint operation with the CIA known as the Special Collection Service, based in Beltsville, Maryland – and with agents posing as diplomats in dozens of U.S. embassies around the world, including Caracas, Bogota and Brasilia.
A joint NSA-CIA team operates out of the U.S. embassy in Caracas. | Photo: AFP
In 2013, Der Spiegel reported that it was this unit of the U.S. intelligence bureaucracy that had installed, within the U.S. embassy in Berlin, “sophisticated listening devices with which they can intercept virtually every popular method of communication: cellular signals, wireless networks and satellite communication.” The article suggested this is likely how the U.S. tapped into German Chancellor Angela Merkel’s cellphone.
SCS at the U.S. embassy in Caracas played an active role throughout the espionage activities described in the NSA document. “I have been coordinating with Caracas,” the NSA analyst states, “who have been surveying their environment and sticking the results into XKEYSCORE.”
XKEYSCORE, as reported by The Intercept, processes a continuous “flow of Internet traffic from fiber optic cables that make up the backbone of the world’s communication network,” storing the data for 72 hours on a “rolling buffer” and “sweep[ing] up countless people’s Internet searches, emails, documents, usernames and passwords.”
The NSA’s combined databases are, essentially, “a very ugly version of Google with half the world’s information in it,” explained Matthew Green, a professor at the Johns Hopkins Information Security Institute, in an email. “They’re capturing so much information from their cable taps, that even the NSA analysts don’t know what they’ve got,” he added, “an analyst has to occasionally step in and manually dig through the data” to see if the information they want has already been collected.
That is exactly what the NSA analyst did in the case of PDVSA, which turned up even more leads to expand their collection efforts.
“I have been lucky enough to find several juicy pdf documents in there,” the NSA analyst wrote, “one of which has just been made a report.”
That report, dated January 2011, suggests a familiarity with the finances of PDVSA beyond that which was public knowledge, noting a decline in the theft and loss of oil.
“In addition, I have discovered a string that carries user ID’s and their passwords, and have recovered over 900 unique user/password combinations,” the analyst wrote, which he forwarded to the NSA’s elite hacking team, Targeted Access Operations, along with other useful information and a “targeting request to see if we can pwn this network and especially, the boxes of PDVSA’s leadership.”
“Pwn,” in this context, means to successfully hack and gain full access to a computer or network. “Pwning” a computer, or “box,” would allow the hacker to monitor a user’s every keystroke.
A History of US Interest in Venezuelan Affairs
PDVSA has long been a target of U.S. intelligence agencies and the subject of intense scrutiny from U.S. diplomats. A February 17, 2009, cable, sent from the U.S. ambassador in Caracas to Washington and obtained by WikiLeaks, shows that PDVSA employees were probed during visa interviews about their company’s internal operations. The embassy was particularly interested in PDVSA’s strategy concerning litigation over Venezuela’s 2007 nationalization of the Cerro Negro oil project – and billions of dollars in assets owned by U.S. oil giant ExxonMobil.
“According to a PDVSA employee interviewed following his visa renewal, PDVSA is aggressively preparing its international arbitration case against ExxonMobil,” the cable notes.
A year before, U.S. State Department spokesman Sean McCormack told reporters that the U.S. government “fully support the efforts of ExxonMobil to get a just and fair compensation package for their assets.” But, he added, “We are not involved in that dispute.”
ExxonMobil is also at the center of a border dispute between Guyana and Venezuela. In May 2015, the company announced it had made a “significant oil discovery” in an offshore location claimed by both countries. The U.S. ambassador to Guyana has offered support for that country’s claim.
More recently, the U.S. government has begun leaking information to media about allegations against top Venezuelan officials.
In October, The Wall Street Journal reported in a piece, “U.S. Investigates Venezuelan Oil Giant,” that “agents from the Department of Homeland Security, the Drug Enforcement Administration, the Federal Bureau of Investigation and other agencies” had recently met to discuss “various PDVSA-related probes.” The “wide-ranging investigations” reportedly have to do with whether former PDVSA President Rafael Ramirez and other executives accepted bribes.
Leaked news of the investigations came less than two months before Dec. 6 parliamentary elections in Venezuela. Ramirez, for his part, has rejected the accusations, which he claims are part of a “new campaign that wants to claim from us the recovery and revolutionary transformation of PDVSA.” Thanks to Chavez, he added, Venezuela’s oil belongs to “the people.”
In its piece on the accusations against him, The Wall Street Journal notes that during Ramirez’s time in office PDVSA became “an arm of the late President Hugo Chavez’s socialist revolution,” with money made from the sale of petroleum used “to pay for housing, appliances and food for the poor.”
The former PDVSA president is not the only Venezuelan official to be accused of corruption by the U.S. government. In May 2015, the U.S. Department of Justice accused Diosdado Cabello, president of the Venezuelan National Assembly, of being involved in cocaine trafficking and money laundering. Former Interior Minister Tarek El Aissami, the former director of military intelligence, Hugo Carvajal, and Nestor Reverol, head of the National Guard, have also faced similar accusations from the U.S. government.
None of these accusations against high-ranking Venezuelan officials has led to any indictments.
The timing of the charges, made in the court of public opinion rather than a courthouse, has led some to believe there’s another motive.
“These people despise us,” Venezuelan President Nicolas Maduro said in October. He and his supporters argue the goal of the U.S. government’s selective leaks is to undermine his party ahead of the upcoming elections, helping install a right-wing opposition seen as friendlier to U.S. interests. “They believe that we belong to them.”
Venezuelan President Nicolas Maduro addresses PDVSA workers. | Photo: AVN
Loose Standards for NSA Intelligence Sharing
Ulterior motives or not, by the NSA’s own admission the intelligence it gathers on foreign targets may be disseminated widely among U.S. officials who may have more than justice on their minds.
According to a guide issued by the NSA on January 12, 2015, the communications of non-U.S. persons may be captured in bulk and retained if they are said to contain information concerning a plot against the United States or evidence of, “Transnational criminal threats, including illicit finance and sanctions evasion.” Any intelligence that is gathered may then be passed on to other agencies, such as the DEA, if it “is related to a crime that has been, is being, or is about to be committed.”
Spying for the sole purpose of protecting the interests of a corporation is ostensibly not allowed, though there are exceptions that do allow for what might be termed economic espionage.
“The collection of foreign private commercial information or trade secrets is authorized only to protect the national security of the United States or its partners and allies,” the agency states. It is not supposed to collect such information “to afford a competitive advantage to U.S. companies and U.S. business sectors commercially.” However, “Certain economic purposes, such as identifying trade or sanctions violations or government influence or direction, shall not constitute competitive advantage.”
In May 2011, two months after the leaked document was published in NSA’s internal newsletter, the U.S. State Department announced it was imposing sanctions on PDVSA – a state-owned enterprise, or one that could be said to be subject to “government influence or direction” – for business it conducted with the Islamic Republic of Iran between December 2010 and March 2011. The department did not say how it obtained information about the transactions, allegedly worth US$50 million.
Intelligence gathered with one stated purpose can also serve another, and the NSA’s already liberal rules on the sharing of what it gathers can also be bent in times of perceived emergency.
“If, due to unanticipated or extraordinary circumstances, NSA determines that it must take action in apparent departure from these procedures to protect the national security of the United States, such action may be taken” – after consulting other branches of the intelligence bureaucracy. “If there is insufficient time for approval,” however, it may unilaterally take action.
Beyond the obvious importance of oil, leaked diplomatic cables show PDVSA was also on the U.S. radar because of its importance to Venezuela’s left-wing government. In 2009, another diplomatic cable obtained by WikiLeaks shows the U.S. embassy in Caracas viewed PDVSA as crucial to the political operations of long-time foe and former President Hugo Chavez. In April 2002, Chavez was briefly overthrown in a coup that, according to The New York Times, as many as 200 officials in the George W. Bush administration – briefed by the CIA – knew about days before it was carried out.
The Venezuelan government was not informed of the plot.
Hugo Chavez has “a vision that is almost the mirror image” of what we seek, said the U.S. ambassador. | Photo: President’s Office
“Since the December 2002-February 2003 oil sector strike, PDVSA has put itself at the service of President Chavez’s Bolivarian revolution, funding everything from domestic programs to Chavez’s geopolitical endeavors,” the 2009 cable states.
Why might that be a problem, from the U.S. government’s perspective? Another missive from the U.S. embassy in Caracas, this one sent in 2010, sheds some light: Chavez “appears determined to shape the hemisphere according to his vision of ‘socialism in the 21st century,’” it states, “a vision that is almost the mirror image of what the United States seeks.”
There was a time not so long ago when the U.S. had an ally in Venezuela, one that shared its vision for the hemisphere – and invited a U.S. firm run by former U.S. intelligence officials to directly administer its information technology operations.
Amid a push for privatization under former Venezuelan President Rafael Caldera, in January 1997 PDVSA decided to outsource its IT system to a company called Information, Business and Technology, or INTESA – the product of a joint venture between the oil company, which owned a 40 percent share of the new corporation, and the major U.S.-based defense contractor Science Applications International Corporation, or SAIC, which controlled 60 percent.
SAIC has close, long-standing ties to the U.S. intelligence community. At the time of its dealings with Venezuela, the company’s director was retired Admiral Bobby Inman. Before coming to SAIC, Inman served as the U.S. Director of Naval Intelligence and Vice Director of the U.S. Defense Intelligence Agency. Inman also served as deputy director of the CIA and, from 1977 to 1981, as director of the NSA.
In his book, “Changing Venezuela by Taking Power: The History and Policies of the Chavez Government,” author Gregory Wilpert notes that Inman was far from the only former intelligence official working for SAIC in a leadership role. Joining him were two former U.S. Secretaries of Defense, William Perry and Melvin Laird, a former director of the CIA, John Deutch, and a former head of both the CIA and the Defense Department, Robert Gates. The company that those men controlled, INTESA, was given the job of managing “all of PDVSA’s data processing needs.”
In 2002, Venezuela, now led by a government seeking to roll back the privatizations of its predecessor, chose not to renew SAIC’s contract for another five years, a decision the company protested to the U.S. Overseas Private Investment Corporation, which insures the overseas investments of U.S. corporations. In 2004, the U.S. agency ruled that by canceling its contract with SAIC the Venezuelan government had “expropriated” the company’s investment.
However, before that ruling, and before its operations were reincorporated by PDVSA, the company that SAIC controlled, INTESA, played a key role in an opposition-led strike aimed at shutting down the Venezuelan oil industry. In December 2002, eight months after the failed coup attempt and the same month its contract was set to expire, INTESA, the Venezuelan Ministry of Communication and Information alleges, “exercised its ability to control our computers by paralyzing the charge, discharge, and storage of crude at different terminals within the national grid.” The government alleges INTESA, which possessed the codes needed to access those terminals, refused to allow non-striking PDVSA employees access to the company’s control systems.
“The result,” Wilpert noted, “was that PDVSA could not transfer its data processing to new systems, nor could it process its orders for invoices for oil shipments. PDVSA ended up having to process such things manually because passwords and the general computing infrastructure were unavailable, causing the strike to be much more damaging to the company than it would have been if the data processing had been in PDVSA’s hands.”
PDVSA’s IT operations would become a strictly internal affair soon thereafter, though one never truly free from the prying eyes of hostile outsiders.