Hey Travis, Joseph here with some more documents about the sale of bulk internet data. An agency tasked with supporting the U.S. nuclear mission bought access to Augury, a tool that claims to cover more than 90 percent of the world's internet traffic. 404 Media readers will know I've covered this tool quite a lot, including how one agency turned to buying the data because waiting for it from NSA would take too long. The full story follows below.
This article was primarily reported using public records requests. We are making it available to all readers as a public service. FOIA reporting can be expensive; please consider subscribing to 404 Media to support this work.
A U.S. government agency tasked with supporting the nation’s nuclear deterrence capability has bought access to a data tool that claims to cover more than 90 percent of the world’s internet traffic, and can in some cases let users trace activity through virtual private networks, according to documents obtained by 404 Media.
The documents provide more insight into the use cases and customers of so-called netflow data, which can show which server communicated with another, information that is ordinarily only available to the server’s owner, or the internet service provider (ISP) handling the traffic. Other agencies that have purchased the data include the U.S. Army, NCIS, FBI, and IRS, with some government clients saying it would take too long to get data from the NSA, so they bought this tool instead. In this case, the Defense Threat Reduction Agency (DTRA) says it is using the data to perform vulnerability assessments of U.S. and allied systems.
A document written by the DTRA and obtained by 404 Media says the agency “has a requirement to support ongoing assessments of the vulnerability of critical U.S. and allied national/theater mission systems, networks, architectures, infrastructures, and assets.”
The tool “is capable of following communications between servers, even private servers,” which allows the agency to identify infrastructure used by malicious actors, the document continues. That contract was for $490,000 in 2023, according to the document. 404 Media obtained the document and others under a Freedom of Information Act (FOIA) request.
“This collection of data can yield tens of billions of records per day. The access to this volume of data is unique and renders it a powerful tool for tracking and mapping; it is the only software tool that provides such a comprehensive data processing and data capturing solution that is readily deployable,” the document says.
Do you know anything else about the sale of netflow data? I would love to hear from you. Using a non-work device, you can message me securely on Signal at +44 20 8133 5190. Otherwise, send me an email at joseph@404media.co.
Specifically, the Nuclear Enterprise Directorate (NE), Mission Assurance Department (MA) sourced access to the data, according to one of the documents obtained by 404 Media. The mission of the NE is, among other things, to “prevent nuclear proliferation and nuclear terrorism,” “maintain strategic stability at reduced nuclear force levels,” and “sustain a safe, secure, and effective nuclear arsenal,” according to the DTRA’s website. MA’s more specific remit is to identify “vulnerability risks to key DoD missions and stakeholders, reducing the threats posed by adversaries around the globe,” the website adds.
DTRA bought access to the data from Argonne Ridge Group (ARG), which is an affiliate of cybersecurity company Team Cymru, the documents show. The tool developed by Team Cymru is called Augury.
“The network data includes data from over 550 collection points worldwide, to include collection points in Europe, the Middle East, North/South America, Africa and Asia, and is updated with at least 100 billion new records each day,” a description of Augury available in another U.S. government procurement record reads. Team Cymru obtains this data from ISPs, to which Team Cymru then provides threat intelligence. The company previously confirmed this exchange to the office of Senator Ron Wyden.
While netflow data can be a powerful and useful tool for tracking adversary activity, multiple sources in the cybersecurity and threat intelligence industry previously said they were concerned or thought the sale of this data was “kinda bonkers.”
Augury can also include web browsing activity, such as the URLs a device has visited or cookies used, as well as packet capture data (PCAP), other documents previously showed.
One of the DTRA documents says that “Routing data, current or historical, and updated hourly, is available through queries to Augury as well.” This information can be used to monitor traffic from a given country, or monitor more specific locations, it adds.
The contract also includes training to use the Augury tool, and says that DTRA is granted a worldwide license to make derivative works using the data available to DTRA’s own end-user customers “in support of DTRA’s mission area(s).”
The contract also says that “neither party shall make any press releases or public statement about the other party, nor the Data exchanged, without the prior written consent of the other party.” Emails obtained by 404 Media also indicate that an NDA or similar was put in place that would “preclude anyone from sharing raw data that could identify ARG as the source.”
Neither Team Cymru nor the DTRA responded to a request for comment.