A newly analyzed document from Edward Snowden's trove show that the NSA collects personal and account information on system administrators and uses it to compromise their computers in order to access the networks they manage.
“Up front, sys admins generally are not my end target. My end target is the extremist/terrorist or government official that happens to be using the network some admin takes care of,” explains the author of the document, allegedly the same network specialist in the agency’s Signals Intelligence Directorate that compiled a presentation about how the agency can identify users of the Tor browser.
The document is a collection of posts the author published two years ago on an NSA internal discussion board, and in them he or she explains how to identify system administrators of target networks - mostly those run by foreign phone and Internet companies - and what helpful things one can find on their systems (network maps, email correspondence, and so on).
The Intercept reports that the discovery process begins with unearthing IP addresses thought to be linked to the sys admins, then matching them with personal accounts (email, Facebook, etc),
Once this information is known, the agents can search for emails or posts that can be attributed to them via Google, or by searching though the "SIGINT trash can".
Once they are sure of the target, they try to compromise his or her account via Quantum hacking techniques - packet injection attacks that redirect the target to servers serving exploits.
It is unknown whether the agency limits their targeting of sys admins to foreign citizens, or whether it targets American ones as well.
What is known is that the UK Government Communications Headquarters (GCHQ) has been using this approach to successfully breach several Global Roaming Exchange (GRX) providers in Europe.