All that would be needed is to access one of the MANY devices between the end points. The closer to the core of the Internet the more traffic would have to be reviewed. As such, it becomes a problem of scale (assuming you have access first). Conversely, the closer you are to one of the endpoints, the easier it is to find the data. Issues of access still apply.
Allow me to paint an example
PC connects to local switch, switch to local router, router to ISP’s router and so on to the Internet core.
If you hack (compromise) the PC, then it is trivial to look at the inbound vs outbound traffic. However, if the switch is the point of compromise, you have to find the PC’s traffic inside of the stream that has everyone else on the switch. Same for router, same for ISP router ... etc. At each level, the background traffic grows in volume but the target data remains the same. Somewhere in that mix it becomes a needle in a haystack. Possible but unlikely.
Understand my background. I am a white hat hacker and I get paid to compromise banks and financial institutions. I have never been stopped in 25 years. I would like to think that it is because I am some kind of Uber hacker but the truth is ... well there is just so much that needs to be protected. Further, there are so many ways in, that most enterprises can’t afford to have someone dedicated to protecting their assets all the time.
HOWEVER
What is stated as being in possession - pcap or packet captures. Normally, this capture has to be set up ahead of time to record the flows while they occur. And they can generate a LOT of data. Even if you use Netflow data (available from switches and routers) that does not include the actual packet data and only captures the flow information, it is still a fairly large set of files. This is why most enterprises and ISPs only use Netflow for troubleshooting and don't have it turned on as normal operations. Collectively, this makes me think that what is stated as being evidence may not be “right”. But I just simply don't know the details and I am therefore reluctant to say anything other than I remain skeptical.
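To make the pcap-versus-NetFlow distinction and the "needle in a haystack" point above concrete, here is a small added example (my own illustration, not code from the poster or from any NetFlow product). It takes constructed packet records standing in for a pcap, collapses them into unidirectional 5-tuple flow records the way a NetFlow exporter would (counts and timing survive, payload does not), and then pulls one host's conversations out of the shared stream. The addresses, ports and byte counts are made up; real exporters also apply active/inactive timeouts and sampling, which are omitted here.

```python
"""Collapse packet-level records into NetFlow-style flow records and
filter them by endpoint. Added example with constructed data."""
from dataclasses import dataclass

# Constructed packet records (not a real capture), one tuple per packet:
# (timestamp, src_ip, dst_ip, protocol, src_port, dst_port, bytes).
# Three hosts share the same switch; 10.0.0.5 is the one we search for later.
PACKETS = [
    (1.00, "10.0.0.5",     "203.0.113.10", "tcp", 51000, 443,   517),
    (1.02, "203.0.113.10", "10.0.0.5",     "tcp", 443,   51000, 1460),
    (1.05, "203.0.113.10", "10.0.0.5",     "tcp", 443,   51000, 1460),
    (1.10, "10.0.0.5",     "203.0.113.10", "tcp", 51000, 443,   60),
    (1.20, "10.0.0.7",     "198.51.100.9", "udp", 40000, 53,    64),
    (1.21, "198.51.100.9", "10.0.0.7",     "udp", 53,    40000, 120),
    (1.30, "10.0.0.9",     "203.0.113.10", "tcp", 52000, 443,   517),
    (1.32, "203.0.113.10", "10.0.0.9",     "tcp", 443,   52000, 1460),
    (1.40, "10.0.0.9",     "203.0.113.10", "tcp", 52000, 443,   60),
    (2.00, "10.0.0.5",     "203.0.113.10", "tcp", 51000, 443,   300),
]


@dataclass
class Flow:
    """One unidirectional flow record: the 5-tuple key plus counters."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    packets: int = 0
    octets: int = 0
    first: float = 0.0
    last: float = 0.0


def packets_to_flows(packets):
    """Aggregate packets into 5-tuple flows. Only packet/byte counts and
    first/last timestamps are kept, so the payload is gone, but the
    record set is much smaller than the packet set."""
    flows = {}
    for ts, src, dst, proto, sport, dport, nbytes in packets:
        key = (src, dst, proto, sport, dport)
        flow = flows.get(key)
        if flow is None:
            flow = flows[key] = Flow(src, dst, proto, sport, dport,
                                     first=ts, last=ts)
        flow.packets += 1
        flow.octets += nbytes
        flow.last = max(flow.last, ts)
    return list(flows.values())


def flows_for_host(flows, host):
    """Pull one endpoint's conversations out of the shared stream."""
    return [f for f in flows if host in (f.src, f.dst)]


def host_totals(flows, host):
    """(bytes sent, bytes received) for a host, from flow records alone."""
    sent = sum(f.octets for f in flows if f.src == host)
    recv = sum(f.octets for f in flows if f.dst == host)
    return sent, recv


if __name__ == "__main__":
    flows = packets_to_flows(PACKETS)
    print(f"{len(PACKETS)} packet records -> {len(flows)} flow records")
    for f in flows_for_host(flows, "10.0.0.5"):
        print(f)
    print("10.0.0.5 sent/recv bytes:", host_totals(flows, "10.0.0.5"))
```

With this data the ten packets reduce to six flow records, of which two involve 10.0.0.5. The reduction is what makes flow data cheaper to retain than full captures; the filtering step is the "find the PC's traffic in everyone else's" problem from the post, which grows with the number of hosts behind the observation point rather than with the size of the target's own traffic.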
The global company I recently retired from had NetFlow turned on worldwide. I could pull up logs from months in the past to search for errors, address pairs, endpoints, paths, etc. LOTS of info captured.
That said, I question where he got all of the states' logs from. Their traffic does not all go through a common device, as far as I know, so would have to be from different sources or from "Echelon" or somesuch.
I do hope he is successful, the symposium starts this Tuesday, Aug. 10 and ends Thursday, Aug. 12.