coderman coderman at gmail.com
Wed Mar 12 20:39:40 PDT 2014

so they've been spending tens of millions every year to red team
privacy enhancing technologies.

when do we get to see the results and improve our tools?


How the NSA Plans to Infect 'Millions' of Computers with Malware
By Ryan Gallagher and Glenn Greenwald 12 Mar 2014, 9:19 AM EDT

Top-secret documents reveal that the National Security Agency is
dramatically expanding its ability to covertly hack into computers on
a mass scale by using automated systems that reduce the level of human
oversight in the process.

The classified files - provided previously by NSA whistleblower Edward
Snowden - contain new details about groundbreaking surveillance
technology the agency has developed to infect potentially millions of
computers worldwide with malware "implants." The clandestine
initiative enables the NSA to break into targeted computers and to
siphon out data from foreign Internet and phone networks.

The covert infrastructure that supports the hacking efforts operates
from the agency's headquarters in Fort Meade, Maryland, and from
eavesdropping bases in the United Kingdom and Japan. GCHQ, the British
intelligence agency, appears to have played an integral role in
helping to develop the implants tactic.

In some cases the NSA has masqueraded as a fake Facebook server, using
the social media site as a launching pad to infect a target's computer
and exfiltrate files from a hard drive. In others, it has sent out
spam emails laced with the malware, which can be tailored to covertly
record audio from a computer's microphone and take snapshots with its
webcam. The hacking systems have also enabled the NSA to launch
cyberattacks by corrupting and disrupting file downloads or denying
access to websites.

The implants being deployed were once reserved for a few hundred
hard-to-reach targets, whose communications could not be monitored
through traditional wiretaps. But the documents analyzed by The
Intercept show how the NSA has aggressively accelerated its hacking
initiatives in the past decade by computerizing some processes
previously handled by humans. The automated system - codenamed TURBINE
- is designed to "allow the current implant network to scale to large
size (millions of implants) by creating a system that does automated
control implants by groups instead of individually."

In a top-secret presentation, dated August 2009, the NSA describes a
pre-programmed part of the covert infrastructure called the "Expert
System," which is designed to operate "like the brain." The system
manages the applications and functions of the implants and "decides"
what tools they need to best extract data from infected machines.

Mikko Hypponen, an expert in malware who serves as chief research
officer at the Finnish security firm F-Secure, calls the revelations
"disturbing." The NSA's surveillance techniques, he warns, could
inadvertently be undermining the security of the Internet.

"When they deploy malware on systems," Hypponen says, "they
potentially create new vulnerabilities in these systems, making them
more vulnerable for attacks by third parties."

Hypponen believes that governments could arguably justify using
malware in a small number of targeted cases against adversaries. But
millions of malware implants being deployed by the NSA as part of an
automated process, he says, would be "out of control."

"That would definitely not be proportionate," Hypponen says. "It
couldn't possibly be targeted and named. It sounds like wholesale
infection and wholesale surveillance."

The NSA declined to answer questions about its deployment of implants,
pointing to a new presidential policy directive announced by President
Obama. "As the president made clear on 17 January," the agency said in
a statement, "signals intelligence shall be collected exclusively
where there is a foreign intelligence or counterintelligence purpose
to support national and departmental missions, and not for any other

"Owning the Net"

The NSA began rapidly escalating its hacking efforts a decade ago. In
2004, according to secret internal records, the agency was managing a
small network of only 100 to 150 implants. But over the next six to
eight years, as an elite unit called Tailored Access Operations (TAO)
recruited new hackers and developed new malware tools, the number of
implants soared to tens of thousands.

To penetrate foreign computer networks and monitor communications that
it did not have access to through other means, the NSA wanted to go
beyond the limits of traditional signals intelligence, or SIGINT, the
agency's term for the interception of electronic communications.
Instead, it sought to broaden "active" surveillance methods - tactics
designed to directly infiltrate a target's computers or network

In the documents, the agency describes such techniques as "a more
aggressive approach to SIGINT" and says that the TAO unit's mission is
to "aggressively scale" these operations.

But the NSA recognized that managing a massive network of implants is
too big a job for humans alone.

"One of the greatest challenges for active SIGINT/attack is scale,"
explains the top-secret presentation from 2009. "Human 'drivers' limit
ability for large-scale exploitation (humans tend to operate within
their own environment, not taking into account the bigger picture)."

The agency's solution was TURBINE. Developed as part of the TAO unit, it
is described in the leaked documents as an "intelligent command and
control capability" that enables "industrial-scale exploitation."

TURBINE was designed to make deploying malware much easier for the
NSA's hackers by reducing their role in overseeing its functions. The
system would "relieve the user from needing to know/care about the
details," the NSA's Technology Directorate notes in one secret
document from 2009. "For example, a user should be able to ask for
'all details about application X' and not need to know how and where
the application keeps files, registry entries, user application data,

In practice, this meant that TURBINE would automate crucial processes
that previously had to be performed manually - including the
configuration of the implants as well as surveillance collection, or
"tasking," of data from infected systems. But automating these
processes was about much more than a simple technicality. The move
represented a major tactical shift within the NSA that was expected to
have a profound impact - allowing the agency to push forward into a
new frontier of surveillance operations.

The ramifications are starkly illustrated in one undated top-secret
NSA document, which describes how the agency planned for TURBINE to
"increase the current capability to deploy and manage hundreds of
Computer Network Exploitation (CNE) and Computer Network Attack (CNA)
implants to potentially millions of implants." (CNE mines intelligence
from computers and networks; CNA seeks to disrupt, damage or destroy

Eventually, the secret files indicate, the NSA's plans for TURBINE
came to fruition. The system has been operational in some capacity
since at least July 2010, and its role has become increasingly central
to NSA hacking operations.

Earlier reports based on the Snowden files indicate that the NSA has
already deployed between 85,000 and 100,000 of its implants against
computers and networks across the world, with plans to keep on scaling
up those numbers.

The intelligence community's top-secret "Black Budget" for 2013,
obtained by Snowden, lists TURBINE as part of a broader NSA
surveillance initiative named "Owning the Net."

The agency sought $67.6 million in taxpayer funding for its Owning the
Net program last year. Some of the money was earmarked for TURBINE,
expanding the system to encompass "a wider variety" of networks and
"enabling greater automation of computer network exploitation."

Circumventing Encryption

The NSA has a diverse arsenal of malware tools, each highly
sophisticated and customizable for different purposes.

One implant, codenamed UNITEDRAKE, can be used with a variety of
"plug-ins" that enable the agency to gain total control of an infected

An implant plug-in named CAPTIVATEDAUDIENCE, for example, is used to
take over a targeted computer's microphone and record conversations
taking place near the device. Another, GUMFISH, can covertly take over
a computer's webcam and snap photographs. FOGGYBOTTOM records logs of
Internet browsing histories and collects login details and passwords
used to access websites and email accounts. GROK is used to log
keystrokes. And SALVAGERABBIT exfiltrates data from removable flash
drives that connect to an infected computer.

The implants can enable the NSA to circumvent privacy-enhancing
encryption tools that are used to browse the Internet anonymously or
scramble the contents of emails as they are being sent across
networks. That's because the NSA's malware gives the agency unfettered
access to a target's computer before the user protects their
communications with encryption.

It is unclear how many of the implants are being deployed on an annual
basis or which variants of them are currently active in computer
systems across the world.

Previous reports have alleged that the NSA worked with Israel to
develop the Stuxnet malware, which was used to sabotage Iranian
nuclear facilities. The agency also reportedly worked with Israel to
deploy malware called Flame to infiltrate computers and spy on
communications in countries across the Middle East.

According to the Snowden files, the technology has been used to seek
out terror suspects as well as individuals regarded by the NSA as
"extremist." But the mandate of the NSA's hackers is not limited to
invading the systems of those who pose a threat to national security.

In one secret post on an internal message board, an operative from the
NSA's Signals Intelligence Directorate describes using malware attacks
against systems administrators who work at foreign phone and Internet
service providers. By hacking an administrator's computer, the agency
can gain covert access to communications that are processed by his
company. "Sys admins are a means to an end," the NSA operative writes.

The internal post - titled "I hunt sys admins" - makes clear that
terrorists aren't the only targets of such NSA attacks. Compromising a
systems administrator, the operative notes, makes it easier to get to
other targets of interest, including any "government official that
happens to be using the network some admin takes care of."

Similar tactics have been adopted by Government Communications
Headquarters, the NSA's British counterpart. As the German newspaper
Der Spiegel reported in September, GCHQ hacked computers belonging to
network engineers at Belgacom, the Belgian telecommunications

The mission, codenamed "Operation Socialist," was designed to enable
GCHQ to monitor mobile phones connected to Belgacom's network. The
secret files deem the mission a "success," and indicate that the
agency had the ability to covertly access Belgacom's systems since at
least 2010.

Infiltrating cellphone networks, however, is not all that the malware
can be used to accomplish. The NSA has specifically tailored some of
its implants to infect large-scale network routers used by Internet
service providers in foreign countries. By compromising routers - the
devices that connect computer networks and transport data packets
across the Internet - the agency can gain covert access to monitor
Internet traffic, record the browsing sessions of users, and intercept

Two implants the NSA injects into network routers, HAMMERCHANT and
HAMMERSTEIN, help the agency to intercept and perform "exploitation
attacks" against data that is sent through a Virtual Private Network,
a tool that uses encrypted "tunnels" to enhance the security and
privacy of an Internet session.

The implants also track phone calls sent across the network via Skype
and other Voice Over IP software, revealing the username of the person
making the call. If the audio of the VOIP conversation is sent over
the Internet using unencrypted "Real-time Transport Protocol" packets,
the implants can covertly record the audio data and then return it to
the NSA for analysis.

But not all of the NSA's implants are used to gather intelligence, the
secret files show. Sometimes, the agency's aim is disruption rather
than surveillance. QUANTUMSKY, a piece of NSA malware developed in
2004, is used to block targets from accessing certain websites.
QUANTUMCOPPER, first tested in 2008, corrupts a target's file
downloads. These two "attack" techniques are revealed on a classified
list that features nine NSA hacking tools, six of which are used for
intelligence gathering. Just one is used for "defensive" purposes - to
protect U.S. government networks against intrusions.

"Mass exploitation potential"

Before it can extract data from an implant or use it to attack a
system, the NSA must first install the malware on a targeted computer
or network.

According to one top-secret document from 2012, the agency can deploy
malware by sending out spam emails that trick targets into clicking a
malicious link. Once activated, a "back-door implant" infects their
computers within eight seconds.

There's only one problem with this tactic, codenamed WILLOWVIXEN:
According to the documents, the spam method has become less successful
in recent years, as Internet users have become wary of unsolicited
emails and less likely to click on anything that looks suspicious.

Consequently, the NSA has turned to new and more advanced hacking
techniques. These include performing so-called "man-in-the-middle" and
"man-on-the-side" attacks, which covertly force a user's internet
browser to route to NSA computer servers that try to infect them with
an implant.

To perform a man-on-the-side attack, the NSA observes a target's
Internet traffic using its global network of covert "accesses" to data
as it flows over fiber optic cables or satellites. When the target
visits a website that the NSA is able to exploit, the agency's
surveillance sensors alert the TURBINE system, which then "shoots"
data packets at the targeted computer's IP address within a fraction
of a second.

In one man-on-the-side technique, codenamed QUANTUMHAND, the agency
disguises itself as a fake Facebook server. When a target attempts to
log in to the social media site, the NSA transmits malicious data
packets that trick the target's computer into thinking they are being
sent from the real Facebook. By concealing its malware within what
looks like an ordinary Facebook page, the NSA is able to hack into the
targeted computer and covertly siphon out data from its hard drive. A
top-secret animation demonstrates the tactic in action.
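The man-on-the-side race described above leaves a network-visible trace: the forged reply and the genuine server reply both reach the client, each claiming the same position in the TCP stream. The following detector, an added example that is not part of the article or any document it cites, flags a flow when two segments carry the same sequence number but different payloads, and reports the TTL gap between them as supporting evidence. The Packet layout, the sample packets and the TTL threshold are constructed for this example.

```python
"""Flag TCP payload injection of the kind a man-on-the-side attack produces:
two segments for the same flow with the same sequence number but different
payloads (the injected one and the real one both arrive; the client keeps
whichever came first). The packet records, the flow key layout and the TTL
threshold are constructed for this example, not taken from the article."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # server-side address (the address a spoofed reply claims)
    dst: str        # client address
    sport: int
    dport: int
    seq: int        # TCP sequence number of the segment
    ttl: int        # IP TTL as observed at the monitoring point
    payload: bytes  # TCP payload (leading bytes are enough for comparison)


FlowKey = Tuple[str, int, str, int]


def flow_key(p: Packet) -> FlowKey:
    """Identify one direction of a connection: server -> client."""
    return (p.src, p.sport, p.dst, p.dport)


def detect_injection(packets: List[Packet], ttl_slack: int = 2) -> List[dict]:
    """Return one alert per (flow, seq) at which distinct payloads were seen.

    A retransmission repeats the same bytes, so it never alerts. Two different
    payloads for one sequence number mean two senders claimed the same stream
    position. A TTL difference larger than ttl_slack is reported as supporting
    evidence: a forged segment usually travels a different path length than
    the real server's reply."""
    seen: Dict[Tuple[FlowKey, int], List[Packet]] = defaultdict(list)
    for p in packets:
        seen[(flow_key(p), p.seq)].append(p)

    alerts = []
    for (key, seq), group in seen.items():
        payloads = {p.payload for p in group}
        if len(payloads) < 2:
            continue
        ttls = sorted(p.ttl for p in group)
        gap = ttls[-1] - ttls[0]
        alerts.append({
            "flow": key,
            "seq": seq,
            "variants": len(payloads),
            "ttl_gap": gap,
            "ttl_suspicious": gap > ttl_slack,
            "first_payload": group[0].payload[:40],
        })
    return alerts


# Constructed sample: a benign retransmission on one flow, then a second flow
# in which a forged HTTP redirect arrives just before the real response.
SAMPLE = [
    Packet("203.0.113.10", "192.0.2.5", 80, 51000, 1000, 52, b"HTTP/1.1 200 OK\r\n"),
    Packet("203.0.113.10", "192.0.2.5", 80, 51000, 1000, 52, b"HTTP/1.1 200 OK\r\n"),
    Packet("203.0.113.20", "192.0.2.5", 80, 51001, 2000, 61,
           b"HTTP/1.1 302 Found\r\nLocation: http://example.invalid/\r\n"),
    Packet("203.0.113.20", "192.0.2.5", 80, 51001, 2000, 49,
           b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"),
]

if __name__ == "__main__":
    for alert in detect_injection(SAMPLE):
        print(alert)
```

On real traffic the same check runs over a capture or an IDS stream; the retransmission case shows why the comparison must be on payload bytes, not merely on repeated sequence numbers.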

The documents show that QUANTUMHAND became operational in October
2010, after being successfully tested by the NSA against about a dozen

According to Matt Blaze, a surveillance and cryptography expert at the
University of Pennsylvania, it appears that the QUANTUMHAND technique
is aimed at targeting specific individuals. But he expresses concerns
about how it has been covertly integrated within Internet networks as
part of the NSA's automated TURBINE system.

"As soon as you put this capability in the backbone infrastructure,
the software and security engineer in me says that's terrifying,"
Blaze says.

"Forget about how the NSA is intending to use it. How do we know it is
working correctly and only targeting who the NSA wants? And even if it
does work correctly, which is itself a really dubious assumption, how
is it controlled?"

In an email statement to The Intercept, Facebook spokesman Jay
Nancarrow said the company had "no evidence of this alleged activity."
He added that Facebook implemented HTTPS encryption for users last
year, making browsing sessions less vulnerable to malware attacks.

Nancarrow also pointed out that other services besides Facebook could
have been compromised by the NSA. "If government agencies indeed have
privileged access to network service providers," he said, "any site
running only [unencrypted] HTTP could conceivably have its traffic

A man-in-the-middle attack is a similar but slightly more aggressive
method that can be used by the NSA to deploy its malware. It refers to
a hacking technique in which the agency covertly places itself between
computers as they are communicating with each other.

This allows the NSA not only to observe and redirect browsing
sessions, but to modify the content of data packets that are passing
between computers.

The man-in-the-middle tactic can be used, for instance, to covertly
change the content of a message as it is being sent between two
people, without either knowing that any change has been made by a
third party. The same technique is sometimes used by criminal hackers
to defraud people.

A top-secret NSA presentation from 2012 reveals that the agency
developed a man-in-the-middle capability called SECONDDATE to
"influence real-time communications between client and server" and to
"quietly redirect web-browsers" to NSA malware servers called FOXACID.
In October, details about the FOXACID system were reported by the
Guardian, which revealed its links to attacks against users of the
Internet anonymity service Tor.

But SECONDDATE is tailored not only for "surgical" surveillance
attacks on individual suspects. It can also be used to launch bulk
malware attacks against computers.

According to the 2012 presentation, the tactic has "mass exploitation
potential for clients passing through network choke points."

Blaze, the University of Pennsylvania surveillance expert, says the
potential use of man-in-the-middle attacks on such a scale "seems very
disturbing." Such an approach would involve indiscriminately
monitoring entire networks as opposed to targeting individual

"The thing that raises a red flag for me is the reference to 'network
choke points,'" he says. "That's the last place that we should be
allowing intelligence agencies to compromise the infrastructure -
because that is by definition a mass surveillance technique."

To deploy some of its malware implants, the NSA exploits security
vulnerabilities in commonly used Internet browsers such as Mozilla
Firefox and Internet Explorer.

The agency's hackers also exploit security weaknesses in network
routers and in popular software plugins such as Flash and Java to
deliver malicious code onto targeted machines.

The implants can circumvent anti-virus programs, and the NSA has gone
to extreme lengths to ensure that its clandestine technology is
extremely difficult to detect. An implant named VALIDATOR, used by the
NSA to upload and download data to and from an infected machine, can
be set to self-destruct - deleting itself from an infected computer
after a set time expires.

In many cases, firewalls and other security measures do not appear to
pose much of an obstacle to the NSA. Indeed, the agency's hackers
appear confident in their ability to circumvent any security mechanism
that stands between them and compromising a computer or network. "If
we can get the target to visit us in some sort of web browser, we can
probably own them," an agency hacker boasts in one secret document.
"The only limitation is the 'how.'"

Covert Infrastructure

The TURBINE implants system does not operate in isolation.

It is linked to, and relies upon, a large network of clandestine
surveillance "sensors" that the agency has installed at locations
across the world.

The NSA's headquarters in Maryland are part of this network, as are
eavesdropping bases used by the agency in Misawa, Japan and Menwith
Hill, England.

The sensors, codenamed TURMOIL, operate as a sort of high-tech
surveillance dragnet, monitoring packets of data as they are sent
across the Internet.

When TURBINE implants exfiltrate data from infected computer systems,
the TURMOIL sensors automatically identify the data and return it to
the NSA for analysis. And when targets are communicating, the TURMOIL
system can be used to send alerts or "tips" to TURBINE, enabling the
initiation of a malware attack.

The NSA identifies surveillance targets based on a series of data
"selectors" as they flow across Internet cables. These selectors,
according to internal documents, can include email addresses, IP
addresses, or the unique "cookies" containing a username or other
identifying information that are sent to a user's computer by websites
such as Google, Facebook, Hotmail, Yahoo, and Twitter.

Other selectors the NSA uses can be gleaned from unique Google
advertising cookies that track browsing habits, unique encryption key
fingerprints that can be traced to a specific user, and computer IDs
that are sent across the Internet when a Windows computer crashes or

What's more, the TURBINE system operates with the knowledge and
support of other governments, some of which have participated in the
malware attacks.

Classification markings on the Snowden documents indicate that NSA has
shared many of its files on the use of implants with its counterparts
in the so-called Five Eyes surveillance alliance - the United Kingdom,
Canada, New Zealand, and Australia.

GCHQ, the British agency, has taken on a particularly important role
in helping to develop the malware tactics. The Menwith Hill satellite
eavesdropping base that is part of the TURMOIL network, located in a
rural part of Northern England, is operated by the NSA in close
cooperation with GCHQ.

Top-secret documents show that the British base - referred to by the
NSA as "MHS" for Menwith Hill Station - is an integral component of
the TURBINE malware infrastructure and has been used to experiment
with implant "exploitation" attacks against users of Yahoo and

In one document dated 2010, at least five variants of the QUANTUM
hacking method were listed as being "operational" at Menwith Hill. The
same document also reveals that GCHQ helped integrate three of the
QUANTUM malware capabilities - and test two others - as part of a
surveillance system it operates codenamed INSENSER.

GCHQ cooperated with the hacking attacks despite having reservations
about their legality. One of the Snowden files, previously disclosed
by Swedish broadcaster SVT, revealed that as recently as April 2013,
GCHQ was apparently reluctant to get involved in deploying the QUANTUM
malware due to "legal/policy restrictions." A representative from a
unit of the British surveillance agency, meeting with an obscure
telecommunications standards committee in 2010, separately voiced
concerns that performing "active" hacking attacks for surveillance
"may be illegal" under British law.

In response to questions from The Intercept, GCHQ refused to comment
on its involvement in the covert hacking operations. Citing its
boilerplate response to inquiries, the agency said in a statement that
"all of GCHQ's work is carried out in accordance with a strict legal
and policy framework which ensures that our activities are authorized,
necessary and proportionate, and that there is rigorous oversight."

Whatever the legalities of the United Kingdom and United States
infiltrating computer networks, the Snowden files bring into sharp
focus the broader implications. Under cover of secrecy and without
public debate, there has been an unprecedented proliferation of
aggressive surveillance techniques. One of the NSA's primary concerns,
in fact, appears to be that its clandestine tactics are now being
adopted by foreign rivals, too.

"Hacking routers has been good business for us and our 5-eyes partners
for some time," notes one NSA analyst in a top-secret document dated
December 2012. "But it is becoming more apparent that other nation
states are honing their skillz [sic] and joining the scene."


Documents published with this article:

Menwith Hill Station Leverages XKeyscore for Quantum Against Yahoo and Hotmail
Five Eyes Hacking Large Routers
NSA Technology Directorate Analysis of Converged Data
Selector Types
There Is More Than One Way to Quantum
NSA Phishing Tactics and Man in the Middle Attacks
Quantum Insert Diagrams
The NSA and GCHQ's QUANTUMTHEORY Hacking Tactics
Industrial-Scale Exploitation
Thousands of Implants
