{"id":40956,"date":"2014-03-17T12:00:46","date_gmt":"2014-03-17T12:00:46","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=40956"},"modified":"2015-05-05T22:10:56","modified_gmt":"2015-05-05T21:10:56","slug":"how-the-nsa-plans-to-infect-millions-of-computers-with-malware","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2014\/03\/how-the-nsa-plans-to-infect-millions-of-computers-with-malware\/","title":{"rendered":"How the NSA Plans to Infect \u2018Millions\u2019 of Computers with Malware"},"content":{"rendered":"<div id=\"attachment_40957\" style=\"width: 310px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa_malware_feature.jpg\" ><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-40957\" class=\"size-medium wp-image-40957\" alt=\"One presentation outlines how the NSA performs \u201cindustrial-scale exploitation\u201d of computer networks across the world.\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa_malware_feature-300x160.jpg\" width=\"300\" height=\"160\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa_malware_feature-300x160.jpg 300w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa_malware_feature.jpg 1018w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-40957\" class=\"wp-caption-text\">One presentation outlines how the NSA performs \u201cindustrial-scale exploitation\u201d of computer networks across the world.<\/p><\/div>\n<p>Top-secret documents reveal that the National Security Agency is dramatically expanding its ability to covertly hack into computers on a mass scale by using automated systems that reduce the level of human oversight in the process.<\/p>\n<p>The classified files \u2013 provided previously by NSA whistleblower Edward Snowden \u2013 contain new details about groundbreaking surveillance 
technology the agency has developed to infect potentially millions of computers worldwide with malware \u201cimplants.\u201d The clandestine initiative enables the NSA to break into targeted computers and to siphon out data from foreign Internet and phone networks.<\/p>\n<p>The covert infrastructure that supports the hacking efforts operates from the agency\u2019s headquarters in Fort Meade, Maryland, and from eavesdropping bases in the United Kingdom and Japan. GCHQ, the British intelligence agency, appears to have played an integral role in helping to develop the implants tactic.<\/p>\n<p>In some cases the NSA has masqueraded as a fake Facebook server, using the social media site as a launching pad to infect a target\u2019s computer and exfiltrate files from a hard drive. In others, it has sent out spam emails laced with the malware, which can be tailored to covertly record audio from a computer\u2019s microphone and take snapshots with its webcam. The hacking systems have also enabled the NSA to launch cyberattacks by corrupting and disrupting file downloads or denying access to websites.<\/p>\n<p>The implants being deployed were once reserved for a few hundred hard-to-reach targets, whose communications could not be monitored through traditional wiretaps. But the documents analyzed by <i>The Intercept<\/i> show how the NSA has aggressively accelerated its hacking initiatives in the past decade by computerizing some processes previously handled by humans. 
The automated system \u2013 codenamed TURBINE \u2013 is designed to \u201callow the current implant network to scale to large size (millions of implants) by creating a system that does automated control implants by groups instead of individually.\u201d<\/p>\n<p>In a top-secret presentation, dated August 2009, the NSA describes a pre-programmed part of the covert infrastructure called the \u201cExpert System,\u201d which is designed to operate \u201clike the brain.\u201d The system manages the applications and functions of the implants and \u201cdecides\u201d what tools they need to best extract data from infected machines.<\/p>\n<p>Mikko Hypponen, an expert in malware who serves as chief research officer at the Finnish security firm <a href=\"http:\/\/home.f-secure.com\/en_US\/\"  target=\"_blank\">F-Secure<\/a>, calls the revelations \u201cdisturbing.\u201d The NSA\u2019s surveillance techniques, he warns, could inadvertently be undermining the security of the Internet.<\/p>\n<p>\u201cWhen they deploy malware on systems,\u201d Hypponen says, \u201cthey potentially create new vulnerabilities in these systems, making them more vulnerable for attacks by third parties.\u201d<\/p>\n<p>Hypponen believes that governments could arguably justify using malware in a small number of targeted cases against adversaries. But millions of malware implants being deployed by the NSA as part of an automated process, he says, would be \u201cout of control.\u201d<\/p>\n<p>\u201cThat would definitely not be proportionate,\u201d Hypponen says. \u201cIt couldn\u2019t possibly be targeted and named. It sounds like wholesale infection and wholesale surveillance.\u201d<\/p>\n<p>The NSA declined to answer questions about its deployment of implants, pointing to a new presidential policy directive announced by President Obama. 
\u201cAs the president made clear on 17 January,\u201d the agency said in a statement, \u201csignals intelligence shall be collected exclusively where there is a foreign intelligence or counterintelligence purpose to support national and departmental missions, and not for any other purposes.\u201d<\/p>\n<p><b>\u201cOwning the Net\u201d<\/b><\/p>\n<p>The NSA began rapidly escalating its hacking efforts a decade ago. In 2004, according to secret <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2014\/03\/12\/thousands-implants\/\" >internal records<\/a>, the agency was managing a small network of only 100 to 150 implants. But over the next six to eight years, as an elite unit called Tailored Access Operations (TAO) recruited new hackers and developed new malware tools, the number of implants soared to tens of thousands.<\/p>\n<p>To penetrate foreign computer networks and monitor communications that it did not have access to through other means, the NSA wanted to go beyond the limits of traditional signals intelligence, or SIGINT, the agency\u2019s term for the interception of electronic communications. Instead, it sought to broaden \u201cactive\u201d surveillance methods \u2013 tactics designed to directly infiltrate a target\u2019s computers or network devices.<\/p>\n<p>In the documents, the agency describes such techniques as \u201ca more aggressive approach to SIGINT\u201d and says that the TAO unit\u2019s mission is to \u201caggressively scale\u201d these operations.<\/p>\n<p>But the NSA recognized that managing a massive network of implants is too big a job for humans alone.<\/p>\n<p>\u201cOne of the greatest challenges for active SIGINT\/attack is scale,\u201d explains the top-secret presentation from 2009. \u201cHuman \u2018drivers\u2019 limit ability for large-scale exploitation (humans tend to operate within their own environment, not taking into account the bigger picture).\u201d<\/p>\n<p>The agency\u2019s solution was TURBINE. 
Developed as part of the TAO unit, it is described in the leaked documents as an \u201cintelligent command and control capability\u201d that <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2014\/03\/12\/industrial-scale-exploitation\/\" >enables<\/a> \u201cindustrial-scale exploitation.\u201d<\/p>\n<p><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/intelligent-command-and-control-1024x225.jpg\" ><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-40958\" alt=\"intelligent-command-and-control-1024x225\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/intelligent-command-and-control-1024x225-300x65.jpg\" width=\"300\" height=\"65\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/intelligent-command-and-control-1024x225-300x65.jpg 300w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/intelligent-command-and-control-1024x225.jpg 1024w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>TURBINE was designed to make deploying malware much easier for the NSA\u2019s hackers by reducing their role in overseeing its functions. The system would \u201crelieve the user from needing to know\/care about the details,\u201d the NSA\u2019s Technology Directorate notes in <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2014\/03\/12\/nsa-technology-directorate-analysis-converged-data\/\" >one secret document<\/a> from 2009. 
\u201cFor example, a user should be able to ask for \u2018all details about application X\u2019 and not need to know how and where the application keeps files, registry entries, user application data, etc.\u201d<\/p>\n<p>In practice, this meant that TURBINE would automate crucial processes that previously had to be performed manually \u2013 including the configuration of the implants as well as surveillance collection, or \u201ctasking,\u201d of data from infected systems.\u00a0But automating these processes was about much more than a simple technicality. The move represented a major tactical shift within the NSA that was expected to have a profound impact \u2013 allowing the agency to push forward into a new frontier of surveillance operations.<\/p>\n<p>The ramifications are starkly illustrated in one undated top-secret NSA document, which describes how the agency planned for TURBINE to \u201cincrease the current capability to deploy and manage hundreds of Computer Network Exploitation (CNE) and Computer Network Attack (CNA) implants to potentially millions of implants.\u201d (CNE mines intelligence from computers and networks; CNA seeks to disrupt, damage or destroy them.)<\/p>\n<p><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-turbine-large-1024x86.jpg\" ><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-40959\" alt=\"nsa turbine-large-1024x86\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-turbine-large-1024x86-300x25.jpg\" width=\"300\" height=\"25\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-turbine-large-1024x86-300x25.jpg 300w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-turbine-large-1024x86.jpg 1024w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Eventually, the secret files indicate, the NSA\u2019s plans for TURBINE came to fruition. 
The system has been operational in some capacity since at least July 2010, and its role has become increasingly central to NSA hacking operations.<\/p>\n<p><a href=\"http:\/\/www.nytimes.com\/2014\/01\/15\/us\/nsa-effort-pries-open-computers-not-connected-to-internet.html?_r=1\"  target=\"_blank\">Earlier<\/a> <a href=\"http:\/\/www.washingtonpost.com\/world\/national-security\/us-spy-agencies-mounted-231-offensive-cyber-operations-in-2011-documents-show\/2013\/08\/30\/d090a6ae-119e-11e3-b4cb-fd7ce041d814_story.html\"  target=\"_blank\">reports<\/a> based on the Snowden files indicate that the NSA has already deployed between 85,000 and 100,000 of its implants against computers and networks <a href=\"http:\/\/www.nrc.nl\/nieuws\/2013\/11\/23\/nsa-infected-50000-computer-networks-with-malicious-software\/\"  target=\"_blank\">across the world<\/a>, with plans to keep on scaling up those numbers.<\/p>\n<p>The intelligence community\u2019s top-secret \u201cBlack Budget\u201d for 2013, obtained by Snowden, lists TURBINE as part of a broader NSA surveillance initiative named \u201cOwning the Net.\u201d<\/p>\n<p>The agency sought $67.6 million in taxpayer funding for its Owning the Net program last year. Some of the money was earmarked for TURBINE, expanding the system to encompass \u201ca wider variety\u201d of networks and \u201cenabling greater automation of computer network exploitation.\u201d<\/p>\n<p><b>Circumventing Encryption<\/b><\/p>\n<p>The NSA has a diverse arsenal of malware tools, each highly sophisticated and customizable for different purposes.<\/p>\n<p>One implant, codenamed UNITEDRAKE, can be used with a variety of \u201cplug-ins\u201d that enable the agency to gain total control of an infected computer.<\/p>\n<p>An implant plug-in named CAPTIVATEDAUDIENCE, for example, is used to take over a targeted computer\u2019s microphone and record conversations taking place near the device. 
Another, GUMFISH, can covertly take over a computer\u2019s webcam and snap photographs. FOGGYBOTTOM records logs of Internet browsing histories and collects login details and passwords used to access websites and email accounts. GROK is used to log keystrokes. And SALVAGERABBIT exfiltrates data from removable flash drives that connect to an infected computer.<\/p>\n<p>The implants can enable the NSA to circumvent privacy-enhancing encryption tools that are used to browse the Internet anonymously or scramble the contents of emails as they are being sent across networks. That\u2019s because the NSA\u2019s malware gives the agency unfettered access to a target\u2019s computer before the user protects their communications with encryption.<\/p>\n<p>It is unclear how many of the implants are being deployed on an annual basis or which variants of them are currently active in computer systems across the world.<\/p>\n<p>Previous reports <a href=\"http:\/\/www.washingtonpost.com\/world\/national-security\/stuxnet-was-work-of-us-and-israeli-experts-officials-say\/2012\/06\/01\/gJQAlnEy6U_story.html\"  target=\"_blank\">have alleged<\/a> that the NSA worked with Israel to develop the Stuxnet malware, which was used to sabotage Iranian nuclear facilities. 
The agency also <a href=\"http:\/\/www.washingtonpost.com\/world\/national-security\/us-israel-developed-computer-virus-to-slow-iranian-nuclear-efforts-officials-say\/2012\/06\/19\/gJQA6xBPoV_story.html\"  target=\"_blank\">reportedly<\/a> worked with Israel to deploy malware called Flame to infiltrate computers and spy on communications in countries across the Middle East.<\/p>\n<p>According to the Snowden files, the technology has been used to seek out terror suspects as well as individuals regarded by the NSA as \u201cextremist.\u201d But the mandate of the NSA\u2019s hackers is not limited to invading the systems of those who pose a threat to national security.<\/p>\n<p>In one secret post on an internal message board, an operative from the NSA\u2019s Signals Intelligence Directorate describes using malware attacks against systems administrators who work at foreign phone and Internet service providers. By hacking an administrator\u2019s computer, the agency can gain covert access to communications that are processed by his company. \u201cSys admins are a means to an end,\u201d the NSA operative writes.<\/p>\n<p>The internal post \u2013 titled \u201cI hunt sys admins\u201d \u2013 makes clear that terrorists aren\u2019t the only targets of such NSA attacks. Compromising a systems administrator, the operative notes, makes it easier to get to other targets of interest, including any \u201cgovernment official that happens to be using the network some admin takes care of.\u201d<\/p>\n<p>Similar tactics have been adopted by Government Communications Headquarters, the NSA\u2019s British counterpart. 
As the German newspaper <i>Der Spiegel<\/i> <a href=\"http:\/\/www.spiegel.de\/international\/europe\/british-spy-agency-gchq-hacked-belgian-telecoms-firm-a-923406.html\"  target=\"_blank\">reported<\/a> in September, GCHQ hacked computers belonging to network engineers at Belgacom, the Belgian telecommunications provider.<\/p>\n<p>The mission, codenamed \u201cOperation Socialist,\u201d was designed to enable GCHQ to monitor mobile phones connected to Belgacom\u2019s network. The secret files deem the mission a \u201csuccess,\u201d and indicate that the agency had the ability to covertly access Belgacom\u2019s systems since at least 2010.<\/p>\n<p>Infiltrating cellphone networks, however, is not all that the malware can be used to accomplish. The NSA has specifically tailored some of its implants to infect large-scale network routers used by Internet service providers in foreign countries. By compromising routers \u2013 the devices that connect computer networks and transport data packets across the Internet \u2013 the agency can gain covert access to monitor Internet traffic, record the browsing sessions of users, and intercept communications.<\/p>\n<p>Two implants the NSA injects into network routers, HAMMERCHANT and HAMMERSTEIN, help the agency to intercept and perform \u201cexploitation attacks\u201d against data that is sent through a <a href=\"http:\/\/www.techterms.com\/definition\/vpn\"  target=\"_blank\">Virtual Private Network<\/a>, a tool that uses encrypted \u201ctunnels\u201d to enhance the security and privacy of an Internet session.<\/p>\n<p><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-hammer-vpn.jpg\" ><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-40960\" alt=\"nsa hammer-vpn\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-hammer-vpn-300x226.jpg\" width=\"300\" height=\"226\" 
srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-hammer-vpn-300x226.jpg 300w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-hammer-vpn.jpg 618w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>The implants also track phone calls sent across the network via Skype and other Voice Over IP software, revealing the username of the person making the call. If the audio of the VOIP conversation is sent over the Internet using unencrypted \u201cReal-time Transport Protocol\u201d packets, the implants can covertly record the audio data and then return it to the NSA for analysis.<\/p>\n<p><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-hammer-voip.jpg\" ><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-40961\" alt=\"nsa hammer-voip\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-hammer-voip-300x226.jpg\" width=\"300\" height=\"226\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-hammer-voip-300x226.jpg 300w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-hammer-voip.jpg 621w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>But not all of the NSA\u2019s implants are used to gather intelligence, the secret files show. Sometimes, the agency\u2019s aim is disruption rather than surveillance. QUANTUMSKY, a piece of NSA malware developed in 2004, is used to block targets from accessing certain websites. QUANTUMCOPPER, first tested in 2008, corrupts a target\u2019s file downloads. These two \u201cattack\u201d techniques are revealed on <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2014\/03\/12\/one-way-quantum\/\" >a classified list<\/a> that features nine NSA hacking tools, six of which are used for intelligence gathering. Just one is used for \u201cdefensive\u201d purposes \u2013 to protect U.S. 
government networks against intrusions.<\/p>\n<p><b>\u201cMass exploitation potential\u201d<\/b><\/p>\n<p>Before it can extract data from an implant or use it to attack a system, the NSA must first install the malware on a targeted computer or network.<\/p>\n<p>According to <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2014\/03\/12\/nsa-phishing-tactics-man-middle-attacks\/\" >one top-secret document<\/a> from 2012, the agency can deploy malware by sending out spam emails that trick targets into clicking a malicious link. Once activated, a \u201cback-door implant\u201d infects their computers within eight seconds.<\/p>\n<p>There\u2019s only one problem with this tactic, codenamed WILLOWVIXEN: According to the documents, the spam method has become less successful in recent years, as Internet users have become wary of unsolicited emails and less likely to click on anything that looks suspicious.<\/p>\n<p>Consequently, the NSA has turned to new and more advanced hacking techniques. These include performing so-called \u201cman-in-the-middle\u201d and \u201cman-on-the-side\u201d attacks, which covertly force a user\u2019s internet browser to route to NSA computer servers that try to infect them with an implant.<\/p>\n<p>To perform a man-on-the-side attack, the NSA observes a target\u2019s Internet traffic using its global network of covert \u201caccesses\u201d to data as it flows over fiber optic cables or satellites. When the target visits a website that the NSA is able to exploit, the agency\u2019s surveillance sensors <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2014\/03\/12\/quantum-insert-diagrams\/\" >alert the TURBINE system<\/a>, which then \u201cshoots\u201d data packets at the targeted computer\u2019s IP address within a fraction of a second.<\/p>\n<p>In one man-on-the-side technique, codenamed QUANTUMHAND, the agency disguises itself as a fake Facebook server. 
When a target attempts to log in to the social media site, the NSA transmits malicious data packets that trick the target\u2019s computer into thinking they are being sent from the real Facebook. By concealing its malware within what looks like an ordinary Facebook page, the NSA is able to hack into the targeted computer and covertly siphon out data from its hard drive. A top-secret animation demonstrates the tactic in action.<\/p>\n<p>httpv:\/\/www.vimeo.com\/88822483<\/p>\n<p>The documents show that QUANTUMHAND became operational in October 2010, after being successfully tested by the NSA against about a dozen targets.<\/p>\n<p>According to Matt Blaze, a surveillance and cryptography expert at the University of Pennsylvania, it appears that the QUANTUMHAND technique is aimed at targeting specific individuals. But he expresses concerns about how it has been covertly integrated within Internet networks as part of the NSA\u2019s automated TURBINE system.<\/p>\n<p>\u201cAs soon as you put this capability in the backbone infrastructure, the software and security engineer in me says that\u2019s terrifying,\u201d Blaze says.<\/p>\n<p>\u201cForget about how the NSA is intending to use it. How do we know it is working correctly and only targeting who the NSA wants? And even if it does work correctly, which is itself a really dubious assumption, how is it controlled?\u201d<\/p>\n<p>In an email statement to <i>The Intercept<\/i>, Facebook spokesman Jay Nancarrow said the company had \u201cno evidence of this alleged activity.\u201d He added that Facebook implemented HTTPS encryption for users last year, making browsing sessions less vulnerable to malware attacks.<\/p>\n<p>Nancarrow also pointed out that other services besides Facebook could have been compromised by the NSA. 
\u201cIf government agencies indeed have privileged access to network service providers,\u201d he said, \u201cany site running only [unencrypted] HTTP could conceivably have its traffic misdirected.\u201d<\/p>\n<p>A man-in-the-middle attack is a similar but slightly more aggressive method that can be used by the NSA to deploy its malware. It refers to a hacking technique in which the agency covertly places itself between computers as they are communicating with each other.<\/p>\n<p>This allows the NSA not only to observe and redirect browsing sessions, but to modify the content of data packets that are passing between computers.<\/p>\n<p>The man-in-the-middle tactic can be used, for instance, to covertly change the content of a message as it is being sent between two people, without either knowing that any change has been made by a third party. The same technique is <a href=\"https:\/\/blogs.rsa.com\/man-in-the-middle-standing-between-you-and-your-cash\/\"  target=\"_blank\">sometimes used by criminal hackers<\/a> to defraud people.<\/p>\n<p>A top-secret NSA presentation from 2012 reveals that the agency developed a man-in-the-middle capability called SECONDDATE to \u201cinfluence real-time communications between client and server\u201d and to \u201cquietly redirect web-browsers\u201d to NSA malware servers called FOXACID. In October, details about the FOXACID system were <a href=\"http:\/\/www.theguardian.com\/world\/2013\/oct\/04\/tor-attacks-nsa-users-online-anonymity\"  target=\"_blank\">reported by the <i>Guardian<\/i><\/a>, which revealed its links to attacks against users of the Internet anonymity service Tor.<\/p>\n<p>But SECONDDATE is tailored not only for \u201csurgical\u201d surveillance attacks on individual suspects. 
It can also be used to launch bulk malware attacks against computers.<\/p>\n<p>According to the 2012 presentation, the tactic has \u201cmass exploitation potential for clients passing through network choke points.\u201d<\/p>\n<p><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-tao-2-1024x768.png\" ><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-40962\" alt=\"nsa tao-2-1024x768\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-tao-2-1024x768-300x225.png\" width=\"300\" height=\"225\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-tao-2-1024x768-300x225.png 300w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-tao-2-1024x768.png 1024w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Blaze, the University of Pennsylvania surveillance expert, says the potential use of man-in-the-middle attacks on such a scale \u201cseems very disturbing.\u201d Such an approach would involve indiscriminately monitoring entire networks as opposed to targeting individual suspects.<\/p>\n<p>\u201cThe thing that raises a red flag for me is the reference to \u2018network choke points,\u2019\u201d he says. \u201cThat\u2019s the last place that we should be allowing intelligence agencies to compromise the infrastructure \u2013 because that is by definition a mass surveillance technique.\u201d<\/p>\n<p>To deploy some of its malware implants, the NSA exploits security vulnerabilities in commonly used Internet browsers such as Mozilla Firefox and Internet Explorer.<\/p>\n<p>The agency\u2019s hackers also exploit security weaknesses in network routers and in popular software plugins such as Flash and Java to deliver malicious code onto targeted machines.<\/p>\n<p>The implants can circumvent anti-virus programs, and the NSA has gone to extreme lengths to ensure that its clandestine technology is extremely difficult to detect. 
An implant named VALIDATOR, used by the NSA to upload and download data to and from an infected machine, can be set to self-destruct \u2013 deleting itself from an infected computer after a set time expires.<\/p>\n<p>In many cases, firewalls and other security measures do not appear to pose much of an obstacle to the NSA. Indeed, the agency\u2019s hackers appear confident in their ability to circumvent any security mechanism that stands between them and compromising a computer or network. \u201cIf we can get the target to visit us in some sort of web browser, we can probably own them,\u201d an agency hacker boasts in one secret document. \u201cThe only limitation is the \u2018how.\u2019\u201d<\/p>\n<p><b>Covert Infrastructure<\/b><\/p>\n<p>The TURBINE implants system does not operate in isolation.<\/p>\n<p>It is linked to, and relies upon, a large network of clandestine surveillance \u201csensors\u201d that the agency has <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2014\/03\/12\/turbine-turmoil\/\" >installed at locations across the world<\/a>.<\/p>\n<p><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-turbine_turmoil_maps-1-1024x768.png\" ><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-40964\" alt=\"nsa turbine_turmoil_maps-1-1024x768\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-turbine_turmoil_maps-1-1024x768-300x225.png\" width=\"300\" height=\"225\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-turbine_turmoil_maps-1-1024x768-300x225.png 300w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-turbine_turmoil_maps-1-1024x768.png 1024w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>The NSA\u2019s headquarters in Maryland are part of this network, as are eavesdropping bases used by the agency in Misawa, Japan and Menwith Hill, England.<\/p>\n<p>The sensors, codenamed 
TURMOIL, operate as a sort of high-tech surveillance dragnet, monitoring packets of data as they are sent across the Internet.<\/p>\n<p>When TURBINE implants exfiltrate data from infected computer systems, the TURMOIL sensors automatically identify the data and return it to the NSA for analysis. And when targets are communicating, the TURMOIL system can be used to send alerts or \u201ctips\u201d to TURBINE, enabling the initiation of a malware attack.<\/p>\n<p>The NSA identifies surveillance targets based on a series of data \u201cselectors\u201d as they flow across Internet cables. These selectors, according to internal documents, can include email addresses, IP addresses, or the unique \u201ccookies\u201d containing a username or other identifying information that are sent to a user\u2019s computer by websites such as Google, Facebook, Hotmail, Yahoo, and Twitter.<\/p>\n<p>Other selectors the NSA uses can be gleaned from unique Google advertising cookies that track browsing habits, unique encryption key fingerprints that can be traced to a specific user, and computer IDs that are sent across the Internet when a Windows computer crashes or updates.<\/p>\n<p><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-selectors-1024x768.png\" ><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-40963\" alt=\"nsa selectors-1024x768\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-selectors-1024x768-300x225.png\" width=\"300\" height=\"225\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-selectors-1024x768-300x225.png 300w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-selectors-1024x768.png 1024w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>What\u2019s more, the TURBINE system operates with the knowledge and support of other governments, some of which have participated in the malware attacks.<\/p>\n<p>Classification 
markings on the Snowden documents indicate that NSA has shared many of its files on the use of implants with its counterparts in the so-called Five Eyes surveillance alliance \u2013 the United Kingdom, Canada, New Zealand, and Australia.<\/p>\n<p>GCHQ, the British agency, has taken on a particularly important role in helping to develop the malware tactics. The Menwith Hill satellite eavesdropping base that is part of the TURMOIL network, located in a rural part of Northern England, is operated by the NSA in close cooperation with GCHQ.<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2014\/03\/12\/turbine-turmoil\/\" >Top-secret documents<\/a> show that the British base \u2013 referred to by the NSA as \u201cMHS\u201d for Menwith Hill Station \u2013 is an integral component of the TURBINE malware infrastructure and has been used to <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2014\/03\/12\/menwith-hill-station-leverages-xkeyscore-quantum-yahoo-hotmail\/\" >experiment<\/a> with implant \u201cexploitation\u201d attacks against users of Yahoo and Hotmail.<\/p>\n<p>In <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2014\/03\/12\/nsa-gchqs-quantumtheory-hacking-tactics\/\" >one document<\/a> dated 2010, at least five variants of the QUANTUM hacking method were listed as being \u201coperational\u201d at Menwith Hill. The same document also reveals that GCHQ helped integrate three of the QUANTUM malware capabilities \u2013 and test two others \u2013 as part of a surveillance system it operates codenamed INSENSER.<\/p>\n<p>GCHQ cooperated with the hacking attacks despite having reservations about their legality. 
One of the Snowden files, <a href=\"https:\/\/www.documentcloud.org\/documents\/894386-legal-issues-uk-regarding-sweden-and-quantum.html\"  target=\"_blank\">previously disclosed<\/a> by Swedish broadcaster SVT, revealed that as recently as April 2013, GCHQ was apparently reluctant to get involved in deploying the QUANTUM malware due to \u201clegal\/policy restrictions.\u201d A representative from a unit of the British surveillance agency, meeting with an obscure telecommunications standards committee in 2010, separately <a target=\"_blank\" href=\"https:\/\/www.documentcloud.org\/documents\/1077367-uk-perspective-on-mikey-ibake.html\" >voiced concerns<\/a> that performing \u201cactive\u201d hacking attacks for surveillance \u201cmay be illegal\u201d under British law.<\/p>\n<p>In response to questions from <i>The Intercept<\/i>, GCHQ refused to comment on its involvement in the covert hacking operations. Citing its boilerplate response to inquiries, the agency said in a statement that \u201call of GCHQ\u2019s work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorized, necessary and proportionate, and that there is rigorous oversight.\u201d<\/p>\n<p>Whatever the legalities of the United Kingdom and United States infiltrating computer networks, the Snowden files bring into sharp focus the broader implications. Under cover of secrecy and without public debate, there has been an unprecedented proliferation of aggressive surveillance techniques. One of the NSA\u2019s primary concerns, in fact, appears to be that its clandestine tactics are now being adopted by foreign rivals, too.<\/p>\n<p>\u201cHacking routers has been good business for us and our 5-eyes partners for some time,\u201d notes one NSA analyst in <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2014\/03\/12\/five-eyes-hacking-large-routers\/\" >a top-secret document<\/a> dated December 2012. 
\u201cBut it is becoming more apparent that other nation states are honing their skillz [sic] and joining the scene.\u201d<\/p>\n<p>******************<\/p>\n<p><i>Documents published with this article:<\/i><\/p>\n<ul>\n<li><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2014\/03\/12\/menwith-hill-station-leverages-xkeyscore-quantum-yahoo-hotmail\/\" >Menwith Hill Station Leverages XKeyscore for Quantum Against Yahoo and Hotmail<\/a><\/li>\n<li><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2014\/03\/12\/five-eyes-hacking-large-routers\/\" >Five Eyes Hacking Large Routers<\/a><\/li>\n<li><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2014\/03\/12\/nsa-technology-directorate-analysis-converged-data\/\" >NSA Technology Directorate Analysis of Converged Data<\/a><\/li>\n<li><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2014\/03\/12\/selector-types\/\" >Selector Types<\/a><\/li>\n<li><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2014\/03\/12\/one-way-quantum\/\" >There Is More Than One Way to Quantum<\/a><\/li>\n<li><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2014\/03\/12\/nsa-phishing-tactics-man-middle-attacks\/\" >NSA Phishing Tactics and Man in the Middle Attacks<\/a><\/li>\n<li><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2014\/03\/12\/quantum-insert-diagrams\/\" >Quantum Insert Diagrams<\/a><\/li>\n<li><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2014\/03\/12\/nsa-gchqs-quantumtheory-hacking-tactics\/\" >The NSA and GCHQ\u2019s QUANTUMTHEORY Hacking Tactics<\/a><\/li>\n<li><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2014\/03\/12\/turbine-turmoil\/\" >TURBINE and TURMOIL<\/a><\/li>\n<li><a target=\"_blank\" 
href=\"https:\/\/firstlook.org\/theintercept\/document\/2014\/03\/12\/vpn-voip-exploitation-hammerchant-hammerstein\/\" >VPN and VOIP Exploitation With HAMMERCHANT and HAMMERSTEIN<\/a><\/li>\n<li><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2014\/03\/12\/industrial-scale-exploitation\/\" >Industrial-Scale Exploitation<\/a><\/li>\n<li><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2014\/03\/12\/thousands-implants\/\" >Thousands of Implants<\/a><\/li>\n<\/ul>\n<p>________________________________<\/p>\n<p><i>Ryan Gallagher is a Scottish journalist whose work at <\/i><em>The Intercept<\/em><i> is focused on government surveillance, technology, and civil liberties. His journalism has appeared in publications including <\/i><em>Slate<\/em><i>, the <\/i><em>Guardian<\/em><i>, <\/i><em>Ars Technica<\/em><i>, <\/i><em>Huffington Post<\/em><i>, the <\/i><em>Sydney Morning Herald<\/em><i>, the <\/i><em>Financial Times<\/em><i>, the <\/i><em>Independent<\/em><i>, and the <\/i><em>New Statesman<\/em><i>. Since 2011, Ryan has broken a series of national and international stories about controversial surveillance technologies, shining a light on spy agencies and uncovering links between Western technology firms and governments in repressive countries. He took home an award for his reporting at the 2013 Information Security Journalism Awards and he has received acclaim for his writing on a diverse range of subjects, encompassing everything from the FBI\u2019s attempted infiltration of WikiLeaks to mass protests in Madrid and homelessness in England. Most recently, Ryan has been reporting from Rio de Janeiro on the cache of secret files leaked by former National Security Agency contractor Edward Snowden. <\/i><\/p>\n<p><i>Glenn Greenwald is a journalist, constitutional lawyer, commentator, and author of three New York Times best-selling books on politics and law. 
His fifth book, <\/i><em>No Place to Hide<\/em><i>, about the U.S. surveillance state and his experiences reporting on the Snowden documents around the world, will be released in April 2014. Prior to his collaboration with Pierre Omidyar, Glenn\u2019s column was featured at <\/i><em>Guardian US<\/em><i> and <\/i><em>Salon<\/em><i>. He was the debut winner, along with Amy Goodman, of the Park Center I.F. Stone Award for Independent Journalism in 2008, and also received the 2010 Online Journalism Award for his investigative work on the abusive detention conditions of Chelsea Manning. For his 2013 NSA reporting, he received the Gannett Foundation award for investigative journalism and the Gannett Foundation watchdog journalism award; the Esso Premio for Excellence in Investigative Reporting in Brazil (the first non-Brazilian to win), and the Electronic Frontier Foundation\u2019s Pioneer Award. Along with Laura Poitras, <\/i><em>Foreign Policy<\/em><i> magazine named him one of the top 100 Global Thinkers for 2013. 
He lives in Rio, Brazil.<\/i><i><\/i><\/p>\n<p><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/article\/2014\/03\/12\/nsa-plans-infect-millions-computers-malware\/\" >Go to Original \u2013 firstlook.org<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The classified files \u2013 provided previously by NSA whistleblower Edward Snowden \u2013 contain new details about groundbreaking surveillance technology the agency has developed to infect potentially millions of computers worldwide with malware \u201cimplants.\u201d The clandestine initiative enables the NSA to break into targeted computers and to siphon out data from foreign Internet and phone networks.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[],"class_list":["post-40956","post","type-post","status-publish","format-standard","hentry","category-whistleblowing-surveillance"],"_links":{"self":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/40956","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/comments?post=40956"}],"version-history":[{"count":0,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/40956\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media?parent=40956"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/categories?post=40956"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/tags?post=40956"}],"c
uries":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}