cauz March 13, 2014, 9:28 p.m.
The NSA began rapidly escalating its hacking efforts a decade ago. In 2004, according to secret internal records, the agency was managing a small network of only 100 to 150 implants. But over the next six to eight years, as an elite unit called Tailored Access Operations (TAO) recruited new hackers and developed new malware tools, the number of implants soared to tens of thousands.

To penetrate foreign computer networks and monitor communications that it did not have access to through other means, the NSA wanted to go beyond the limits of traditional signals intelligence, or SIGINT, the agency’s term for the interception of electronic communications. Instead, it sought to broaden “active” surveillance methods — tactics designed to directly infiltrate a target’s computers or network devices.

In the documents, the agency describes such techniques as “a more aggressive approach to SIGINT” and says that the TAO unit’s mission is to “aggressively scale” these operations.

But the NSA recognized that managing a massive network of implants is too big a job for humans alone.

“One of the greatest challenges for active SIGINT/attack is scale,” explains the top-secret presentation from 2009. “Human ‘drivers’ limit ability for large-scale exploitation (humans tend to operate within their own environment, not taking into account the bigger picture).”

The agency’s solution was TURBINE. Developed as part of the TAO unit, it is described in the leaked documents as an “intelligent command and control capability” that enables “industrial-scale exploitation.”



TURBINE was designed to make deploying malware much easier for the NSA’s hackers by reducing their role in overseeing its functions. The system would “relieve the user from needing to know/care about the details,” the NSA’s Technology Directorate notes in one secret document from 2009. “For example, a user should be able to ask for ‘all details about application X’ and not need to know how and where the application keeps files, registry entries, user application data, etc.”

In practice, this meant that TURBINE would automate crucial processes that previously had to be performed manually — including the configuration of the implants as well as surveillance collection, or “tasking,” of data from infected systems. But automating these processes was about much more than a simple technicality. The move represented a major tactical shift within the NSA that was expected to have a profound impact — allowing the agency to push forward into a new frontier of surveillance operations.

The ramifications are starkly illustrated in one undated top-secret NSA document, which describes how the agency planned for TURBINE to “increase the current capability to deploy and manage hundreds of Computer Network Exploitation (CNE) and Computer Network Attack (CNA) implants to potentially millions of implants.” (CNE mines intelligence from computers and networks; CNA seeks to disrupt, damage or destroy them.)

Eventually, the secret files indicate, the NSA’s plans for TURBINE came to fruition. The system has been operational in some capacity since at least July 2010, and its role has become increasingly central to NSA hacking operations.

Earlier reports based on the Snowden files indicate that the NSA has already deployed between 85,000 and 100,000 of its implants against computers and networks across the world, with plans to keep on scaling up those numbers.

The intelligence community’s top-secret “Black Budget” for 2013, obtained by Snowden, lists TURBINE as part of a broader NSA surveillance initiative named “Owning the Net.”

The agency sought $67.6 million in taxpayer funding for its Owning the Net program last year. Some of the money was earmarked for TURBINE, expanding the system to encompass “a wider variety” of networks and “enabling greater automation of computer network exploitation.”

Circumventing Encryption

The NSA has a diverse arsenal of malware tools, each highly sophisticated and customizable for different purposes.

One implant, codenamed UNITEDRAKE, can be used with a variety of “plug-ins” that enable the agency to gain total control of an infected computer.

An implant plug-in named CAPTIVATEDAUDIENCE, for example, is used to take over a targeted computer’s microphone and record conversations taking place near the device. Another, GUMFISH, can covertly take over a computer’s webcam and snap photographs. FOGGYBOTTOM records logs of Internet browsing histories and collects login details and passwords used to access websites and email accounts. GROK is used to log keystrokes. And SALVAGERABBIT exfiltrates data from removable flash drives that connect to an infected computer.

The implants can enable the NSA to circumvent privacy-enhancing encryption tools that are used to browse the Internet anonymously or scramble the contents of emails as they are being sent across networks. That’s because the NSA’s malware gives the agency unfettered access to a target’s computer before the user protects their communications with encryption.

It is unclear how many of the implants are being deployed on an annual basis or which variants of them are currently active in computer systems across the world.

Previous reports have alleged that the NSA worked with Israel to develop the Stuxnet malware, which was used to sabotage Iranian nuclear facilities. The agency also reportedly worked with Israel to deploy malware called Flame to infiltrate computers and spy on communications in countries across the Middle East.

According to the Snowden files, the technology has been used to seek out terror suspects as well as individuals regarded by the NSA as “extremist.” But the mandate of the NSA’s hackers is not limited to invading the systems of those who pose a threat to national security.

In one secret post on an internal message board, an operative from the NSA’s Signals Intelligence Directorate describes using malware attacks against systems administrators who work at foreign phone and Internet service providers. By hacking an administrator’s computer, the agency can gain covert access to communications that are processed by his company. “Sys admins are a means to an end,” the NSA operative writes.

The internal post — titled “I hunt sys admins” — makes clear that terrorists aren’t the only targets of such NSA attacks. Compromising a systems administrator, the operative notes, makes it easier to get to other targets of interest, including any “government official that happens to be using the network some admin takes care of.”

Similar tactics have been adopted by Government Communications Headquarters, the NSA’s British counterpart. As the German newspaper Der Spiegel reported in September, GCHQ hacked computers belonging to network engineers at Belgacom, the Belgian telecommunications provider.

The mission, codenamed “Operation Socialist,” was designed to enable GCHQ to monitor mobile phones connected to Belgacom’s network. The secret files deem the mission a “success,” and indicate that the agency had the ability to covertly access Belgacom’s systems since at least 2010.

Infiltrating cellphone networks, however, is not all that the malware can be used to accomplish. The NSA has specifically tailored some of its implants to infect large-scale network routers used by Internet service providers in foreign countries. By compromising routers — the devices that connect computer networks and transport data packets across the Internet — the agency can gain covert access to monitor Internet traffic, record the browsing sessions of users, and intercept communications.

Two implants the NSA injects into network routers, HAMMERCHANT and HAMMERSTEIN, help the agency to intercept and perform “exploitation attacks” against data that is sent through a Virtual Private Network, a tool that uses encrypted “tunnels” to enhance the security and privacy of an Internet session.


The implants also track phone calls sent across the network via Skype and other Voice Over IP software, revealing the username of the person making the call. If the audio of the VOIP conversation is sent over the Internet using unencrypted “Real-time Transport Protocol” packets, the implants can covertly record the audio data and then return it to the NSA for analysis.


But not all of the NSA’s implants are used to gather intelligence, the secret files show. Sometimes, the agency’s aim is disruption rather than surveillance. QUANTUMSKY, a piece of NSA malware developed in 2004, is used to block targets from accessing certain websites. QUANTUMCOPPER, first tested in 2008, corrupts a target’s file downloads. These two “attack” techniques are revealed on a classified list that features nine NSA hacking tools, six of which are used for intelligence gathering. Just one is used for “defensive” purposes — to protect U.S. government networks against intrusions.



“Mass exploitation potential”

Before it can extract data from an implant or use it to attack a system, the NSA must first install the malware on a targeted computer or network.

According to one top-secret document from 2012, the agency can deploy malware by sending out spam emails that trick targets into clicking a malicious link. Once activated, a “back-door implant” infects their computers within eight seconds.

There’s only one problem with this tactic, codenamed WILLOWVIXEN: According to the documents, the spam method has become less successful in recent years, as Internet users have become wary of unsolicited emails and less likely to click on anything that looks suspicious.

Consequently, the NSA has turned to new and more advanced hacking techniques. These include performing so-called “man-in-the-middle” and “man-on-the-side” attacks, which covertly force a user’s internet browser to route to NSA computer servers that try to infect them with an implant.