The U.S. National Security Agency has reportedly been working for the past several years on expanding its ability to infect computers with surveillance malware and creating a command-and-control infrastructure capable of managing millions of compromised systems at a time.
According to media reports last year based on secret documents leaked by former NSA contractor Edward Snowden, the NSA had deployed over 50,000 Computer Network Exploitation (CNE) “implants”—surveillance malware installed on computers and networking devices—around the world and their number was expected to reach 85,000 by the end of 2013.
However, the agency has also been working on building a better command-and-control infrastructure codenamed TURBINE that, according to a 2009 top-secret NSA presentation leaked by Snowden, would “allow the current implant network to scale to large size (millions of implants) by creating a system that does automated control [of] implants by groups instead of individually,” news website The Intercept reported Wednesday.
TURBINE: a brain for malware
The leaked document reveals that TURBINE was supposed to include an “Expert System” capable of managing malware implants with limited or no human input. The NSA described the system as “a brain” that would automatically decide which tools should be provided to a given implant and how the implant should be used based on preset rules.
This system is needed because “one of the greatest challenges for Active SIGINT/attack is scale,” the presentation says. “Human ‘drivers’ limit ability for large-scale exploitation (humans tend to operate within their own environment, not taking into account the bigger picture).”
The implants, which are described in other NSA documents leaked by Snowden, are tailored for specific surveillance tasks or act as malware frameworks that have a modular architecture and support a variety of additional plug-ins to enable different surveillance capabilities.
For example, a plug-in codenamed GROK can log keystrokes. Another, called SALVAGERABBIT, can copy data from removable storage devices connected to a computer. Other plug-ins include CAPTIVATEDAUDIENCE, which can use the computer’s microphone to record nearby conversations, and GUMFISH, which can take over the computer’s webcam, The Intercept reported.
This design is similar to that observed by security researchers in sophisticated threats like Stuxnet, Flame, The Mask, Red October and others that have been discovered and analyzed in recent years and which are suspected of having been created or sponsored by nation states.
Leading users to attack servers
The NSA distributes its implants by using man-in-the-middle and man-on-the-side techniques that route targeted users trying to access legitimate websites to attack servers under NSA control. The agency then exploits vulnerabilities in browsers and other software like Java and Flash Player to deploy the malware, The Intercept reported.
“If we can get the target to visit us in some sort of web browser, we can probably own them,” an NSA hacker wrote in one of the leaked documents, according to The Intercept. “The only limitation is the ‘how’.”
In a 2012 presentation slide published by the news site, the NSA describes an exploitation technique codenamed SECONDDATE that “takes advantage of web-based protocols and man-in-the-middle positioning,” can “quietly redirect” Web browsers to attack servers and “allows mass exploitation potential for clients passing through network choke points.”
Other documents reportedly indicate that the NSA has shared many of its implants with surveillance agencies in the U.K., Canada, New Zealand and Australia, which together with the NSA form the so-called Five Eyes partnership.
Past media reports claimed the U.K.’s Government Communications Headquarters used implant technology designed by the NSA to target network engineers from Belgian telecommunications company Belgacom and global roaming exchange providers, and possibly even prominent cryptographers.
We’re all fair game
While the NSA uses “selectors” like email addresses, tracking cookies, browser tags, IP addresses, wireless MACs and many other identifiers to choose its targets, the documents published by The Intercept seem to indicate that the agency has been working on expanding the scope of its attacks and supporting infrastructure for years.
“Our original assumption was that NSA targeted a small number of real national security threats,” said Matthew Green, a cryptographer and assistant research professor at the Johns Hopkins University Information Security Institute in Baltimore, via email. “What we’re learning now is that for every individual like that, they’re also targeting many other people, including telecom operators, system administrators, maybe even academic cryptographers.”
“What this means is that many relatively ‘innocent’ people are on the receiving end of these attacks,” he said. “It also means that NSA is being a lot less discriminating about who they target. They’re willing to infect every employee at a company who visits Slashdot, for example, on the assumption that one will be an important system administrator.”
Green doesn’t believe that the NSA will ever do wholesale malware distribution and infection, because the agency has a limited supply of zero-day exploits—exploits for unpatched vulnerabilities—and using them on a truly mass scale would increase the chances of those exploits being discovered and becoming useless.
However, “I think the more of these things you put in the wild, the greater the chance that one falls into the hands of someone who can use it to do something criminal,” Green said. “The NSA has obviously decided their strategy is worth the risk. I don’t know if I agree with them, and more to the point, I don’t know if their overseers really understand the risk.”
“Such a large scale attack infrastructure is very offensive (in both ways),” said Eiram Carsten, the chief research officer at security intelligence and risk management firm Risk Based Security. “Even with so-called ‘data selectors’ they could easily end up compromising random victims. Also, while they may now say that they are only aiming to target specific people considered threats, the potential for a snowball effect is worrying. How long will it take before they start broadening the scope?”
“Such an attack infrastructure combined with these ‘network choke points’ to redirect traffic has the potential to compromise ‘everyone’,” Carsten said. “It would clearly have detrimental impact on the state of Internet security, and it sounds like a huge concern for Americans and foreigners alike.”
Updated at 4:51 PM to remove some accidentally duplicated text.