NSA installed malware on 50,000 networks, new Snowden papers show

Pwned by the USA

The NSA has successfully compromised at least 50,000 'networks' using malware controlled by a 1,000-strong team of hackers, a presentation leaked from the Snowden cache has revealed.

It is another of the many statistics to emerge from the Snowden cache, which is single-handedly transforming the world's understanding not only of US cyber-operations but of what a well-resourced state can achieve if it wants to.

The presentation seen by Dutch news source NRC Handelsblad mentions that as of 2012 the NSA's Tailored Access Operations (TAO) department had compromised "50,000 computer networks" as part of a larger Computer Network Exploitation (CNE) operation active for up to 15 years.

We have to be careful about the nomenclature here: in the NSA's usage, 50,000 networks means 50,000 separate locations, so the actual number of PCs, servers and possibly routers under its control is almost certainly far greater than 50,000 individual computers.

As NRC Handelsblad notes, the TAO campaigns probably resemble the infamous attack on Belgian national telco Belgacom by Britain's NSA ally GCHQ, first publicised in September by German magazine Spiegel Online.

In that attack, the malware was installed by luring Belgacom employees to bogus LinkedIn and Slashdot pages using a system called Quantum Insert; in effect, they were phished using a tactic straight out of the criminal handbook.

Another way of viewing the TAO malware is as part of the 231 cyber-operations that the Washington Post, working from separate Snowden files, reported in August as having been carried out in 2011 alone, all under the well-financed 'GENIE' program. That report was also the first to reveal that the NSA had been using malware, but only now are details such as targeting and design starting to become clearer.

The problem is that the accounts of what the NSA has been up to and for how long are still fragmentary. It is known that 50,000 networks in 30 countries have been compromised, as have 20 access points for international cable trunks, but that barely scratches the surface.

With news emerging almost every week of a new NSA attack on fundamental parts of international digital infrastructure, almost all of them, as far as we can tell, highly successful, it is now safer to assume that the NSA can unlock what it wants more or less at will.


Stories by John E Dunn
