NSA's plans reportedly involve infecting millions of computers with surveillance malware

Leaked documents show the agency was planning to expand its infrastructure for active attacks since at least 2009

The U.S. National Security Agency has reportedly been working for the past several years on expanding its ability to infect computers with surveillance malware and creating a command-and-control infrastructure capable of managing millions of compromised systems at a time.

According to media reports last year based on secret documents leaked by former NSA contractor Edward Snowden, the NSA had deployed over 50,000 Computer Network Exploitation (CNE) "implants" -- surveillance malware installed on computers and networking devices -- around the world and their number was expected to reach 85,000 by the end of 2013.

However, the agency has also been working on building a better command-and-control infrastructure codenamed TURBINE that, according to a 2009 top-secret NSA presentation leaked by Snowden, would "allow the current implant network to scale to large size (millions of implants) by creating a system that does automated control [of] implants by groups instead of individually," news website The Intercept reported Wednesday.

The leaked document reveals that TURBINE was supposed to include an "Expert System" capable of managing malware implants with limited or no human input. The NSA described the system as "a brain" that would automatically decide which tools should be provided to a given implant and how the implant should be used based on preset rules.

This system is needed because "one of the greatest challenges for Active SIGINT/attack is scale," the presentation says. "Human 'drivers' limit ability for large-scale exploitation (humans tend to operate within their own environment, not taking into account the bigger picture)."

The implants, which are described in other NSA documents leaked by Snowden, are tailored for specific surveillance tasks or act as malware frameworks that have a modular architecture and support a variety of additional plug-ins to enable different surveillance capabilities.

For example, a plug-in codenamed GROK can log keystrokes. Another, called SALVAGERABBIT, can copy data from removable storage devices connected to a computer. Other plug-ins include CAPTIVATEDAUDIENCE, which can use the computer's microphone to record nearby conversations, and GUMFISH, which can take over the computer's webcam, The Intercept reported.

This design is similar to that observed by security researchers in sophisticated threats like Stuxnet, Flame, The Mask, Red October and others that have been discovered and analyzed in recent years and which are suspected of having been created or sponsored by nation states.

The NSA distributes its implants by using man-in-the-middle and man-on-the-side techniques that force targeted users' computers to visit attack servers under NSA control when they try to access popular, legitimate websites. The agency then exploits vulnerabilities in browsers and other software like Java and Flash Player to deploy the malware, The Intercept reported.

"If we can get the target to visit us in some sort of web browser, we can probably own them," an NSA hacker wrote in one of the leaked documents, according to The Intercept. "The only limitation is the 'how'."

In a 2012 presentation slide published by the news site, the NSA describes an exploitation technique codenamed SECONDDATE that "takes advantage of web-based protocols and man-in-the-middle positioning," that can "quietly redirect" Web browsers to attack servers and "allows mass exploitation potential for clients passing through network choke points."
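The man-on-the-side redirection described in the two passages above has a detectable footprint: the injector races a forged reply ahead of the real server's response but cannot stop the genuine one from arriving, so the client receives two TCP segments for the same flow and sequence number carrying different payloads, often with a different IP TTL because they took different paths. The following is an added detection example written for this article, not code from The Intercept, the NSA documents, or any named tool; the `Segment` record, the packet values and the sample capture are constructed for the demonstration, and in practice the records would be produced from a pcap by a parser such as scapy or dpkt.

```python
"""Flag man-on-the-side injection in a stream of TCP segments.

Added example, not from the article or any leaked document. Two data segments
in the same flow that start at the same TCP sequence number but carry
different bytes cannot both be legitimate: a real retransmission repeats the
same bytes. The packet records below are constructed for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str        # server-side address as seen by the client
    sport: int
    dst: str
    dport: int
    seq: int        # TCP sequence number of the first payload byte
    ttl: int        # IP TTL observed on arrival
    payload: bytes


def flow_key(s: Segment):
    return (s.src, s.sport, s.dst, s.dport)


def find_injected(segments):
    """Return (flow, seq, first, second) tuples for every pair of segments in
    one flow that share a sequence number but disagree on payload bytes.
    `first` is the segment that arrived first, i.e. the one that won the
    race and that a client would have acted on."""
    seen = defaultdict(dict)   # flow -> seq -> first data Segment seen
    alerts = []
    for seg in segments:
        if not seg.payload:
            continue           # pure ACKs carry no data to conflict with
        key = flow_key(seg)
        prior = seen[key].get(seg.seq)
        if prior is None:
            seen[key][seg.seq] = seg
            continue
        # Compare the overlapping prefix: a benign retransmission matches,
        # an injected reply does not.
        n = min(len(prior.payload), len(seg.payload))
        if prior.payload[:n] != seg.payload[:n]:
            alerts.append((key, seg.seq, prior, seg))
    return alerts


def describe(alert):
    key, seq, first, second = alert
    ttl_note = "" if first.ttl == second.ttl else f", TTL {first.ttl} vs {second.ttl}"
    return (f"{key[0]}:{key[1]} -> {key[2]}:{key[3]} seq {seq}: "
            f"conflicting payloads{ttl_note}; winner starts {first.payload[:20]!r}")


# Constructed capture: a client fetches a page over plain HTTP. An injected
# 302 to an attack server arrives first (sent from a closer vantage point,
# hence more TTL left), then the real 200 from the origin. A second flow
# shows a benign retransmission, which must not alert.
SAMPLE = [
    Segment("203.0.113.10", 80, "192.0.2.5", 51000, 1000, 52,
            b"HTTP/1.1 302 Found\r\nLocation: http://198.51.100.7/\r\n\r\n"),
    Segment("203.0.113.10", 80, "192.0.2.5", 51000, 1000, 44,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    Segment("203.0.113.20", 80, "192.0.2.5", 51001, 5000, 44, b"HTTP/1.1 200 OK\r\n"),
    Segment("203.0.113.20", 80, "192.0.2.5", 51001, 5000, 44, b"HTTP/1.1 200 OK\r\n"),
]

if __name__ == "__main__":
    for alert in find_injected(SAMPLE):
        print(describe(alert))
```

The check only catches the simplest case, a forged segment that starts at exactly the same sequence number as the real one; a production sensor would track byte ranges so that partially overlapping segments are compared too, and would record the IP ID and TCP window as additional discriminators. It also only applies to plaintext protocols: the injector can forge a redirect for an HTTP page but cannot produce a valid TLS response for an HTTPS origin without its key, which is one concrete reason the choke-point technique the slide describes depends on targets visiting unencrypted sites.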

Other documents reportedly indicate that the NSA has shared many of its implants with surveillance agencies in the U.K., Canada, New Zealand and Australia, which together with the NSA form the so-called Five Eyes partnership.

Past media reports claimed the U.K.'s Government Communications Headquarters used implant technology designed by the NSA to target network engineers from Belgian telecommunications company Belgacom and global roaming exchange providers, and possibly even prominent cryptographers.

While the NSA uses "selectors" like email addresses, tracking cookies, browser tags, IP addresses, wireless MACs and many other identifiers to choose its targets, the documents published by The Intercept seem to indicate that the agency has been working on expanding the scope of its attacks and supporting infrastructure for years.

"Our original assumption was that NSA targeted a small number of real national security threats," said Matthew Green, a cryptographer and assistant research professor at the Johns Hopkins University Information Security Institute in Baltimore, via email. "What we're learning now is that for every individual like that, they're also targeting many other people, including telecom operators, system administrators, maybe even academic cryptographers."

"What this means is that many relatively 'innocent' people are on the receiving end of these attacks," he said. "It also means that NSA is being a lot less discriminating about who they target. They're willing to infect every employee at a company who visits Slashdot, for example, on the assumption that one will be an important system administrator."

Green doesn't believe that the NSA will ever do wholesale malware distribution and infection, because the agency has a limited supply of zero-day exploits -- exploits for unpatched vulnerabilities -- and using them on a truly mass scale would increase the chances of those exploits being discovered and becoming useless.

However, "I think the more of these things you put in the wild, the greater the chance that one falls into the hands of someone who can use it to do something criminal," Green said. "The NSA has obviously decided their strategy is worth the risk. I don't know if I agree with them, and more to the point, I don't know if their overseers really understand the risk."

"Such a large scale attack infrastructure is very offensive (in both ways)," said Carsten Eiram, the chief research officer at security intelligence and risk management firm Risk Based Security. "Even with so-called 'data selectors' they could easily end up compromising random victims. Also, while they may now say that they are only aiming to target specific people considered threats, the potential for a snowball effect is worrying. How long will it take before they start broadening the scope?"

"Such an attack infrastructure combined with these 'network choke points' to redirect traffic has the potential to compromise 'everyone'," Eiram said. "It would clearly have detrimental impact on the state of Internet security, and it sounds like a huge concern for Americans and foreigners alike."
