NSA documents describe botnet-style automated mass malware infection

The Intercept has published a new NSA story, detailing how the intelligence agency and its partners planned – perhaps successfully – to implant malware into millions of computers and routers. This would enable spying on users in a way that would bypass the encryption in the web services they use, because it gives direct access to their computers rather than just scooping up web traffic as it passes through the internet.

The piece mostly glues together things we’ve already learned from Edward Snowden’s revelations. We were familiar with the NSA’s Tailored Access Operations (TAO) division, which is supposed to only do targeted surveillance on terrorists, and we knew the NSA had put implants of some kind into nearly 100,000 computers. We also knew the U.K.’s GCHQ agency had developed a way of impersonating services like LinkedIn to sucker telecoms workers, giving the agency a way to monitor what happens on major networks.

However, the scary thing about the latest revelations is how automated this activity became, and maybe still is. Essentially, the NSA seems to have built a botnet, which is the kind of activity you’d more normally associate with criminal gangs.

Scaling up

The article describes a system called TURBINE that, according to documents leaked by Snowden, can “allow the current implant network to scale to large size (millions of implants) by creating a system that does automated control implants by groups instead of individually.” That’s a far cry from the 100-150 implants the NSA apparently had a decade back.

This is worrisome partly because of the scale of the operation – it’s not exactly targeted surveillance – and partly because of the risks it would create. As F-Secure chief research officer Mikko Hypponen said in the article, such a widespread malware deployment would “potentially create new vulnerabilities in these systems, making them more vulnerable for attacks by third parties.”

As in the case of the NSA’s attempts to subvert the security of the internet by messing around with the standards-setting process, this could well be a case of the agency making innocent people less secure. This quote from the documents is certainly enough to make me nervous:

Expert System (resource and operations manager) is like the brain [;] it manages the applications and functions of implants.
– Decides which tools should be provided to a given implant and executes the rules on how it should be used.
– Decisions of the expert system are passed to the command and control modules, which execute the decision against the appropriate set of implants.

That’s a pretty good description of how a botnet is run, as is this pitch: “It will increase the current capability to deploy and manage hundreds of Computer Network Exploitation (CNE) and Computer Network Attack (CNA) implants to potentially millions of implants.”

As a side note, one of the documents describes a program called QUANTUMBOT that hijacks actual criminals’ botnets, which must be jolly convenient.

“The new hotness”

The piece also includes other gems, such as a reference to a post entitled “I hunt sys admins”. This seems to fall into the context of attacks such as the Belgacom hack, where GCHQ duped those telecoms workers with bogus LinkedIn pages that infected their computers. With this technique, the fake page arrives at the user’s computer faster than the real thing, thanks to the agencies’ placing of sensors at various points on the internet backbone. According to the article, spoofed Facebook pages also serve as a vector for this kind of attack.
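The race described above, in which the spoofed page has to beat the real server’s response to the user’s machine, leaves a trace a network monitor can look for: two TCP segments in the same flow carrying the same sequence number but different content, since the genuine response still arrives after the injected one. The following is an added illustration, not code from the article or from the documents it cites; the packet capture is constructed and the Segment type is an assumed minimal representation of what a monitor would see.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """Minimal TCP segment as seen by a passive monitor (assumed type)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes


def _consistent(a: bytes, b: bytes) -> bool:
    """True if two payloads agree on the bytes they both cover (a normal retransmit)."""
    n = min(len(a), len(b))
    return a[:n] == b[:n]


def find_injection_races(segments):
    """Flag same-flow segments that reuse a sequence number with conflicting data.

    A legitimate retransmission repeats the same bytes; an injected response that
    raced the real one reuses the sequence number but carries other content.
    Returns a list of (flow, seq, first_payload, conflicting_payload) tuples.
    """
    variants = {}  # (flow, seq) -> distinct payloads already seen at that offset
    alerts = []
    for s in segments:
        flow = (s.src, s.sport, s.dst, s.dport)
        seen = variants.setdefault((flow, s.seq), [])
        if any(_consistent(p, s.payload) for p in seen):
            continue  # exact or partial repeat of known data: benign retransmission
        if seen:
            alerts.append((flow, s.seq, seen[0], s.payload))
        seen.append(s.payload)
    return alerts


# Constructed capture: the client requests a page, a spoofed redirect arrives
# first, then the genuine response with the same sequence number, then a
# benign retransmission of the genuine response.
SERVER, CLIENT = ("203.0.113.10", 80), ("198.51.100.7", 51234)
SPOOFED = b"HTTP/1.1 302 Found\r\nLocation: http://lookalike.example/\r\n\r\n"
GENUINE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>real</html>"
SAMPLE_CAPTURE = [
    Segment(*CLIENT, *SERVER, 500, b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    Segment(*SERVER, *CLIENT, 1000, SPOOFED),
    Segment(*SERVER, *CLIENT, 1000, GENUINE),
    Segment(*SERVER, *CLIENT, 1000, GENUINE),
]
```

Running `find_injection_races(SAMPLE_CAPTURE)` reports one conflict at sequence number 1000 and stays silent on the plain retransmission.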

One document points out that this sort of “Quantum” attack — run from friendly facilities such as those at Menwith Hill in the U.K. and Misawa in Japan — was becoming more valuable as people became more wary of old-fashioned spam emails with dodgy links. It refers to Quantum as “the new hotness.”

The documents also describe router implants that let the spooks spy on traffic sent through Virtual Private Networks, or VPNs. There are implants for tapping into webcams (GUMFISH); microphones (CAPTIVATEDAUDIENCE); VoIP traffic (HAMMERCHANT, which should be a Gregorian metal band); keystrokes (GROK, which I feel lacks flair); browser histories (FOGGYBOTTOM, no comment); and removable media (SALVAGERABBIT).

Cat fans may be disturbed to hear the NSA also has an analytic technique called DRAGGABLEKITTEN.

According to The Intercept, TURBINE has been up and running “in some capacity” since the middle of 2010. Is it still going? The NSA told the publication in a statement that, as President Obama promised a few months ago, “signals intelligence shall be collected exclusively where there is a foreign intelligence or counterintelligence purpose to support national and departmental missions, and not for any other purposes.”

Personally, I would seize on the word “shall” there, much as people highlighted the way the White House refused to use the past tense when commenting on the bugging of German Chancellor Merkel’s telephone — saying what you are doing and will do is not the same as saying what you have done.

Either way, the documents describe a “more aggressive approach” to signals intelligence that seems to blur the lines between mass and targeted surveillance, and – tactically speaking at least – between our intelligence agencies and the common “cybercriminal.”