As the cataract of code words and compromises continues to course from Edward Snowden’s cache of classified information, it’s easy to lose track of what, exactly, the US National Security Agency and its allies can and can’t do. So let’s clarify that — especially given that last week’s revelations make it clear that the NSA’s capabilities go way, way beyond what was previously thought.
It’s obvious that the NSA could do more than, say, the organised cybercriminal gangs of eastern Europe. The agency has more and arguably smarter people — it hires the “best and brightest” — and those people have been working on the problems for far longer.
Over the years, criminals have built software systems that automate many of the processes of hacking. Tools to “weaponise” otherwise innocuous programs or documents so they’ll infect the computers on which they’re opened. Tools that automatically check that these new pieces of malware (malicious software) will successfully evade commercial anti-virus software. Tools that automatically look at a computer’s configuration, figure out a way to hack into it, and install a remote access tool (RAT), which in turn means that the hacker can control anything and everything happening on that computer. And tools that can link thousand or even millions of these “zombies” into a botnet (a network of robots) and use them in complex transnational criminal operations.
In 2011, one of the major information security vendors taught technology journalists how to use these tools to create a cybercrime network. It took just 90 minutes. It’d then take a day or two to customise that process to the needs of your own criminal operation. The only particularly difficult part isn’t even technical: it’s figuring out how to launder all the money you’d make without getting caught.
So yes, the NSA has all of this. Once the agency has control of a target’s computer, it would presumably be less interested in watching for any credit card numbers that might be typed, or placing phoney orders for iPhones through online retailers, and more interested in looking at email and other documents for signs of evil or turning on the microphone to listen in to nearby conversations, but the principles are basically the same.
But the NSA has much more, as revealed in last week’s story at First Look …
The NSA’s RATs, which it calls “implants”, appear to be highly modular, and much smarter than the ones used by criminals. The software that controls these implants is also more sophisticated. Where criminals can, for example, select all the computers under their control from a particular country and use them to place fraudulent orders on e-commerce sites in that same country, the NSA’s system (code named TURBINE) can select computers through a wide range of options, including the user IDs for various online services — which means the system can identify every computer, tablet and smartphone a particular individual has used.
More interesting, I think, is that the NSA and its Five Eyes allies (UK, Australia, Canada, New Zealand) appear to have a comprehensive program of hacking into internet routers — not the little ones we have at home, but the high-speed routers that sit at the junctions between the major internet service providers.
“Hacking routers has been good business for us and our 5-eyes partners for some time now, but it is becoming more apparent that other nation states are honing their skillz,” reads one classified message.
The author goes on to explain that controlling a router means that you can add your own login credentials, so you can come in again later without having to hack it; add or change routing rules so you can divert specific traffic to some convenient monitoring point; monitor any and all traffic on the network the router is connected to; and weaken the encryption used on any virtual private network (VPN) terminating on the router, making it easier to crack later.
Finally, these systems seem to be cross-connected with software that can rapidly identify a specific target and send it specific packets of data — which in turn means they can attempt to hijack specific internet traffic on the fly. The process is a bit like listening in a crowded restaurant for a waiter saying “Who ordered the steak?” and quickly shouting “That’s my steak!” before the legitimate customer notices. You get the steak and add poison before passing it on.
Putting all these pieces together gives the NSA some powerful capabilities.
As an example, the agency could pull all of the email addresses from a target’s computer, then watch the entire internet (or at least the sections it controls) for anyone browsing the web who’s using those email accounts, then use the shout-faster trick to intercept their web traffic and install an implant. All automatically.
Or NSA agents could search every computer in a target country for the government communications manual and edit it so that anyone trying to use the phoney procedure is either easier to intercept, or thwarted or confused. The possibilities are literally endless.
Whether the NSA is actually doing all this today is unclear, at least from the partial presentations posted at First Look and elsewhere thus far.
The overall system is designed to “allow the current implant network to scale to large size (millions of implants)”, but the presentation could be about a work in progress rather than a finished, operational service. Even if it is operational, it’s likely that only some routers are under the NSA’s control some of the time. Even if the NSA’s intention is to install an implant on every computer in a certain social network, not all would be successful. “Millions” may well be an aspirational target.
The NSA didn’t answer First Look‘s specific questions, “As the president made clear on 17 January,” the agency reportedly said in a statement, “signals intelligence shall be collected exclusively where there is a foreign intelligence or counterintelligence purpose to support national and departmental missions, and not for any other purposes.”
Nevertheless, the stated aim of the overall NSA program of which these technologies are a part is “Owning the Net”. It’s clear that the NSA has developed a systems architecture to do just that. The only doubts are about how much of it has been built, how much of it works as advertised, and how often it’s used.