• United States



Senior Staff Writer

Three letters to define an Advanced Persistent Threat: NSA

Mar 13, 20143 mins

The latest documents leaked by Edward Snowden have hit the wire. The bombshell is that the NSA has developed programs that enabled "industrial-scale exploitation" of computer networks.

The latest documents leaked by Edward Snowden have hit the wire, and as expected, it’s worse than previously thought on some levels. Moreover, NSA analysts seem to take great pleasure in mirroring the actions of the very criminals that security professionals fight on a regular basis.

The bombshell is that the NSA has developed programs that enabled “industrial-scale exploitation” of computer networks. The automated process, part of an initiative called “Owning the Net” allows the TAO to manage massive amounts of malware installs automatically.

The types of malware managed, or implants as they’re called, range from general keylogging software, to malware that monitors a computer’s camera or microphone, or malware designed to monitor network traffic and capture credentials.

Worse, the malware itself is designed to bypass protections such as encryption, and the TAO operators have a high-degree of confidence that they’ll get their mark when he/she is selected.

“If we can get the target to visit us in some sort of web browser, we can probably own them. The only limitation is the ‘how’,” one NSA analyst bragged in a document tagged as secret.

So does all of that sound like the NSA is running their own government sanctioned botnet? It should, because that’s exactly what they do

On top of automated malware control, the NSA also reported co-opting 140,000 bots. So in addition to the endpoints they compromised themselves, the NSA will take the endpoints compromised by criminals too.

A project called QUANTUMBOT takes control of idle IRC bots, and finds computers that belong to botnets in order to hijack them as well. According to the leaked documents, the project started in 2007, it’s ongoing, and has been highly successful. [I wonder what the government salary is for a botmaster anyway?]

As always, the NSA maintains that these programs are used to monitor terrorists and extremists. However, according to one NSA presentation leaked by Snowden, that isn’t entirely true:

The internal post – titled “I hunt sys admins” – makes clear that terrorists aren’t the only targets of such NSA attacks. Compromising a systems administrator, the operative notes, makes it easier to get to other targets of interest, including any “government official that happens to be using the network some admin takes care of.”

The irony here being that Edward Snowden was a Systems Admin for the NSA when he obtained the documents he later leaked.


The full story is worth reading, as are the slides.