The news: Documents leaked by former National Security Agency (NSA) contractor Edward Snowden already brought attention to the NSA's elite Tailored Access Operations (TAO) division, which is comprised of hackers who have infiltrated tens of thousands of computer networks worldwide. But two new reports by German magazine Der Spiegel reveal the extent of what the unit is able to accomplish, and the tools it uses to do so. The findings read like something straight out of a Hollywood movie.
What the TAO does: Using sophisticated software like the NSA's XKeyScore to isolate packets of user data — including sites visited, networks, and Tor uses — TAO agents can remotely install malware on unsuspecting users' computers. One example is a system called QUANTUMINSERT, in which an NSA agent attempts to redirect a user from his intended website to a special FoxAcid server loaded with malware. One such payload, dubbed DireScallop, prevents commercial security software from wiping NSA tools during a reboot. Others collect more data or make a user's computer vulnerable to further secret attacks.
The NSA routinely spies on whatever data can provide a clearer picture of the security holes in a given system. That includes Microsoft error reports, which NSA agents made fun of in this leaked slide:
The TAO also carries out special missions to infiltrate target networks. Der Spiegel specifically mentions an NSA mission named WHITETAMALE, which gained access to Mexico's Secretariat of Public Security, as well as an operation that successfully infiltrated the Belgian telecommunications company Belgacom.
TAO agents are sometimes escorted to targets by FBI-owned jets, which enable them to be in and out in as little as 30 minutes.
But every NSA James Bond needs to build custom gear for difficult situations. In cases when these remote tools aren't enough, the TAO turns to another NSA division, Advanced or Access Network Technology (ANT).
ANT builds NSA surveillance devices disguised as innocuous hardware. The division builds "implants" designed to penetrate networking security, directly transmit intelligence, or even interfere with a system's operations to give the NSA an edge. Der Spiegel gained access to their 2008 catalog.
A modified monitor cable that lets "TAO personnel [see] what is displayed on the targeted monitor" costs just $30. Other equipment is pricier. An "active GSM base station," equipment that mimics a cell phone tower in order to steal data from mobile devices, costs $40,000. A 50-pack of radio-capable computer bugging devices disguised as USB drives goes for over $1,000,000.
ANT also builds special software, primarily malware designed to infect the BIOS of a targeted system. The BIOS is motherboard software that activates hardware components and controls how they interact. It operates below the operating system and is the first thing to run when a user powers on the system, making it the ideal point of access for the NSA to target a computer. Infected BIOSes can be extremely difficult to clear.
ANT hackers also developed ways to attack the firmware of American-produced hard drives, including models made by Western Digital, Seagate, Maxtor, and Samsung. They've also cracked networking equipment like routers and firewalls produced by Juniper Networks and Huawei.
Der Spiegel found no reason to suspect that anyone at those companies knows of the NSA's programs to exploit and create security holes in their products. And the NSA doesn't seem to care very much that its "intelligence solutions" could easily be co-opted by parties other than the U.S. government; cyber-criminals or foreign governments could potentially reproduce the NSA's results.
Even new computers aren't safe. According to Der Spiegel, the NSA routinely collaborates with the CIA and FBI to interdict shipments of computer and networking equipment to install bugs and modified hardware components before they reach their intended owners.
The big take-away: Using their own special workshops, TAO agents can ensure that computers are compromised before they're even unwrapped.