How the NSA Did It

Home » Collections » How the NSA Did It
How the NSA Did It

Image Courtesy of: Google

The more we learn about the NSA’s secret surveillance program, the wider and wider the scope becomes. Since Snowden leaked files containing data on the NSA’s surveillance program, we have learned that the NSA’s operations are on a scale that nobody thought was even possible. To get data on such a large scale, the NSA used “implants”, or malware they infected networks with to get access to data behind the network’s firewall. In some cases, the NSA used man in the middle attacks to disguise themselves as Facebook and infect the user’s computer when they visit Facebook.

In the past, implants were reserved for targets that were hard to reach or could not be tapped using traditional wiretapping methods. One of the largest problems preventing them from widening their scale was that a large network of implanted malware is very difficult to manage with people. In 2009, a presentation was made that detailed a method to get around this problem. “One of the greatest challenges for an active attack is scale,” explains the top-secret presentation. “Human ‘drivers’ limit ability for large-scale exploitation (humans tend to operate within their own environment, not taking into account the bigger picture).” The NSA had designed a program named TURBINE, which is described as an “intelligent command and control capability” that enables “industrial-scale exploitation.” This software was designed to “relieve the user from needing to know/care about the details. For example, a user should be able to ask for ‘all details about application X’ and not need to know how and where the application keeps files, registry entries, user application data, etc.” This meant that a lot of the minutia of hacking a system was cut out and automated, giving the agents more time to attack another system. This system was eventually implemented and has been in operation since around July 2010, allowing the NSA to infect around 85,000 to 100,000 computer networks around the world. The NSA still seeks to widen their range, however, and asked for $67.6 million in tax money last year for this program. Some of that money was used on TURBINE to help it access “a wider variety” of networks and “enable greater automation of computer network exploitation.”

The implanted malware that the NSA uses also has a variety of functions. One implant, named UNITEDRAKE, uses a variety of plugins to help take control of the infected computer. One plugin, named CAPTIVATEDAUDIENCE, enables the NSA to record audio from the computer’s microphone. GUMFISH allows the same control over the computer’s webcam. To record internet browser history, as well as usernames and passwords the NSA used a plugin called FOGGYBOTTOM. GROK records every keystroke and SALVAGERABBIT grabs data from flash drives connected to the infected computer. Other plugins allow the NSA to disable encryption tools that are used to browse the internet anonymously. Using this plugin framework, the NSA has been able to develop an incredibly sophisticated and dangerous piece of software that has the potential to spy on just about any computer.

Edward Snowden leaked a very large amount of top secret documents, and as people go through it, we find more and more ways the NSA violated everybody’s privacy and weakened the security of the internet as a whole. The NSA has become a group of common hackers, plain and simple. The tactics they use are incredibly sophisticated but are still based on the same principles (man in the middle attacks, phishing attacks, backdoors) that criminal hackers use every day. What makes the NSA dangerous is that they are government funded, and have access to as much talent and money as they need.

Joe Iacoviello

Voice your opinions