The Digital Arms Race: NSA Preps America for Future Battle
By Jacob Appelbaum, Aaron Gibson, Claudio Guarnieri, Andy Müller-Maguhn, Laura Poitras, Marcel Rosenbach, Leif Ryge, Hilmar Schmundt and Michael Sontheimer
The NSA's mass surveillance is just the beginning. Documents from Edward Snowden show that the intelligence agency is arming America for future digital wars -- a struggle for control of the Internet that is already well underway.
Normally, internship applicants need to have polished resumes, with volunteer work on social projects considered a plus. But at Politerain, the job posting calls for candidates with significantly different skill sets. We are, the ad says, "looking for interns who want to break things."
Politerain is not a project associated with a conventional company. It is run by a US government intelligence organization, the National Security Agency (NSA). More precisely, it's operated by the NSA's digital snipers with Tailored Access Operations (TAO), the department responsible for breaking into computers.
Potential interns are also told that research into third party computers might include plans to "remotely degrade or destroy opponent computers, routers, servers and network enabled devices by attacking the hardware." Using a program called Passionatepolka, for example, they may be asked to "remotely brick network cards." With programs like Berserkr they would implant "persistent backdoors" and "parasitic drivers". Using another piece of software called Barnfire, they would "erase the BIOS on a brand of servers that act as a backbone to many rival governments."
An intern's tasks might also include remotely destroying the functionality of hard drives. Ultimately, the goal of the internship program was "developing an attacker's mindset."
The internship listing is eight years old, but the attacker's mindset has since become a kind of doctrine for the NSA's data spies. And the intelligence service isn't just trying to achieve mass surveillance of Internet communication, either. The digital spies of the Five Eyes alliance -- comprised of the United States, Britain, Canada, Australia and New Zealand -- want more.
The Birth of D Weapons
According to top secret documents from the archive of NSA whistleblower Edward Snowden seen exclusively by SPIEGEL, they are planning for wars of the future in which the Internet will play a critical role, with the aim of being able to use the net to paralyze computer networks and, by doing so, potentially all the infrastructure they control, including power and water supplies, factories, airports or the flow of money.
During the 20th century, scientists developed so-called ABC weapons -- atomic, biological and chemical. It took decades before their deployment could be regulated and, at least partly, outlawed. New digital weapons have now been developed for the war on the Internet. But there are almost no international conventions or supervisory authorities for these D weapons, and the only law that applies is the survival of the fittest.
Canadian media theorist Marshall McLuhan foresaw these developments decades ago. In 1970, he wrote, "World War III is a guerrilla information war with no division between military and civilian participation." That's precisely the reality that spies are preparing for today.
The US Army, Navy, Marines and Air Force have already established their own cyber forces, but it is the NSA, also officially a military agency, that is taking the lead. It's no coincidence that the director of the NSA also serves as the head of the US Cyber Command. The country's leading data spy, Admiral Michael Rogers, is also its chief cyber warrior and his close to 40,000 employees are responsible for both digital spying and destructive network attacks.
Surveillance only 'Phase 0'
From a military perspective, surveillance of the Internet is merely "Phase 0" in the US digital war strategy. Internal NSA documents indicate that it is the prerequisite for everything that follows. They show that the aim of the surveillance is to detect vulnerabilities in enemy systems. Once "stealthy implants" have been placed to infiltrate enemy systems, thus allowing "permanent accesses," then Phase Three has been achieved -- a phase headed by the word "dominate" in the documents. This enables them to "control/destroy critical systems & networks at will through pre-positioned accesses (laid in Phase 0)." Critical infrastructure is considered by the agency to be anything that is important in keeping a society running: energy, communications and transportation. The internal documents state that the ultimate goal is "real time controlled escalation".
One NSA presentation proclaims that "the next major conflict will start in cyberspace." To that end, the US government is currently undertaking a massive effort to digitally arm itself for network warfare. For the 2013 secret intelligence budget, the NSA projected it would need around $1 billion in order to increase the strength of its computer network attack operations. The budget included an increase of some $32 million for "unconventional solutions" alone.
NSA Docs on Network Attacks and Exploitation
Excerpt from the secret NSA budget on computer network operations / Code word GENIE
Document about the expansion of the Remote Operations Center (ROC) on endpoint operations
Document explaining the role of the Remote Operations Center (ROC)
Interview with an employee of NSA's department for Tailored Access Operations about his field of work
Supply-chain interdiction / Stealthy techniques can crack some of SIGINT's hardest targets
Classification guide for computer network exploitation (CNE)
NSA training course material on computer network operations
Overview of methods for NSA integrated cyber operations
NSA project description to recognize and process data that comes from third party attacks on computers
Exploring and exploiting leaky mobile apps with BADASS
Overview of projects of the TAO/ATO department such as the remote destruction of network cards
iPhone target analysis and exploitation with Apple's unique device identifiers (UDID)
Report of an NSA Employee about a Backdoor in the OpenSSH Daemon
NSA document on QUANTUMSHOOTER, an implant to remote-control computers with good network connections from unknown third parties
In recent years, malware has emerged that experts have attributed to the NSA and its Five Eyes alliance based on a number of indicators. They include programs like Stuxnet, used to attack the Iranian nuclear program. Or Regin, a powerful spyware trojan that created a furor in Germany after it infected the USB stick of a high-ranking staffer to Chancellor Angela Merkel. Agents also used Regin in attacks against the European Commission, the EU's executive, and Belgian telecoms company Belgacom in 2011.
Given that spies can routinely break through just about any security software, virtually all Internet users are at risk of a data attack.
The new documents shed some new light on other revelations as well. Although an attack called Quantuminsert has been widely reported by SPIEGEL and others, documentation shows that in reality it has a low success rate and it has likely been replaced by more reliable attacks such as Quantumdirk, which injects malicious content into chat services provided by websites such as Facebook and Yahoo. And computers infected with Straitbizarre can be turned into disposable and non-attributable "shooter" nodes. These nodes can then receive messages from the NSA's Quantum network, which is used for "command and control for very large scale active exploitation and attack." The secret agents were also able to breach mobile phones by exploiting a vulnerability in the Safari browser in order to obtain sensitive data and remotely implant malicious code.
In this guerilla war over data, little differentiation is made between soldiers and civilians, the Snowden documents show. Any Internet user could suffer damage to his or her data or computer. It also has the potential to create perils in the offline world as well. If, for example, a D weapon like Barnfire were to destroy or "brick" the control center of a hospital as a result of a programming error, people who don't even own a mobile phone could be affected.
Intelligence agencies have adopted "plausible deniability" as their guiding principle for Internet operations. To ensure their ability to do so, they seek to make it impossible to trace the author of the attack.
It's a stunning approach with which the digital spies deliberately undermine the very foundations of the rule of law around the globe. This approach threatens to transform the Internet into a lawless zone in which superpowers and their secret services operate according to their own whims with very few ways to hold them accountable for their actions.
NSA Docs on Malware and Implants
CSEC document about the recognition of trojans and other "network based anomaly"
The formalized process through which analysts choose their data requirement and then get to know the tools that can do the job
QUANTUMTHEORY is a set of technologies allowing man-on-the-side interference attacks on TCP/IP connections (includes STRAIGHTBIZARRE and DAREDEVIL)
Sample code of a malware program from the Five Eyes alliance
Attribution is difficult and requires considerable forensic effort. But in the new documents there are at least a few pointers. Querty, for example, is a keylogger that was part of the Snowden archive. It's a piece of software designed to surreptitiously intercept all keyboard keys pressed by the victim and record them for later inspection. It is an ordinary, indeed rather dated, keylogger. Similar software can already be found in numerous applications, so it doesn't seem to pose any acute danger -- but the sourcecode contained in it does reveal some interesting details. They suggest that this keylogger might be part of the large arsenal of modules that that belong to the Warriorpride program, a kind of universal Esperanto software used by all the Five Eyes partner agencies that at times was even able to break into iPhones, among other capabilities. The documents published by SPIEGEL include sample code from the keylogger to foster further research and enable the creation of appropriate defenses.
'Just a Bunch of Hackers'
The men and women working for the Remote Operations Center (ROC), which uses the codename S321, at the agency's headquarters in Fort Meade, Maryland, work on one of the NSA's most crucial teams, the unit responsible for covert operations. S321 employees are located on the third floor of one of the main buildings on the NSA's campus. In one report from the Snowden archive, an NSA man reminisces about how, when they got started, the ROC people were "just a bunch of hackers." Initially, people worked "in a more ad hoc manner," the report states. Nowadays, however, procedures are "more systematic". Even before NSA management massively expanded the ROC group during the summer of 2005, the department's motto was, "Your data is our data, your equipment is our equipment."
NSA Docs on Exfiltration
Explanation of the APEX method of combining passive with active methods to exfiltrate data from networks attacked
Explanation of APEX shaping to put exfiltrating network traffic into patterns that allow plausible deniability
Presentation on the FASHIONCLEFT protocol that the NSA uses to exfiltrate data from trojans and implants to the NSA
Methods to exfiltrate data even from devices which are supposed to be offline
Document detailing SPINALTAP, an NSA project to combine data from active operations and passive signals intelligence
Technical description of the FASHIONCLEFT protocol the NSA uses to exfiltrate data from Trojans and implants to the NSA
The agents sit in front of their monitors, working in shifts around the clock. Just how close the NSA has already gotten to its aim of "global network dominance" is illustrated particularly well by the work of department S31177, codenamed Transgression.
The department's task is to trace foreign cyber attacks, observe and analyze them and, in the best case scenario, to siphon off the insights of competing intelligence agencies. This form of "Cyber Counter Intelligence" counts among the most delicate forms of modern spying.