The United States National Security Agency appears to be engaged in a massive malware disseminating campaign to infect computer systems and networks around the world, according to leaked top secret documents.
A PowerPoint presentation provided to The Intercept by Snowden purports to show how the NSA plans to spread malware on systems automatically, using the TURBINE system and fake Facebook servers, so as to infect millions of computers.
NSA's efforts started ten years ago through its Tailored Acces Operations (TAO) unit, whose mission is to "aggressively scale" electronic infiltration methods for "industrial-scale exploitation".
The spy agency utilises a large arsenal of imaginatively named malware to remotely control computers and to capture data from them, as well as to interrupt their operation:
- UNITEDRAKE is modular malware that can take complete control of infected computers.
- CAPTIVATEDAUDIENCE hijacks computer microphones and records conversations.
- FOGGYBOTTOM snatches web browser history files, and login details for sites and email accounts.
- GUMFISH controls webcams and takes photographs.
- SALVAGERABBIT can capture data from external drives and send it to the NSA.
- GROK is a keylogger.
- QUANTUMSKY blocks access to specific websites.
- QUANTUMCOPPER corrupts targets' file downloads.
By using malware deployed in network routers, the NSA may be able to access data passing through virtual private networks. The HAMMERSTEIN man in the middle malware appears to attack the Internet Key Exchange (IKE) phase used to set up secure VPN sessions, and attempts decryption of content.
In a similar manner, the HAMMERCHANT router implant can compromise Voice over Internet Protocol communications, capturing Session Initiation Protocol (SIP/H.323) signalling used to set up calls as well the Real Time Protocol (RTP) data streams for the content.
According to the presentation, NSA exploits vulnerabilities in web browsers, the Oracle Java and Adobe Flash frameworks, and router software to infect devices. The malware is said to be able to hide itself from anti-virus programs and can delete itself after a set time if needed.
The NSA's favoured attack method to implant malware is the "man in the middle" (MITM) technique, whereby software is secretely placed on networks between computers communicating with each other. MITM allows multiple devices to be targeted and also makes it easier to capture the data they transmit.
The exact scale of NSA's malware dissemination campaign remains unknown as the US government refuses to provide detail on the operations, but the agency is believed to have successfully compromised as many as 100,000 systems around the world.
Digital liberties group the Centre for Democracy and Technology senior counsel Harley Geiger said "if this report is accurate, the NSA is acting like a spambot."
"The use of malware implants should be targeted against specific threats in tightly controlled situations, but this kind of mass automated surveillance would put countless Internet users at risk," Geiger said.
Australian and New Zealand intelligence agencies were privy to the information in the NSA presentation, along with their equivalents in Canada and Britain, and are believed to participate in the programme itself.