Sunday, September 1, 2013

NSA Malware

There's a fascinating report in the Washington Post about the dimensions of US offensive cyber-operations. Here are a few excerpts.
Additionally, under an extensive effort code-named GENIE, U.S. computer specialists break into foreign networks so that they can be put under surreptitious U.S. control. Budget documents say the $652 million project has placed “covert implants,” sophisticated malware transmitted from far away, in computers, routers and firewalls on tens of thousands of machines every year, with plans to expand those numbers into the millions.

The documents provided by Snowden and interviews with former U.S. officials describe a campaign of computer intrusions that is far broader and more aggressive than previously understood. The Obama administration treats all such cyber-operations as clandestine and declines to acknowledge them.
The administration’s cyber-operations sometimes involve what one budget document calls “field operations” abroad, commonly with the help of CIA operatives or clandestine military forces, “to physically place hardware implants or software modifications.”

Much more often, an implant is coded entirely in software by an NSA group called Tailored Access Operations (TAO). As its name suggests, TAO builds attack tools that are custom-fitted to their targets.

The NSA unit’s software engineers would rather tap into networks than individual computers because there are usually many devices on each network. Tailored Access Operations has software templates to break into common brands and models of “routers, switches and firewalls from multiple product vendor lines,” according to one document describing its work.

The implants that TAO creates are intended to persist through software and equipment upgrades, to copy stored data, “harvest” communications and tunnel into other connected networks. This year TAO is working on implants that “can identify select voice conversations of interest within a target network and exfiltrate select cuts,” or excerpts, according to one budget document. In some cases, a single compromised device opens the door to hundreds or thousands of others.
The focus on routers, switches, and firewalls is very interesting and news.  To the best of my knowledge, nothing like this is known to the computer security industry.  No doubt the NSA is careful to test its efforts first, to ensure they aren't detected.

However, the hunt will be on now.

This suggests also a new market niche doing intrusion detection on these kinds of infrastructure components.  However, it's not clear that a US based firm could be a very credible provider...


sunbeam said...

I kind of have the suspicion that we are not the only ones doing this.

And I also suspect that the obvious suspects (state actors and their intelligence agencies) have been doing it a long time.

Another interesting speculation is action on this front by private interests: corporations (like oh, say Goldman Sachs), drug gangs, terrorists, any sort of group with the deep pockets to do it.

Mr. Sunshine said...

"nothing like this is known to the computer security industry" ... How is that possible? If true, it would appear the security industry has charged a fortune to provide no security. Malware is malware - it does certain things and exhibits signatures - government written or not - in order to work, does it not? How could this go undetected?

Stuart Staniford said...

Mr Sunshine. Not "no security", just "the best solution to the halting problem that money can currently buy" :-)

That is generally somewhat better than nothing, but considerably worse than everything.

Unknown said...

Also sheds light on Government reluctance to allow Telcos to use equipment supplied by China's Huawei.

Sushi said...

During the Reagan administration US agencies reportedly planted malware in pipeline control systems supplied to the Soviet Union. This pipeline later ruptured with consequent large fires that were reported to be visible to space satellites.

This activity constitutes a direct threat to the citizens of another state. I fail to see how this can be considered other than an act of war.

Geof said...

If memory serves me correctly, it is illegal in the UK to develop algorithms or devices that GCHQ cannot decrypt.