Since the early days of TCP, port scanning has been used by computer saboteurs to locate vulnerable systems. In a new set of top secret documents seen by Heise, it is revealed that in 2009, the British spy agency GCHQ made port scans a “standard tool” to be applied against entire nations (Figure 1, see the picture gallery). Twenty-seven countries are listed as targets of the HACIENDA program in the presentation (Figure 2), which comes with a promotional offer: readers desiring to do reconnaissance against another country need simply send an e-mail (Figure 3).
The HACIENDA Program
The documents do not spell out details for a review process or the need to justify such an action. It should also be noted that the ability to port-scan an entire country is hardly wild fantasy; in 2013, a port scanner called ZMap was implemented that can scan the entire IPv4 address space in less than one hour using a single PC. The massive use of this technology can thus make any server anywhere, large or small, a target for criminal state computer saboteurs.
The list of targeted services includes ubiquitous public services such as HTTP and FTP, as well as common administrative protocols such as SSH (Secure SHell protocol – used for remote access to systems) and SNMP (Simple Network Management Protocol – used for network administration) (Figure 4). Given that in the meantime, port scanning tools like ZMap have been developed which allow anyone to do comprehensive scans, it is not the technology used that is shocking, but rather the gargantuan scale and pervasiveness of the operation. The next section gives background on how port-mapping tools work and what information is gained by using them, making it clear what becomes possible when a state actor uses them at scale.
Background: The TCP Three-Way Handshake
The most commonly-used protocol on the Internet is TCP, the Transmission Control Protocol. Every time an email is sent or a web page is browsed, TCP is the protocol that is used to move data reliably between clients and servers. Port-mapping tools take advantage of a structural problem in TCP in order to determine what services are running on a system. Since the early days of TCP, port scanning has been used by attackers to locate vulnerable systems. Whenever a TCP client wants to communicate with a TCP server, the two parties perform what is called a TCP three-way handshake. The flawed design of this handshake is the foundation for port mapping tools, as during the handshake, the server leaks information about the availability of a service without checking the client’s authorization.
Figure 5 illustrates the sequence of TCP packets which are sent to establish a connection. The establishment of the connection works as follows: the host which wants to initiate a connection first sends out a TCP SYN (“synchronize”) packet. If the destination host accepts the connection request, it sends a SYN/ACK (“synchronize/acknowledge”) packet. After receiving a positive reply, the initiating host sends out an ACK (“acknowledge”) packet, which finalizes the TCP three-way handshake. This TCP three-way handshake allows an adversary to easily determine if some TCP service is offered at a given port by a host on the Internet: if the TCP port is closed, the server reacts differently to the TCP SYN packet (Figure 6), sending a RST (“reset”) packet instead of the SYN/ACK it would send were the port open. Thus, an adversary can easily map Internet services by considering the differences in the server’s replies in the packet flows depicted in Figure 5 and Figure 6 respectively.
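The two packet flows of Figure 5 and Figure 6 are also what a defender can look for in their own traffic. The following Python is an added example, not part of the article or of the HACIENDA documents: it reconstructs the handshake state of each flow from constructed packet summaries (the one-line log format and the sample addresses are assumptions) and flags a source that probes many ports and mostly receives RSTs or tears connections down right after the SYN/ACK, which is the signature a scanner leaves behind.

```python
from collections import defaultdict

# Constructed packet summaries (not real traffic): "<ts> <src>:<port> > <dst>:<port> <flags>"; S=SYN, SA=SYN/ACK, A=ACK, R=RST
SAMPLE_LOG = """\
1.000 203.0.113.7:40001 > 192.0.2.10:22 S
1.001 192.0.2.10:22 > 203.0.113.7:40001 SA
1.002 203.0.113.7:40001 > 192.0.2.10:22 A
1.010 203.0.113.7:40002 > 192.0.2.10:80 S
1.011 192.0.2.10:80 > 203.0.113.7:40002 SA
1.012 203.0.113.7:40002 > 192.0.2.10:80 R
1.020 203.0.113.7:40003 > 192.0.2.10:161 S
1.021 192.0.2.10:161 > 203.0.113.7:40003 R
1.030 203.0.113.7:40004 > 192.0.2.10:21 S
1.031 192.0.2.10:21 > 203.0.113.7:40004 R
2.000 198.51.100.5:51000 > 192.0.2.10:443 S
2.001 192.0.2.10:443 > 198.51.100.5:51000 SA
2.002 198.51.100.5:51000 > 192.0.2.10:443 A
"""

def parse_line(line):
    """Split one summary line into (src_ip, src_port, dst_ip, dst_port, flags)."""
    _, src, _, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return sip, int(sport), dip, int(dport), flags

def analyze(lines):
    """Track each handshake (Figure 5: SYN, SYN/ACK, ACK; Figure 6: SYN, RST) and summarise per initiator."""
    flows = {}  # (client_ip, client_port, server_ip, server_port) -> handshake state
    for sip, sport, dip, dport, flags in map(parse_line, filter(None, lines)):
        fwd, rev = (sip, sport, dip, dport), (dip, dport, sip, sport)
        if flags == "S" and fwd not in flows:
            flows[fwd] = "syn"                                  # client probe
        elif flows.get(rev) == "syn":                           # server's answer to the SYN
            flows[rev] = "open" if flags == "SA" else "closed"
        elif flows.get(fwd) == "open":                          # client's reply to the SYN/ACK
            flows[fwd] = "established" if flags == "A" else "half-open"
    stats = defaultdict(lambda: {"ports": set(), "closed": 0, "half_open": 0})
    for (client, _, server, dport), state in flows.items():
        stats[client]["ports"].add((server, dport))
        if state in ("closed", "half-open"):
            stats[client][state.replace("-", "_")] += 1
    return stats

def find_scanners(lines, min_ports=3):
    """Initiators that probed >= min_ports ports, mostly ending in RST or abandoned after SYN/ACK."""
    return sorted((c, len(s["ports"]), s["closed"], s["half_open"])
                  for c, s in analyze(lines).items()
                  if len(s["ports"]) >= min_ports and s["closed"] + s["half_open"] >= min_ports - 1)
```

On the sample, `find_scanners` reports the host that touched four ports with two RST answers and one half-open connection, while the host that completed a single normal handshake is left alone.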
The Enemy Online
In addition to simple port scans, GCHQ also downloads so-called banners and other readily available information (Figure 4). A banner is text sent by some applications when connecting to an associated port; this often indicates system and application information, including version and other information useful when looking for vulnerable services. Doing reconnaissance at the massive scale revealed in the documents demonstrates that the goal is to perform active collection and map vulnerable services ubiquitously, not to go after specific targets.
By preparing for attacks against services offered via SSH and SNMP, the spy agency targets critical infrastructure such as systems used for network operations. As shown in the past with the penetration of Belgacom and Stellar, when an employee’s computer system or network credentials may be useful, those systems and people are targeted and attacked.
The database resulting from the scans is then shared with other spy agencies of the Five Eyes spying club (Figure 7), which includes the United States, Canada, United Kingdom, Australia and New Zealand. MAILORDER is described in the documents as a secure transport protocol used between the Five Eyes spy agencies to exchange collected data.
Every Device a Target
The process of scanning entire countries and looking for vulnerable network infrastructure to exploit is consistent with the meta-goal of “Mastering the Internet”, which is also the name of a GCHQ cable-tapping program: these spy agencies try to attack every possible system they can, presumably as it might provide access to further systems. Systems may be attacked simply because they might eventually create a path towards a valuable espionage target, even without actionable information indicating this will ever be the case.
Using this logic, every device is a target for colonization, as each successfully exploited target is theoretically useful as a means to infiltrating another possible target. Port scanning and downloading banners to identify which software is operating on the target system is merely the first step of the attack (Figure 8). Top secret documents from the NSA seen by Heise demonstrate that the involved spy agencies follow the common methodology of online organized crime (Figure 9): reconnaissance (Figure 10) is followed by infection (Figure 11), command and control (Figure 12), and exfiltration (Figure 13). The NSA presentation makes it clear that the agency embraces the mindset of criminals. In the slides, they discuss techniques and then show screenshots of their own tools to support this criminal process (Figure 14, 15 and 16).
The NSA is known to be interested in 0-day attacks, which are attacks exploiting largely unknown vulnerabilities for which no patch is available. Once an adversary armed with 0-day attacks has discovered that a vulnerable service is running on a system, defense becomes virtually impossible. Firewalls are unlikely to offer sufficient protection, whether because administrators need remote access or because spy agencies have already infiltrated the local network (See: MUSCULAR: NSA/GCHQ Tapping Communications Links to Google & Yahoo Data Centers). Furthermore, adding additional equipment, such as firewalls administered via SNMP, into an internal network may also open up new vulnerabilities.
Figure 8 points to a particular role that HACIENDA plays in the spy club’s infrastructure, namely the expansion of their covert infrastructure. The top secret documents seen by Heise describe the LANDMARK program, a program by the Canadian spy agency CSEC which is used to expand covert infrastructure (Figure 17).
The covert infrastructure includes so-called Operational Relay Boxes (ORBs), which are used to hide the location of the attacker when the Five Eyes launch exploits against targets or steal data (Figure 18). Several times a year, the spy club tries to take control of as many machines as possible, as long as they are abroad.
For example, in February 2010 twenty-four spies located over 3000 potential ORBs in a single work day (Figure 19). However, going over the port scan results provided by HACIENDA was considered too laborious (Figure 20), so they programmed their OLYMPIA system to automate the process (Figure 21). As a result, the spies brag that they can now locate vulnerable devices in a subnet in less than five minutes (Figure 22).
The Canadians are not the only ones using HACIENDA to locate machines to compromise and turn into ORBs. At GCHQ, the hunt for ORBs is organized as part of the MUGSHOT program (Figure 23). The GCHQ has also automated the process and claims significant improvements in accuracy due to the automation (Figure 24). Again the information obtained from HACIENDA plays a prominent role (Figure 25). A key point is that with MUGSHOT the GCHQ integrates results from active scans (HACIENDA) as well as passive monitoring (Figure 26), to “understand everything important about all machines on the Internet”.
Thus, system and network administrators now face the threat of industrial espionage, sabotage and human rights violations created by nation-state adversaries indiscriminately attacking network infrastructure and breaking into services. Such an adversary needs little reason for an attack beyond gaining access and is supported by a multi-billion dollar budget, immunity from prosecution, and compelled collaboration by companies from Five Eyes countries. As a result, every system or network administrator needs to worry about protecting their systems against this unprecedented threat level. In particular, citizens of countries outside of the Five Eyes have, as a result of these programs, greatly reduced security, privacy, integrity and resilience capabilities.
Spy agencies are using their powers to commandeer Internet systems for power projection. Their actions follow the standard template of cyber-criminal behavior, using reconnaissance through active and passive port scanning to identify potential victims. Given this serious threat, system administrators need to improve their defensive posture and, in particular, reduce the visibility of non-public services. Patching services does not help against 0-day attacks, and firewalls may not be applicable or sufficient. In the second part of our article, we will introduce another option for system administrators to make non-public system administration services less visible to reconnaissance operations. By standardizing such techniques, the Internet community may be able to dampen the ability of security services to master the Internet.