THE BIRTH OF D WEAPONS
According to top secret documents from the archive of NSA whistleblower Edward Snowden seen exclusively by SPIEGEL, intelligence agencies are planning for wars of the future in which the Internet will play a critical role, with the aim of being able to use the net to paralyze computer networks and, by doing so, potentially all the infrastructure they control, including power and water supplies, factories, airports or the flow of money.
During the 20th century, scientists developed so-called ABC weapons — atomic, biological and chemical. It took decades before their deployment could be regulated and, at least partly, outlawed. New digital weapons have now been developed for the war on the Internet. But there are almost no international conventions or supervisory authorities for these D weapons, and the only law that applies is the survival of the fittest.
Canadian media theorist Marshall McLuhan foresaw these developments decades ago. In 1970, he wrote, “World War III is a guerrilla information war with no division between military and civilian participation.” That’s precisely the reality that spies are preparing for today.
The US Army, Navy, Marines and Air Force have already established their own cyber forces, but it is the NSA, also officially a military agency, that is taking the lead. It’s no coincidence that the director of the NSA also serves as the head of the US Cyber Command. The country’s leading data spy, Admiral Michael Rogers, is also its chief cyber warrior and his close to 40,000 employees are responsible for both digital spying and destructive network attacks.
From a military perspective, surveillance of the Internet is merely “Phase 0” in the US digital war strategy. Internal NSA documents indicate that it is the prerequisite for everything that follows. They show that the aim of the surveillance is to detect vulnerabilities in enemy systems. Once “stealthy implants” have been placed to infiltrate enemy systems, thus allowing “permanent accesses,” then Phase Three has been achieved — a phase headed by the word “dominate” in the documents. This enables them to “control/destroy critical systems & networks at will through pre-positioned accesses (laid in Phase 0).” Critical infrastructure is considered by the agency to be anything that is important in keeping a society running: energy, communications and transportation. The internal documents state that the ultimate goal is “real time controlled escalation”.
One NSA presentation proclaims that “the next major conflict will start in cyberspace.” To that end, the US government is currently undertaking a massive effort to digitally arm itself for network warfare. For the 2013 secret intelligence budget, the NSA projected it would need around $1 billion in order to increase the strength of its computer network attack operations. The budget included an increase of some $32 million for “unconventional solutions” alone.
NSA DOCS ON NETWORK ATTACKS AND EXPLOITATION:
- Excerpt from the secret NSA budget on computer network operations / Code word GENIE (2MB) (See: Codename GENIE: NSA to Control 85,000 “Implants” in Strategically Chosen Machines Around the World by Year End)
- Supply-chain interdiction / Stealthy techniques can crack some of SIGINT’s hardest targets (1MB) (See:NSA Intercepts Computer Shipping Deliveries of Targets to Install Malware/Backdoors)
- Classification guide for computer network exploitation (CNE) (2MB)
- NSA training course material on computer network operations (17MB)
- Overview of methods for NSA integrated cyber operations (12MB)
- NSA project description to recognize and process data that comes from third party attacks on computers (<1MB)
- Exploring and exploiting leaky mobile apps with BADASS (26MB) (See: BADASS: GCHQ/CSEC Program Exploits Leaky Apps & Unencrypted Advertising Data to Spy on Smartphone Users)
- Overview of projects of the TAO/ATO department such as the remote destruction of network cards (3MB) (See:NSA’s ANT Division Catalog of Exploits for Nearly Every Major Software/Hardware/Firmware)
- iPhone target analysis and exploitation with Apple’s unique device identifiers (UDID) (3MB)
- Report of an NSA Employee about a Backdoor in the OpenSSH Daemon (1MB)
- NSA document on QUANTUMSHOOTER, an implant to remote-control computers with good network connections from unknown third parties (2MB)
In recent years, malware has emerged that experts have attributed to the NSA and its Five Eyes alliance based on a number of indicators. They include programs like Stuxnet, used to attack the Iranian nuclear program. Or Regin, a powerful spyware trojan that created a furor in Germany after it infected the USB stick of a high-ranking staffer to Chancellor Angela Merkel. Agents also used Regin in attacks against the European Commission, the EU’s executive, and Belgian telecoms company Belgacom in 2011.
The new documents shed some new light on other revelations as well. Although an attack called QUANTUMINSERT has been widely reported by SPIEGEL and others, documentation shows that in reality it has a low success rate and it has likely been replaced by more reliable attacks such as QUANTUMDIRK, which injects malicious content into chat services provided by websites such as Facebook and Yahoo. And computers infected with STRAITBIZARRE (PDF/37MB) can be turned into disposable and non-attributable “shooter” nodes (PDF/2MB). These nodes can then receive messages from the NSA’s QUANTUM network, which is used for “command and control for very large scale active exploitation and attack.” The secret agents were also able to breach mobile phones by exploiting a vulnerability in the Safari browser in order to obtain sensitive data and remotely implant malicious code.
NSA DOCS ON MALWARE AND IMPLANTS:
- CSEC document about the recognition of trojans and other “network based anomaly” (9MB) (See: EONBLUE: CSE’s Cyber Threat Detection Platform; Access Internet Core Infrastructure with 200 Sensors Across Globe)
- The formalized process through which analysts choose their data requirement and then get to know the tools that can do the job (3MB)
- QUANTUMTHEORY is a set of technologies allowing man-on-the-side interference attacks on TCP/IP connections (includes STRAIGHTBIZARRE and DAREDEVIL) (7MB) (See: NSA Quantum Files)
- Sample code of a malware program from the Five Eyes alliance (<1MB) (See: NSA’s QWERTY Keylogger Source Code)
In this guerrilla war over data, little differentiation is made between soldiers and civilians, the Snowden documents show. Any Internet user could suffer damage to his or her data or computer. It also has the potential to create perils in the offline world as well. If, for example, a D weapon like BARNFIRE were to destroy or “brick” the control center of a hospital as a result of a programming error, people who don’t even own a mobile phone could be affected.
Intelligence agencies have adopted “plausible deniability” as their guiding principle for Internet operations. To ensure their ability to do so, they seek to make it impossible to trace the author of the attack.
It’s a stunning approach with which the digital spies deliberately undermine the very foundations of the rule of law around the globe. This approach threatens to transform the Internet into a lawless zone in which superpowers and their secret services operate according to their own whims with very few ways to hold them accountable for their actions.
NSA DOCS ON EXFILTRATION:
- Explanation of the APEX method of combining passive with active methods to exfiltrate data from networks attacked (30MB)
- Explanation of APEX shaping to put exfiltrating network traffic into patterns that allow plausible deniability (5MB)
- Presentation on the FASHIONCLEFT protocol that the NSA uses to exfiltrate data from trojans and implants to the NSA (7MB)
- Methods to exfiltrate data even from devices which are supposed to be offline (37MB)
- Document detailing SPINALTAP, an NSA project to combine data from active operations and passive signals intelligence (18MB)
- Technical description of the FASHIONCLEFT protocol the NSA uses to exfiltrate data from Trojans and implants to the NSA (7MB)
TUTELAGE & DEFIANTWARRIOR: TRANSFORMING DEFENSES INTO ATTACKS
The search for foreign cyber attacks has long since been largely automated by the NSA and its Five Eyes partners. The TUTELAGE system can identify incursions and ensure that they do not reach their targets.
The NSA is also able to transform its defenses into an attack of its own. The method is described as “reverse engineer, repurpose software” and involves botnets, sometimes comprising millions of computers belonging to normal users onto which software has been covertly installed. They can thus be controlled remotely as part of a “zombie army” to paralyze companies or to extort them. If the infected hosts appear to be within the United States, the relevant information will be forwarded to the FBI Office of Victim Assistance. However, a host infected with an exploitable bot could be hijacked through a QUANTUMBOT attack and redirected to the NSA. This program is identified in NSA documents as DEFIANTWARRIOR and it is said to provide advantages such as “pervasive network analysis vantage points” and “throw-away non-attributable CNA (eds: computer network attack) nodes.” This system leaves people’s computers vulnerable and covertly uses them for network operations that might be traced back to an innocent victim. Instead of providing protection to private Internet users, QUANTUMBOT uses them as human shields in order to disguise its own attacks.
It’s not just computers, of course, that can be systematically broken into, spied on or misused as part of a botnet. Mobile phones can also be used to steal information from the owner’s employer. The unwitting victim, whose phone has been infected with a spy program, smuggles the information out of the office. The information is then retrieved remotely as the victim heads home after work. Digital spies have even adopted drug-dealer slang in referring to these unsuspecting accomplices. They are called “unwitting data mules.”
NSA DOCS ON BOTNET TAKEOVERS:
INTELLIGENCE WORLD IS SCHIZOPHRENIC & NEEDS TO BE TREATED
The intelligence world is a schizophrenic one. The NSA’s job is to defend the Internet while at the same time exploiting its security holes. It is both cop and robber, consistent with the motto adhered to by spies everywhere: “Reveal their secrets, protect our own.”
As a result, some hacked servers are like a bus during rush hour, with people constantly coming and going. The difference, though, is that the server’s owner has no idea anyone is there. And the presumed authorities stand aside and do nothing.
NSA agents aren’t concerned about being caught. That’s partly because they work for such a powerful agency, but also because they don’t leave behind any evidence that would hold up in court. And if there is no evidence of wrongdoing, there can be no legal penalty, no parliamentary control of intelligence agencies and no international agreement. Thus far, very little is known about the risks and side-effects inherent in these new D weapons and there is almost no government regulation.
Edward Snowden has revealed how intelligence agencies around the world, led by the NSA, are doing their best to ensure a legal vacuum in the Internet. In a recent interview with James Bamford for an upcoming PBS NOVA special, the whistleblower voiced his concerns that “defense is becoming less of a priority than offense.”
Snowden finds that concerning. “What we need to do,” he said, “is we need to create new international standards of behavior.”