The men and women working for the Remote Operations Center (ROC), which uses the codename S321, at the agency’s headquarters in Fort Meade, Maryland, work on one of the NSA’s most crucial teams, the unit responsible for covert operations. S321 employees are located on the third floor of one of the main buildings on the NSA’s campus. In one report from the Snowden archive, an NSA man reminisces about how, when they got started, the ROC people were “just a bunch of hackers.” Initially, people worked “in a more ad hoc manner,” the report states. Nowadays, however, procedures are “more systematic”. Even before NSA management massively expanded the ROC group during the summer of 2005, the department’s motto was, “Your data is our data, your equipment is our equipment.”
NSA specialists at the Remote Operations Center (ROC) have an entire palette of digital skeleton keys and crowbars created by the Tailored Access Operations (TAO) unit, enabling access to even the best protected computer networks. They give their tools aggressive-sounding names, as though they were operating an app-store for cyber criminals: The implant tool “Hammerchant” allows the recording of Internet-based phone calls (VoIP). Foxacid allows agents to continually add functions to small malware programs even after they have been installed in target computers. The project’s logo is a fox that screams as it is dissolved in acid. The NSA has declined to comment on operational details but insists that it has not violated the law.
But as well developed as the weapons of digital war may be, there is a paradox lurking when it comes to breaking into and spying on third party networks: How can intelligence services be sure that they won’t become victims of their own methods and be infiltrated by private hackers, criminals or other intelligence services, for example?
To control their malware, the Remote Operations Center operatives stay connected to it via their own shadow network, through which highly sensitive telephone recordings, malware programs and passwords travel.
The incentive to break into this network is enormous. Any collection of VPN keys, passwords and backdoors is obviously of very high value. Those who possess such passwords and keys could theoretically pillage bank accounts, thwart military deployments, clone fighter jets and shut down power plants. It means nothing less than “global network dominance”.
As they are busy spying, the spies are spied on by other spies. In response, they routinely seek to cover their tracks or to lay fake ones instead. In technical terms, the ROC lays false tracks as follows: After third-party computers are infiltrated, the process of exfiltration can begin — the act of exporting the data that has been gleaned. But the loot isn’t delivered directly to ROC’s IP address. Rather, it is routed to a so-called Scapegoat Target. That means that stolen information could end up on someone else’s servers, making it look as though they were the perpetrators.
Before the data ends up at the Scapegoat Target, of course, the NSA intercepts and copies it using its mass surveillance infrastructure and sends it on to the ROC. But such cover-up tactics increase the risk of a controlled or uncontrolled escalation between the agencies involved.
REMOTE OPERATIONS CENTER (ROC) DOCS:
- Document about the expansion of the Remote Operations Center (ROC) on endpoint operations
- Document explaining the role of the Remote Operations Center (ROC)
- Interview with an employee of NSA’s department for Tailored Access Operations about his field of work
- Supply-chain interdiction / Stealthy techniques can crack some of SIGINT’s hardest targets
- Overview of projects of the TAO/ATO department such as the remote destruction of network cards