NSA's plans reportedly involve infecting millions of computers with surveillance malware

Leaked documents show the agency was planning to expand its infrastructure for active attacks since at least 2009

The U.S. National Security Agency has reportedly been working for the past several years on expanding its ability to infect computers with surveillance malware and creating a command-and-control infrastructure capable of managing millions of compromised systems at a time.

According to media reports last year based on secret documents leaked by former NSA contractor Edward Snowden, the NSA had deployed over 50,000 Computer Network Exploitation (CNE) "implants" -- surveillance malware installed on computers and networking devices -- around the world and their number was expected to reach 85,000 by the end of 2013.

However, the agency has also been working on building a better command-and-control infrastructure codenamed TURBINE that, according to a 2009 top-secret NSA presentation leaked by Snowden, would "allow the current implant network to scale to large size (millions of implants) by creating a system that does automated control [of] implants by groups instead of individually," news website The Intercept reported Wednesday.

The leaked document reveals that TURBINE was supposed to include an "Expert System" capable of managing malware implants with limited or no human input. The NSA described the system as "a brain" that would automatically decide which tools should be provided to a given implant and how the implant should be used based on preset rules.

This system is needed because "one of the greatest challenges for Active SIGINT/attack is scale," the presentation says. "Human 'drivers' limit ability for large-scale exploitation (humans tend to operate within their own environment, not taking into account the bigger picture)."

The implants, which are described in other NSA documents leaked by Snowden, are tailored for specific surveillance tasks or act as malware frameworks that have a modular architecture and support a variety of additional plug-ins to enable different surveillance capabilities.

For example, a plug-in codenamed GROK can log keystrokes. Another, called SALVAGERABBIT, can copy data from removable storage devices connected to a computer. Other plug-ins include CAPTIVATEDAUDIENCE, which can use the computer's microphone to record nearby conversations, and GUMFISH, which can take over the computer's webcam, The Intercept reported.

This design is similar to that observed by security researchers in sophisticated threats like Stuxnet, Flame, The Mask, Red October and others that have been discovered and analyzed in recent years and which are suspected of having been created or sponsored by nation states.

The NSA distributes its implants by using man-in-the-middle and man-on-the-side techniques that redirect targeted users' computers to attack servers under the agency's control when they try to access popular, legitimate websites. The agency then exploits vulnerabilities in browsers and other software like Java and Flash Player to deploy the malware, The Intercept reported.

"If we can get the target to visit us in some sort of web browser, we can probably own them," an NSA hacker wrote in one of the leaked documents, according to The Intercept. "The only limitation is the 'how'."

In a 2012 presentation slide published by the news site, the NSA describes an exploitation technique codenamed SECONDDATE which "takes advantage of web-based protocols and man-in-the-middle positioning," can "quietly redirect" Web browsers to attack servers and "allows mass exploitation potential for clients passing through network choke points."

Other documents reportedly indicate that the NSA has shared many of its implants with surveillance agencies in the U.K., Canada, New Zealand and Australia, which together with the NSA form the so-called Five Eyes partnership.

Past media reports claimed the U.K.'s Government Communications Headquarters used implant technology designed by the NSA to target network engineers from Belgian telecommunications company Belgacom and global roaming exchange providers, and possibly even prominent cryptographers.

While the NSA uses "selectors" like email addresses, tracking cookies, browser tags, IP addresses, wireless MACs and many other identifiers to choose its targets, the documents published by The Intercept seem to indicate that the agency has been working on expanding the scope of its attacks and supporting infrastructure for years.

"Our original assumption was that NSA targeted a small number of real national security threats," said Matthew Green, a cryptographer and assistant research professor at the Johns Hopkins University Information Security Institute in Baltimore, via email. "What we're learning now is that for every individual like that, they're also targeting many other people, including telecom operators, system administrators, maybe even academic cryptographers."

"What this means is that many relatively 'innocent' people are on the receiving end of these attacks," he said. "It also means that NSA is being a lot less discriminating about who they target. They're willing to infect every employee at a company who visits Slashdot, for example, on the assumption that one will be an important system administrator."

Green doesn't believe that the NSA will ever do wholesale malware distribution and infection, because the agency has a limited supply of zero-day exploits -- exploits for unpatched vulnerabilities -- and using them on a truly mass scale would increase the chances of those exploits being discovered and becoming useless.

However, "I think the more of these things you put in the wild, the greater the chance that one falls into the hands of someone who can use it to do something criminal," Green said. "The NSA has obviously decided their strategy is worth the risk. I don't know if I agree with them, and more to the point, I don't know if their overseers really understand the risk."

"Such a large scale attack infrastructure is very offensive (in both ways)," said Eiram Carsten, the chief research officer at security intelligence and risk management firm Risk Based Security. "Even with so-called 'data selectors' they could easily end up compromising random victims. Also, while they may now say that they are only aiming to target specific people considered threats, the potential for a snowball effect is worrying. How long will it take before they start broadening the scope?"

"Such an attack infrastructure combined with these 'network choke points' to redirect traffic has the potential to compromise 'everyone'," Carsten said. "It would clearly have detrimental impact on the state of Internet security, and it sounds like a huge concern for Americans and foreigners alike."


Lucian Constantin

IDG News Service