Inside TAO: Documents Reveal Top NSA Hacking Unit

By SPIEGEL Staff

Photo Gallery: A Powerful NSA Toolbox Photos
Google Earth

Part 2: Targeting Mexico

Mexico's Secretariat of Public Security, which was folded into the new National Security Commission at the beginning of 2013, was responsible at the time for the country's police, counterterrorism, prison system and border police. Most of the agency's nearly 20,000 employees worked at its headquarters on Avenida Constituyentes, an important traffic artery in Mexico City. A large share of the Mexican security authorities under the auspices of the Secretariat are supervised from the offices there, making Avenida Constituyentes a one-stop shop for anyone seeking to learn more about the country's security apparatus.

Operation WHITETAMALE

That considered, assigning the TAO unit responsible for tailored operations to target the Secretariat makes a lot of sense. After all, one document states, the US Department of Homeland Security and the United States' intelligence agencies have a need to know everything about the drug trade, human trafficking and security along the US-Mexico border. The Secretariat presents a potential "goldmine" for the NSA's spies, a document states. The TAO workers selected systems administrators and telecommunications engineers at the Mexican agency as their targets, thus marking the start of what the unit dubbed Operation WHITETAMALE.

Workers at NSA's target selection office, which also had Angela Merkel in its sights in 2002 before she became chancellor, sent TAO a list of officials within the Mexican Secretariat they thought might make interesting targets. As a first step, TAO penetrated the target officials' email accounts, a relatively simple job. Next, they infiltrated the entire network and began capturing data.

Soon the NSA spies had knowledge of the agency's servers, including IP addresses, computers used for email traffic and individual addresses of diverse employees. They also obtained diagrams of the security agencies' structures, including video surveillance. It appears the operation continued for years until SPIEGEL first reported on it in October.

The technical term for this type of activity is "Computer Network Exploitation" (CNE). The goal here is to "subvert endpoint devices," according to an internal NSA presentation that SPIEGEL has viewed. The presentation goes on to list nearly all the types of devices that run our digital lives -- "servers, workstations, firewalls, routers, handsets, phone switches, SCADA systems, etc." SCADAs are industrial control systems used in factories, as well as in power plants. Anyone who can bring these systems under their control has the potential to knock out parts of a country's critical infrastructure.

The most well-known and notorious use of this type of attack was the development of Stuxnet, the computer worm whose existence was discovered in June 2010. The virus was developed jointly by American and Israeli intelligence agencies to sabotage Iran's nuclear program, and successfully so. The country's nuclear program was set back by years after Stuxnet manipulated the SCADA control technology used at Iran's uranium enrichment facilities in Natanz, rendering up to 1,000 centrifuges unusable.

The special NSA unit has its own development department in which new technologies are developed and tested. This division is where the real tinkerers can be found, and their inventiveness when it comes to finding ways to infiltrate other networks, computers and smartphones evokes a modern take on Q, the legendary gadget inventor in James Bond movies.

Having Fun at Microsoft's Expense

One example of the sheer creativity with which the TAO spies approach their work can be seen in a hacking method they use that exploits the error-proneness of Microsoft's Windows. Every user of the operating system is familiar with the annoying window that occasionally pops up on screen when an internal problem is detected, an automatic message that prompts the user to report the bug to the manufacturer and to restart the program. These crash reports offer TAO specialists a welcome opportunity to spy on computers.

The original Microsoft error message exploited by the NSA Zoom
SPIEGEL ONLINE

The original Microsoft error message exploited by the NSA

When TAO selects a computer somewhere in the world as a target and enters its unique identifiers (an IP address, for example) into the corresponding database, intelligence agents are then automatically notified any time the operating system of that computer crashes and its user receives the prompt to report the problem to Microsoft. An internal presentation suggests it is NSA's powerful XKeyscore spying tool that is used to fish these crash reports out of the massive sea of Internet traffic.

The automated crash reports are a "neat way" to gain "passive access" to a machine, the presentation continues. Passive access means that, initially, only data the computer sends out into the Internet is captured and saved, but the computer itself is not yet manipulated. Still, even this passive access to error messages provides valuable insights into problems with a targeted person's computer and, thus, information on security holes that might be exploitable for planting malware or spyware on the unwitting victim's computer.

Although the method appears to have little importance in practical terms, the NSA's agents still seem to enjoy it because it allows them to have a bit of a laugh at the expense of the Seattle-based software giant. In one internal graphic, they replaced the text of Microsoft's original error message with one of their own reading, "This information may be intercepted by a foreign sigint system to gather detailed information and better exploit your machine." ("Sigint" stands for "signals intelligence.")

An NSA internal slide: "This information may be intercepted by a foreign SIGINT system to gather detailed information and better exploit your machine." Zoom
SPIEGEL ONLINE

An NSA internal slide: "This information may be intercepted by a foreign SIGINT system to gather detailed information and better exploit your machine."

One of the hackers' key tasks is the offensive infiltration of target computers with so-called implants or with large numbers of Trojans. They've bestowed their spying tools with illustrious monikers like "ANGRY NEIGHBOR," "HOWLERMONKEY" or "WATERWITCH." These names may sound cute, but the tools they describe are both aggressive and effective.

According to details in Washington's current budget plan for the US intelligence services, around 85,000 computers worldwide are projected to be infiltrated by the NSA specialists by the end of this year. By far the majority of these "implants" are conducted by TAO teams via the Internet.

Increasing Sophistication

Until just a few years ago, NSA agents relied on the same methods employed by cyber criminals to conduct these implants on computers. They sent targeted attack emails disguised as spam containing links directing users to virus-infected websites. With sufficient knowledge of an Internet browser's security holes -- Microsoft's Internet Explorer, for example, is especially popular with the NSA hackers -- all that is needed to plant NSA malware on a person's computer is for that individual to open a website that has been specially crafted to compromise the user's computer. Spamming has one key drawback though: It doesn't work very often.

Nevertheless, TAO has dramatically improved the tools at its disposal. It maintains a sophisticated toolbox known internally by the name "QUANTUMTHEORY." "Certain QUANTUM missions have a success rate of as high as 80%, where spam is less than 1%," one internal NSA presentation states.

A comprehensive internal presentation titled "QUANTUM CAPABILITIES," which SPIEGEL has viewed, lists virtually every popular Internet service provider as a target, including Facebook, Yahoo, Twitter and YouTube. "NSA QUANTUM has the greatest success against Yahoo, Facebook and static IP addresses," it states. The presentation also notes that the NSA has been unable to employ this method to target users of Google services. Apparently, that can only be done by Britain's GCHQ intelligence service, which has acquired QUANTUM tools from the NSA.

A favored tool of intelligence service hackers is "QUANTUMINSERT." GCHQ workers used this method to attack the computers of employees at partly government-held Belgian telecommunications company Belgacom, in order to use their computers to penetrate even further into the company's networks. The NSA, meanwhile, used the same technology to target high-ranking members of the Organization of the Petroleum Exporting Countries (OPEC) at the organization's Vienna headquarters. In both cases, the trans-Atlantic spying consortium gained unhindered access to valuable economic data using these tools.

Article...
For reasons of data protection and privacy, your IP address will only be stored if you are a registered user of Facebook and you are currently logged in to the service. For more detailed information, please click on the "i" symbol.

Post to other social networks

Comments
Discuss this issue with other readers!
36 total posts
Show all comments
    Page 1    
1. Thanks Der Spiegel
sneeekysteve 12/29/2013
Thanks for publishing all the dirt from Edward Snowden. I'll respect your journalistic ethics when you start publishing similar articles about Russian and Chinese snooping on Europe. To date I haven't seen a single article about Russian or Chinese spying.
2. optional
w.hamilton 12/29/2013
In the 1980s, the British publisher, Robert Maxwell, allegedly sold $35 million worth of licenses to stolen copies of INSLAW, Inc.'s PROMIS database software to the Government of Mexico for its law enforcement and intelligence agencies on behalf of a joint U.S./Israel signal intelligence project. A CIA contractor allegedly operated a PROMIS packaging facility in Herndon, Virginia throughout the 1980s and 1990s to supply "turnkey" SIGINT-enabled" PROMIS software hardware systems various PROMIS-centric intelligence projects, including sales conducted by Robert Maxwell and Israeli intelligence as agents and instrumentalities of the United States. The CIA contractor in Herndon allegedly inserted into each computer on which it packaged PROMIS an NSA-manufactured integrated circuit, known as the Petrie Chip, which enabled NSA to penetrate the electronic counter-measures protecting target police and intelligence sites to retrieve data processed in their PROMIS applications.
3. Bugged computers sold at Walmart
invisibleman4700 12/29/2013
Yeah, I bought a Toshiba Laptop Windows 7 that had been pre-set with a proxy remote connection. At the time I had called the FBI and the store to report it. Now turns out it was the NSA: "TAO can divert the shipping delivery to its own secret workshops. The NSA calls this method interdiction. At these so-called "load stations," agents carefully open the package in order to load malware onto the electronics, or even install hardware components that can provide backdoor access for the intelligence agencies. "
4. optional
lala 12/29/2013
Fun to imagine the seizures Alexander, Hayden and company must be having reading these articles...
5. NSA TAO license plates
spon-facebook-10000353779 12/29/2013
Tea Party patriots have been able to determine 350 car license plate numbers from above photograph of TAO parking lot
Show all comments
    Page 1    
Keep track of the news

Stay informed with our free news services:

All news from SPIEGEL International
Twitter | RSS
All news from World section
RSS

© SPIEGEL ONLINE 2013
All Rights Reserved
Reproduction only allowed with the permission of SPIEGELnet GmbH



  • Print Send
  • Feedback
  • Comment | 36 Comments
From DER SPIEGEL


European Partners
Presseurop

Politiken

Corriere della Sera

A&F Guilty of Age Discrimination

Berlusconi Given Community Service


Facebook
Twitter