Inside TAO: Documents Reveal Top NSA Hacking Unit

By SPIEGEL Staff


Part 3: The NSA's Shadow Network

The insert method and other variants of QUANTUM are closely linked to a shadow network operated by the NSA alongside the Internet, with its own, well-hidden infrastructure comprised of "covert" routers and servers. It appears the NSA also incorporates routers and servers from non-NSA networks into its covert network by infecting these networks with "implants" that then allow the government hackers to control the computers remotely. (Click here to read a related article on the NSA's "implants".)

In this way, the intelligence service seeks to identify and track its targets based on their digital footprints. These identifiers could include certain email addresses or website cookies set on a person's computer. Of course, a cookie doesn't automatically identify a person, but it can if it includes additional information like an email address. In that case, a cookie becomes something like the web equivalent of a fingerprint.

A Race Between Servers

Once TAO teams have gathered sufficient data on their targets' habits, they can shift into attack mode, programming the QUANTUM systems to perform this work in a largely automated way. If a data packet featuring the email address or cookie of a target passes through a cable or router monitored by the NSA, the system sounds the alarm. It determines what website the target person is trying to access and then activates one of the intelligence service's covert servers, known by the codename FOXACID.

This NSA server coerces the user into connecting to NSA covert systems rather than the intended sites. In the case of the Belgacom engineers, instead of reaching the LinkedIn page they were actually trying to visit, they were directed to FOXACID servers housed on NSA networks. Undetected by the user, the manipulated page transferred malware already custom-tailored to match security holes on the target person's computer.

The technique can literally be a race between servers, one that is described in internal intelligence agency jargon with phrases like: "Wait for client to initiate new connection," "Shoot!" and "Hope to beat server-to-client response." Like any competition, at times the covert network's surveillance tools are "too slow to win the race." Often enough, though, they are effective. Implants with QUANTUMINSERT, especially when used in conjunction with LinkedIn, now have a success rate of over 50 percent, according to one internal document.
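The "race" described above has a defensive consequence: the injected answer has to arrive before the genuine one, so a passive sensor placed between the client and the server sees two responses for the same TCP sequence number with different contents (a true retransmission repeats identical bytes). The following detector is an added example, not code from the article or from any of the documents it describes; the packet records, IP addresses and HTTP payloads are constructed, and the assumption that the sensor captures both the winning and the losing response is stated in the code.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One server-to-client TCP segment as a passive sensor would record it."""
    ts: float      # capture time in seconds
    src: str       # server IP
    dst: str       # client IP
    seq: int       # TCP sequence number
    ttl: int       # IP TTL as seen on arrival
    payload: bytes


def detect_injection_races(segments):
    """Flag segments that reuse a (src, dst, seq) triple with a different payload.

    Assumption: the sensor sees both the response that won the race and the
    one that lost it. A retransmission carries the same bytes and is ignored.
    Two different payloads for one sequence number mean two senders answered
    the same request; the earlier arrival is what the client accepted, so it
    is reported as the suspect. The TTL difference is recorded because an
    answer injected from a different network position usually arrives with a
    different hop count than the real server's answers.
    """
    by_key = defaultdict(list)
    for seg in sorted(segments, key=lambda s: s.ts):
        by_key[(seg.src, seg.dst, seg.seq)].append(seg)

    alerts = []
    for (src, dst, seq), group in by_key.items():
        winner = group[0]
        for later in group[1:]:
            if later.payload == winner.payload:
                continue  # plain retransmission, not a race
            alerts.append({
                "src": src, "dst": dst, "seq": seq,
                "winner_ts": winner.ts, "loser_ts": later.ts,
                "winner_ttl": winner.ttl, "loser_ttl": later.ttl,
                "ttl_delta": abs(winner.ttl - later.ttl),
                "winner_head": winner.payload[:24],
                "loser_head": later.payload[:24],
            })
            break  # one alert per sequence number is enough
    return alerts


# Constructed capture: the real server (TTL 54) answers at t=1.010, but a
# redirect with the same sequence number and a different TTL arrived at
# t=1.004. A later retransmission of the real answer must not raise a second
# alert, and the following segment (seq 1046) is unaffected.
SAMPLE = [
    Segment(1.004, "198.51.100.10", "192.0.2.7", 1000, 61,
            b"HTTP/1.1 302 Found\r\nLocation: http://redirect.invalid/\r\n\r\n"),
    Segment(1.010, "198.51.100.10", "192.0.2.7", 1000, 54,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    Segment(1.300, "198.51.100.10", "192.0.2.7", 1000, 54,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    Segment(1.350, "198.51.100.10", "192.0.2.7", 1046, 54,
            b"<body>...</body></html>"),
]


def main():
    for alert in detect_injection_races(SAMPLE):
        print(f"race on {alert['src']}->{alert['dst']} seq={alert['seq']}: "
              f"winner ttl={alert['winner_ttl']} {alert['winner_head']!r}, "
              f"loser ttl={alert['loser_ttl']} {alert['loser_head']!r}, "
              f"gap={alert['loser_ts'] - alert['winner_ts']:.3f}s")


if __name__ == "__main__":
    main()
```

The check is deliberately narrow: it only fires when two different payloads claim the same sequence number, which is the one artefact the race cannot avoid leaving behind. The TTL delta is reported as corroborating evidence rather than as a trigger on its own, since TTLs legitimately vary between load-balanced servers. Sensor placement matters: a sensor that sits on the same network segment as the clients sees both responses, because the late legitimate answer is still delivered to the client even though its TCP stack discards it.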

Tapping Undersea Cables

At the same time, it is in no way true to say that the NSA has its sights set exclusively on select individuals. Of even greater interest are entire networks and network providers, such as the fiber optic cables that direct a large share of global Internet traffic along the world's ocean floors.

One document labeled "top secret" and "not for foreigners" describes the NSA's success in spying on the "SEA-ME-WE-4" cable system. This massive underwater cable bundle connects Europe with North Africa and the Gulf states and then continues on through Pakistan and India, all the way to Malaysia and Thailand. The cable system originates in southern France, near Marseille. Among the companies that hold ownership stakes in it are France Telecom, now known as Orange and still partly government-owned, and Telecom Italia Sparkle.

The document proudly announces that, on Feb. 13, 2013, TAO "successfully collected network management information for the SEA-Me-We Undersea Cable Systems (SMW-4)." With the help of a "website masquerade operation," the agency was able to "gain access to the consortium's management website and collected Layer 2 network information that shows the circuit mapping for significant portions of the network."

It appears the government hackers succeeded here once again using the QUANTUMINSERT method.

The document states that the TAO team hacked an internal website of the operator consortium and copied documents stored there pertaining to technical infrastructure. But that was only the first step. "More operations are planned in the future to collect more information about this and other cable systems," it continues.

But numerous internal announcements of successful attacks like the one against the undersea cable operator aren't the exclusive factors that make TAO stand out at the NSA. In contrast to most NSA operations, TAO's ventures often require physical access to their targets. After all, you might have to directly access a mobile network transmission station before you can begin tapping the digital information it provides.

Spying Traditions Live On

To conduct those types of operations, the NSA works together with other intelligence agencies such as the CIA and FBI, which in turn maintain informants on location who are available to help with sensitive missions. This enables TAO to attack even isolated networks that aren't connected to the Internet. If necessary, the FBI can even make an agency-owned jet available to ferry the high-tech plumbers to their target. This gets them to their destination at the right time and can help them to disappear again undetected after as little as a half hour's work.

Responding to a query from SPIEGEL, NSA officials issued a statement saying, "Tailored Access Operations is a unique national asset that is on the front lines of enabling NSA to defend the nation and its allies." The statement added that TAO's "work is centered on computer network exploitation in support of foreign intelligence collection." The officials said they would not discuss specific allegations regarding TAO's mission.

Sometimes it appears that the world's most modern spies are just as reliant on conventional methods of reconnaissance as their predecessors.

Take, for example, when they intercept shipping deliveries. If a target person, agency or company orders a new computer or related accessories, for example, TAO can divert the shipping delivery to its own secret workshops. The NSA calls this method interdiction. At these so-called "load stations," agents carefully open the package in order to load malware onto the electronics, or even install hardware components that can provide backdoor access for the intelligence agencies. All subsequent steps can then be conducted from the comfort of a remote computer.

These minor disruptions in the parcel shipping business rank among the "most productive operations" conducted by the NSA hackers, one top secret document relates in enthusiastic terms. This method, the presentation continues, allows TAO to obtain access to networks "around the world."

Even in the Internet Age, some traditional spying methods continue to live on.

REPORTED BY JACOB APPELBAUM, LAURA POITRAS, MARCEL ROSENBACH, CHRISTIAN STÖCKER, JÖRG SCHINDLER AND HOLGER STARK

Comments
36 total posts
1. Thanks Der Spiegel
sneeekysteve 12/29/2013
Thanks for publishing all the dirt from Edward Snowden. I'll respect your journalistic ethics when you start publishing similar articles about Russian and Chinese snooping on Europe. To date I haven't seen a single article about Russian or Chinese spying.
2. optional
w.hamilton 12/29/2013
In the 1980s, the British publisher, Robert Maxwell, allegedly sold $35 million worth of licenses to stolen copies of INSLAW, Inc.'s PROMIS database software to the Government of Mexico for its law enforcement and intelligence agencies on behalf of a joint U.S./Israel signal intelligence project. A CIA contractor allegedly operated a PROMIS packaging facility in Herndon, Virginia throughout the 1980s and 1990s to supply "turnkey" SIGINT-enabled PROMIS software/hardware systems to various PROMIS-centric intelligence projects, including sales conducted by Robert Maxwell and Israeli intelligence as agents and instrumentalities of the United States. The CIA contractor in Herndon allegedly inserted into each computer on which it packaged PROMIS an NSA-manufactured integrated circuit, known as the Petrie Chip, which enabled NSA to penetrate the electronic counter-measures protecting target police and intelligence sites to retrieve data processed in their PROMIS applications.
3. Bugged computers sold at Walmart
invisibleman4700 12/29/2013
Yeah, I bought a Toshiba Laptop Windows 7 that had been pre-set with a proxy remote connection. At the time I had called the FBI and the store to report it. Now turns out it was the NSA: "TAO can divert the shipping delivery to its own secret workshops. The NSA calls this method interdiction. At these so-called 'load stations,' agents carefully open the package in order to load malware onto the electronics, or even install hardware components that can provide backdoor access for the intelligence agencies."
4. optional
lala 12/29/2013
Fun to imagine the seizures Alexander, Hayden and company must be having reading these articles...
5. NSA TAO license plates
spon-facebook-10000353779 12/29/2013
Tea Party patriots have been able to determine 350 car license plate numbers from the above photograph of the TAO parking lot.
© SPIEGEL ONLINE 2013