Inside TAO: Documents Reveal Top NSA Hacking Unit

By SPIEGEL Staff

Photo Gallery: A Powerful NSA Toolbox Photos
Google Earth

The NSA's TAO hacking unit is considered to be the intelligence agency's top secret weapon. It maintains its own covert network, infiltrates computers around the world and even intercepts shipping deliveries to plant back doors in electronics ordered by those it is targeting.

In January 2010, numerous homeowners in San Antonio, Texas, stood baffled in front of their closed garage doors. They wanted to drive to work or head off to do their grocery shopping, but their garage door openers had gone dead, leaving them stranded. No matter how many times they pressed the buttons, the doors didn't budge. The problem primarily affected residents in the western part of the city, around Military Drive and the interstate highway known as Loop 410.

In the United States, a country of cars and commuters, the mysterious garage door problem quickly became an issue for local politicians. Ultimately, the municipal government solved the riddle. Fault for the error lay with the United States' foreign intelligence service, the National Security Agency, which has offices in San Antonio. Officials at the agency were forced to admit that one of the NSA's radio antennas was broadcasting at the same frequency as the garage door openers. Embarrassed officials at the intelligence agency promised to resolve the issue as quickly as possible, and soon the doors began opening again.

It was thanks to the garage door opener episode that Texans learned just how far the NSA's work had encroached upon their daily lives. For quite some time now, the intelligence agency has maintained a branch with around 2,000 employees at Lackland Air Force Base, also in San Antonio. In 2005, the agency took over a former Sony computer chip plant in the western part of the city. A brisk pace of construction commenced inside this enormous compound. The acquisition of the former chip factory at Sony Place was part of a massive expansion the agency began after the events of Sept. 11, 2001.

On-Call Digital Plumbers

One of the two main buildings at the former plant has since housed a sophisticated NSA unit, one that has benefited the most from this expansion and has grown the fastest in recent years -- the Office of Tailored Access Operations, or TAO. This is the NSA's top operative unit -- something like a squad of plumbers that can be called in when normal access to a target is blocked.

According to internal NSA documents viewed by SPIEGEL, these on-call digital plumbers are involved in many sensitive operations conducted by American intelligence agencies. TAO's area of operations ranges from counterterrorism to cyber attacks to traditional espionage. The documents reveal just how diversified the tools at TAO's disposal have become -- and also how it exploits the technical weaknesses of the IT industry, from Microsoft to Cisco and Huawei, to carry out its discreet and efficient attacks.

The unit is "akin to the wunderkind of the US intelligence community," says Matthew Aid, a historian who specializes in the history of the NSA. "Getting the ungettable" is the NSA's own description of its duties. "It is not about the quantity produced but the quality of intelligence that is important," one former TAO chief wrote, describing her work in a document. The paper seen by SPIEGEL quotes the former unit head stating that TAO has contributed "some of the most significant intelligence our country has ever seen." The unit, it goes on, has "access to our very hardest targets."

A Unit Born of the Internet

Defining the future of her unit at the time, she wrote that TAO "needs to continue to grow and must lay the foundation for integrated Computer Network Operations," and that it must "support Computer Network Attacks as an integrated part of military operations." To succeed in this, she wrote, TAO would have to acquire "pervasive, persistent access on the global network." An internal description of TAO's responsibilities makes clear that aggressive attacks are an explicit part of the unit's tasks. In other words, the NSA's hackers have been given a government mandate for their work. During the middle part of the last decade, the special unit succeeded in gaining access to 258 targets in 89 countries -- nearly everywhere in the world. In 2010, it conducted 279 operations worldwide.

Indeed, TAO specialists have directly accessed the protected networks of democratically elected leaders of countries. They infiltrated networks of European telecommunications companies and gained access to and read mails sent over Blackberry's BES email servers, which until then were believed to be securely encrypted. Achieving this last goal required a "sustained TAO operation," one document states.

This TAO unit is born of the Internet -- created in 1997, a time when not even 2 percent of the world's population had Internet access and no one had yet thought of Facebook, YouTube or Twitter. From the time the first TAO employees moved into offices at NSA headquarters in Fort Meade, Maryland, the unit was housed in a separate wing, set apart from the rest of the agency. Their task was clear from the beginning -- to work around the clock to find ways to hack into global communications traffic.

Recruiting the Geeks

To do this, the NSA needed a new kind of employee. The TAO workers authorized to access the special, secure floor on which the unit is located are for the most part considerably younger than the average NSA staff member. Their job is breaking into, manipulating and exploiting computer networks, making them hackers and civil servants in one. Many resemble geeks -- and act the part, too.

Indeed, it is from these very circles that the NSA recruits new hires for its Tailored Access Operations unit. In recent years, NSA Director Keith Alexander has made several appearances at major hacker conferences in the United States. Sometimes, Alexander wears his military uniform, but at others, he even dons jeans and a t-shirt in his effort to court trust and a new generation of employees.

The recruitment strategy seems to have borne fruit. Certainly, few if any other divisions within the agency are growing as quickly as TAO. There are now TAO units in Wahiawa, Hawaii; Fort Gordon, Georgia; at the NSA's outpost at Buckley Air Force Base, near Denver, Colorado; at its headquarters in Fort Meade; and, of course, in San Antonio.

One trail also leads to Germany. According to a document dating from 2010 that lists the "Lead TAO Liaisons" domestically and abroad as well as names, email addresses and the number for their "Secure Phone," a liaison office is located near Frankfurt -- the European Security Operations Center (ESOC) at the so-called "Dagger Complex" at a US military compound in the Griesheim suburb of Darmstadt.

But it is the growth of the unit's Texas branch that has been uniquely impressive, the top secret documents reviewed by SPIEGEL show. These documents reveal that in 2008, the Texas Cryptologic Center employed fewer than 60 TAO specialists. By 2015, the number is projected to grow to 270 employees. In addition, there are another 85 specialists in the "Requirements & Targeting" division (up from 13 specialists in 2008). The number of software developers is expected to increase from the 2008 level of three to 38 in 2015. The San Antonio office handles attacks against targets in the Middle East, Cuba, Venezuela and Colombia, not to mention Mexico, just 200 kilometers (124 miles) away, where the government has fallen into the NSA's crosshairs.

Article...
  • For reasons of data protection and privacy, your IP address will only be stored if you are a registered user of Facebook and you are currently logged in to the service. For more detailed information, please click on the "i" symbol.
  • Post to other social networks

Comments
Discuss this issue with other readers!
36 total posts
Show all comments
    Page 1    
1. Thanks Der Spiegel
sneeekysteve 12/29/2013
Thanks for publishing all the dirt from Edward Snowden. I'll respect your journalistic ethics when you start publishing similar articles about Russian and Chinese snooping on Europe. To date I haven't seen a single article about Russian or Chinese spying.
2. optional
w.hamilton 12/29/2013
In the 1980s, the British publisher, Robert Maxwell, allegedly sold $35 million worth of licenses to stolen copies of INSLAW, Inc.'s PROMIS database software to the Government of Mexico for its law enforcement and intelligence agencies on behalf of a joint U.S./Israel signal intelligence project. A CIA contractor allegedly operated a PROMIS packaging facility in Herndon, Virginia throughout the 1980s and 1990s to supply "turnkey" SIGINT-enabled" PROMIS software hardware systems various PROMIS-centric intelligence projects, including sales conducted by Robert Maxwell and Israeli intelligence as agents and instrumentalities of the United States. The CIA contractor in Herndon allegedly inserted into each computer on which it packaged PROMIS an NSA-manufactured integrated circuit, known as the Petrie Chip, which enabled NSA to penetrate the electronic counter-measures protecting target police and intelligence sites to retrieve data processed in their PROMIS applications.
3. Bugged computers sold at Walmart
invisibleman4700 12/29/2013
Yeah, I bought a Toshiba Laptop Windows 7 that had been pre-set with a proxy remote connection. At the time I had called the FBI and the store to report it. Now turns out it was the NSA: "TAO can divert the shipping delivery to its own secret workshops. The NSA calls this method interdiction. At these so-called "load stations," agents carefully open the package in order to load malware onto the electronics, or even install hardware components that can provide backdoor access for the intelligence agencies. "
4. optional
lala 12/29/2013
Fun to imagine the seizures Alexander, Hayden and company must be having reading these articles...
5. NSA TAO license plates
spon-facebook-10000353779 12/29/2013
Tea Party patriots have been able to determine 350 car license plate numbers from above photograph of TAO parking lot
Show all comments
    Page 1    
Keep track of the news

Stay informed with our free news services:

All news from SPIEGEL International
Twitter | RSS
All news from World section
RSS

© SPIEGEL ONLINE 2013
All Rights Reserved
Reproduction only allowed with the permission of SPIEGELnet GmbH



From DER SPIEGEL


European Partners
Presseurop

Politiken

Corriere della Sera

Early Election

Marines Case Stokes Italy-India Tensions


Facebook
Twitter