x

Servers

Servers are special computers that make data available within a company network or on the Internet. According to the catalog SPIEGEL has viewed, the NSA’s ANT division makes several hardware and software implants available for servers made by a handful of manufacturers including Dell and Hewlett-Packard. Whether further hardware and software for other server models are available is unknown. A software implant called “DEITYBOUNCE,” for example, conceals itself inside the BIOS, the lowest level of software, of Dell PowerEdge servers. This location ensures the implant will still be able to function and to install further spyware even if the computer is rebooted -- or even if a new operating system is installed. Hardware implants for Dell and HP servers must be installed in a process the NSA calls “interdiction” -- agents intercept a computer as it is being delivered, manipulate the hardware and then send it along the intended delivery route once again.

HP DL380 G5: is a fifth generation storage server (such servers are currently in their eighth generation). It was conceived for use in corporate data centers.
IRONCHEF is a BIOS based implant that is used to communicate with NSA infrastructure using hidden hardware. It is designed for Proliant servers manufactured by Hewlett-Packard.
Dell PowerEdge Server: is a storage server from US manufacturer Dell that is designed for corporate data centers.
DEITYBOUNCE s a Dell PowerEdge server implant through BIOS, making the server accessible to the NSA.

Firewalls

Hardware firewalls are special computers that are placed between the internal network of a company or an Internet provider and the rest of the Internet. They are intended to prevent hacking, denial-of-service attacks and spam, while at the same time allowing access to the company’s employees who log into the company network via a virtual private network (VPN). The NSA’s ANT division has developed hardware and software “implants” for hardware firewalls from all the major manufacturers -- Cisco, Juniper and Huawei -- that transform these products, which are intended as protective digital barriers, into gateways for attacks by the NSA’s hackers. Most of ANT’s firewall implants function by concealing themselves in BIOS, meaning the lowest level of software on the device in question. This ensures the implant will still be able to function and that that spyware can be reinstalled even if the computer is rebooted -- or a new operating system is installed.

Cisco PIX-Serie, Cisco ASA-Serie
Products in the PIX series from US manufacturer Cisco were hardware firewalls, depending on the model, for small and medium-sized companies, but also for large companies and service providers. Production of the product line ended in 2008. The ASA series represents the successor models, and they are designed for businesses of different sizes as well as corporate data centers.
JETPLOW: is a firmware resistant implant for Cisco PIX and ASA Firewalls that installs a permanent back door. These products were designed to cater for the needs of enterprises and data centers of all sizes.
Huawei Eudemon Serie
The Eudemon line of hardware firewalls by Chinese manufacturer Huawei are designed for both small and medium-sized companies (the 200 series) and for service providers and large corporations (1000 series). Huawei technology is used around the world at companies that include European telecommunications conglomerates like O2, Vodafone and Deutsche Telekom.
HALLUXWATER is a back door for Huawei Eudemon firewalls in the form of a software implant hidden in the boot ROM. Huawei is one of the largest producers of networking hardware worldwide. During the second quarter of 2013, Huawei was behind Cisco but ahead of Juniper in terms of revenues generated with routers and switches. Many Western telecommunications firms, including Deutsche Telekom, use Huawei hardware.
Juniper Netscreen / ISG 1000
The larger models among manufacturer Juniper’s Netscreen line of products are conceived of hardware firewalls for corporate networks and service providers. This also applies to firewalls in the ISG series of products. According to the manufacturer, they are suitable for use by Internet service providers and mobile phone service providers.
FEEDTROUGH is a Juniper Netscreen Firewall implant that enables remote access to the company’s N5XT, NS25, NS50, NS200, NS500, ISG1000 models. The larger models of the Netscreen and ISG series are designed for large corporate networks and Internet and mobile phone service providers.
Juniper SSG, Netscreen G5, Netscreen 25 und 50, SSG-Serie
Juniper’s SSG models are hardware firewalls for small and medium-sized companies as well as branch offices of larger corporations.
GOURMETTROUGH: A configurable implant for a number of Juniper Firewalls.
SOUFFLETROUGH is an implant hidden in the BIOS for Juniper SSG300 and SSG500 devices providing a permanent back door (PBD). The Juniper SSG series routers are hardware firewalls designed for small and medium-sized companies and branch offices of larger corporations.

Router

Routers are special computers that play a role in connecting the internal network of a company or an Internet provider, as well as in transmitting and processing Internet traffic. According to the catalog viewed by SPIEGEL, the NSA’s ANT division has, among its offerings, implants for use in professional routers made by at least two manufacturers, Juniper and Huawei. It is unknown whether further ANT products exist for such devices. ANT’s router implants conceal themselves in BIOS, the lowest level of software in each device. This ensures that other spyware can still be installed, even if the computer is rebooted or a new operating system is installed. The router models that appear in the ANT catalog are ones designed for use by small, medium and large businesses, as well as for the data centers of Internet and mobile phone service providers.

Huawei Router
China’s Huawei has established itself as one of the world’s biggest manufacturers of network equipment. According to market research firm Infonetics, Huawei was second place on the global market during the second quarter of 2013 in terms of turnover on routers and switches for mobile communications and Internet providers, just behind Cisco and ahead of Juniper. Many Western telecommunications companies rely on Huawei hardware, including Germany’s Deutsche Telekom.
HEADWATER is a software-based Huawei router implant that provides a permanent back door (PBD) hidden in the boot ROM that is resistant to firmware updates and enables remote control of the device.
Juniper J-Series
Juniper Series J routers are enterprise routers that connect servers and desktop computers with the corporate network and the Internet.
SCHOOLMONTANA is a software implant for Juniper J Series devices providing resistance against software updates. J Series routers are enterprise devices that connect servers and desktop computers with the corporate network and the Internet.
Juniper M-Series
Juniper’s M series routers are built for corporations and service providers. They are also used in data centers of companies that provide other corporations and private customers with Internet connections.
SIERRAMONTANA is a software implant for Juniper M series routers that is resistant against firmware updates and remains in the BIOS. These routers are designed for use by enterprises and service providers.
Juniper T-Series
Die Router der Serie T werden dem Hersteller Juniper zufolge von "führenden Service-Providern eingesetzt, um große Festnetz-, Mobil-, Video- und Cloud-Netzwerke zu betreiben". STUCCOMONTANA is a persistence implant for the Juniper T-Series routers. As a BIOS modification, it can survive software updates. According to Juniper, T-Series routers power “the largest service provider networks in wireline, mobile, video and cloud services.”

Firewalls

Hardware firewalls are special computers that are placed between the internal network of a company or an Internet provider and the rest of the Internet. They are intended to prevent hacking, denial-of-service attacks and spam, while at the same time allowing access to the company’s employees who log into the company network via a virtual private network (VPN). The NSA’s ANT division has developed hardware and software “implants” for hardware firewalls from all the major manufacturers -- Cisco, Juniper and Huawei -- that transform these products, which are intended as protective digital barriers, into gateways for attacks by the NSA’s hackers. Most of ANT’s firewall implants function by concealing themselves in BIOS, meaning the lowest level of software on the device in question. This ensures the implant will still be able to function and that that spyware can be reinstalled even if the computer is rebooted -- or a new operating system is installed.

Cisco PIX-Serie, Cisco ASA-Serie
Products in the PIX series from US manufacturer Cisco were hardware firewalls, depending on the model, for small and medium-sized companies, but also for large companies and service providers. Production of the product line ended in 2008. The ASA series represents the successor models, and they are designed for businesses of different sizes as well as corporate data centers.
JETPLOW: is a firmware resistant implant for Cisco PIX and ASA Firewalls that installs a permanent back door. These products were designed to cater for the needs of enterprises and data centers of all sizes.
Huawei Eudemon Serie
The Eudemon line of hardware firewalls by Chinese manufacturer Huawei are designed for both small and medium-sized companies (the 200 series) and for service providers and large corporations (1000 series). Huawei technology is used around the world at companies that include European telecommunications conglomerates like O2, Vodafone and Deutsche Telekom.
HALLUXWATER is a back door for Huawei Eudemon firewalls in the form of a software implant hidden in the boot ROM. Huawei is one of the largest producers of networking hardware worldwide. During the second quarter of 2013, Huawei was behind Cisco but ahead of Juniper in terms of revenues generated with routers and switches. Many Western telecommunications firms, including Deutsche Telekom, use Huawei hardware.
Juniper Netscreen / ISG 1000
The larger models among manufacturer Juniper’s Netscreen line of products are conceived of hardware firewalls for corporate networks and service providers. This also applies to firewalls in the ISG series of products. According to the manufacturer, they are suitable for use by Internet service providers and mobile phone service providers.
FEEDTROUGH is a Juniper Netscreen Firewall implant that enables remote access to the company’s N5XT, NS25, NS50, NS200, NS500, ISG1000 models. The larger models of the Netscreen and ISG series are designed for large corporate networks and Internet and mobile phone service providers.
Juniper SSG, Netscreen G5, Netscreen 25 und 50, SSG-Serie
Juniper’s SSG models are hardware firewalls for small and medium-sized companies as well as branch offices of larger corporations.
GOURMETTROUGH: A configurable implant for a number of Juniper Firewalls.
SOUFFLETROUGH is an implant hidden in the BIOS for Juniper SSG300 and SSG500 devices providing a permanent back door (PBD). The Juniper SSG series routers are hardware firewalls designed for small and medium-sized companies and branch offices of larger corporations.

Room Surveillance

The NSA’s ANT division has developed an entire range of equipment for seeing and hearing what happens inside rooms without having to actually install radio-signal-emitting bugging devices in them. Most of this equipment involves a combination of hardware implants which emit a very inconspicuous signal, and a radio unit aimed, from outside, at the space being monitored. Reflected radar waves are changed by the signal emitted by the implant hidden in the targeted space, making it possible to capture the location of a specific object in the room (device name: “TAWDRYYARD”), words spoken there (“LOUDATO”) or what is being displayed on a monitor (“NIGHTWATCH” and “RAGEMASTER”). ANT’s name for this family of surveillance equipment, made up of a combination of hardware implants and radar detection, is “ANGRYNEIGHBOR.” Then there is the CTX4000 radar unit, which can reveal the signals emitted by devices such as laser printers, even if they don’t contain an implant. The NSA calls this system “DROPMIRE,” and internal documents show it has been used, for example, to spy on EU representatives’ offices in Washington.

CTX4000 The predecessor to PHOTOANGLO, a transmitter of continuous radar waves for signals analysis of reflections from implants like those in the ANGRYNEIGHBOR family. Among other purposes, it is used for data collection under a method called DROPMIRE, which has been used, for example, against the European Union’s diplomatic offices in Washington, DC.
LOUDAUTO is a passive room audio bug that transmits data from recorded conversations through radar reflections.
NIGHTWATCH is a system to reconstruct monitor signals from target systems.
PHOTOANGLO is an advanced radar system (successor of the CTX4000) detecting reflections from continuous wave signals. It enables signals from passive bugging devices like those in the ANGRYNEIGHBOR family to be received from a considerable distance.
TAWDRYYARD is a hardware module that retro-reflects incoming radar waves and thus makes it possible to locate its whereabouts in a room, even through walls. It is used, among other purposes, to make it easier to locate RAGEMASTER modules that are used to intercept signals from computer monitors.

Wireless LAN

The NSA’s ANT division also develops methods for gaining access to wireless LAN networks from the outside, allowing them to tap into these networks and plant their own software on them. The “NIGHTSTAND” system, for example, can remotely inject data packets for various Windows systems -- malware, for example -- into wireless networks’ data traffic. Then there’s the “SPARROW III” system, designed to map wireless LAN networks from the air. The system is small enough to be mounted on a drone (UAV).

NIGHTSTAND is a mobile system for wireless injection of exploits for Windows systems using the 802.11 standard. According to the data sheet it works over distances of up to 13 kilometers (eight miles).
SPARROW II is a tool for detecting and mapping wireless networks – from a drone, for example.

Computers

The NSA’s ANT division offers a range of ways to gain control over others’ computers. One of these involves installing hardware units on a targeted computer by, for example, intercepting the device when it’s first being delivered to its intended recipient, a process the NSA calls “interdiction.” Other spyware programs can be loaded onto a computer via “remote access.” Some of these programs make the hacked computer secretly divert data via a wireless LAN connection whenever the opportunity arises (program name: “SOMBERKNAVE”). Other NSA spyware programs embed themselves in the computer’s BIOS, the lowest level of software on a device. This location allows them to survive rebooting and even software updates (“SWAP”). Still other programs conceal themselves in the master boot record, the firmware of the affected hard drive (“IRATEMONK”).

Bei GINSU is software that ensures the survival of KONGUR software implants in machines using the BULLDOZER hardware implant that have a PCI bus. With it, these Windows systems can be tapped by the NSA using remote access.
IRATEMONK:An implant hidden in the firmware of hard drives from manufacturers including Western Digital, Seagate, Maxtor and Samsung that replaces the Master Boot Record (MBR).
SWAP is a PC bios implant that allows remote control over various operating systems (Windows, FreeBSD, Linux, Solaris) and file systems (FAT32, NTFS, EXT2, EXT3, UFS 1.0) on a PC.
WISTFULTOLL is a software implant for targets using Windows Management Instrumentation (WMI) to gain access to data. It can also be a plug-in for UNITEDDRAKE and STRAITBIZZARE spy programs.
HOWLERMONKEY is a radio transceiver which is combined with a module for specific purposes and allows the extraction of data from IT components or can make them remote-controllable.
JUNIORMINT is a multi-chip-module (MCM), a miniaturized hardware implant that can be configured for different uses.
MAESTRO-II is a multi-chip-module (MCM) which can be freely configured as an implant the size of a one cent coin.
SOMBERKNAVE is a Windows XP software implant that uses unused wireless interfaces (802.11) to connect to the NSA remote operations center and make the device remote-controllable.
TRINITY is a freely configurable multi-chip-module (MCM) which can be used as an implant in various areas the size of a one cent coin.

Keyboards

For the NSA’s specialists, using software to log keystrokes on a hacked computer is child’s play. The hardware implant “SURLYSPAWN” goes one step further, by transmitting what a computer user types even when the computer isn’t online. An invisible signal emitted by the implant is modified by every keystroke, and then a radar signal emitted by a device located outside the building makes the implant’s invisible signal visible. This allows agents sitting across the street, for example, to know what a subject is typing on a computer that isn’t connected to the Internet.

For the NSA’s specialists, using software to log keystrokes on a hacked computer is child’s play. The hardware implant “SURLYSPAWN” goes one step further, by transmitting what a computer user types even when the computer isn’t online. An invisible signal emitted by the implant is modified by every keystroke, and then a radar signal emitted by a device located outside the building makes the implant’s invisible signal visible. This allows agents sitting across the street, for example, to know what a subject is typing on a computer that isn’t connected to the Internet.

Mobile Phones

The NSA’s ANT division develops implants for mobile phones and SIM cards. One of these is a spyware implant called “DROPOUTJEEP” -- designed for the first generation of iPhones -- which was still in development in 2008, shortly after the iPhone’s launch. This spyware was to make it possible to remotely download or upload files to a mobile phone. It would also, according to the catalog, allow the NSA to divert text messages, browse the user’s address book, intercept voicemails, activate the phone’s microphone and camera at will, determine the current cell site and the user’s current location, “etc.” ANT’s technicians also develop modified mobile phones, for use in special cases that look like normal, standard devices, but transmit various pieces of information to the NSA -- that can be swapped undetected with a target’s own mobile phone or passed to informants and agents. In 2008, ANT had models from Eastcom and Samsung on offer, and it has likely developed additional models since.

DROPOUTJEEP is an implant for Apple’s iPhone iOS that allows remote access and control through SMS or data service. According to the NSA documents, it offers diverse possibilities: It would allow data to be downloaded from or uploaded to the smart phone, it can read SMS messages, browse the user’s address book, listen to voicemails, determine the phone’s location and turn the phone’s microphone and camera on at will, without the user noticing and determine the current cell site. At the beginning of 2008, it was still being developed.
GOPHERSET: An implant for GSM SIM cards that uses hidden functions to pull phone book, SMS and log files of incoming and outgoing calls.
MONKEYCALENDAR is attack software that directs a SIM card to transmit geolocation data via covert SMS texts.
TOTECHASER is an implant hidden in the Flashrom of the Thuraya 2520 satellite phone that passes data from the built-in Windows CE to be transmitted via hidden SMS text messages.
TOTEGHOSTLY is an implant from the NSA’s STRAITBIZARRE family that enables full remote control of Windows Mobile phones. It offers diverse possibilities including the ability to download or upload data to a mobile phone, read SMS texts, read the address book, intercept voice mails, determine geolocation, turn the microphone and camera on or off, determine the cell tower location, etc.
PICASSO is a series of modified GSM handsets that collect user data and can act as location tracking and audio bugging devices. The data is collected through a USB interface or transmitted through covert SMS messages.

Cell Phone Networks

When it comes to monitoring and tracking mobile phones, the NSA’s ANT division has an entire range of products on offer. These include everything from specially equipped mobile phone models that make it possible to physically track another mobile phone, to fully equipped GSM base stations capable of masquerading as a network operator’s official mobile phone antennas, and thus monitor and record conversations or text messages from mobile phones within their range. One only has to think of the alleged tapping of German Chancellor Angela Merkel’s mobile phone for examples of their potential uses. Several of these specialized mobile phone base stations also have the capability to determine the exact location of any mobile phone user within their range. Then there is a device called “CANDYGRAM” -- referred to by the ANT technicians as a “telephone tripwire” -- which sends a text message to a command center as soon as certain mobile phone users enter its range.

CROSSBEAM is an implant that has the same form as the kind of GSM module that can be found in a notebook computer. It allows the interception of communication and covert remote access.
CANDYGRAM is a GSM base station simulator (for 900/1800/1900 MHz) which detects the physical location of a target's mobile phone and verifies the exact location through a silent SMS.
CYCLONE HX9 is a GSM network simulator that enables attacks on GSM 900 mobile phones. Such base stations are used to eavesdrop on mobile phones and to capture data from them. The NSA is suspected of having eavesdropped on German Chancellor Angela Merkel’s mobile phone.
EBSR is an active GSM base transceiver station simulator that enables attacks against GSM mobile phones using the GSM 900/1800/1900 frequency range.
ENTOURAGE is a hardware receiver for the “direction finding” of GSM and 3G mobile phones that can also detect a mobile phone’s GPS coordinates.
Bei GENESIS is a modified normal mobile phone for GSM and 3G that can determine network parameters and spectrum usage as well as locate mobile phones.
NEBULA is a base station router for 2G networks (900 MHz) and 3G networks (2100 MHz)
TYPHON HX: is a GSM base station simulator/router for GSM spectrum used around the world (850, 900, 1800, 1900 MHz). It enables the tapping of mobile phones.
WATERWITCH is a tool for exact geolocation tracking of mobile phones of targets located nearby.

USB

The NSA‘s ANT division has an entire range of USB plug bugging devices on offer. These are disguised either as a keyboard’s USB plug or as a type of USB extension cord that can be connected unnoticed between a mouse, keyboard or another device and the computer itself. These devices can send and receive radio signals either over a short distance (device name: “COTTONMOUTH I”) or over longer distances via a detour through another implant either in the computer or elsewhere in the room (“COTTONMOUTH II” and “COTTONMOUTH III”). These implants make it possible to not only monitor the bugged computer and its network, but also to send commands to the computer and the compromised network.

COTTONMOUTH-1 is a USB implant for the interception of communication, injection of Trojans etc. Using its built-in radio transmitter, it can also connect with other Cottonmouth implants.
COTTONMOUTH-2 is a USB implant which allows remote-control of a target system. It connects to another module hidden in the chassis of the computer that allows radio frequency contact over longer distances.
COTTONMOUTH-3 is a USB hardware implant which allows covert communication through radio waves used in computers which are either offline or for other reasons are not accessible through normal network connections. It connects to another module hidden in the chassis of the computer that allows radio frequency contact over longer distances or it connects with other Cottonmouth devices in the vicinity.
FIREWALK is a hardware implant in the form of an Ethernet or USB connector that allows data extraction and active injection of exploits through radio frequency communication.

Computer Monitor Surveillance

Technicians at the NSA’s ANT division have developed a system that makes it possible to divert data from a computer monitor undetected. A component called RAGEMASTER is installed in the ferrite insulation on the video cable right behind the monitor plug. It emits a signal that is then “illuminated” by a radar unit located remotely from the building being monitored, and thus made visible for NSA workers. A complex system makes it possible to use this reflected, slightly altered radar signal to reconstruct what can be seen on the monitor of the computer under surveillance.

RAGEMASTER is a hardware implant to intercept image signals from VGA monitors. It works on a passive basis, with its signal being carried by reflection over externally broadcast radar waves. It is hidden in the ferrite insulation of the VGA monitor cable, which is located right behind the monitor plug.

Servers
Firewalls
Router
Firewalls
Room Surveillance
Wireless LAN
Computers
Keyboards
Mobile Phones
Cell Phone Networks
USB
Computer Monitor Surveillance
Click on the red dots for more information. Use arrows or click the image and scroll to the left or right to see more.