Photo Gallery: How the Intelligence Service Cracks Internet Hubs

The NSA’s arsenal includes a method that makes it possible to outfit nearly any computer with spyware, undetected. “QUANTUMINSERT” makes use of secret, superfast NSA servers. Strictly confidential documents show the exact workings of this system, which is by no means applied only to suspected terrorists.
1 / 14

The starting slide of a presentation about the Texas Cryptologic Center where many of the agents with the NSA's Tailored Access Operations (TAO) unit are based. At the bottom left is a modified version of Intel’s logo, reading “tao inside” instead of “Intel Inside.” The pink bars conceal the names of NSA personnel.

Foto: SPIEGEL ONLINE
2 / 14

The first slide of an NSA presentation from the Snowden archive, concerning the FOXACID system. It depicts a fox being dissolved in acid and then packed into a can labeled “spam,” in an image presumably created by a joker within the NSA. The can’s label reads, “made with FOX, packed in ACID.” The “Nutrition Facts” include a “% Daily Value” of “sadism (50%)” and “total crap (100%).” Spam emails were the original method that the NSA's TAO division used in its attempts to infect the computers of targeted individuals with malware. The agency now has a more effective method at its disposal, called QUANTUM.

3 / 14

How the QUANTUMTHEORY system works: Slides from a top secret presentation for NSA technicians and analysts, created by NSA service provider Booz Allen. According to this explanation, the main players here are the computer of the “target,” the Internet company Yahoo, an “Internet router” and a branch of the NSA division Special Source Operations (SSO). This division is responsible, among other things, for tapping international Internet connection cables, either in cooperation with major telecommunications companies or in covert operations.

4 / 14

Step 1: The target attempts to log into his or her Yahoo account.

5 / 14

Step 2: A server that the SSO division has previously placed at a central location within the Internet’s infrastructure discovers a data packet with a “selector” -- a data point that indicates a person “tasked” on the NSA’s list of desired targets. In this case, the “selector” is the target’s Yahoo login. The notification that the target is currently attempting to log into his or her Yahoo account is forwarded to a server maintained by the NSA division Tailored Access Operations (TAO). This server goes by the code name FOXACID. Read more about the TAO division in the attached article.

6 / 14

Steps 3 and 4: The FOXACID server sends a data packet, disguised as a Yahoo data packet, to the target’s computer. It contains a link to a web address (URL) that TAO has loaded with malware. At the same time, the data packet from the target’s computer reaches the Yahoo server it was actually attempting to access.

7 / 14

Step 5: The fake data packet from the FOXACID server arrives at the target’s computer before the genuine Yahoo data packet. The Yahoo data packet, arriving too late, is turned away. This works only because the servers and connections used are extremely fast. The FOXACID system doesn’t always win the race, and sometimes multiple attempts are necessary.

8 / 14

Step 6: The target sees the desired Yahoo page on the computer screen, while unbeknownst to the user, the browser has actually been rerouted to a FOXACID URL.

9 / 14

Step 7: The FOXACID server checks once again that the browser being used does in fact contain the desired security holes for infecting the target’s computer with malware. The appropriate malware is then deployed.

10 / 14

Step 8: The malware reaches its target. The target individual’s computer is now equipped with an NSA back door, which allows the first manipulation of the computer to take place and enables the further installation of specialized spyware.

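
The race described in Steps 2 through 8 leaves a trace a network defender can look for: because the injected response must beat the genuine one, a sensor on the client side sees two server segments carrying the same TCP sequence number with different payloads, typically with different IP TTLs as well. The following detector is an added example, not code from the SPIEGEL gallery or from any cited document; the packet records, addresses and HTTP bytes are constructed for illustration.

```python
"""Detect a QUANTUMINSERT-style packet race in a captured TCP stream.

Added example, not from the SPIEGEL gallery or any cited document. It applies
the defender's corollary of Step 5: an injected response has to beat the real
one, so the sensor sees the same TCP sequence number twice with different
bytes, usually at different IP TTLs. All records below are constructed.
"""
from collections import defaultdict
from typing import NamedTuple

class Segment(NamedTuple):
    ts: float        # capture timestamp in seconds
    src: str         # server-side "ip:port"
    dst: str         # client-side "ip:port"
    seq: int         # TCP sequence number
    ttl: int         # IP TTL observed at the sensor
    payload: bytes   # TCP payload bytes

def find_injection_races(segments, window=2.0):
    """Alert once per (flow, seq) seen with conflicting payloads within window."""
    seen = defaultdict(list)   # (src, dst, seq) -> [(ts, ttl, payload)]
    alerted, alerts = set(), []
    for s in sorted(segments, key=lambda x: x.ts):
        key = (s.src, s.dst, s.seq)
        if key not in alerted:
            for ts0, ttl0, body0 in seen[key]:
                # A genuine retransmission repeats the same bytes; a race
                # repeats the sequence number with different bytes.
                if body0 != s.payload and s.ts - ts0 <= window:
                    alerts.append({"flow": f"{s.src}->{s.dst}", "seq": s.seq,
                                   "first_ttl": ttl0, "second_ttl": s.ttl,
                                   "ttl_mismatch": ttl0 != s.ttl,
                                   "gap_s": round(s.ts - ts0, 3)})
                    alerted.add(key)
                    break
        seen[key].append((s.ts, s.ttl, s.payload))
    return alerts

# Constructed sample: a clean response on one connection, then a raced one
# where a redirect lands first (TTL 44), the genuine page follows (TTL 52),
# and a harmless retransmission of the genuine page arrives last.
SRV, CLI_A, CLI_B = "198.51.100.10:80", "192.0.2.5:51000", "192.0.2.5:51001"
SAMPLE = [
    Segment(0.000, SRV, CLI_A, 1000, 52, b"HTTP/1.1 200 OK\r\n"),
    Segment(0.120, SRV, CLI_A, 1017, 52, b"<html>...</html>"),
    Segment(1.000, SRV, CLI_B, 5000, 44, b"HTTP/1.1 302 Found\r\nLocation: http://example.invalid/\r\n"),
    Segment(1.045, SRV, CLI_B, 5000, 52, b"HTTP/1.1 200 OK\r\n"),
    Segment(1.050, SRV, CLI_B, 5000, 52, b"HTTP/1.1 200 OK\r\n"),
]
```

Running `find_injection_races(SAMPLE)` flags only the second connection, reporting the TTL mismatch and the 45 ms gap between the two conflicting segments; the retransmission is ignored because its bytes match.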
11 / 14

The NSA’s Quantum capabilities: The NSA can employ all these “selectors” to infect a target’s computer with spyware. According to this presentation, the method is particularly effective when used with Yahoo, Facebook and static IP addresses. But YouTube, Twitter and the business networking site LinkedIn are also among the services the American intelligence agency is able to misappropriate in this way. LinkedIn, for example, was used to infiltrate the computers of IT personnel at partially state-owned Belgian telecommunications company Belgacom. This operation, dubbed “Operation Socialist,” was conducted by the British intelligence agency GCHQ, with support from the NSA.

12 / 14

GCHQ’s QUANTUMTHEORY capabilities: According to this presentation, government hackers at the British intelligence agency have services to offer beyond those of their colleagues at the NSA, including, for instance, the ability to hack into Google’s email service Gmail and Russian search engine operator Yandex, as well as AOL.

13 / 14

NSA malware VALIDATOR: This 2004 document describes a version, commonly used at the time, of the standard back door access that the NSA installs on targeted individuals’ computers using the method described. “VALIDATOR,” the document states, “provides unique backdoor access to personal computers of targets of national interest, including but not limited to terrorist targets.” VALIDATOR is only the NSA’s first step in taking control of a computer. The software then installs other spyware programs with various capabilities and names such as OLYMPUS and UNITEDRAKE. Once it has carried out its task, the VALIDATOR implant can even erase itself. According to an internal presentation, VALIDATOR will be followed by software with the code name COMMONDEER.

14 / 14

NSA spyware OLYMPUSFIRE: OLYMPUSFIRE is one of several malware programs that VALIDATOR can install on targets’ computers. According to this document, its “commands include directory listings, retrieving files, performing netmaps, etc.” OLYMPUSFIRE then forwards this information to a “Listening Post” (LP), a computer hidden somewhere on the Internet. OLYMPUSFIRE is just one of the NSA’s various spyware programs. And once a back door to a target’s computer is in place, the NSA has full access. The agency can now modify data, capture and forward constant screenshots of the targeted computer’s screen, activate the webcam and microphone and intercept all the user’s communications and all passwords entered.
