Photo Gallery: How the Intelligence Service Cracks Internet Hubs

The starting slide of a presentation about the Texas Cryptologic Center, where many of the agents with the NSA's Tailored Access Operations (TAO) unit are based. At the bottom left is a modified version of Intel's logo, reading "tao inside" instead of "Intel Inside." The pink bars conceal the names of NSA personnel.

The first slide of an NSA presentation from the Snowden archive, concerning the FOXACID system. It depicts a fox being dissolved in acid and then packed into a can labeled "spam," in an image presumably created by a joker within the NSA. The can's label reads, "made with FOX, packed in ACID." The Nutrition Facts include a % Daily Value of sadism (50%) and total crap (100%). Spam emails were the original method that the NSA's TAO division used in its attempts to infect the computers of targeted individuals with malware. The agency now has a more effective method at its disposal, called QUANTUM.

How the QUANTUMTHEORY system works: Slides from a top secret presentation for NSA technicians and analysts, created by NSA service provider Booz Allen. According to this explanation, the main players here are the computer of the target, the Internet company Yahoo, an Internet router and a branch of the NSA division Special Source Operations (SSO). This division is responsible, among other things, for tapping international Internet connection cables, either in cooperation with major telecommunications companies or in covert operations.

Step 1: The target attempts to log into his or her Yahoo account.

Step 2: A server that the SSO division has previously placed at a central location within the Internet's infrastructure discovers a data packet with a selector -- a data point that indicates a person tasked on the NSA's list of desired targets. In this case, the selector is the target's Yahoo login. The notification that the target is currently attempting to log into his or her Yahoo account is forwarded to a server maintained by the NSA division Tailored Access Operations (TAO). This server goes by the code name FOXACID. Read more about the TAO division in the attached article.

Steps 3 and 4: The FOXACID server sends a data packet, disguised as a Yahoo data packet, to the target's computer. It contains a link to a web address (URL) that TAO has loaded with malware. At the same time, the data packet from the target's computer reaches the Yahoo server it was actually attempting to access.

Step 5: The fake data packet from the FOXACID server arrives at the target's computer before the genuine Yahoo data packet. The Yahoo data packet, arriving too late, is turned away. This works only because the servers and connections used are extremely fast. The FOXACID system doesn't always win the race, and sometimes multiple attempts are necessary.

Step 6: The target sees the desired Yahoo page on the computer screen, while unbeknownst to the user, the browser has actually been rerouted to a FOXACID URL.

Step 7: The FOXACID server checks once again that the browser being used does in fact contain the desired security holes for infecting the target's computer with malware. The appropriate malware is then deployed.

Step 8: The malware reaches its target. The target individual's computer is now equipped with an NSA back door, which allows the first manipulation of the computer to take place and enables the further installation of specialized spyware.
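The race described in Steps 3 to 5 leaves a network-visible trace: the forged response and the genuine server response occupy the same TCP connection and sequence number but carry different payloads, whereas an ordinary retransmission repeats the same bytes. The following added example (not from the article or from any document it describes) flags such conflicts over a constructed capture; the addresses and payloads are invented.

```python
"""Flag server-to-client TCP segments that reuse a sequence number with a
different payload, the signature of a packet-injection race.
Added example with a constructed capture, not from the original article."""
from collections import defaultdict

# Constructed capture, in arrival order at the client side:
# (server_ip, server_port, client_ip, client_port, seq, payload)
CAPTURE = [
    # forged response wins the race: a redirect to a placeholder URL
    ("203.0.113.10", 80, "198.51.100.7", 51234, 1000,
     b"HTTP/1.1 302 Found\r\nLocation: http://injected.example/\r\n\r\n"),
    # genuine response to the same request arrives late, same seq, different bytes
    ("203.0.113.10", 80, "198.51.100.7", 51234, 1000,
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"),
    ("203.0.113.10", 80, "198.51.100.7", 51234, 1064, b"...remaining html..."),
    # benign retransmission on another connection: identical bytes, not flagged
    ("203.0.113.20", 80, "198.51.100.7", 51300, 5000, b"HTTP/1.1 200 OK\r\n\r\n"),
    ("203.0.113.20", 80, "198.51.100.7", 51300, 5000, b"HTTP/1.1 200 OK\r\n\r\n"),
]


def find_duplicate_seq_conflicts(capture):
    """Return one alert per (flow, seq) where a later segment disagrees with
    the payload first seen for that sequence number."""
    first_seen = defaultdict(dict)  # flow -> {seq: payload of first segment}
    alerts = []
    for srv_ip, srv_port, cli_ip, cli_port, seq, payload in capture:
        flow = (srv_ip, srv_port, cli_ip, cli_port)
        earlier = first_seen[flow].get(seq)
        if earlier is None:
            first_seen[flow][seq] = payload
        elif earlier != payload:
            # Same seq, different bytes: injection, or a middlebox rewriting
            # traffic. Either way it merits investigation, not silent acceptance.
            alerts.append({"flow": flow, "seq": seq,
                           "first": earlier[:40], "later": payload[:40]})
    return alerts


if __name__ == "__main__":
    for alert in find_duplicate_seq_conflicts(CAPTURE):
        print(f"conflict on {alert['flow']} seq={alert['seq']}: "
              f"{alert['first']!r} vs {alert['later']!r}")
```

Only the client-side capture sees both segments; a sensor near the server sees the genuine response alone, which is why this check belongs on the monitored network's edge or endpoint.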

The NSA's Quantum capabilities: The NSA can employ all these selectors to infect a target's computer with spyware. According to this presentation, the method is particularly effective when used with Yahoo, Facebook and static IP addresses. But YouTube, Twitter and the business networking site LinkedIn are also among the services the American intelligence agency is able to misappropriate in this way. LinkedIn, for example, was used to infiltrate the computers of IT personnel at the partially state-owned Belgian telecommunications company Belgacom. This operation, dubbed Operation Socialist, was conducted by the British intelligence agency GCHQ, with support from the NSA.

GCHQ's QUANTUMTHEORY capabilities: According to this presentation, government hackers at the British intelligence agency have services to offer beyond those of their colleagues at the NSA, including, for instance, the ability to hack into Google's email service Gmail and Russian search engine operator Yandex, as well as AOL.

NSA malware VALIDATOR: This 2004 document describes a version, commonly used at the time, of the standard back door access that the NSA installs on targeted individuals' computers using the method described. VALIDATOR, the document states, "provides unique backdoor access to personal computers of targets of national interest, including but not limited to terrorist targets." VALIDATOR is only the NSA's first step in taking control of a computer. The software then installs other spyware programs with various capabilities and names such as OLYMPUS and UNITEDRAKE. Once it has carried out its task, the VALIDATOR implant can even erase itself. According to an internal presentation, VALIDATOR will be followed by software with the code name COMMONDEER.

NSA spyware OLYMPUSFIRE: OLYMPUSFIRE is one of several malware programs that VALIDATOR can install on targets' computers. According to this document, its "commands include directory listings, retrieving files, performing netmaps, etc." OLYMPUSFIRE then forwards this information to a Listening Post (LP), a computer hidden somewhere on the Internet. OLYMPUSFIRE is just one of the NSA's various spyware programs. And once a back door to a target's computer is in place, the NSA has full access. The agency can now modify data, capture and forward constant screenshots of the targeted computer's screen, activate the webcam and microphone and intercept all the user's communications and all passwords entered.