Photo Gallery: How the NSA Infiltrates Computers

R&T stands for Requirements and Tasking. These analysts are responsible for the technical process of infiltrating computers with the help of the NSA's QUANTUM methods. There's a further, almost identical presentation for analysts in another department, the so-called Tasking Office of Primary Interest (TOPI).

QUANTUM THEORY enables NSA workers in different roles to infiltrate different types of computers. The R&T analysts are able to install permanent backdoors on computers using malware called the NSA VALIDATOR. Its successor program is known as COMMONDEER. TOPI analysts, on the other hand, are only able to use a program called QUANTUMNATION to distribute malware with the codename SEASONEDMOTH. These "moths" die automatically after 30 days, with the malware deleting itself automatically if it is not given permission for further operation.

QUANTUM is a "man-on-the-side" attack. That means that in addition to being taken to the actual site a targeted person is trying to reach, the person is also taken to so-called FOXACID servers. These additional data packets contain malware like VALIDATOR or SEASONEDMOTH. SSO stands for Special Source Operations -- the NSA division that is responsible for tapping undersea cables.

How the QUANTUMTHEORY system works: Slides from a top secret presentation for NSA technicians and analysts, created by NSA service provider Booz Allen. According to this explanation, the main players here are the computer of the target, the Internet company Yahoo, an Internet router and a branch of the NSA division Special Source Operations (SSO). This division is responsible, among other things, for tapping international Internet connection cables, either in cooperation with major telecommunications companies or in covert operations.

Step 1: The target person attempts to log into his or her Yahoo account.

Step 2: A server that the SSO division has previously placed at a central location within the Internet's infrastructure discovers a data packet with a selector -- a data point that indicates a person tasked on the NSA's list of desired targets. In this case, the selector is the target's Yahoo login. The notification that the target is currently attempting to log into his or her Yahoo account is forwarded to a server maintained by the NSA division Tailored Access Operations (TAO). This server goes by the code name FOXACID.

Steps 3 and 4: The FOXACID server sends a data packet, disguised as a Yahoo data packet, to the target's computer. It contains a link to a web address (URL) that TAO has loaded with malware. At the same time, the data packet from the target's computer reaches the Yahoo server it was actually attempting to access.

Step 5: The fake data packet from the FOXACID server arrives at the target's computer before the genuine Yahoo data packet. The Yahoo data packet, arriving too late, is turned away. This works only because the servers and connections used are extremely fast. The FOXACID system doesn't always win the race, and sometimes multiple attempts are necessary.

Step 6: The target sees the desired Yahoo page on the computer screen, while unbeknownst to the user, the browser has actually been rerouted to a FOXACID URL.

Step 7: The FOXACID server checks once again that the browser being used does in fact contain the desired security holes for infecting the target's computer with malware. The appropriate malware is then deployed.

Step 8: The malware reaches its target. The target individual's computer is now equipped with an NSA back door, which allows the first manipulation of the computer to take place and enables the further installation of specialized spyware.
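The race in steps 3 to 5 has a defender-visible side effect: a man-on-the-side injector can add a packet to the flow but cannot remove the genuine reply, so the real server's segment still arrives, carrying the same TCP sequence number but different bytes. The passive detector below, an added example that is not part of the gallery or the slides, flags such conflicting duplicates in a constructed capture (hostnames, addresses and payloads are made up; the field names are assumptions for the sake of the example):

```python
# Added example, not from the Spiegel gallery or the NSA slides: a passive
# sensor check for the man-on-the-side race described in steps 3-5.
# All packets below are constructed; real sensors would read them from pcap.

def flow_key(pkt):
    """Identify the server-to-client half of a TCP connection."""
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])


def find_conflicting_segments(packets):
    """Return one alert per (flow, seq) where a later segment carries
    content that disagrees with what was already seen at that sequence
    number. Plain retransmissions (identical bytes) are not reported."""
    seen = {}      # (flow, seq) -> list of (payload, ttl) already observed
    alerts = []
    for pkt in packets:
        key = (flow_key(pkt), pkt["seq"])
        prior = seen.setdefault(key, [])
        if any(payload == pkt["payload"] for payload, _ in prior):
            continue  # retransmission of bytes we have already seen
        if prior:
            first_payload, first_ttl = prior[0]
            alerts.append({
                "flow": key[0],
                "seq": pkt["seq"],
                "first_payload": first_payload,   # the segment that won the race
                "late_payload": pkt["payload"],   # the segment the client discarded
                # Different IP TTLs mean different hop counts, i.e. the two
                # segments most likely did not come from the same host.
                "ttl_mismatch": first_ttl != pkt["ttl"],
            })
        prior.append((pkt["payload"], pkt["ttl"]))
    return alerts


# Constructed capture: a client has requested a login page from a web server.
SERVER = {"src": "203.0.113.10", "sport": 80, "dst": "192.0.2.5", "dport": 52100}
SAMPLE_CAPTURE = [
    # Injected reply wins the race: same 4-tuple and seq, but a redirect.
    dict(SERVER, seq=1000, ttl=61,
         payload=b"HTTP/1.1 302 Found\r\nLocation: http://redirect.invalid/\r\n\r\n"),
    # Genuine reply arrives a little later and is dropped by the client.
    dict(SERVER, seq=1000, ttl=49,
         payload=b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>login</html>"),
    # Benign retransmission of the genuine reply: identical bytes, no alert.
    dict(SERVER, seq=1000, ttl=49,
         payload=b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>login</html>"),
]
```

Running `find_conflicting_segments(SAMPLE_CAPTURE)` yields a single alert for sequence 1000 with `ttl_mismatch` set; the same flow without the injected segment yields none.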

The NSA's Quantum capabilities: The NSA can employ all these selectors to infect a target's computer with spyware. According to this presentation, the method is particularly effective when used with Yahoo, Facebook and static IP addresses. But YouTube, Twitter and the business networking site LinkedIn are also among the services the American intelligence agency is able to misappropriate in this way. LinkedIn, for example, was used to infiltrate the computers of IT personnel at partially state-owned Belgian telecommunications company Belgacom. This operation, dubbed Operation Socialist, was conducted by the British intelligence agency GCHQ, with support from the NSA.

GCHQ's QUANTUMTHEORY capabilities: According to this presentation, government hackers at the British intelligence agency have services to offer beyond those of their colleagues at the NSA, including, for instance, the ability to hack into Google's email service Gmail and Russian search engine operator Yandex, as well as AOL.

QFD stands for Query Filled Dataset. This slide explains to analysts how a "selector," meaning a piece of information about a target person available online, can be used to further prepare for spying. Here, the analyst searches in a database called Marina that contains large quantities of data saved by the NSA from the Internet. This dataset already includes a telephone number, a Facebook cookie, the IMSI, or identification number of a mobile phone SIM card, information about a Yahoo account and the name of the target person.

This search in the Marina database shows data from Yahoo and Skype.

The Marina database includes selectors from diverse sources. Here, for example, data from Yahoo, Skype and Gmail is included. The QUANTUM method apparently works best against Yahoo and Facebook, the slide states. If an NSA analyst wants to use a Gmail account to plant their spyware on a target person's computer, they have to seek help from their colleagues at Britain's GCHQ.

Marina search results: Browser version, Yahoo cookies, etc., from a "known selector," helped the analyst to track down two "new selectors" -- the target person's Gmail account and Yahoo cookie.

Having found these new selectors, the analyst can now use them to help find further accounts that may be linked, for example, to the Gmail address.

Marina enables analysts to search by selectors, such as Yahoo, Google or Skype accounts, as well as by date -- allowing searches that go back months or even years into the past.

In this way, it is also possible to identify additional selectors. Here, a Facebook dataset has been located that is associated with the target person.

As a next step, the analysts are instructed to review which of the selectors that have been located are best suited for using the QUANTUM method to place spyware on the target's computer. It also says the analyst should review whether the user has recently used a specified service (in this case Facebook).

Because the NSA is not able to exploit some selectors which GCHQ can, such as Gmail, the NSA analysts appear to be accustomed to asking their British colleagues for help. To facilitate this, a "Partnering Agreement" exists with the UK. A related form has to be filled out by the NSA analyst that includes the site of the data collection (Sigad) as well as the IP address(es) that the target person uses.

This slide explains how the analyst can see if his or her target for a QUANTUM operation has actually been accepted by the automated system. The system now automatically attempts to infect the computer of the target person as soon as the opportunity arises. The system even shows analysts precisely when an attempt took place and whether it was successful.

A summary of the QUANTUMNATION program: QUANTUMNATION ensures that "lightweight" malware is used to install a first back door on the device that has been targeted -- on the basis of a person's Facebook account, for example. This slide also reveals that VALIDATOR malware exists for iOS devices, like Apple's iPhones and iPads.

This slide explains the bureaucratic process an analyst must navigate in order to hack the computer or mobile phone of a target person.

This slide shows a sample form that an analyst must fill out with the necessary data in order to set a QUANTUM attack in motion.

If the form has been filled out correctly, the analyst will be kept informed of the status of the request. The last sentence warns the spies to "de-task" a QUANTUM request once the computer of the target person has been successfully infected.
