Photo Gallery How the NSA Infiltrates Computers

One weapon in the NSA’s arsenal is a method that allows for spyware to be planted undetected on almost any computer. "QUANTUMINSERT" is based on secret, super fast NSA servers. Top secret documents show precisely how the system works -- and that it is in no way used exclusively to track suspected terrorists.
1 / 28

R&T stands for Requirements and Tasking. These analysts are responsible for the technical process of infiltrating computers with the help of the NSA's QUANTUM methods. There's a further, almost identical presentation for analysts in another department, the so-called Tasking Office of Primary Interest (TOPI).

Foto: SPIEGEL ONLINE
2 / 28

QUANTUM THEORY enables NSA workers in different roles to infiltrate different types of computers. The R&T analysts are able to install permanent backdoors on computers using malware called the NSA VALIDATOR. Its successor program is known as COMMONDEER. TOPI analysts, on the other hand, are only able to use a program called QUANTUMNATION to distribute malware with the codename SEASONEDMOTH. These "moths" die automatically after 30 days, with the malware deleting itself automatically if it is not given permission for further operation.
3 / 28

QUANTUM is a "man-on-the-side" attack. That means that in addition to reaching the site the targeted person is actually trying to visit, the person's browser is also sent to so-called FOXACID servers. These additional data packets contain malware like VALIDATOR or SEASONEDMOTH. SSO stands for Special Source Operations -- the NSA division that is responsible for tapping undersea cables.
4 / 28

How the QUANTUMTHEORY system works: Slides from a top secret presentation for NSA technicians and analysts, created by NSA service provider Booz Allen. According to this explanation, the main players here are the computer of the “target,” the Internet company Yahoo, an “Internet router” and a branch of the NSA division Special Source Operations (SSO). This division is responsible, among other things, for tapping international Internet connection cables, either in cooperation with major telecommunications companies or in covert operations.
5 / 28

Step 1: The target person attempts to log into his or her Yahoo account.
6 / 28

Step 2: A server that the SSO division has previously placed at a central location within the Internet’s infrastructure discovers a data packet with a “selector” -- a data point that indicates a person “tasked” on the NSA’s list of desired targets. In this case, the “selector” is the target’s Yahoo login. The notification that the target is currently attempting to log into his or her Yahoo account is forwarded to a server maintained by the NSA division Tailored Access Operations (TAO). This server goes by the code name FOXACID.
7 / 28

Steps 3 and 4: The FOXACID server sends a data packet, disguised as a Yahoo data packet, to the target’s computer. It contains a link to a web address (URL) that TAO has loaded with malware. At the same time, the data packet from the target’s computer reaches the Yahoo server it was actually attempting to access.
8 / 28

Step 5: The fake data packet from the FOXACID server arrives at the target’s computer before the genuine Yahoo data packet. The Yahoo data packet, arriving too late, is turned away. This works only because the servers and connections used are extremely fast. The FOXACID system doesn’t always win the race, and sometimes multiple attempts are necessary.
9 / 28

Step 6: The target sees the desired Yahoo page on the computer screen, while unbeknownst to the user, the browser has actually been rerouted to a FOXACID URL.
10 / 28

Step 7: The FOXACID server checks once again that the browser being used does in fact contain the desired security holes for infecting the target’s computer with malware. The appropriate malware is then deployed.
11 / 28

Step 8: The malware reaches its target. The target individual’s computer is now equipped with an NSA back door, which allows the first manipulation of the computer to take place and enables the further installation of specialized spyware.
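The race described in steps 3 to 5 leaves a trace that a passive network sensor can look for: the client receives two server-to-client TCP segments for the same flow and the same sequence number, but with different contents, and the one that loses the race is silently dropped by the client's TCP stack as a duplicate. The following detector is an added example written for this gallery; it is not NSA material and not code from any vendor or research project. It runs over a constructed, in-memory capture (documentation IP addresses, an invented login request) and flags exactly that pattern, ignoring ordinary retransmissions, which repeat identical bytes. The TTL comparison is a supporting heuristic based on the assumption that an injector at a different network distance than the real server leaves a different hop count.

```python
"""Passive detection of a man-on-the-side TCP race (QUANTUM-style injection).

Added example: models the observable side effect of steps 3-5 of the gallery.
Two server->client segments carry the same sequence number but different
payloads; a real server never does that, a retransmission repeats the same bytes.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    ts: float        # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    seq: int         # TCP sequence number of the first payload byte
    ttl: int         # IP TTL as observed by the sensor
    payload: bytes


FlowKey = Tuple[str, int, str, int, int]


def flow_key(seg: Segment) -> FlowKey:
    """Identity of a segment for duplicate detection: 4-tuple plus seq number."""
    return (seg.src, seg.sport, seg.dst, seg.dport, seg.seq)


def detect_injection(segments: List[Segment], min_ttl_delta: int = 4) -> List[dict]:
    """Return one alert per (flow, seq) seen twice with differing payload.

    The first copy seen is the race winner (what the client's TCP stack
    accepted); the later copy is what the client discarded as a duplicate.
    A TTL difference of at least `min_ttl_delta` hops is marked as
    supporting evidence (assumption: injector and real server sit at
    different distances from the sensor).
    """
    first_seen: Dict[FlowKey, Segment] = {}
    alerts: List[dict] = []
    for seg in sorted(segments, key=lambda s: s.ts):
        key = flow_key(seg)
        earlier = first_seen.get(key)
        if earlier is None:
            first_seen[key] = seg
            continue
        if earlier.payload == seg.payload:
            continue  # ordinary retransmission: same bytes, nothing to flag
        ttl_delta = abs(earlier.ttl - seg.ttl)
        alerts.append({
            "flow": f"{seg.src}:{seg.sport} -> {seg.dst}:{seg.dport}",
            "seq": seg.seq,
            "race_gap_ms": round((seg.ts - earlier.ts) * 1000, 3),
            "winner_payload": earlier.payload[:40],
            "loser_payload": seg.payload[:40],
            "ttl_delta": ttl_delta,
            "ttl_suspicious": ttl_delta >= min_ttl_delta,
        })
    return alerts


# Constructed sample capture (RFC 5737 documentation addresses, invented host).
SERVER, CLIENT = "203.0.113.10", "198.51.100.7"
SAMPLE_CAPTURE = [
    # client's request (step 1 of the gallery)
    Segment(1.000, CLIENT, 51234, SERVER, 80, 1000, 64,
            b"GET /login HTTP/1.1\r\nHost: mail.example\r\n\r\n"),
    # injected reply, wins the race: a redirect (step 3/5), TTL 52
    Segment(1.012, SERVER, 80, CLIENT, 51234, 5000, 52,
            b"HTTP/1.1 302 Found\r\nLocation: http://redirect.invalid/\r\n\r\n"),
    # genuine reply, loses the race: same seq, different bytes, TTL 58
    Segment(1.031, SERVER, 80, CLIENT, 51234, 5000, 58,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    # benign retransmission of a later segment: identical bytes, must not alert
    Segment(1.200, SERVER, 80, CLIENT, 51234, 5060, 58, b"<body>login</body></html>"),
    Segment(1.450, SERVER, 80, CLIENT, 51234, 5060, 58, b"<body>login</body></html>"),
]


if __name__ == "__main__":
    for alert in detect_injection(SAMPLE_CAPTURE):
        print(alert)
```

On the sample capture the detector raises a single alert for sequence number 5000 with a 19 ms race gap and a TTL difference of 6 hops, and stays silent on the retransmitted segment at 5060. In a real deployment the same logic would be fed from a packet capture at a vantage point that sees both copies; a client-side sensor only ever sees the winner, which is why the duplicate has to be caught on the wire.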
12 / 28

The NSA’s Quantum capabilities: The NSA can employ all these “selectors” to infect a target’s computer with spyware. According to this presentation, the method is particularly effective when used with Yahoo, Facebook and static IP addresses. But YouTube, Twitter and the business networking site LinkedIn are also among the services the American intelligence agency is able to misappropriate in this way. LinkedIn, for example, was used to infiltrate the computers of IT personnel at partially state-owned Belgian telecommunications company Belgacom. This operation, dubbed “Operation Socialist,” was conducted by the British intelligence agency GCHQ, with support from the NSA.
13 / 28

GCHQ’s QUANTUMTHEORY capabilities: According to this presentation, government hackers at the British intelligence agency have services to offer beyond those of their colleagues at the NSA, including, for instance, the ability to hack into Google’s email service Gmail and Russian search engine operator Yandex, as well as AOL.
14 / 28

QFD stands for Query Filled Dataset. This slide explains to analysts how a "selector," meaning a piece of information about a target person available online, can be used to further prepare for spying. Here, the analyst searches in a database called Marina that contains large quantities of data saved by the NSA from the Internet. This dataset already includes a telephone number, a Facebook cookie, the IMSI, or identification number of a mobile phone SIM card, information about a Yahoo account and the name of the target person.
15 / 28

This search in the Marina database shows data from Yahoo and Skype.
16 / 28

The Marina database includes selectors from diverse sources. Here, for example, data from Yahoo, Skype and Gmail is included. The QUANTUM method apparently works best against Yahoo and Facebook, the slide states. If an NSA analyst wants to use a Gmail account to plant their spyware on a target person's computer, they have to seek help from their colleagues at Britain's GCHQ.
17 / 28

Marina search results: Browser version, Yahoo cookies, etc., from a "known selector," helped the analyst to track down two "new selectors" -- the target person's Gmail account and Yahoo cookie.
18 / 28

Having found these new selectors, the analyst can now use them to help find further accounts that may be linked, for example, to the Gmail address.
19 / 28

Marina enables analysts to search by selectors, such as Yahoo, Google or Skype accounts, as well as by date -- allowing searches that go back months or even years into the past.
20 / 28

In this way, it is also possible to identify additional selectors. Here, a Facebook dataset has been located that is associated with the target person.
21 / 28

As a next step, the analysts are instructed to review which of the selectors that have been located are best suited for using the QUANTUM method to place spyware on the target's computer. The slide also says the analyst should review whether the user has recently used a specified service (in this case Facebook).
22 / 28

Because the NSA is not able to exploit some selectors which GCHQ can, such as Gmail, the NSA analysts appear to be accustomed to asking their British colleagues for help. To facilitate this, a "Partnering Agreement" exists with the UK. A related form has to be filled out by the NSA analyst that includes the site of the data collection (Sigad) as well as the IP address(es) that the target person uses.
23 / 28

This slide explains how the analyst can see if his or her target for a QUANTUM operation has actually been accepted by the automated system. The system now automatically attempts to infect the computer of the target person as soon as the opportunity arises. The system even shows analysts precisely when an attempt took place and whether it was successful.
24 / 28

A summary of the QUANTUMNATION program: QUANTUMNATION ensures that "lightweight" malware is used to install a first back door on the device that has been targeted -- on the basis of a person's Facebook account, for example. This slide also reveals that VALIDATOR malware exists for iOS devices, like Apple's iPhones and iPads.
25 / 28

This slide explains the bureaucratic process an analyst must navigate in order to hack the computer or mobile phone of a target person.
26 / 28

This slide shows a sample form that an analyst must fill out with the necessary data in order to set a QUANTUM attack in motion.
27 / 28

If the form has been filled out correctly, the analyst will be kept informed of the status of the request. The last sentence warns the spies to "de-task" a QUANTUM request once the computer of the target person has been successfully infected.
28 / 28

Still have any questions?