NSA tactics no better than a CYBERCRIME GANG, says infosec'er

Detailed analysis reveals they're on par with banking scammers


The NSA operates like a state-sponsored cybercrime gang using much the same tools and techniques as miscreants slinging banking trojans, one cynic has suggested.

Anyone following the Snowden revelations knows by now that the NSA uses exploits and malware to spy on the online activities of targets, but ponytailed infosec expert Bruce Schneier has put together the clearest explanation to date on its methodology for running such attacks.

Encryption guru Schneier has pored over recent Snowden leaks to work out the methodology for deploying Foxacid, the NSA's Exploit Kit.

According to Schneier, the NSA normally carry out reconnaissance prior to tricking their targets into visiting Foxacid exploit servers. Usually the NSA resorts to “man-in-the-middle” hack attempts through an NSA-run set of servers codenamed “Quantum” that sit on the Internet's “backbone”. These redirect targets away from their intended destinations. In other cases, forms of phishing might be deployed.

Targets might be TOR-using terrorism suspects, foreign dignitaries or others targeted by the NSA's cyber-warriors. These tactics exist at the opposite end of the spectrum from dragnet-style programs such as PRISM.

Information on the relative importance and technical sophistication of someone targeted by Foxacid is used to decide the ferocity of a cyber-attack, Schneier explains.

"If the target is a high-value one, Foxacid might run a rare zero-day exploit that it developed or purchased," Schneier explains in a blog post, based on an essay that first appeared in The Atlantic.

"If the target is technically sophisticated, Foxacid might decide that there's too much chance for discovery, and keeping the zero-day exploit a secret is more important. If the target is a low-value one, Foxacid might run an exploit that's less valuable. If the target is low-value and technically sophisticated, Foxacid might even run an already-known vulnerability."

"We know that the NSA receives advance warning from Microsoft of vulnerabilities that will soon be patched; there's not much of a loss if an exploit based on that vulnerability is discovered. Foxacid has tiers of exploits it can run, and uses a complicated trade-off system to determine which one to run against any particular target."

The NSA's Tailored Access Operations (TAO) unit, which runs Foxacid, has detailed rules of engagement and a well-thought-out procedure that allows relatively unskilled operators to act with subtlety and sophistication, Schneier adds.

"Operators running the Foxacid system have a detailed flowchart, with tons of rules about when to stop," Schneier explains. "If something doesn't work, stop. If they detect a PSP, a personal security product, stop. If anything goes weird, stop. This is how the NSA avoids detection, and also how it takes mid-level computer operators and turn them into what they call 'cyberwarriors'. It's not that they're skilled hackers, it's that the procedures do the work for them."

Schneier notes the variety of catchy code-names applied to different approaches of attack by the TAO crew.

"According to a top-secret operational procedures manual provided by Edward Snowden, an exploit named Validator might be the default, but the NSA has a variety of options. The documentation mentions United Rake, Peddle Cheap, Packet Wrench, and Beach Head - all delivered from a Foxacid subsystem called Ferret Cannon."

The security guru contrasts the nuanced attacks carried out by TAO on a tactical level with the blanket collection of data through dragnet programmes favoured on a policy level by the NSA's chiefs.

However some, such as computer security researcher “the grugq”, were less impressed by the NSA's tactical savviness, comparing the spy agency's tools to well-known underground utilities such as the Blackhole Exploit Kit and the ZeuS banking trojan.

The Electronic Frontier Foundation's more serious redux of the latest NSA spying revelations also concludes that the techniques in play aren't particularly sophisticated. EFF reckons knowing more about these approaches might help browser makers – and others – develop more secure technologies.

"The NSA's system for deploying malware isn't particularly novel, but getting some insight into how it works should help users and browser and software vendors better defend against these types of attacks, making us all safer against criminals, foreign intelligence agencies, and a host of attackers," it concludes. ®

Similar topics


Other stories you might like

  • Prisons transcribe private phone calls with inmates using speech-to-text AI

    Plus: A drug designed by machine learning algorithms to treat liver disease reaches human clinical trials and more

    In brief Prisons around the US are installing AI speech-to-text models to automatically transcribe conversations with inmates during their phone calls.

    A series of contracts and emails from eight different states revealed how Verus, an AI application developed by LEO Technologies and based on a speech-to-text system offered by Amazon, was used to eavesdrop on prisoners’ phone calls.

    In a sales pitch, LEO’s CEO James Sexton told officials working for a jail in Cook County, Illinois, that one of its customers in Calhoun County, Alabama, uses the software to protect prisons from getting sued, according to an investigation by the Thomson Reuters Foundation.

    Continue reading
  • Battlefield 2042: Please don't be the death knell of the franchise, please don't be the death knell of the franchise

    Another terrible launch, but DICE is already working on improvements

    The RPG Greetings, traveller, and welcome back to The Register Plays Games, our monthly gaming column. Since the last edition on New World, we hit level cap and the "endgame". Around this time, item duping exploits became rife and every attempt Amazon Games made to fix it just broke something else. The post-level 60 "watermark" system for gear drops is also infuriating and tedious, but not something we were able to address in the column. So bear these things in mind if you were ever tempted. On that note, it's time to look at another newly released shit show – Battlefield 2042.

    I wanted to love Battlefield 2042, I really did. After the bum note of the first-person shooter (FPS) franchise's return to Second World War theatres with Battlefield V (2018), I stupidly assumed the next entry from EA-owned Swedish developer DICE would be a return to form. I was wrong.

    The multiplayer military FPS market is dominated by two forces: Activision's Call of Duty (COD) series and EA's Battlefield. Fans of each franchise are loyal to the point of zealotry with little crossover between player bases. Here's where I stand: COD jumped the shark with Modern Warfare 2 in 2009. It's flip-flopped from WW2 to present-day combat and back again, tried sci-fi, and even the Battle Royale trend with the free-to-play Call of Duty: Warzone (2020), which has been thoroughly ruined by hackers and developer inaction.

    Continue reading
  • American diplomats' iPhones reportedly compromised by NSO Group intrusion software

    Reuters claims nine State Department employees outside the US had their devices hacked

    The Apple iPhones of at least nine US State Department officials were compromised by an unidentified entity using NSO Group's Pegasus spyware, according to a report published Friday by Reuters.

    NSO Group in an email to The Register said it has blocked an unnamed customers' access to its system upon receiving an inquiry about the incident but has yet to confirm whether its software was involved.

    "Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations," an NSO spokesperson told The Register in an email. "To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case."

    Continue reading

Biting the hand that feeds IT © 1998–2021