The Office of Tailored Access Operations (TAO), now Computer Network Operations, and structured as S32, is a cyber-warfare intelligence-gathering unit of the National Security Agency (NSA). It has been active since at least 1998, possibly 1997, but was not named or structured as TAO until "the last days of 2000," according to General Michael Hayden. TAO identifies, monitors, infiltrates, and gathers intelligence on computer systems being used by entities foreign to the United States.


History

TAO is reportedly "the largest and arguably the most important component of the NSA's huge Signals Intelligence Directorate (SID), consisting of more than 1,000 military and civilian computer hackers, intelligence analysts, targeting specialists, computer hardware and software designers, and electrical engineers".


Snowden leak

A document leaked by former NSA contractor Edward Snowden describing the unit's work says TAO has software templates allowing it to break into commonly used hardware, including "routers, switches, and firewalls from multiple product vendor lines". TAO engineers prefer to tap networks rather than isolated computers, because there are typically many devices on a single network.


Organization

TAO's headquarters are termed the ''Remote Operations Center'' (ROC) and are based at the NSA headquarters at Fort Meade, Maryland. TAO has also expanded to NSA Hawaii (Wahiawa, Oahu), NSA Georgia (Fort Gordon, Georgia), NSA Texas (Joint Base San Antonio, Texas), and NSA Colorado (Buckley Space Force Base, Denver).

* S321 – Remote Operations Center (ROC): in the Remote Operations Center, 600 employees gather information from around the world.
* S323 – Data Network Technologies Branch (DNT): develops automated spyware
** S3231 – Access Division (ACD)
** S3232 – Cyber Networks Technology Division (CNT)
** S3233 –
** S3234 – Computer Technology Division (CTD)
** S3235 – Network Technology Division (NTD)
* Telecommunications Network Technologies Branch (TNT): improves network and computer hacking methods
* Mission Infrastructure Technologies Branch: operates the software provided above
* S328 – Access Technologies Operations Branch (ATO): reportedly includes personnel seconded by the CIA and the FBI, who perform what are described as "off-net operations", meaning they arrange for CIA agents to surreptitiously plant eavesdropping devices on computers and telecommunications systems overseas so that TAO's hackers may remotely access them from Fort Meade. Specially equipped submarines, currently the USS ''Jimmy Carter'', are used to wiretap fibre optic cables around the globe.
** S3283 – Expeditionary Access Operations (EAO)
** S3285 – Persistence Division


Virtual locations

Details on a program titled QUANTUMSQUIRREL indicate that the NSA has the ability to masquerade as any routable IPv4 or IPv6 host. This lets an NSA computer present a false geographical location and false identifying details when accessing the Internet through QUANTUMSQUIRREL.


Leadership

From 2013 to 2017, the head of TAO was Rob Joyce, a 25-plus year employee who previously worked in the NSA's Information Assurance Directorate (IAD). In January 2016, Joyce made a rare public appearance when he gave a presentation at Usenix's Enigma conference.


NSA ANT catalog

The NSA ANT catalog is a 50-page classified document listing technology made available to the United States National Security Agency (NSA) Tailored Access Operations (TAO) by the Advanced Network Technology (ANT) Division to aid in cyber surveillance. Most devices are described as already operational and available to US nationals and members of the Five Eyes alliance. According to ''Der Spiegel'', which released the catalog to the public on December 30, 2013, "The list reads like a mail-order catalog, one from which other NSA employees can order technologies from the ANT division for tapping their targets' data." The document was created in 2008.

Security researcher Jacob Appelbaum gave a speech at the Chaos Communications Congress in Hamburg, Germany, in which he detailed techniques that the simultaneously published ''Der Spiegel'' article he coauthored disclosed from the catalog.


QUANTUM attacks

TAO has developed an attack suite it calls QUANTUM. It relies on a compromised router that duplicates internet traffic, typically HTTP requests, so that the traffic goes both to the intended target and (indirectly) to an NSA site. The NSA site runs FOXACID software, which sends back exploits that load in the background in the target's web browser before the intended destination has had a chance to respond (it is unclear whether the compromised router also facilitates this race on the return trip). Prior to the development of this technology, FOXACID software was delivered through spear-phishing attacks, which the NSA referred to as spam. If the browser is exploitable, further permanent "implants" (rootkits etc.) are deployed on the target computer, e.g. OLYMPUSFIRE for Windows, which give complete remote access to the infected machine. This type of attack belongs to the man-in-the-middle family, though more specifically it is a man-on-the-side attack: the attacker does not sit inline and control the connection, but only observes it and injects a response that races the legitimate one. It is difficult to pull off without controlling some of the Internet backbone.

There are numerous services that FOXACID can exploit this way. The names of some FOXACID modules are given below:

* alibabaForumUser
* doubleclickID
* rocketmail
* hi5
* HotmailID
* LinkedIn
* mailruid
* msnMailToken64
* qq
* Facebook
* simbarid
* Twitter
* Yahoo
* Gmail
* YouTube

Through collaboration with the British Government Communications Headquarters (GCHQ) (MUSCULAR), Google services could be attacked too, including Gmail. Finding machines that are exploitable and worth attacking is done using analytic databases such as XKeyscore. A specific method of finding vulnerable machines is the interception of Windows Error Reporting traffic, which is logged into XKeyscore.

QUANTUM attacks launched from NSA sites can be too slow for some combinations of targets and services, as they essentially try to exploit a race condition: the NSA server is trying to beat the legitimate server with its response. As of mid-2011, the NSA was prototyping a capability codenamed QFIRE, which involved embedding its exploit-dispensing servers in virtual machines (running on VMware ESX) hosted closer to the target, in the so-called Special Collection Sites (SCS) network worldwide. The goal of QFIRE was to lower the latency of the spoofed response, thus increasing the probability of success.

COMMENDEER is used to commandeer (i.e. compromise) untargeted computer systems. The software is used as a part of QUANTUMNATION, which also includes the software vulnerability scanner VALIDATOR. The tool was first described at the 2014 Chaos Communication Congress by Jacob Appelbaum, who characterized it as tyrannical.

QUANTUMCOOKIE is a more complex form of attack which can be used against Tor users.
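The race described above has one side effect a passive monitor can look for: the client ends up receiving two server responses for the same TCP sequence number, with different contents, because the injected answer and the legitimate one both arrive. The following is an added example of a detector built on that property; it is not code from the original article or from any leaked document. The packet record fields, the sample segments and the TTL threshold are constructed for the demonstration and are not a real capture format.

```python
"""
Added example: flag man-on-the-side injection by spotting two different
payloads for the same (flow, TCP sequence number). Records and sample data
are constructed for this demonstration, not taken from a real capture.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    """One server-to-client TCP segment as a passive monitor would record it."""
    src: str        # server IP
    sport: int      # server port
    dst: str        # client IP
    dport: int      # client port
    seq: int        # TCP sequence number of the first payload byte
    ttl: int        # IP TTL observed at the monitor
    payload: bytes  # TCP payload (empty for a pure ACK)


FlowKey = Tuple[str, int, str, int]


def flow_key(seg: Segment) -> FlowKey:
    return (seg.src, seg.sport, seg.dst, seg.dport)


def detect_duplicate_seq(segments: List[Segment], ttl_delta: int = 4) -> List[dict]:
    """Return one alert per (flow, seq) that is reused with different bytes.

    A genuine retransmission repeats the same payload and is ignored. Two
    different payloads for one sequence number mean two senders answered the
    same request, which is what the client sees when an injected response
    races the real one. A TTL jump of ttl_delta or more (an assumed threshold)
    is recorded as a secondary hint that the two segments took different paths.
    The detector cannot tell which of the two is the impostor; it hands both
    heads to the analyst.
    """
    first_seen: Dict[Tuple[FlowKey, int], Segment] = {}
    alerts: List[dict] = []
    for seg in segments:
        if not seg.payload:          # pure ACKs carry nothing to compare
            continue
        key = (flow_key(seg), seg.seq)
        prev = first_seen.get(key)
        if prev is None:
            first_seen[key] = seg
            continue
        if prev.payload == seg.payload:
            continue                 # ordinary retransmission, not an alert
        ttl_change = abs(prev.ttl - seg.ttl)
        alerts.append({
            "flow": key[0],
            "seq": seg.seq,
            "first_head": prev.payload[:40],
            "second_head": seg.payload[:40],
            "ttl_change": ttl_change,
            "ttl_suspicious": ttl_change >= ttl_delta,
        })
    return alerts


def constructed_stream() -> List[Segment]:
    """Hand-built server-to-client segments standing in for a capture."""
    legit = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>news</html>"
    injected = (b"HTTP/1.1 302 Found\r\n"
                b"Location: http://redirect.example.invalid/x\r\n\r\n")
    server, client_a, client_b = "203.0.113.10", "198.51.100.7", "198.51.100.8"
    return [
        # flow A: the injected answer wins the race, the real one arrives later
        Segment(server, 80, client_a, 51000, 1001, 52, injected),
        Segment(server, 80, client_a, 51000, 1001, 61, legit),
        # flow B: a genuine retransmission (identical bytes) must not alert
        Segment(server, 80, client_b, 51002, 4000, 61, legit),
        Segment(server, 80, client_b, 51002, 4000, 61, legit),
        # flow B continues with the next sequence number, unrelated
        Segment(server, 80, client_b, 51002, 4000 + len(legit), 61, b"<more>"),
        # a pure ACK on flow A is skipped
        Segment(server, 80, client_a, 51000, 1001 + len(injected), 52, b""),
    ]


def run_detector() -> List[dict]:
    return detect_duplicate_seq(constructed_stream())


if __name__ == "__main__":
    for alert in run_detector():
        print(alert["flow"], alert["seq"], alert["ttl_change"],
              alert["first_head"], alert["second_head"])
```

Two caveats a practitioner would add. The payload comparison only has something to compare when the application traffic is plaintext, as in the HTTP case the article describes; on a TLS connection an injected record fails authentication and the client tears the connection down, so the same race shows up as a connection failure rather than a loaded exploit. And a TTL difference is a hint, not proof: legitimate paths change too, so it is reported alongside the duplicate rather than used as the trigger.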


Targets and collaborations

Suspected, alleged and confirmed targets of the Tailored Access Operations unit include national and international entities like China, Northwestern Polytechnical University, OPEC, and Mexico's Secretariat of Public Security. The group has also targeted global communication networks via SEA-ME-WE 4, an optical fibre submarine communications cable system that carries telecommunications between Singapore, Malaysia, Thailand, Bangladesh, India, Sri Lanka, Pakistan, United Arab Emirates, Saudi Arabia, Sudan, Egypt, Italy, Tunisia, Algeria and France. Additionally, Försvarets radioanstalt (FRA) in Sweden gives access to fiber optic links for QUANTUM cooperation.

TAO's QUANTUM INSERT technology was passed to UK services, particularly to GCHQ's MyNOC, which used it to target Belgacom and GPRS roaming exchange (GRX) providers like Comfone, Syniverse, and Starhome. Belgacom, which provides services to the European Commission, the European Parliament and the European Council, discovered the attack.

In concert with the CIA and FBI, TAO is used to intercept laptops purchased online, divert them to secret warehouses where spyware and hardware are installed, and send them on to customers. TAO has also targeted the internet browsers Tor and Firefox.

According to a 2013 article in ''Foreign Policy'', TAO has become "increasingly accomplished at its mission, thanks in part to the high-level cooperation it secretly receives from the 'big three' American telecom companies (AT&T, Verizon and Sprint), most of the large US-based Internet service providers, and many of the top computer security software manufacturers and consulting companies." A 2012 TAO budget document claims that these companies, at TAO's behest, "insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communications devices used by targets". (Matthew M. Aid, "The NSA's New Code Breakers", ''Foreign Policy'', October 15, 2013.) A number of US companies, including Cisco and Dell, have subsequently made public statements denying that they insert such back doors into their products.

Microsoft provides advance warning to the NSA of vulnerabilities it knows about, before fixes or information about these vulnerabilities is available to the public; this enables TAO to execute so-called zero-day attacks. A Microsoft official who declined to be identified in the press confirmed that this is indeed the case, but said that Microsoft cannot be held responsible for how the NSA uses this advance information.


See also

* Advanced persistent threat
* Cyberwarfare in the United States
* Equation Group
* Magic Lantern (software)
* MiniPanzer and MegaPanzer
* PLA Unit 61398
* Stuxnet
* Syrian Electronic Army
* WARRIOR PRIDE


External links


* Inside TAO: Documents Reveal Top NSA Hacking Unit
* NSA 'hacking unit' infiltrates computers around the world – report
* NSA Tailored Access Operations
* https://www.wired.com/threatlevel/2013/09/nsa-router-hacking/
* https://www.nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-connected-to-internet.html
* Getting the 'Ungettable' Intelligence: An Interview with TAO's Teresa Shea