Remote Operations Center on:
[Wikipedia]
[Google]
[Amazon]
The Office of Tailored Access Operations (TAO), now Computer Network Operations, and structured as S32, is a cyber-warfare intelligence-gathering unit of the
The TAO has developed an attack suite they call QUANTUM. It relies on a compromised router (computing), router that duplicates internet traffic, typically HTTP requests, so that they go both to the intended target and to an NSA site (indirectly). The NSA site runs FOXACID software which sends back exploits that load in the background in the target web browser before the intended destination has had a chance to respond (it's unclear if the compromised router facilitates this race on the return trip). Prior to the development of this technology, FOXACID software made spear-phishing attacks the NSA referred to as spam. If the browser is exploitable, further permanent "implants" (rootkits etc.) are deployed in the target computer, e.g. OLYMPUSFIRE for Windows, which give complete remote access to the infected machine. This type of attack is part of the man-in-the-middle attack family, though more specifically it is called man-on-the-side attack. It is difficult to pull off without controlling some of the Internet backbone.
There are numerous services that FOXACID can exploit this way. The names of some FOXACID modules are given below:
* Alibaba Group, alibabaForumUser
* doubleclickID
* rocketmail
* hi5
* HotmailID
* LinkedIn
* Mail.Ru, mailruid
* MSN, msnMailToken64
* Tencent QQ, qq
* Facebook
* simbarid
* Twitter
* Yahoo
* Gmail
* YouTube
By collaboration with the British Government Communications Headquarters (GCHQ) (MUSCULAR (surveillance program), MUSCULAR), Google services could be attacked too, including Gmail.
Finding machines that are exploitable and worth attacking is done using analytic databases such as XKeyscore. A specific method of finding vulnerable machines is interception of Windows Error Reporting traffic, which is logged into XKeyscore.
QUANTUM attacks launched from NSA sites can be too slow for some combinations of targets and services as they essentially try to exploit a race condition, i.e. the NSA server is trying to beat the legitimate server with its response. As of mid-2011, the NSA was prototyping a capability codenamed QFIRE, which involved embedding their exploit-dispensing servers in virtual machines (running on VMware ESX) hosted closer to the target, in the so-called Special Collection Sites (SCS) network worldwide. The goal of QFIRE was to lower the latency of the spoofed response, thus increasing the probability of success.
COMMENDEER is used to commandeer (i.e. compromise) untargeted computer systems. The software is used as a part of QUANTUMNATION, which also includes the software vulnerability scanner VALIDATOR. The tool was first described at the 2014 Chaos Communication Congress by Jacob Appelbaum, who characterized it as tyrannical.
QUANTUMCOOKIE is a more complex form of attack which can be used Tor (anonymity network)#Weaknesses, against Tor (anonymity network), Tor users.
The NSA's New Code Breakers
", ''Foreign Policy'' A number of US companies, including Cisco and Dell, have subsequently made public statements denying that they insert such back doors into their products. Microsoft provides advance warning to the NSA of vulnerabilities it knows about, before fixes or information about these vulnerabilities is available to the public; this enables TAO to execute so-called zero-day attacks. A Microsoft official who declined to be identified in the press confirmed that this is indeed the case, but said that Microsoft cannot be held responsible for how the NSA uses this advance information.
Inside TAO: Documents Reveal Top NSA Hacking Unit
NSA 'hacking unit' infiltrates computers around the world – report
NSA Tailored Access Operations
* https://www.wired.com/threatlevel/2013/09/nsa-router-hacking/ * https://www.nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-connected-to-internet.html
Getting the 'Ungettable' Intelligence: An Interview with TAO's Teresa Shea
{{National Security Agency Computer surveillance Cyberwarfare in the United States Hacker groups National Security Agency American advanced persistent threat groups Cybercrime in India Cyberwarfare in Iran
National Security Agency
The National Security Agency (NSA) is a national-level intelligence agency of the United States Department of Defense, under the authority of the Director of National Intelligence (DNI). The NSA is responsible for global monitoring, collect ...
(NSA). It has been active since at least 1998, possibly 1997, but was not named or structured as TAO until "the last days of 2000," according to General Michael Hayden.
TAO identifies, monitors, infiltrates, and gathers intelligence on computer systems being used by entities foreign to the United States.
History
TAO is reportedly "the largest and arguably the most important component of the NSA's huge Signals Intelligence Directorate (SID), consisting of more than 1,000 military and civilian computer hackers, intelligence analysts, targeting specialists, computer hardware and software designers, and electrical engineers".Snowden leak
A document leaked by former NSA contractor Edward Snowden describing the unit's work says TAO has software templates allowing it to break into commonly used hardware, including "routers, switches, and firewalls from multiple product vendor lines". TAO engineers prefer to tap networks rather than isolated computers, because there are typically many devices on a single network.Organization
TAO's headquarters are termed the ''Remote Operations Center'' (ROC) and are based at the NSA headquarters at Fort Meade, Maryland. TAO also has expanded to NSA Hawaii (Wahiawa
Wahiawa ( haw, Wahiawā, ) is a census-designated place (CDP) in Honolulu County, Hawaii, United States, on the island of Oahu. It is in the Wahiawa District, on the plateau or "central valley" between the two volcanic mountains that comprise the ...
, Oahu), NSA Georgia ( Fort Gordon, Georgia), NSA Texas (Joint Base San Antonio
Joint Base San Antonio (JBSA) is a United States military facility located in San Antonio, Texas, USA. The facility is under the jurisdiction of the United States Air Force 502d Air Base Wing, Air Education and Training Command (AETC). The wi ...
, Texas), and NSA Colorado (Buckley Space Force Base
Buckley Space Force Base is a United States Space Force base in Aurora, Colorado named after United States Army Air Service First Lieutenant John Harold Buckley. The base is run by Space Base Delta 2, with major units including the U.S. Space Fo ...
, Denver).
* S321 – Remote Operations Center (ROC) In the Remote Operations Center, 600 employees gather information from around the world.
* S323 – Data Network Technologies Branch
In the pursuit of knowledge, data (; ) is a collection of discrete values that convey information, describing quantity, quality, fact, statistics, other basic units of meaning, or simply sequences of symbols that may be further interpreted ...
(DNT) : develops automated spyware
** S3231 – Access Division (ACD)
** S3232 – Cyber Networks Technology Division (CNT)
** S3233 –
** S3234 – Computer Technology Division (CTD)
** S3235 – Network Technology Division (NTD)
* Telecommunications Network Technologies Branch
Telecommunication is the transmission of information by various types of technologies over wire, radio, optical, or other electromagnetic systems. It has its origin in the desire of humans for communication over a distance greater than that fe ...
(TNT) : improve network and computer hacking methods
* Mission Infrastructure Technologies Branch: operates the software provided above
* S328 – Access Technologies Operations Branch
Access may refer to:
Companies and organizations
* ACCESS (Australia), an Australian youth network
* Access (credit card), a former credit card in the United Kingdom
* Access Co., a Japanese software company
* Access Healthcare, an Indian BPO s ...
(ATO): Reportedly includes personnel seconded by the CIA and the FBI, who perform what are described as "off-net operations", which means they arrange for CIA agents to surreptitiously plant eavesdropping devices on computers and telecommunications systems overseas so that TAO's hackers may remotely access them from Fort Meade. Specially equipped submarines, currently the USS ''Jimmy Carter'', are used to wiretap fibre optic cables around the globe.
** S3283 – Expeditionary Access Operations (EAO)
** S3285 – Persistence Division
Virtual locations
Details on a program titled QUANTUMSQUIRREL indicate NSA ability to masquerade as any routable IPv4 or IPv6 host. This enables an NSA computer to generate false geographical location and personal identification credentials when accessing the Internet utilizing QUANTUMSQUIRREL.Leadership
From 2013 to 2017, the head of TAO was Rob Joyce, a 25-plus year employee who previously worked in the NSA'sInformation Assurance Directorate
Information is an abstract concept that refers to that which has the power to inform. At the most fundamental level information pertains to the interpretation of that which may be sensed. Any natural process that is not completely random, ...
(IAD). In January 2016, Joyce had a rare public appearance when he gave a presentation at the Usenix’s Enigma conference.
NSA ANT catalog
TheNSA ANT catalog
The ANT catalog (or TAO catalog) is a classified product catalog by the U.S. National Security Agency (NSA) of which the version written in 2008–2009 was published by German news magazine ''Der Spiegel'' in December 2013. Forty-nine catalog ...
is a 50-page classified document listing technology available to the United States
The United States of America (U.S.A. or USA), commonly known as the United States (U.S. or US) or America, is a country primarily located in North America. It consists of 50 states, a federal district, five major unincorporated territori ...
National Security Agency (NSA) Tailored Access Operations (TAO) by the Advanced Network Technology (ANT) Division to aid in cyber surveillance. Most devices are described as already operational and available to US nationals and members of the Five Eyes
The Five Eyes (FVEY) is an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom, and the United States. These countries are parties to the multilateral UKUSA Agreement, a treaty for joint cooperation in sig ...
alliance. According to ''Der Spiegel'', which released the catalog to the public on December 30, 2013, "The list reads like a mail-order catalog, one from which other NSA employees can order technologies from the ANT division for tapping their targets' data." The document was created in 2008.This section copied from NSA ANT catalog
The ANT catalog (or TAO catalog) is a classified product catalog by the U.S. National Security Agency (NSA) of which the version written in 2008–2009 was published by German news magazine ''Der Spiegel'' in December 2013. Forty-nine catalog ...
; see there for sources
Security researcher Jacob Appelbaum gave a speech at the Chaos Communications Congress in Hamburg, Germany, in which he detailed techniques that the simultaneously published ''Der Spiegel'' article he coauthored disclosed from the catalog.
QUANTUM attacks
The TAO has developed an attack suite they call QUANTUM. It relies on a compromised router (computing), router that duplicates internet traffic, typically HTTP requests, so that they go both to the intended target and to an NSA site (indirectly). The NSA site runs FOXACID software which sends back exploits that load in the background in the target web browser before the intended destination has had a chance to respond (it's unclear if the compromised router facilitates this race on the return trip). Prior to the development of this technology, FOXACID software made spear-phishing attacks the NSA referred to as spam. If the browser is exploitable, further permanent "implants" (rootkits etc.) are deployed in the target computer, e.g. OLYMPUSFIRE for Windows, which give complete remote access to the infected machine. This type of attack is part of the man-in-the-middle attack family, though more specifically it is called man-on-the-side attack. It is difficult to pull off without controlling some of the Internet backbone.
There are numerous services that FOXACID can exploit this way. The names of some FOXACID modules are given below:
* Alibaba Group, alibabaForumUser
* doubleclickID
* rocketmail
* hi5
* HotmailID
* LinkedIn
* Mail.Ru, mailruid
* MSN, msnMailToken64
* Tencent QQ, qq
* Facebook
* simbarid
* Twitter
* Yahoo
* Gmail
* YouTube
By collaboration with the British Government Communications Headquarters (GCHQ) (MUSCULAR (surveillance program), MUSCULAR), Google services could be attacked too, including Gmail.
Finding machines that are exploitable and worth attacking is done using analytic databases such as XKeyscore. A specific method of finding vulnerable machines is interception of Windows Error Reporting traffic, which is logged into XKeyscore.
QUANTUM attacks launched from NSA sites can be too slow for some combinations of targets and services as they essentially try to exploit a race condition, i.e. the NSA server is trying to beat the legitimate server with its response. As of mid-2011, the NSA was prototyping a capability codenamed QFIRE, which involved embedding their exploit-dispensing servers in virtual machines (running on VMware ESX) hosted closer to the target, in the so-called Special Collection Sites (SCS) network worldwide. The goal of QFIRE was to lower the latency of the spoofed response, thus increasing the probability of success.
COMMENDEER is used to commandeer (i.e. compromise) untargeted computer systems. The software is used as a part of QUANTUMNATION, which also includes the software vulnerability scanner VALIDATOR. The tool was first described at the 2014 Chaos Communication Congress by Jacob Appelbaum, who characterized it as tyrannical.
QUANTUMCOOKIE is a more complex form of attack which can be used Tor (anonymity network)#Weaknesses, against Tor (anonymity network), Tor users.
Targets and collaborations
Suspected, alleged and confirmed targets of the Tailored Access Operations unit include national and international entities like China, Northwestern Polytechnical University., OPEC, and Secretariat of Public Security (Mexico), Mexico's Secretariat of Public Security. The group has also targeted global communication networks via SEA-ME-WE 4 – an optical fibre submarine communications cable system that carries telecommunications between Singapore, Malaysia, Thailand, Bangladesh, India, Sri Lanka, Pakistan, United Arab Emirates, Saudi Arabia, Sudan, Egypt, Italy, Tunisia, Algeria and France. Additionally, National Defence Radio Establishment (Sweden), Försvarets radioanstalt (FRA) in Sweden gives access to fiber optic links for QUANTUM cooperation. TAO's QUANTUM INSERT technology was passed to UK services, particularly to Government Communications Headquarters, GCHQ's MyNOC, which used it to target Belgacom and GPRS roaming exchange (GRX) providers like the Comfone, Syniverse, and Starhome. Belgacom, which provides services to the European Commission, the European Parliament and the European Council discovered the attack. In concert with the CIA and FBI, TAO is used to intercept laptops purchased online, divert them to secret warehouses where spyware and hardware is installed, and send them on to customers. TAO has also targeted internet browsers Tor (network), Tor and Firefox. According to a 2013 article in ''Foreign Policy'', TAO has become "increasingly accomplished at its mission, thanks in part to the high-level cooperation it secretly receives from the 'big three' American telecom companies (AT&T, Verizon and Sprint Corporation, Sprint), most of the large US-based Internet service providers, and many of the top computer security software manufacturers and consulting companies." A 2012 TAO budget document claims that these companies, on TAO's behest, "insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communications devices used by targets".Matthew M. Aid, (October 15, 2013)The NSA's New Code Breakers
", ''Foreign Policy'' A number of US companies, including Cisco and Dell, have subsequently made public statements denying that they insert such back doors into their products. Microsoft provides advance warning to the NSA of vulnerabilities it knows about, before fixes or information about these vulnerabilities is available to the public; this enables TAO to execute so-called zero-day attacks. A Microsoft official who declined to be identified in the press confirmed that this is indeed the case, but said that Microsoft cannot be held responsible for how the NSA uses this advance information.
See also
* Advanced persistent threat * Cyberwarfare in the United States * Equation Group * Magic Lantern (software) * MiniPanzer and MegaPanzer * PLA Unit 61398 * Stuxnet * Syrian Electronic Army * WARRIOR PRIDEReferences
External links
Inside TAO: Documents Reveal Top NSA Hacking Unit
NSA 'hacking unit' infiltrates computers around the world – report
NSA Tailored Access Operations
* https://www.wired.com/threatlevel/2013/09/nsa-router-hacking/ * https://www.nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-connected-to-internet.html
Getting the 'Ungettable' Intelligence: An Interview with TAO's Teresa Shea
{{National Security Agency Computer surveillance Cyberwarfare in the United States Hacker groups National Security Agency American advanced persistent threat groups Cybercrime in India Cyberwarfare in Iran