BIRMINGHAM – The lesson to be learned from the content of Snowden's documents released to date is that the NSA has built a global capability to execute on a plan of information dominance for intelligence gathering. Ostensibly meant to collect enough communications metadata and content to deter, disrupt, and destroy terrorists and their plans, the NSA's capabilities have also been used for broader spying on foreign leaders and, through its partner agencies in the UK, Canada and Australia, to intercept communications that appear to have an economic motivation.
An examination of the capabilities that the NSA has developed and deployed provides a window into advanced cyber attack methods. The sophistication of these methods, and of the tools that the NSA has operationalized, raises the question: what can an organization do to protect itself against this level of targeted attack? Put aside the decades-old argument that "we are not a target." That argument has been proven wrong over and over. Just look at the retailers that were blind to cyber criminals' appetite for credit card details, from Lowe's and TJ Maxx to, most recently, Neiman Marcus and Target.
The catalog of capabilities revealed in a detailed listing of the NSA's Tailored Access Operations (TAO), specifically an organization known only as ANT, is an indicator of what offensive cyber operations look like.
The NSA has developed the global capacity to intercept data as it travels across Internet backbones and the ability to mine tremendous amounts of captured data in near real time. XKEYSCORE is one such tool. The capability to select targets and the types of data to extract from the stream is demonstrated by the ability to detect when a Windows PC crashes and to capture the crash report, which contains data from memory that reveals machine settings and even account passwords, as it is sucked into the NSA's data centers.
The data from particular targets on the Internet or from cell phone calls is extracted too. Another capability is to capture location data from cell phone calls which are also carried across the undersea cables that the NSA and GCHQ monitor. Data sent from commonly deployed applications, notably Angry Birds, is also captured.
Quantum and FoxAcid as described by the leaked documents are effective means of attack. FoxAcid servers are strategically placed on Internet backbones. They can deliver multiple exploits against someone browsing the web. Via the Quantum Injection program, once a target is identified packets are injected into the download of web pages that direct the browser to receive the exploit code from the FoxAcid servers.
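As an added illustration, not part of the original article, here is a simple passive detection for the race described above: an injected packet and the genuine server response both claim the same TCP sequence number but carry different data, so a sensor that sees both segments can flag the flow. The packet records are constructed, using documentation-range IP addresses and a placeholder redirect host.

```python
"""Flag a Quantum-style TCP race in a packet stream: two server-to-client
segments in the same flow that carry the same sequence number but different
data. The racing segment reaches the client first; the genuine one arrives
later and is silently dropped by the TCP stack, so only a passive sensor
sitting on the path sees both."""

# Constructed sample records (not real captures):
# (src_ip, src_port, dst_ip, dst_port, tcp_seq, payload)
SAMPLE_PACKETS = [
    ("198.51.100.10", 80, "10.0.0.5", 51234, 1000,
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    # racing segment: same seq, but sends the browser somewhere else
    ("198.51.100.10", 80, "10.0.0.5", 51234, 1000,
     b"HTTP/1.1 302 Found\r\nLocation: http://injected.example/\r\n\r\n"),
    ("198.51.100.10", 80, "10.0.0.5", 51234, 1050, b"<body>hi</body></html>"),
    # benign retransmission: same seq, identical bytes
    ("203.0.113.7", 80, "10.0.0.5", 51240, 5000, b"HTTP/1.1 200 OK\r\n\r\nok"),
    ("203.0.113.7", 80, "10.0.0.5", 51240, 5000, b"HTTP/1.1 200 OK\r\n\r\nok"),
    # benign re-segmentation: shorter segment that is a prefix of the first
    ("203.0.113.7", 80, "10.0.0.5", 51240, 5000, b"HTTP/1.1 200 OK"),
]


def same_data(a, b):
    """Compare only the overlapping bytes so re-segmented retransmits do not alert."""
    n = min(len(a), len(b))
    return a[:n] == b[:n]


def find_insert_candidates(packets):
    """Return one alert per (flow, seq) where two segments carry conflicting data."""
    first_seen = {}  # (flow, seq) -> first payload observed; a real sensor would expire these
    alerts = []
    for src, sport, dst, dport, seq, payload in packets:
        key = (src, sport, dst, dport, seq)
        if key not in first_seen:
            first_seen[key] = payload
        elif not same_data(first_seen[key], payload):
            alerts.append({
                "flow": f"{src}:{sport} -> {dst}:{dport}",
                "seq": seq,
                "first": first_seen[key][:40],
                "second": payload[:40],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_insert_candidates(SAMPLE_PACKETS):
        print(alert)
```

Only the conflicting pair on port 51234 is reported; the identical retransmit and the shorter prefix segment on port 51240 are treated as normal TCP behaviour.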
Think about how an organization could defend against the following catalog of exploit tools: DEITYBOUNCE is a persistent application attack that exploits the motherboard BIOS of Dell PowerEdge servers.
Through "interdiction", a term for intercepting a computer while it is being shipped to a target, the IRONCHEF software and hardware backdoors are installed. From the catalog: "If the software CNE (Computer Network Exploit) implant is removed from the target machine, IRONCHEF is used to access the machine, determine the reason for removal of the software, and then reinstall the software from a listening post to the target system." In other words, an attacker in close proximity can reinstall the software backdoor after it is removed.
Routers and firewalls from Juniper and Cisco are vulnerable to malware that the NSA has developed that is difficult to detect and remove, even after their operating systems are reinstalled. The Juniper exploit, dubbed FEEDTROUGH, "can, by design, even survive 'across reboots and software upgrades.'" This level of persistent threat is reminiscent of the most advanced type of cyber attack emanating from China and documented in security company Mandiant's APT1 report. FEEDTROUGH is the C&C channel that is used to detect software upgrades and reinstall two backdoors, BANANAGLEE and ZESTYLEAK.
Ironically, the first published case of a backdoor in Huawei gear is "[t]he HALLUXWATER Persistence Back Door implant", which "is installed on a target Huawei Eudemon firewall as a boot ROM upgrade." HEADWATER is a similar backdoor for Huawei routers.
A localized means of attack against target cell phones is the equipment dubbed TYPHON HX. This equipment mimics a femtocell access point for cell phone calls and is a method of intercepting voice and data communications when the target is in close proximity. CANDYGRAM is a simpler device that alerts an operative when a particular handset comes within range.
Remote illumination of embedded devices with radar is an old technique memorialized by George Kennan's experience while he was Ambassador to the Soviet Union. In what became known as the "Great Seal incident", a radar-illuminated device was planted in the wall behind the Great Seal of the United States that hung behind Kennan's desk in the Moscow embassy. The KGB was able to bounce radar waves off the device, which modulated the reflected signal in accord with the sound waves it picked up. It was a passive, undetectable bug that could eavesdrop on the conversations in Kennan's office. The TAO catalog has several examples of devices that work on the same principle but are miniaturized to the point where they can be installed in computer equipment and either provide a passive audio bug or transmit information directly from the host computer. LOUDAUTO is an example of a "room audio" collection device. It measures less than 2 cm in length.
The ANT catalog continues with NIGHTSTAND, a wifi injection toolkit that can inject malware into any PC attached to a targeted wireless network.
SOMBERKNAVE is a "Windows XP wireless software implant that provides covert internet connectivity for isolated targets". Delivered over the Internet, it uses the PC's 802.11 wifi transceiver to connect to any wireless access point and "phone home". Implants are cataloged for iPhones (DROPOUTJEEP) and for the GSM SIM cards in mobile phones (GOPHERSET and MONKEYCALENDAR).
This collection of tools revealed in the ANT catalog is significant in that each one demonstrates the types of sophisticated attacks that can be made against targets. While the Signals Intelligence Directorate (SID) of the NSA, under which TAO operates, targets systems for intelligence collection, these capabilities have to be included in every organization's threat analysis.
It is going to be expensive to deploy the controls and protections that can reduce exposure to these threats. Imagine the cost of inspecting laptops and servers for hardware and software backdoors. What kind of controls could even detect BIOS level backdoors in routers, switches and firewall appliances?
Just when we thought we were getting a grasp on how to counter APTs, we have seen the future of attack methodologies that a motivated adversary can field. It does not look good for the defender.
Richard Stiennon is a noted cyber security expert, analyst as well as executive editor of SecurityCurrent.Com. He lives in Birmingham, Michigan.