Do the National Security Agency's online espionage capabilities provide good value for money?
Recent reports have disclosed that the NSA uses a fleet of high-latency -- codenamed "Quantum" -- servers to redirect targeted systems to another fleet of servers, codenamed "FoxAcid," that launch tailored drive-by attacks. The agency's malware reportedly targets a range of vulnerabilities, from publicly known flaws to zero-day bugs that only the NSA possesses.
That information comes via former NSA contractor Edward Snowden's leak of top secret documents that detail many of the agency's operating practices. What's struck some information security experts is just how similar the NSA's techniques are to those of cybercrime gangs and advanced persistent attack (APT) groups sponsored or run by other nations.
"The NSA's system for deploying malware isn't particularly novel," according to an overview of the NSA system published by the Electronic Frontier Foundation staff technologist Dan Auerbach.
In fact, some security experts would go farther than that. "We could replicate the NSA's capabilities for about $30k on the Russian private blackhat forums," tweeted the Bangkok-based vulnerability broker known as the GrugQ. "US taxpayers, you're being ripped off!"
Exactly what is the return on investment generated by the NSA's hacking techniques? Of course, precise numbers are secret, but in August The Washington Post published a document leaked by Snowden that revealed the secret 2013 "black budget" for the U.S. intelligence community to be $52.6 billion. Of that, $10.8 billion went to the NSA to support its mandate to protect U.S. government systems and obtain foreign signals intelligence, in part via what the budget documents referred to as "offensive cyber operations." The NSA's security intelligence budget, for comparison's sake, was second only to the CIA's $14.7 billion allocation.
As befits an intelligence agency, most -- if not all -- of the NSA's premium hacking capabilities would have been built by NSA staff. But the GrugQ argued that a number of customized NSA hacking techniques might be just as easily fulfilled using off-the-shelf technology, albeit some of it from cybercrime syndicates. "NSA is like a nation state cybercrime gang. Quantum == Traff, FoxAcid == BlackHole Exploit kit++, Implants == Zeus++," he tweeted, referring to the ability to hack into boxes handling network traffic ("traff"), as well as such malware families as the Zeus banking Trojan and the automated Blackhole crimeware toolkit.
Unlike most criminal gangs operating online, however, the NSA also employs a sophisticated risk management model that decides which exploits best fit any given target, and tailors the attack sophistication to the value of the target, according to BT chief security technology officer Bruce Schneier, who's been working with the Guardian to review information leaked by Snowden. "FoxAcid has tiers of exploits it can run, and uses a complicated trade-off system to determine which one to run against any particular target," he said in a blog post that was previously published by the Atlantic.
For example, high-value targets might get hit with a very valuable zero-day vulnerability, unless their operational security is considered good enough to detect the exploit, in which case it may be held in reserve. For low-value targets, even if they're technically sophisticated, however, the agency might use a known vulnerability.
"According to a top-secret operational procedures manual provided by Edward Snowden, an exploit named Validator might be the default, but the NSA has a variety of options," said Schneier. "The documentation mentions United Rake, Peddle Cheap, Packet Wrench and Beach Head -- all delivered from a FoxAcid subsystem called Ferret Cannon."
Those terms appear to be geek-espionage insider-speak for the agency's actual online attack capabilities, and many of the names have left security experts guessing. "Ferret cannon is a hint at capability, dire scallop -- bypasses AV? -- is a hint ... they seem suggestive at least," tweeted the GrugQ.
What also struck Schneier was that the operating procedures for the Tailored Access Operations (TAO) personnel who launch cyberattacks are quite conservative. "They're super cautious about what they do," he said, so as to not tip off their targets.
But if the NSA excels at infiltrating targeted systems while avoiding detection -- and anecdotal evidence suggests this to be the case -- Schneier identified a glaring weakness in its risk-management model. "The organization seems to be good enough at assessing the risk of discovery -- for example, if the target of an intelligence-gathering effort discovers that effort -- but to have completely ignored the risks of those efforts becoming front-page news," he said.