NSA Surveillance Infected 50,000 PCs With Malware

Leaked document details agency's "implants," satellite intercepts, joint CIA eavesdropping operations, and embassy-based monitoring programs abroad.

Mathew J. Schwartz, Contributor

November 25, 2013


The National Security Agency (NSA) has hacked into more than 50,000 PCs to install malware that monitors US government targets.

So said a report, published Saturday by Dutch newspaper NRC Handelsblad, that included a top secret NSA presentation that dates from 2012. The newspaper said the document was furnished by former NSA contractor Edward Snowden.

The leaked presentation, which is labeled as restricted for dissemination to the United States, Australia, Canada, Great Britain, and New Zealand -- the countries that comprise the "five eyes" surveillance network -- highlights the NSA's "classes of access," which include third-party agreements or liaisons with 30 countries and 20 high-speed optical cable access programs, and the ability to eavesdrop on 12 foreign and 40 regional satellites.

The slide also lists "80+ SCS," apparently referring to the agency's secret Special Collection Service monitoring stations, which involve a joint project with the CIA that's designed to eavesdrop on difficult-to-reach places such as foreign embassies and communications centers.


That figure squares with another leaked slide, published last month by Germany's Der Spiegel weekly news magazine, which reported that as of 2010 the NSA's SCS teams were active in about 80 locations, of which 19 were in Europe -- including such cities as Paris, Madrid, Rome, Berlin, and Frankfurt. The teams reportedly operate from US embassies, using camouflaged surveillance equipment installed on upper floors or rooftops of the embassies.

"Wiretapping from an embassy is illegal in nearly every country. But that is precisely the task of the SCS, as is evidenced by another secret document," Der Spiegel reported. "According to the document, the SCS operates its own sophisticated listening devices with which they can intercept virtually every popular method of communication: cellular signals, wireless networks, and satellite communication."

Meanwhile, the leaked slide published Saturday by NRC Handelsblad also lists the aforementioned "50,000 world-wide implants," which were installed by the NSA's CNE -- computer network exploitation -- teams. The CNE teams operate from within the agency's Tailored Access Operations (TAO) group and comprise about 1,000 personnel, including 600 military and civilian personnel who are based at the NSA's headquarters in Fort Meade, Md., Foreign Policy reported.

The number of systems exploited to date by CNE squares with information contained in the LinkedIn profile of Dean Schyvincht, who as of late August 2013 claimed to be the Texas-based TAO senior computer network operator. Schyvincht said he managed 14 people who collectively executed "over 54,000 Global Network Exploitation (GNE) operations in support of national intelligence agency requirements," the Washington Post reported. That LinkedIn profile has since been deleted.

According to the Post, the NSA first began its CNE operations in 1998, and by 2008 a secret American intelligence report revealed that the agency had installed an estimated 20,000 "implants" into targeted systems. That means the number of systems infected by the NSA has more than doubled in the past five years.

The NSA might activate that malware for a period of weeks, months, or even years. "The malware can be controlled remotely and be turned on and off at will. The 'implants' act as digital 'sleeper cells' that can be activated with a single push of a button," reported NRC Handelsblad. "The NSA presentation shows their CNE operations [are] in countries such as Venezuela and Brazil. The malware installed in these countries can remain active for years without being detected."

The ongoing leak of classified NSA information, meanwhile, led the agency's director, Gen. Keith Alexander, to offer his resignation to President Obama, the Wall Street Journal first reported Sunday. The newspaper said Alexander offered to quit in June, after Snowden took credit for the leaks. But an unnamed former US defense official told the Journal that senior administration officials declined his offer, saying that while they no longer trusted Alexander, they didn't believe that his resignation would solve the problems that led to the leaks, and furthermore didn't want to hand Snowden what they said would amount to a win.

But the leaks will likely reshape how the agency operates, according to Richard Ledgett, who's heading the NSA's Snowden response team. "It was cataclysmic," he said of the leaks, speaking to the Journal. "This is the hardest problem we've had to face in 62 years of existence."

One alteration might follow the departure of Alexander, who's set to leave this coming spring. Deputy defense secretary Ashton Carter is reportedly recommending that -- for the first time ever -- the president select a civilian leader for the NSA.

In addition, the Patriot Act, which the NSA has cited as its justification for the digital dragnet it's now running, is set to expire on June 1, 2015. Privacy experts believe that if the Obama administration seeks to get the law reauthorized, it will need to compromise with pro-privacy members of Congress who want to see the agency cease its mass surveillance of US citizens.


About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
