Report: NSA not only creates, but also hijacks, malware

Documents leaked by Edward Snowden show the NSA hijacks botnets and computers infected with malware by other intelligence agencies

In addition to having its own arsenal of digital weapons, the U.S. National Security Agency reportedly hijacks and repurposes third-party malware.

The NSA is using its network of servers around the world to monitor botnets made up of thousands or millions of infected computers. When needed, the agency can exploit features of those botnets to insert its own malware on the already compromised computers, through a technology codenamed Quantumbot, German new magazine Der Spiegel reported Sunday.

One of the secret documents leaked by former NSA contractor Edward Snowden and published by Der Spiegel contains details about a covert NSA program called DEFIANTWARRIOR that's used to hijack botnet computers and use them as "pervasive network analysis vantage points" and "throw-away non-attributable CNA [computer network attack] nodes."

This means that if a user's computer is infected by cybercriminals with some malware, the NSA might step in, deploy their own malware alongside it and then use that computer to attack other interesting targets. Those attacks couldn't then be traced back to the NSA.

According to the leaked document, this is only done for foreign computers. Bots that are based in the U.S. are reported to the FBI Office of Victim Assistance.

The NSA also intercepts and collects data that is stolen by third-party malware programs, especially those deployed by other foreign intelligence agencies, if it is valuable. It refers to this practice as "fourth party collection."

In 2009, the NSA tracked a Chinese cyberattack against the U.S. Department of Defense and was eventually able to infiltrate the operation. It found that the Chinese attackers were also stealing data from the United Nations so it continued to monitor the attackers while they were collecting internal UN data, Der Spiegel reported.

It goes deeper than that. One leaked secret document contains an NSA worker's account of a case of fifth party collection. It describes how the NSA infiltrated the South Korean CNE (computer network exploitation) program that targeted North Korea.

"We found a few instances where there were NK officials with SK implants on their boxes, so we got on the exfil [data exfiltration] points, and sucked back the data," the NSA staffer wrote in the document. "However, some of the individuals that SK was targeting were also part of the NK CNE program. So I guess that would be the fifth party collect you were talking about."

In other words, the NSA spied on a foreign intelligence agency that was spying on a different foreign intelligence agency that had interesting data of its own.

Sometimes the NSA also uses the servers of unsuspecting third parties as scapegoats, Der Spiegel reported. When exfiltrating data from a compromised system, the data is sent to such servers, but it is then intercepted and collected en route though the NSA's vast upstream surveillance network.

The documents published by Der Spiegel also shine more light on the malware capabilities of the NSA and the rest of the Five Eyes partners -- the intelligence agencies of the U.K., Canada, Australia and New Zealand.

One leaked document from the Communications Security Establishment Canada (CSEC) describes a unified computer network exploitation platform codenamed WARRIORPRIDE that is used by all Five Eyes partners and can be extended through plug-ins.

Der Spiegel released samples of an old keylogger program dubbed QWERTY that likely acted as a WARRIORPRIDE plug-in, so that the security industry can analyze it and possibly find other connections. The keylogger was among the files leaked by Snowden to journalists.

Another leaked document dated June 2012 describes the technical accomplishments of a malware writer working for one of the Five Eyes agencies. One of the computer network attack (CNA) tools he developed is codenamed PITIEDFOOL and can be used to wipe data from computer hard disk drives at a preconfigured time after first disabling Volume Shadow Copy (VSS), a Windows backup service that can be used to restore data.

"I took a build of FUZZYEBOLA from last month, and without recompiling inserted the PITIEDFOOL binary with configuration details to execute it at a certain time," the tool's author wrote describing a test. "At that time I saw the process usage slightly increase (from 0% to around 2%) and a few minutes later the system rebooted and didn't come back up. Running a file recovery tool over the entire drive yielded some files (from scraping headers) but nearly the entire contents of the drive were irrecoverable, and if it had been configured to securely wipe every sector on the drive after killing the MFT and VSS it wouldn't have been able to recover anything at all. Success!"

If national security agencies are adopting such destructive file wiping malware programs, their use might become a frequent occurrence in the future. Wiper malware was used in August 2012 to destroy data on 30,000 computers at Saudi Aramco, the national oil company of Saudi Arabia; in March 2013 against South Korean banks and broadcasting organizations, and recently against Sony Pictures Entertainment in the U.S.

In each of those cases, previously unknown hacktivist groups claimed responsibility for the attacks. However, the FBI later attributed the attack against Sony to North Korea, resulting in new U.S. sanctions against the country.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags intrusionNational Security Agencyonline safetysecuritySony Pictures Entertainmentspywaremalware

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?