NSA Hack Attacks: Good Value For Money?

Leaked operations manual reveals NSA attack techniques that are not significantly better than common cybercrime capabilities, despite their high cost to government.

Do the National Security Agency's online espionage capabilities provide good value for money?

Recent reports have disclosed that the NSA uses a fleet of high-latency -- codenamed "Quantum" -- servers to redirect targeted systems to another fleet of servers, codenamed "FoxAcid," that launch tailored drive-by attacks. The agency's malware reportedly targets a range of vulnerabilities, from publicly known flaws to zero-day bugs that only the NSA possesses.

That information comes via former NSA contractor Edward Snowden's leak of top secret documents that detail many of the agency's operating practices. What's struck some information security experts is just how similar the NSA's techniques are to those of cybercrime gangs and advanced persistent attack (APT) groups sponsored or run by other nations.

"The NSA's system for deploying malware isn't particularly novel," according to an overview of the NSA system published by Electronic Frontier Foundation staff technologist Dan Auerbach.

In fact, some security experts would go farther than that. "We could replicate the NSA's capabilities for about $30k on the Russian private blackhat forums," tweeted the Bangkok-based vulnerability broker known as the GrugQ. "US taxpayers, you're being ripped off!"

Exactly what is the return on investment generated by the NSA's hacking techniques? Of course, precise numbers are secret, but in August The Washington Post published a document leaked by Snowden that revealed the secret 2013 "black budget" for the U.S. intelligence community to be $52.6 billion. Of that, $10.8 billion went to the NSA to support its mandate to protect U.S. government systems and obtain foreign signals intelligence, in part via what the budget documents referred to as "offensive cyber operations." The NSA's security intelligence budget, for comparison's sake, was second only to the CIA's $14.7 billion allocation.

As befits an intelligence agency, most -- if not all -- of the NSA's premium hacking capabilities would have been built by NSA staff. But the GrugQ argued that a number of customized NSA hacking techniques might be just as easily fulfilled using off-the-shelf technology, albeit some of it from cybercrime syndicates. "NSA is like a nation state cybercrime gang. Quantum == Traff, FoxAcid == BlackHole Exploit kit++, Implants == Zeus++," he tweeted, referring to the ability to hack into boxes handling network traffic ("traff"), as well as such malware families as the Zeus banking Trojan and the automated Blackhole crimeware toolkit.

Unlike most criminal gangs operating online, however, the NSA also employs a sophisticated risk management model that decides which exploits best fit any given target, and tailors the attack sophistication to the value of the target, according to BT chief security technology officer Bruce Schneier, who's been working with the Guardian to review information leaked by Snowden. "FoxAcid has tiers of exploits it can run, and uses a complicated trade-off system to determine which one to run against any particular target," he said in a blog post that was previously published by the Atlantic.

For example, high-value targets might get hit with a very valuable zero-day vulnerability, unless their operational security is considered good enough to detect the exploit, in which case it may be held in reserve. For low-value targets, even if they're technically sophisticated, however, the agency might use a known vulnerability.

"According to a top-secret operational procedures manual provided by Edward Snowden, an exploit named Validator might be the default, but the NSA has a variety of options," said Schneier. "The documentation mentions United Rake, Peddle Cheap, Packet Wrench and Beach Head -- all delivered from a FoxAcid subsystem called Ferret Cannon."

Those terms appear to be geek-espionage insider-speak for the agency's actual online attack capabilities, and many of the names have left security experts guessing. "Ferret cannon is a hint at capability, dire scallop -- bypasses AV? -- is a hint ... they seem suggestive at least," tweeted the GrugQ.

What also struck Schneier was that the operating procedures for the Tailored Access Operations (TAO) personnel who launch cyberattacks are quite conservative. "They're super cautious about what they do," he said, so as not to tip off their targets.

But if the NSA excels at infiltrating targeted systems while avoiding detection -- and anecdotal evidence suggests this to be the case -- Schneier identified a glaring weakness in its risk-management model. "The organization seems to be good enough at assessing the risk of discovery -- for example, if the target of an intelligence-gathering effort discovers that effort -- but to have completely ignored the risks of those efforts becoming front-page news," he said.

User Rank: Strategist
10/31/2013 | 3:06:57 PM
re: NSA Hack Attacks: Good Value For Money?
yup... foodstamp funding has been cut massively over the last 5 years! you nailed that one!
User Rank: Apprentice
10/14/2013 | 8:07:57 PM
re: NSA Hack Attacks: Good Value For Money?
I bet we could make progress on saving money if we defunded this horrible idea. The only thing we have to fear is our own government.
User Rank: Ninja
10/12/2013 | 1:52:11 PM
re: NSA Hack Attacks: Good Value For Money?
As it turns out most of the NSA programs exist only because their leaders and sponsors need a reason to have a job. They produce zero results, only accumulate more data that needs to be processed, making the haystack only bigger to find the same amount of needles. And then there is ineptitude in execution, as can be seen in the NSA's Utah data center that doesn't even work right. The NSA is a giant waste of taxpayer money and one of the big reasons for federal debt spiraling out of control. But yeah, that gets addressed by cutting food stamps....