NSA Infects Much U.S. Tech Before it Even Ships

Spyware slipped into IT, security products could give NSA eyes everywhere.

Even the most dramatic accusations of improper or criminal behavior appear to understate the actual digital-espionage methods of the National Security Agency (NSA), according to a series of stories published over the weekend by German daily Der Spiegel.

Since at least 2005, a special division of the NSA has laid the groundwork for (and may have written) the Stuxnet virus, spied on the elected leaders of both allies and enemies, penetrated the most hackproof networks in the world and installed backdoors accessible only to the NSA in computer and networking products made by some of the largest manufacturers in the world, according to a Dec. 29 story in Der Spiegel.

Details of the attacks made by the San Antonio, Tex.-based NSA group known as the Office of Tailored Access Operations (TAO) come from a 50-page catalog of penetration and observation tools provided to Spiegel by whistleblower and former NSA contractor Edward Snowden.

The catalog lists a host of tools from an even more specialized NSA division called ANT, “which presumably stands for Advanced or Access Network Technology,” according to the Spiegel story, which describes ANT as the “master carpenters” building or customizing tools to penetrate targets selected by TAO.

According to the catalog, which lists the cost of each tool as well as its purpose, ANT manufactures a range of spy gear disguised as the ordinary flotsam of IT equipment, ranging from a $39 monitor cord that allows “TAO personnel to see what is displayed on the targeted monitor” to a GSM base station that masquerades as a legitimate cell phone tower to intercept and monitor cell-phone traffic ($40,000).

ANT also develops software designed to penetrate commercial networking and security products, which is often tailored to hardware from specific manufacturers.

A tool code-named FEEDTROUGH, for example, is designed to penetrate firewalls manufactured by secure-networking specialist Juniper Networks and create a backdoor through which the NSA can access anything the Juniper firewall protects; the backdoor survives reboots, security scans and even upgrades of the firewall software itself. Given the effort of developing attack software for each major product from each major IT vendor, however, developers at ANT eventually shifted toward malware built into the BIOS that runs the circuit boards of many computer vendors' machines. Such malware makes itself nearly invisible by loading before anti-malware products and even before the legitimate components of the BIOS software.

Once installed, the malware that ANT refers to as “Persistence” gives NSA operators the ability to install or upgrade nearly any other software they want.

Both the penetration tools and Persistence malware are designed to create backdoors, allowing the NSA to install any other surveillance or penetration software it chooses, and are aimed primarily at firewalls and other security products responsible for preventing exactly the type of backdoor the ANT software creates.

In another effort to slip NSA backdoors into “secure” systems before any effort can be made to block them, ANT has developed access to and malware for the firmware running hard drives from companies including Western Digital, Seagate, Maxtor and Samsung – all but one of which are American companies, the Spiegel story points out.

There is no indication in the catalog or other documents provided by Snowden that any of those IT vendors is aware they’ve been targeted by the NSA or that they may be inadvertently distributing NSA malware along with their own technology. Once installed in the firmware of hard drives, in the BIOS that runs computers' circuit boards, or in routers and other networking equipment (or in SCADA industrial control systems, as the Stuxnet virus and its descendants have done), ANT software compromises the security of those systems, sometimes before the systems themselves even leave the manufacturing line.

Many of the compromised systems – especially routers that provide Internet access to users whose systems may not yet be infected – are set up to route requests for connections to legitimate sites through NSA servers first, allowing the NSA to record the network activity even of users it hasn’t touched in any other way.

While the NSA’s techniques may be effective spycraft, they undermine global confidence in technology produced by U.S. companies and IT makers in general, according to many analysts.

Security guru Bruce Schneier, for example, said that reports the NSA had subverted global cryptography standards.

“The U.S. government needs to recognize and account for the deep harm that it is likely inflicting on American businesses because of these surveillance efforts,” according to Good Harbor Consulting security expert Jacob Olcott, as quoted in BankInfoSecurity Dec. 23.

Weakening the security and cryptography standards designed to protect networked communications undermines global faith in all networked technology, not just that produced by U.S. companies; it erodes not only buyer confidence but also the stability of the Internet and its potential to facilitate global economic growth, according to the conclusions of a commission appointed by the White House to examine allegations of improper surveillance by the NSA.

Rather than undermining security technology to promote its intelligence goals, the U.S. government should “promote security, by (1) fully supporting and not undermining efforts to create encryption standards; (2) making clear that it will not in any way subvert, undermine, weaken, or make vulnerable generally available commercial encryption; and (3) supporting efforts to encourage the greater use of encryption technology for data in transit, at rest, in the cloud, and in storage,” according to the commission’s report, which was published Dec. 12, long before the most recent round of revelations.
