NSA Elite Hacking Team Operations Exposed

Treasure trove of tools created and used by NSA hackers for planting backdoors via Cisco, Juniper, Apple products unveiled in latest document leaks


It should come as no surprise that the National Security Agency has a special team of top-gun hackers who break into systems around the world to spy on its targets. But revelations published yesterday by a German magazine about the NSA's Tailored Access Operations (TAO) Group and the agency's homegrown hacking tools shine some light on the scope and expertise of the agency's hacking abilities, including its custom backdoor tools for popular commercial networking equipment and systems.

Der Spiegel reported yesterday that the NSA describes the TAO as specialized in "getting the ungettable" with access to "our very hardest targets." According to the report, the hacking team successfully infiltrated 258 targets across 89 countries, and in 2010, executed some 279 different operations.

The report stops short of confirming whether the TAO team was involved in the creation and execution of Stuxnet, the highly targeted malware program that sabotaged uranium enrichment equipment in Iran's Natanz nuclear facility. But it references leaked internal NSA presentation documents on the agency's goals of hacking "servers, workstations, firewalls, routers, handsets, phone switches, SCADA systems, etc."

Michael Sutton, vice president of security research at Zscaler, says the report by the German publication appears to "insinuate" TAO's involvement with Stuxnet, but it's not definitive. "The team does have a development arm constantly tinkering with new technologies," Sutton says.

The leaked catalog of NSA's custom software and hardware-based hacking tools dates back to 2008, so the newly exposed information raises more questions about what else the agency has in its arsenal today. The NSA toolkit published by Der Spiegel consists of so-called "implant" items, such as Nightstand, an 802.11 wireless exploitation and injection tool; Jetplow, a "firmware persistence implant" for taking over Cisco PIX and ASA firewalls; Halluxwater, a backdoor for Huawei firewalls; Feedtrough, a software tool that operates in Juniper firewalls to move other NSA spy software onto mainframes; and Dropout Jeep, a software tool for intercepting communications from an Apple iPhone.

According to the report, the tools have allowed the NSA to create its own global spy network "that operates alongside the Internet." And in a nod to old-school spying techniques, the NSA's TAO group reportedly can intercept a computer shipment bound for a target and load malware or hardware backdoor access onto the equipment before it reaches the buyer.


Networking vendors Cisco and Juniper both issued statements of concern about the report. John Stewart, senior vice president and chief security officer at Cisco, says his company is unaware of any new product vulnerabilities reportedly exploited by the agency, and does not deploy security "backdoors" in its products.

"We are deeply concerned with anything that may impact the integrity of our products or our customers’ networks and continue to seek additional information," Stewart said in a blog post. "At this time, we do not know of any new product vulnerabilities, and will continue to pursue all avenues to determine if we need to address any new issues. If we learn of a security weakness in any of our products, we will immediately address it. As we have stated prior, and communicated to Der Spiegel, we do not work with any government to weaken our products for exploitation, nor to implement any so-called security ‘back doors’ in our products."

A Juniper spokesperson echoed the same sentiments. "We take allegations of this nature very seriously and are working actively to address any possible exploit paths ... We are also committed to the responsible disclosure of security vulnerabilities, and if necessary, will work closely with customers to implement any mitigation steps," the spokesperson said. "Juniper Networks is not aware of any so-called 'BIOS implants' in our products and has not assisted any organization or individual in the creation of such implants."

Zscaler's Sutton says the round of NSA revelations of backdoors in security and networking products has placed the affected vendors in a "delicate position."

"There are really a couple of different ways they get drawn into this. One is that they are a passive participant caught in the middle, and their technologies are attacked," he says. "The NSA has been quite aggressive ... tapping into cables at data centers, and that's all bad news for the vendors. Even though they are not complicit in that process, [vendors] still bear the brunt of the public backlash."

Sutton says the other side of the coin is that vendors in some cases are legally obligated to hand over some data to the NSA, for example. "That, too, is not desirable for them," he says. "They want the public to see" they have no choice in those cases, he says.

Security expert Richard Stiennon says this means security vendors will need to take security more seriously than ever now that they have a "new adversary." "Historically the greatest threats to hardware and software vendors were hackers and security researchers who sought the positive exposure of being the ones to discover a new vulnerability. The actual exploit of published vulnerabilities of network gear is rare and in most cases of responsible disclosure the vendor is given an opportunity to release a patch before the vulnerability is published," he said in a post.

Still, the NSA is not unlike other attackers, Sutton says. "Each time we have one of these [NSA] leaks ... the focus tends to be on this silver bullet we didn't know about, this very powerful tool and method. But the NSA is no different in its tactics at the base level than any other attacker," he says. "They have a toolkit available to them, they reach out and pull out particular tasks. And those tools continually evolve and are remade to suit their purposes. We are constantly seeing glimpses into that toolbox."


About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
