Leaked slide shows NSA hackers secretly infected 50,000 computer networks with malware

As if the NSA doesn’t engage in enough surveillance and intelligence-gathering operations, NSA hackers have reportedly infected over 50,000 computer networks globally with specialized malware, referred to as “implants,” that were compared to “digital ‘sleeper cells’ that can be activated with a single push of a button.”

NRC Handelsblad, a Dutch newspaper, published a leaked slide from a top-secret 2012 presentation, which was obtained by Edward Snowden, showing NSA’s Computer Network Exploitation (CNE) global operations that span five continents.

Leaked NSA slide about hacking, infecting 50,000 networks with malware for global spying, and tapping fiber optic cables

On the slide leaked by NRC, the blue dots indicate the NSA has tapped into internet traffic via large, high-speed fiber optic cables that provide the NSA with “20 access programs worldwide.” Red “regional” dots cover 84 Special Collection Service (SCS) installations, some with redacted location names, which “are part of a joint CIA-NSA program used for close surveillance operations and wiretapping.” Orange dots represent 52 regional FORNSAT “facilities dedicated to intercepting foreign satellite communications.” Additionally, listed under “classes of accesses,” there are green dots that represent 30 third-party countries and yellow dots that indicate more than 50,000 CNE implants across the globe.

The Office of Tailored Access Operations (TAO) is an NSA office where hackers work 24/7 in rotating shifts developing “information that would allow the U.S. to destroy or damage foreign computer and telecommunications systems with a cyberattack.” We previously looked at how ultra-secret NSA hackers, called Computer Network Exploitation (CNE) operators, have successfully owned China for nearly 15 years.

As Foreign Policy reported in June, TAO “collects intelligence information on foreign targets by surreptitiously hacking into their computers and telecommunications systems, cracking passwords, compromising the computer security systems protecting the targeted computer, stealing the data stored on computer hard drives, and then copying all the messages and data traffic passing within the targeted email and text-messaging systems. The technical term of art used by NSA to describe these operations is computer network exploitation (CNE).”

Entrance to TAO is protected by armed guards, a retinal scanner and a six-digit code; inside the TAO’s inner sanctum is the Remote Operations Center (ROC) where U.S. hackers break into targeted foreign systems and deploy specially crafted software “implants.” This malware allows TAO intercept operators to “continuously monitor the email and/or text-messaging traffic coming in and out of the computers or hand-held devices.” As pointed out by NRC Handelsblad, the implants can be turned on and off with the push of a button.

NSA reportedly hacking and spying since 1998

The Washington Post reported that, by 2008, NSA-TAO cyber operations had installed about 20,000 “implants” to compromise routers, switches and firewalls, but that this type of NSA hacking and spying has been happening since 1998. The Post estimated that by the end of 2013, the NSA would “control at least 85,000 implants in strategically chosen machines around the world” in order to harvest information. The NRC Handelsblad leaked slide shows that at least 50,000 CNE implants were in use by 2012.
