NSA secretly uses scapegoats, data mules and innocent victims' PCs for botnets

Besides the NSA being inside North Korean systems yet not warning Sony about the attack, leaked documents indicate that the NSA covertly uses innocent victims' infected PCs when hijacking botnets, secretly shifts blame onto scapegoats, and taps into "unwitting data mules" to pass along exfiltrated information.

[Image: NSA National Security Operations Center. Credit: NSA]

After digging into top secret documents provided by Edward Snowden, Der Spiegel published another very enlightening report on the NSA’s digital arms race. Documents discuss how Five Eyes intelligence partners “steal their tools, tradecraft, targets, and take.”

[Image: National Security Agency headquarters in Fort Meade. Credit: Trevor Paglen]

One document about fourth party collection (pdf) discusses how the NSA takes advantage of computer network exploitation by countries that are not part of Five Eyes. For example, the NSA can glean intelligence about a fourth party target when secretly spying on one country that was using a keylogger to spy on another country.

Yet former U.S. Cyber Command and NSA chief Gen. Keith Alexander told ABC, “The Sony attack clearly highlights that we’re not ready [to defend against a cyberattack]. The way we’re protecting our networks, it’s not working.” Is the U.S. really not ready to defend against attacks, or does the NSA simply choose not to reveal its capabilities and what it knows about cyberattacks launched by other countries? Alexander’s claim about Sony seems dubious, especially when you consider a 2007 document about fifth party collection (pdf):

[Image: NSA slide on fourth and fifth party collection. Credit: NSA]

Given "the extensive American penetration of the North Korean system," why didn't the NSA warn Sony about the attacks? Cyber warfare expert James A. Lewis told The New York Times, "The speed and certainty with which the United States made its determinations about North Korea told you that something was different here. [The U.S.] had some kind of inside view." But according to an unnamed source, even with a substantial digital foothold inside North Korean networks, the NSA "couldn't really understand the severity" of the attack against Sony.

It "was very, very important" to call out bad cyber conduct and say the government knew who hacked Sony. "It was the North Koreans who hacked Sony," FBI Director James Comey said during his speech at the International Conference on Cyber Security.

Comey said the Guardians of Peace "got sloppy" several times. "Either because they forgot or because they had a technical problem, they connected directly and we could see them. And we could see that the IP addresses that were being used to post and to send the e-mails were coming from IPs that were exclusively used by the North Koreans."

Scapegoats and “unwitting data mules”

As for digital war strategy phases, surveillance is apparently so common that the NSA doesn’t even rank it above “Phase 0.” After Phase 0 detects vulnerabilities, “stealthy implants” are used to infiltrate enemy systems and allow for “Phase Three” or “permanent access.” We previously looked at the NSA’s ANT catalog, which contains exploits the NSA uses to hack PCs, routers and servers for surveillance, as well as documents describing how the NSA cracks VPN encryption; both are full of bizarre codenames and scary capabilities. The documents Der Spiegel leaked this time are no different and cover much more than fourth and fifth party collection.

For example, NSA personnel are not worried about getting caught spying. After infiltrating third party computers, the NSA lays false tracks while exfiltrating the data by using scapegoat targets. "That means that stolen information could end up on someone else's servers, making it look as though they were the perpetrators."

Der Spiegel also looked at the NSA’s “methods to exfiltrate data even from devices which are supposed to be offline” (pdf). The NSA presentation discusses Delay Tolerant Networks (DTN), or an “unattributable” way to use commercial mobile devices without the phone’s owner ever being the wiser. The NSA explained that it can use “several ‘brush-pass’ wireless hand-offs as an untraceable alternative to scheduled meetings, dead drops.”

"Unwitting data mules" is a pet term the NSA gives victims whose mobile phones are infected with spyware in order to steal information from the victims’ employers. As the victims head home from work, the NSA remotely retrieves the stolen data from phones. 

The following graphics show examples of how people and vehicles can unwittingly be used as relays. The presentation explained the process as: “Data sources at ‘secret’ locations on campus. Queue up or generate data.” Then “mobile data generator in a car sending segments of audio.”

[Image: NSA DTN slides on using unwitting data mules. Credit: NSA]

The "destination node in the parking lot by the Comcast Center." The next slide shows "pedestrian relays walk around, and pick up data from source nodes."

[Image: NSA DTN slide on pedestrian relays as unwitting data mules. Credit: NSA]

"Car players are typical data ferries" that relay data to the bus in the parking lot, which in this example serves as the data's ultimate destination.

[Image: NSA slide on relaying data via unwitting data mules. Credit: NSA]

Covertly using innocent victims’ PCs when hijacking botnets

Then there's the NSA's botnet takeover, yet another way the NSA can use innocent but already-infected victims to aid its cause. Der Spiegel reported:

The NSA is also able to transform its defenses into an attack of its own. The method is described as "reverse engineer, repurpose software" and involves botnets, sometimes comprising millions of computers belonging to normal users onto which software has been covertly installed. They can thus be controlled remotely as part of a "zombie army" to paralyze companies or to extort them. If the infected hosts appear to be within the United States, the relevant information will be forwarded to the FBI Office of Victim Assistance.

However, a host infected with an exploitable bot could be hijacked through a Quantumbot attack and redirected to the NSA. This program is identified in NSA documents as Defiantwarrior and it is said to provide advantages such as "pervasive network analysis vantage points" and "throw-away non-attributable CNA (eds: computer network attack) nodes". This system leaves people's computers vulnerable and covertly uses them for network operations that might be traced back to an innocent victim. Instead of providing protection to private Internet users, Quantumbot uses them as human shields in order to disguise its own attacks. 
