Tailored Access Operations

Last updated
Tailored Access Operations
AbbreviationTAO
Formationc. 1997–2001
Type Advanced persistent threat
Purpose Cyberespionage, cyberwarfare
Headquarters Fort Meade
Region
United States
Methods Zero-days, spyware
Official language
English
Parent organization
S3 Data Acquisition
A reference to Tailored Access Operations in an XKeyscore slide XKeyscore presentation from 2008.pdf
A reference to Tailored Access Operations in an XKeyscore slide

The Office of Tailored Access Operations (TAO), now Computer Network Operations, and structured as S32, [1] is a cyber-warfare intelligence-gathering unit of the National Security Agency (NSA). [2] It has been active since at least 1998, possibly 1997, but was not named or structured as TAO until "the last days of 2000," according to General Michael Hayden. [3] [4] [5]

Contents

TAO identifies, monitors, infiltrates, and gathers intelligence on computer systems being used by entities foreign to the United States. [6] [7] [8] [9]

History

TAO is reportedly "the largest and arguably the most important component of the NSA's huge Signals Intelligence Directorate (SID), [10] consisting of more than 1,000 military and civilian computer hackers, intelligence analysts, targeting specialists, computer hardware and software designers, and electrical engineers. The office is currently known as Office of Computer Network Operations (OCNO). ". [4]

Snowden leak

A document leaked by former NSA contractor Edward Snowden describing the unit's work says TAO has software templates allowing it to break into commonly used hardware, including "routers, switches, and firewalls from multiple product vendor lines". [11] TAO engineers prefer to tap networks rather than isolated computers, because there are typically many devices on a single network. [11]

Organization

TAO's headquarters are termed the Remote Operations Center (ROC) and are based at the NSA headquarters at Fort Meade, Maryland. TAO also has expanded to NSA Hawaii (Wahiawa, Oahu), NSA Georgia (Fort Eisenhower, Georgia), NSA Texas (Joint Base San Antonio, Texas), and NSA Colorado (Buckley Space Force Base, Denver). [4]

Virtual locations

Details [17] on a program titled QUANTUMSQUIRREL indicate NSA ability to masquerade as any routable IPv4 or IPv6 host. [18] This enables an NSA computer to generate false geographical location and personal identification credentials when accessing the Internet utilizing QUANTUMSQUIRREL. [19]

Leadership

From 2013 to 2017, [20] the head of TAO was Rob Joyce, a 25-plus year employee who previously worked in the NSA's Information Assurance Directorate (IAD). In January 2016, Joyce had a rare public appearance when he gave a presentation at the Usenix’s Enigma conference. [21]

QUANTUMSQUIRREL image from an NSA presentation explaining the QUANTUMSQUIRREL IP host spoofing ability QUANTUMSQUIRREL.jpg
QUANTUMSQUIRREL image from an NSA presentation explaining the QUANTUMSQUIRREL IP host spoofing ability

NSA ANT catalog

The NSA ANT catalog is a 50-page classified document listing technology available to the United States National Security Agency (NSA) Tailored Access Operations (TAO) by the Advanced Network Technology (ANT) Division to aid in cyber surveillance. Most devices are described as already operational and available to US nationals and members of the Five Eyes alliance. According to Der Spiegel , which released the catalog to the public on December 30, 2013, "The list reads like a mail-order catalog, one from which other NSA employees can order technologies from the ANT division for tapping their targets' data." The document was created in 2008. [22] Security researcher Jacob Appelbaum gave a speech at the Chaos Communications Congress in Hamburg, Germany, in which he detailed techniques that the simultaneously published Der Spiegel article he coauthored disclosed from the catalog. [22]

QUANTUM attacks

Lolcat image from an NSA presentation explaining in part the naming of the QUANTUM program NSA quantum cat.jpg
Lolcat image from an NSA presentation explaining in part the naming of the QUANTUM program
NSA's QUANTUMTHEORY overview slide with various codenames for specific types of attack and integration with other NSA systems NSA QUANTUMTHEORY.jpg
NSA's QUANTUMTHEORY overview slide with various codenames for specific types of attack and integration with other NSA systems

The TAO has developed an attack suite they call QUANTUM. It relies on a compromised router that duplicates internet traffic, typically HTTP requests, so that they go both to the intended target and to an NSA site (indirectly). The NSA site runs FOXACID software which sends back exploits that load in the background in the target web browser before the intended destination has had a chance to respond (it's unclear if the compromised router facilitates this race on the return trip). Prior to the development of this technology, FOXACID software made spear-phishing attacks the NSA referred to as spam. If the browser is exploitable, further permanent "implants" (rootkits etc.) are deployed in the target computer, e.g. OLYMPUSFIRE for Windows, which gives complete remote access to the infected machine. [23] This type of attack is part of the man-in-the-middle attack family, though more specifically it is called man-on-the-side attack. It is difficult to pull off without controlling some of the Internet backbone. [24]

There are numerous services that FOXACID can exploit this way. The names of some FOXACID modules are given below: [25]

By collaboration with the British Government Communications Headquarters (GCHQ) (MUSCULAR), Google services could be attacked too, including Gmail. [25]

Finding machines that are exploitable and worth attacking is done using analytic databases such as XKeyscore. [26] A specific method of finding vulnerable machines is interception of Windows Error Reporting traffic, which is logged into XKeyscore. [27]

QUANTUM attacks launched from NSA sites can be too slow for some combinations of targets and services as they essentially try to exploit a race condition, i.e. the NSA server is trying to beat the legitimate server with its response. [28] As of mid-2011, the NSA was prototyping a capability codenamed QFIRE, which involved embedding their exploit-dispensing servers in virtual machines (running on VMware ESX) hosted closer to the target, in the so-called Special Collection Sites (SCS) network worldwide. The goal of QFIRE was to lower the latency of the spoofed response, thus increasing the probability of success. [29]

COMMENDEER [ sic ] is used to commandeer (i.e. compromise) untargeted computer systems. The software is used as a part of QUANTUMNATION, which also includes the software vulnerability scanner VALIDATOR. The tool was first described at the 2014 Chaos Communication Congress by Jacob Appelbaum, who characterized it as tyrannical. [30] [31] [32]

QUANTUMCOOKIE is a more complex form of attack which can be used against Tor users. [33]

Targets and collaborations

Suspected, alleged and confirmed targets of the Tailored Access Operations unit include national and international entities like China, [4] Northwestern Polytechnical University, [34] OPEC, [35] and Mexico's Secretariat of Public Security. [27]

The group has also targeted global communication networks via SEA-ME-WE 4 – an optical fibre submarine communications cable system that carries telecommunications between Singapore, Malaysia, Thailand, Bangladesh, India, Sri Lanka, Pakistan, United Arab Emirates, Saudi Arabia, Sudan, Egypt, Italy, Tunisia, Algeria and France. [31] Additionally, Försvarets radioanstalt (FRA) in Sweden gives access to fiber optic links for QUANTUM cooperation. [36] [37]

TAO's QUANTUM INSERT technology was passed to UK services, particularly to GCHQ's MyNOC, which used it to target Belgacom and GPRS roaming exchange (GRX) providers like the Comfone, Syniverse, and Starhome. [27] Belgacom, which provides services to the European Commission, the European Parliament and the European Council discovered the attack. [38]

In concert with the CIA and FBI, TAO is used to intercept laptops purchased online, divert them to secret warehouses where spyware and hardware is installed, and send them on to customers. [39] TAO has also targeted internet browsers Tor and Firefox. [24]

According to a 2013 article in Foreign Policy , TAO has become "increasingly accomplished at its mission, thanks in part to the high-level cooperation it secretly receives from the 'big three' American telecom companies (AT&T, Verizon and Sprint), most of the large US-based Internet service providers, and many of the top computer security software manufacturers and consulting companies." [40] A 2012 TAO budget document claims that these companies, on TAO's behest, "insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communications devices used by targets". [40] A number of US companies, including Cisco and Dell, have subsequently made public statements denying that they insert such back doors into their products. [41] Microsoft provides advance warning to the NSA of vulnerabilities it knows about, before fixes or information about these vulnerabilities is available to the public; this enables TAO to execute so-called zero-day attacks. [42] A Microsoft official who declined to be identified in the press confirmed that this is indeed the case, but said that Microsoft cannot be held responsible for how the NSA uses this advance information. [43]

See also

Related Research Articles

<span class="mw-page-title-main">ECHELON</span> Signals intelligence collection and analysis network

ECHELON, originally a secret government code name, is a surveillance program operated by the five signatory states to the UKUSA Security Agreement: Australia, Canada, New Zealand, the United Kingdom and the United States, also known as the Five Eyes.

<span class="mw-page-title-main">Industrial espionage</span> Use of espionage for commercial purposes rather than security

Industrial espionage, also known as economic espionage, corporate spying, or corporate espionage, is a form of espionage conducted for commercial purposes instead of purely national security.

<span class="mw-page-title-main">National Security Agency</span> U.S. signals intelligence organization

The National Security Agency (NSA) is an intelligence agency of the United States Department of Defense, under the authority of the Director of National Intelligence (DNI). The NSA is responsible for global monitoring, collection, and processing of information and data for foreign intelligence and counterintelligence purposes, specializing in a discipline known as signals intelligence (SIGINT). The NSA is also tasked with the protection of U.S. communications networks and information systems. The NSA relies on a variety of measures to accomplish its mission, the majority of which are clandestine. The NSA has roughly 32,000 employees.

<span class="mw-page-title-main">UKUSA Agreement</span> Multilateral signals intelligence treaty signed in 1946

The United Kingdom – United States of America Agreement is a multilateral agreement for cooperation in signals intelligence between Australia, Canada, New Zealand, the United Kingdom, and the United States. The alliance of intelligence operations is also known as the Five Eyes. In classification markings this is abbreviated as FVEY, with the individual countries being abbreviated as AUS, CAN, NZL, GBR, and USA, respectively.

<span class="mw-page-title-main">Special Collection Service</span> Classified joint CIA–NSA program to insert eavesdropping equipment in difficult places

The Special Collection Service (SCS), codenamed F6, is a highly classified joint U.S. Central Intelligence Agency–National Security Agency program charged with inserting eavesdropping equipment in difficult-to-reach places, such as foreign embassies, communications centers, and foreign government installations. Established in the late 1970s and headquartered in Beltsville, Maryland, the SCS has been involved in operations ranging from the Cold War to the Global War on Terrorism.

<span class="mw-page-title-main">Tempora</span> GCHQ-operated Internet and telephone surveillance system

Tempora is the codeword for a formerly-secret computer system that is used by the British Government Communications Headquarters (GCHQ). This system is used to buffer most Internet communications that are extracted from fibre-optic cables, so these can be processed and searched at a later time. It was tested from 2008 and became operational in late 2011.

<span class="mw-page-title-main">XKeyscore</span> Mass surveillance system

XKeyscore is a secret computer system used by the United States National Security Agency (NSA) for searching and analyzing global Internet data, which it collects in real time. The NSA has shared XKeyscore with other intelligence agencies, including the Australian Signals Directorate, Canada's Communications Security Establishment, New Zealand's Government Communications Security Bureau, Britain's Government Communications Headquarters, Japan's Defense Intelligence Headquarters, and Germany's Bundesnachrichtendienst.

<span class="mw-page-title-main">Bullrun (decryption program)</span> Code name of a decryption program run by the NSA

Bullrun is a clandestine, highly classified program to crack encryption of online communications and data, which is run by the United States National Security Agency (NSA). The British Government Communications Headquarters (GCHQ) has a similar program codenamed Edgehill. According to the Bullrun classification guide published by The Guardian, the program uses multiple methods including computer network exploitation, interdiction, industry relationships, collaboration with other intelligence community entities, and advanced mathematical techniques.

<span class="mw-page-title-main">Mass surveillance in the United States</span>

The practice of mass surveillance in the United States dates back to wartime monitoring and censorship of international communications from, to, or which passed through the United States. After the First and Second World Wars, mass surveillance continued throughout the Cold War period, via programs such as the Black Chamber and Project SHAMROCK. The formation and growth of federal law-enforcement and intelligence agencies such as the FBI, CIA, and NSA institutionalized surveillance used to also silence political dissent, as evidenced by COINTELPRO projects which targeted various organizations and individuals. During the Civil Rights Movement era, many individuals put under surveillance orders were first labelled as integrationists, then deemed subversive, and sometimes suspected to be supportive of the communist model of the United States' rival at the time, the Soviet Union. Other targeted individuals and groups included Native American activists, African American and Chicano liberation movement activists, and anti-war protesters.

<span class="mw-page-title-main">2010s global surveillance disclosures</span> Disclosures of NSA and related global espionage

During the 2010s, international media reports revealed new operational details about the Anglophone cryptographic agencies' global surveillance of both foreign and domestic nationals. The reports mostly relate to top secret documents leaked by ex-NSA contractor Edward Snowden. The documents consist of intelligence files relating to the U.S. and other Five Eyes countries. In June 2013, the first of Snowden's documents were published, with further selected documents released to various news outlets through the year.

<span class="mw-page-title-main">Global surveillance</span> Mass surveillance across national borders

Global mass surveillance can be defined as the mass surveillance of entire populations across national borders.

<span class="mw-page-title-main">ANT catalog</span> Classified catalog of hacking tools by the NSA

The ANT catalog is a classified product catalog by the U.S. National Security Agency (NSA) of which the version written in 2008–2009 was published by German news magazine Der Spiegel in December 2013. Forty-nine catalog pages with pictures, diagrams and descriptions of espionage devices and spying software were published. The items are available to the Tailored Access Operations unit and are mostly targeted at products from US companies such as Apple, Cisco and Dell. The source is believed to be someone different than Edward Snowden, who is largely responsible for the global surveillance disclosures during the 2010s. Companies whose products could be compromised have denied any collaboration with the NSA in developing these capabilities. In 2014, a project was started to implement the capabilities from the ANT catalog as open-source hardware and software.

The Joint Threat Research Intelligence Group (JTRIG) is a unit of the Government Communications Headquarters (GCHQ), the British intelligence agency. The existence of JTRIG was revealed as part of the global surveillance disclosures in documents leaked by the former National Security Agency contractor Edward Snowden.

<span class="mw-page-title-main">Timeline of global surveillance disclosures (2013–present)</span>

This timeline of global surveillance disclosures from 2013 to the present day is a chronological list of the global surveillance disclosures that began in 2013. The disclosures have been largely instigated by revelations from the former American National Security Agency contractor Edward Snowden.

The United States is widely considered to have one of the most extensive and sophisticated intelligence network of any nation in the world, with organizations including the Central Intelligence Agency and the National Security Agency, amongst others. It has conducted numerous espionage operations against foreign countries, including both allies and rivals. Its operations have included the use of industrial espionage, cyber espionage. and mass surveillance.

Regin is a sophisticated malware and hacking toolkit used by United States' National Security Agency (NSA) and its British counterpart, the Government Communications Headquarters (GCHQ). It was first publicly revealed by Kaspersky Lab, Symantec, and The Intercept in November 2014. The malware targets specific users of Microsoft Windows-based computers and has been linked to the US intelligence-gathering agency NSA and its British counterpart, the GCHQ. The Intercept provided samples of Regin for download, including malware discovered at a Belgian telecommunications provider, Belgacom. Kaspersky Lab says it first became aware of Regin in spring 2012, but some of the earliest samples date from 2003. Among computers infected worldwide by Regin, 28 percent were in Russia, 24 percent in Saudi Arabia, 9 percent each in Mexico and Ireland, and 5 percent in each of India, Afghanistan, Iran, Belgium, Austria, and Pakistan.

The Equation Group, classified as an advanced persistent threat, is a highly sophisticated threat actor suspected of being tied to the Tailored Access Operations (TAO) unit of the United States National Security Agency (NSA). Kaspersky Labs describes them as one of the most sophisticated cyber attack groups in the world and "the most advanced (...) we have seen", operating alongside the creators of Stuxnet and Flame. Most of their targets have been in Iran, Russia, Pakistan, Afghanistan, India, Syria and Mali.

Operation Socialist is the code name given by the British signals and communications agency Government Communications Headquarters (GCHQ) to an operation in which GCHQ successfully breached the infrastructure of the Belgian telecommunications company Belgacom between 2010 and 2013. The operation's existence was first revealed in documents leaked by the former National Security Agency contractor Edward Snowden.

Hardware backdoors are backdoors in hardware, such as code inside hardware or firmware of computer chips. The backdoors may be directly implemented as hardware Trojans in the integrated circuit.

References

  1. Nakashima, Ellen (1 December 2017). "NSA employee who worked on hacking tools at home pleads guilty to spy charge". The Washington Post . Retrieved 4 December 2017.
  2. Loleski, Steven (2018-10-18). "From cold to cyber warriors: the origins and expansion of NSA's Tailored Access Operations (TAO) to Shadow Brokers". Intelligence and National Security. 34 (1): 112–128. doi:10.1080/02684527.2018.1532627. ISSN   0268-4527. S2CID   158068358.
  3. Hayden, Michael V. (23 February 2016). Playing to the Edge: American Intelligence in the Age of Terror. Penguin Press. ISBN   978-1594206566 . Retrieved 1 April 2021.
  4. 1 2 3 4 5 Aid, Matthew M. (10 June 2013). "Inside the NSA's Ultra-Secret China Hacking Group". Foreign Policy. Retrieved 11 June 2013.
  5. Paterson, Andrea (30 August 2013). "The NSA has its own team of elite hackers" . The Washington Post. Archived from the original on Oct 19, 2013. Retrieved 31 August 2013.
  6. Kingsbury, Alex (June 19, 2009). "The Secret History of the National Security Agency". U.S. News & World Report . Retrieved 22 May 2013.
  7. Kingsbury, Alex; Mulrine, Anna (November 18, 2009). "U.S. is Striking Back in the Global Cyberwar". U.S. News & World Report . Retrieved 22 May 2013.
  8. Riley, Michael (May 23, 2013). "How the U.S. Government Hacks the World". Bloomberg Businessweek . Archived from the original on May 25, 2013. Retrieved 23 May 2013.
  9. Aid, Matthew M. (8 June 2010). The Secret Sentry: The Untold History of the National Security Agency. Bloomsbury USA. p. 311. ISBN   978-1-60819-096-6 . Retrieved 22 May 2013.
  10. "FOIA #70809 (released 2014-09-19)" (PDF).
  11. 1 2 Gellman, Barton; Nakashima, Ellen (August 30, 2013). "U.S. spy agencies mounted 231 offensive cyber-operations in 2011, documents show". The Washington Post. Retrieved 7 September 2013. Much more often, an implant is coded entirely in software by an NSA group called, Tailored Access Operations (TAO). As its name suggests, TAO builds attack tools that are custom-fitted to their targets. The NSA unit's software engineers would rather tap into networks than individual computers because there are usually many devices on each network. Tailored Access Operations has software templates to break into common brands and models of "routers, switches, and firewalls from multiple product vendor lines," according to one document describing its work.
  12. "Secret NSA hackers from TAO Office have been pwning China for nearly 15 years". Computerworld. 2013-06-11. Archived from the original on 2014-01-25. Retrieved 2014-01-27.
  13. Rothkopf, David. "Inside the NSA's Ultra-Secret China Hacking Group". Foreign Policy. Retrieved 2014-01-27.
  14. "Hintergrund: Die Speerspitze des amerikanischen Hackings - News Ausland: Amerika". Tages-Anzeiger. tagesanzeiger.ch. Retrieved 2014-01-27.
  15. "Inside the NSA's Ultra-Secret Hacking Group". Atlantic Council. 2013-06-11. Retrieved 2023-07-27.
  16. noahmax (2005-02-21). "Jimmy Carter: Super Spy?". Defense Tech. Archived from the original on 2014-02-20. Retrieved 2014-01-27.
  17. https://www.eff.org/files/2014/04/09/20140312-intercept-the_nsa_and_gchqs_quantumtheory_hacking_tactics.pdf (slide 8)
  18. Dealer, Hacker. "Dealer, Hacker, Lawyer, Spy: Modern Techniques and Legal Boundaries of Counter-cybercrime Operations". The European Review of Organised Crime.
  19. "The NSA and GCHQ's QUANTUMTHEORY Hacking Tactics". firstlook.org. 2014-07-16. Retrieved 2014-07-16.
  20. Landler, Mark (April 10, 2018). "Thomas Bossert, Trump's Chief Adviser on Homeland Security, Is Forced Out". New York Times. Retrieved March 9, 2022.
  21. Thomson, Iain (January 28, 2016). "NSA's top hacking boss explains how to protect your network from his attack squads". The Register.
  22. 1 2 This section copied from NSA ANT catalog; see there for sources
  23. "Quantumtheory: Wie die NSA weltweit Rechner hackt". Der Spiegel. 2013-12-30. Retrieved 2014-01-18.
  24. 1 2 Schneier, Bruce (2013-10-07). "How the NSA Attacks Tor/Firefox Users With QUANTUM and FOXACID". Schneier.com. Retrieved 2014-01-18.
  25. 1 2 "NSA-Dokumente: So knackt der Geheimdienst Internetkonten". Der Spiegel. 2013-12-30. Retrieved 2014-01-18.
  26. Gallagher, Sean (August 1, 2013). "NSA's Internet taps can find systems to hack, track VPNs and Word docs" . Retrieved August 8, 2013.
  27. 1 2 3 "Inside TAO: Targeting Mexico". Der Spiegel. 2013-12-29. Retrieved 2014-01-18.
  28. Fotostrecke (2013-12-30). "QFIRE - die "Vorwärtsverteidigng" der NSA". Der Spiegel. Retrieved 2014-01-18.
  29. "QFIRE - die "Vorwärtsverteidigng" der NSA". Der Spiegel. 2013-12-30. Retrieved 2014-01-18.
  30. ""Chaos Computer Club CCC Presentation" at 28:34". YouTube .
  31. 1 2 Thomson, Iain (2013-12-31). "How the NSA hacks PCs, phones, routers, hard disks 'at speed of light': Spy tech catalog leaks". The Register . London . Retrieved 2014-08-15.
  32. Mick, Jason (2013-12-31). "Tax and Spy: How the NSA Can Hack Any American, Stores Data 15 Years". DailyTech. Archived from the original on 2014-08-24. Retrieved 2014-08-15.
  33. Weaver, Nicholas (2013-03-28). "Our Government Has Weaponized the Internet. Here's How They Did It". Wired. Retrieved 2014-01-18.
  34. "China Accuses US of Repeated Hacks on Polytechnic University". Bloomberg. September 5, 2022 via www.bloomberg.com.
  35. Gallagher, Sean (2013-11-12). "Quantum of pwnness: How NSA and GCHQ hacked OPEC and others". Ars Technica. Retrieved 2014-01-18.
  36. "Läs dokumenten om Sverige från Edward Snowden - Uppdrag Granskning". SVT.se. Retrieved 2014-01-18.
  37. "What You Wanted to Know" (PDF). documentcloud.org. Retrieved 2015-10-03.
  38. "British spies reportedly spoofed LinkedIn, Slashdot to target network engineers". Network World. 2013-11-11. Archived from the original on 2014-01-15. Retrieved 2014-01-18.
  39. "Inside TAO: The NSA's Shadow Network". Der Spiegel. 2013-12-29. Retrieved 2014-01-27.
  40. 1 2 Aid, Matthew M. (2013-10-15). "The NSA's New Code Breakers". Foreign Policy. Retrieved 2023-07-27.
  41. Farber, Dan (2013-12-29). "NSA reportedly planted spyware on electronics equipment | Security & Privacy". CNET News. Retrieved 2014-01-18.
  42. Schneier, Bruce (2013-10-04). "How the NSA Thinks About Secrecy and Risk". The Atlantic. Retrieved 2014-01-18.
  43. Riley, Michael (2013-06-14). "U.S. Agencies Said to Swap Data With Thousands of Firms". Bloomberg. Retrieved 2014-01-18.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.