The U.S. National Security Agency has reportedly been working for the past several years on expanding its ability to infect computers with surveillance malware and creating a command-and-control infrastructure capable of managing millions of compromised systems at a time.
According to media reports last year based on secret documents leaked by former NSA contractor Edward Snowden, the NSA had deployed over 50,000 CNE (Computer Network Exploitation) "implants" -- surveillance malware installed on computers and networking devices -- around the world, and their number was expected to reach 85,000 by the end of 2013.
However, the agency has also been working on building a better command-and-control infrastructure codenamed TURBINE that, according to a 2009 top-secret NSA presentation leaked by Snowden, would "allow the current implant network to scale to large size (millions of implants) by creating a system that does automated control [of] implants by groups instead of individually," news website The Intercept reported Wednesday.
The leaked document reveals that TURBINE was supposed to include an "Expert System" capable of managing malware implants with limited or no human input. The NSA described the system as "a brain" that would automatically decide which tools should be provided to a given implant and how the implant should be used based on preset rules.
This system is needed because "one of the greatest challenges for Active SIGINT/attack is scale," the presentation says. "Human 'drivers' limit ability for large-scale exploitation (humans tend to operate within their own environment, not taking into account the bigger picture)."
The implants, which are described in other NSA documents leaked by Snowden, are tailored for specific surveillance tasks or act as malware frameworks that have a modular architecture and support a variety of additional plug-ins to enable different surveillance capabilities.
For example, a plug-in codenamed GROK can log keystrokes. Another, called SALVAGERABBIT, can copy data from removable storage devices connected to a computer. Other plug-ins include CAPTIVATEDAUDIENCE, which can use the computer's microphone to record nearby conversations, and GUMFISH, which can take over the computer's webcam, The Intercept reported.
This design is similar to that observed by security researchers in sophisticated threats like Stuxnet, Flame, The Mask, Red October and others that have been discovered and analyzed in recent years and which are suspected of having been created or sponsored by nation states.
The NSA distributes its implants by using man-in-the-middle and man-on-the-side techniques that route targeted users trying to access legitimate websites to attack servers under NSA control. The agency then exploits vulnerabilities in browsers and other software like Java and Flash Player to deploy the malware, The Intercept reported.
"If we can get the target to visit us in some sort of web browser, we can probably own them," an NSA hacker wrote in one of the leaked documents, according to The Intercept. "The only limitation is the 'how'."