Does the NSA Have Plans to Infect Millions of PCs with Malware, or Not?

If you must disclose information to organizations, make sure they have security protocols in place to protect data privacy in the age of the NSA.


18 March 2014


Last week, reporters Ryan Gallagher and Glenn Greenwald shared their latest scoop, courtesy of classified files leaked by NSA whistleblower Edward Snowden.

The claim? Supposedly, the NSA has developed technology which could be used to infect millions of computers worldwide with spying malware. Once in place, the malware could be used to vacuum up data from overseas companies and networks.

Referring to a top secret NSA presentation, the article in The Intercept gives an overview of the system:

The automated system – codenamed TURBINE – is designed to "allow the current implant network to scale to large size (millions of implants) by creating a system that does automated control implants by groups instead of individually."

Another document, dated August 2009, describes a technique codenamed QUANTUMHAND, which tricks users into believing they are connecting to Facebook:

In some cases the NSA has masqueraded as a fake Facebook server, using the social media site as a launching pad to infect a target’s computer and exfiltrate files from a hard drive. In others, it has sent out spam emails laced with the malware, which can be tailored to covertly record audio from a computer’s microphone and take snapshots with its webcam. The hacking systems have also enabled the NSA to launch cyber-attacks by corrupting and disrupting file downloads or denying access to websites.

The journalists even managed to get their hands on top secret animation, demonstrating how QUANTUMHAND would work.

Fake websites, data-stealing malware, webcam-snooping and so forth are nothing new, of course. We've seen malicious hackers taking advantage of such techniques for years. But QUANTUMHAND is more sophisticated: by monitoring internet traffic it detects that a targeted computer is accessing a particular site (Facebook is the example given), tips off TURBINE, and redirects the user to a bogus site under the NSA's control for the purposes of infection and data exfiltration.
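The article says only that the system watches traffic and redirects the user; it does not say how the redirect is delivered. One check a network defender can still run is shown below, as an added example that is not part of the original article or of any leaked document. It assumes (and this is an assumption, not something the article states about QUANTUMHAND) that a forged server response is raced against the genuine one, so that for a moment the client's TCP stream contains two different payloads claiming the same sequence number. The packets, stream IDs and the `bogus.example` host are all constructed for the example.

```python
"""Flag TCP streams in which two server segments claim the same sequence
number but carry different payloads.  Added example with constructed data;
the race-injected-response model is an assumption, not a description of
QUANTUMHAND taken from the article or the leaked documents."""

# Constructed capture: (stream_id, sender, seq, payload).
# Stream "s1": a client fetches facebook.com; a forged 302 to a bogus host
# arrives ahead of the genuine 200, both starting at server seq 1001.
# Stream "s2": an ordinary retransmission, identical bytes both times.
SAMPLE_SEGMENTS = [
    ("s1", "client", 1, b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"),
    ("s1", "server", 1001, b"HTTP/1.1 302 Found\r\nLocation: http://bogus.example/\r\n\r\n"),
    ("s1", "server", 1001, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    ("s2", "client", 1, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("s2", "server", 5001, b"HTTP/1.1 200 OK\r\n\r\nhello"),
    ("s2", "server", 5001, b"HTTP/1.1 200 OK\r\n\r\nhello"),  # benign retransmit
]

# Hosts whose streams deserve extra attention (assumed watch list).
WATCHED_HOSTS = {b"www.facebook.com", b"facebook.com"}


def request_host(payload):
    """Return the lower-cased Host header of an HTTP request, or None."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().lower()
    return None


def find_conflicting_responses(segments, watched_hosts=WATCHED_HOSTS):
    """Return one finding per server segment that reuses a sequence number
    already seen in its stream but carries different bytes.  A genuine
    retransmission repeats the same bytes, so differing bytes mean two
    senders raced for the same slot in the stream."""
    hosts = {}          # stream -> Host of the first client request
    first_payload = {}  # (stream, seq) -> first server payload seen
    findings = []
    for stream, sender, seq, payload in segments:
        if sender == "client":
            host = request_host(payload)
            if host is not None:
                hosts.setdefault(stream, host)
            continue
        earlier = first_payload.setdefault((stream, seq), payload)
        if earlier != payload:
            findings.append({
                "stream": stream,
                "host": hosts.get(stream),
                "watched": hosts.get(stream) in watched_hosts,
                "seq": seq,
                "first_status": earlier.split(b"\r\n", 1)[0].decode("ascii", "replace"),
                "second_status": payload.split(b"\r\n", 1)[0].decode("ascii", "replace"),
            })
    return findings


if __name__ == "__main__":
    for finding in find_conflicting_responses(SAMPLE_SEGMENTS):
        print(finding)
```

Run against real traffic, the same logic applies to TCP segments reassembled from a capture; the point of keeping the first payload rather than the last is that the client will have acted on whichever response won the race, which is the one worth examining.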

TURBINE appears designed to make spying less reliant on the NSA's own hacking personnel, thus opening the door to automated large-scale exploitation. With such a system in place, it would become easier to attack and steal information from a much larger number of computers. As one leaked NSA document describes, the plan for TURBINE was to "increase the current capability to deploy and manage hundreds of Computer Network Exploitation (CNE) and Computer Network Attack (CNA) implants to potentially millions of implants."

I don't think any of us would be surprised or shocked at the news that the NSA is interested in spying on people's computers. One would hope that the NSA would only use surveillance technology to snoop on the computers of persons it had strong reasons to believe would be of interest and a risk to the United States, abiding at all times by the legal restrictions on the agency's activities.

Most relevantly in this case, the claim that the NSA might have planned to infect millions of computers with malware, without the careful oversight of human operators, is a deeply disturbing one. After all, any malware infection adds code and a command channel to the victim machine, and those are vulnerabilities which could be exploited by other attackers.

For its part, the NSA firmly rebutted the report, curtly claiming it was inaccurate:

Recent media reports that allege NSA has infected millions of computers around the world with malware, and that NSA is impersonating U.S. social media or other websites, are inaccurate. NSA uses its technical capabilities only to support lawful and appropriate foreign intelligence operations, all of which must be carried out in strict accordance with its authorities. Technical capability must be understood within the legal, policy, and operational context within which the capability must be employed.

NSA’s authorities require that its foreign intelligence operations support valid national security requirements, protect the legitimate privacy interests of all persons, and be as tailored as feasible. NSA does not use its technical capabilities to impersonate U.S. company websites. Nor does NSA target any user of global Internet services without appropriate legal authority. Reports of indiscriminate computer exploitation operations are simply false.

Did you notice that the NSA's response says it "does not" impersonate US websites, using the present tense, rather than denying that it has ever done so? And The Intercept never claimed that the NSA had infected millions of computers, only that TURBINE was designed to scale to that size.

Whether this is a case of sloppy wording in the NSA's denial or a deliberate slippery evasion of the accusations is a question that is not easy for any of us to answer. One thing is clear - this is a story that continues to twist and turn, causing many interested in privacy and security to keep a close eye on the NSA's activities.

If you must disclose private information to organizations, be that as a client or a customer, make sure that the partners you work with have security protocols in place to protect your data privacy in the age of the NSA. For more information, check out this whitepaper from Intralinks: "The Most Powerful of Adversaries: NSA Programs and Techniques Provide Lessons in Data Privacy and Managing Enterprise Collaboration."



Graham Cluley

Graham Cluley is an award-winning veteran of the anti-virus industry, fighting cybercrime and raising awareness of computer security and privacy issues since the early 1990s. Find out more on his computer security blog or follow him on Twitter.