Introduction

Germany’s Der Spiegel has published a couple of disturbing articles on the NSA surveillance activities. The media agency has focused its articles on the Advanced/Access Network Technology (ANT) division of the NSA’s Tailored Access Operations (TAO) elite hacker unit, and the capabilities of the division in the development of advanced tools to infiltrate practically every technology.

Der Spiegel published an internal NSA catalog that offers spies backdoors into a wide range of equipment from major IT vendors. The document includes backdoors for hard drives from Western Digital, Seagate, Maxtor and Samsung, for Juniper Networks firewalls, for networking appliances from Cisco and Huawei, and for unspecified equipment from Dell. The products listed in the catalog are designed by the Advanced/Access Network Technology (ANT) division, and they show that the agency has built the capability to compromise practically any kind of device. The division is also able to infect the BIOS firmware of targeted systems for long-term cyber espionage.

The catalog includes many tools and their prices, for example, a base station for fooling mobile networks and cell phones is $40,000, bugs disguised as USB plugs are $20,000, and there are also cheaper rigged monitor cables for spying on targets’ monitors.

“The catalog even lists the prices for these electronic break-in tools, with costs ranging from free to $250,000. In the case of Juniper, the name of this particular digital lock pick is FEEDTROUGH. This malware burrows into Juniper firewalls and makes it possible to smuggle other NSA programs into mainframe computers. Thanks to FEEDTROUGH, these implants can, by design, even survive ‘across reboots and software upgrades.’ In this way, US government spies can secure themselves a permanent presence in computer networks. The catalog states that FEEDTROUGH has been deployed on many target platforms.”

The articles also reveal how the NSA and its allies tapped major undersea cables analyzing bulk internet traffic. The leaked documents report that, on Feb. 13, 2013, TAO “successfully collected network management information for the SEA-Me-We Undersea Cable Systems (SMW-4).” With the help of a “website masquerade operation,” the agency was able to “gain access to the consortium’s management website and collected Layer 2 network information that shows the circuit mapping for significant portions of the network.”

“One document labeled top secret and not for foreigners describes the NSA’s success in spying on the SEA-ME-WE-4 cable system. This massive underwater cable bundle connects Europe with North Africa and the Gulf states and then continues on through Pakistan and India, all the way to Malaysia and Thailand. The cable system originates in southern France, near Marseille. Among the companies that hold ownership stakes in it are France Telecom, now known as Orange and still partly government-owned, and Telecom Italia Sparkle.”

To Protect and Infect

The story starts when the well-known cryptographer and activist Jacob Appelbaum brought Der Spiegel the pages of a catalog of backdoors, monitoring programs and many other spying tool-kits.

Appelbaum gave an interesting talk at the 30th Chaos Communication Congress on the militarization of the internet, exposing the contents of the NSA catalog. Appelbaum confirmed that he had received the top-secret documents from Edward Snowden. They are further evidence of the scale of the surveillance operated by the NSA worldwide.

“Their goal is to have total surveillance of everything they’re interested in. There really is no boundary to what they want to do. There is only sometimes a boundary of what they are funded to do and the amount of things they are able to do at scale. They seem to do (those things) without thinking too much about it. And there are specific tactical things where they have to target a group or individual, and those things seem limited either by budgets or simply by their time. The NSA has retarded the process by which we secure the Internet because it has established a hegemony of power in secret to do these things.”

Appelbaum described the internal organization of the NSA, in particular the existence of an elite team of hackers known as the agency’s Tailored Access Operations unit, or TAO. The security expert described their major products, including deep-packet inspection (e.g. TURMOIL) and a series of off-the-shelf or zero-day exploits ready to be injected into a data stream to compromise a vulnerable machine.

What’s interesting is the proof of concept on the FoxAcid infrastructure presented by Appelbaum. Recall that the system was able to analyze targets in real time and choose the most effective exploits for each. Appelbaum also revealed the existence of the QUANTUM-X tools, which include a set of zero-days, man-on-the-side attacks and much more.

Of course, the NSA also has the best technology for internet monitoring and mobile surveillance; anything could be intercepted.

Digging in the Catalog

In the days after the disclosure of the NSA catalog, many websites reported the news, focusing their posts on the spyware codenamed DROPOUTJEEP. That spyware was designed by the intelligence agency to spy on every Apple iPhone, but the pages of the catalog are a mine of interesting information. I decided to focus my attention on those products, still not analyzed by the media, that appear to be powerful tools for cyber espionage and surveillance.

What I’ve found very interesting is a set of components designed by the NSA to spy on computer screens, fax machines and printers, audio devices, keyboards and mice, without even having to install an agent on the target machine. The systems are based on continuous wave irradiation. The tools belong to the ANGRYNEIGHBOR family of bugs. These bugs are implemented as RF retro-reflectors and are read out by an external radar wave generator such as CTX4000 or PHOTOANGLO. At the Chaos Communication Congress, Appelbaum confirmed the existence of this device (CTX4000 or PHOTOANGLO), described as a portable continuous wave generator. He added that it is remotely controllable and works in combination with tiny electronic implants to bounce waves of energy off monitors, keyboards and printers in order to analyze what has been viewed, typed and printed, respectively.

The ANGRYNEIGHBOR family of bugs is truly revolutionary, because it works even when the target device isn’t online, widening the range of targets open to NSA agents.

“This (CTX4000) is a continuous wave generator or continuous wave radar unit. You can detect its use because it’s used between one and two gigahertz, and its bandwidth is up to 45 megahertz, user-adjustable, two watts. Using an internal amplifier, external amplifier, makes it possible to go up to one kilowatt.”

The VAGRANT collection requires a continuous wave RF generator such as the CTX4000 or PHOTOANGLO. The returned signals are then processed and displayed by components like NIGHTWATCH, GOTHAM, LS-2 (with an external monitor) and VIEWPLATE.

The signals are processed by specific systems, depending on the nature of the spying devices. The VIEWPLATE unit was used for VAGRANT video signal analysis, LOUDAUTO for ambient audio interception, DROPMIRE for printer and fax scanning, RAGEMASTER for video capturing and SURLYSPAWN to tap keyboards and mice used by the target.

In the image below, I tried to figure out the entire collection of NSA radar wave devices that were disclosed recently.

Pierluigi Paganini

(Security Affairs – NSA, hacking)
