Since 2010, the National Security Agency has operated a push-button hacking system called Turbine that allows the agency to scale up the number of networks it has access to from hundreds to potentially millions. The news comes from new Edward Snowden documents published by Ryan Gallagher and Glenn Greenwald in The Intercept today. The leaked information details how the NSA has used Turbine to ramp up its hacking capacity to “industrial scale,” plant malware that breaks the security of virtual private networks (VPNs) and digital voice communications, and collect data from and subvert targeted networks on a once-unimaginable scale.

Turbine is part of Turbulence, the collection of systems that also includes the Turmoil network surveillance system that feeds the NSA’s XKeyscore surveillance database. While it is controlled from NSA and GCHQ headquarters, it is a distributed set of attack systems equipped with packaged “exploits” that take advantage of the ability the NSA and GCHQ have to insert themselves as a “man in the middle” at Internet chokepoints. Using that position of power, Turbine can automate functions of Turbulence systems to corrupt data in transit between two Internet addresses, adding malware to webpages being viewed or otherwise attacking the communications stream.

Since Turbine went online in 2010, it has allowed the NSA to scale up from managing hundreds of hacking operations each day to handling millions of them. It does so by taking people out of the loop of managing attacks, instead using software to identify, target, and attack Internet-connected devices by installing malware referred to as “implants.” According to the documents, NSA analysts can simply specify the type of information required and let the system figure out how to get to it without having to know the details of the application being attacked.

The “selectors” that analysts can use to target victims through Turbine are significant. Using Turmoil as a targeting system, Turbine can look for identifying cookies from a number of Web services, including Google, Yahoo, Twitter, Facebook, Hotmail, and DoubleClick, as well as those from the Russian services Mail.ru, Rambler, and Yandex. Those cookies are all available for targeting purposes, as is user account information from a whole host of services.

Turmoil can also key in on Windows Update identifiers, software serial numbers passed over the Internet, and signatures from physical devices such as phones’ International Mobile Station Equipment Identity (IMEI) numbers and Wi-Fi MAC addresses. All of these things can be indexed as metadata by Turmoil and tied by other metadata to a specific target.

Once installed, implants give the NSA and GCHQ a way to extract data from the target, monitor its communications, or launch attacks against the network the target resides on. Turbine implants have even allowed the NSA and GCHQ to hack IPSec VPN connections by placing an implant on routers that breaks the VPN’s key exchange process, opening virtually any VPN to direct surveillance.

Hammer time

The documents published today include slides from the NSA’s Turbulence team detailing the “phases” of the NSA’s capabilities to monitor VPN and Voice over IP (VoIP) traffic using a set of attacks known as Hammerstein and Hammerchant. Previously, it was known that the NSA could exploit the older Point-to-Point Tunneling Protocol (PPTP) for VPNs. But the new documents show how Turbine and Turbulence can be used to attack VPNs using the more secure Internet Protocol Security (IPSec) standard.

At the most basic level, Turbulence simply captures metadata from Internet Key Exchange (IKE) messages between systems connecting over an IPSec VPN. The NSA can apparently perform a “static tasking” against an IPSec VPN based on its IP addresses using the Hammerstein implant. (Hammerstein is a piece of malware injected into a router sitting in the path of the VPN traffic, which forwards key exchanges and encrypted data to a Turbulence system.)

Hammerstein allows the NSA and GCHQ to tap into networks that don’t pass through the Turbulence checkpoint. The data can then be pushed through a specialized VPN-cracking “blade” in the Turmoil server hardware to decrypt the content.

The Hammerchant implant does roughly the same thing with digital voice calls and video conferences that Hammerstein does with VPNs. It can intercept call traffic based on the SIP and H.323 protocols, allowing “call surveys” that collect metadata or capture the actual voice content.

Turbine added the capability of “dynamic tasking” to these attacks. It can send identifying information on the fly to Hammerstein or Hammerchant automatically based on a set of parameters set by an NSA operator with a few mouse clicks.

Search and destroy

Other man-in-the-middle and “man on the side” attack systems are also tied into Turbine. Quantum Insert, the attack tool used to hack the networks of OPEC and the Belgian telecommunications company Belgacom, can also be controlled by Turbine, using webpage request data collected by Turmoil to automatically trigger an attack. Turbine pushes a forged HTML response, posing as the reply from the visited site, back through a Quantum Insert implant on a server or router that sits closer to the target than the server the request was sent to. It relies on a microseconds-long response time advantage to convince the target’s browser that the forgery is the response it was waiting for. It then delivers malware that allows the NSA (or GCHQ) to poke around the target’s computer and network.
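As an added defensive illustration that is not part of the article or any NSA document: a small Python heuristic that flags the trace a racing forged response leaves on the wire, namely two TCP segments for the same flow and sequence number whose contents differ. The `Segment` type, addresses, TTL values and packet bodies are constructed sample data.

```python
# Added example (not from the article): a defender-side heuristic for spotting
# man-on-the-side injection of the kind described for Quantum Insert above.
# The forged reply races the genuine one, so a monitor near the client often
# sees two segments for the same connection and sequence number whose payload
# (and commonly TTL) differ. All packet records below are constructed samples.
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    ts: float        # capture time in seconds
    src: str         # server-side address:port
    dst: str         # client-side address:port
    seq: int         # TCP sequence number
    ttl: int         # IP time-to-live as observed at the monitor
    payload: bytes   # leading bytes of the TCP payload


def find_injected_responses(segments, window=0.5):
    """Return (first_seen, suspect) pairs: two segments on the same flow with
    the same sequence number but different payload, seen within `window`
    seconds. Plain retransmissions repeat the same bytes and are ignored."""
    seen = {}
    hits = []
    for seg in sorted(segments, key=lambda s: s.ts):
        key = (seg.src, seg.dst, seg.seq)
        first = seen.setdefault(key, seg)
        if first is seg:
            continue
        if seg.payload != first.payload and seg.ts - first.ts <= window:
            hits.append((first, seg))
    return hits


# Constructed capture: a genuine HTTP reply, a racing forged reply with the
# same seq but a different body and TTL, and a benign retransmission later.
SAMPLE = [
    Segment(0.000, "203.0.113.10:80", "198.51.100.7:51234", 1000, 52,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"),
    Segment(0.004, "203.0.113.10:80", "198.51.100.7:51234", 1000, 61,
            b"HTTP/1.1 302 Found\r\nLocation: http://example.invalid/\r\n"),
    Segment(0.350, "203.0.113.10:80", "198.51.100.7:51234", 1000, 52,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"),
]

if __name__ == "__main__":
    for first, suspect in find_injected_responses(SAMPLE):
        print(f"seq {suspect.seq}: TTL {first.ttl} vs {suspect.ttl}, "
              f"payload differs at {suspect.ts:.3f}s")
```

The TTL difference is a useful corroborating signal but not required by the check; a monitor placed on the server side of the injection point would not see the race at all.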

These capabilities give the NSA’s Tailored Access Operations (TAO) unit the ability to conduct not just tailored attacks, but multilayered, massive operations that can scoop up vast amounts of data not accessible via XKeyscore. As if that’s not enough, there’s also an attack tool designed for wholesale exploits of traffic passing through a specific Internet “choke point”—a peering point for a specific Internet Service Provider, an Internet exchange at a national border or at a submarine cable meeting point, or any other routing point on the Internet that could host an implant.

Called SecondDate, the capability was described in a 2012 NSA document as a tool “to influence real-time communications between client and server.” It has the ability to redirect Web browsers to the NSA’s FoxAcid malware servers, and it may have been used as part of an attack on Tor users. SecondDate can serve as part of a targeted attack, but it can also be used, according to NSA documents, for “mass exploitation potential for clients passing through network choke points.” In other words, SecondDate can be used in concert with the NSA’s other systems to attack whole swaths of the Internet, infecting systems with surveillance malware.

All of these capabilities give the NSA and GCHQ considerable reach. But they also run the risk of allowing others to stand on the agencies’ shoulders and take advantage of the exploits the NSA has already seeded into parts of the Internet’s infrastructure. Regardless of the scope of the NSA’s ongoing surveillance, the chance that someone else could hijack or repackage a capability like Hammerstein or SecondDate for criminal or other malicious means poses a risk to the entire Internet.