Among all of the NSA hacking operations exposed by whistleblower Edward Snowden over the last two years, one in particular has stood out for its sophistication and stealthiness. Known as Quantum Insert, the man-on-the-side hacking technique has been used to great effect since 2005 by the NSA and its partner spy agency, Britain's GCHQ, to hack into high-value, hard-to-reach systems and implant malware.

Quantum Insert is useful for getting at machines that can't be reached through phishing attacks. It works by hijacking a browser as it's trying to access web pages and forcing it to visit a malicious web page, rather than the page the target intends to visit. The attackers can then surreptitiously download malware onto the target's machine from the rogue web page.

Quantum Insert has been used to hack the machines of terrorist suspects in the Middle East, but it was also used in a controversial GCHQ/NSA operation against employees of the Belgian telecom Belgacom and against workers at OPEC, the Organization of Petroleum Exporting Countries. The "highly successful" technique allowed the NSA to place 300 malicious implants on computers around the world in 2010, according to the spy agency's own internal documents—all while remaining undetected.

But now security researchers with Fox-IT in the Netherlands, who helped investigate that hack against Belgacom, have found a way to detect Quantum Insert attacks using common intrusion detection tools such as Snort, Bro and Suricata.

The detection focuses on identifying anomalies in the data packets that get sent to a victim's browser client when the browser attempts to access web pages. The researchers, who plan to discuss their findings at the RSA Conference in San Francisco today, have written a blog post describing the technical details and are releasing custom patches for Snort to help detect Quantum Insert attacks.

How Quantum Insert Works

According to various documents leaked by Snowden and published by The Intercept and the German newspaper Der Spiegel, Quantum Insert requires the NSA and GCHQ to have fast-acting servers relatively near a target's machine that are capable of intercepting browser traffic swiftly in order to deliver a malicious web page to the target's machine before the legitimate web page can arrive.

To achieve this, the spy agencies use rogue systems the NSA has codenamed FoxAcid servers, as well as special high-speed servers known as "shooters," placed at key points around the internet.

In the Belgacom hack, GCHQ first identified specific engineers and system administrators who worked for the Belgian telecom and one of its subsidiaries, BICS. The attackers then mapped out the digital footprints of chosen workers, identifying the IP addresses of work and personal computers as well as Skype, Gmail and social networking accounts such as Facebook and LinkedIn. Then they set up rogue pages, hosted on FoxAcid servers, to impersonate, for example, an employee's legitimate LinkedIn profile page.

The agencies then used packet-capturing tools that sniffed or sifted through internet traffic—which can occur with the cooperation of telecoms or without it—to spot footprints or other markers that identified the online traffic of these targets. Sometimes the fingerprints involved spotting persistent tracking cookies that web sites assigned to the user.

When the sniffers spotted a "GET request" from a target's browser—a message sent by the browser to call up a specific URL or web page such as the user's LinkedIn profile page—they would notify the NSA's high-speed shooter server, which would then kick into action and send a redirect or "shot" to the browser. That shot was essentially a spoofed Transmission Control Protocol (TCP) packet that would redirect the user's browser to a malicious LinkedIn page hosted on a FoxAcid server. The FoxAcid server would then download and install malware on the victim's machine.

Quantum Insert attacks require precise positioning and action on the part of the rogue servers to ensure that they "win" the race to redirect and serve up a malicious page faster than the legitimate servers can deliver a page to the browser. The closer the traffic-sniffing and shooter machines are to the target, the more likely the rogue servers will "win" the race to the victim's machine. According to one NSA document from 2012, the success rate per shot for LinkedIn pages was "greater than 50 percent."

How to Catch a Quantum Insert

But hidden within another document leaked by Snowden was a slide that provided a few hints about detecting Quantum Insert attacks, which prompted the Fox-IT researchers to test a method that ultimately proved to be successful. They set up a controlled environment and launched a number of Quantum Insert attacks against their own machines to analyze the packets and devise a detection method.

According to the Snowden document, the secret lies in analyzing the first content-carrying packets that come back to a browser in response to its GET request. One of the packets will contain content for the rogue page; the other will be content for the legitimate site sent from a legitimate server. Both packets, however, will have the same sequence number. That, it turns out, is a dead giveaway.

Here's why: When your browser sends a GET request to pull up a web page, it sends out a packet containing a variety of information, including the source and destination IP addresses as well as so-called sequence and acknowledgment numbers, or ACK numbers. The responding server sends back a response in the form of a series of packets, each with the same ACK number as well as a sequential number so that the series of packets can be reconstructed by the browser as each packet arrives to render the web page.

But when the NSA or another attacker launches a Quantum Insert attack, the victim's machine receives duplicate TCP packets with the same sequence number but with a different payload. "The first TCP packet will be the 'inserted' one while the other is from the real server, but will be ignored by the [browser]," the researchers note in their blog post. "Of course it could also be the other way around; if the QI failed because it lost the race with the real server response."

Although it's possible that in some cases a browser will receive two packets with the same sequence number from a legitimate server, they will still contain the same general content; a Quantum Insert packet, however, will have content with significant differences. The researchers have detailed in their blog post other anomalies that can help detect a Quantum Insert attack. And in addition to making patches available for Snort to detect Quantum Insert attacks, they have also posted packet captures to their GitHub repository to show how they performed Quantum Insert attacks.
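The duplicate-sequence check described above can be sketched in a few lines. This is an added example, not Fox-IT's Snort patch or any code from the researchers: the `Segment` record, the function name and the sample packets are constructed for illustration, and it is stricter than the article's wording in that it flags any byte that differs at an already-seen sequence position, which also covers partially overlapping segments.

```python
from collections import defaultdict
from typing import NamedTuple

class Segment(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    seq: int          # TCP sequence number of the first payload byte
    payload: bytes

def find_conflicting_segments(segments):
    """Return (flow, seq, earlier_payload, later_payload) for each segment whose
    bytes disagree with data already seen at the same sequence positions."""
    seen = defaultdict(dict)   # flow -> {sequence position: (byte, segment)}
    alerts = []
    for seg in segments:
        if not seg.payload:
            continue           # bare ACKs carry no content to compare
        flow = (seg.src, seg.sport, seg.dst, seg.dport)
        conflict = None
        for i, b in enumerate(seg.payload):
            pos = (seg.seq + i) % 2**32          # sequence numbers wrap at 2^32
            prior = seen[flow].setdefault(pos, (b, seg))
            if prior[0] != b and conflict is None:
                conflict = prior[1]              # segment that first set this byte
        if conflict is not None:
            alerts.append((flow, seg.seq, conflict.payload, seg.payload))
    return alerts

# Constructed sample (documentation IP ranges): server-to-browser segments.
A = ("198.51.100.10", 80, "192.0.2.5", 49152)
B = ("198.51.100.20", 80, "192.0.2.5", 49153)
SAMPLE = [
    Segment(*A, 1000, b"HTTP/1.1 302 Found\r\nLocation: http://other.example/\r\n\r\n"),
    Segment(*A, 1000, b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    Segment(*B, 5000, b"HTTP/1.1 200 OK\r\n"),
    Segment(*B, 5000, b"HTTP/1.1 200 OK\r\n"),   # ordinary retransmission
]

if __name__ == "__main__":
    for flow, seq, earlier, later in find_conflicting_segments(SAMPLE):
        print("conflict", flow, "seq", seq, earlier[:20], "vs", later[:20])
```

Flow A raises one alert because two different payloads claim sequence number 1000; flow B's identical retransmission does not.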