The NSA’s Band of Technology Criminals

On this website, we’ve speculated that one outcome of the flood of NSA-centered revelations has been to desensitize U.S. citizens and diminish outrage at what is actually revealed. We are becoming conditioned to the horror story that is the National Security Administration.

Right before Christmas, we got another dose of breath-taking outrageousness through the reporting of a group of journalists courtesy of the German weekly news magazine Der Spiegel. The report profiles the work of a powerful unit of technological thugs called the Tailored Access Operations unit or TAO — either an unfortunate coincidence in naming or a reflection of disdain for another culture.

By the NSA’s own admission, this is among its most important programs and one of its fastest growing. Its existence has already been reported on by the Washington Post based on Edward Snowden information. These Spiegel articles add disturbing details to the picture.

The unit, founded in 1997 and now composed of an estimated 1,000 technologists and support staff in a half dozen offices nationwide, attacks highly selective and well-protected targets. It steals data, conducts on-line denial-of-service and other attacks against computers and servers in other countries (including government servers and websites), sneaks into offices and other locations to break open and tamper with computers, and intercepts shipments of equipment to break into those and insert modifications that will allow NSA data capture.

Yet, as frightening as this activity is, perhaps TAO’s greatest attack is on the Internet itself. It has turned a technology that was designed to enable communication among the world’s people into an implement of war and sabotage. In fact, one TAO paper explains the need to “support Computer Network Attacks as an integrated part of military operations.”

In the NSA’s on-line war effort, this is its shock troop, housed separately from all other NSA staff and drawn from the NSA’s elite programmers and hackers. “Their job is breaking into, manipulating and exploiting computer networks, making them hackers and civil servants in one,” the Spiegel report explains. And their assignments are usually to go after those “targets” that have proven most resistant to the NSA’s normal spying and data-capture methods.

Snowden documents demonstrate how wide and pervasive this unit’s work has become. According to Bloomberg Businessweek, TAO operations intercept and collect about two petabytes of data every hour — for reference, a petabyte is a quadrillion bytes of data (the article you’re reading contains about 12,000 bytes).

That almost unfathomable amount of spy information reflects a frenzied level of operation. “During the middle part of the last decade,” the Spiegel report explains, “the special unit succeeded in gaining access to 258 targets in 89 countries — nearly everywhere in the world. In 2010, it conducted 279 operations worldwide.”

The specifics of one profiled operation, targeting Mexico, illustrate the most routine and basic TAO work. In a project named “Operation Whitetamale”, TAO staffers in Texas zeroed in on Mexico’s Secretariat for Public Security, a 20,000-person agency responsible at the time for overseeing Mexico’s police, counterterrorism, prison system and border police.

The NSA has a section called “Target Selection” that is responsible for listing individuals, organizations and agencies whose data the NSA wants. Some time ago, the Target Selection staff gave TAO a list of Mexican government officials it wanted to spy on. For the most part, these weren’t people suspected of wrong-doing. The NSA wanted to track them to evaluate their performance in the various anti-drug and border-control projects the U.S. is most interested in and their attitudes and internal communications about those programs. In short, they wanted to spy on them.

TAO went to work. They first hacked into the officials’ email accounts (including that of Mexico’s President), probably the easiest of their tasks. Using that as a basis, they then obtained IP addresses (the unique number assigned to every computer on the Internet) for the computers used for email. They then captured the individual IP addresses of many Secretariat employees. With that information, they would know when people were on-line and what they were doing when they were. They captured all kinds of non-public information, including conversations, internal reports, meeting minutes, diagrams of the security agencies’ structures and video surveillance. All of it was turned over to the NSA for processing.

But that spying, which caused an outcry in Mexico and a diplomatic mess when discovered, is only a small part of TAO’s activities.

One TAO presentation, revealed in Snowden documents, describes the importance of “Computer Network Exploitation” which means capturing actual control over servers, workstations, firewalls, routers, handsets, phone switches, even SCADA systems (the computerized systems that run factory and industrial operations). If you have control over those systems, not only can you capture data but you can actually shut down communications and even parts of an economy.

If that seems like science-fiction, the Stuxnet program is worth considering. Jointly developed by the United States and Israel, the program targeted Iran’s nuclear industry by unleashing a computer virus that successfully sabotaged the Iranian nuclear research and development program and set it back years. That SCADA attack left as many as 1,000 Iranian centrifuges unusable. It was a form of warfare with absolutely no declaration of war or, for that matter, reliable evidence that Iran was doing anything that might be dangerous to anyone.

Those who think they may be safe from this kind of sabotage because they live in the United States apparently need to think again. The NSA, relying mostly on TAO staff, has been running a huge “hackers’ project”: inserting “trojans” (programs that live on your computer and, when triggered, can do just about anything the hacker wants) on an estimated 85,000 computers world-wide. A trojan can report on every single thing you do on the Internet and some of them can, in fact, destroy all of your stored data.

It’s here that the legal questions arise. If you hack a computer anywhere on earth and start capturing its data you are going to capture data from U.S. citizens because, in a world-wide system like the Internet, people in this country communicate with people in other countries (and from other governments) world-wide. That type of spying on U.S. citizens is, in fact, completely illegal.

What’s more, TAO has developed highly sophisticated methods for implanting them. Usually trojans are delivered to your computer via emails that unleash the infection when you open them. At this point, many regular Internet users (often burned by a trojan plant) don’t open those emails, so the success rate of that method has dropped enormously. But TAO’s trojan-planting success rate is a reported 80 percent, based on NSA documents.

The question is what they are doing differently; the answer is that they use Facebook, Yahoo, Twitter and YouTube (among other social networking services) as a kind of backdoor to computers. Users of these services interact with them in scores of ways during an on-line session. TAO has figured out ways to insert the virus during those interactions, probably by hacking into the servers these companies maintain.

This kind of “outside server capture” is one of TAO’s major tactics. Apparently the unit’s hackers work assiduously to “capture” servers and computers all over the world. Once they’ve infected non-NSA servers, they use those outside servers to conduct or expand attacks and spying. In short, they recruit computers world-wide to their army without the owners’ permission or knowledge.

The amount of damage that can be done by server capture is nightmare-provoking. According to NSA reports, TAO staff has used these remote stations to perform all types of data capture and even to manipulate the on-line movement of Internet users. In one project, targeting the Belgian telecom company Belgacom, TAO used captured servers to force company engineers to go to NSA websites that were masquerading as the legitimate sites the engineers were seeking. The Belgians thought they were transferring information to their own protected websites but were actually giving all that information to the NSA.

This thirst for stolen data appears insatiable, and TAO’s quest for mega-data is expanding constantly. Perhaps the most dramatic example is TAO’s cracking of the “SEA-ME-WE-4”, a massive telecommunications cable system that runs under water linking Europe with North Africa, the Gulf States, Pakistan and India and extending to Malaysia and Thailand. TAO hacked the computers managing the system and captured information about it. Then the NSA successfully intercepted and captured information on the system’s layout, structure and data handling. This gave it the ability to intercept massive amounts of transferred data; it can even shut the cable’s data transfer down if it wants.

What distinguishes TAO from the rest of the NSA, besides the sophistication and scope of its on-line attacks and data theft, is its willingness to sneak into offices and server centers and plant data-capture devices in the equipment there. This way, collaborating with FBI and CIA personnel, TAO can attack networks that aren’t on the Internet, such as office and building-wide networks. According to Snowden documents, the FBI provides jets to ferry TAO staffers to remote locations so they can break into those offices at times when there are few people in a building. They complete their work in a matter of minutes and the information collection or sabotage automatically begins; the documents indicate that there are CIA and FBI personnel in those offices to collect and move the captured data.

The presence of the FBI in these operations is significant. The Bureau, by law, usually investigates domestic targets, so, while we don’t know which offices TAO has targeted, it’s logical to assume they are either in or linked to offices in the United States.

In fact, they frequently don’t need to visit offices. TAO intercepts a shipment of computers destined for a target location and routes them to what it calls “load offices”. There, TAO staffers expertly open the packages, insert the malware (usually trojans) into the computers, cell phones or other devices, close the packages and send the equipment on to its original destination. The target offices thus receive equipment that is already hacked and ready to send information to the NSA.

How “illegal” is TAO? When it is used on U.S. citizens or residents, it’s completely illegal, and it’s not possible to fathom how these activities could be conducted on the Internet without affecting data coming from or going into this country. When the activities are outside the U.S., the judgements enter the murky world of espionage, which has very few rules and prohibitions.

But, illegal or not, these activities are immoral and destructive. The Internet has been built to facilitate human communication world-wide, effectively facilitating our collaboration and mutual support as a human race. Programs like TAO cynically and brazenly misuse that functionality as a tool of war. They do just the opposite of why we created the Internet in the first place and stand as tributes to the moral turpitude of the government that rules us.

Alfredo Lopez writes about technology issues for This Can’t Be Happening!