Jump to content

Tailored Access Operations

From Wikipedia, the free encyclopedia
(Redirected fromRemote Operations Center)
Tailored Access Operations
AbbreviationTAO
Formationc.1997–2001[1]
TypeAdvanced persistent threat
PurposeCyberespionage,cyberwarfare
HeadquartersFort Meade
Region
United States
MethodsZero-days,spyware
Official language
English
Parent organization
S3 Data Acquisition

National Security Agencysurveillance
Map of global NSA data collectionas of 2007,with countries subject to the most data collection shown in red
Programs
Pre-1978
Since 1978
Since 1990
Since 1998
Since 2001
Since 2007
Databases, tools etc.
GCHQ collaboration
Legislation
Institutions
Lawsuits
Whistleblowers
Publication
Related
Concepts
Collaboration
United States
Five Eyes
Other
A reference to Tailored Access Operations in anXKeyscoreslide

TheOffice of Tailored Access Operations(TAO), nowComputer Network Operations,and structured asS32,[1]is acyber-warfareintelligence-gathering unit of theNational Security Agency(NSA).[2]It has been active since at least 1998, possibly 1997, but was not named or structured as TAO until "the last days of 2000," according to GeneralMichael Hayden.[3][4][5]

TAO identifies, monitors, infiltrates, and gathers intelligence on computer systems being used by entities foreign to the United States.[6][7][8][9]

History[edit]

See also:Signals intelligence

TAO is reportedly "the largest and arguably the most important component of the NSA's huge Signals Intelligence Directorate (SID),[10]consisting of more than 1,000 military and civilian computer hackers, intelligence analysts, targeting specialists, computer hardware and software designers, and electrical engineers. The office is currently known as Office of Computer Network Operations (OCNO). ".[4]

Snowden leak[edit]

A document leaked by former NSA contractorEdward Snowdendescribing the unit's work says TAO has software templates allowing it to break into commonly used hardware, including "routers, switches, and firewalls from multiple product vendor lines".[11]TAO engineers prefer to tap networks rather than isolated computers, because there are typically many devices on a single network.[11]

Organization[edit]

TAO's headquarters are termed theRemote Operations Center(ROC) and are based at the NSA headquarters atFort Meade, Maryland.TAO also has expanded toNSA Hawaii(Wahiawa,Oahu),NSA Georgia(Fort Eisenhower,Georgia),NSA Texas(Joint Base San Antonio,Texas), andNSA Colorado(Buckley Space Force Base,Denver).[4]

  • S321 – Remote Operations Center (ROC) In theRemote Operations Center,600 employees gather information from around the world.[12][13]
  • S323 –Data Network Technologies Branch(DNT): develops automated spyware
    • S3231 – Access Division (ACD)
    • S3232 – Cyber Networks Technology Division (CNT)
    • S3233 –
    • S3234 – Computer Technology Division (CTD)
    • S3235 – Network Technology Division (NTD)
  • Telecommunications Network Technologies Branch(TNT): improve network and computer hacking methods[14]
  • Mission Infrastructure Technologies Branch: operates the software provided above[15]
  • S328 –Access Technologies Operations Branch(ATO): Reportedly includes personnel seconded by the CIA and the FBI, who perform what are described as "off-net operations", which means they arrange for CIA agents to surreptitiously plant eavesdropping devices on computers and telecommunications systems overseas so that TAO's hackers may remotely access them from Fort Meade.[4]Specially equipped submarines, currently theUSSJimmy Carter,[16]are used to wiretap fibre optic cables around the globe.
    • S3283 – Expeditionary Access Operations (EAO)
    • S3285 – Persistence Division

Virtual locations[edit]

Details[17]on a program titled QUANTUMSQUIRREL indicate NSA ability to masquerade as any routable IPv4 or IPv6 host.[18]This enables an NSA computer to generate false geographical location and personal identification credentials when accessing the Internet utilizing QUANTUMSQUIRREL.[19]

Leadership[edit]

From 2013 to 2017,[20]the head of TAO wasRob Joyce,a 25-plus year employee who previously worked in the NSA'sInformation Assurance Directorate(IAD). In January 2016, Joyce had a rare public appearance when he gave a presentation at the Usenix’s Enigma conference.[21]

"Truly covert infrastructure, be any IP in the world."
QUANTUMSQUIRRELimage from an NSA presentation explaining the QUANTUMSQUIRREL IP host spoofing ability

NSA ANT catalog[edit]

Main article:NSA ANT catalog

TheNSA ANT catalogis a 50-pageclassifieddocument listing technology available to theUnited StatesNational Security Agency (NSA)Tailored Access Operations (TAO) by the Advanced Network Technology (ANT) Division to aid in cyber surveillance. Most devices are described as already operational and available to US nationals and members of theFive Eyesalliance. According toDer Spiegel,which released the catalog to the public on December 30, 2013, "The list reads like a mail-order catalog, one from which other NSA employees can order technologies from the ANT division for tapping their targets' data." The document was created in 2008.[22] Security researcherJacob Appelbaumgave a speech at theChaos Communications CongressinHamburg,Germany,in which he detailed techniques that the simultaneously publishedDer Spiegelarticle he coauthored disclosed from the catalog.[22]

QUANTUM attacks[edit]

"I iz in ur space-time continuum, upsetting all your gravity and quantums and stuffs."
Lolcatimage from an NSA presentation explaining in part the naming of the QUANTUM program
NSA's QUANTUMTHEORY overview slide with various codenames for specific types of attack and integration with other NSA systems

The TAO has developed an attack suite they call QUANTUM. It relies on a compromisedrouterthat duplicates internet traffic, typicallyHTTPrequests, so that they go both to the intended target and to an NSA site (indirectly). The NSA site runs FOXACID software which sends back exploits that load in the background in the targetweb browserbefore the intended destination has had a chance to respond (it's unclear if the compromised router facilitates this race on the return trip). Prior to the development of this technology, FOXACID software madespear-phishingattacks the NSA referred to as spam. If the browser is exploitable, further permanent "implants" (rootkits etc.) are deployed in the target computer, e.g. OLYMPUSFIRE for Windows, which gives complete remote access to the infected machine.[23]This type of attack is part of theman-in-the-middle attackfamily, though more specifically it is calledman-on-the-side attack.It is difficult to pull off without controlling some of theInternet backbone.[24]

There are numerous services that FOXACID can exploit this way. The names of some FOXACID modules are given below:[25]

By collaboration with the BritishGovernment Communications Headquarters(GCHQ) (MUSCULAR), Google services could be attacked too, includingGmail.[26]

Finding machines that are exploitable and worth attacking is done using analytic databases such asXKeyscore.[27]A specific method of finding vulnerable machines is interception ofWindows Error Reportingtraffic, which is logged into XKeyscore.[28]

QUANTUM attacks launched from NSA sites can be too slow for some combinations of targets and services as they essentially try to exploit arace condition,i.e. the NSA server is trying to beat the legitimate server with its response.[29]As of mid-2011, the NSA was prototyping a capability codenamed QFIRE, which involved embedding their exploit-dispensing servers invirtual machines(running onVMware ESX) hosted closer to the target, in the so-calledSpecial Collection Sites(SCS) network worldwide. The goal of QFIRE was to lower the latency of the spoofed response, thus increasing the probability of success.[30][31][32]

COMMENDEER [sic] is used to commandeer (i.e. compromise) untargeted computer systems. The software is used as a part of QUANTUMNATION, which also includes the software vulnerability scanner VALIDATOR. The tool was first described at the 2014Chaos Communication CongressbyJacob Appelbaum,who characterized it as tyrannical.[33][34][35]

QUANTUMCOOKIE is a more complex form of attack which can be usedagainst Torusers.[36]

Targets and collaborations[edit]

Suspected, alleged and confirmed targets of the Tailored Access Operations unit include national and international entities likeChina,[4]Northwestern Polytechnical University,[37]OPEC,[38]andMexico's Secretariat of Public Security.[28]

The group has also targeted global communication networks viaSEA-ME-WE 4– an optical fibresubmarine communications cablesystem that carries telecommunications between Singapore, Malaysia, Thailand, Bangladesh, India, Sri Lanka, Pakistan, United Arab Emirates, Saudi Arabia, Sudan, Egypt, Italy, Tunisia, Algeria and France.[34]Additionally,Försvarets radioanstalt (FRA)in Sweden gives access to fiber optic links for QUANTUM cooperation.[39][40]

TAO's QUANTUM INSERT technology was passed to UK services, particularly toGCHQ'sMyNOC,which used it to targetBelgacomandGPRS roaming exchange(GRX) providers like theComfone,Syniverse,and Starhome.[28]Belgacom, which provides services to theEuropean Commission,theEuropean Parliamentand theEuropean Councildiscovered the attack.[41]

In concert with theCIAandFBI,TAO is used to intercept laptops purchased online, divert them to secret warehouses where spyware and hardware is installed, and send them on to customers.[42]TAO has also targeted internet browsersTorandFirefox.[24]

According to a 2013 article inForeign Policy,TAO has become "increasingly accomplished at its mission, thanks in part to the high-level cooperation it secretly receives from the 'big three' American telecom companies (AT&T,VerizonandSprint), most of the large US-based Internet service providers, and many of the top computer security software manufacturers and consulting companies. "[43]A 2012 TAO budget document claims that these companies, on TAO's behest, "insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communications devices used by targets".[43]A number of US companies, includingCiscoandDell,have subsequently made public statements denying that they insert such back doors into their products.[44]Microsoftprovides advance warning to the NSA of vulnerabilities it knows about, before fixes or information about these vulnerabilities is available to the public; this enables TAO to execute so-calledzero-day attacks.[45]A Microsoft official who declined to be identified in the press confirmed that this is indeed the case, but said that Microsoft cannot be held responsible for how the NSA uses this advance information.[46]

See also[edit]

References[edit]

  1. ^Nakashima, Ellen (1 December 2017)."NSA employee who worked on hacking tools at home pleads guilty to spy charge".The Washington Post.Retrieved4 December2017.
  2. ^Loleski, Steven (2018-10-18)."From cold to cyber warriors: the origins and expansion of NSA's Tailored Access Operations (TAO) to Shadow Brokers".Intelligence and National Security.34(1): 112–128.doi:10.1080/02684527.2018.1532627.ISSN0268-4527.S2CID158068358.
  3. ^Hayden, Michael V. (23 February 2016).Playing to the Edge: American Intelligence in the Age of Terror.Penguin Press.ISBN978-1594206566.Retrieved1 April2021.
  4. ^abcdeAid, Matthew M. (10 June 2013)."Inside the NSA's Ultra-Secret China Hacking Group".Foreign Policy.Retrieved11 June2013.
  5. ^Paterson, Andrea (30 August 2013)."The NSA has its own team of elite hackers".The Washington Post.Archivedfrom the original on Oct 19, 2013.Retrieved31 August2013.
  6. ^Kingsbury, Alex (June 19, 2009)."The Secret History of the National Security Agency".U.S. News & World Report.Retrieved22 May2013.
  7. ^Kingsbury, Alex; Mulrine, Anna (November 18, 2009)."U.S. is Striking Back in the Global Cyberwar".U.S. News & World Report.Retrieved22 May2013.
  8. ^Riley, Michael (May 23, 2013)."How the U.S. Government Hacks the World".Bloomberg Businessweek.Archived fromthe originalon May 25, 2013.Retrieved23 May2013.
  9. ^Aid, Matthew M. (8 June 2010).The Secret Sentry: The Untold History of the National Security Agency.Bloomsbury USA. p. 311.ISBN978-1-60819-096-6.Retrieved22 May2013.
  10. ^"FOIA #70809 (released 2014-09-19)"(PDF).
  11. ^abGellman, Barton; Nakashima, Ellen (August 30, 2013)."U.S. spy agencies mounted 231 offensive cyber-operations in 2011, documents show".The Washington Post.Retrieved7 September2013.Much more often, an implant is coded entirely in software by an NSA group called, Tailored Access Operations (TAO). As its name suggests, TAO builds attack tools that are custom-fitted to their targets. The NSA unit's software engineers would rather tap into networks than individual computers because there are usually many devices on each network. Tailored Access Operations has software templates to break into common brands and models of "routers, switches, and firewalls from multiple product vendor lines," according to one document describing its work.
  12. ^"Secret NSA hackers from TAO Office have been pwning China for nearly 15 years".Computerworld. 2013-06-11. Archived fromthe originalon 2014-01-25.Retrieved2014-01-27.
  13. ^Rothkopf, David."Inside the NSA's Ultra-Secret China Hacking Group".Foreign Policy.Retrieved2014-01-27.
  14. ^"Hintergrund: Die Speerspitze des amerikanischen Hackings - News Ausland: Amerika".Tages-Anzeiger.tagesanzeiger.ch.Retrieved2014-01-27.
  15. ^"Inside the NSA's Ultra-Secret Hacking Group".Atlantic Council.2013-06-11.Retrieved2023-07-27.
  16. ^noahmax (2005-02-21)."Jimmy Carter: Super Spy?".Defense Tech. Archived fromthe originalon 2014-02-20.Retrieved2014-01-27.
  17. ^https://www.eff.org/files/2014/04/09/20140312-intercept-the_nsa_and_gchqs_quantumtheory_hacking_tactics.pdf(slide 8)
  18. ^Dealer, Hacker. "Dealer, Hacker, Lawyer, Spy: Modern Techniques and Legal Boundaries of Counter-cybercrime Operations".The European Review of Organised Crime.
  19. ^"The NSA and GCHQ's QUANTUMTHEORY Hacking Tactics".firstlook.org. 2014-07-16.Retrieved2014-07-16.
  20. ^Landler, Mark (April 10, 2018)."Thomas Bossert, Trump's Chief Adviser on Homeland Security, Is Forced Out".New York Times.RetrievedMarch 9,2022.
  21. ^Thomson, Iain (January 28, 2016)."NSA's top hacking boss explains how to protect your network from his attack squads".The Register.
  22. ^abThis section copied fromNSA ANT catalog;see there for sources
  23. ^"Quantumtheory: Wie die NSA weltweit Rechner hackt".Der Spiegel.2013-12-30.Retrieved2014-01-18.
  24. ^abSchneier, Bruce (2013-10-07)."How the NSA Attacks Tor/Firefox Users With QUANTUM and FOXACID".Schneier.com.Retrieved2014-01-18.
  25. ^Fotostrecke (2013-12-30)."NSA-Dokumente: So knackt der Geheimdienst Internetkonten".Der Spiegel.Retrieved2014-01-18.
  26. ^"NSA-Dokumente: So knackt der Geheimdienst Internetkonten".Der Spiegel.2013-12-30.Retrieved2014-01-18.
  27. ^Gallagher, Sean (August 1, 2013)."NSA's Internet taps can find systems to hack, track VPNs and Word docs".RetrievedAugust 8,2013.
  28. ^abc"Inside TAO: Targeting Mexico".Der Spiegel.2013-12-29.Retrieved2014-01-18.
  29. ^Fotostrecke (2013-12-30)."QFIRE - die" Vorwärtsverteidigng "der NSA".Der Spiegel.Retrieved2014-01-18.
  30. ^"QFIRE - die" Vorwärtsverteidigng "der NSA".Der Spiegel.2013-12-30.Retrieved2014-01-18.
  31. ^"QFIRE - die" Vorwärtsverteidigng "der NSA".Der Spiegel.2013-12-30.Retrieved2014-01-18.
  32. ^"QFIRE - die" Vorwärtsverteidigng "der NSA".Der Spiegel.2013-12-30.Retrieved2014-01-18.
  33. ^""Chaos Computer Club CCC Presentation" at 28:34 ".YouTube.
  34. ^abThomson, Iain (2013-12-31)."How the NSA hacks PCs, phones, routers, hard disks 'at speed of light': Spy tech catalog leaks".The Register.London.Retrieved2014-08-15.
  35. ^Mick, Jason (2013-12-31)."Tax and Spy: How the NSA Can Hack Any American, Stores Data 15 Years".DailyTech.Archived fromthe originalon 2014-08-24.Retrieved2014-08-15.
  36. ^Weaver, Nicholas (2013-03-28)."Our Government Has Weaponized the Internet. Here's How They Did It".Wired.Retrieved2014-01-18.
  37. ^"China Accuses US of Repeated Hacks on Polytechnic University".Bloomberg.September 5, 2022 – via www.bloomberg.com.
  38. ^Gallagher, Sean (2013-11-12)."Quantum of pwnness: How NSA and GCHQ hacked OPEC and others".Ars Technica.Retrieved2014-01-18.
  39. ^"Läs dokumenten om Sverige från Edward Snowden - Uppdrag Granskning".SVT.se.Retrieved2014-01-18.
  40. ^"What You Wanted to Know"(PDF).documentcloud.org.Retrieved2015-10-03.
  41. ^"British spies reportedly spoofed LinkedIn, Slashdot to target network engineers".Network World. 2013-11-11. Archived fromthe originalon 2014-01-15.Retrieved2014-01-18.
  42. ^"Inside TAO: The NSA's Shadow Network".Der Spiegel.2013-12-29.Retrieved2014-01-27.
  43. ^abAid, Matthew M. (2013-10-15)."The NSA's New Code Breakers".Foreign Policy.Retrieved2023-07-27.
  44. ^Farber, Dan (2013-12-29)."NSA reportedly planted spyware on electronics equipment | Security & Privacy".CNET News.Retrieved2014-01-18.
  45. ^Schneier, Bruce (2013-10-04)."How the NSA Thinks About Secrecy and Risk".The Atlantic.Retrieved2014-01-18.
  46. ^Riley, Michael (2013-06-14)."U.S. Agencies Said to Swap Data With Thousands of Firms".Bloomberg.Retrieved2014-01-18.

External links[edit]

Retrieved from "https://en.wikipedia.org/w/index.php?title=Tailored_Access_Operations&oldid=1230484539"