Archive for the ‘NSA’ Category

Report: NSA not only creates, but also hijacks, malware

In addition to having its own arsenal of digital weapons, the U.S. National Security Agency reportedly hijacks and repurposes third-party malware.

The NSA uses its network of servers around the world to monitor botnets made up of thousands or millions of infected computers. When needed, the agency can exploit features of those botnets to insert its own malware on the already compromised computers, through a technology codenamed Quantumbot, the German news magazine Der Spiegel reported Sunday.

One of the secret documents leaked by former NSA contractor Edward Snowden and published by Der Spiegel contains details about a covert NSA program called DEFIANTWARRIOR that's used to "hijack botnet computers and use them as pervasive network analysis vantage points and throw-away non-attributable CNA [computer network attack] nodes."

This means that if a user's computer is infected by cybercriminals with some malware, the NSA might step in, deploy its own malware alongside it and then use that computer to attack other interesting targets. Those attacks couldn't then be traced back to the NSA.

According to the leaked document, this is only done for foreign computers. Bots that are based in the U.S. are reported to the FBI Office of Victim Assistance.

The NSA also intercepts and collects data that is stolen by third-party malware programs, especially those deployed by other foreign intelligence agencies, if it is valuable. It refers to this practice as fourth party collection.

In 2009, the NSA tracked a Chinese cyberattack against the U.S. Department of Defense and was eventually able to infiltrate the operation. It found that the Chinese attackers were also stealing data from the United Nations so it continued to monitor the attackers while they were collecting internal UN data, Der Spiegel reported.

It goes deeper than that. One leaked secret document contains an NSA worker's account of a case of "fifth party collection." It describes how the NSA infiltrated the South Korean CNE (computer network exploitation) program that targeted North Korea.

"We found a few instances where there were NK officials with SK implants on their boxes, so we got on the exfil [data exfiltration] points, and sucked back the data," the NSA staffer wrote in the document. "However, some of the individuals that SK was targeting were also part of the NK CNE program. So I guess that would be the fifth party collect you were talking about."

In other words, the NSA spied on a foreign intelligence agency that was spying on a different foreign intelligence agency that had interesting data of its own.

NSA secretly hijacked existing malware to spy on N. Korea, others

When the NSA had limited access to North Korea's networks, the agency secretly tapped into South Korea's surveillance malware.

A new wave of documents from Edward Snowden's cache of National Security Agency data published by Der Spiegel demonstrates how the agency has used its network exploitation capabilities both to defend military networks from attack and to co-opt other organizations' hacks for intelligence collection and other purposes. In one case, the NSA secretly tapped into South Korean network espionage on North Korean networks to gather intelligence.

The documents were published as part of an analysis by Jacob Appelbaum and others working for Der Spiegel of how the NSA has developed an offensive cyberwarfare capability over the past decade. According to a report by the New York Times, the access the NSA gained into North Korea's networks, which initially leveraged South Korean "implants" on North Korean systems but eventually consisted of the NSA's own malware, played a role in attributing the attack on Sony Pictures to North Korean state-sponsored actors.

Included with the documents released by Der Spiegel, among internal NSA newsletter interviews and training materials, are details on how the NSA built up its Remote Operations Center to carry out "Tailored Access Operations" on a variety of targets, while also building the capability to do permanent damage to adversaries' information systems. The dump also contains a malware sample for a keylogger, apparently developed by the NSA and possibly other members of the "Five Eyes" intelligence community. The code appears to be from the Five Eyes joint program "Warriorpride," a set of tools shared by the NSA, the United Kingdom's GCHQ, the Australian Signals Directorate, Canada's Communications Security Establishment, and New Zealand's Government Communications Security Bureau.

It's not clear from the report whether the keylogger sample came from the cache of documents provided by former NSA contractor Edward Snowden or from another source. As of now, Appelbaum and Der Spiegel have not yet responded to a request by Ars for clarification. However, Appelbaum has previously published content from the NSA, including the NSA's ANT catalog of espionage tools, which was apparently not from the Snowden cache.

The core of the NSA's ability to detect, deceive, block, and even repurpose others' cyber-attacks, according to the documents, is Turbine and Turmoil, components of the Turbulence family of Internet surveillance and exploitation systems. These systems are also connected to Tutelage, an NSA system used to monitor traffic to and from US military networks, to defend against attacks on Department of Defense systems.

When an attack on a DoD network is detected through passive surveillance (either through live alerts from the Turmoil surveillance filters or processing by the XKeyscore database), the NSA can identify the components involved in the attack and take action to block it, redirect it to a false target to analyze the malware used in the attack, or do other things to disrupt or deceive the attacker. This all happens outside of DoD's networks, on the public Internet, using "Quantum" attacks injected into network traffic at a routing point.

But the NSA can also use others' cyberattacks for its own purposes, including hijacking botnets operated by other actors to spread the NSA's own "implant" malware. Collection of intelligence of a target using another actor's hack of that target is referred to within the signals intelligence community as "fourth party collection." By discovering an active exploit by another intelligence organization or other attacker on a target of interest, the NSA can opportunistically ramp up collection on that party as well, or even use it to distribute its own malware to do surveillance.

In a case study covered in one NSA presentation, the NSA's Tailored Access Operations (TAO) unit hijacked a botnet known by the codename "Boxingrumble" that had primarily targeted the computers of Chinese and Vietnamese dissidents and was being used to target the DoD's unclassified NIPRNET network. The NSA was able to deflect the attack and, by injecting a DNS spoofing attack into the botnet's traffic, fool the botnet into treating one of TAO's servers as a trusted command and control (C&C or C2) server. TAO then used that position of trust to gather intelligence from the bots and distribute the NSA's own implant malware to the targets.
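
The C2 hijack described above, and the on-path "Quantum" injection at a routing point described earlier, modelled as an added example. This is not code from Der Spiegel's documents or from any NSA tool; the hostname c2.example.invalid and the addresses 203.0.113.5 (the genuine C2 answer) and 198.51.100.9 (the injected one) are constructed for the example. A bot resolves its C2 hostname over plain DNS; an injector that can see the query copies its transaction ID and question into a forged reply and races the genuine one; a naive stub resolver accepts whichever reply arrives first and matches, so the bot now trusts the injector's server. The same block shows the check a defender watching the link can run: a second, conflicting reply to the same transaction ID is the fingerprint of the injection, whereas a blind spoof with the wrong ID is simply dropped.

```python
"""On-path DNS reply injection against a bot's C2 lookup, plus the resolver-side
check that exposes it. Added example; all names and addresses are constructed."""
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ended by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def decode_name(buf: bytes, off: int):
    """Decode the name at buf[off], following compression pointers (0xC0xx).
    Returns (name, offset just past the name as it appears in the packet)."""
    labels, jumped, end = [], False, off
    while True:
        length = buf[off]
        if (length & 0xC0) == 0xC0:            # pointer to an earlier name
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | buf[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode())
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def build_query(txid: int, qname: str) -> bytes:
    """The bot's A lookup for its C2 hostname: header (RD=1, QDCOUNT=1) + question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(query: bytes, ip: str, ttl: int = 60) -> bytes:
    """One A record answering `query`. The genuine resolver and an on-path injector
    build the same packet: the injector just copies the TXID and question it saw
    on the wire and sends its reply first."""
    txid = struct.unpack("!H", query[:2])[0]
    _, off = decode_name(query, 12)
    question = query[12:off + 4]                # name + qtype + qclass
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_response(pkt: bytes) -> dict:
    """Extract TXID, question name and all A-record addresses from a reply."""
    txid, _flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off, qname, addrs = 12, None, []
    for _ in range(qd):
        qname, off = decode_name(pkt, off)
        off += 4
    for _ in range(an):
        _, off = decode_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return {"txid": txid, "qname": qname, "addrs": addrs}


def resolve(query: bytes, replies: list) -> dict:
    """Naive stub resolver: accept the first reply whose TXID and question match the
    outstanding query (a real one also matches the UDP source port, which an on-path
    injector sees too). Keep watching for a later reply that matches but disagrees;
    that conflict is what a defender monitoring the same link can alert on."""
    want_txid = struct.unpack("!H", query[:2])[0]
    want_name, _ = decode_name(query, 12)
    accepted, conflicts = None, []
    for pkt in replies:
        r = parse_response(pkt)
        if r["txid"] != want_txid or r["qname"] != want_name:
            continue                            # blind spoof: dropped
        if accepted is None:
            accepted = r                        # first matching reply wins the race
        elif r["addrs"] != accepted["addrs"]:
            conflicts.append(r)
    return {"answer": accepted["addrs"] if accepted else [],
            "injected": bool(conflicts), "conflicts": conflicts}


if __name__ == "__main__":
    bot_query = build_query(0x1A2B, "c2.example.invalid")
    forged = build_response(bot_query, "198.51.100.9")    # injector's reply, arrives first
    genuine = build_response(bot_query, "203.0.113.5")    # real C2 answer, arrives later
    print(resolve(bot_query, [forged, genuine]))
```

The point of the `conflicts` list is the defender's side of the story: the injector cannot suppress the genuine reply, so a sensor on the same link sees two answers for one transaction ID with different addresses. Matching the transaction ID and source port only stops off-path guessing; against an injector positioned at a routing point, as the documents describe, only an authenticated channel (DNSSEC validation, or a C2 protocol that pins its server's key) keeps the bot from being redirected.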

Things get even more interesting in the case of the NSA's urgent need to gather more intelligence from North Korea's networks. In a question-and-answer posting to the NSA's intranet, an NSA employee recounted a "fifth party" collection that occurred when the NSA hacked into South Korea's exploit of North Korean computers, and ended up collecting data from North Korea's hack of someone else.

NSA hacked North Korea computers in 2010

US cybersecurity officials were convinced North Korea was behind the notorious Sony hack last November because the NSA had secretly infiltrated the hermit kingdom's computer systems years before the Hollywood e-mail raid, according to a new report.

The National Security Agency penetrated North Korean networks in 2010, a nation whose digital infrastructure was considered one of the most impenetrable targets on earth, The New York Times reports.

The NSA's classified program placed malware that could trace the workings of North Korean hackers and followed a secretive system that traveled from Chinese and Malaysian networks back into a North Korean intelligence service.

Evidence gathered during the US cyber-surveillance mission convinced President Obama that hackers backed by the North Korean government were responsible for the Sony attacks, the paper said.

The hackers released embarrassing personal e-mails from Sony Pictures bigwigs in an attempt to thwart the release of a movie that lampooned North Korean despot Kim Jong-un.

NSA hacked North Korea in 2010 but still failed to spot Sony attack

The US had enough insight to blame North Korea. But will sceptics be convinced?

The National Security Agency (NSA) failed to grasp the seriousness of North Korea's alleged November attack on Sony Pictures as it unfolded, despite having penetrated the country's networks as far back as 2010, a report by the New York Times has suggested.

Judging from the anonymous sources lined up by the newspaper as well as a short Der Spiegel document released from Edward Snowden's cache, the US program was fairly successful at burrowing into North Korea's cyber-systems from about four years ago, detecting the Chinese and Malaysian networks used by its expanding cyber-army.

From the Spiegel document, it appears that both the US and South Korea were able to implant malware on the mailboxes of specific North Korean officials. The US even detected and hijacked a third-party campaign (most likely by China) that hacked North Korea with great success using a zero day flaw.

As to how the US used intelligence gathered during this period to trace the Sony attacks to North Korea only after the fact, the New York Times is tantalisingly vague. Again, we hit the usual wall.

"Fearing the exposure of its methods in a country that remains a black hole for intelligence gathering, American officials have declined to talk publicly about the role the technology played in Washington's assessment that the North Korean government had ordered the attack on Sony," said the NYT.

Why didn't the US spot the attacks in advance if it had broken into North Korea's systems? In fact it appears it did to some extent, but underestimated their seriousness. For instance, the NSA did not know that the attackers had used a spear phishing attack to successfully gain access to the admin account needed to do much of the damage.

The attackers spent two months, from mid-September to mid-November, roaming around the firm's network, plotting their destructive attack in more detail, the newspaper's briefings said.

The US even put a name to the Sony attack - Reconnaissance General Bureau commander, Kim Yong-chol, who allegedly oversaw the attacks.

NSA Broke Into North Korea's Internet Before Sony Hack: Report

The National Security Agency (NSA) tapped into North Korea's computer network in 2010, long before the attack on Sony Pictures Entertainment in November, the New York Times reported exclusively. The U.S. was able to pinpoint North Korea as the culprit responsible for the Sony hack since it was familiar with the DPRK's Internet operation.

But the U.S. didn't break into the computer system of Kim Jong Un's government without help. South Korea and other allies aided America, the Times said, citing an NSA document along with former U.S. and foreign officials.

President Barack Obama blamed North Korea for the Sony hack. He had no doubt North Korea was responsible because the information came through what the Times called an "early warning radar."

"The speed and certainty with which the United States made its determinations about North Korea told you that something was different here -- that they had some kind of inside view," James A. Lewis, a cyberwarfare expert at the Center for Strategic and International Studies in Washington, told the Times. "Attributing where attacks come from is incredibly difficult and slow."

When American whistleblower Edward Snowden leaked information about the NSA to media outlets in June 2013, the country had mixed feelings about whether the U.S. government should monitor their personal communications in the search for potential threats, the Washington Post reported Saturday. A Washington Post-ABC News poll released Sunday indicates twice as many Americans are willing to give up their privacy to protect themselves from potential terror threats as those who oppose the surveillance. The study queried 1,003 adults Jan. 12-15. It had a margin of error of 3.5 points.

When it comes to privacy versus protection, young adults are the most evenly split: 48 percent say threats should be investigated and 47 percent say privacy should be put first. Among senior citizens the divide is drastically different: 75 percent of people over 65 years of age say threats should be examined.

Snowden, who sought asylum in Russia, released documents indicating Chinese spies stole 50 terabytes of data, including information about the F-35 Joint Strike Fighter. The Chinese were reportedly able to use data stolen from American intelligence to create a "fifth-generation" fighter that could threaten the dominance the U.S. holds in the skies.
