Everything we know of NSA and Five Eyes malware
Note: all the information contained in this essay are extracted from documents that have already been previously published by a number of news organizations at different times.
The Snowden revelations have instigated a global outcry for privacy and empowered a more informed and critical analysis of the growing adoption of mass “passive” surveillance. However, the use of “active” surveillance and targeted attacks are commonly deemed as a necessary evil.
After years of publications, and even a massive commercial speculation, on the nature of state-sponsored attacks, particularly by China and Russia, it comes to no surprise that Western governments are also engaged in malware attacks. However, we still know very little on their capabilities and sophistication.
What we are learning is that it isn’t anymore just a matter of pure intelligence or counter-terrorism. A large portion of the attacks we’re seeing from all fronts are mostly political and sometimes economic. In few occasions they’re even in support of military missions. In a climate of fatigue from endless wars, modern day’s imperialism is carried through network packets and conflicts are played in the dark, across submarine cables and Internet routers, far from the sight of the public or the press.
In order to comprehend the true nature of the 21st century’s intelligence and military complex, it’s important to investigate and report on the infiltration capabilities of governments around the world, with no exceptions. If we are selective on the information the public is given, we will obtain a false picture of the ongoing war for Internet and information dominance and we won’t be able to build neutrally secure systems. There’s no space for nationalism in technology.
The GENIE Project
All the active collection and offensive activities pursued by NSA are funded under a program a document published by Der Spiegel calls GENIE. In NSA’s own words “the GENIE project plans, equips, and conducts Endpoint operations that actively compromise otherwise intactable targets and complement Midpoint programs that passively eavesdrop on communication links”. Among other things the budget includes “sustaining covert domestic” surveillance:
Source: Der Spiegel
And spending tens of million of dollars covertly acquiring 0day vulnerabilities from third parties in a very samaritan program named “Community Investment”:
Source: Der Spiegel
Much of what I’m going to illustrate in this essay is likely to be financed through the GENIE project, whose figures are staggering. NSA allocated more than 650 million dollars in 2013 alone, with the projected budget passing the billion dollars in 2017.
It is unrealistic to expect to understand the depth and the reach of NSA’s malware programs given the amount of resources they are provided with. However thanks to technical research and the journalistic publications of the last year, we’re able to reconstruct some of the missing parts and we can try to put the puzzle back together.
Malware for mass surveillance
Several documents released by Der Spiegel and The Intercept in the last year demonstrate that the exploitation and infiltration of computers often complements the “passive” collection by providing entrance into systems and networks that would otherwise be invisible to the mass surveillance infrastructure. The separation between mass and targeted surveillance is becoming blurry as we learn of attacks against Internet Service Providers, of targeting of system administrators and systematic compromise of Internet routers.
Dismissing the inherent problems of government hacking as a “necessary and proportionate” use of force is clearly a superficial and dangerous underestimation of the ongoing activities of governments around the world to sabotage the security and integrity of computer systems and of core Internet infrastructure. NSA is excelling at it.
Source: Der Spiegel
A document published by Der Spiegel shows that “active implants”, a fancy term for malware, are used to “copy traffic and direct a copy past a passive collector”. In other words, NSA is creating and deploying dedicated malware with the sole purpose of intercepting traffic they’d otherwise not be able to collect (or collect in clear) and route it through passive collectors that can then pipe it into NSA’s massive collection machinery.
More specifically, they install malware on “network infrastructure devices” to either collect “an entire link without selection” or alternatively do “targeted copying”.
I’m not sure how to emphasize this better. They’re compromising PBXs and similar core infrastructure with malware to mirror entire phone carrier links. Let that sink in for a second.
Source: Der Spiegel
Just to put a name on it, we learn from the same document that an implant calledBRAVENICKEL is the one used to perform the bulk collection from the link layers.HAMMERMILL is instead used for selective interception of traffic, which can then be either sent to the NSA’s passive collection systems or to TAO, possibly for more ad-hoc monitoring operations.
As explained by a different document, also published by Der Spiegel, we learn that more specifically HAMMERMILL is provided with what appear to be two plugins.HAMMERSTEIN to collect VPN key exchanges, and HAMMERCHANT which instead is used to target VoIP traffic. The active collection of keys becomes critical in an attempt to systematically defeat encrypted communications, as better illustrated in this article.
Malware of all flavors
If there is one thing I can say for a fact, is that NSA has malware of all flavors. They have malware for all sorts of devices, platforms, architectures and networks. Their malware programs probably amount to dozens and NSA certainly has a different code name for each and every one of them. It is practically impossible to identify and understand all of them, but we can at least start with the ones that occur more often across the Snowden documents published so far. In the case of NSA, the principal malware programs seem to be VALIDATOR, UNITEDRAKE, and STRAITBIZARRE.
VALIDATOR is an implant used to gain first access on the target device, collect some preliminary information and enable the subsequent deployment of a larger and more sophisticated malware framework. It is unclear what are its specific capabilities, but documents from the ANT catalog published by Der Spiegel in December 2013 suggest that it is at least available for Windows systems as well Internet routers. The SCHOOLMONTANA, SIERRAMONTANA, and STUCCOMONTANA are BIOS backdoors that in fact enable persistence to VALIDATOR on different models of Juniper routers.
Source: Der Spiegel
SOMBERKNAVE is a Windows software implant that can enable VALIDATOR to exfiltrate data even from air-gapped machines by providing “covert internet connectivity for isolated targets”. If there is a Wireless card available, SOMBERKNAVE will attempt to silently associate with any available WiFi and exfiltrate the stolen information through it. Lesson learned: an air-gapped machine isn’t air-gapped as long as it has hardware that can establish any kind of network connection.
However, as anticipated, VALIDATOR is just a reconnaissance tool, a dropper. The following stage of a typical attack would likely involve the deployment of a larger, full-featured and more sensitive implant, generally UNITEDRAKE or STRAITBIZARRE.
UNITEDRAKE is an extensible and modular framework which is provided with a large number of plugins that perform different collection functions, including GROK, a keylogger, SALVAGERABBIT, a USB exfiltration module, FOGGYBOTTOM, which presumably steals history and other information from Internet browsers, GUMFISH, which takes snapshots from a webcam, CAPTIVATEDAUDIENCE, to record audio from the embedded microphone, and WISTFULTOLL, to perform machine reconnaissance and available for STRAITBIZARRE as well.
UNITEDRAKE has been reported in the past in connection with QUANTUM and FOXACID, and despite probably being one of the principal deployments from TAO, it seems to be simply a general purpose malware framework.
Not much else is known about UNITEDRAKE.
STRAITBIZARRE appears to be the largest and most sophisticated malware programs in TAO’s arsenal. It’s a cross-platform implant available on Linux, Windows as well as mobile platforms.
Source: Der Spiegel
The main goal of STRAITBIZARRE is to provide an interface for a large variety of software and hardware implants to exfiltrate data. The ANT catalog published by Der Spiegel in 2013 contains few examples of such implants including COTTONMOUTH, a USB hardware implant which infiltrates in the target network, TOTEGHOSTLY, a STRAITBIZARRE based implant for Windows Mobile phones, and DROPOUTJEEP, a STRAITBIZARRE based implant for Apple iPhones.
The document from which the slide on the side is extracted goes in great length explaining how STRAITBIZARRE implants are used to exfiltrate data from systems that would otherwise be inaccessible or that would require phyisical access to the running device.
Source: Der Spiegel
Additionally, a document recently published by Der Spiegel shows how computers infected with STRAITBIZARRE can be turned into disposable and non-attributable “Shooter” nodes part of the QUANTUM infrastructure. These nodes can then receive messages from TURBINE, NSA’s Command & Control system.
For example, as shown in the diagram on the left, a QUANTUM Shooter (or TAO Shooter) is actively participant in QUANTUM attacks as it is instructed by NSA’s TURBINE to send specifically crafted responses to selected targets and hijack DNS, HTTP or any type of traffic NSA has a QUANTUM attack for.
All in all, STRAIBIZARRE is probably what would keep me up at night.
As of now, there are no indications that either UNITEDRAKE or STRAITBIZARRE have been discovered in the wild, although it is probable that some of the prestigious malware attacks we’ve observed in the past and commonly attributed to the US — such as Stuxnet, Duqu and Flame — might be related to one of the two.
Source: Der Spiegel
Despite having a probably unmatched budget and level of sophistication, NSA obviously isn’t the only member of the Five Eye in the malware business. Documents recently released by Der Spiegeldemonstrate that Five Eyes are in fact collectively developing WARRIORPRIDE,described by the Canadian CSEC as a “scalable, flexible, portable CNE platform” unified across Five Eyes.
Similarly to the malware programs illustrated so far, WARRIORPRIDE also appears to be a complex modular toolkit, provided with a variety of plugins, including some the CSEC explains to be particularly useful for reconnaissance and identification of foreign CNE implants.
Additionally, WARRIORPRIDE is also a multi-platform framework. Records from a GCHQ documentreleased by Der Spiegel show for example that an iPhone implementation has been created as well, and that it has been approved as a QUANTUM-enabled implant.
Along with the recent trove of CNE documents, Der Spiegel also published QWERTY, a keylogger module which appears to be part of the WARRIORPRIDE framework. While we know that the Canadians certainly make use of WARRIORPRIDE, strings in one of the QWERTY binaries suggest that the Australian Defense Signals Directorate (DSD), now just known as Australian Signals Directorate (ASD), might have had a part in the development:
Additionally, the XML definition file for the 20123.sys file from QWERTY shows that it depends on WzowskiLib and CNELib:
<platforms>Windows NT, Windows 2000, Windows XP (32/64 bit), Windows 2003 (32/64 bit)</platforms>
<rightsRequired>System or Administrator (if Administrator, I think the DriverInstallationUtility will generate some logs)</rightsRequired>
<pluginsDepend>U_HookManager v1.0, Kernel Covert Store v1.0</pluginsDepend>
<librariesDepend>CNELib v2.10, WzowskiLib v2.1</librariesDepend>
Source: Der Spiegel
A different deck from Canadian CSECcontains a slightly modified version of the slide illustrated previously, this time mentioning Wzowski as a “5-eyes API” WARRIORPRIDE is implemented with.
We can deduce that WzowskiLib and CNELib both are libraries collectively developed and used by USA, UK, Canada, Australia and New Zealand as a foundation for developing private as well as shared malware kits, including but not exclusively WARRIORPRIDE.
It is clear now that Five Eyes, especially other than the NSA I imagine, joined efforts to share resources and collectively develop a unified malware program.
So what is Regin?
At the end of November, Morgan Marquis-Boire and I published together with The Intercept a large collection of samples from a large and sophisticated malware framework commonly identified asRegin, identified during a long investigation into the Belgacom hack.
It was immediately clear that Regin was sophisticated enough to be coming from a Western government, and finding it used against Belgacom was a clear indication that GCHQ might have been responsible. However, I have to admit, I originally didn’t think that any agency other than NSA could have been able to produce a kit as sophisticated as Regin. I soon realized I was wrong.
We know that Regin has been used in the Belgacom hack attributed to — or rather confessed by — the British GCHQ. First documented ties between Regin and GCHQ came with documents released by The Intercept having specific mentions of tools and modules, LEGSPIN and HOPSCOTCH,identified by Kaspersky as part of the Regin framework:
While working on Der Spiegel publication, I started becoming increasingly convinced that Regin might in fact have been DAREDEVIL, what appears to be the GCHQ principal malware program, also mentioned in the screenshot above. All we knew was that Regin was used by GCHQ, so it might as well have been the case. However, my interpretation changed when I noticed this extract from the WARRIORPRIDE slide presented before:
This line can be open to interpretation, but it strongly suggests that WARRIORPRIDE and DAREDEVIL might in fact be different code names for the same malware program; what we commonly call Regin.
Additionally, researchers from Kaspersky were able to tie QWERTY to Regin by finding very clear similarities with a Regin keylogger module in their possession. Kaspersky also showed that QWERTY isn’t functional alone and it instead requires the 50225 Regin module, responsible for kernel-mode hooking. As a side note, I believe 50225 to be U_HookManager mentioned as a plugin dependency in the XML file presented above.
This is significant because it provides a more concrete identification of Regin to a documented malware program from the Five Eyes. As we know that QWERTY is in fact a WARRIORPRIDE module, we might deduce that Regin is likely to be WARRIORPRIDE itself. An additional, but a bit stretched, interpretation might be that DAREDEVIL is a derivation of WARRIORPRIDE or that they might be so closely compatible, that Regin could in fact be the combination of the two.
Source: Der Spiegel
For what it’s worth, there appears to be no evidence or mention of WARRIORPRIDE being used by NSA in any of the documents that have been published so far. What we know however, is that along with STRAITBIZARRE (yes, they mispelled it), DAREDEVIL/WARRIORPRIDE is enabled as a QUANTUM implant.
This however isn’t surprising. In relation to the Belgacom hack, Der Spiegel previously revealed that the infiltration, while operated by GCHQ, was in fact executed through a QUANTUM attack. We can deduce that members of Five Eyes, especially NSA and GCHQ, commonly share infiltration techniques and infrastructure and possibly coordinate to overcome one’s potential technical or legal limitations.
It is very hard to have a clear understanding of the CNE and malware capabilities of NSA, GCHQ and Five Eyes as a whole. There is a large variety of programs and code names and it is clear that many of them are designed in such a way to be compatible and speak the same protocols. In some cases we can expect them to share parts of their code base as well.
The resources at their disposal are enormous, likely unmatched, and certainly their technical sophistication is equally remarkable. Assuming that Regin might in fact be WARRIORPRIDE, we can conclude that we still haven’t seen any of NSA’s malware programs in action. And if we did, we haven’t been able to identify which program they correspond to. My best bet is still on Flame.
Attribution is hard, and many criticize attempts of it as pretentious and most likely wrong. While I’m generally supportive of calling things for what they are, I’m learning that attribution of Western intelligence agencies attacks is incredibly hard. Regin is the closest we have got so far, and still, we likely won’t be able to differentiate one member of the Five Eyes from the others as a sole responsible for a given attack.
At this point much of what is known, and partly even what I explained here, is largely speculative. It is imperative that the technical community keeps conducting analysis of the information at our disposal, connect the dots and fill the blank spots left. Share what you have, publish what you know. Don’t hold back.