
Thread: Project Sauron - active since at least 2011

  1. Link to Post #1

    Project Sauron - active since at least 2011

    Remember Sauron of Lord of the rings?



    Kaspersky only discovered its existence when it was asked by an unnamed government organization to investigate something weird going on with its network traffic.

    The malware can move across a network -- across even air gapped computers that are supposed to be more secure than typical setups -- to siphon passwords, cryptographic keys, IP addresses, configuration files, among other data off computers.

    It then stores all that information on a USB drive that Windows recognizes as an approved device.

    Both security companies (Kaspersky and Symantec) believe its development required the involvement of specialist teams and that it costs millions of dollars to operate.

    They didn't name a government in particular, but they noted that the malware took cues from older tools used for state-sponsored attacks, including Flamer that's been linked to Stuxnet in the past. As you might know, the Stuxnet worm, widely believed to be the joint creation of the US and Israel, infected Iran's nuclear program computers in the mid-2000s.

    Quote Symantec believes it has been used for what could be state-sponsored attacks to infiltrate 36 computers across at least seven organizations around the world - Its targets include several individuals in Russia, a Chinese airline, an unnamed organization in Sweden and an embassy in Belgium.

    Kaspersky says you can add various scientific research centers, military installations, telecommunications companies and financial institutions to that list.
    It has been said that Project Sauron has been active since at least 2011, but it was only unearthed recently because it was designed not to use patterns security experts usually look for when hunting for malware.

    (Source)

    ==update==
    additional SOURCE REFERENCES for material in the OP

    Via: Ars Technica
    Source: Symantec, Reuters, Kaspersky
    Keywords In this article: duqu, flamer, gear, malware, ProjectSauron, security, strider, stuxnet

    Writer: for EnGadget article - Mariella Moon

    (see below: https://projectavalon.net/forum4/show...=1#post1088494)

    ===========

    Thread SUMMARY:
    As seen in the thread, the questions asked between the posts are: how did it get there, who created it, and could it have come from signing into TOR (were the machines in the affected countries also used to access TOR)? There is a post about the NSA's intensive SPYING on TOR and how "man in the middle" intercepts can infiltrate targeted machines without anyone 'out there' being aware that such happened.
    Last edited by Bob; 10th August 2016 at 02:16.

  2. Link to Post #2

    Re: Project Sauron - active since at least 2011


    The name "Project Sauron" came from code contained in one of the malware's configuration files. (above from Kaspersky Labs module analysis)

    specially prepared USB storage drives that have a virtual file system that isn't viewable by the Windows operating system. To infected computers, the removable drives appear to be approved devices, but behind the scenes are several hundred megabytes reserved for storing data that is kept on the air-gapped machines. The arrangement works even against computers in which data-loss prevention software blocks the use of unknown USB drives.

    Kaspersky researchers still aren't sure precisely how the USB-enabled exfiltration works. The presence of the invisible storage area doesn't in itself allow attackers to seize control of air-gapped computers. The researchers suspect the capability is used only in rare cases and requires use of a zero-day exploit that has yet to be discovered. In all, Project Sauron is made up of at least 50 modules that can be mixed and matched to suit the objectives of each individual infection.

    "Once installed, the main Project Sauron modules start working as 'sleeper cells,' displaying no activity of their own and waiting for 'wake-up' commands in the incoming network traffic," Kaspersky researchers wrote in a separate blog post. "This method of operation ensures Project Sauron’s extended persistence on the servers of targeted organizations."

    Quote Kaspersky researchers said they discovered the malware last September after a customer at an unidentified government organization hired them to investigate anomalous network traffic. They eventually unearthed a "strange" executable program library that was loaded into the memory of one of the customer's domain controller servers.

    The library was masquerading as a Windows password filter, which is something administrators typically use to ensure passwords match specific requirements for length and complexity. The module started every time a network or local user logged in or changed a password, and it was able to view passcodes in plaintext.
    Targets included - Russia, Iran, Rwanda, China, Sweden, Belgium, and possibly in Italian-speaking countries.

    (Source)
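    The password-filter trick described in the post above is worth a concrete check. LSA loads every DLL named in the registry value "Notification Packages" under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and hands each one the plaintext password on every change, so an unexpected entry there is exactly what the researchers found. The script below is an added example, not code from the thread or from Kaspersky or Symantec: it parses that REG_MULTI_SZ value out of a `reg export` of the key (the `hex(7):` form is UTF-16LE, NUL-separated, double-NUL terminated) and reports entries missing from an allowlist. The allowlist, the sample export and the entry name `unknownpf` are constructed for the example.

```python
"""Audit the LSA 'Notification Packages' list from a Windows registry export."""
import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
VALUE_NAME = "Notification Packages"

# Assumed baseline (not from the thread): 'scecli' is the stock entry and
# 'rassfm' is common on domain controllers; tune this to your own build image.
KNOWN_GOOD = {"scecli", "rassfm"}

# Constructed sample of `reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa`.
# 'unknownpf' is a placeholder for an unexpected entry, not a real indicator.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,00
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,72,00,\
  61,00,73,00,73,00,66,00,6d,00,00,00,75,00,6e,00,6b,00,6e,00,6f,00,77,00,6e,00,\
  70,00,66,00,00,00,00,00
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_value_text}} for a .reg text export.

    A trailing backslash continues a hex value on the next (indented) line,
    so those are joined before the line-by-line scan.
    """
    joined = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys


def decode_hex7(data):
    """Decode a REG_MULTI_SZ 'hex(7):..' value into its list of strings."""
    if not data.startswith("hex(7):"):
        raise ValueError("not a REG_MULTI_SZ value: " + data[:24])
    raw = bytes(int(b, 16) for b in data[len("hex(7):"):].split(",") if b)
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def audit_notification_packages(reg_text, known_good=KNOWN_GOOD):
    """Return the configured password filters and those not on the allowlist."""
    values = parse_reg_export(reg_text).get(LSA_KEY, {})
    if VALUE_NAME not in values:
        return {"entries": [], "suspicious": [], "missing": True}
    entries = decode_hex7(values[VALUE_NAME])
    suspicious = [e for e in entries if e.lower() not in known_good]
    return {"entries": entries, "suspicious": suspicious, "missing": False}


if __name__ == "__main__":
    result = audit_notification_packages(SAMPLE_REG_EXPORT)
    print("Notification Packages:", result["entries"])
    for name in result["suspicious"]:
        # Each entry resolves to <name>.dll in System32; inspect its signature.
        print("REVIEW: unexpected password filter", name + ".dll")
```

    On a live domain controller the same allowlist comparison is done against the exported key; an entry that is not part of the build baseline should be checked for an Authenticode signature and a legitimate vendor before anything else, since a filter DLL sees every password in the clear.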

  3. Link to Post #3


    Project Analysis - getting inside the modules within Sauron..


    interesting packet monitoring technique..

  4. Link to Post #4


    Symantec released their 'report' on the Project Sauron spyware -


    calling it - "Backdoor.Remsec indicators of compromise.."

  5. Link to Post #5
    Posted by Cidersomerset (UK Avalon Member)


    Quote Project Sauron may have been created by a state-sponsored hacker group, researchers believe
    Quote from the article below; it reminds me of Rich Hall's doc on state-sponsored crop circle makers, and of course many covert actions are backed by all sorts of government agencies, openly and covertly.






    'Project Sauron' malware hidden for five years

    By Chris Baraniuk
    Technology reporter




    The malware has been nicknamed Project Sauron after references to JRR Tolkien's dark lord were found in the code

    A sophisticated form of malware known as Project Sauron went undetected
    for five years at a string of organisations, according to security researchers.

    The malware may have been designed by a state-sponsored group.

    It can disguise itself as benign files and does not operate in predictable ways, making it harder to detect. Experts from Kaspersky Lab and Symantec said it allows the attacker to spy on infected computers. In September last year, Kaspersky first detected the malware on an unspecified "government organisation" network. Since then, the firm claims to have found evidence of Project Sauron at more than 30 organisations in Russia, Iran and Rwanda.

    These were generally government, scientific, military, telecoms and financial
    organisations, according to Kaspersky.

    Separately, Symantec said it had found the malware in other countries,
    including at an airline in China and an embassy in Belgium.


    read more...

    http://www.bbc.co.uk/news/technology-37021957
    Last edited by Cidersomerset; 9th August 2016 at 20:22.


  7. Link to Post #6


    Quote Posted by Bob (here)
    As you might know, the Stuxnet worm, widely believed to be the joint creation of the US and Israel, infected Iran's nuclear program computers in the mid-2000s.
    Zero Days Official Trailer
    Last edited by Atlas; 9th August 2016 at 20:45.


  9. Link to Post #7


    In the 2000's security experts used to say "it's the golden age for hacking"

    well now in 2016 I think it's the "platinum age for hacking"....

    That first post.... doesn't make sense.

    Quote The malware can move across a network -- across even air gapped computers that are supposed to be more secure than typical setups -- to siphon passwords, cryptographic keys, IP addresses, configuration files, among other data off computers. It then stores all that information on a USB drive that Windows recognizes as an approved device. Both security companies believe its development required the involvement of specialist teams and that it costs millions of dollars to operate.
    in reading the reports from K and S, the above makes no sense.... millions of dollars to create maybe, not to operate.. USB what? it used covert HTTP communications and other methods, no usb needed... air gapped what? that's just ridiculous...

    this is a very slick suite of software, but anyone that implements security measures commonly known (2016) would catch this; domain controllers should have application whitelisting enabled... these types of attacks will get more and more sophisticated due to necessity... this one is clearly 5 years old... I can't IMAGINE what the more recent tools are like
    Last edited by TargeT; 9th August 2016 at 20:55.
    Hard times create strong men, Strong men create good times, Good times create weak men, Weak men create hard times.
    Where are you?


  11. Link to Post #8


    Is it possible/plausible/probable that IRAN created the 'new' malware/spyware? Even though they are listed as being a "target" (could that be a distraction?) Just wondering out loud..

    Checking relations between the groups mentioned

    China - Belgium - excellent relationship, good trade partners.

    https://www.washingtonpost.com/world...dca_story.html

    Post says -

    Quote The Justice Department on Thursday announced it has indicted seven hackers associated with the Iranian government, marking the first time the United States has charged state-sponsored individuals with hacking to disrupt the networks of key U.S. industries.

    The crimes include attacking U.S. banks’ public websites from late 2011 through May 2013

    Cited are two Iran-based computer security companies — ITSec Team and Mersad Co. — on behalf of the Iranian Revolutionary Guard Corps, a branch of the Iranian military established to defend the country’s Islamic system and promote its ideology.

    China - Sweden


    Sweden's and China's ties go back to the 17th century.

    Sweden traded with China and this was recorded by Nils Matsson Kiöping. He visited southern China on the ship Götheborg in 1654 and wrote accounts of his journeys to China upon his return to Sweden.

    The Swedish East India Company traded with China 1731-1813.

    Sweden was the first Western country to establish official diplomatic relations with the People's Republic of China.

    In 2006 the trade value between the two countries added up to 6.73 billion U.S. dollars. Sweden has become China's ninth-largest trading partner in the European Union and China has been Sweden's largest trade partner in Asia for four consecutive years.

    China - Rwanda

    China and Rwanda established diplomatic relations on November 12, 1971

    From 2000 to 2011, there were approximately 56 Chinese official development finance projects identified in Rwanda through various media reports

    Rwanda has been the center of much international attention since the war and genocide of 1994. The country is an active member of the United Nations, having presided over the Security Council during part of 1995 and again in 2013-2014. The UN assistance mission in Rwanda, a UN Chapter 6 peace-keeping operation, involved personnel from more than a dozen countries. Most of the UN development and humanitarian agencies have had a large presence in Rwanda.

    During the height of the crisis, a three-month period in 1994, however, the UN removed most of its peacekeepers, and virtually all other formal foreign support fled as well. The only other nation to directly involve itself at that point was France.

    Several west European and African nations, Canada, People's Republic of China, Egypt, Libya, Russia, the Holy See, and the European Union maintain diplomatic missions in Kigali.

    China - Iran

    China–Iran relations typically refers to the economic, political, and social relations between the modern nations of the People's Republic of China and Iran, from the 1950s to the present day.

    Over the past few decades, China and Iran have developed a broad and deep partnership centered on China's energy needs and Iran's abundant resources as well as significant non-energy economic ties, arms sales and defense cooperation, and geostrategic balancing against the United States. This partnership presents a unique challenge to U.S. interests and objectives. In particular, China's policies have hampered U.S. and international efforts to dissuade Iran from developing a nuclear weapons capability.

    Over the past several years, China has become Iran's number one oil customer and trading partner.

    China has provided Iran with the technological know-how to develop its energy resources. Chinese engineers have also built bridges, dams, railroads, and tunnels throughout Iran.

    The Iranian regime views China as a potential ally against the United States, and Beijing views Iran as a potential partner for limiting U.S. influence in the Middle East.

    ( January 28, 2016 OLGA SAMOFALOVA, VZGLYAD) China has agreed to construct two nuclear power plants in Iran and import Iranian oil on a long-term basis. Such cooperation could threaten Russian positions, since Moscow had earlier announced that it would simultaneously be building eight nuclear plants in Iran. Russia's place in the Chinese oil market, which for the last years has been squeezing out the Arabic countries, could also be affected.

    So, WHO done it?



    [Post Update]

    Quote Posted by TargeT (here)
    In the 2000's security experts used to say "it's the golden age for hacking"

    well now in 2016 I think it's the "platinum age for hacking"....

    That first post.... doesn't make sense.

    Quote The malware can move across a network -- across even air gapped computers that are supposed to be more secure than typical setups -- to siphon passwords, cryptographic keys, IP addresses, configuration files, among other data off computers. It then stores all that information on a USB drive that Windows recognizes as an approved device. Both security companies believe its development required the involvement of specialist teams and that it costs millions of dollars to operate.
    in reading the reports from K and S, the above makes no sense.... millions of dollars to create maybe, not to operate.. USB what? it used covert HTTP communications and other methods, no usb needed... air gapped what? that's just ridiculous...

    this is a very slick suite of software, but anyone that implements security measures commonly known (2016) would catch this; domain controllers should have application whitelisting enabled... these types of attacks will get more and more sophisticated due to necessity... this one is clearly 5 years old... I can't IMAGINE what the more recent tools are like
    If it works who cares how they managed to get it PAST the normal heuristic detectors - they managed, so whatever that it is "old".

  12. Link to Post #9
    Posted by ThePythonicCow (Administrator)


    Quote Posted by Bob (here)
    (Source)
    This report sourced from engadget.com is derived from a bit more detailed report at arstechnica.com, which in turn is derived from reports by Kaspersky (pdf) and Symantec.

    I have seen reports of air-gap espionage based on sensing slight changes in the fan noise. Some other, zero-day, exploit might be used to get an agent to assist in emitting the desired data from the normally air-gapped computer ... just guessing. This espionage appears to involve substantial effort to apply the latest techniques, adapted to specific high value targets ... I can well imagine that it's costing the nation-state perpetrating it a few million dollars.

    P.S. - on reading a bit more - it seems that the perpetrator was able to get an approved USB drive, with their hidden hacks, into the air-gapped computer. This would make extraction of that data, across the air gap, using something such as fan noise, possible. Store the data on the hidden part of the USB drive and then transmit the data, a bit slowly I suspect with lots of Error Correction Codes, across the air gap using noise or some such.
    Last edited by ThePythonicCow; 9th August 2016 at 21:15.
    My quite dormant website: pauljackson.us


  14. Link to Post #10


    Quote Posted by Bob (here)
    Is it possible/plausible/probable that IRAN created the 'new' malware/spyware? Even though they are listed as being a "target" (could that be a distraction?) Just wondering out loud..
    the similarity to Stuxnet / Flamer seems to indicate it's "ours".


  16. Link to Post #11


    Quote Posted by Paul (here)
    I have seen reports of air-gap espionage based on sensing slight changes in the fan noise. Some other, zero-day, exploit might be used to get an agent to assist in emitting the desired data from the normally air-gapped computer ... just guessing. This espionage appears to involve substantial effort to apply the latest techniques, adapted to specific high value targets ... I can well imagine that it's costing the nation-state perpetrating it a few million dollars.

    P.S. - on reading a bit more - it seems that the perpetrator was able to get an approved USB drive, with their hidden hacks, into the air-gapped computer. This would make extraction of that data, across the air gap, using something such as fan noise, possible. Store the data on the hidden part of the USB drive and then transmit the data, a bit slowly I suspect with lots of Error Correction Codes, across the air gap using noise or some such.
    I disagree that "zero day" or any current methods were used with this suite, the plugins are all a part of my Incident Response tool kit.

    I couldn't find anything about air gap communication in the Kas report (I just skimmed the Symantec one).. that IS very very new, not 5 years old.

    Much more likely that the USB stored the info, the USB was moved between computers (this is how you get data from / to an air gapped computer) as a method of "sneakernet" for security... but the USB drive was apparently not considered in the security plan.... my organization does not allow the use of USB external drives (they are blocked via GPO) due to things JUST like this.
    I highly doubt any of the more recent stuff applies to this package (such as EMF detection from keyboards for remote keylogging; fan speed changes or the like, they had a very normal keylogger included).

    The PCAP plug-ins, all of the included software is old stuff... this is the stuff I train on (I'm in a SANS course right now, 504) the method of hiding is old (and very common) the SNEAKY part of it is the encrypted channels it uses; as we do not inspect encrypted traffic (it's just too resource intensive) but still noisy.. an IPS /IDS would catch this if the logs were reviewed (sounds like they weren't).

    The funny thing 'bout these types of malware is they have to use YOUR wire to get out.. as long as you're paying attention to your traffic (and have a good base line) stuff like this sticks out like a sore thumb..

    ONE installation of Security Onion would have caught this (or just Bro).

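    The point in the post above, that implants have to use your own wire and stand out once you have a baseline, is easy to show on Bro (now Zeek) output even when the channel is encrypted. The script below is an added example, not code from the thread and not Security Onion's or Zeek's own tooling: it reads conn.log in Zeek's tab-separated format (the `#fields` header names the columns), groups outbound connections by source, destination and port, and flags pairs that talk to a destination absent from a baseline at near-constant intervals, which is the footprint of a "sleeper" module polling for its wake-up command. The log lines, the baseline set, the IP addresses and the thresholds are all constructed for the example.

```python
"""Baseline and beacon check over Zeek (Bro) conn.log lines."""
from collections import defaultdict
from statistics import mean, pstdev

FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]

# Constructed rows: 10.0.0.5 (say, a domain controller) talks to an unknown
# host every ~600 s over TLS; 10.0.0.23 browses a known host irregularly.
_ROWS = [
    ("1470700000.000", "C1a", "10.0.0.5", "49152", "203.0.113.7", "443", "tcp", "ssl", "1.2", "812", "364", "SF"),
    ("1470700000.400", "C2a", "10.0.0.23", "50001", "198.51.100.40", "443", "tcp", "ssl", "3.0", "2100", "90210", "SF"),
    ("1470700005.400", "C2b", "10.0.0.23", "50002", "198.51.100.40", "443", "tcp", "ssl", "0.4", "900", "4410", "SF"),
    ("1470700120.000", "C3a", "10.0.0.5", "49153", "10.0.0.10", "389", "tcp", "-", "0.1", "330", "1500", "SF"),
    ("1470700305.400", "C2c", "10.0.0.23", "50003", "198.51.100.40", "443", "tcp", "ssl", "1.1", "1000", "77000", "SF"),
    ("1470700317.400", "C2d", "10.0.0.23", "50004", "198.51.100.40", "443", "tcp", "ssl", "0.8", "640", "12000", "SF"),
    ("1470700600.200", "C1b", "10.0.0.5", "49160", "203.0.113.7", "443", "tcp", "ssl", "1.1", "815", "360", "SF"),
    ("1470701199.900", "C1c", "10.0.0.5", "49171", "203.0.113.7", "443", "tcp", "ssl", "1.3", "810", "362", "SF"),
    ("1470701217.400", "C2e", "10.0.0.23", "50005", "198.51.100.40", "443", "tcp", "ssl", "2.2", "1500", "45000", "SF"),
    ("1470701800.100", "C1d", "10.0.0.5", "49180", "203.0.113.7", "443", "tcp", "ssl", "1.2", "820", "366", "SF"),
    ("1470702400.000", "C1e", "10.0.0.5", "49190", "203.0.113.7", "443", "tcp", "ssl", "1.2", "811", "361", "SF"),
    ("1470702411.000", "C3b", "10.0.0.5", "49191", "10.0.0.10", "389", "tcp", "-", "0.1", "330", "1500", "SF"),
]
SAMPLE_CONN_LOG = ("#separator \\x09\n#fields\t" + "\t".join(FIELDS) + "\n"
                   + "".join("\t".join(r) + "\n" for r in _ROWS))

# Assumed baseline of destinations seen during a quiet period (constructed).
BASELINE_DESTINATIONS = {"10.0.0.10", "198.51.100.40"}
MIN_CONNECTIONS = 4       # fewer connections give no usable interval statistic
MAX_INTERVAL_CV = 0.15    # stdev/mean of the gaps; human traffic is far noisier


def parse_conn_log(text):
    """Yield one dict per record, keyed by the names in the '#fields' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split("\t")))


def new_destinations(text, baseline=BASELINE_DESTINATIONS):
    """Responder hosts that never appeared in the baseline, for triage."""
    seen = {row["id.resp_h"] for row in parse_conn_log(text)}
    return sorted(seen - set(baseline))


def find_beacons(text, baseline=BASELINE_DESTINATIONS):
    """Flag (src, dst, port) groups that poll an unknown host on a regular cadence."""
    groups = defaultdict(list)
    for row in parse_conn_log(text):
        key = (row["id.orig_h"], row["id.resp_h"], row["id.resp_p"])
        groups[key].append((float(row["ts"]), int(row["orig_bytes"])))
    findings = []
    for (src, dst, port), conns in groups.items():
        if len(conns) < MIN_CONNECTIONS or dst in baseline:
            continue
        times = sorted(t for t, _ in conns)
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv < MAX_INTERVAL_CV:
            findings.append({"src": src, "dst": dst, "port": port, "count": len(conns),
                             "mean_interval": round(avg, 1), "interval_cv": round(cv, 3),
                             "bytes_out": sum(b for _, b in conns)})
    return findings


if __name__ == "__main__":
    print("destinations not in baseline:", new_destinations(SAMPLE_CONN_LOG))
    for f in find_beacons(SAMPLE_CONN_LOG):
        print("BEACON? {src} -> {dst}:{port} x{count}, every {mean_interval}s, "
              "cv={interval_cv}, {bytes_out} bytes out".format(**f))
```

    The interval test is a triage heuristic, not proof: a polling schedule with deliberate jitter raises the coefficient of variation above the threshold, and the baseline only helps if it was captured while the network was clean, so a hit means "look at this flow" rather than "this is the implant". The value is that it needs nothing but connection metadata, which is exactly what an encrypted channel cannot hide from the sensor on your own wire.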

  18. Link to Post #12


    for folks who haven't heard about StuxNet - here from IEEE is how it works graphically explained:


    Quote Stuxnet could spread stealthily between computers running Windows—even those not connected to the Internet. If a worker stuck a USB thumb drive into an infected machine, Stuxnet could, well, worm its way onto it, then spread onto the next machine that read that USB drive. Because someone could unsuspectingly infect a machine this way, letting the worm proliferate over local area networks, experts feared that the malware had perhaps gone wild across the world.

    In October 2012, U.S. defense secretary Leon Panetta warned that the United States was vulnerable to a “cyber Pearl Harbor” that could derail trains, poison water supplies, and cripple power grids. The next month, Chevron confirmed the speculation by becoming the first U.S. corporation to admit that Stuxnet had spread across its machines.

    Although the authors of Stuxnet haven’t been officially identified, the size and sophistication of the worm have led experts to believe that it could have been created only with the sponsorship of a nation-state, and although no one’s owned up to it, leaks to the press from officials in the United States and Israel strongly suggest that those two countries did the deed. Since the discovery of Stuxnet, Schouwenberg and other computer-security engineers have been fighting off other weaponized viruses, such as Duqu, Flame, and Gauss, an onslaught that shows no signs of abating.

    This marks a turning point in geopolitical conflicts, when the apocalyptic scenarios once only imagined in movies like Live Free or Die Hard have finally become plausible. “Fiction suddenly became reality,” Schouwenberg says. But the hero fighting against this isn’t Bruce Willis; he’s a scruffy 27-year-old with a ponytail. Schouwenberg tells me, “We are here to save the world.” The question is: Does the Kaspersky Lab have what it takes?

    Viruses weren’t always this malicious. In the 1990s, when Schouwenberg was just a geeky teen in the Netherlands, malware was typically the work of pranksters and hackers, people looking to crash your machine or scrawl graffiti on your AOL home page.
    Source: http://spectrum.ieee.org/telecom/sec...ory-of-stuxnet "The Real Story of Stuxnet" - produced by the IEEE

  19. Link to Post #13


    Quote Posted by TargeT (here)
    [..]

    ONE installation of Security Onion would have caught this (or just Bro).
    Shame folks don't use packet capture and analysis and active denial to sites which they don't approve..

    By the Way...

    here is an excellent README page -

    https://www.schneier.com/blog/archiv...e_nsa_att.html

    Looking under the hood.. so to speak..

    [..] understanding how NSA actively cracks TOR, corrupts computers, (lots of data provided by Snowden on these methods) and explains a bit why TOR enabled computers are being compromised.. (Wonder if those locations infiltrated by this spyware mentioned in the OP got there having some TOR activity happen...)

    They mention some bragging by NSA in how they can even forge a GOOGLE page request by being faster on the internet than the other servers (packets and packet clashes and who wins providing data (fake or otherwise)... called "Man in the Middle" attacks..
    Last edited by Bob; 9th August 2016 at 21:45.

  20. Link to Post #14


    Quote Posted by Bob (here)
    Quote Posted by TargeT (here)
    [..]

    ONE installation of Security Onion would have caught this (or just Bro).
    Shame folks don't use packet capture and analysis and active denial to sites which they don't approve..

    yes, the level of what I refer to as "job security" out there is ASTOUNDING and the lack of talent to implement these things equally so... there are so many underqualified people acting out security theater for their bosses (who understand even less than they do).. it's damaging to everyone.


  22. Link to Post #15


    Just a FYI for folks wondering about the NSA's ability to get one onto a compromised webpage, even if you haven't knowingly gone to an invalid/dangerous webpage - the "man in the middle" attack by getting there first, into one's browser.. this is a reprint of Bruce Schneier's page who is the originator of the below: https://www.schneier.com/blog/archiv...e_nsa_att.html

    (I am going to do this without the quote to keep the text non-italic, but it is from his page)

    =====================

    How the NSA Attacks Tor/Firefox Users With QUANTUM and FOXACID


    The online anonymity network Tor is a high-priority target for the National Security Agency. The work of attacking Tor is done by the NSA's application vulnerabilities branch, which is part of the systems intelligence directorate, or SID. The majority of NSA employees work in SID, which is tasked with collecting data from communications systems around the world.

    According to a top-secret NSA presentation provided by the whistleblower Edward Snowden, one successful technique the NSA has developed involves exploiting the Tor browser bundle, a collection of programs designed to make it easy for people to install and use the software. The trick identifies Tor users on the Internet and then executes an attack against their Firefox web browser.

    The NSA refers to these capabilities as CNE, or computer network exploitation.

    The first step of this process is finding Tor users. To accomplish this, the NSA relies on its vast capability to monitor large parts of the Internet. This is done via the agency's partnership with US telecoms firms under programs codenamed Stormbrew, Fairview, Oakstar and Blarney.

    The NSA creates "fingerprints" that detect HTTP requests from the Tor network to particular servers. These fingerprints are loaded into NSA database systems like XKeyscore, a bespoke collection and analysis tool that NSA boasts allows its analysts to see "almost everything" a target does on the Internet.

    Using powerful data analysis tools with codenames such as Turbulence, Turmoil and Tumult, the NSA automatically sifts through the enormous amount of Internet traffic that it sees, looking for Tor connections.

    Last month, Brazilian TV news show Fantastico showed screenshots of an NSA tool that had the ability to identify Tor users by monitoring Internet traffic.

    The very feature that makes Tor a powerful anonymity service, and the fact that all Tor users look alike on the Internet, makes it easy to differentiate Tor users from other web users. On the other hand, the anonymity provided by Tor makes it impossible for the NSA to know who the user is, or whether or not the user is in the US.

    After identifying an individual Tor user on the Internet, the NSA uses its network of secret Internet servers to redirect those users to another set of secret Internet servers, with the codename FoxAcid, to infect the user's computer. FoxAcid is an NSA system designed to act as a matchmaker between potential targets and attacks developed by the NSA, giving the agency opportunity to launch prepared attacks against their systems.

    Once the computer is successfully attacked, it secretly calls back to a FoxAcid server, which then performs additional attacks on the target computer to ensure that it remains compromised long-term, and continues to provide eavesdropping information back to the NSA.

    Exploiting the Tor browser bundle

    Tor is a well-designed and robust anonymity tool, and successfully attacking it is difficult. The NSA attacks we found individually target Tor users by exploiting vulnerabilities in their Firefox browsers, and not the Tor application directly.

    This, too, is difficult. Tor users often turn off vulnerable services like scripts and Flash when using Tor, making it difficult to target those services. Even so, the NSA uses a series of native Firefox vulnerabilities to attack users of the Tor browser bundle.

    According to the training presentation provided by Snowden, EgotisticalGiraffe exploits a type confusion vulnerability in E4X, which is an XML extension for JavaScript. This vulnerability exists in Firefox 11.0 -- 16.0.2, as well as Firefox 10.0 ESR -- the Firefox version used until recently in the Tor browser bundle. According to another document, the vulnerability exploited by EgotisticalGiraffe was inadvertently fixed when Mozilla removed the E4X library with the vulnerability, and when Tor added that Firefox version into the Tor browser bundle, but NSA were confident that they would be able to find a replacement Firefox exploit that worked against version 17.0 ESR.

    The Quantum system

    To trick targets into visiting a FoxAcid server, the NSA relies on its secret partnerships with US telecoms companies. As part of the Turmoil system, the NSA places secret servers, codenamed Quantum, at key places on the Internet backbone. This placement ensures that they can react faster than other websites can. By exploiting that speed difference, these servers can impersonate a visited website to the target before the legitimate website can respond, thereby tricking the target's browser to visit a FoxAcid server.

    In the academic literature, these are called "man-in-the-middle" attacks, and have been known to the commercial and academic security communities. More specifically, they are examples of "man-on-the-side" attacks.

    They are hard for any organization other than the NSA to reliably execute, because they require the attacker to have a privileged position on the Internet backbone, and exploit a "race condition" between the NSA server and the legitimate website. This top-secret NSA diagram, made public last month, shows a Quantum server impersonating Google in this type of attack.

    The NSA uses these fast Quantum servers to execute a packet injection attack, which surreptitiously redirects the target to the FoxAcid server. An article in the German magazine Spiegel, based on additional top secret Snowden documents, mentions an NSA developed attack technology with the name of QuantumInsert that performs redirection attacks. Another top-secret Tor presentation provided by Snowden mentions QuantumCookie to force cookies onto target browsers, and another Quantum program to "degrade/deny/disrupt Tor access".

    This same technique is used by the Chinese government to block its citizens from reading censored Internet content, and has been hypothesized as a probable NSA attack technique.

    The FoxAcid system

    According to various top-secret documents provided by Snowden, FoxAcid is the NSA codename for what the NSA calls an "exploit orchestrator," an Internet-enabled system capable of attacking target computers in a variety of different ways. It is a Windows 2003 computer configured with custom software and a series of Perl scripts. These servers are run by the NSA's tailored access operations, or TAO, group. TAO is another subgroup of the systems intelligence directorate.

    The servers are on the public Internet. They have normal-looking domain names, and can be visited by any browser from anywhere; ownership of those domains cannot be traced back to the NSA.

    However, if a browser tries to visit a FoxAcid server with a special URL, called a FoxAcid tag, the server attempts to infect that browser, and then the computer, in an effort to take control of it. The NSA can trick browsers into using that URL using a variety of methods, including the race-condition attack mentioned above and frame injection attacks.

    FoxAcid tags are designed to look innocuous, so that anyone who sees them would not be suspicious. http://baseball2.2ndhalfplays.com/ne...952_z1zzz.html is an example of one such tag, given in another top-secret training presentation provided by Snowden.

    There is no currently registered domain name by that name; it is just an example for internal NSA training purposes.

    The training material states that merely trying to visit the homepage of a real FoxAcid server will not result in any attack, and that a specialized URL is required. This URL would be created by TAO for a specific NSA operation, and unique to that operation and target. This allows the FoxAcid server to know exactly who the target is when his computer contacts it.

    According to Snowden, FoxAcid is a general CNE system, used for many types of attacks other than the Tor attacks described here. It is designed to be modular, with flexibility that allows TAO to swap and replace exploits if they are discovered, and only run certain exploits against certain types of targets.

    The most valuable exploits are saved for the most important targets. Low-value exploits are run against technically sophisticated targets where the chance of detection is high. TAO maintains a library of exploits, each based on a different vulnerability in a system. Different exploits are authorized against different targets, depending on the value of the target, the target's technical sophistication, the value of the exploit, and other considerations.

    In the case of Tor users, FoxAcid might use EgotisticalGiraffe against their Firefox browsers.

    According to a top-secret operational management procedures manual provided by Snowden, once a target is successfully exploited it is infected with one of several payloads. Two basic payloads mentioned in the manual are designed to collect configuration and location information from the target computer so an analyst can determine how to further infect the computer.

    These decisions are made in part by the technical sophistication of the target and the security software installed on the target computer, called Personal Security Products or PSP, in the manual.

    FoxAcid payloads are updated regularly by TAO. For example, the manual refers to version 8.2.1.1 of one of them.

    FoxAcid servers also have sophisticated capabilities to avoid detection and to ensure successful infection of its targets. The operations manual states that a FoxAcid payload with the codename DireScallop can circumvent commercial products that prevent malicious software from making changes to a system that survive a reboot process.

    The NSA also uses phishing attacks to induce users to click on FoxAcid tags.

    TAO additionally uses FoxAcid to exploit callbacks -- which is the general term for a computer infected by some automatic means -- calling back to the NSA for more instructions and possibly to upload data from the target computer.

    According to a top-secret operational management procedures manual, FoxAcid servers configured to receive callbacks are codenamed FrugalShot. After a callback, the FoxAcid server may run more exploits to ensure that the target computer remains compromised long term, as well as install "implants" designed to exfiltrate data.

    By 2008, the NSA was getting so much FoxAcid callback data that they needed to build a special system to manage it all.


    This essay previously appeared in the Guardian. It is the technical article associated with this more general-interest article. I also wrote two commentaries on the material.

    EDITED TO ADD: Here is the source material we published. The Washington Post published its own story independently, based on some of the same source material and some new source material.

    Here's the official US government response to the story.

    The Guardian decided to change the capitalization of the NSA codenames. They should properly be in all caps: FOXACID, QUANTUMCOOKIE, EGOTISTICALGIRAFFE, TURMOIL, and so on.

    This is the relevant quote from the Spiegel article:

    According to the slides in the GCHQ presentation, the attack was directed at several Belgacom employees and involved the planting of a highly developed attack technology referred to as a "Quantum Insert" ("QI"). It appears to be a method with which the person being targeted, without their knowledge, is redirected to websites that then plant malware on their computers that can then manipulate them. Some of the employees whose computers were infiltrated had "good access" to important parts of Belgacom's infrastructure, and this seemed to please the British spies, according to the slides.

    That should be "QUANTUMINSERT." This is getting frustrating. The NSA really should release a style guide for press organizations publishing their secrets.

    And the URL in the essay (now redacted at the Guardian site) was registered within minutes of the story posting, and is being used to serve malware. Don't click on it.

    ================

    Bruce Schneier


    Do you use TOR?
    Last edited by Bob; 9th August 2016 at 21:57.
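    The essay above describes the Quantum servers winning a race against the legitimate website: the target's browser receives two answers to one request, and the injected one arrives first. From a network defender's point of view that race leaves a footprint worth looking for. The following is an added illustration, not code from Schneier's essay or from anyone in this thread: it walks a list of observed TCP segments and flags cases where the "same" server sent two segments with the same sequence number but different payloads (an ordinary retransmission repeats identical bytes and is ignored). The segments, addresses, TTL values and HTTP contents are constructed for the demonstration; the TTL difference is reported only as a supporting heuristic, since a segment emitted from a different hop often arrives with a different hop count.

```python
"""Flag duplicate-sequence-number conflicts in captured TCP segments.

Added example (not part of the quoted essay or the forum thread).
A race-based injection, as described in the essay, means one request is
answered twice by two different senders. On the wire this shows up as two
segments for the same flow and sequence number whose payloads differ.
All sample data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str        # server side, "ip:port" as seen by the monitoring point
    dst: str        # client side, "ip:port"
    seq: int        # TCP sequence number of the first payload byte
    ttl: int        # IP TTL observed on the wire (supporting heuristic only)
    payload: bytes  # TCP payload bytes


def find_duplicate_seq_conflicts(segments):
    """Return one record per (flow, seq) that carried two different payloads.

    Identical repeats are normal retransmissions and are not reported.
    Each record holds the flow, the sequence number, both payloads and the
    absolute TTL difference between the two copies.
    """
    first_seen = {}
    conflicts = []
    for seg in segments:
        key = (seg.src, seg.dst, seg.seq)
        earlier = first_seen.get(key)
        if earlier is None:
            first_seen[key] = seg
            continue
        if earlier.payload != seg.payload:
            conflicts.append({
                "flow": (seg.src, seg.dst),
                "seq": seg.seq,
                "first_payload": earlier.payload,
                "second_payload": seg.payload,
                "ttl_delta": abs(earlier.ttl - seg.ttl),
            })
    return conflicts


# Constructed capture: an injected redirect arrives first with a lower TTL,
# then the real server's answer arrives carrying the same sequence number.
# The final two segments are an honest retransmission and must not be flagged.
SAMPLE_SEGMENTS = [
    Segment("203.0.113.10:80", "198.51.100.7:51022", 1000, 49,
            b"HTTP/1.1 302 Found\r\nLocation: http://example.invalid/redirect\r\n\r\n"),
    Segment("203.0.113.10:80", "198.51.100.7:51022", 1000, 56,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"),
    Segment("203.0.113.10:80", "198.51.100.7:51022", 1064, 56, b"<p>more</p>"),
    Segment("203.0.113.10:80", "198.51.100.7:51022", 1064, 56, b"<p>more</p>"),
]


if __name__ == "__main__":
    for c in find_duplicate_seq_conflicts(SAMPLE_SEGMENTS):
        print(f"conflict on {c['flow']} seq={c['seq']} ttl_delta={c['ttl_delta']}")
        print("  first :", c["first_payload"][:40])
        print("  second:", c["second_payload"][:40])
```

    Running the script against a real capture would mean feeding it segments decoded by a packet library instead of the constructed list; the comparison itself stays the same. Because the injected copy wins the race by arriving first, the browser has usually already acted on it by the time the legitimate response shows up, so this check is a forensic or monitoring control rather than a way to block the attack.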

  23. Link to Post #16
    Unsubscribed
    Join Date
    23rd June 2013
    Location
    North America
    Age
    72
    Posts
    6,884
    Thanks
    12,723
    Thanked 29,293 times in 6,140 posts

    Default Re: Project Sauron - active since at least 2011

    One may find it interesting to do a PA forum search on "TOR BROWSER" and see the various threads, posts and discussions about members discussing using, or wanting to use (or not), the Tor Browser. https://projectavalon.net/forum4/search.php

    One member (retired) even mentioned Schneier's blog and "FoxAcid" - nobody so far appears to have discussed the NSA's "Man in the Middle" attack, which could be how NSA is able to get spyware payloads onto machines which have used TOR at some point.

    Flagged, Tagged, Targeted and Whacked certainly doesn't seem to be a good cycle from having used TOR to just snoop around to see what's 'out there'..

    Anonymity? Greenwald's comments (https://theintercept.com/2014/10/28/...owden-secrets/) about using TOR are especially interesting, alluding that it is OK to do that (use TOR).. hmm wonder about that suggestion, using TOR.. if that NSA FLAG is worth it.

    REFERENCE LINKS - Man in the Middle attack -

    https://www.techdirt.com/articles/20...p-telcos.shtml - "How The NSA Pulls Off Man-In-The-Middle Attacks: With Help From The Telcos"

    https://en.wikipedia.org/wiki/Man-on-the-side_attack

    https://www.theguardian.com/world/20...line-anonymity - the Guardian

    https://www.helpnetsecurity.com/2013...-mitm-attacks/ - How NSA impersonated GOOGLE !

    http://www.thewire.com/politics/2013...oogling/69398/

    Quote The NSA inserts itself between the target and where the target is trying to get. It is the man in the middle. It's as though you were sending a package to a friend, but the NSA told the mailman to bring it to their offices first. They look at it, repackage it, and send it on to its final destination. To extend that analogy, it's also like you decided to send your package via certified mail, requesting a signature once the package arrives. What the NSA is doing, in essence, is signing your friend's name.

    The Atlantic Wire spoke by phone with the Electronic Frontier Foundation's Micah Lee, who previously helped us put together our guide to hiding from the NSA. In that guide, Lee warned about man-in-the-middle attacks, but pointed out (as he did on Friday) that it was hard to do such things at a wide scale. Unlike other forms of surveillance, MITM attacks are generally (but not necessarily) detectable.

    https://hackertarget.com/11-offensive-security-tools/ - defence, offence

    http://www.wired.com/2014/03/quantum/ - how NSA 'only' targets potential terrorists

    Quote WE ALREADY KNEW that the NSA has weaponized the internet, enabling it to “shoot” exploits at anyone it desires. A single web fetch, imitated by an identified target, is sufficient for the NSA to exploit its victim.

    But the Edward Snowden slides and story published yesterday at The Intercept convey a wealth of new detailed information about the NSA’s technology and its limitations.

    First, it’s clear that the NSA has settled on a system called QUANTUM as its preferred, if not near-universal, internet exploitation mechanism. QUANTUM is vastly more effective than just sending spam. But since its launch at NSA, the program has clearly suffered from both mission creep and target creep.
    Last edited by Bob; 11th August 2016 at 01:57.

  24. Link to Post #17
    Avalon Retired Member
    Join Date
    2nd January 2011
    Posts
    361
    Thanks
    1,006
    Thanked 1,368 times in 300 posts

    Default Re: Project Sauron - active since at least 2011

    Quote Posted by Atlas (here)
    Quote Posted by Bob (here)
    As you might know, the Stuxnet worm, widely believed to be the joint creation of the US and Israel, infected Iran's nuclear program computers in the mid-2000s.
    Zero Days Official Trailer

    Bump - I watched it last night, it's a must watch in my book.
