Tailored Access Operations

File:XKeyscore presentation from 2008.pdf

A reference to Tailored Access Operations in an XKeyscore slide

The Office of Tailored Access Operations (TAO) is a cyber-warfare intelligence-gathering unit of the National Security Agency (NSA). It has been active since at least circa 1998.^[1]^[2] TAO identifies, monitors, infiltrates, and gathers intelligence on computer systems being used by entities foreign to the United States.^[3]^[4]^[5]^[6] The NSA terms these activities "computer network exploitation".

TAO is reportedly "now the largest and arguably the most important component of the NSA's huge Signals Intelligence Directorate^[7] (SIGINT), consisting of more than 1,000 military and civilian computer hackers, intelligence analysts, targeting specialists, computer hardware and software designers, and electrical engineers."^[1]

A document leaked by former NSA contractor Edward Snowden describing the unit's work says TAO has software templates allowing it to break into commonly used hardware, including “routers, switches, and firewalls from multiple product vendor lines".^[8] According to The Washington Post, TAO engineers prefer to tap networks rather than isolated computers, because there are typically many devices on a single network.^[8]

Organization

TAO's headquarters are termed the Remote Operations Center (ROC) and are based at the NSA headquarters at Fort Meade, Maryland. TAO also has expanded to NSA Hawaii (Wahiawa, Oahu), NSA Georgia (Fort Gordon, Georgia), NSA Texas (San Antonio, Texas), and NSA Colorado (Buckley Air Force Base, Denver).^[1]

Since 2013, the head of TAO is Rob Joyce, who previously worked in the NSA's Information Assurance Directorate (IAD). In January 2016, Joyce had a rare public appearance when he gave a presentation at the Usenix’s Enigma conference.^[9]

In the Remote Operations Center, 600 employees gather information from around the world.^[10]^[11] Their motto is "Your data is our data, your equipment is our equipment - anytime, any place, by any legal means."

Data Network Technologies Branch: develops automated spyware
Telecommunications Network Technologies Branch: improve network and computer hacking methods^[12]
Mission Infrastructure Technologies Branch: operates the software provided above^[13]
Access Technologies Operations Branch: Reportedly includes personnel seconded by the CIA and the FBI, who perform what are described as "off-net operations," which means they arrange for CIA agents to surreptitiously plant eavesdropping devices on computers and telecommunications systems overseas so that TAO's hackers may remotely access them from Fort Meade.^[1] Specially equipped submarines, currently USS Jimmy Carter,^[14] are used to wiretap fibre optic cables around the globe.

Virtual locations

Details^{[citation needed]} on a program titled QUANTUMSQUIRREL indicate NSA ability to masquerade as any routable IPv4 or IPv6 host. This enables an NSA computer to generate false geological location and personal identification credentials when accessing the Internet utilizing QUANTUMSQUIRREL.^[15]

"Truly covert infrastructure, be any IP in the world."

QUANTUMSQUIRREL image from an NSA presentation explaining the QUANTUMSQUIRREL IP host spoofing ability

QUANTUM attacks

Lolcat image from an NSA presentation explaining in part the naming of the QUANTUM program

NSA's QUANTUMTHEORY overview slide with various codenames for specific types of attack and integration with other NSA systems

The TAO has developed an attack suite they call QUANTUM. It relies on a compromised router that duplicates internet traffic, typically HTTP requests, so that they go both to the intended target and to an NSA site (indirectly). The NSA site runs FOXACID software which sends back exploits that load in the background in the target web browser before the intended destination has had a chance to respond (it's unclear if the compromised router facilitates this race on the return trip). Prior to the development of this technology, FOXACID software made spear-phishing attacks the NSA referred to as spam. If the browser is exploitable, further permanent "implants" (rootkits etc.) are deployed in the target computer, e.g. OLYMPUSFIRE for Windows, which give complete remote access to the infected machine.^[16] This type of attack is part of the man-in-the-middle attack family, though more specifically it is called man-on-the-side attack. It is difficult to pull off without controlling some of the Internet backbone.^[17]

There are numerous services that FOXACID can exploit this way. The names of some FOXACID modules are given below:^[18]

By collaboration with the British Government Communications Headquarters (GCHQ) (MUSCULAR), Google services could be attacked too, including Gmail.^[19]

Finding machines that are exploitable and worth attacking is done using analytic databases such as XKeyscore.^[20] A specific method of finding vulnerable machines is interception of Windows Error Reporting traffic, which is logged into XKeyscore.^[21]

QUANTUM attacks launched from NSA sites can be too slow for some combinations of targets and services as they essentially try exploit a race condition, i.e. the NSA server is trying to beat the legitimate server with its response.^[22] As of mid-2011, the NSA was prototyping a capability codenamed QFIRE, which involved embedding their exploit-dispensing servers in virtual machines (running on VMware ESX) hosted closer to the target, in the so-called Special Collection Sites (SCS) network worldwide. The goal of QFIRE was to lower the latency of the spoofed response, thus increasing the probability of success.^[23]^[24]^[25]

COMMENDEER [sic] is used to commandeer (i.e. compromise) untargeted computer systems. The software is used as a part of QUANTUMNATION, which also includes the software vulnerability scanner VALIDATOR. The tool was first described at the 2014 Chaos Communication Congress by Jacob Appelbaum, who characterized it as tyrannical.^[26]^[27]^[28]

QUANTUMCOOKIE is a more complex form of attack which can be used against Tor users.^[29]

Known targets and collaborations

Lua error in package.lua at line 80: module 'strict' not found.

China^[1]
Tor/Firefox users^[17]
In concert with the U.S. CIA and FBI, TAO is used to intercept laptops purchased online, divert them to secret warehouses where spyware and hardware is installed, and send them on to customers.^[30]
OPEC^[31]
SEA-ME-WE 4 – an optical fibre submarine communications cable system that carries telecommunications between Singapore, Malaysia, Thailand, Bangladesh, India, Sri Lanka, Pakistan, United Arab Emirates, Saudi Arabia, Sudan, Egypt, Italy, Tunisia, Algeria and France.^[27]
Mexico's Secretariat of Public Security^[21]
TAO's QUANTUM INSERT technology was passed to UK services, particularly to GCHQ's MyNOC, which used it to target Belgacom and GPRS roaming exchange (GRX) providers like the Comfone, Syniverse, and Starhome.^[21] Belgacom, which provides services to the European Commission, the European Parliament and the European Council discovered the attack.^[32]
Försvarets radioanstalt (FRA) in Sweden gives access to fiberoptic links for QUANTUM cooperation.^[33]^[34]

According to a 2013 article in Foreign Policy, "TAO has become increasingly accomplished at its mission, thanks in part to the high-level cooperation it secretly receives from the 'big three' American telecom companies (AT&T, Verizon and Sprint), most of the large US-based Internet service providers, and many of the top computer security software manufactures and consulting companies."^[35] A 2012 TAO budget document claims that these companies, on TAO's behest, "insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communications devices used by targets".^[35] A number of US companies, including Cisco and Dell, have subsequently made public statements denying that they insert such back doors into their products.^[36] Microsoft provides advance warning to the NSA of vulnerabilities it knows about, before fixes or information about these vulnerabilities is available to the public; this enables TAO to execute so-called zero-day attacks.^[37] A Microsoft official who declined to be identified in the press confirmed that this is indeed the case, but said that Microsoft can't be held responsible for how the NSA uses this advance information.^[38]

References

↑ ^1.0 ^1.1 ^1.2 ^1.3 ^1.4 Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ FOIA #70809 (released 2014-09-19)
↑ ^8.0 ^8.1 Lua error in package.lua at line 80: module 'strict' not found.
↑ The Register: NSA’s top hacking boss explains how to protect your network from his attack squads, January 28, 2016
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ WebCite query result
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ ^17.0 ^17.1 Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ ^21.0 ^21.1 ^21.2 Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ ^27.0 ^27.1 Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ ^35.0 ^35.1 Matthew M. Aid, (October 15, 2013) "The NSA's New Code Breakers", Foreign Policy
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.

External links

[fp2013-1] 1.0 ^1.1 ^1.2 ^1.3 ^1.4 Lua error in package.lua at line 80: module 'strict' not found.

[2] Lua error in package.lua at line 80: module 'strict' not found.

[Kingsbury-3] Lua error in package.lua at line 80: module 'strict' not found.

[4] Lua error in package.lua at line 80: module 'strict' not found.

[Riley-5] Lua error in package.lua at line 80: module 'strict' not found.

[Aid2010-6] Lua error in package.lua at line 80: module 'strict' not found.

[7] FOIA #70809 (released 2014-09-19)

[gellman-nakashima-2013-8] 8.0 ^8.1 Lua error in package.lua at line 80: module 'strict' not found.

[9] The Register: NSA’s top hacking boss explains how to protect your network from his attack squads, January 28, 2016

[10] Lua error in package.lua at line 80: module 'strict' not found.

[11] Lua error in package.lua at line 80: module 'strict' not found.

[12] Lua error in package.lua at line 80: module 'strict' not found.

[13] WebCite query result

[14] Lua error in package.lua at line 80: module 'strict' not found.

[15] Lua error in package.lua at line 80: module 'strict' not found.

[16] Lua error in package.lua at line 80: module 'strict' not found.

[Schneier-17] 17.0 ^17.1 Lua error in package.lua at line 80: module 'strict' not found.

[18] Lua error in package.lua at line 80: module 'strict' not found.

[19] Lua error in package.lua at line 80: module 'strict' not found.

[20] Lua error in package.lua at line 80: module 'strict' not found.

[spiegel1-21] 21.0 ^21.1 ^21.2 Lua error in package.lua at line 80: module 'strict' not found.

[22] Lua error in package.lua at line 80: module 'strict' not found.

[23] Lua error in package.lua at line 80: module 'strict' not found.

[24] Lua error in package.lua at line 80: module 'strict' not found.

[25] Lua error in package.lua at line 80: module 'strict' not found.

[26] Lua error in package.lua at line 80: module 'strict' not found.

[pwnage-27] 27.0 ^27.1 Lua error in package.lua at line 80: module 'strict' not found.

[28] Lua error in package.lua at line 80: module 'strict' not found.

[29] Lua error in package.lua at line 80: module 'strict' not found.

[30] Lua error in package.lua at line 80: module 'strict' not found.

[31] Lua error in package.lua at line 80: module 'strict' not found.

[32] Lua error in package.lua at line 80: module 'strict' not found.

[33] Lua error in package.lua at line 80: module 'strict' not found.

[34] Lua error in package.lua at line 80: module 'strict' not found.

[fp-35] 35.0 ^35.1 Matthew M. Aid, (October 15, 2013) "The NSA's New Code Breakers", Foreign Policy

[36] Lua error in package.lua at line 80: module 'strict' not found.

[37] Lua error in package.lua at line 80: module 'strict' not found.

[38] Lua error in package.lua at line 80: module 'strict' not found.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

[22]

[23]

[24]

[25]

[26]

[27]

[28]

[29]

[30]

[31]

[32]

[33]

[34]

[35]

[36]

[37]

[38]

v t e National Security Agency
Locations	Alaskan Mission Operations Center Colorado Cryptologic Center Consolidated Intelligence Center CSSG Dorsey Road European Cryptologic Center European Technical Center Fort Meade Friendship Annex Georgia Cryptologic Center Hawaii Cryptologic Center Interagency Training Center Kent Island Misawa Security Operations Center Multiprogram Research Facility Pine Gap RAF Menwith Hill Roaring Creek Room 641A Salt Creek Texas Cryptologic Center Utah Data Center
Leaders	Ralph Canine John A. Samford Laurence Hugh Frost Gordon Blake Marshall Carter Noel Gayler Samuel C. Phillips Lew Allen Bobby Ray Inman Lincoln D. Faurer William Eldridge Odom Bill Studeman John Michael McConnell Kenneth Minihan Michael Hayden Keith B. Alexander Michael S. Rogers
Divisions	Central Security Service Information Warfare Support Center Remote Operations Center Special Collection Service Special Source Operations Tailored Access Operations NSA/CSS Threat Operations Center National Security Operations Center
Technology	ANT catalog FROSTBURG HARVEST Secure Terminal Equipment (STE) STU-I STU-II STU-III WARRIOR PRIDE
Controversy	2013 mass surveillance disclosures Church Committee Edward Snowden LOVEINT James Bamford NSA warrantless surveillance controversy Pike Committee Russ Tice Thomas Andrews Drake Thomas Tamm
Programs	Boundless Informant Dropmire ECHELON Fairview Insider Threat Program MUSCULAR MYSTIC PRISM Real Time Regional Gateway Stellar Wind TRAILBLAZER Turbulence Upstream XKeyscore
Databases	DISHFIRE Interquake Main Core MAINWAY MARINA Nymrod PINWALE
Other	Dundee Society Institute for Defense Analyses National Cryptologic Museum National Cryptologic School National Vigilance Park NSA Hall of Honor VENONA Zendian Problem

Tailored Access Operations

Contents

Organization

Virtual locations

QUANTUM attacks

Known targets and collaborations

See also

References

External links

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools