The NSA runs a massive, full-time hacking operation targeting foreign systems, the latest leaks from Edward Snowden show. But unlike conventional cybercriminals, the agency is less interested in hacking PCs and Macs. Instead, America's spooks have their eyes on the internet routers and switches that form the basic infrastructure of the net, and are largely overlooked as security vulnerabilities.
Wired reports: Under a $652-million program codenamed "Genie," U.S. intel agencies have hacked into foreign computers and networks to monitor communications crossing them and to establish control over them, according to a secret black budget document leaked to the Washington Post. U.S. intelligence agencies conducted 231 offensive cyber operations in 2011 to penetrate the computer networks of targets abroad.
This included not only installing covert "implants" in foreign desktop computers but also on routers and firewalls - tens of thousands of machines every year in all. According to the Post, the government planned to expand the program to cover millions of additional foreign machines in the future and preferred hacking routers to individual PCs because it gave agencies access to data from entire networks of computers instead of just individual machines. Most of the hacks targeted the systems and communications of top adversaries like China, Russia, Iran and North Korea and included activities around nuclear proliferation. The NSA's focus on routers highlights an often-overlooked attack vector with huge advantages for the intruder, says Marc Maiffret, chief technology officer at security firm Beyond Trust. Hacking routers is an ideal way for an intelligence or military agency to maintain a persistent hold on network traffic because the systems aren't updated with new software very often or patched in the way that Windows and Linux systems are.
Hijacking routers and switches could allow the NSA to do more than just eavesdrop on all the communications crossing that equipment. It would also let them bring down networks or prevent certain communication, such as military orders, from getting through, though the Post story doesn’t report any such activities. With control of routers, the NSA could re-route traffic to a different location, or intelligence agencies could alter it for disinformation campaigns, such as planting information that would have a detrimental political effect or altering orders to re-route troops or supplies in a military operation.
According to the budget document, the CIA’s Tailored Access Programs and NSA’s software engineers possess “templates” for breaking into common brands and models of routers, switches and firewalls.
The article doesn’t say it, but this would likely involve pre-written scripts or backdoor tools and root kits for attacking known but unpatched vulnerabilities in these systems, as well as for attacking zero-day vulnerabilities that are yet unknown to the vendor and customers.