Quantum Insert

06 Dec 2016

NSA Leaked Tools: Quantum Insert

Many tools and methods of hacking were let loose into the wild, secret organizations were revealed, and the stolen tools were now in the hands of the enemy. Edward Snowden, a name that soon became known all over the world, is the name of the man behind the infamous NSA leak. This leak of classified NSA tools brought to light the agency's secret network of cyber warfare. Many of the NSA's hacking methods became widely known, some of which startled those who heard of them. Quantum Insert, a method of hijacking a computer through an infected router and sheer speed, was one of these methods.

Edward Snowden is an American citizen who specialized in computers and was a former Central Intelligence Agency employee and contractor for the United States government. In 2013, Snowden, without authorization, copied and leaked classified information from the National Security Agency (NSA), which soon became known around the world. Although branded a traitor by many, he has also been called a hero. These leaks were revealed to several journalists who then reported them through news outlets such as The Guardian and The Washington Post, and many debates have been raised concerning the use and ethics of mass surveillance and government secrecy. There have also been claims that Snowden wasn’t the only one to release sensitive information. Also in 2013, Der Spiegel released an article exposing the NSA’s toolbox: “While it came from one of the news agencies in possession of documents leaked by former NSA contractor Edward Snowden,[12] security expert Bruce Schneier said he doesn’t ‘believe the TAO catalog came from the Snowden documents. I think there’s a second leaker out there’” (NSA ANT… 1).

The ANT catalog gives us a sense of just how much of the NSA’s tooling has been compromised. Being the National Security Agency, the NSA needs people who specialize in using and developing its tools. The Tailored Access Operations unit, or TAO for short, does just that. Der Spiegel has also released an article on this group: “Getting the ungettable” is the NSA’s own description of its duties. “It is not about the quantity produced but the quality of intelligence that is important,” one former TAO chief wrote, describing her work in a document. The paper seen by SPIEGEL quotes the former unit head stating that TAO has contributed “some of the most significant intelligence our country has ever seen.” The unit, it goes on, has “access to our very hardest targets.”

TAO is the main group in the NSA responsible for carrying out aggressive attacks: “the special unit succeeded in gaining access to 258 targets in 89 countries – nearly everywhere in the world. In 2010, it conducted 279 operations worldwide” (Schneier 2). This article also mentions QUANTUM INSERT and how it’s favored among many intelligence service hackers. According to the article, NSA agents relied on standard social engineering methods such as sending targeted attack emails disguised as spam: “all that is needed to plant NSA malware on a person’s computer is for that individual to open a website that has been specially crafted to compromise the user’s computer” (Schneier 4). The problem with spam is that it doesn’t always work; this is where QUANTUM INSERT steps in.

Missions that use QUANTUM INSERT have a success rate of about 80%, while those that use the standard spam methods have a success rate of less than 1%. QUANTUM INSERT all starts with surveillance: “Once TAO teams have gathered sufficient data on their targets’ habits, they can shift into attack mode, programming the QUANTUM systems to perform this work in a largely automated way” (Schneier 6). Once the target sends a request through the infected router, alarms are triggered and NSA FOXACID servers are notified. These FOXACID servers host files that make the user connect to NSA covert systems rather than their intended site. Once connected, the manipulated page transfers malware custom tailored to the system’s vulnerabilities.

QUANTUM INSERT is not foolproof: for the redirect to succeed, the FOXACID servers need to beat the response from the actual server the packet is being sent to. “The technique can literally be a race between servers… described in internal intelligence agency jargon with phrases like: ‘Wait for client to initiate new connection,’ ‘Shoot!’ and ‘Hope to beat server-to-client response.’ Like any competition, at times the covert network’s surveillance tools are ‘too slow to win the race’” (Schneier 8). The following pictures show these steps in more detail.

As shown in the previous pictures, QUANTUM INSERT is relatively simple, but it’s definitely a bit more complicated than it looks: “QUANTUMINSERT is described as a ‘HTML Redirection’ attack by injecting malicious content into a specific TCP session. A session is selected for injection based on ‘selectors’[3], such as a persistent tracking cookie that identifies a user for a longer period of time” (Lennarthaagsma 3). Once the shooter (the FOXACID server) is tipped off, spoofed TCP packets are sent to beat the packets from the original server, impersonating it. The QUANTUM attack is known as a man-on-the-side (MOTS) attack as opposed to a man-in-the-middle (MITM) attack. In a MITM attack, the original packets are replaced, while in a MOTS attack they are injected alongside the real ones.

The reason QUANTUM INSERT works is TCP segment overlap, which occurs when two packets with the same sequence number appear: “A client will receive duplicate TCP packets with the same sequence number but with a different payload. The first TCP packet will be the ‘inserted’ one while the second is from the real server, but will be ignored by the client” (Lennarthaagsma 12). Because of the duplicate sequence numbers, the second packet will usually be ignored and dropped, leaving the first one to be used. “Theoretically an insert can be done anywhere in the TCP session, for example in long lived HTTP/1.1 sessions. A redirect could also be performed that would have less than 10% difference with the real payload. For example by doing the QI on a similar domain name on a HTTP 302 redirect” (Lennarthaagsma 11). The shooter can also start sending the TCP packet before the client sends the HTTP request; however, by doing this the shooter loses the ability to identify and target specific users.

Undersea cables have also been targeted: “One document labeled ‘top secret’ and ‘not for foreigners’ describes the NSA’s success in spying on the ‘SEA-ME-WE-4’ cable system” (Inside TAO 7). The bundle, connecting locations such as Europe, North Africa, Pakistan and Thailand, was successfully used for the collection of network management information: “With the help of a ‘website masquerade operation,’ the agency was able to ‘gain access to the consortium’s management website and collected Layer 2 network information that shows the circuit mapping for significant portions of the network’” (Inside TAO 8). TAO “hacked an internal website of the operator consortium and copied documents stored there pertaining to technical infrastructure” (Inside TAO 9).

How do we detect QUANTUM INSERT? There are several things to look out for. To detect this type of attack, one would need an IDS that observes the traffic between the client and the server. As mentioned before, the client will receive two packets with identical sequence numbers. This is already a good indicator of a QI attack and probably one of the easiest to identify. However, this method can also produce false positives: “A retransmission with a different payload size will sometimes look like a QUANTUMINSERT, this can happen when a retransmission is cut short, for example during TCP window size changes” (Lennarthaagsma 12).

Another anomaly to look out for is the Time To Live (TTL). Since QI packets are normally injected closer to the target, their TTL will be relatively higher than that of the responses from the actual server, which arrive from farther away. The TTL can be modified, but accurately predicting the correct TTL value is difficult; on the other hand, slight changes in TTL values are not unusual because routes change frequently (Lennarthaagsma 13). Preventing QI attacks is actually very simple. QI works on the HTTP protocol, meaning that if you are using HTTPS on both the client and server side, you should be relatively safe. All resources sent over the internet should also be served over SSL. Any type of VM software can also prevent QI attacks.
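The two detection heuristics above (duplicate sequence numbers with differing payloads, and a TTL gap between the two copies), together with the truncated-retransmission false positive, as an added example that is not part of the original page or of any IDS: a small flow tracker run over constructed server-to-client segments. Addresses, TTLs and payloads are made up for illustration; a real detector would read them from a packet capture.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One server->client TCP segment as an IDS would see it (constructed fields)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ttl: int
    payload: bytes


def detect_quantum_insert(segments, ttl_delta=4):
    """Flag flows where two segments share a sequence number but carry different data.

    The first segment with a given (flow, seq) is the one the client accepts; a
    later one with a different payload is either a truncated retransmission or an
    injected 'insert'. A large TTL gap raises confidence, since a packet injected
    near the client has more hops left than the genuine reply."""
    first_seen = {}
    findings = []
    for seg in segments:
        key = (seg.src, seg.sport, seg.dst, seg.dport, seg.seq)
        first = first_seen.setdefault(key, seg)
        if first is seg or first.payload == seg.payload:
            continue  # first sighting of this seq, or an ordinary retransmission
        if first.payload.startswith(seg.payload) or seg.payload.startswith(first.payload):
            verdict = "truncated-retransmission"  # same bytes cut short: likely benign
        else:
            verdict = "quantum-insert"  # same seq, different content: client kept the first
        findings.append({
            "flow": key[:4], "seq": seg.seq, "verdict": verdict,
            "ttl_gap": first.ttl - seg.ttl,
            "ttl_suspicious": abs(first.ttl - seg.ttl) >= ttl_delta,
            "accepted_payload": first.payload[:40],
        })
    return findings


SERVER, CLIENT = ("203.0.113.10", 80), ("198.51.100.5", 49152)
SAMPLE_SEGMENTS = [  # constructed traffic, not a real capture
    # seq 1000: injected 302 wins the race with a higher remaining TTL, real 200 follows
    Segment(*SERVER, *CLIENT, 1000, 61, b"HTTP/1.1 302 Found\r\nLocation: http://redirect.example/\r\n\r\n"),
    Segment(*SERVER, *CLIENT, 1000, 52, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    # seq 2000: identical retransmission, must not be flagged
    Segment(*SERVER, *CLIENT, 2000, 52, b"<p>hello</p>"),
    Segment(*SERVER, *CLIENT, 2000, 52, b"<p>hello</p>"),
    # seq 3000: retransmission cut short by a window change, the known false positive
    Segment(*SERVER, *CLIENT, 3000, 52, b"<p>hello world</p>"),
    Segment(*SERVER, *CLIENT, 3000, 53, b"<p>hello"),
]
```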

Quantum Insert, a method of injecting malware into unsuspecting systems, allowed the NSA to infect over 300 computers around the world in 2010. This method of infection gave the NSA a higher success rate in all of the missions that utilized it. QI and many other tools that were once top secret have been released into the wild. This raises a question: how will the NSA combat its creations once they are turned on their creators?