NSA Used Facebook As a Trojan Horse to Infect Targets with Malware

Glenn Greenwald's Snowden files are the bottomless mimosas of cyber-security scares. The latest dispatch from The Intercept describes how the National Security Agency exploited Silicon Valley by disguising itself as a fake Facebook server in order to infect targeted computers with malware.

Through these "implants," the NSA was able to "siphon out data from foreign Internet and phone networks."

In a way, the government agency sounds like any other startup. They developed this "groundbreaking surveillance technology" to optimize hacking into computers undetected. They also built an automated system codenamed TURBINE to truly scale spying by reducing "the level of human oversight in the process." Automating the implant process, you see, enables the NSA to potentially infect millions of computers worldwide!

Wearing a friendly Facebook mask also helped:

In some cases the NSA has masqueraded as a fake Facebook server, using the social media site as a launching pad to infect a target's computer and exfiltrate files from a hard drive. In others, it has sent out spam emails laced with the malware, which can be tailored to covertly record audio from a computer's microphone and take snapshots with its webcam. The hacking systems have also enabled the NSA to launch cyberattacks by corrupting and disrupting file downloads or denying access to websites.

According to one top-secret document from 2012, the agency used to use spam emails to get targets to click on "malicious links" that activated a "back-door implant." But Internet users are not as gullible as they once were, so the NSA had to hit them where they hang out online:

In one man-on-the-side technique, codenamed QUANTUMHAND, the agency disguises itself as a fake Facebook server. When a target attempts to log in to the social media site, the NSA transmits malicious data packets that trick the target's computer into thinking they are being sent from the real Facebook. By concealing its malware within what looks like an ordinary Facebook page, the NSA is able to hack into the targeted computer and covertly siphon out data from its hard drive. A top-secret animation demonstrates the tactic in action.
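The quoted passage describes a man-on-the-side race: the injector cannot block the real server's reply, it can only try to get its own segment to the client first. A defender with a network tap can look for the fingerprint that race leaves behind. The detector below is an added example written for this article, not code from The Intercept's documents or from any vendor; the packet records are constructed sample data, and the field layout (`Segment`) is an assumption of the example.

```python
# Added example, not from the article: flag TCP segments that compete for the
# same sequence-number slot with different bytes. A genuine retransmission
# repeats identical bytes; two different payloads at one (flow, seq) position
# mean two senders answered the same request, which is what a man-on-the-side
# injector produces. A differing IP TTL is reported as supporting evidence
# only, since the injected copy normally arrives over a different path.
from collections import defaultdict
from typing import NamedTuple

class Segment(NamedTuple):  # assumed record layout for this example
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ttl: int
    payload: bytes

def find_injections(segments):
    """Return one alert dict per (flow, seq) slot carrying >1 distinct payload."""
    by_slot = defaultdict(list)
    for s in segments:
        by_slot[(s.src, s.sport, s.dst, s.dport, s.seq)].append(s)
    alerts = []
    for (src, sport, dst, dport, seq), segs in by_slot.items():
        payloads = {s.payload for s in segs}
        if len(payloads) < 2:       # identical bytes: plain retransmission
            continue
        ttls = sorted({s.ttl for s in segs})
        alerts.append({
            "flow": f"{src}:{sport}->{dst}:{dport}",
            "seq": seq,
            "distinct_payloads": len(payloads),
            "ttls": ttls,
            "ttl_mismatch": len(ttls) > 1,
        })
    return alerts

# Constructed sample traffic: one server reply, one racing injected reply
# with a different TTL, one benign retransmission, and an unrelated flow.
SERVER = ("203.0.113.10", 80, "192.0.2.5")
SAMPLE_SEGMENTS = [
    Segment(*SERVER, 51234, 1000, 57, b"HTTP/1.1 200 OK\r\n\r\n<html>login</html>"),
    Segment(*SERVER, 51234, 1000, 49, b"HTTP/1.1 302 Found\r\nLocation: http://example.invalid/\r\n\r\n"),
    Segment(*SERVER, 51234, 1000, 57, b"HTTP/1.1 200 OK\r\n\r\n<html>login</html>"),
    Segment(*SERVER, 51235, 2000, 57, b"HTTP/1.1 200 OK\r\n\r\nok"),
]

if __name__ == "__main__":
    for alert in find_injections(SAMPLE_SEGMENTS):
        print(alert)
```

Treat a hit as a lead to investigate rather than proof: some middleboxes also rewrite bytes in flight. Over HTTPS, which the article later credits Facebook with adopting, an injected segment cannot carry a valid TLS record, so the race no longer yields a usable page.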

Documents show that QUANTUMHAND became operational in October 2010 after the NSA beta-tested it on a dozen or so targets. Surveillance expert Matt Blaze says the technique was designed to target individuals, but is concerned about how it's been "covertly integrated within Internet networks" as part of TURBINE:

"As soon as you put this capability in the backbone infrastructure, the software and security engineer in me says that's terrifying," Blaze says.

"Forget about how the NSA is intending to use it. How do we know it is working correctly and only targeting who the NSA wants? And even if it does work correctly, which is itself a really dubious assumption, how is it controlled?"

Spokesperson Jay Nancarrow told The Intercept that Facebook had "no evidence of this alleged activity." Facebook is less vulnerable to malware attacks now that it offers HTTPS encryption to users, but that was only implemented last year.

Nancarrow also pointed out that other services besides Facebook could have been compromised by the NSA. "If government agencies indeed have privileged access to network service providers," he said, "any site running only [unencrypted] HTTP could conceivably have its traffic misdirected."

Pointing the finger elsewhere may not be the best response. Does Facebook really want its users to become more paranoid and proactive about privacy concerns?

Update: On Thursday, the NSA issued a statement calling the allegations "inaccurate" and "simply false":

Recent media reports that allege NSA has infected millions of computers around the world with malware, and that NSA is impersonating U.S. social media or other websites, are inaccurate. NSA uses its technical capabilities only to support lawful and appropriate foreign intelligence operations, all of which must be carried out in strict accordance with its authorities. Technical capability must be understood within the legal, policy, and operational context within which the capability must be employed.

NSA's authorities require that its foreign intelligence operations support valid national security requirements, protect the legitimate privacy interests of all persons, and be as tailored as feasible. NSA does not use its technical capabilities to impersonate U.S. company websites. Nor does NSA target any user of global Internet services without appropriate legal authority. Reports of indiscriminate computer exploitation operations are simply false.

Mark Zuckerberg's passive-aggressive message to Obama would indicate that certain "U.S. company websites" are not buying the NSA's explanation. Either that or coordinated public relations efforts between Washington D.C. and Silicon Valley are going flawlessly.

To contact the author of this post, please email nitasha@gawker.com.
