IP Over Avian Carriers, NSA Edition

If the NSA has been hacking everything, how has nobody seen them coming?

As the Snowden leaks continue to dribble out, it has become increasingly obvious that most nations planning for "cyber-war" have been merely sharpening knives for what looks like an almighty gunfight. We have to ask ourselves a few tough questions, the biggest of which just might be:

"If the NSA was owning everything in sight (and by all accounts they have) then how is it that nobody ever spotted them?" [...]

We think that the following reasons help to explain how this mass exploitation remained under the radar for so long:

  1. Amazing adherence to classification/secrecy oaths;
  2. You thought they were someone else;
  3. You were looking at the wrong level;
  4. Some beautiful misdirection;
  5. They were playing chess & you were playing checkers;
  6. Your "experts" failed you miserably.

This part is kind of amazing:

We see the use of an entire new protocol, called FASHIONCLEFT to effectively copy traffic off a network, attach metadata to it, then hide the packet within another packet allowed to exfil the targeted network.

Tunnelling one type of traffic over another is not novel (although a 27 page interface control document for the protocol is cool) but this still leaves open the possibility that you would see victim_machine talking to HOST_X in Europe. This is where passive collection comes in..

This is beautiful! So the data is munged into any packet that is likely to make it out of the network, and is then directed past a passive collector. This means that we cant rely on the host the data was sent to for attribution, and even if we did completely own the last hop, to see who shows up to grab the data, we would be watching in vain, because the deed was done when the packets traversed a network 3 hops ago.

This really is an elegant solution and a beautiful sleight of hand. With the NSA controlling tens of thousands of passive hosts scattered around the Internet, good luck ever finding that smoking gun!

So basically FASHIONCLEFT is IP Over Avian Carriers, NSA Edition.

It's a protocol for encapsulating hashed, possibly encrypted, packets from other protocols inside a completely different protocol: you allow outbound ssh (let's say) so it dumps your internal network traffic onto the end of legitimate ssh packets that were on their way out anyway! I'm not entirely clear on whether this encapsulation is happening at the transport layer (munging TCP packets) or the session layer (munging in protocol-specific ways, like MPEG frames or something).

Those packets can be going anywhere and NSA will still be able to see them all because they own the midpoint routers, passively inspecting packets during transit. They're using existing connections as dead-drops, but the payload is copied before it even makes it to the drop.

And it's probably your BIOS that's doing this. Good times.

Previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously.

Tags: , , , , ,

  • Previously