Threat Intelligence

MonsterMind, HACIENDA: How Intelligence is Threatening “Our” Cyberspace

August 26, 2014 by Pierluigi Paganini

Five Eyes and more

In the last twelve months, whistleblower Edward Snowden has revealed to the public how invasive is the cyber strategy of the US government and its cyber allies, Canada, the UK, Australia, and New Zealand.

These governments have an intense cooperation in signals intelligence, also known as SIGINT, the discipline that refers to the intelligence-gathering by interception of signals. The US National Security Agency and the British GCHQ Agency, according the documents leaked by the former NSA consultant, have developed powerful cyber capabilities that allow them to spy on every individual on every communication channel.

Their operations have influenced the choices of respective governments; the information collected by their appliances has been gathered with stealth cyber attacks conducted by the elite hacking units of the intelligence agencies.

The reality is that not only the Five Eyes are “militarizing” cyberspace. Principal governments are investing to increase their cyber capabilities. Russia, Iran and North Korea are probably the states that most of all scare the West in this sense.

The dispute in cyberspace is totally changing the way governments approach each other. The new battlefield has no boundaries and the operations are “instantaneous”. For this reason, governments are designing new systems that are able to analyze events in real time.

Governments are increasing their interest in concepts like proactive defense, the possibility to adopt automated systems that are able to respond incoming cyber attacks against national infrastructures.

All these changes are silently influencing our digital life. New malware are spread in the wild daily, infecting millions of devices. As explained by Chris Soghoian, principal technologist with the American Civil Liberties Union, during the last TrustyCon conference, there is the concrete possibility that governments will exploit automated update services to serve malware and spy on users.

What does it mean for Internet users?

It means that Intelligence agencies could infect systems, serving malicious code that masquerades as application updates, instead to exploit consolidated techniques like phishing and watering hole attacks.

If you believe that a similar technique is not feasible, you are wrong. The update process for Microsoft applications was already exploited for state-sponsored attacks like the Flame campaign. In that case, attackers used a sophisticated “collision attack” to forge a Microsoft digital certificate and digitally sign the updates.

“The FBI is in the hacking business. The FBI is in the malware business … The FBI may need more than these two tools to deliver malware. They may need something else and this is where my concern is. This is where we are going and why I’m so worried about trust,” Soghoian said.

Governments could potentially use the update service offered by almost every software provider for its products, but there are possible side effects to seriously consider:

  • Loss of the trust users have in the services.
  • Potentially a bad actor could exploit the same process to infect victims on a large scale.

“There are really sound security reasons why we want automatic security updates. If consumers have to do work to get updates, they won’t, and they will stay vulnerable … What that means though is giving companies root on our computers—and we really don’t know what’s in the code after fact. This is a point of leverage the government can use. We have no evidence they are using it right now, but these companies have a position of power over our devices that is unparalleled,” Soghoian said.

Another element to analyze is the support offered by private companies, like ISPs, to governments that could advantage such attacks.

Soghoian cautioned that the government could take advantage of existing features in large consumer solutions. He mentioned a rescue feature implemented for Google Android phone locks where if a user fails on their pattern to unlock their phone, Android gives the possibility to unlock the device anyway. Soghoian confirmed that the US government has requested to Google the password resets for specific handsets in order to access their accounts or devices.

TAO and JTRIG, the elite hacking units that are trying to control the web

Snowden revelations have provided interesting details on the surveillance activities of the NSA and GCHQ. In particular, the whistleblower explained the existence of similar elite hacking units involved in large scale hacking campaigns and cyber espionage operations. The units are respectively the TAO for the NSA and the JTRIG for the British intelligence.

The German news agency Der Spiegel published the internal NSA catalog, which includes a wide range of appliances and spy backdoors that allow US intelligence to compromise a wide range of equipment from major vendors.

The catalog includes the backdoor for hard drives from Western Digital, Seagate, Maxtor and Samsung, for Juniper Networks firewalls, networking appliances from Cisco and Huawei, and unspecified equipment from Dell.

The backdoors appear to be the result of highly sophisticated hacking and cracking operations conducted by the NSA. All the products offered are designed by the Advanced/Access Network Technology (ANT) division of the NSA’s Tailored Access Operations (TAO) elite hacker unit.

The catalog includes implants for BIOS firmware of targeted systems, base stations for fooling mobile networks and cellphones ($40,000), bugs disguised as USB plugs ($20,000) and also cheaper rigged monitor cables for spying on targets’ monitors.

The TAO unit is specialized in hacking activities. According to the documents disclosed by Snowden, it manages a hacking platform, codenamed FoxAcid, which was used to infiltrate more than 50,000 foreign networks with malware based attacks. The TAO hacking team apparently has supported the British intelligence in the cyber attack on Belgacom.

What’s going on with British intelligence?

JTRIG is the secret unit mentioned for the first time in a collection of documents leaked by Snowden which describe the Rolling Thunder operation. The group ran a DoS attack against chatrooms used by hacktivists belonging to groups like Anonymous. The JTRIG unit of the British GCHQ intelligence agency has apparently a structure like TAO, and like the US hacking unit, it has designed its own collection of applications that were used in hacking activities and for Internet deception and surveillance. Also in the case of JTRIG, the existence of the tools was revealed by the a collection of documents leaked by Edward Snowden. The applications were created by GCHQ’s Joint Threat Research Intelligence Group (JTRIG) and are considered one of the most advanced systems for propaganda and Internet deception.

A post published The Intercept referenced a top-secret GCHQ document called “JTRIG Tools and Techniques” which details the operations and the techniques used by JTRIG. The presentation was created with the purpose of sharing information on the “weaponised capability” of the team with other units of the GCHQ.

Several tools designed by JTRIG are introduced as “in development,” but many of them are “fully operational, tested and reliable.”

“We only advertise tools here that are either ready to fire or very close to being ready,” reports the presentation.

The document is reserved for internal use. It provides to the GCHG agents information on surveillance and online deception activities which can be conducted by the intelligence agency.

“The page indicates that it was last modified in July 2012, and had been accessed almost 20,000 times.”

Figure – JTRIG catalog

The presentation details the list of tools designed by JTRIG which were used for Internet surveillance and also for PSYOPs by manipulating and distorting online political discourse and disseminating state propaganda.

As reported in the post, the list of JTRIG capabilities includes:

  • “Change outcome of online polls” (UNDERPASS)
  • “Mass delivery of email messaging to support an Information Operations campaign” (BADGER) and “mass delivery of SMS messages to support an Information Operations campaign” (WARPARTH)
  • “Disruption of video-based websites hosting extremist content through concerted target discovery and content removal.” (SILVERLORD)
  • “Active Skype capability. Provision of real time call records (SkypeOut and SkypetoSkype) and bidirectional instant messaging. Also contact lists.” (MINIATURE HERO)
  • “Find private photographs of targets on Facebook” (SPRING BISHOP)
  • “A tool that will permanently disable a target’s account on their computer” (ANGRY PIRATE)
  • “Ability to artificially increase traffic to a website” (GATEWAY) and “ability to inflate page views on websites” (SLIPSTREAM)
  • “Amplification of a given message, normally video, on popular multimedia websites (Youtube)” (GESTATOR)
  • “Targeted Denial Of Service against Web Servers” (PREDATORS FACE) and “Distributed denial of service using P2P. Built by ICTR, deployed by JTRIG” (ROLLING THUNDER)
  • “A suite of tools for monitoring target use of the UK auction site eBay (” (ELATE)
  • “Ability to spoof any email address and send email under that identity” (CHANGELING)
  • “For connecting two target phones together in a call” (IMPERIAL BARGE)

Both agencies, the NSA and GCHQ, involved respectively the TAO unit and the JTRIG team to tap major undersea cables analyzing bulk Internet traffic. British units conducted the Tempora Operation, a massive tapping program conducted by the Government Communications Headquarters (GCHQ), while the NSA succeeded to tap principal cable systems including the “SEA-ME-WE-4″:

“One document labeled ‘top secret’ and ‘not for foreigners’ describes the NSA’s success in spying on the ‘SEA-ME-WE-4’ cable system. This massive underwater cable bundle connects Europe with North Africa and the Gulf states and then continues on through Pakistan and India, all the way to Malaysia and Thailand. The cable system originates in southern France, near Marseille. Among the companies that hold ownership stakes in it are France Telecom, now known as Orange and still partly government-owned, and Telecom Italia Sparkle.

“The document proudly announces that, on Feb. 13, 2013, TAO ‘successfully collected network management information for the SEA-Me-We Undersea Cable Systems (SMW-4).’ With the help of a ‘website masquerade operation,’ the agency was able to ‘gain access to the consortium’s management website and collected Layer 2 network information that shows the circuit mapping for significant portions of the network’,” reveals Der Spiegel.

NSA accidentally caused the 2012 Syrian Internet blackout

The last revelation of Snowden has disconcerted the intelligence community. Two years ago, Syria suffered a major Internet blackout. The entire country was disconnected from the Internet for three days. Security experts attributed the responsibility for the Internet blackout to the Syrian government that is facing an ongoing civil war.

Figure – Syria Blackout 2012

The Syrian government denied to have disconnected the country from the Internet, blaming terrorists for an attack on the internal backbone. Snowden revealed that the Internet Blackout in Syria was caused by the National Security Agency. In an interview with Wired magazine, Snowden confirmed that the Internet blackout was caused accidentally by the hackers of the NSA belonging to the elite unit known as the Tailored Access Operations (TAO). The TAO team was attempting to infiltrate the country’s connection to the Internet to spy on the internal traffic.

The TAO unit had allegedly been attempting to hack the router of Syria’s main Internet service provider, injecting a malware that would have allowed the NSA to redirect traffic through systems eavesdropped with the NSA Turmoil monitoring system and the Xkeyscore packet processing system.

Presuming the NSA was attempting to compromise the country’s Internet to spy on Syrian individuals of interest, in reality they succeeded in the attack, but as a side effect the country disconnected from the Internet.

Snowden described the incident as an “oh shit” moment at the Tailored Access Operations center, because the US intelligence feared that its operation would be uncovered by the Syrian government. The TAO unit was trying to cover its operation by restoring the Internet connection and repairing the router.

“Fortunately for the NSA, the Syrians were apparently more focused on restoring the nation’s Internet than on tracking down the cause of the outage,” Bamford wrote.

At the time of this writing, the NSA did not release official comment to the declaration, but if confirmed, the incident shows how a hacking operation could be conducted on a large scale by the government elite units of hackers.

MonsterMind and Hacienda … last revelation on intelligence activities

In a recent interview, Edward Snowden discussed the risks related to the adoption of a proactive defense, the possibility to respond instantaneously and in an automated manner to a cyber attack. The whistleblower revealed that the US government is developing a system with such capabilities, codenamed as MonsterMind, that is able to automatically reply to cyber attacks against the US infrastructures. These kind of military solutions could have a significant impact on the cyberspace as we will see soon, the principal question is:

“Is this kind of system reliable?”

As can any other system, they can fail in the identification of the source of attacks. A wrong attribution could cause serious problems for intermediate nations, those countries that host compromised systems used in the offensive or that host computers whose IPs have been spoofed by bad actors.

“The NSA whistleblower says the agency is developing a cyber defense system that would instantly and autonomously neutralize foreign cyberattacks against the US, and could be used to launch retaliatory strikes as well. The program, called MonsterMind, raises fresh concerns about privacy and the government’s policies around offensive digital attacks,” states Wired Magazine.

Imagine that Russia decides to run a DDoS attack against US systems, but that its cyber army is able to spoof the origin IP address of a different country or to route through infrastructure of an intermediate country the malicious traffic. Then a retaliatory automated attack could hit the wrong state rather than Russian networks.

As explained by Snowden in his latest interview with Wired, MonsterMind could compromise countries involved in the attack.

“These attacks can be spoofed … You could have someone sitting in China, for example, making it appear that one of these attacks is originating in Russia. And then we end up shooting back at a Russian hospital. What happens next?” said Snowden.

The problem of attribution isn’t the only problem related to the deployment of MonsterMind. An automatic system like it needs to receive in input a significant amount of data, including network traffic of all private communications coming into the US. To fuel proactive defense systems with such kind of data represents a menace for the privacy of US citizens. MonsterMind needs this information to efficiently discriminate normal network traffic from anomalous or malicious traffic.

“If we’re analyzing all traffic flows, that means we have to be intercepting all traffic flows. That means violating the Fourth Amendment, seizing private communications without a warrant, without probable cause or even a suspicion of wrongdoing. For everyone, all the time,” he added.

Cryptographer Matt Blaze, an associate professor of computer science at the University of Pennsylvania, said that the algorithm which is implemented by the automated scanning system Snowden describes is similar to the ones on which are based the Einstein 2 (. pdf) and Einstein 3 (. pdf) programs developed by the government. Both use network sensors to identify malicious attacks.

Also in this case, the US government avoided commenting on Snowden’s revelation on MonsterMind.

If the adoption of MonsterMind is a threat to security and privacy of Internet users, operations conducted by British intelligence are equally aggressive and dangerous.

In the last years the British GCHQ has conducted numerous hacking operations against systems in 27 countries. Through a massive port scanning the intelligence agency was searching for vulnerabilities to exploit in cyber attacks.

The GCHQ targeted several type of services, including FTP, as well as common administrative protocols such as SSH (Secure Shell protocol – used for remote access to systems) and SNMP (Simple Network Management Protocol – used for network administration).

Figure -Hacienda Program

The existence of the HACIENDA program was revealed by the German publisher Heise. The program is related to a large-scale scan of open ports of all servers connected to the Internet with the purpose of discovering vulnerabilities to exploit.

“The process of scanning entire countries and looking for vulnerable network infrastructure to exploit is consistent with the meta-goal of ‘Mastering the Internet‘, which is also the name of a GCHQ cable-tapping program: these spy agencies try to attack every possible system they can, presumably as it might provide access to further systems. Systems may be attacked simply because they might eventually create a path towards a valuable espionage target, even without actionable information indicating this will ever be the case.

“Using this logic, every device is a target for colonisation, as each successfully exploited target is theoretically useful as a means to infiltrating another possible target,” statesthe report on the HACIENDA program.

As explained by the experts, the data collected by HACIENDA is shared by the GCHQ with other intelligence agencies of the Five Eyes.

The article states that scanning activities of HACIENDA program are conducted with popular software like Nmap and Zmap. The most common scan mode used by hackers of the GCHQ is the TCP Stealth.

“In 2013, a port scanner called Zmap was implemented that can scan the entire IPv4 address space in less than one hour using a single PC. [3] The massive use of this technology can thus make any server anywhere, large or small, a target for criminal state computer saboteurs,” states the report on HACIENDA program.

The news is not surprising, Intelligence agencies fuel their database with any kind of data related to systems exposed on the Internet.

“Five Eyes have their own non-public Shodan and they are using it,” said the security expert the Grugq.

It is obvious that state-sponsored hackers adopt tools considered fundamental in the hacking community, and it is important to highlight the wide scale of programs like HACIENDA.

Militarization of cyberspace … the greatest danger

Almost every government is exerting great effort to improve its cyber capabilities. Every day state-sponsored hackers operate undercover to spy on foreign governments or to hack systems of other countries.

Government entities and intelligence agencies are making a huge effort to create a new cyber weapon able to hit enemies in cyberspace in case of attack.

Countries like China, Russia, US and Israel are probably most advanced in the development of cyber weapons. Stuxnet was the first malware designed with the specific intent to hit critical infrastructure of a hostile government like Iran.

Every malware in the wild could be reverse engineered by bad actors and used against the population or private entities for espionage or sabotage. In the case of Stuxnet, for example, it was hard to modify the code related to the attack against industrial SCADA control systems, but anyway the malware could be adapted to send malicious commands to an infected industrial plant that could cause serious damages.

These agents are very effective and adopt complex techniques to deceive victim systems. The Flame malware for example used a false Windows Update system to spread itself, but malware authors were able to sign malicious code to allow target infection without raising suspects.

Another element to consider seriously is that exploits used by government could be reused for a long time by threat actors. Once again the militarization of the cyberspace has serious consequences on Internet users, even if the malware was spread many years ago. It is the same for the Stuxnet malware. One of the main vulnerabilities exploited by the malicious code (CVE-2010-2568), and patched four years ago, is still being used in cyber attacks targeting millions of computers worldwide.

Microsoft issued a security patch on August 2nd, 2010, meanwhile Stuxnet was first discovered in June 2010.

The flaw still exploited by bad actors is a Windows Shell vulnerability, which allows a remote or local attacker to run code via a malicious .LNK or .PIF file via an improperly handled icon displayed in Windows Explorer.

Experts at Kaspersky Lab discovered that in the period between November 2013 and June 2014, the Windows Shell vulnerability (CVE-2010-2568) exploited by Stuxnet was detected 50 million times, targeting nearly 19 million machines all over the world. A report issued by Kaspersky provided interesting data on the abuse of this exploit worldwide. Vietnam (42.45%), India (11.7%) and Indonesia (9.43%) are the countries with higher number of CVE-2010-2568 exploits detections.

Figure – CVE-2010-2568 exploits detections (Kaspersky)

The above countries are characterized by a large diffusion of the Windows XP OS, so it’s not surprising that they were targeted by bad actors who are trying to exploit the flaw to gain administrative rights on a Windows machine remotely. As expected, the exploits mainly targeted Windows machine.

Such a high number of attacks is caused by the presence of a great number of servers that aren’t updated or that lack proper defensive solutions. The presence of government malware in the wild represents a serious threat to such systems, which in many cases are deployed in countries with limited resources to invest in cyber security and defensive systems.

The fact that old vulnerabilities are still exploited in numerous attacks highlights the importance of patch management. Cyber criminals and state-sponsored hackers are aware that these exploits are effective, even though years have passed since the disclosure.

Unfortunately, the diffusion of such complex malware in cyberspace could have serious effects for a long time. Consider that exploitation of zero-day flaw seems to be a prerogative of state-sponsored hackers … no matter if you are a government agency or a simple Internet user, the diffusion of such malware will impact you for a long time.

Anther issue to consider is that government malware could be intentionally spread with secret support of security firms. Many experts speculated that in some cases, the anti-virus companies have not prevented the spread of malware because they agreed with the governments.

The Dutch campaign group called Bits of Freedom invited principal antivirus vendors to reveal any request to whitelist some kinds of malware being designed by the government. If antivirus companies are whitelisting state malware, there will be the concrete risk that government-built malware and cyber weapons will run out of control.


The operations conducted by the numerous intelligence agencies are interfering with the user’s Internet experience. The cases described demonstrate that this interference is invasive. Let’s consider the effects of cyber espionage, which can have devastating effects on the targeted systems.

We have considered direct consequences of the operations conducted by governments, but the side effects are equally dangerous. Government-built malware could be reverse engineered by threat actors and used to hit systems worldwide. Usually this process allows the malware to evolve because bad actors improve it with new features.

I believe that it is impossible to define a global cyber regulation that will be accepted by any government, so it is impossible to imagine mitigation strategies against these threats and their effects … for sure it’s time to consider cyber security seriously and adopt a layered approach to preserve our systems.



Kaspersky revealed that Stuxnet Exploits is still used worldwide

MonsterMind – Snowden reveals the US proactive defense system

Posted: August 26, 2014
Pierluigi Paganini
View Profile

Pierluigi is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.