QUANTUM and FOXACID; NSA:TAO MiTMing TOR Users

Bruce Schneier has recently published a series of articles on the ways that the users of the TOR network and others have been targeted with exploits by the NSA’s Tailored Access Operations group. He has also posted a full explanation on his blog. The attacks run generally as follows:

1. Through pervasive surveillance and traffic sharing agreements with telecommunications companies (under project code names such as Stormbrew, Fairview, Oakstar and Blarney) customer http traffic is collected.

2. Using data analysis tools with names like Turbulence, Turmoil and Tumult, connections leaving the TOR network’s exit nodes and connecting to other servers on the internet are found.

3. These individual connections are then exploited using a man-in-the-middle (MiTM) attack where servers positioned strategically around the world (a system called QUANTUM) respond and impersonate the server the TOR user is attempting to connect to. This works if the QUANTUM server is closer in physical distance to the TOR exit node than the exit node is to the TOR user’s target server, allowing the commands to reach there first. Ideally, nothing is noticed by the TOR user, as attacks of this nature can actually pass the user through to their originally intended server.

4. As needed, TOR users can be redirected by QUANTUM onto a different set of servers run by the Tailored Access Operations group, called FOXACID.

5. The FOXACID servers look like normal webpages, but if someone is directed to a specific tag url, the server executes specific exploits against the target user’s machine. Most of these exploits have targeted the Firefox browser, and often the specific version of the Firefox browser “bundled” with TOR by the TOR foundation. Phishing has also been used to induce users to click on FOXACID tags.  Once exploited, a trojan is downloaded to the target user’s machine, which then calls home to a separate subset of FOXACID servers, called FRUGALSHOT. The FRUGALSHOT servers perform more exploits as needed to ensure the integrity of the compromise and allow further monitoring of the target’s activities. The target’s real IP address (bypassing their TOR network connection) is also obtainable.

The bottom line is that a structured system has been revealed which subverts the anonymity provided by the TOR network by installing malicious programs onto the computers of users. While various Computer Network Effect operations have come into view and been theorized lately, the generally thought was often that these attacks would be targeted at nation states rather than used in a wholesale manner against users whose national affiliation is not known beforehand. Obviously any assumptions along those lines was wrongheaded, and the targeting of general populations of internet users with exploit code and trojans has received the blessing of the US Government.

There remain methods of preventing this kind of attack, however. The best way to avoid it would be to use tails, which installs TOR and a Browser bundle as a LiveCD/ LiveUSB that cannot be written to, preventing any trojan software from installing and/or calling home with your actual IP address.

Dan Gifford – MCySec Media Manager