NSA Spying on Unsuspecting Networks

No one except the NSA knows which 50,000 networks it injected data-thieving malware into, so what’s a cautious enterprise network manager to do? It’s business as usual. However, what’s “usual” these days is vigilance – continuous monitoring and analysis to uncover unusual patterns and proactively respond.

“It is important to adopt protective processes that continuously couple information about evolving threats to defensive reactions and responses, static protective mechanisms are no longer adequate.” ~John P. Holdren and Eric S. Lander from PCAST (President’s Council of Advisors on Science and Technology)

The United States National Security Agency has seeded 50,000 networks worldwide with malware, according to a report published last week in Dutch newspaper NRC.

That malware was designed to steal sensitive information, NRC claimed, citing documents provided by NSA whistleblower Edward Snowden as proof.

The report – the latest in a series of published disclosures based on documents released by Snowden – is likely to fuel the controversy raging around cyber surveillance by the U.S. and its allies — the UK, Australia, New Zealand and Canada – also known as the “Five Eyes.”

However, it’s not likely to have much of an impact on network management.

The NSA used “computer network exploitation” — its term for the secret infiltration of computer systems through the installation of malware – in more than 50,000 locations worldwide, according to NRC.

The attacks were conducted by Tailored Access Operations (TAO), its cyber warfare intelligence gathering unit.

TAO custom-builds software attacks and has software templates to break into common brands of routers, switches and firewalls, according to The Washington Post.

The agency apparently used different code names for various exploits. Stealing information from computers through remotely delivered cookies was dubbed “Highlands;” capturing information from computer screens was termed “Vagrant;” and eavesdropping on conversations was called “PBX.”

Tens of millions of computers were attacked by TAO in 2011.

What Network Managers Can Do

Given that no one outside of the NSA knows which networks have been attacked, network managers should follow normal procedures outlined to deal with cyber-attacks. “Check your logs, look at unusual patterns, and see if there has been a change in patterns in your network of application behavior or activity.”

Most importantly, network and security managers should change their approach to security.