Tech by VICE

How the NSA Hijacks Hacker Botnets for Spying

The secret program DEFIANTWARRIOR lets the agency piggyback on cyberattacks.

by Janus Rose
Jan 19 2015, 2:30pm

Image: ​NSA via Der Spiegel

The National Security Agency and its allies aren't just hacking and spying these days—they're also hacking and spying on other peoples' hacking and spying.

That's been the case since at least 2007, according to new top secret documents from Edward S​nowden's archive released by the German newspaper Der Spiegel over the weekend. In fact, the US spy agency and its Five Eyes surveillance partners—which include the UK, Canada, Australia, and New Zealand—have taken a keen interest in the victims of hackers and cybercriminals.

Take botnets, for example. Commonly used to send spam and commit credit card fraud, a botnet is essentially an army of malware-infected zombie computers, all carrying out the commands of a distant attacker without their owners' knowledge. If your computer gets "herded" into a botnet—often along with hundreds of thousands of other machines—criminals can covertly instruct it to steal your passwords, spread malware via phishing emails, or help take down websites with DDoS attacks, in which a server is overwhelmed with thousands of connections in rapid succession.

But for the NSA and its allies, botnet victims are just another tool to be used. According to the newly-released documents, the NSA has been commandeering other hackers' bots to serve its own goals, like sabotaging the computers of rival nation states or monitoring networks that exist beyond its already impressive reach.

A set of top secret slides shows that NSA's Tailored Access Operations unit hijacks botnets under a program called DEFIANTWARRIOR. The system uses previously disclosed spy tools like XKEYSCORE and TURBINE to identify, target and exploit victimized computers, directing them into a "bot prison" where an algorithm sorts them according to location. If the bot has a US IP address, control of the computer is forwarded to the FBI's Office of Victim Assistance. But if the computers belong to a foreign citizen or government outside the Five Eyes alliance, control is given to the NSA's elite hacking unit. From there, they're used as "vantage points" for spying—a way to exploit more machines with backdoors, and even "throw-away" nodes for mounting cyberattacks that can't be traced back to the spy agency.

the NSA recruiting unwitting members of criminal botnets is kind of crazy

That the NSA recruits unwitting members of criminal botnets is kind of crazy considering the resources authorities have put into taking th​e​se botnets down. It's also revealing that only American and non-Five Eyes IPs are treated as "victims," according to the Der Spiegel report, while everyone else is essentially re-victimized and initiated into the NSA's secret bot army.

But botnets are just one way the NSA has been riding on hackers' coattails. Several new documents from the Snowden archive describe what the agency calls "4th party collection," various strategies for snooping on cybercriminals and rival intelligence agencies—basically, spying on spying. The goal is to have other groups do the NSA's dirty work by turning their surveillance activities against them.

To illustrate the concept, a classified present​ation on 4th party collection is subtitled "I drink your milkshake," complete with clip-art of a milkshake and an extra-long straw—a reference to Daniel Day Lewis' meme-tastic​ monologue at the end of There Will Be Blood.

One particularly interesting strategy is "Victim Stealing / Sharing," which involves exploiting weaknesses in surveillance implants placed by other intelligence agencies to "either take control of the implant or replace it with our own." Not only does this give the NSA and its allies access to data from other countries' surveillance targets, it also lets them re-purpose their rivals' code and techniques; agents are encouraged to "steal their tools, tradecraft, targets and take."

All this meta-surveillance gets more than a little absurd: in a discussion thread, a NSA employee goes another layer down to give an example of "fifth p​arty access," which is when the NSA is spying on someone spying on someone who then begins spying on someone.

It seems a perfect example of how pervasive surveillance enables more of the same—like a house of mirrors, where vulnerabilities and danger seemingly go on forever—and the NSA seems to be having a grand old time of it.