NSA Has Been Hijacking the Botnets of Other Hackers

NSA slide via The Intercept

The NSA doesn’t just hack foreign computers. It also piggybacks on the work of professional for-profit hackers, taking over entire networks of already-hacked machines and using them for their own purposes.
That’s one of the surprising details to emerge from the latest Edward Snowden leaks.
The big disclosure in today’s story from The Intercept is that the NSA, by July 2010, had built a system called TURBINE designed to scale up its sophisticated computer-hacking operations. The NSA has infected between 85,000 and 100,000 machines with “implants,” according to previous Snowden stories. With TURBINE as its new command-and-control platform, the NSA can potentially boost that to handle “millions of implants” at once.
TURBINE accomplishes that “by creating a system that does automated control implants by groups instead of individually.”
That’s exactly the solution the computer underground came up with over 10 years ago, when hackers faced an embarrassment of riches in the form of massive numbers of vulnerable Windows machines. Infecting thousands of machines was easy; controlling them in a coherent way wasn’t.
So black hat developers invented the “bot” – a type of malware that would silently join an IRC chat room controlled by the hacker. From there, the hacker could issue mass commands to all the hacked computers at once, or direct commands to a subset of them.
Large modern botnets can contain 2 million hacked machines, and are used for click fraud, denial of service attacks, password theft, bitcoin mining and other things.
It makes sense for the NSA to seize on a similar solution. What’s interesting is that the NSA isn’t just building its own botnet. Since August 2007 it’s had a program called QUANTUMBOT dedicated to taking over the command-and-control systems of existing, but idle, bots. One top secret slide describes the program as “highly successful” with “over 140,000 bots co-opted.”
It’s not clear what the NSA wants with 140,000 randomly infected machines. Hackers fight for control of each other’s botnets all the time – a good botnet can be rented out in the underground for cash money. But the NSA has plenty of money. Computer security researcher Nicholas Weaver theorizes the agency could use bot software as a “deniable implant” – if you find your computer slaved to a known hacker botnet, you’re not likely to suspect the most sophisticated intelligence agency in the world is behind it. At least, not until now.