SAN FRANCISCO, March 12 - While U.S. law
enforcement agencies have long tried to stamp out networks of
compromised computers used by cyber criminals, the National
Security Agency has been hijacking the so-called botnets as a
resource for spying.
The NSA has "co-opted" more than 140,000 computers since
August 2007 for the purpose of injecting them with spying
software, according to a slide leaked by former NSA contractor
Edward Snowden and published by The Intercept news website on
Wednesday.
Botnets are typically used by criminals to steal financial
information from infected machines, to relay spam messages, and
to conduct "denial-of-service" attacks against websites by
having all the computers try to connect simultaneously, thereby
overwhelming them.
In November, Federal Bureau of Investigation Director James
Comey told the Senate that botnets had "emerged as a global
cyber security threat" and that the agency had developed a
"comprehensive public-private approach to eliminate the most
significant botnet activity and increase the practical
consequences for those who use botnets for intellectual property
theft or other criminal activities."
According to the NSA slide published by The Intercept, one
technique the intelligence agency used was called QUANTUMBOT,
which "finds computers belonging to botnets, and hijacks the
command and control channel." The program was described as
"highly successful."
Reuters reported in May that U.S. agencies had tapped
botnets to harvest data from the machines' owners or to maintain
the ability to issue the infected computers new commands.
The slide leaked by Snowden is the first confirmation of the
practice, and underscores the complications for the NSA of
balancing its major mission of providing eavesdropping
capability with the less well-funded missions of protecting
critical national assets and assisting law enforcement.
The Top Secret slide was marked for distribution to the
"Five Eyes" intelligence alliance, which includes the United
States and Britain.
The NSA declined to confirm or deny the existence of the
program. It is not known if the botnets hijacked by the agency
were in other countries or in the United States, or if the
botnets could have been recaptured by criminals.
Many botnet operations disable the machines' security
software, leaving them vulnerable to new attacks by others.
In a written statement, an NSA spokeswoman said: "As the
President affirmed on 17 January, signals intelligence shall be
collected exclusively where there is a foreign intelligence or
counterintelligence purpose to support national and departmental
missions, and not for any other purposes.
"Moreover, Presidential Policy Directive 28 affirms that all
persons - regardless of nationality - have legitimate privacy
interests in the handling of their personal information, and
that privacy and civil liberties shall be integral
considerations in the planning of U.S. signals intelligence
activities."
The Intercept article and supporting slides showed that the
NSA had sought the means to automate the deployment of its tools
for capturing email, browsing history and other information in
order to reach as many as millions of machines.
It did not say whether such widespread efforts, which
included impersonating web pages belonging to Facebook Inc
and other companies, were limited to computers overseas.
If it did pursue U.S. computers, the NSA also could have
minimized information about those users.