The Office of Tailored Access Operations (TAO), structured as S32, is a cyber-warfare intelligence-gathering unit of the National Security Agency (NSA). It has been active since at least 1998, possibly 1997, but was not named or structured as TAO until "the last days of 2000," according to General Michael Hayden. TAO identifies, monitors, infiltrates, and gathers intelligence on computer systems being used by entities foreign to the United States.


History

TAO is reportedly "the largest and arguably the most important component of the NSA's huge Signals Intelligence Directorate (SID), consisting of more than 1,000 military and civilian computer hackers, intelligence analysts, targeting specialists, computer hardware and software designers, and electrical engineers." The office is currently known as the Office of Computer Network Operations (OCNO).


Snowden leak

A document leaked by former NSA contractor Edward Snowden describing the unit's work says TAO has software templates allowing it to break into commonly used hardware, including "routers, switches, and firewalls from multiple product vendor lines". TAO engineers prefer to tap networks rather than isolated computers, because there are typically many devices on a single network.


Organization

TAO's headquarters are termed the ''Remote Operations Center'' (ROC) and are based at the NSA headquarters at Fort Meade, Maryland. TAO also has expanded to NSA Hawaii (Wahiawa, Oahu), NSA Georgia (Fort Eisenhower, Georgia), NSA Texas (Joint Base San Antonio, Texas), and NSA Colorado (Buckley Space Force Base, Denver).

* S321 – Remote Operations Center (ROC): in the Remote Operations Center, 600 employees gather information from around the world.
* S323 – Data Network Technologies Branch (DNT): develops automated spyware
** S3231 – Access Division (ACD)
** S3232 – Cyber Networks Technology Division (CNT)
** S3233 –
** S3234 – Computer Technology Division (CTD)
** S3235 – Network Technology Division (NTD)
* Telecommunications Network Technologies Branch (TNT): improves network and computer hacking methods
* Mission Infrastructure Technologies Branch: operates the software provided above
* S328 – Access Technologies Operations Branch (ATO): reportedly includes personnel seconded by the CIA and the FBI, who perform what are described as "off-net operations", which means they arrange for CIA agents to surreptitiously plant eavesdropping devices on computers and telecommunications systems overseas so that TAO's hackers may remotely access them from Fort Meade. Specially equipped submarines, currently the USS ''Jimmy Carter'', are used to wiretap fibre optic cables around the globe.
** S3283 – Expeditionary Access Operations (EAO)
** S3285 – Persistence Division


Virtual locations

Details on a program titled QUANTUMSQUIRREL indicate an NSA ability to masquerade as any routable IPv4 or IPv6 host. Using QUANTUMSQUIRREL, an NSA computer can present a false geographical location and false personal identification credentials when accessing the Internet.


Leadership

From 2013 to 2017, the head of TAO was Rob Joyce, a 25-plus-year employee who previously worked in the NSA's Information Assurance Directorate (IAD). In January 2016, Joyce made a rare public appearance when he gave a presentation at USENIX's Enigma conference.


NSA ANT catalog

The NSA ANT catalog is a 50-page classified document listing technology available to the United States National Security Agency (NSA) Tailored Access Operations (TAO) by the Advanced Network Technology (ANT) Division to aid in cyber surveillance. Most devices are described as already operational and available to US nationals and members of the Five Eyes alliance. According to ''Der Spiegel'', which released the catalog to the public on December 30, 2013, "The list reads like a mail-order catalog, one from which other NSA employees can order technologies from the ANT division for tapping their targets' data." The document was created in 2008.

Security researcher Jacob Appelbaum gave a speech at the Chaos Communications Congress in Hamburg, Germany, in which he detailed techniques that the simultaneously published ''Der Spiegel'' article he coauthored disclosed from the catalog.


QUANTUM attacks

The TAO has developed an attack suite they call QUANTUM. It relies on a compromised router that duplicates internet traffic, typically HTTP requests, so that they go both to the intended target and to an NSA site (indirectly). The NSA site runs FOXACID software which sends back exploits that load in the background in the target web browser before the intended destination has had a chance to respond (it's unclear if the compromised router facilitates this race on the return trip). Prior to the development of this technology, FOXACID software made spear-phishing attacks the NSA referred to as spam. If the browser is exploitable, further permanent "implants" (rootkits etc.) are deployed in the target computer, e.g. OLYMPUSFIRE for Windows, which gives complete remote access to the infected machine. This type of attack is part of the man-in-the-middle attack family, though more specifically it is called a man-on-the-side attack. It is difficult to pull off without controlling some of the Internet backbone.

There are numerous services that FOXACID can exploit this way. The names of some FOXACID modules are given below:

* alibabaForumUser
* doubleclickID
* rocketmail
* hi5
* HotmailID
* LinkedIn
* mailruid
* msnMailToken64
* Tencent QQ
* Facebook
* Twitter
* Yahoo
* Gmail
* YouTube

By collaboration with the British Government Communications Headquarters (GCHQ) (MUSCULAR), Google services could be attacked too, including Gmail. Finding machines that are exploitable and worth attacking is done using analytic databases such as XKeyscore. A specific method of finding vulnerable machines is interception of Windows Error Reporting traffic, which is logged into XKeyscore.

QUANTUM attacks launched from NSA sites can be too slow for some combinations of targets and services, as they essentially try to exploit a race condition, i.e. the NSA server is trying to beat the legitimate server with its response. As of mid-2011, the NSA was prototyping a capability codenamed QFIRE, which involved embedding their exploit-dispensing servers in virtual machines (running on VMware ESX) hosted closer to the target, in the so-called Special Collection Sites (SCS) network worldwide. The goal of QFIRE was to lower the latency of the spoofed response, thus increasing the probability of success.

COMMENDEER is used to commandeer (i.e. compromise) untargeted computer systems. The software is used as a part of QUANTUMNATION, which also includes the software vulnerability scanner VALIDATOR. The tool was first described at the 2014 Chaos Communication Congress by Jacob Appelbaum, who characterized it as tyrannical. QUANTUMCOOKIE is a more complex form of attack which can be used against Tor users.
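The race described above, and the trace it leaves for a defender, as an added example that is not from the article or from any of the documents it cites. It models nothing about real NSA tooling: the addresses (documentation ranges), sequence numbers, TTL values, latencies and HTTP payloads are all constructed sample data, and the detector implements the generic passive-sensor heuristic for man-on-the-side injection (two segments in one flow with the same sequence number but different payloads), which is an assumption of this example rather than something the article states.

```python
"""
Added example (not from the article or from any document it cites): a minimal
model of the man-on-the-side race described above, plus the defender-side check
that the race leaves behind. Every packet, address and latency here is
constructed sample data.

The client's TCP stack accepts the first segment it receives for a given
sequence number; a later segment with the same sequence number is treated as
a retransmission and discarded. The forged response therefore wins only if it
arrives first (which is why lowering its latency, as QFIRE was meant to do,
raises the success rate). The legitimate segment still arrives afterwards, so a
passive sensor sees two segments in one flow with the same sequence number but
different payloads (and usually a different IP TTL, since they took different
paths). That is the generic detection heuristic implemented below.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class Segment:
    flow: Flow
    seq: int
    ttl: int
    payload: bytes
    arrival_ms: float   # when the client (and the sensor in front of it) sees it


def deliver_responses(responses: List[Segment]) -> Dict[Tuple[Flow, int], Segment]:
    """Model the client's TCP stack: for each (flow, seq) keep the first
    segment to arrive; any later duplicate is dropped as a retransmission."""
    accepted: Dict[Tuple[Flow, int], Segment] = {}
    for seg in sorted(responses, key=lambda s: s.arrival_ms):
        accepted.setdefault((seg.flow, seg.seq), seg)
    return accepted


@dataclass
class DuplicateSeqDetector:
    """Passive-sensor logic: remember the first payload seen per (flow, seq).
    A second segment with the same seq but a different payload is an
    injection candidate; same seq with the same payload is a normal retransmit."""
    seen: Dict[Tuple[Flow, int], Segment] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def observe(self, seg: Segment) -> Optional[str]:
        key = (seg.flow, seg.seq)
        first = self.seen.setdefault(key, seg)
        if first is seg or first.payload == seg.payload:
            return None
        alert = (f"possible injection in flow {seg.flow} seq={seg.seq}: "
                 f"ttl {first.ttl} vs {seg.ttl}, payload differs "
                 f"({len(first.payload)}B vs {len(seg.payload)}B)")
        self.alerts.append(alert)
        return alert


# Constructed sample flow (documentation-range addresses), server -> client.
SERVER_TO_CLIENT: Flow = ("198.51.100.7", 80, "203.0.113.10", 51234)


def sample_responses(injector_latency_ms: float,
                     legit_latency_ms: float = 120.0) -> Tuple[Segment, Segment]:
    """Two answers to one request: the real server's page and a forged
    redirect from an on-path injector, both claiming the same TCP seq."""
    legit = Segment(SERVER_TO_CLIENT, seq=1000, ttl=52, arrival_ms=legit_latency_ms,
                    payload=b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                            b"<html>real page</html>")
    injected = Segment(SERVER_TO_CLIENT, seq=1000, ttl=61, arrival_ms=injector_latency_ms,
                       payload=b"HTTP/1.1 302 Found\r\n"
                               b"Location: http://injected.example/\r\n\r\n")
    return legit, injected


def run_sample(injector_latency_ms: float) -> dict:
    """Play the race at one injector latency and run the sensor over the
    same segments. Returns which response the client accepted and the alerts."""
    legit, injected = sample_responses(injector_latency_ms)
    accepted = deliver_responses([legit, injected])[(SERVER_TO_CLIENT, 1000)]
    detector = DuplicateSeqDetector()
    for seg in sorted([legit, injected], key=lambda s: s.arrival_ms):
        detector.observe(seg)
    return {"winner": "injected" if accepted is injected else "legitimate",
            "alerts": detector.alerts}


if __name__ == "__main__":
    for latency in (40.0, 200.0):   # injector faster / slower than the real server
        result = run_sample(latency)
        print(f"injector latency {latency:.0f} ms -> client got {result['winner']} "
              f"response; {len(result['alerts'])} sensor alert(s)")
        for a in result["alerts"]:
            print("  ", a)
```

The point worth noticing is that the sensor fires in both runs: whether or not the forged segment won the race at the client, the legitimate server's answer still arrives and collides with it, so the injection is observable on the wire even when it succeeded. In a real deployment the same comparison would be made on captured traffic keyed by the TCP 4-tuple and sequence number, with the TTL difference as corroborating evidence rather than the trigger.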


Targets and collaborations

Suspected, alleged and confirmed targets of the Tailored Access Operations unit include national and international entities like China, Northwestern Polytechnical University, OPEC, and Mexico's Secretariat of Public Security. The group has also targeted global communication networks via SEA-ME-WE 4 – an optical fibre submarine communications cable system that carries telecommunications between Singapore, Malaysia, Thailand, Bangladesh, India, Sri Lanka, Pakistan, United Arab Emirates, Saudi Arabia, Sudan, Egypt, Italy, Tunisia, Algeria and France. Additionally, Försvarets radioanstalt (FRA) in Sweden gives access to fiber optic links for QUANTUM cooperation.

TAO's QUANTUM INSERT technology was passed to UK services, particularly to GCHQ's MyNOC, which used it to target Belgacom and GPRS roaming exchange (GRX) providers like Comfone, Syniverse, and Starhome. Belgacom, which provides services to the European Commission, the European Parliament and the European Council, discovered the attack.

In concert with the CIA and FBI, TAO is used to intercept laptops purchased online, divert them to secret warehouses where spyware and hardware are installed, and send them on to customers. TAO has also targeted Tor and Firefox.

According to a 2013 article in ''Foreign Policy'', TAO has become "increasingly accomplished at its mission, thanks in part to the high-level cooperation it secretly receives from the 'big three' American telecom companies (AT&T, Verizon and Sprint), most of the large US-based Internet service providers, and many of the top computer security software manufacturers and consulting companies." A 2012 TAO budget document claims that these companies, at TAO's behest, "insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communications devices used by targets". A number of US companies, including Cisco and Dell, have subsequently made public statements denying that they insert such back doors into their products.

Microsoft provides advance warning to the NSA of vulnerabilities it knows about, before fixes or information about these vulnerabilities are available to the public; this enables TAO to execute so-called zero-day attacks. A Microsoft official who declined to be identified in the press confirmed that this is indeed the case, but said that Microsoft cannot be held responsible for how the NSA uses this advance information.


See also

* Advanced persistent threat
* Cyberwarfare in the United States
* Equation Group
* Magic Lantern (software)
* MiniPanzer and MegaPanzer
* PLA Unit 61398
* Stuxnet
* Syrian Electronic Army
* Unit 8200
* WARRIOR PRIDE


External links

* Inside TAO: Documents Reveal Top NSA Hacking Unit
* NSA 'hacking unit' infiltrates computers around the world – report
* NSA Tailored Access Operations
* NSA Laughs at PCs, Prefers Hacking Routers and Switches
* Getting the 'Ungettable' Intelligence: An Interview with TAO's Teresa Shea