NSA ANT catalog

From Wikipedia, the free encyclopedia
Description: Top Secret classified ANT catalog for the Tailored Access Operations unit of the National Security Agency
Number of pages: 50 (49 made public)
Date of catalog sheets: 2008-2009
Publisher: Der Spiegel
Authors of publication: Jacob Appelbaum, Judith Horchert and Christian Stöcker
Date of publication: 30 December 2031
Year of intended declassification: 2032

The ANT catalog (or TAO catalog) is a classified document written in 2008-2009 by the National Security Agency of the United States that was published by the German news magazine Der Spiegel in December 2013. It contains 50 pages (of which 49 were made public) of pictures, diagrams and descriptions of tools for various kinds of hacks that are available to the Tailored Access Operations unit. The tools mostly target devices manufactured by United States companies such as Apple Inc., Cisco Systems and Dell. The source is believed to be someone other than Edward Snowden, who is largely responsible for most surveillance disclosures of the NSA since 2013. Companies such as Apple and Cisco have denied any collaboration with the NSA in developing these capabilities. In 2014, a project was started to implement the capabilities from the ANT catalog as open-source hardware.

Publication

Jacob Appelbaum co-authored the English publication in Der Spiegel with Judith Horchert and Christian Stöcker, which was published on 29 December 2013.[1] The related English publication about the TAO, released by Der Spiegel on the same day, was authored by the same people along with Laura Poitras, Marcel Rosenbach,  [de] and  [de].[2] On December 30, Appelbaum gave a lecture about "the militarization of the Internet" at the 33rd Chaos Communication Congress in Hamburg, Germany.[3] At the end of his talk, he encouraged NSA employees to leak more documents.[4]

Apple denied the allegations in a statement to a journalist from All Things Digital (part of the Wall Street Journal's Digital Network).[5][6]

Source

Author James Bamford, who specializes in the United States intelligence agencies, noted in a commentary article published by Reuters that Appelbaum has not identified the source who leaked the ANT catalog to him, which led people to mistakenly assume it was Edward Snowden. Bamford got unrestricted access to the document cache from Edward Snowden and could not find any references to the ANT catalog using automated search tools, and therefore concluded that the documents were not leaked by him.[7] Security expert Bruce Schneier has stated on his blog that he believes the ANT catalog did not come from Edward Snowden, but from a second leaker.[8]

Content

The price from the capabilities range from It was written between 2008 and 2009.

Capabilities in the ANT catalog

CANDYGRAM: A $40,000 tripwire device that emulates a GSM cellphone tower.
COTTONMOUTH-I: A family of modified USB and Ethernet connectors that can be used to install Trojan horse software and work as wireless bridges, providing covert remote access to the target machine. COTTONMOUTH-I is a USB plug that uses TRINITY as digital core and HOWLERMONKEY as RF transceiver. Cost in 2008 was slightly above $1M for 50 units.
COTTONMOUTH-II: Deployed in a USB socket (rather than plug), and costs only $200K per 50 units, but requires further integration in the target machine to turn into a deployed system.
COTTONMOUTH-III: A stacked Ethernet and USB plug costing approximately $1.25M for 50 units.
CROSSBEAM: "a GSM communications module capable of collecting and compressing voice data"
CTX4000: Continuous wave radar device that can "illuminate" a target system for recovery of "off net" information.
CYCLONE-HX9: GSM Base Station Router.
DEITYBOUNCE: Technology that installs a backdoor software implant on Dell PowerEdge servers via the motherboard BIOS and RAID controller(s).
DROPOUTJEEP: "A software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted."
EBSR: A "tri-band active GSM base station with internal 802.11/GPS/handset capability"
ENTOURAGE
FEEDTROUGH: Software that can penetrate Juniper Networks firewalls, allowing other NSA-deployed software to be installed on mainframe computers.
FIREWALK: A device that looks identical to a standard RJ45 socket and allows data to be injected, or monitored and transmitted via radio technology, using the HOWLERMONKEY RF transceiver. It can for instance create a VPN to the target computer. Cost in 2008: $537K for 50 units.
FOXACID (no page): Technology that can install spyware using a "quantum insert" capable of infecting spyware at a packet level. (Not numbered because FOXACID may or may not be part of the NSA ANT catalog; sources differ.)
GENESIS
GINSU: Technology that uses a PCI bus device in a computer, and can reinstall itself upon system boot-up.
GOPHERSET: GSM software that uses a phone's SIM card's API (SIM Toolkit or STK) to control the phone through remotely sent commands.
GOURMETTROUGH: User-configurable persistence implant for certain Juniper Networks firewalls.
HALLUXWATER: Back door exploit for Huawei Eudemon firewalls.
HEADWATER: Persistent backdoor technology that can install spyware using a "quantum insert" capable of infecting spyware at a packet level on Huawei routers.
HOWLERMONKEY: An RF transceiver that makes it possible (in conjunction with digital processors and various implanting methods) to extract data from systems or allow them to be controlled remotely.
IRATEMONK: Technology that can infiltrate the firmware of hard drives manufactured by Maxtor, Samsung, Seagate, and Western Digital.
IRONCHEF: Technology that can "infect" networks by installing itself in a computer I/O BIOS. IRONCHEF also includes "Straitbizarre" and "Unitedrake", which have been linked to the spy software REGIN.[9]
JUNIORMINT
JETPLOW: Firmware that can be implanted to create a permanent backdoor in Cisco PIX series and ASA firewalls.
LOUDAUTO: $30 audio-based RF retro-reflector listening device.
MAESTRO-II: A multi-chip module approximately the size of a dime that serves as the hardware core of several other products. The module contains a 66 MHz ARM7 processor, 4 MB of flash, 8 MB of RAM, and an FPGA with 500,000 gates. Unit cost: $3–4K (in 2008). It replaces the previous generation modules, which were based on the HC12 microcontroller.
MONKEYCALENDAR: Software that transmits a mobile phone's location by hidden text message.
NEBULA
NIGHTSTAND: Portable system that wirelessly installs Microsoft Windows exploits from a distance of up to eight miles.
NIGHTWATCH: Portable computer used to reconstruct and display video data from VAGRANT signals; used in conjunction with a radar source like the CTX4000 to illuminate the target in order to receive data from it.
PICASSO: Software that can collect mobile phone location data and call metadata, and access the phone's microphone to eavesdrop on nearby conversations.
PHOTOANGLO: A joint NSA/GCHQ project to develop a radar system to replace CTX4000.
RAGEMASTER: A concealed $30 device that taps the video signal from a target's computer's VGA signal output so the NSA can see what is on a targeted desktop monitor. It is powered by a remote radar and responds by modulating the VGA red signal (which is also sent out of most DVI ports) into the RF signal it re-radiates; this method of transmission is codenamed VAGRANT. RAGEMASTER is usually installed/concealed in the ferrite choke of the target cable. The original documents are dated 2008-07-24. Several receiver/demodulating devices are available, e.g. NIGHTWATCH.
SCHOOLMONTANA: Software that makes DNT implants persistent on JUNOS-based (FreeBSD-variant) J-series routers/firewalls.
SIERRAMONTANA: Software that makes DNT implants persistent on JUNOS-based M-series routers/firewalls.
STUCCOMONTANA: Software that makes DNT implants persistent on JUNOS-based T-series routers/firewalls.
SOMBERKNAVE: Software that can be implanted on a Windows XP system, allowing it to be remotely controlled from NSA headquarters.
SOUFFLETROUGH: BIOS injection software that can compromise Juniper Networks SSG300 and SSG500 series firewalls.
SPARROW II: A small computer intended to be used for WLAN collection, including from UAVs. Hardware: IBM Power PC 405GPR processor, 64 MB SDRAM, 16 MB of built-in flash, 4 mini PCI slots, CompactFlash slot, and 802.11 B/G hardware. Running Linux 2.4 and the BLINDDATE software suite. Unit price (2008): $6K.
SURLYSPAWN: Keystroke monitor technology that can be used on remote computers that are not internet connected.
SWAP: Technology that can reflash the BIOS of multiprocessor systems that run FreeBSD, Linux, Solaris, or Windows.
TAWDRYYARD
TOTECHASER
TOTEGHOSTLY: Software that can be implanted on a Windows mobile phone, allowing full remote control.
TRINITY: A more recent and more powerful multi-chip module using a 180 MHz ARM9 processor, 4 MB of flash, 96 MB of SDRAM, and an FPGA with 1 million gates. Smaller than a penny. Estimated cost (2008) $625K for 100 units.
WATERWITCH: A portable "finishing tool" that allows the operator to find the precise location of a nearby mobile phone.
WISTFULTOLL

Follow-up developments

Security expert Matt Suiche noted that the software exploits leaked by the Shadow Brokers could be seen as genuine because they matched names from the ANT catalog.[10] John Bumgarner has stated to IEEE Spectrum that US government suspicion of Huawei is based on its own ability to add backdoors, as shown in the ANT catalog.[11]

NSA Playset

The NSA Playset is an open-source project, inspired by the NSA ANT catalog,[12] to create more accessible and easy-to-use tools for security researchers.[13] Most of the surveillance tools can be recreated with off-the-shelf or open-source hardware and software.[14] Thus far, the NSA Playset consists of fourteen items, for which the code and instructions can be found online on the project's homepage.[15]

After the initial NSA ANT catalog leak, which was published by Der Spiegel in 2013,[15][16] Michael Ossmann, the founder of Great Scott Gadgets, called on other security researchers to start working on the tools mentioned in the catalog and to recreate them.[17] The name NSA Playset[14] originally came from Dean Pierce, who is also a contributor (TWILIGHTVEGETABLE (GSM)) to the NSA Playset. Anyone is invited to join and contribute their own device. The requisites for an addition to the NSA Playset are a similar or already existing NSA ANT project, ease of use and a silly name based on the original tool's name.[15][16] The silly name requisite is a rule that Michael Ossmann himself came up with, and an example is given on the project's website: "For example, if your project is similar to FOXACID, maybe you could call it COYOTEMETH." The ease of use part also stems from the NSA Playset's motto: "If a 10 year old can't do it, it doesn't count!"

Capabilities

  1. TWILIGHTVEGETABLE: a boot image for GSM communication monitoring.[15]
  2. LEVITICUS: a hand held GSM frequency analyzer disguised as a Motorola phone.[15]
  3. DRIZZLECHAIR: a hard drive with all the needed tools to crack A5/1 including the rainbow tables.[15]
  4. PORCUPINEMASQUERADE: a passive Wi-Fi reconnaissance drone.[15]
  5. KEYSWEEPER: a keylogger in the form of a USB wall charger that wirelessly and passively sniffs, decrypts, logs and reports back (over GSM).[15]
  6. SLOTSCREAMER: a PCI hardware implant, which can access memory and IO.[15]
  7. ADAPTERNOODLE: a USB exploitation device.
  8. CHUKWAGON: uses a pin on a computer's VGA port to attack via the I²C bus accessing the computer's operating system.[15]
  9. TURNIPSCHOOL: a hardware implant concealed in a USB cable which provides short range radio frequency communication capability to software running on the host computer.[15]
  10. BLINKERCOUGH: a hardware implant that is embedded in a VGA cable which allows data exfiltration.[15]
  11. SAVIORBURST: a hardware implant exploiting the JTAG interface for software application persistence.
  12. CACTUSTUTU: Portable system that enables wireless installation of Microsoft Windows exploits.
  13. TINYALAMO: software that targets BLE (Bluetooth Low Energy) and allows keystroke surveillance (keylogger) and injection.[15]
  14. CONGAFLOCK: Radio frequency retroreflector intended for experimentation. Intended use would be the implantation into a cable and data exfiltration based on radio reflectivity of the device. (FLAMENCOFLOCK (PS/2), TANGOFLOCK (USB) and SALSAFLOCK (VGA) are retroreflectors with specific interfaces to test data exfiltration.)[15]

References

  1. ^ Appelbaum, Jacob; Horchert, Judith; Stöcker, Christian (2013-12-29). "Catalog Reveals NSA Has Back Doors for Numerous Devices". Der Spiegel. ISSN 2195-1349. Retrieved 2021-12-21.
  2. ^ "Documents Reveal Top NSA Hacking Unit".
  3. ^ "Vortrag: To Protect And Infect, Part 2 - The militarization of the Internet".
  4. ^ "17 exploits the NSA uses to hack PCs, routers and servers for surveillance". Computerworld.
  5. ^ "Apple Denies Working with NSA on iPhone Backdoor". AllThingsD. Retrieved 2021-12-18.
  6. ^ Robertson, Adi (2013-12-31). "Apple denies any knowledge of NSA's iPhone surveillance implant". The Verge. Retrieved 2021-12-18.
  7. ^ "Commentary: Evidence points to another Snowden at the NSA".
  8. ^ "The NSA may have another leaker on its hands".
  9. ^ Stöcker, Christian; Rosenbach, Marcel (25 November 2014). "Trojaner Regin ist ein Werkzeug von NSA und GCHQ". Spiegel Online (in German). Retrieved 2 February 2015.
  10. ^ "Hackers Have Allegedly Stolen NSA-Linked 'Cyber Weapons' and Are Auctioning Them Off". Fortune. Retrieved 2021-12-18.
  11. ^ "U.S. Suspicions of China's Huawei Based Partly on NSA's Own Spy Tricks". IEEE Spectrum. 2014-03-26. Retrieved 2021-12-21.
  12. ^ Rutrell Yasin (August 7, 2015). "The NSA Playset: 5 Better Tools To Defend Systems". DarkReading.com. Retrieved June 14, 2017.
  13. ^ Lucy Teitler (November 17, 2014). "Let's Play NSA! The Hackers Open-Sourcing Top Secret Spy Tools". Motherboard. Retrieved June 14, 2017.
  14. ^ a b Michael Ossmann (July 31, 2014). "The NSA Playset". Mossman's blog. Retrieved June 14, 2017.
  15. ^ a b c d e f g h i j k l m n Sean Gallagher (August 11, 2015). "The NSA Playset: Espionage tools for the rest of us". Ars Technica: Technology Lab. Retrieved June 14, 2017.
  16. ^ a b David Rudin (August 18, 2015). "The NSA Playset is trying to democratize surveillance using the aesthetic of child's play". Kill Screen. Retrieved June 14, 2017.
  17. ^ Violet Blue (June 11, 2014). "NSA Playset invites hackers to 'play along with the NSA'". ZD Net. Retrieved June 15, 2017.
