An internal NSA catalog offers spies backdoors into a wide range of equipment from major computing and security vendors, according to an article published by Germany’s Der Spiegel on Sunday, based on leaked documents.
Targets include firewalls from Juniper Networks, hard drives from Western Digital, Seagate, Maxtor and Samsung, networking gear from Cisco and Huawei, and servers from Dell. The documents are from 2007, so other products may have been affected since then. According to the piece, there is no evidence that any of the companies knowingly allowed these backdoors — this appears to be a matter of highly sophisticated hacking and cracking.
According to more specific documents published on Monday by Der Spiegel, the affected network security products and servers include:
- Cisco 500 series PIX firewalls and most ASA firewalls (5505, 5510, 5520, 5540, 5550)
- Juniper Networks SSG 500 and SSG 300 series firewalls (320M, 350M, 520, 550, 520M, 550M), as well as Juniper Netscreen NSG5T, NS50, NS25 and ISG1000 appliances
- Juniper J-series and M-series routers
- Huawei Eudemon 200, 500 and 1000 series firewalls
- Huawei routers (unspecified)
- Dell PowerEdge 1850, 2850, 1950, 2950 RAID servers
The catalog also offers fairly cheap rigged monitor cables for spying on targets’ monitors ($30), and pricier equipment such as base stations for fooling mobile networks and cellphones ($40,000), and bugs disguised as USB plugs ($20,000+).
These are all products of the Advanced/Access Network Technology (ANT) division of the NSA’s Tailored Access Operations (TAO) elite hacker unit. According to the article, ANT also has techniques for infecting BIOS firmware, the instructions that run when a computer starts up, in order to enable long-term, undetected spying.
A second Spiegel article provides a wider look at the actions of the TAO unit, describing the “shadow network” that runs alongside the internet in order to aid attacks (such as the UK’s Belgacom hack), the exploitation of Windows crash reports as a way of finding vulnerabilities in victims’ computers, and the physical interception of computers and accessories that have been ordered online, in order to bug them.
Saturday’s revelations aren’t all about targeted attacks, though. They also refer to how the NSA and its partners subvert major undersea cables to tap into bulk internet traffic — specifically the traffic flowing through the SEA-ME-WE-4 cable connecting Europe, North Africa and Asia, the network mapping of which was apparently achieved in early 2013.
This article was updated at 8.30am PT to remove the suggestion that the relevant documents came from the Snowden cache. Their provenance is in fact not clear from the Spiegel articles. It was updated again on Monday to include specific details of affected products, as published on Monday by Der Spiegel.