TURBINE: how the NSA has hijacked botnets from cybercrime

TURBINE is the codename of a sophisticated hacking platform used to take control of C&C servers run by cybercriminals.

The NSA has been hijacking the botnets run by cybercriminals for its own purposes; this is the latest revelation about the agency's questionable activities.

This latest revelation is also based on documents leaked by Snowden. The news was disclosed by The Intercept and confirms that by July 2010 the National Security Agency had built a system codenamed TURBINE, designed to conduct sophisticated computer-hacking operations. According to the leaked documents, the NSA has infected between 85,000 and 100,000 computers with "implants". TURBINE is the second command-and-control platform to surface: earlier documents referred to another system designed for the same purpose, named FOXACID, a collection of servers providing an automated hacking platform used to drive operators into hacking targets. Other platforms are probably still operating secretly, and the NSA can potentially scale up to handle millions of infected machines at once.

[TURBINE] is designed to “allow the current implant network to scale to large size (millions of implants) by creating a system that does automated control implants by groups instead of individually.”

The security community has witnessed an explosion in the number of botnets in recent years: groups of coordinated machines used by cybercriminals to run DDoS attacks, data theft, bitcoin mining, phishing campaigns and malware distribution.

Consider also that the Tor network is becoming a fertile environment for botmasters, who hide their infrastructure inside the anonymizing network. Kaspersky security researcher Sergey Lozhkin published an interesting article on the topic, revealing that the Tor network is currently being used to hide the C&C servers of nearly 900 botnets, along with other illegal hidden services. Large modern botnets can be composed of millions of infected machines, and it is plausible that the NSA has planned to abuse them for its own purposes.

NSA documentation demonstrates the existence, since 2007, of a program called QUANTUMBOT, a dedicated architecture for taking over the command-and-control systems of existing botnets. One of the leaked slides reports “over 140,000 bots co-opted”; not bad, what do you think?

In the documents leaked by Snowden, the NSA describes its techniques as “a more aggressive approach to SIGINT” and says that the TAO unit’s mission is to “aggressively scale” these operations; the agency also refers to the need for an automated system to manage a massive network of implants.

“One of the greatest challenges for active SIGINT/attack is scale,” explains the top-secret presentation from 2009. “Human ‘drivers’ limit ability for large-scale exploitation (humans tend to operate within their own environment, not taking into account the bigger picture).” The agency’s solution was TURBINE. Developed as part of the TAO unit, it is described in the leaked documents as an “intelligent command and control capability” that enables “industrial-scale exploitation.”

“TURBINE was designed to make deploying malware much easier for the NSA’s hackers by reducing their role in overseeing its functions. The system would “relieve the user from needing to know/care about the details,” the NSA’s Technology Directorate notes in one secret document from 2009. “For example, a user should be able to ask for ‘all details about application X’ and not need to know how and where the application keeps files, registry entries, user application data, etc.”

In practice, this meant that TURBINE would automate crucial processes that previously had to be performed manually – including the configuration of the implants as well as surveillance collection, or “tasking,” of data from infected systems. But automating these processes was about much more than a simple technicality. The move represented a major tactical shift within the NSA that was expected to have a profound impact – allowing the agency to push forward into a new frontier of surveillance operations,” reports The Intercept.

What is the intent of the NSA? Cybercrime prevention, infiltration of the underground ecosystem or, worse, did the agency plan to use it to serve malware for surveillance purposes or to conduct covert attacks against foreign targets? Personally, I lean towards the latter hypothesis.

Pierluigi Paganini

(Security Affairs – botnets, NSA, TURBINE)
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and is a Certified Ethical Hacker at EC Council in London. His passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".