Among all of the NSA hacking operations exposed by whistleblower Edward Snowden over the last two years, one in particular has stood out for its sophistication and stealthiness. Known as Quantum Insert, the man-on-the-side hacking technique has been used to great effect since 2005 by the NSA and its partner spy agency, Britain’s GCHQ, to hack into high-value, hard-to-reach systems and implant malware.
Quantum Insert is useful for getting at machines that can’t be reached through phishing attacks. It works by hijacking a browser as it’s trying to access web pages and forcing it to visit a malicious web page, rather than the page the target intends to visit. The attackers can then surreptitiously download malware onto the target’s machine from the rogue web page.
Quantum Insert has been used to hack the machines of terrorist suspects in the Middle East, but it was also used in a controversial GCHQ/NSA operation against employees of the Belgian telecom Belgacom and against workers at OPEC, the Organization of Petroleum Exporting Countries. The “highly successful” technique allowed the NSA to place 300 malicious implants on computers around the world in 2010, according to the spy agency’s own internal documents—all while remaining undetected.
But now security researchers with Fox-IT in the Netherlands, who helped investigate that hack against Belgacom, have found a way to detect Quantum Insert attacks using common intrusion detection tools such as Snort, Bro and Suricata.
The detection focuses on identifying anomalies in the data packets that get sent to a victim’s browser client when the browser attempts to access web pages. The researchers, who plan to discuss their findings at the RSA Conference in San Francisco today, have written a blog post describing the technical details and are releasing custom patches for Snort to help detect Quantum Insert attacks.
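The article says only that the detection looks for anomalies in the packets reaching the victim's browser. The following is an added illustration of what such a check can look like, written for this page and not Fox-IT's own Snort patches. It assumes that the anomaly of interest is the race the technique depends on: two TCP segments in the same server-to-client flow that carry the same sequence number but different payload, optionally with a different IP TTL, because the legitimate response still arrives after the injected one and the browser discards it as a duplicate. All packets, addresses and payloads below are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    """One TCP segment, reduced to the fields the check needs (constructed, not a real capture)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int          # TCP sequence number of the first payload byte
    ttl: int          # IP TTL as observed at the sensor
    payload: bytes


FlowKey = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Alert:
    flow: FlowKey
    seq: int
    ttl_differs: bool       # the colliding segment's TTL differs from the flow's first TTL
    first_payload: bytes    # what the client most likely accepted (it arrived first)
    second_payload: bytes   # the later, conflicting copy for the same sequence number


def detect_injection(packets: List[Packet]) -> List[Alert]:
    """Flag segments that reuse a sequence number with different bytes.

    A normal retransmission repeats the same payload, so it is not flagged;
    a second, different payload for the same offset means two senders are
    competing for the same position in the stream.
    """
    first_payload: Dict[FlowKey, Dict[int, bytes]] = {}
    first_ttl: Dict[FlowKey, int] = {}
    alerts: List[Alert] = []
    for p in packets:
        if not p.payload:
            continue  # pure ACKs and handshake segments carry nothing to compare
        key: FlowKey = (p.src, p.sport, p.dst, p.dport)
        by_seq = first_payload.setdefault(key, {})
        first_ttl.setdefault(key, p.ttl)  # TTL of the first data segment in this direction
        prev = by_seq.get(p.seq)
        if prev is None:
            by_seq[p.seq] = p.payload
        elif prev != p.payload:
            alerts.append(Alert(key, p.seq, p.ttl != first_ttl[key], prev, p.payload))
    return alerts


# Constructed sample flows (documentation addresses, hypothetical values).
SERVER = ("203.0.113.10", 80)
CLIENT = ("192.0.2.25", 51234)


def _srv(seq: int, ttl: int, payload: bytes) -> Packet:
    """Build a server-to-client segment for the sample flows."""
    return Packet(SERVER[0], SERVER[1], CLIENT[0], CLIENT[1], seq, ttl, payload)


# A raced flow: a redirect with a foreign TTL arrives first, the real 200 OK
# for the same sequence number arrives afterwards and is discarded by the client.
RACED_FLOW = [
    _srv(1000, 58, b"HTTP/1.1 302 Found\r\nLocation: http://example.invalid/\r\n\r\n"),
    _srv(1000, 52, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    _srv(1050, 52, b"<body>...</body></html>"),
]

# A clean flow with an ordinary retransmission (same bytes, same TTL): no alert.
CLEAN_FLOW = [
    _srv(5000, 52, b"HTTP/1.1 200 OK\r\n\r\n"),
    _srv(5000, 52, b"HTTP/1.1 200 OK\r\n\r\n"),
    _srv(5019, 52, b"<html></html>"),
]


if __name__ == "__main__":
    for a in detect_injection(RACED_FLOW):
        print(f"flow {a.flow} seq {a.seq} ttl_differs={a.ttl_differs}")
        print(f"  accepted : {a.first_payload[:40]!r}")
        print(f"  conflict : {a.second_payload[:40]!r}")
    print("clean flow alerts:", detect_injection(CLEAN_FLOW))
```

The check keys on the sequence-number collision alone; the TTL difference is reported as supporting evidence rather than a trigger, since TTLs can legitimately change when a route flaps. A production sensor would additionally need stream reassembly, sequence-number wraparound handling and a bounded per-flow memory, none of which this sketch attempts.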
How Quantum Insert Works
According to various documents leaked by Snowden and published by The Intercept and the German newspaper Der Spiegel, Quantum Insert requires the NSA and GCHQ to have fast-acting servers relatively near a target’s machine that are capable of intercepting browser traffic swiftly in order to deliver a malicious web page to the target’s machine before the legitimate web page can arrive.
To achieve this, the spy agencies use rogue systems the NSA has codenamed FoxAcid servers, as well as special high-speed servers known as “shooters,” placed at key points around the internet.
In the Belgacom hack, GCHQ first identified specific engineers and system administrators who worked for the Belgian telecom and one of its subsidiaries, BICS. The attackers then mapped out the digital footprints of chosen workers, identifying the IP addresses of work and personal computers as well as Skype, Gmail and social networking accounts such as Facebook and LinkedIn. Then they set up rogue pages, hosted on FoxAcid servers, to impersonate, for example, an employee’s legitimate LinkedIn profile page.
The agencies then used packet-capturing tools that sniffed or sifted through internet traffic—which can occur with the cooperation of telecoms or without it—to spot…