ANT catalog
ANT catalog | |
---|---|
NSA/CSS, used on all the catalog pages | |
Description | classified ANT product catalog for the Tailored Access Operations unit |
Original author | National Security Agency |
Number of pages | 49 |
Date of catalog sheets | 2008–2009 |
Publisher | Der Spiegel |
Authors of publication | Jacob Appelbaum, Christian Stöcker and Judith Horchert |
Date of publication | 30 December 2013 |
Year of intended declassification | 2032 |
The ANT catalog
Background
The Tailored Access Operations unit has existed since the late 1990s. Its mission is to collect intelligence on foreign targets of the United States by hacking into computers and telecommunication networks.[3] For years before the publication, it had been speculated that capabilities like those in the ANT catalog existed.[1]
In 2012,
Publication
Jacob Appelbaum co-authored the English publication in Der Spiegel with Christian Stöcker and Judith Horchert, which was published on 29 December 2013.[1] Der Spiegel's related English publication about the TAO, released the same day, was written by the same authors together with Laura Poitras, Marcel Rosenbach, Jörg Schindler and Holger Stark.[5] On December 30, Appelbaum gave a lecture about "the militarization of the Internet" at the 30th Chaos Communication Congress in Hamburg, Germany.[6] At the end of his talk, he encouraged NSA employees to leak more documents.[7]
Apple denied the allegations that it collaborated on the development of DROPOUTJEEP in a statement to journalist Arik Hesseldahl from
Bruce Schneier wrote about the tools on his blog in a series titled "NSA Exploit of the Week". He stated that because of this, his website got blocked by the Department of Defense.[11]
Source
The source who leaked the ANT catalog to Der Spiegel is unknown as of 2024.
Officials at the NSA did not believe that the web crawler used by Snowden touched the ANT catalog and started looking for other people who could have leaked the catalog.[12]
Author James Bamford, who specializes in the United States intelligence agencies, noted in a 2016 commentary article that Appelbaum has not identified the source who leaked the ANT catalog to him, which led people to mistakenly assume it was Edward Snowden. Bamford got unrestricted access to the document cache from Edward Snowden and could not find any references to the ANT catalog using automated search tools, thereby concluding that the documents were not leaked by him.[13] Security expert Bruce Schneier has stated on his blog that he also believes the ANT catalog did not come from Snowden, but from a second leaker.[14]
Content
The published catalog pages were written between 2008 and 2009. The price of the items ranged from free up to $250,000.
Code name | Description[15] | Unit price in US$[c] |
---|---|---|
CANDYGRAM | Tripwire device that emulates a GSM cellphone tower. | 40,000 |
COTTONMOUTH-I | Family of modified USB and Ethernet connectors that can be used to install wireless bridges, providing covert remote access to the target machine. COTTONMOUTH-I is a USB plug that uses TRINITY as digital core and HOWLERMONKEY as RF transceiver. | 20,300 |
COTTONMOUTH-II | Can be deployed in a USB socket (rather than plug), but requires further integration in the target machine to turn into a deployed system. | 4,000 |
COTTONMOUTH-III | Stacked Ethernet and USB plug. | 24,960 |
CROSSBEAM | GSM communications module capable of collecting and compressing voice data. | 4,000 |
CTX4000 | Continuous wave radar device that can "illuminate" a target system for recovery of "off net" information. | N/A |
CYCLONE-HX9 | GSM Base Station Router as a Network-In-a-Box. | 70,000[d] |
DEITYBOUNCE | Technology that installs a backdoor software implant on Dell PowerEdge servers via the motherboard BIOS and RAID controller(s). | 0 |
DROPOUTJEEP | "A software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted." | 0 |
EBSR | Tri-band active GSM base station with internal 802.11/GPS/handset capability. | 40,000 |
ENTOURAGE | Direction finding application for GSM, UMTS, CDMA2000 and FRS signals. | 70,000 |
FEEDTROUGH | Software that can penetrate Juniper Networks firewalls allowing other NSA-deployed software to be installed on mainframe computers. | N/A |
FIREWALK | Device that looks identical to a standard VPN to the target computer. | 10,740 |
GENESIS | GSM handset with added software-defined radio features to record the radio frequency spectrum. | 15,000 |
GODSURGE | Software implant for a JTAG bus device named FLUXBABBITT which is added to Dell PowerEdge servers during interdiction. GODSURGE installs an implant upon system boot-up using the FLUXBABBITT JTAG interface to the Xeon series CPU. | 500[e] |
GINSU | Technology that uses a PCI bus device in a computer, and can reinstall itself upon system boot-up. | 0 |
GOPHERSET | GSM software that uses a phone's SIM card's API (SIM Toolkit or STK) to control the phone through remotely sent commands. | 0 |
GOURMETTROUGH | User-configurable persistence implant for certain Juniper Networks firewalls. | 0 |
HALLUXWATER | Back door exploit for Huawei Eudemon firewalls. | N/A |
HEADWATER | Persistent backdoor technology that can install spyware using a quantum insert capable of infecting spyware at a packet level on Huawei routers. | N/A |
HOWLERMONKEY | An RF transceiver that makes it possible (in conjunction with digital processors and various implanting methods) to extract data from systems or allow them to be controlled remotely. | 750[f] |
IRATEMONK | Technology that can infiltrate the firmware of hard drives manufactured by Maxtor, Samsung, Seagate, and Western Digital. | 0 |
IRONCHEF | Technology that can "infect" networks by installing itself in a computer I/O BIOS. IRONCHEF also includes "Straitbizarre" and "Unitedrake", which have been linked to the spy software REGIN.[16] | 0 |
JUNIORMINT | Implant based on an ARM9 core and an FPGA. | N/A |
JETPLOW | Firmware that can be implanted to create a permanent backdoor in Cisco PIX series and ASA firewalls. | 0 |
LOUDAUTO | Audio-based RF retro-reflector listening device. | 30 |
MAESTRO-II | HC12 microcontroller. | 3,000[g] |
MONKEYCALENDAR | Software that transmits a mobile phone's location by hidden text message. | 0 |
NEBULA | Multi-protocol network-in-a-box system. | 250,000 |
NIGHTSTAND | Portable system that installs Microsoft Windows exploits from a distance of up to eight miles over a wireless connection. | N/A[h] |
NIGHTWATCH | Portable computer used to reconstruct and display video data from VAGRANT signals; used in conjunction with a radar source like the CTX4000 to illuminate the target in order to receive data from it. | N/A |
PICASSO | Software that can collect mobile phone location data and call metadata, and access the phone's microphone to eavesdrop on nearby conversations. | 2,000 |
PHOTOANGLO | A joint NSA/GCHQ project to develop a radar system to replace CTX4000. | 40,000 |
RAGEMASTER | A concealed device that taps the video signal from a target's computer's ferrite choke of the target cable. The original documents are dated 2008-07-24. Several receiver/demodulating devices are available, e.g. NIGHTWATCH. | 30 |
SCHOOLMONTANA | Software that makes DNT implants persistent on JUNOS-based (FreeBSD-variant) J-series routers/firewalls. | N/A |
SIERRAMONTANA | Software that makes DNT implants persistent on JUNOS-based M-series routers/firewalls. | N/A |
STUCCOMONTANA | Software that makes DNT implants persistent on JUNOS-based T-series routers/firewalls. | N/A |
SOMBERKNAVE | Software that can be implanted on a Windows XP system allowing it to be remotely controlled from NSA headquarters. | 50,000 |
SOUFFLETROUGH | BIOS injection software that can compromise Juniper Networks SSG300 and SSG500 series firewalls. | 0 |
SPARROW II | A small computer intended to be used for mini PCI slots, CompactFlash slot, and 802.11 B/G hardware. Running Linux 2.4 and the BLINDDATE software suite. Unit price (2008): $6K. | 6,000 |
SURLYSPAWN | Keystroke monitor technology that can be used on remote computers that are not internet connected. | 30 |
SWAP | Technology that can reflash the BIOS of multiprocessor systems that run Solaris, or Windows. | 0 |
TAWDRYYARD | Radio frequency retroreflector to provide location information. | 30 |
TOTECHASER | Windows CE implant for extracting call logs, contact lists and other information. | N/A |
TOTEGHOSTLY | Software that can be implanted on a Windows mobile phone allowing full remote control. | 0 |
TRINITY | Multi-chip module using a 180 MHz ARM9 processor, 4 MB of flash, 96 MB of SDRAM, and an FPGA with 1 million gates. Smaller than a penny. | 6,250[j] |
TYPHON HX | Network-in-a-box for a GSM network with signaling and call control. | N/A |
WATERWITCH | A portable "finishing tool" that allows the operator to find the precise location of a nearby mobile phone. | N/A |
WISTFULTOLL | Plugin for collecting information from targets using Windows Management Instrumentation. | 0 |
Follow-up developments
Security expert
NSA Playset
The NSA Playset is an open-source project inspired by the NSA ANT catalog to create more accessible and easy-to-use tools for security researchers.[19] Most of the surveillance tools can be recreated with off-the-shelf or open-source hardware and software. Thus far, the NSA Playset consists of fourteen items, for which the code and instructions can be found online on the project's homepage. After the initial leak, Michael Ossmann, the founder of Great Scott Gadgets, called on other security researchers to start working on the tools mentioned in the catalog and to recreate them. The name NSA Playset came originally from Dean Pierce, who is also a contributor (TWILIGHTVEGETABLE (GSM)) to the NSA Playset. Anyone is invited to join and contribute their own device. The requisites for an addition to the NSA Playset are a similar or already existing NSA ANT project, ease of use and a silly name (based on the original tool's name if possible). The silly name requisite is a rule that Michael Ossmann himself came up with, and an example is given on the project's website: "For example, if your project is similar to FOXACID, maybe you could call it COYOTEMETH." The ease-of-use requisite also stems from the NSA Playset's motto: "If a 10 year old can't do it, it doesn't count!"[19][20][21][22]
Name[23] | Description[22] |
---|---|
TWILIGHTVEGETABLE | a boot image for GSM communication monitoring. |
LEVITICUS | a hand held GSM frequency analyzer disguised as a Motorola phone; named after GENESIS. |
DRIZZLECHAIR | a hard drive with all the needed tools to crack A5/1 including the rainbow tables. |
PORCUPINEMASQUERADE | a passive Wi-Fi reconnaissance drone. |
KEYSWEEPER | a keylogger in the form of a USB wall charger that wirelessly and passively sniffs, decrypts, logs and reports back (over GSM). |
SLOTSCREAMER | a PCI hardware implant, which can access memory and IO. |
ADAPTERNOODLE | a USB exploitation device. |
CHUKWAGON | uses a pin on a computer's VGA port to attack via the I²C bus accessing the computer's operating system. |
TURNIPSCHOOL | a hardware implant concealed in a USB cable which provides short range radio frequency communication capability to software running on the host computer. |
BLINKERCOUGH | a hardware implant that is embedded in a VGA cable which allows data exfiltration. |
SAVIORBURST | a hardware implant exploiting the JTAG interface for software application persistence; named after GODSURGE. FLUXBABBITT is replaced by SOLDERPEEK. |
CACTUSTUTU | Portable system that enables wireless installation of Microsoft Windows exploits; covers NIGHTSTAND. |
TINYALAMO | software that targets BLE (Bluetooth Low Energy) and allows keystroke surveillance (keylogger) and injection. |
CONGAFLOCK | Radio frequency retroreflector intended for experimentation. Intended use would be the implantation into a cable and data exfiltration based on radio reflectivity of the device. (FLAMENCOFLOCK (PS/2), TANGOFLOCK (USB), SALSAFLOCK (VGA) are retroreflectors with specific interfaces to test data exfiltration.) |
Explanatory notes
- [a] Whether ANT stands for Advanced Network Technology or Access Network Technology is not known.[1]
- [b] The article from Der Spiegel notes that it is a "50-page document" and that "nearly 50 pages" are published. The gallery contains 49 pages. Der Spiegel also noted that the document is likely far from complete.[2]
- [c] If the price is listed in bulk, a calculation is made to get the unit price.
- [d] For two months.
- [e] Including installation costs.
- [f] When ordering 25 units, the price per item is US$1000.
- [g] Up to 4,000.
- [h] Varies from platform to platform.
- [i] Data Network Technologies, a division of the Tailored Access Operations.
- [j] 100 units for 625,000.
References
- [1] from the original on 2014-01-04. Retrieved 2021-12-21.
- [2] from the original on 2022-04-11. Retrieved 2022-04-11.
- [3] Aid, Matthew M. "Inside the NSA's Ultra-Secret China Hacking Group". Foreign Policy. Archived from the original on 2022-02-12. Retrieved 2022-02-12.
- [4] Kelley, Michael B. "We Now Know A Lot More About Edward Snowden's Epic Heist — And It's Troubling". Business Insider. Archived from the original on 2022-04-06. Retrieved 2022-04-06.
- [5] from the original on 2019-02-06. Retrieved 2022-02-09.
- [6] "Vortrag: To Protect And Infect, Part 2 - The militarization of the Internet". ccc.de. Archived from the original on 2021-11-02. Retrieved 2021-12-18.
- [7] Storm, Darlene (3 January 2014). "17 exploits the NSA uses to hack PCs, routers and servers for surveillance". Computerworld. Archived from the original on 2021-12-18. Retrieved 2021-12-18.
- [8] AllThingsD. Archived from the original on 2022-02-24. Retrieved 2021-12-18.
- [9] Robertson, Adi (2013-12-31). "Apple denies any knowledge of NSA's iPhone surveillance implant". The Verge. Archived from the original on 2021-12-18. Retrieved 2021-12-18.
- [10] Bent, Kristin; Spring, Tom (2013-12-30). "Dell, Cisco 'Deeply Concerned' Over NSA Backdoor Exploit Allegations". CRN. Archived from the original on 2022-04-07. Retrieved 2022-04-08.
- [11] Farrell, Stephen (July 2023). "Reflections on Ten Years Past The Snowden Revelations". Internet Engineering Task Force. Retrieved 2023-10-28.
- [12] OCLC 1039082430.
- [13] Bamford, James (2016-08-22). "Commentary: Evidence points to another Snowden at the NSA". Reuters. Archived from the original on 2022-02-24. Retrieved 2022-02-09.
- [14] Pasick, Adam (4 July 2014). "The NSA may have another leaker on its hands". Quartz. Archived from the original on 23 October 2014. Retrieved 7 February 2022.
- [15] "Interactive Graphic: The NSA's Spy Catalog". Der Spiegel. 2013-12-30. Archived from the original on 2014-01-02. Retrieved 2022-04-07.
- [16] Spiegel Online (in German). Archived from the original on 28 November 2014. Retrieved 2 February 2015.
- [17] Hackett, Robert. "Hackers Have Allegedly Stolen NSA-Linked 'Cyber Weapons' and Are Auctioning Them Off". Fortune. Archived from the original on 2021-12-18. Retrieved 2021-12-18.
- [18] Hsu, Jeremy (2014-03-26). "U.S. Suspicions of China's Huawei Based Partly on NSA's Own Spy Tricks". IEEE Spectrum. Archived from the original on 2021-12-21. Retrieved 2021-12-21.
- [19] Vice Motherboard. Archived from the original on February 25, 2017. Retrieved June 14, 2017.
- [20] ZDNet. Archived from the original on June 19, 2017. Retrieved June 15, 2017.
- [21] Michael Ossmann (July 31, 2014). "The NSA Playset". Mossman's blog. Archived from the original on December 28, 2017. Retrieved June 14, 2017.
- [22] Sean Gallagher (August 11, 2015). "The NSA Playset: Espionage tools for the rest of us". Ars Technica. Archived from the original on September 22, 2017. Retrieved June 14, 2017.
- [23] "NSA Playset homepage". www.nsaplayset.org.
Further reading
- Koop, Peter. "Leaked documents that were not attributed to Snowden". Electrospaces.net. Archived from the original on 2022-02-24. Retrieved 2022-04-12.
External links
- NSA Playset wiki
- The NSA Playset a Year of toys and tools at Black Hat 2015
- NSA Playset at Toorcamp 2014