NSA secretly hijacked existing malware to spy on N. Korea, others

A new wave of documents from Edward Snowden’s cache of National Security Agency data published by Der Spiegel demonstrates how the agency has used its network exploitation capabilities both to defend military networks from attack and to co-opt other organizations’ hacks for intelligence collection and other purposes. In one case, the NSA secretly tapped into South Korean network espionage on North Korean networks to gather intelligence.

The documents were published as part of an analysis by Jacob Appelbaum and others working for Der Spiegel of how the NSA has developed an offensive cyberwarfare capability over the past decade. According to a report by the New York Times, the access the NSA gained into North Korea’s networks—which initially leveraged South Korean “implants” on North Korean systems, but eventually consisted of the NSA’s own malware—played a role in attributing the attack on Sony Pictures to North Korean state-sponsored actors.

Included with the documents released by Der Spiegel are details on how the NSA built up its Remote Operations Center to carry out “Tailored Access Operations” on a variety of targets, while also building the capability to do permanent damage to adversaries’ information systems, including internal NSA newsletter interviews and training materials. Also included was a malware sample for a keylogger, apparently developed by the NSA and possibly other members of the “Five Eyes” intelligence community, which was also included in the dump. The code appears to be from the Five Eyes joint program “Warriorpride,” a set of tools shared by the NSA, the United Kingdom’s GCHQ, the Australian Signals Directorate, Canada’s Communications Security Establishment, and New Zealand’s Government Communications Security Bureau.