TAO (TAILORED ACCESS OPERATIONS)
As the most targeted Nation in the world, The United States intelligence community has been continuously raising the bar to combat global bad actors. Tailored Access Operations is the largest operative component of the Signal Intelligence Directorate of the United States National Security Agency (NSA), consisting of over 1000 military and civilian cyber security professionals, hackers, technology specialists, and hardware and software designers. Approximately 600 of TAO (Tailored Access Operations)’s Computer Network Exploitation (CNE) operators work in rotating 24 hour, seven days a week, shifts out of the Remote Operations Center at Fort Meade.
The Office of Tailored Access Operations produces some of the best intelligence for the United States government and its work has been pivotal to the success of numerous operations. TAO is credited with delivering critical information to the 2007 U.S. Army operations in Iraq and in the 2007 operations to prevent Iran from obtaining nuclear weapons.
TAO is comprised of four main divisions. The Data Network Technologies Branch develops the infiltration and collection software utilized by the TAO. The Telecommunications Network Technologies Branch curates infiltration techniques. The Mission Infrastructure Technologies Branch combines the spyware and techniques to use in campaigns and they develop and build the computer and telecommunications hardware. The Access Technologies Branch, which contains personnel seconded by the CIA and FBI, performs “off-net operations.” TAO is headed by U.S. Cyber Command and the director of the NSA.
The NSA is not authorized to conduct operations against domestic targets; however, some are concerned about the massive telecommunications monitoring programs that were revealed as a result of the Snowden leaks. The NSA monitors domestic traffic to capture communications in which at least one party originates from outside the United States. When CNE operators identify a network or system belonging to a nefarious foreign entity, they attempt to compromise its security, download a copy of its hard drive for analysis, and plant malware tools to monitor email and network traffic from the machine.
The main attack suite developed by the TAO and made public by the Snowden leak is dubbed QUANTUM. QUANTUM features a suite of attack tools that enable DNS injection attacks, HTTP injection attacks, and the ability to inject into MySQL connections. It also contains tools to hijack IRC and HTTP-based criminal botnets and tools to create phantom servers. The QUANTUMDEFENSE portion of the program searches tapped connections for DNS requests for NIPRnet addresses and initiates a packet-injection attack on a DNS reply to redirect the target to an NSA controlled site. This site may be a FOXACID server, which probes the victim’s browser for weaknesses. The TAO can exploit any weaknesses with the QUANTUMINSERT program and seize control of the victim system. QUANTUMSMACKDOWN conducts packet injection attacks against attacks aimed at Department of Defense assets. QUANTUMCOOKIE is used to de-anonymize Tor users through web cookies and fetch requests. Finally, the QUANTUMSQIRREL program lets TAO pose as any authenticated user on virtually any site by spoofing the IPv4 or IPv6 address of the host. Through this, TAO can monitor most digital communication, create posts from a “trusted” account, or pose as specific users in online transactions.