Purpose:
ANT is a division of the NSA that provides software and hardware surveillance products to members of the ‘Five Eyes’ alliance, including the NSA and GCHQ. The ANT catalogue is a 50-page classified document from 2008 listing available technology, with summaries of hardware and software surveillance in eleven areas, including [SPI03]:
1. Room surveillance
CTX4000 – radar unit that can reveal the signals emitted by devices such as laser printers.
LOUDAUTO – audio-based radio frequency listening device capable of picking up conversations.
NIGHTWATCH – portable computer used to reconstruct and display video data from nearby computer monitors.
PHOTOANGLO – enables signals of passive bugging devices to be received from a considerable distance.
TAWDRYYARD – radio frequency position locator used to locate RAGEMASTER devices implanted in physical locations.
2. Computer monitor surveillance
RAGEMASTER – concealed device implanted into a computer’s video cable that intercepts image signals from a computer’s monitor.
3. Computers
GINSU – uses a hardware implant to restore a software implant that has been removed during an operating system upgrade or reinstall.
IRATEMONK – infiltration of hard drive firmware manufactured by Maxtor, Samsung, Seagate, and Western Digital. It replaces the Master Boot Record.
SWAP – enables remote control of a variety of operating systems including FreeBSD, Linux, Solaris and Windows.
WISTFULTOLL – harvests and returns forensic data from the Windows operating system.
HOWLERMONKEY – hardware implant used to extract data from systems or allow them to be controlled remotely.
JUNIORMINT – hardware chip implant configurable for a number of uses.
MAESTRO-II – multi-chip module approximately the size of a 20p coin with multiple uses.
SOMBERKNAVE – allows a Windows XP system to be controlled remotely using unused wireless interfaces that provide covert Internet connectivity.
TRINITY – configurable multi-chip module, smaller than a penny and implanted for a variety of uses.
4. Keyboards
SURLYSPAWN – hardware implant that enables keystroke monitoring remotely using a radar signal emitter, even if computers are not connected to the Internet.
5. USB
COTTONMOUTH-I – USB hardware implant that intercepts communication as well as having the capability of injecting Trojans.
COTTONMOUTH-II – USB socket implant that enables covert communication with the target system.
COTTONMOUTH-III – stacked Ethernet and USB plug that provides a wireless bridge allowing covert communication.
FIREWALK – hardware implant in the form of an Ethernet and USB connector that enables data extraction as well as injection of exploits through radio frequency communication.
6. Wireless LAN
NIGHTSTAND – mobile system that wirelessly installs Windows exploits from a distance of up to eight miles.
SPARROW II – small computer used to detect and map wireless networks from a drone or other capability.
7. Mobile phones
DROPOUTJEEP – used on first-generation iPhones, enabling remote access and control through SMS or data service, allowing for upload and download of files, activating the phone’s camera and microphone, browsing the address book, diverting text messages, intercepting voicemails and determining the user’s location.
GOPHERSET – GSM software that uses a phone’s SIM card API (SIM Toolkit or STK) to access the contacts list, SMS and logs of incoming and outgoing calls.
MONKEYCALENDAR – transmits a mobile phone’s geolocation using covert SMS texts.
TOTECHASER – Windows CE implant targeting the Thuraya 2520 satellite/GSM phone using hidden SMS texts.
TOTEGHOSTLY – implant that allows full remote control of Windows mobile phones, including upload and download of data, activating the phone’s camera and microphone, browsing the address book, diverting text messages, intercepting voicemails and determining the user’s location.
PICASSO – modified GSM handsets that enable location tracking and audio bugging.
8. Mobile phone networks
CROSSBEAM – GSM communications module that allows for interception of communication and covert remote access.
CANDYGRAM – mobile phone tower simulator that verifies locations through silent SMS.
CYCLONE-HX9 – GSM network simulator that enables eavesdropping on GSM 900 phones, which may have been used to eavesdrop on Chancellor Merkel’s phone.
EBSR – GSM base transceiver station with the ability to attack mobile phones on the GSM 900/1800/1900 frequency range.
ENTOURAGE – hardware receiver for direction finding that can detect the GPS coordinates of mobile phones.
GENESIS – modified mobile phone used to covertly perform network surveys as well as locate other mobile phones.
NEBULA – “network in a box” base station router for 2G and 3G networks.
TYPHON HX – “network in a box” GSM base station simulator capable of tapping into mobile phones.
WATERWITCH – allows the operator to find the geolocation of specific mobile phones.
9. Firewalls
JETPLOW – firmware implant to create a permanent backdoor in Cisco PIX series and ASA firewalls.
HALLUXWATER – backdoor exploit for Huawei Eudemon firewalls, hidden in the boot ROM, enabling covert access to read and write memory, execute an address or execute a packet.
FEEDTROUGH – software implant that exploits Juniper Networks firewalls allowing remote access.
GOURMETTROUGH – configurable persistence implant for certain Juniper Networks firewalls.
SOUFFLETROUGH – BIOS injection software that can compromise Juniper Networks SSG300 and SSG500 series firewalls, installing a persistent backdoor.
10. Routers
HEADWATER – persistent backdoor technology enabling covert remote execution of code within Huawei routers.
SCHOOLMONTANA – implant that modifies the BIOS on Juniper JUNOS-based J-series routers.
SIERRAMONTANA – persistent software implant placed onto JUNOS-based M-series routers.
STUCCOMONTANA – persistent software implant that modifies the BIOS on JUNOS-based T-series routers.
11. Servers
IRONCHEF – exploits a computer’s motherboard BIOS to communicate with hidden hardware implants that provide two-way radio frequency (RF) communication on HP Proliant servers.
DEITYBOUNCE – software implant on Dell PowerEdge servers via the motherboard BIOS and RAID controller(s) that enables code execution while the operating system powers on.
Capabilities:
- Hardware implants across a variety of devices
- Software implants across a variety of devices
Exploitation of:
- Servers:
- Dell PowerEdge
- HP Proliant
- Firewalls:
- Juniper Networks J & M series
- Huawei Eudemon
- Cisco PIX series and ASA
- Routers:
- Huawei
- Juniper J, M and T series
- Operating system:
- Juniper JUNOS
- Windows
- FreeBSD
- Linux
- Solaris
- Hard drives:
- Maxtor
- Samsung
- Seagate
- Western Digital
Data extraction sources:
- Placing implants into physical devices manufactured by US companies
- Computers
- Mobile phones
- Physical locations
Combined with other state surveillance tools:
ANT tools combined with each other
Layers of operation:
- Physical Layer
- Link Layer
- Network Layer
- Transport Layer
- Application Layer
- Social Layer
Background:
The ANT product catalogue has been associated with the monitoring of Chancellor Merkel’s mobile phone [SPI02] as well as broader surveillance of US allies [GUA01], including the GCHQ programme Operation Socialist [SPI04]. Over 100,000 computers across the globe have received implants and use a covert radio frequency channel to exchange data [NYT01].
Company partners:
- Digital Network Technologies (NSA contractor)
Sources:
American Civil Liberties Union, ACLU (ACU)
1) https://www.aclu.org/files/natsec/nsa/20140130/NSA%27s%20Spy%20Catalogue.pdf
Guardian (GUA)
1) http://www.theguardian.com/world/2013/jun/30/nsa-leaks-us-bugging-european-allies
New York Times (NYT)
1) http://www.nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-connected-to-internet.html?_r=0
Spiegel (SPI)
1) http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
2) http://www.spiegel.de/international/world/nsa-secret-toolbox-ant-unit-offers-spy-gadgets-for-every-need-a-941006.html
3) http://www.spiegel.de/international/world/a-941262.html
4) http://www.spiegel.de/international/world/ghcq-targets-engineers-with-fake-linkedin-pages-a-932821.html