QUANTUM THEORY is a programme that capitalises on vulnerabilities within applications and networks using a number of hacking techniques. It includes a variety of sub-programmes such as [ELE01, INT02]:
- QUANTUMBOT – IRC botnet hijacking
- QUANTUMBISQUIT – targets that are behind large proxies
- QUANTUMCOOKIE – forces cookies onto target browsers
- QUANTUMINSERT – HTML web page redirection to spy agency servers known as FOXACID.
- QUANTUMSQUEEL – injection into MySQL databases
- QUANTUMSPIM – instant messaging hijacking
- QUANTUMDNS – domain name server (DNS) injection and redirection
- QUANTUMHAND – exploits the computer of a person who logs into Facebook
- QUANTUMPHANTOM – hijacks an IP address to redirect to a covert infrastructure
- QUANTUMSKY – denies access to a webpage using RST packet spoofing
- QUANTUMCOPPER – file upload/download disruption and corruption
- QUANTUMSMACKDOWN – prevents downloading implants to DoD computers
In the case of QUANTUMINSERT, for example, the programme relies upon the placement of secret servers across key areas of the Internet backbone [SCH01]. This is done so that requests to visit web sites can be intercepted before the legitimate server is contacted, which tricks a web browser into visiting a bogus web site on a government server. It uses a well-known hacking technique called a “man-in-the-middle” attack. However, the government agencies have the added capacity to conduct “man-on-the-side” attacks, which require access to the Internet backbone. Once a web browser is redirected, malware can be inserted directly onto the user’s computer.
- HTTP injection
- DNS injection, allowing bogus certificates, breaking SSL and redirecting traffic to NSA servers
- Packet-injection to block attacks on government servers by terminating a requested connection
- Plug-in to inject into MySQL connections
- Vulnerabilities in network standards
- Vulnerabilities in software, e.g. persistent “push” connections from Facebook, where a user’s browser would leave an idle connection open, waiting for a command from the server [WIR01]
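One defensive check that follows from the man-on-the-side description above, added here as an example and not taken from the cited sources: an injector racing the legitimate server cannot stop the real reply from arriving, so a passive monitor that sees both answers observes two segments in one flow with the same TCP sequence number but different payloads. The Python below applies that heuristic to a small constructed set of segments (addresses, ports and HTTP payloads are made up; ordinary retransmissions, which carry identical payloads, are ignored).

```python
from collections import defaultdict

# Constructed sample capture: (src, sport, dst, dport, seq, payload).
# Records 2 and 3 occupy the same position in the same flow but differ:
# a redirect arrived first, then the legitimate 200 OK for the same bytes.
# Records 5 and 6 are an identical duplicate, i.e. a normal retransmission.
SEGMENTS = [
    ("192.0.2.10", 40001, "198.51.100.7", 80, 1000,
     b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("198.51.100.7", 80, "192.0.2.10", 40001, 5000,
     b"HTTP/1.1 302 Found\r\nLocation: http://injected.example/\r\n\r\n"),
    ("198.51.100.7", 80, "192.0.2.10", 40001, 5000,
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    ("198.51.100.7", 80, "192.0.2.10", 40001, 5060, b"...rest of body..."),
    ("198.51.100.7", 80, "192.0.2.10", 40002, 7000, b"HTTP/1.1 200 OK\r\n\r\n"),
    ("198.51.100.7", 80, "192.0.2.10", 40002, 7000, b"HTTP/1.1 200 OK\r\n\r\n"),
]


def find_conflicting_segments(segments):
    """Return (flow, seq, payloads) for every flow position that carried two
    or more distinct payloads. Identical duplicates are plain retransmits."""
    seen = defaultdict(set)
    for src, sport, dst, dport, seq, payload in segments:
        seen[(src, sport, dst, dport, seq)].add(payload)
    return [(key[:4], key[4], sorted(payloads))
            for key, payloads in seen.items() if len(payloads) > 1]


def is_http_redirect(payload):
    """True if the segment starts an HTTP response with a 3xx status line."""
    status_line = payload.split(b"\r\n", 1)[0]
    return status_line.startswith(b"HTTP/1.") and b" 30" in status_line


def alerts(segments):
    """Classify each conflict: a 3xx racing another reply is the pattern a
    redirect-based injection leaves behind; anything else is a generic conflict."""
    out = []
    for flow, seq, payloads in find_conflicting_segments(segments):
        kind = ("redirect race" if any(is_http_redirect(p) for p in payloads)
                else "payload conflict")
        out.append((flow, seq, kind))
    return out


if __name__ == "__main__":
    for flow, seq, kind in alerts(SEGMENTS):
        print(f"{kind}: {flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]} seq={seq}")
```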
Data extraction sources:
- IRC and other botnets
- Web services (e.g. Yahoo, Facebook, Gmail, LinkedIn)
- Peer-to-peer networks (e.g. TOR)
Combined with other state surveillance tools:
TURBINE – Internet traffic sifting that shifts data to a variety of databases.
FOXACID – Spy agency web servers used to redirect Internet traffic (e.g. TOR users) [GUA01].
XKEYSCORE – search engine for access to content, metadata and real-time tracking and monitoring of website traffic and user activities.
MUSCULAR – intercepts data going into and out of Google and Yahoo services.
MARINA – metadata repository for Internet traffic.
Layers of operation:
QUANTUM made headlines when it was uncovered that GCHQ was behind the Belgacom cyber attack conducted under the codename “Operation Socialist” [SPI01]. The company provides telecommunications access to the European Commission, the European Council and the European Parliament. GCHQ used QUANTUMINSERT to target Belgacom employees, redirecting them to websites that would implant malware onto their computers which could then be used to manipulate those machines. The technique was also used by GCHQ to compromise users of LinkedIn [SPI02].
Spy agencies maintain a library of exploits, each based on a different vulnerability in a system [GUA01].