Hijacking Malware: The NSA’s New Tactic

It’s no secret that the NSA has been spying on the American populace for years, a fact confirmed when Edward Snowden began releasing classified government files. From phone tapping to elaborate malware deployments built to spy on other countries (and on American citizens), the NSA seems to have no shortage of tricks up its sleeve. But what happens when even the NSA lacks the resources for its next questionable operation? Simple: it leverages existing botnets. Botnets which, by many accounts, are the very thing organizations like the NSA should be protecting us from.

A recent article published by Der Spiegel, containing excerpts from secret documents leaked by former NSA contractor Edward Snowden, details a covert NSA program code-named DEFIANTWARRIOR. The program is designed to hijack botnet computers, which can then be used as “pervasive network analysis vantage points” and “throw-away non-attributable computer network attack nodes.” In other words, it leverages the infrastructure of existing criminal malware botnets. Because the bots are already under the control of an illicit hacking group, any attack launched through them is very hard to attribute to the NSA (or to any other branch of the federal government): a victim investigating the intrusion sees only a compromised machine that was already part of a known criminal botnet.

What’s startling about this program is that it indicates detailed, advance knowledge of these botnets on the part of the NSA, an organization that would rather put illegal malware deployments to its own use than disrupt them and pursue the criminals responsible for the malware campaign.

What technology could be powerful enough to take over botnets that this same government spends millions of dollars per year tracking down, and whose operators it extradites from foreign safe havens? It’s called QUANTUMBOT and, as far as anyone knows, the program is still active today. In addition to hijacking known criminal botnets for its own questionable purposes, the NSA can also use QUANTUMBOT to take over third-party malware implants (such as those deployed by foreign intelligence agencies).

According to the Der Spiegel report, collecting data from other intelligence agencies’ hacking operations is referred to as “fourth party collection.” The DEFIANTWARRIOR program goes even further than that by implementing what the report calls “fifth party collection”: harvesting what one agency has itself already taken from another. One of the leaked documents describes (from an NSA employee’s account) how the NSA infiltrated a South Korean computer network exploitation (CNE) operation designed to spy on North Korea. The article goes on to report that the NSA is also capable of using unsuspecting third-party servers as scapegoats.

In other words, the NSA has used, and still uses, servers that do not belong to the United States as launch points for various campaigns. The traffic appears to originate from the third-party server, so its owner is blamed for the breach, while the NSA quietly collects the resulting data as it passes through the scapegoat server.

While the fact that the NSA uses less-than-honorable techniques to collect data isn’t news, it’s worth pointing out just how far the U.S. government’s reach extends in this digital age. Who knows what ‘project’ we will learn about next and, more importantly, how that project could redefine Internet security as we know it.