Hijacking Malware: The NSA’s New Tactic

It’s no secret that the NSA has been spying on the American populace for years – facts that were proven when Edward Snowden began sharing secret government files proving as much. From phone tapping to elaborate malware deployments created to spy on other countries (and American citizens), the NSA seems to have no shortage of tricks up its sleeve. But what happens when even the NSA doesn’t have the resources available to commit its next great act of treason? Simple: it leverages the power of existing botnets – botnets which, by many accounts, are the very thing organizations like the NSA should be protecting us from.

A recent article published by Der Spiegel, containing excerpts from secret documents leaked by former NSA contractor Edward Snowden, detailed a covert NSA program code-named DEFIANTWARRIOR. This program is designed to hijack botnet computers, which can then be used as “pervasive network analysis vantage points” and “throw-away non-attributable computer network attack nodes.” In other words, the program was designed to leverage the power of existing malware botnets. Since the NSA is actually controlling the botnet of an illicit hacking group, any attacks committed with these botnets are impossible to trace back to the NSA (or any other sector of the federal government).

What’s startling about this program is that it indicates advanced knowledge of these botnets by the NSA – an organization which would rather use illegal malware deployments to its advantage than intercept and stop the criminals responsible for creating the malware campaign.

What technology could be powerful enough to take over botnets that this same government often spends millions of dollars per year tracking down and extraditing from foreign safe havens? It’s called Quantumbot and, as far as anyone knows, this program is still active today. In addition to hijacking known criminal botnets for its own questionable purposes, the NSA can also use Quantumbot to intercept third-party malware programs (such as those deployed by foreign intelligence agencies).


According to the report recently printed by Der Spiegel, this tactic was referred to as “fourth party collection.” But the DEFIANTWARRIOR program goes even further than that by implementing what the report calls “fifth party collection.” One of the leaked secret documents describes (from an NSA employee’s account) how the NSA infiltrated a South Korean computer network exploitation (CNE) operation designed to spy on North Korea. The article went on to report that the NSA is also capable of using unsuspecting third-party servers as scapegoats.

In other words, the NSA is using (and has used) servers not belonging to the United States as a way to launch various campaigns while the server owner is blamed for the breach, because the NSA simply intercepts the data while it is being transmitted to the targeted scapegoat server.

While the fact that the NSA uses less-than-honorable techniques to collect data isn’t news, it’s worth pointing out just how far the U.S. government’s reach has extended in this digital age. Who knows what ‘project’ we will learn about next and, more importantly, how that project could redefine Internet security as we know it.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience working in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
