TAO ANT Catalogue

National Security Agency (Tailored Access Operations / Advanced Network Technology)

The 2008-vintage product catalogue of hardware, firmware, and software implants developed by the NSA's Advanced Network Technology (ANT) division within the Tailored Access Operations directorate, leaked in December 2013 and published by *Der Spiegel*. It documents approximately fifty implant products covering BIOS persistence, USB-cable beaconing, motherboard-level access, RF-emanation hardware, and adjacent technical-implant categories, and it is the principal documentary basis for the public-record reconstruction of NSA hardware-implant capability.

Overview

The TAO ANT Catalogue is the most thoroughly documented public-record artifact of NSA hardware-implant capability. Its leak in December 2013, approximately six months after the broader Snowden-disclosure cycle began, made possible the public-record reconstruction of what the NSA hardware-implant programme actually contained. Each product entry gives the implant's unit cost, operational characteristics, target platform, deployment methodology, and point of contact within the ANT division. The scale of the documented programme, approximately fifty implant products covering nearly every major commercial network-equipment manufacturer (Dell, HP, Cisco, Juniper, Huawei) and nearly every major commercial computing platform (Windows servers, network firewalls, routers, USB peripherals, mobile telephones), makes it the most significant single revelation about NSA technical capability in the post-Snowden record.

The NSA's position on the catalogue's authenticity has been the familiar pattern of neither confirming nor denying. NSA Director Keith Alexander, Director of National Intelligence James Clapper, and successive NSA leadership have neither acknowledged nor denied the catalogue's authenticity. The settled subsequent assessment, drawing on the published Snowden-document corpus, on the academic and policy literature, and on the operational pattern documented in later disclosures, is that the catalogue is genuine and that the documented implants existed in the operational inventory at the 2008 publication date.

Origins / Development

The Tailored Access Operations (TAO) directorate was established within the NSA's Signals Intelligence Directorate in approximately 1997, largely in response to the recognition that the post-1990s expansion of internet-based communications had shifted the SIGINT operational terrain from the historical telephony-and-radio framework toward a network-and-computing framework into which conventional NSA collection methodology had limited reach. The response was the build-up of TAO across the late 1990s and 2000s as the NSA's principal computer-network-exploitation (CNE) capability: the ability to compromise foreign-network endpoints to extract data that conventional cable and wireless collection could not access.

The Advanced Network Technology (ANT) division within TAO was the unit responsible for the hardware-and-firmware-implant component of the CNE capability. It was distinct from the software-implant division (which produced the operational malware payloads: the FOXACID exploitation server, the QUANTUM packet-injection capability, and the broader software-CNE programme) and from the operational-deployment division (the field operators who conducted the implant installations). ANT's focus was the engineering work: the design, prototyping, manufacture, and operational characterisation of the implant hardware itself.

The catalogue grew out of ANT's customer-service relationship with the operational TAO operators. ANT operated as an internal NSA supplier: TAO operators across the field-office network requested specific implants for specific operational needs, and ANT supplied them from its product inventory or developed new implants for novel target platforms. The catalogue was the product menu, the reference document TAO operators consulted to identify which implants were available for which target platforms. The 2008 dating of the leaked version suggests that the document was a periodically updated publication rather than a one-off; subsequent reporting has suggested that updated versions across the post-2008 period expanded the product set without changing the underlying pattern.

The TAO field-office network across the post-1997 period included the principal TAO operations centre at NSA Maryland (Fort Meade); the TAO field office at the NSA Texas Cryptologic Center on the Medina Annex of Lackland Air Force Base in San Antonio (documented in the post-2013 published record as the principal TAO forward-deployment site for the Latin American, Caribbean, and parts of the Middle East and North African operational areas); the TAO field offices at NSA Hawaii (Kunia, subsequently Wahiawa) and NSA Georgia (Fort Gordon); and a substantial TAO presence at the NSA Pacific Technical Center at Yokota Air Base, Japan. The San Antonio field office handled the operational deployment of ANT implants across the Latin American area, with a documented pattern of supply-chain interdiction operations conducted in cooperation with US Customs and Border Protection at the Texas-Mexico border.

Operational characteristics

The ANT catalogue's product set divides into operational-functional categories. The published product entries give, for each implant, the operational characteristics summarised below.

BIOS / firmware persistence implants

The principal product category in the catalogue, accounting for approximately one-third of the documented entries. These implants modify the firmware of the target platform (the BIOS / UEFI of servers and PCs, the firmware of network appliances, the bootloader of mobile devices) to establish ongoing access that survives operating-system reinstallation. The principal documented products include DEITYBOUNCE (Dell PowerEdge BIOS implant); IRONCHEF (HP ProLiant BIOS implant); JETPLOW (Cisco PIX/ASA firewall firmware implant); FEEDTROUGH (the supporting persistence framework that facilitated firmware-implant installation across multiple platforms); HALLUXWATER (Huawei Eudemon firewall firmware implant); SOUFFLETROUGH (Juniper firewall firmware implant); and a broader set of platform-specific firmware-implant products. The unit cost of these implants ranged from approximately $0 (where development costs were amortised across operational use) to approximately $300,000 per operational deployment (for the most operationally complex programmes).

USB-cable and peripheral implants

The COTTONMOUTH product family comprised three documented variants. COTTONMOUTH-I was a USB Type-A male connector with embedded radio-frequency communication and key-injection capability; the implant resembled an ordinary USB cable head but contained a complete computing-and-radio platform within the connector. COTTONMOUTH-II was a USB Type-A female connector implant intended for installation within the target host. COTTONMOUTH-III was a chained variant that combined COTTONMOUTH-I with the FIREWALK Ethernet implant for combined USB-and-Ethernet reach. The unit cost of COTTONMOUTH-I was documented as $20,300 per fifty units in 2008.

Active-network-tap implants

FIREWALK was the documented Ethernet-jack implant: a hardware module installed within an Ethernet wall jack that duplicated the network traffic flowing through the jack and forwarded the copy via covert RF emission to a nearby NSA collection point. Its unit cost was documented as $10,740 per fifty units. NIGHTWATCH was a related visual-surveillance product that captured the screen content of CRT and LCD monitors via emanation collection and reconstructed the screen image for operational use.

RF-retroreflector implants

The catalogue documented a family of passive radio-frequency retroreflector implants: hardware that contained no radio transmitter of its own but re-radiated continuous-wave illumination from a nearby NSA-operated radar transmitter (typically the SUTER / SCREEN MASTER systems, with an operational range of approximately 5–8 nautical miles). The principal documented products included LOUDAUTO (room-audio retroreflector); NIGHTSTAND (screen-content retroreflector); SURLYSPAWN (keyboard-keystroke retroreflector); and TAWDRYYARD (low-power beacon retroreflector for locating adjacent implants).

Mobile-platform implants

The catalogue documented mobile-platform implants for the principal pre-2008 mobile platforms. DROPOUTJEEP was the documented iPhone 3G implant, described in the catalogue as having an approximately 100% success rate on operational deployment, with the capability to extract SMS, contact list, voicemail, geolocation, hot-microphone audio, and camera capture. GOPHERSET was the documented GSM SIM-card implant. MONKEYCALENDAR was the related GSM-network mobile-calendar exfiltration implant. The mobile-implant inventory expanded considerably across the post-2008 period; the later additions have been the subject of subsequent disclosures rather than of the original 2008 catalogue.

Network-equipment supply-chain interdiction

The network-equipment implant products (JETPLOW, HALLUXWATER, SOUFFLETROUGH, etc.) were deployed principally through supply-chain interdiction. The documented operational pattern was: NSA collection identified a target organisation that had ordered network equipment from a major manufacturer; the implant required for the target platform was identified; the shipment was intercepted at a transit point (typically a US Customs facility, a freight-forwarder hub, or an international airport cargo facility) under coordination between TAO operators and US Customs personnel; the equipment was unboxed at a TAO load-station facility; the appropriate ANT implant was installed; the equipment was reboxed and resealed to factory specification; and it was forwarded to the original recipient with the implant operational. This pattern is most extensively reported in Der Spiegel's 30 December 2013 article Documents Reveal Top NSA Hacking Unit, which documented the load-station methodology with photographs and operational detail.

Documented deployments

Documented deployments of ANT-catalogue implants in the post-2013 published record include:

Confirmed Petrobras and adjacent Latin American targets (2010–13). The Snowden-document corpus documented NSA TAO targeting of the Brazilian state oil company Petrobras and adjacent Latin American institutional targets across the 2010–13 period. The documented implants on these networks included JETPLOW-class network-firewall implants and adjacent-platform implants. The disclosure produced a substantial Brazilian-government response across 2013–14, including the public-policy realignment of Brazilian telecommunications-infrastructure policy.

Confirmed Huawei and Chinese-target deployments. The NSA TAO programme codenamed SHOTGIANT, documented in the 22 March 2014 New York Times and Der Spiegel joint disclosure, was directed at Huawei Technologies and at Huawei-equipped Chinese-network targets. The documented implants on these targets included HALLUXWATER firmware implants on Huawei Eudemon firewalls and adjacent Huawei-platform implants.

Confirmed EU institutional and Belgian government targets. The NSA-TAO and GCHQ-MyNOC targeting of the Belgian state telecommunications carrier Belgacom across the 2010–13 period, the operation codenamed OPERATION SOCIALIST and documented in the November 2013 and December 2014 Der Spiegel and The Intercept disclosures, used JETPLOW-class network-equipment implants and the broader CNE methodology the ANT catalogue documented.

Alleged Mexican presidential office targets (2010s). The August 2013 Der Spiegel disclosure of NSA SIGINT product on Mexican President Enrique Peña Nieto's communications has been attributed in subsequent reporting to TAO ANT-class implant deployment on Mexican executive-branch network infrastructure. The Mexican government's position has been that the deployment was confirmed; the US government's position has been the familiar pattern of neither confirming nor denying.

The legal framework within which ANT-catalogue implants were deployed is the post-1981 Executive Order 12333 framework, the US executive-branch foundational instrument for foreign-intelligence collection, under which TAO operations against non-US-person targets located outside the United States are conducted. The 1978 Foreign Intelligence Surveillance Act framework applies only to operations against US persons or against persons within the United States; ANT-class operations against foreign targets located abroad fall outside FISA's reach.

The subsequent oversight question, whether the deployment of ANT-catalogue implants has been constrained by US constitutional considerations or by international law, has been the subject of sustained academic and policy commentary. The position the US government's record articulates is that the deployment is legitimate under EO 12333 authority and is conducted within the EO's constraints. The alternative position, articulated by civil-liberties advocates, by foreign governments whose infrastructure has been targeted, and by much of the academic literature, is that the deployment has exceeded the limits that the broader domestic and international legal framework imposes.

The post-2013 reform record on TAO ANT operations has been limited. The 2014 USA Freedom Act's reforms focused on Section 215 bulk-telephony-metadata collection rather than on TAO ANT-class targeting. Subsequent reform of TAO operational practice has been internal NSA adjustment rather than external statutory reform.

Sources & Further Reading

  1. Jacob Appelbaum, Judith Horchert, and Christian Stöcker, Catalog Reveals NSA Has Back Doors for Numerous Devices, Der Spiegel, 29 December 2013 — the principal English-language coverage of the catalogue.
  2. Der Spiegel TAO catalogue page set — the documentary publication of the catalogue's product entries, available through Der Spiegel's Snowden archive.
  3. Jacob Appelbaum's 30 December 2013 keynote presentation at the 30th Chaos Communication Congress, Hamburg, To Protect and Infect: The Militarization of the Internet — the definitive presentation of the catalogue's content.
  4. David E. Sanger and Nicole Perlroth, N.S.A. Breached Chinese Servers Seen as Spy Peril, The New York Times, 22 March 2014 — the SHOTGIANT / Huawei disclosure.
  5. Glenn Greenwald, No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State, Metropolitan Books, 2014 — chapters on TAO operations and the supply-chain-interdiction methodology.
  6. Matthew M. Aid, The Secret Sentry: The Untold History of the National Security Agency, Bloomsbury Press, 2009 — the principal pre-Snowden book-length NSA history, with extensive coverage of TAO's operational evolution.
  7. Ryan Gallagher, Operation Socialist: The Inside Story of How British Spies Hacked Belgium's Largest Telco, The Intercept, 13 December 2014.
  8. National Security Archive Snowden Documents Collection, George Washington University.
  9. Bruce Schneier, Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World, W. W. Norton, 2015 — subsequent academic and policy analysis of the TAO operational pattern.
  10. Privacy and Civil Liberties Oversight Board, Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act, 2 July 2014 — the post-2013 institutional review of the Section 702 framework adjacent to but distinct from EO 12333 TAO operations.