| Abbreviation | TAO |
|---|---|
| Formation | c. 1997–2001[1] |
| Headquarters | Fort Meade |
| Region served | United States |
| Official language | English |
| Parent organization | S3 Data Acquisition |
The Office of Tailored Access Operations (TAO), also known as Equation Group (Kaspersky's name for it)[1] or APT-C-40 (China's),[2] and designated S32 within the NSA's organization,[3] is an elite cyberwarfare intelligence-gathering unit of the National Security Agency (NSA).[4][5][6][7]
TAO identifies, monitors, infiltrates, and gathers intelligence on computer systems being used domestically and by entities foreign to the United States.[8][9][10][11]
History
Red Team
The Red Team was created in 1997 to carry out Operation Eligible Receiver, an exercise designed to show how much damage a group of skilled hackers could do. During the operation the team overran the cybersecurity of the Department of Defense; it was stopped after four days over concerns that it would stall the functioning of the American military. After this mission, four people, Michael V. Hayden, Bill Marshall, Bill Black and Ken Minihan, sought to make the group a permanent section within the NSA, having seen the value it would bring to the agency. They put together a team with members from different NSA branches; after 9/11 came a new influx of budget centered on intelligence and countermeasures.[5][12][13]
By May 11, 2008, TAO had 60 official members at NSA Texas, 30 civilians and 30 military (10 USAF, 8 USA, 10 USN, 2 USC), plus an admittedly unknown number of external military personnel and only one contractor, assigned to TAO-ANT. The agency planned to grow to 270 agents by the end of Fiscal Year 2015.[14]
Before 2013 the existence of this office was a rumour; nobody outside truly knew what it was.[15] By that year there were already 1,000 hackers, not necessarily NSA employees: the increase in operations required personnel growth, so the agency hired cybersecurity contractors with previous experience in the intelligence field, looking for people with an obsessive attention to detail.[5][16]
Snowden leak

Edward Snowden received an offer to join TAO but declined it,[17] instead working for the intelligence consulting firm Booz Allen Hamilton, which was contracted by the NSA.
After seeing the level of surveillance carried out by the NSA, he decided to leak several files to The Guardian and The Washington Post on June 9, 2013, placing TAO's global surveillance operations in the eye of the storm.[18]
A document leaked by Snowden describes the unit's work in the following way: "The TAO has software templates allowing it to break into commonly used hardware, including 'routers, switches, and firewalls from multiple product vendor lines'."[19]
The information now available about its targets and methods was so abundant that several security companies sought to catch TAO red-handed and expose it. Only one succeeded: Kaspersky, with its 2015 report "Equation Group: Questions And Answers", in which it named TAO the Equation Group because of its proclivity for complex algorithms to avoid detection. These were so elaborate that it was more than obvious that a highly skilled, trained and select group of people with enough time and resources was behind these sophisticated attacks.[20][1]
The Shadow Brokers
On August 13, 2016, a user with the handle @shadowbrokerss on Pastebin, and similar usernames on Tumblr, GitHub and Twitter, posted an auction of "Equation Group's cyberweapons" (that is, TAO's).[21] To prove their validity, the same post provided two password-protected ZIP files, with only one of the passwords given. Inside that first file were the tools JETPLOW, EPICBANANA and EXTRABANANA, which were confirmed as legitimate exploits for industrial-grade Cisco firewalls. The password of the second file was not published, since its contents were the centre of the auction and were described as "better than Stuxnet". The public auction had a goal of 1,000,000 bitcoin at the listed bitcoin address; once it was reached, the contents of the file would be made accessible to the general public.
On October 31, 2016, another dump was published, this time on Medium, under the title "Trick or Treat",[22] leaking the addresses of servers that were victims of TAO and the proxies used to reach them.[23] The 352 servers spanned 49 targeted countries, with China, Japan and Korea the top three; 32 of the addresses belonged to educational institutions in China and Taiwan.[24]

Since the exploits were not purchased wholesale in their entirety, even after the price was lowered to 10,000 bitcoin, the Shadow Brokers posted from a ZeroNet account on the darknet, selling the exploits separately at prices ranging from 10 to 100 bitcoin each. Exploits such as DANDERSPRITZ and FUZZBUNCH were listed as products, as well as other tools that had only been referenced in the files published by Snowden.[25][26] These posts caused a wave of massive patches by the companies whose products were targeted.
On April 8, 2017, in another Medium publication titled "Don't Forget Your Base",[27] they ranted about Trump's presidency, feeling betrayed by the gap between his discourse and his practice; inside the post was the key to the second ZIP file from their first post. It contained tools to exploit practically every operating system, from the best known ones like Windows to those used only industrially and militarily, like Unix-based systems, all free and public.[28] A week later, on April 14, another dump was published on Steemit, named "Lost In Translation",[29] containing tools specifically tailored to exploit Windows and SWIFT, as well as internal NSA evidence of the tools being used within the agency, with the uncensored names of the authors of these operations. Among the exploits was ETERNALBLUE, which was in essence a master key to any up-to-date Windows computer, without being signalled in any way, and the compromised machine could then be remotely controlled through DOUBLEPULSAR. This leak enabled the WannaCry and NotPetya ransomware attacks.

During that month, following the lack of media coverage, the group started replying to the Twitter accounts of TAO employees, e.g. Jake Williams, a cybersecurity researcher who at the time was a classified member of TAO,[16] and also threatened to dox the members.[12][30]
In October they released their final statements, rants towards the United States and its discourse, after which they disappeared.[30][12]
Most of the clues and threads that tie the story to TAO remain unavailable to the general public. There are identifiers that point to possible workers inside Kaspersky, which already had knowledge and possession of these tools after detecting the signatures of TAO's tools through its antivirus;[31][32] these were allegedly deleted on the director's orders.[33] The Shadow Brokers' dumps also coincided with negative news cycles by western media targeting Russia and with bad states of affairs with the US. It is clear that they were not doing it for the money: there is an entire market for zero-day exploits where they could have sold them anonymously and earned far more than 10 bitcoin; instead they chased the media spotlight and tried to keep it on them through political and media rants. It is also speculated that it was an inside job by TAO. In both theories, the broken English of the statements is seen as performative, meant to signal Russian agency.[12]
This leak set the unit back years of work and tools.[30][16] How the office has operated since the disruption is unknown, but in 2020 the NSA informed Microsoft of a bug in certificate validation that could potentially allow someone to spoof legitimate software and surveil or control the target's device.[34] This could perfectly well have been used by TAO, so whether this disclosure was meant to protect its own means or signals a shift of objectives will remain unclear until another data dump sheds light on the agency once again.
The office is currently known as the Office of Computer Network Operations (OCNO).[6]
Organization
TAO is reportedly "the largest and arguably the most important component of the NSA's huge Signals Intelligence Directorate (SID)",[35] consisting of more than 1,000 military and civilian computer hackers, intelligence analysts, targeting specialists, computer hardware and software designers, and electrical engineers.
TAO's headquarters are termed the Remote Operations Center (ROC) and are based at the NSA headquarters at Fort Meade, Maryland. TAO has expanded to NSA Hawaii (Wahiawa, Oahu), NSA Georgia (Fort Gordon, Georgia), NSA Texas (Joint Base San Antonio, Texas), and NSA Colorado (Buckley Space Force Base, Denver).[6]
The structure is approximately as follows:[36]
- S321 – Remote Operations Center (ROC): Six hundred employees gather information from around the world.[37][38]
  - S321? – Network Operations Center (NOC)
  - S321? – Operational Readiness Division (ORD)
  - S321? – Interactive Operations Division (IOD)
  - S321? – Production Operations Division (POD)
  - S321? – Access Operations Division (AOD)
- S322 – Advanced Network Technology (ANT)
  - S3221 – (persistence software)
  - S3222 – (software implants)
    - S32221 – ?
    - S32222 – (routers, servers, etc.)
  - S3223 – (hardware implants)
  - S3224 – ?
    - S32241 – ?
    - S32242 – (GSM cellular communications)
    - S32243 – (retroreflective radar)
- S323 – Data Network Technologies Branch (DNT): Develops automated spyware
  - S3231 – Access Division (ACD)
    - S32313 – Application Vulnerabilities Branch
  - S3232 – Cyber Networks Technology Division (CNT)
  - S3234 – Computer Technology Division (CTD)
  - S3235 – Network Technology Division (NTD)
    - S32354 – STDP (FASHIONCLEFT)
- S324 – Telecommunications Network Technologies Branch (TNT): Improves network and computer hacking methods[39]
- S325 – Mission Infrastructure Technologies Branch (MIT): Operates the software provided above[40]
- S326 – Access Operations
  - S3261 – Access and Target Development
- S237 – Requirements & Targeting (TNT)
- S328 – Access Technologies Operations Branch (ATO): Reportedly includes personnel seconded by the CIA and the FBI, who perform what are described as "off-net operations", which means they arrange for CIA agents to surreptitiously plant eavesdropping devices on computers and telecommunications systems overseas so that TAO's hackers may remotely access them from Fort Meade.[41] Specially equipped submarines, currently the USS Jimmy Carter,[42] are used to wiretap fibre optic cables around the globe.
  - S3283 – Expeditionary Access Operations (EAO)
  - S3285 – Persistence POLITERAIN team
- S32P – TAO Program Planning Integration
- S32? – Network Warfare Team (NWT)
- S32X – ?
Virtual locations
Details[43] on a program titled QUANTUMSQUIRREL indicate NSA ability to masquerade as any routable IPv4 or IPv6 host.[44] This enables an NSA computer to generate false geographical location and personal identification credentials when accessing the Internet utilizing QUANTUMSQUIRREL.[45]

Leadership
From 2013 to 2017,[46] the head of TAO was Rob Joyce, a longtime employee who had previously worked in the NSA's Information Assurance Directorate (IAD). In January 2016, Joyce made a rare public appearance, giving a presentation at the USENIX Enigma conference.[47] In 2019 Anne Neuberger's leadership started.[48] In 2021 Rob Joyce returned to the position, only to retire in 2024.[49] Since 2026 David Imbordino has been in charge of the office.[50] This information is not certain, however, since it is one of the most classified groups in the world. It is assumed that the leader is the head of the NSA's Cybersecurity Directorate, since that is the title Rob Joyce held when he stated it.[47]
NSA ANT catalog
The NSA ANT catalog is a fifty-page classified document listing technology available to the United States National Security Agency (NSA) Tailored Access Operations (TAO) by the Advanced Network Technology (ANT) Division to aid in cyber surveillance. Most devices are described as already operational and available to US nationals and members of the Five Eyes alliance. According to Der Spiegel, which released the catalog to the public on December 30, 2013, "The list reads like a mail-order catalog, one from which other NSA employees can order technologies from the ANT division for tapping their targets' data." The document was created in 2008.[51] Security researcher Jacob Appelbaum gave a speech at the Chaos Communications Congress in Hamburg, Germany, in which he detailed techniques that the simultaneously published Der Spiegel article he coauthored disclosed from the catalog.[51]
QUANTUM attacks

The TAO has developed an attack suite they call QUANTUM. It relies on a compromised router that duplicates internet traffic, typically HTTP requests, so that they go both to the intended target and to an NSA site (indirectly). The NSA site runs FOXACID software, which sends back exploits that load in the background in the target web browser before the intended destination has had a chance to respond, although it is unclear whether the compromised router facilitates this race on the return trip. Prior to the development of this technology, FOXACID software made spear-phishing attacks the NSA referred to as spam. If the browser is exploitable, further permanent "implants" (rootkits, etc.) are deployed in the target computer; e.g., OLYMPUSFIRE for Windows, which gives complete remote access to the infected machine.[52] This type of attack is part of the man-in-the-middle attack family, though more specifically it is called man-on-the-side attack. It is difficult to execute without controlling some of the Internet backbone.[53]
There are numerous services that FOXACID can exploit this way. The names of some FOXACID modules are given below:[54]
- alibabaForumUser
- doubleclickID
- rocketmail
- hi5
- HotmailID
- mailruid
- msnMailToken64
- Tencent QQ
- Yahoo
- Gmail
- YouTube

By collaboration with the British Government Communications Headquarters (GCHQ) (MUSCULAR), Google services could be attacked too, including Gmail.[54]

Finding machines that are exploitable and worth attacking is done using analytic databases such as XKeyscore.[55] A specific method of finding vulnerable machines is interception of Windows Error Reporting traffic, which is logged into XKeyscore.[56]
QUANTUM attacks launched from NSA sites can be too slow for some combinations of targets and services as they essentially try to exploit a race condition, i.e. the NSA server is trying to beat the legitimate server with its response.[57] As of mid-2011, the NSA was prototyping a capability codenamed QFIRE, which involved embedding their exploit-dispensing servers in virtual machines (running on VMware ESX) hosted closer to the target, in the so-called Special Collection Sites (SCS) network worldwide. The goal of QFIRE was to lower the latency of the spoofed response, thus increasing the probability of success.[58]
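The race described above leaves a trace a defender can look for: the client receives two server-to-client segments for the same sequence number, one from the legitimate server and one from the exploit server, with different payloads and usually a different IP TTL because they travelled different paths. The following is an added example (not code from the article or from any agency or vendor it mentions) that scans a list of captured segments for such conflicts while ignoring ordinary retransmissions; the addresses and packets are constructed for illustration.

```python
"""Post-hoc detection of a QUANTUM-style man-on-the-side race.

Given server->client TCP segments in capture order, report every (flow, seq)
where a later segment contradicts the bytes that already arrived at that
sequence number. Ordinary retransmissions carry the same bytes (possibly
re-segmented) and are ignored. Added example; all sample data is constructed.
"""
from collections import namedtuple

# One server->client segment as a passive sensor would record it (constructed layout).
Segment = namedtuple("Segment", "src sport dst dport seq ttl payload")


def _is_retransmission(a: bytes, b: bytes) -> bool:
    """Same sequence number is benign when one payload is a prefix of the other:
    identical bytes, just cut at a different segment boundary."""
    shorter, longer = sorted((a, b), key=len)
    return longer.startswith(shorter)


def find_injection_candidates(segments, ttl_delta: int = 4):
    """Return one alert per (flow, seq) whose later segment carries different
    data than the first one seen. The first segment is the race winner, i.e. what
    the client's TCP stack accepted; a TTL gap of ttl_delta or more strengthens
    the suspicion that the two segments did not come from the same host."""
    first_seen = {}
    alerts = []
    for seg in segments:
        key = (seg.src, seg.sport, seg.dst, seg.dport, seg.seq)
        prior = first_seen.get(key)
        if prior is None:
            first_seen[key] = seg
            continue
        if _is_retransmission(prior.payload, seg.payload):
            continue
        alerts.append({
            "flow": f"{seg.src}:{seg.sport}->{seg.dst}:{seg.dport}",
            "seq": seg.seq,
            "winner_payload": prior.payload[:40],
            "loser_payload": seg.payload[:40],
            "ttl_differs": abs(prior.ttl - seg.ttl) >= ttl_delta,
        })
    return alerts


# Constructed sample (documentation address ranges): client 192.0.2.10 fetched a
# page from web server 203.0.113.5. A redirect arrived first at seq 1 with TTL 57;
# the server's real 200 OK arrived second at the same seq with TTL 49.
# The second flow is a benign TLS retransmission of identical bytes.
SAMPLE_SEGMENTS = [
    Segment("203.0.113.5", 80, "192.0.2.10", 51234, 1, 57,
            b"HTTP/1.1 302 Found\r\nLocation: http://redirect.example/\r\n\r\n"),
    Segment("203.0.113.5", 80, "192.0.2.10", 51234, 1, 49,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    Segment("203.0.113.9", 443, "192.0.2.10", 51240, 500, 50,
            b"\x16\x03\x03\x00\x2a"),
    Segment("203.0.113.9", 443, "192.0.2.10", 51240, 500, 50,
            b"\x16\x03\x03\x00\x2a\x02"),
]

if __name__ == "__main__":
    for alert in find_injection_candidates(SAMPLE_SEGMENTS):
        print(alert)
```

On the sample this yields a single alert for the HTTP flow, flagging the redirect as the race winner with a differing TTL, and nothing for the retransmitted TLS record.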
COMMENDEER [sic] is used to commandeer (i.e. compromise) untargeted computer systems. The software is used as a part of QUANTUMNATION, which also includes the software vulnerability scanner VALIDATOR. The tool was first described at the 2014 Chaos Communication Congress by Jacob Appelbaum, who characterized it as tyrannical.[59][60][61]
QUANTUMCOOKIE is a more complex form of attack which can be used against Tor users.[62]
Methods, collaborations and targets
Since its inception it has been clear that TAO is not a blunt cyberattack or cyberdefence unit; it focuses on finding and storing exploits that can be used in a calculated way to generate internal problems for its targets or to collect intelligence on them, rather than attacking bluntly.[12]
Its method relies on finding the best and most efficient way to break into a network, securing its foothold, escalating privileges within the systems and mapping out every piece of the target's environment. Once this is considered done, the operators infiltrate completely to learn the target's routines and files until all the necessary intelligence is gathered and another target is selected. The objectives are mainly nation-states or related entities, so that the information collected can be used by policy makers and to manage intelligence objectives.[12][1][16]
They primarily use RC5 encryption in their malware, as well as RC6, RC4 or AES in some others, apart from hashes and other cryptographic functions.[1]
Confirmed targets of the Tailored Access Operations unit include national and international entities such as China,[6] Northwestern Polytechnical University,[63] OPEC,[64] Mexico's Secretariat of Public Security and president, Brazil, Iran, the entire internet, Syria, Afghanistan, Russia, Pakistan, India, Korea, Japan and Mali, among many others.[56][24] It is hard to know the entirety of its victims, as well as their level of infiltration and the real number of adversaries, since it is one of, if not the, most sophisticated cyberexploitation groups currently active, and several of its malware families include a self-destruct protocol.[20]
The group has also targeted global communication networks via SEA-ME-WE 4 – an optical fibre submarine communications cable system that carries telecommunications between Singapore, Malaysia, Thailand, Bangladesh, India, Sri Lanka, Pakistan, United Arab Emirates, Saudi Arabia, Sudan, Egypt, Italy, Tunisia, Algeria and France.[60] Additionally, Försvarets radioanstalt (FRA) in Sweden gives access to fiber optic links for QUANTUM cooperation.[65][66]
TAO's QUANTUM INSERT technology was passed to UK services, particularly GCHQ's MyNOC, which used it to target Belgacom and GPRS roaming exchange (GRX) providers such as Comfone, Syniverse and Starhome.[56] Belgacom, which provides services to the European Commission, the European Parliament and the European Council, discovered the attack.[67]
In concert with the CIA and FBI, TAO intercepts laptops purchased online, diverts them to secret warehouses where spyware and hardware are installed, and sends them on to customers.[68] TAO has also targeted Tor and Firefox.[53]
According to a 2013 article in Foreign Policy, TAO has become "increasingly accomplished at its mission, thanks in part to the high-level cooperation it secretly receives from the 'big three' American telecom companies (AT&T, Verizon and Sprint), most of the large US-based Internet service providers, and many of the top computer security software manufacturers and consulting companies."[69] A 2012 TAO budget document claims that these companies, on TAO's behest, "insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communications devices used by targets".[69] A number of US companies, including Cisco and Dell, have subsequently made public statements denying that they insert such back doors into their products.[70] Microsoft provides advance warning to the NSA of vulnerabilities it knows about, before fixes or information about these vulnerabilities is available to the public; this enables TAO to execute so-called zero-day attacks.[71] A Microsoft official who declined to be identified in the press confirmed that this is indeed the case, but said that Microsoft cannot be held responsible for how the NSA uses this advance information.[72]
Stuxnet
Stuxnet is a computer worm discovered on June 17, 2010. Its targets were SCADA systems, and it is responsible for damaging Iran's nuclear programme after being installed on a computer in the Natanz nuclear facility in 2009. It was made in collaboration between the United States' TAO and Israel's NCSA in Operation Olympic Games.[73]

TREASUREMAP
"Bad guys are everywhere, good guys are somewhere" was the slogan of the operation that sought to map out the entire internet. Its objective was to have the "capability for building a near real-time, interactive map of the global internet. [...] Any device, anywhere, all the time". The plan was to monitor the "Logical Network Layer" as well as the "Physical Network Layer" and the "Geographical Layer" beneath it, mapping the traffic of the entire internet by IPv4 and IPv6 addresses, DNS and traceroute, by country and by geographical data. It is unknown whether the mission came to fruition after it was leaked among the files Snowden published in 2013.[74][75]

Huawei infiltration
The NSA focused on collecting information on the former Chinese president Hu Jintao, the Chinese Ministry of Commerce, banks and telecom companies, but made a special effort to centre the operation on the massive Chinese technology company Huawei.[76]
It started in 2009 with Operation "ShotGiant", given the importance of Huawei in the Chinese tech sphere and its role, as an adversary of the United States, in forming a monopoly on telecommunications. The agency infiltrated the company with a special team that obtained a list of 1,400 clients and internal documents regarding their engineering training and the use of Huawei products.[77][78]

Not only did they collect the archive of emails, they also acquired the source code for several products. They established themselves at key spots in Huawei's Shenzhen network, where they could intercept all the network's traffic from January 2009. The objective was to find any form of government involvement, but the same internal documents showed that this was not the case.[78]
The operation was made by direct orders by the White House's Intelligence Coordinator and the FBI.[79][78]
The agency also stated in a document that "the structures of the intelligence community were not apt to handle issues that combine economic, counterintelligence, military influence and telecommunications infrastructure in just one entity."[78]
The information was also used to understand the functioning and structure of the enterprise, since China had been focused on scoping out US companies, thus raising the technological standard that used to be set by the US, as well as controlling the flow of internet information.[76][78]
Mexico-Brazil infiltration

During the 2000s the office surveilled the Mexican president's email in an operation named "FlatLiquid", which was labelled fulfilled in May 2010. It is reported how "TAO successfully exploited a key mail server in the Mexican Presidencia domain within the Mexican Presidential network to gain first-ever access to President Felipe Calderón's public email account." This domain was also used by the cabinet and contained "diplomatic, economic and leadership communications which continue to provide insight into Mexico's political system and internal stability", being labelled a "lucrative source". Brazil's TV Globo also reported that the agency conducted surveillance of presidential candidate Enrique Peña Nieto and his close circle in summer 2012.[80]
Several documents show that Mexico and Brazil are not merely of interest: they are the two most important countries to surveil according to a classified list of NSA intelligence priorities declassified by the White House, in which each interest in a country is rated from 1 to 5, 1 being high priority and 5 low. For Mexico, drug trafficking was rated 1; the country's leadership, economic stability, military capabilities, human rights and international commerce were rated 3; and counterespionage 4. Brazil has similar ratings, but its nuclear programme was the top priority. The White House had its sights set on Brazil's president, Dilma Rousseff, and her advisors, as well as the communications of Petrobras, to gain the upper hand for US economic interests.[80]
The NSA not only spied on the president and his cabinet: in a parallel operation named "WhiteTamale", during August 2009, the agency gained access to the emails of various high-ranking officials of the Public Security Secretariat, which helped it to understand the functioning of the cartels and to have "better diplomatic talking points". In one year, 260 classified reports were produced so that the United States government could conduct better diplomatic meetings and international investments.[80][81][14]

The agency determined the intrusions as a "tremendous success", where "these TAO accesses into several Mexican government agencies are just the beginning -- we intend to go much further against this important target," and the divisions were "poised for future successes." These operations were mainly made from the NSA's Headquarters in San Antonio, Texas, but there would also be secret spying stations within the US embassies in Mexico City and Brasilia.[80]
The operation was made in coordination with the CIA, with the name "Special Collection Service", where "the teams have at their disposal a wide array of methods and high-tech equipment that allow[s] them to intercept all forms of electronic communication. The NSA conducts its surveillance of telephone conversations and text messages transmitted through Mexico's cell phone network under the internal code 'EveningEasel'." Brasilia's communication interception works in a similar way.[80]
Given the Mexican presidential elections of 2012, they amplified the intensity and reach of their operations, because even though they were inside the president's network, they still knew little about Peña Nieto, the candidate assured to win. Washington was confused about him, since he held conflicting positions: on the one hand he preached about changing his predecessor's security policy, demilitarising, ending the war against the cartels and funding social programmes, but on the other he personally assured the White House that there would be no changes to the policies made by Calderón.[80][81]

Following this, the NSA approved an unusual, structural type of espionage: during two weeks in early summer 2012, the specialised unit focused on monitoring every piece of information related to the telecommunications of Peña Nieto and nine of his close associates. According to a presentation dated June 2012, they used a software called "DishFire", into which every contact and related data could be fed to be automatically organised, showing the most important ones and placing them in a data bank. In total, 85,489 sent and received messages were intercepted, finding a "needle in a haystack in a repeatable and efficient way".[80]
This revelation caused uproar and policy changes in Brazil. In Mexico there was nothing of the sort, only press releases denouncing the illegality of the actions, expressions of trust in due process for those who may have abused their power, and an internal investigation that led nowhere.[80][82]
See also
- Advanced persistent threat
- Cyberwarfare in the United States
- Equation Group
- Magic Lantern (software)
- MiniPanzer and MegaPanzer
- PLA Unit 61398
- Stuxnet
- Syrian Electronic Army
- Unit 8200
- WARRIOR PRIDE
References
- ^ a b c d Kaspersky Lab (February 2015). Equation Group: Questions and Answers (PDF). Kaspersky.
- ^ Lau, Lina (2025-02-18). "An inside look at NSA (Equation Group) TTPs from China's lense". Retrieved 2026-05-30.
- ^ Nakashima, Ellen (1 December 2017). "NSA employee who worked on hacking tools at home pleads guilty to spy charge". The Washington Post. Archived from the original on 16 April 2021. Retrieved 4 December 2017.
- ^ Loleski, Steven (2018-10-18). "From cold to cyber warriors: the origins and expansion of NSA's Tailored Access Operations (TAO) to Shadow Brokers". Intelligence and National Security. 34 (1): 112–128. doi:10.1080/02684527.2018.1532627. ISSN 0268-4527. S2CID 158068358.
- ^ a b c Hayden, Michael V. (23 February 2016). Playing to the Edge: American Intelligence in the Age of Terror. Penguin Press. ISBN 978-1594206566. Retrieved 1 April 2021.
- ^ a b c d Aid, Matthew M. (10 June 2013). "Inside the NSA's Ultra-Secret China Hacking Group". Foreign Policy. Archived from the original on 12 February 2022. Retrieved 11 June 2013.
- ^ Paterson, Andrea (30 August 2013). "The NSA has its own team of elite hackers". The Washington Post. Archived from the original on Oct 19, 2013. Retrieved 31 August 2013.
- ^ Kingsbury, Alex (June 19, 2009). "The Secret History of the National Security Agency". U.S. News & World Report. Archived from the original on 1 July 2016. Retrieved 22 May 2013.
- ^ Kingsbury, Alex; Mulrine, Anna (November 18, 2009). "U.S. is Striking Back in the Global Cyberwar". U.S. News & World Report. Archived from the original on 1 July 2016. Retrieved 22 May 2013.
- ^ Riley, Michael (May 23, 2013). "How the U.S. Government Hacks the World". Bloomberg Businessweek. Archived from the original on May 25, 2013. Retrieved 23 May 2013.
- ^ Aid, Matthew M. (8 June 2010). The Secret Sentry: The Untold History of the National Security Agency. Bloomsbury USA. p. 311. ISBN 978-1-60819-096-6. Retrieved 22 May 2013.
- ^ a b c d e f Cybernews (2025-07-03). The Biggest Hacking Mystery of Our Time: Shadow Brokers. Retrieved 2026-05-28 – via YouTube.
- ^ Sloan, Peter (2017-09-06). "The TAO of Cyber Warfare: Dark Territory". Information Bytes. Archived from the original on 2025-12-07. Retrieved 2026-05-28.
- ^ a b "NSA's TAO Unit Introduces Itself". Der Spiegel. 2014-02-17. ISSN 2195-1349. Retrieved 2026-05-31.
- ^ Kingsbury, Alex (June 19, 2009). "The Secret History of the National Security Agency". U.S. News & World Report.
- ^ a b c d Cybernews (2025-07-10). Ex-NSA Hacker on Being Exposed by Russian Intelligence | Jake Williams #002. Retrieved 2026-05-28 – via YouTube.
- ^ Kaplan, Fred (2016-09-16). "The Leaky Myths of Snowden". Slate. ISSN 1091-2339. Retrieved 2026-05-28.
- ^ Walters, Joanna (2013-12-29). "NSA 'hacking unit' infiltrates computers around the world – report". The Guardian. ISSN 0261-3077. Retrieved 2026-05-28.
- ^ Gellman, Barton; Nakashima, Ellen (August 30, 2013). "U.S. spy agencies mounted 231 offensive cyber-operations in 2011, documents show". The Washington Post. Retrieved 7 September 2013.
Much more often, an implant is coded entirely in software by an NSA group called, Tailored Access Operations (TAO). As its name suggests, TAO builds attack tools that are custom-fitted to their targets. The NSA unit's software engineers would rather tap into networks than individual computers because there are usually many devices on each network. Tailored Access Operations has software templates to break into common brands and models of "routers, switches, and firewalls from multiple product vendor lines," according to one document describing its work. TAO engineers prefer to tap networks rather than isolated computers, because there are typically many devices on a single network.
- ^ a b Goodin, Dan (2015-02-16). "How "omnipotent" hackers tied to NSA hid for 14 years—and were found at last". Ars Technica. Retrieved 2026-05-28.
- ^ Equation Group - Cyber Weapons Auction
- ^ theshadowbrokers (2016-10-31). "Message#5 — Trick or Treat?". Medium. Retrieved 2026-05-28.
- ^ Kirk, Jeremy (November 1, 2016). "Shadow Brokers Says 'Trick or Treat' Over Attack Tool Leak". www.bankinfosecurity.com. Retrieved 2026-05-28.
- ^ a b "'Shadow Brokers' Reveal List Of Servers Hacked By The NSA; China, Japan, And Korea The Top 3 Targeted Countries; 49 Total Countries, Including: China, Japan, Germany, Korea, India, Italy, Mexico, Spain, Taiwan, & Russia - Fortuna's Corner". Fortuna's Corner. 2016-11-01. Archived from the original on 2017-01-16. Retrieved 2026-05-28.
- ^ Agudo, Sergio (2016-12-15). "Shadow Brokers vuelve a la carga: exploits de la NSA en venta directa". Genbeta (in Spanish). Retrieved 2026-05-28.
- ^ [Reference ":1" was invoked in the source but never defined.]
- ^ theshadowbrokers (2017-04-08). "Don't Forget Your Base". Medium. Retrieved 2026-05-28.
- ^ Cox, Joseph (2017-04-08). "They're Back: The Shadow Brokers Release More Alleged Exploits". VICE. Retrieved 2026-05-28.
- ^ Theshadowbrokers (2017-04-14). "Lost in Translation". Steemit. Retrieved 2026-05-28.
- ^ a b c Shane, Scott; Perlroth, Nicole; Sanger, David E. (2017-11-12). "Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core". The New York Times. ISSN 0362-4331. Retrieved 2026-05-29.
- ^ "Investigation Report for the September 2014 Equation malware detection incident in the US". Securelist. 2017-11-16. Retrieved 2026-05-29.
- ^ Lubold, Gordon; Harris, Shane (2017-10-05). "Russian Hackers Stole NSA Data on U.S. Cyber Defense". Wall Street Journal. ISSN 0099-9660. Retrieved 2026-05-29.
- ^ "Kaspersky defends its role in NSA breach". 2017-11-16. Retrieved 2026-05-29.
- ^ CBS News (2020-01-14). NSA discovers security flaw in Microsoft Windows operating system. Retrieved 2026-05-31 – via YouTube.
- ^ "FOIA #70809 (released 2014-09-19)" (PDF).
- ^ P/K. "NSA's organizational designations". Retrieved 2026-05-28.
- ^ "Secret NSA hackers from TAO Office have been pwning China for nearly 15 years". Computerworld. 2013-06-11. Archived from the original on 2014-01-25. Retrieved 2014-01-27.
- ^ Rothkopf, David. "Inside the NSA's Ultra-Secret China Hacking Group". Foreign Policy. Retrieved 2014-01-27.
- ^ "Hintergrund: Die Speerspitze des amerikanischen Hackings - News Ausland: Amerika". Tages-Anzeiger. tagesanzeiger.ch. Archived from the original on 2013-06-21. Retrieved 2014-01-27.
- ^ "Inside the NSA's Ultra-Secret Hacking Group". Atlantic Council. 2013-06-11. Archived from the original on 2020-10-21. Retrieved 2023-07-27.
- ^ Aid, Matthew M. (2013-06-10). "Inside the NSA's Ultra-Secret China Hacking Group". Foreign Policy. Archived from the original on 2022-02-12. Retrieved 2013-06-11.
- ^ noahmax (2005-02-21). "Jimmy Carter: Super Spy?". Defense Tech. Archived from the original on 2014-02-20. Retrieved 2014-01-27.
- ^ https://www.eff.org/files/2014/04/09/20140312-intercept-the_nsa_and_gchqs_quantumtheory_hacking_tactics.pdf (slide 8)
- ^ "Dealer, Hacker, Lawyer, Spy: Modern Techniques and Legal Boundaries of Counter-cybercrime Operations". The European Review of Organised Crime.
- ^ "The NSA and GCHQ's QUANTUMTHEORY Hacking Tactics". firstlook.org. 2014-07-16. Archived from the original on 2015-07-20. Retrieved 2014-07-16.
- ^ Landler, Mark (2018-04-10). "Thomas Bossert, Trump's Chief Adviser on Homeland Security, Is Forced Out". New York Times. Archived from the original on 2018-04-11. Retrieved 2022-03-09.
- ^ a b Thomson, Iain (2016-01-28). "NSA's top hacking boss explains how to protect your network from his attack squads". The Register. Archived from the original on 2023-07-27. Retrieved 2023-07-27.
- ^ Myre, Greg (2019-08-26). "'Persistent Engagement': The Phrase Driving A More Assertive U.S. Spy Agency". NPR. Retrieved 2026-05-29.
- ^ "National Security Agency Announces Retirement of Cybersecurity Director". National Security Agency/Central Security Service. Archived from the original on 2026-05-26. Retrieved 2026-05-29.
- ^ "NSA cyber directorate gets new acting leadership". therecord.media. Retrieved 2026-05-29.
- ^ a b This section copied from NSA ANT catalog; see there for sources
- ^ "Quantumtheory: Wie die NSA weltweit Rechner hackt". Der Spiegel. 2013-12-30. Archived from the original on 2014-03-23. Retrieved 2014-01-18.
- ^ a b Schneier, Bruce (2013-10-07). "How the NSA Attacks Tor/Firefox Users With QUANTUM and FOXACID". Schneier.com. Retrieved 2014-01-18.
- ^ a b "NSA-Dokumente: So knackt der Geheimdienst Internetkonten". Der Spiegel. 2013-12-30. Archived from the original on 2014-01-16. Retrieved 2014-01-18.
- ^ Gallagher, Sean (2013-08-01). "NSA's Internet taps can find systems to hack, track VPNs and Word docs". Archived from the original on 2013-08-04. Retrieved 2013-08-08.
- ^ a b c "Inside TAO: Targeting Mexico". Der Spiegel. 2013-12-29. Archived from the original on 2014-01-17. Retrieved 2014-01-18.
- ^ Fotostrecke (2013-12-30). "QFIRE - die "Vorwärtsverteidigung" der NSA". Der Spiegel. Retrieved 2014-01-18.
- ^ "QFIRE - die "Vorwärtsverteidigung" der NSA". Der Spiegel. 2013-12-30. Archived from the original on 2014-01-16. Retrieved 2014-01-18.
- ^ ""Chaos Computer Club CCC Presentation" at 28:34". YouTube. Archived from the original on 2014-09-09. Retrieved 2014-09-09.
- ^ a b Thomson, Iain (2013-12-31). "How the NSA hacks PCs, phones, routers, hard disks 'at speed of light': Spy tech catalog leaks". The Register. London. Retrieved 2014-08-15.
- ^ Mick, Jason (2013-12-31). "Tax and Spy: How the NSA Can Hack Any American, Stores Data 15 Years". DailyTech. Archived from the original on 2014-08-24. Retrieved 2014-08-15.
- ^ Weaver, Nicholas (2013-03-28). "Our Government Has Weaponized the Internet. Here's How They Did It". Wired. Retrieved 2014-01-18.
- ^ "China Accuses US of Repeated Hacks on Polytechnic University". Bloomberg. 2022-09-05 – via www.bloomberg.com.
- ^ Gallagher, Sean (2013-11-12). "Quantum of pwnness: How NSA and GCHQ hacked OPEC and others". Ars Technica. Retrieved 2014-01-18.
- ^ "Läs dokumenten om Sverige från Edward Snowden - Uppdrag Granskning". SVT.se. Archived from the original on 2014-02-23. Retrieved 2014-01-18.
- ^ "What You Wanted to Know" (PDF). documentcloud.org. Retrieved 2015-10-03.
- ^ "British spies reportedly spoofed LinkedIn, Slashdot to target network engineers". Network World. 2013-11-11. Archived from the original on 2014-01-15. Retrieved 2014-01-18.
- ^ "Inside TAO: The NSA's Shadow Network". Der Spiegel. 2013-12-29. Archived from the original on 2017-04-20. Retrieved 2014-01-27.
- ^ a b Aid, Matthew M. (2013-10-15). "The NSA's New Code Breakers". Foreign Policy. Retrieved 2023-07-27.
- ^ Farber, Dan (2013-12-29). "NSA reportedly planted spyware on electronics equipment | Security & Privacy". CNET News. Archived from the original on 2014-01-25. Retrieved 2014-01-18.
- ^ Schneier, Bruce (2013-10-04). "How the NSA Thinks About Secrecy and Risk". The Atlantic. Archived from the original on 2014-01-10. Retrieved 2014-01-18.
- ^ Riley, Michael (2013-06-14). "U.S. Agencies Said to Swap Data With Thousands of Firms". Bloomberg. Archived from the original on 2015-01-12. Retrieved 2014-01-18.
- ^ This section was copied from the Stuxnet article, for references, see there.
- ^ "NSA/CSS Threat Operations Center, TREASURE MAP: Bad guys are everywhere, good guys are somewhere!, undated. TS//SI//REL TO USA, FVEY | National Security Archive". nsarchive.gwu.edu. Retrieved 2026-05-30.
- ^ "Treasure Map Presentation". The Intercept. Retrieved 2026-05-30.
- ^ a b Cybernews (2025-07-17). How the NSA Hacked Huawei: Operation Shotgiant. Retrieved 2026-05-31 – via YouTube.
- ^ Sanger, David E.; Perlroth, Nicole (2014-03-22). "N.S.A. Breached Chinese Servers Seen as Security Threat". The New York Times. ISSN 0362-4331. Retrieved 2026-05-31.
- ^ a b c d e "NSA Spied on Chinese Government and Networking Firm Huawei". Der Spiegel. 2014-03-22. ISSN 2195-1349. Retrieved 2026-05-31.
- ^ "US spy agency 'hacked Huawei HQ': China confirms Snowden leak". South China Morning Post. 2023-09-20. Retrieved 2026-05-31.
- ^ a b c d e f g h Glüsing, Jens; Poitras, Laura; Rosenbach, Marcel; Stark, Holger (2013-10-20). "NSA Hacked Email Account of Mexican President". Der Spiegel. ISSN 2195-1349. Retrieved 2026-05-31.
- ^ a b Louv, Jason (2014-02-25). "La NSA de EU tiene una oficina en México". VICE (in Spanish). Retrieved 2026-05-31.
- ^ "El gobierno de México abre una investigación interna por espionaje de EU". Expansión (in Spanish). 2013-10-22. Retrieved 2026-05-31.
External links
- Inside TAO: Documents Reveal Top NSA Hacking Unit
- NSA 'hacking unit' infiltrates computers around the world – report
- NSA Tailored Access Operations
- NSA Laughs at PCs, Prefers Hacking Routers and Switches
- N.S.A. Devises Radio Pathway Into Computers
- Getting the 'Ungettable' Intelligence: An Interview with TAO's Teresa Shea
