Jan. 28, 2021
Notes from the Pentagon

How NSA hacked Huawei's routers

By Bill Gertz
Documents leaked from the National Security Agency in 2014 revealed that the nation’s premier spy service was secretly stealing electronic and other secrets by hacking Huawei Technologies telecommunications gear used widely in China and around the world.

The sensational spying operation, code-named Shotgiant, was scuttled by Edward Snowden, the former NSA contractor now living in Russia who disclosed the top-secret hacking after stealing nearly 2 million NSA documents and releasing them to the press.

Inside the Ring can now disclose how the NSA was able to conduct its electronic spying operations around the world, penetrating Huawei’s routers and listening to the communications that passed through them.

A person familiar with the operation said cyberspies working for the NSA’s Tailored Access Operations group, the secret hacking unit based near Baltimore-Washington International Airport, were able to get inside Huawei equipment because of an earlier hack of Cisco Systems routers.

In the early 2000s, Huawei was sued by Cisco for stealing portions of Cisco’s Internetwork Operating System, or IOS — a family of software used in the company’s routers and switches. The case was settled quietly out of court.

Unbeknownst to Huawei, the stolen technology included the same software NSA had successfully broken into in Cisco routers. Thus, all Huawei equipment became giant listening posts for the cyberspies.

The ability to steal secrets from telecom gear was confirmed in an internal NSA memorandum from around 2012 that discussed big-router hacking.

“I’m not talking about your home ADSL router. I’m talking about bigger routers, such as Ciscos/Junipers/Huaweis used by [internet providers] for their infrastructure,” an NSA technician wrote. “Hacking routers has been good business for us and our [Five Eyes] partners for some time now, but it is becoming more apparent that other nation states are honing their skills and joining the scene.”

“Five Eyes” refers to the U.S. close intelligence-sharing alliance with Australia, New Zealand, Canada and Britain.

Router hacking, the memo explained, allows spies to add login credentials that permit remote access “anytime you choose.”

Routing rules also can be added or changed. Using “packet capture” capabilities in the equipment was described as “like a local listening post for any credentials being passed over the wire!”

Another spying tool from hacked routers is weakening the encryption for virtual private networks so the NSA could create easily decipherable information streams.

Finally, the NSA used hacked routers to install “a dorked [manipulated] version of the operating system with whatever functionality you want pre-built in,” the memo said.
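The four router modifications the memo lists (added login credentials, changed routing rules, packet capture, weakened VPN encryption) each leave a trace in the device's running configuration. The following added example, not from the article or the memo, is a defender-side drift check that compares a known-good IOS-style configuration snapshot against the current one and reports lines in each of those categories; the hostname, usernames, addresses and hashes are constructed placeholders.

```python
# Added example: detect the config changes the memo's router techniques leave behind.
import re

# Constructed IOS-style config snapshots (hypothetical device, not real data).
BASELINE = """\
hostname edge-rtr-1
username netops privilege 15 secret 5 $1$PLACEHOLDER
ip route 0.0.0.0 0.0.0.0 203.0.113.1
crypto isakmp policy 10
 encryption aes 256
"""

CURRENT = """\
hostname edge-rtr-1
username netops privilege 15 secret 5 $1$PLACEHOLDER
username svc_backup privilege 15 secret 5 $1$PLACEHOLDER2
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 198.51.100.0 255.255.255.0 192.0.2.7
monitor session 1 source interface Gi0/1
monitor session 1 destination interface Gi0/3
crypto isakmp policy 10
 encryption des
"""

# One pattern per category named in the memo: credentials, routing,
# packet capture (SPAN/monitor sessions) and weak IPsec cipher selection.
WATCH = {
    "new_credentials": re.compile(r"^username \S+"),
    "routing_change": re.compile(r"^ip route "),
    "packet_capture": re.compile(r"^monitor session "),
    "weak_vpn_crypto": re.compile(r"^\s*encryption (des|3des)\b"),
}

def _lines(cfg):
    return [l.rstrip() for l in cfg.splitlines() if l.strip()]

def audit_config_drift(baseline, current):
    """Return {category: [lines]} for watched lines present in `current` but
    absent from `baseline`. Weak VPN ciphers are reported even when unchanged,
    because they are a finding regardless of drift."""
    base = set(_lines(baseline))
    findings = {k: [] for k in WATCH}
    for line in _lines(current):
        for cat, pat in WATCH.items():
            if pat.match(line) and (cat == "weak_vpn_crypto" or line not in base):
                findings[cat].append(line)
    return {k: v for k, v in findings.items() if v}

if __name__ == "__main__":
    for cat, lines in audit_config_drift(BASELINE, CURRENT).items():
        print(f"[{cat}]")
        for l in lines:
            print("   ", l)
```

In practice the baseline would be a signed, offline copy of the approved configuration, and the comparison would be run against `show running-config` output collected out-of-band.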

With Mr. Snowden’s leaks in 2014, the NSA lost the ability to spy on one of the most significant intelligence targets: China. Another NSA document revealed that the agency was spying on Huawei to learn its links to the Chinese military and the ruling Communist Party.

“Many of our targets communicate over Huawei-produced products, we want to make sure that we know how to exploit these products. We also want to ensure that we retain access to these communication lines, etc.,” the NSA stated in a briefing slide.

“There is also concern that Huawei’s widespread infrastructure will provide [China] with SIGINT capabilities and enable them to perform denial-of-service type attacks,” the slide stated, using the term for signals intelligence.

One slide quoted a national intelligence estimate from the early years of the Obama administration warning that America’s cyberinfrastructure faced a growing threat from hackers.

“We assess with high confidence that the increasing role of international companies and foreign individuals in U.S. information technology supply chains and services will increase the potential for persistent, stealthy subversions,” the national intelligence estimate stated.

A spokesman for NSA had no immediate comment. A representative of Cisco did not return an email seeking comment.

The USS Theodore Roosevelt aircraft carrier strike group is conducting operations in the South China Sea, sending a signal to Beijing that it does not own the strategic waterway.

The Pacific Fleet posted an update about the carrier and its accompanying warships this week, saying on Facebook that they were “conducting routine U.S. 7th Fleet maritime security operations, including flight operations with fixed and rotary-wing aircraft, maritime strike exercises, and coordinated tactical training between surface and air units.”

“After sailing through these waters throughout my 30-year career, it’s great to be in the South China Sea again, conducting routine operations, promoting freedom of the seas, and reassuring allies and partners,” said Rear Adm. Doug Verissimo, commander of Carrier Strike Group 9.

“With two-thirds of the world’s trade traveling through this very important region, it is vital that we maintain our presence and continue to promote the rules-based order which has allowed us all to prosper,” the admiral added. “While we miss visiting our allies and partners in the region in person, we’re grateful for all the opportunities we have to operate with them at sea.”

China has been conducting naval and aerial surveillance near the carrier, but no provocations or incidents have been reported.

“We all benefit from free and open access to the seas, and our operations represent our commitment to maintaining regional security and stability,” said Capt. Eric Anduze, the Roosevelt’s commanding officer.

In addition to the carrier and its warplanes, warships in the group include the guided missile cruiser USS Bunker Hill, and guided missile destroyers USS Russell and USS John Finn.

At one time, the National Security Agency was so secret that even its name was classified. Uttering the three words could land someone in hot water for violating secrecy rules. Now the agency, once dubbed “No Such Agency” for its penchant for anonymity, has raised its profile significantly.

Earlier this month, the NSA published an annual report on its 2020 cybersecurity activities, most of which in the past would have been considered top-secret.

The report reveals that the agency “rekeyed” the encryption software used on board all 165 F-22 stealth fighters. The security measure is done each year.

Military software used on the F-22 includes NATO-standard Link 16 communications software, advanced “friend or foe” identification software, sensor fusion software for overhead views, and anti-jamming, military-grade GPS links.

If Chinese or Russian hackers obtain the keys or other secrets about the software, then enemy military hackers could penetrate the jet software and cause it to malfunction or crash during a conflict.

The NSA also is working to upgrade the codes used for securing other weapons systems, including the launch codes for nuclear missiles.

“Foremost in NSA’s code-making mission is the production of the nuclear ‘launch codes’ and related materials that would be used should the president ever authorize the launch of U.S. nuclear weapons,” the report said. “NSA also provides the encryption in the communications systems used to convey those orders.”

The NSA is responsible for making the codes, the keys and equipment used to protect government and military communications from foreign eavesdropping and data theft.

The agency also develops cryptographic protective technologies that were not specified in the report.

“These technologies are important in preventing or detecting adversaries from physically exploiting cryptographic equipment and classified material while they are deployed or shipped around the world,” the report said.

The function appears to involve the use of anti-tamper and tamper-indicating equipment or software that will alert security officials if communications gear is targeted. According to the report, the NSA delivered 108,421 tamper-related products to customers around the world in 2020.

One new worry for the NSA is the development of quantum computing that could render current electronic eavesdropping nearly impossible.

The NSA is working to make defense systems resistant to such advanced computer exploitation.

“Such a computer is still theoretical, but its development could render large swaths of the U.S. cryptographic inventory obsolete,” the report said. “Thus, the [Defense Department and the intelligence community] are relying heavily on NSA, with substantial fiscal investments to field next-generation encryption.”

As part of the new security, the NSA approved a new suite of “quantum-resistant cryptographic algorithms” used in defense and intelligence networks. The secure software will counter “a range of potential threats for future use in equipment supporting the warfighter.”

The report makes no mention of the massive SolarWinds hack of government and private computer systems that U.S. officials have said has the hallmarks of a Moscow intelligence operation.

SolarWinds is a management software company whose Orion software is used widely in computer networks. Some 18,000 networks were hit in the cyberattack, which allowed the hackers to gain access to sensitive information, including from the Treasury and Homeland Security Departments.

The White House said President Biden brought up the hacking operation in his first phone call since the election with Russian President Vladimir Putin.

“Eighteen months ago, several colleagues and I discussed the results of an internal study to examine the state of the cybersecurity mission at NSA,” Anne Neuberger, NSA cybersecurity director, stated in the report. “The findings were grim. As technology and the cyberthreat had rapidly evolved, it was clear we had not always kept pace.”

An NSA cybersecurity directorate was created shortly after the study to remedy the shortcomings.

  • Contact Bill Gertz on Twitter via @BillGertz.