How to discover NSA Quantum Insert attacks on your systems

Pierluigi Paganini April 23, 2015

Security experts at Fox-IT have developed a method for detecting NSA Quantum Insert attacks and have published an interesting post on the hacking practice.

Security researchers at Fox-IT have developed a method for detecting NSA hacking activity operated through the Quantum Insert-style hacks.

The team of experts has published free open-source tools to detect duplicate sequence numbers of HTTP packets, with different data sizes, that are associated with the presence of Quantum Insert attack.

“Detection is possible by looking for duplicate TCP packets but with different payloads, and other anomalies in TCP streams,” explained Fox-IT.

quantum insert attack follow_stream3

The Quantum Insert attack run by every entity that is able to eavesdrop victim’s traffic and manipulate it, Snowden has revealed that the technique is also adopted by other intelligence agencies such as the British GCHQ.

A recent post published by CitizenLab revealed also the existence of a similar hacking platform, dubbed the Great Cannon, used by the Chinese Government.

It is important to note that experts Fox-IT have explained that the application might be circumvented.

The Quantum Insert is a signals intelligence hacking technique described in several documents leaked by the whistleblower Edward Snowden, the typical attack scenario consists in an “HTML redirection” attack that was carried out by injecting malicious content into victim’s traffic. The attacker injects malicious code in a victim’s TCP session that is chosen based on various factors, such as persistent tracking cookie that allow the attackers to identifies a specific user to monitor. Once identified the session of interest related to a specific user, the shooter component injects the malicious code in the stream of data.

“QUANTUMINSERT is described as a ‘HTML Redirection’ attack by injecting malicious content into a specific TCP session. A session is selected for injection based on ‘selectors’[3], such as a persistent tracking cookie that identifies a user for a longer period of time.

The injection is done by observing HTTP requests by means of eavesdropping on network traffic. When an interesting target is observed, another device, the shooter, is tipped to send a spoofed TCP packet. In order to craft and spoof this packet into the existing session, information about this session has to be known by the shooter.” is reported in the blog post published by Fox-IT.

The shooter analyzes the following information of each TCP packet containing the HTTP request in order to modify it:

  • Source & Destination IP address
  • Source & Destination port
  • Sequence & Acknowledge numbers

The QUANTUM INSERT attack can be successful only if the packets injected will arrive at the target before the ‘legitimate’ webserver response, in this way the attacker can impersonate the web server and hack into the target.

“The usage of HTTPS in combination with HSTS can reduce the effectiveness of QI [Quantum Insert]. Also using a content delivery network (CDN) that offers low latency can make it very difficult for the QI packet to win the race with the real server,” states researchers at Fox-IT

Experts at Fox-IT created a number of packet captures (pcaps) that could be used to detect ongoing Quantum Insert attacks, they are available on the GitHub repository. 

Enjoy the analysis on the Quantum Insert attack proposed by Fox-IT.

Pierluigi Paganini

(Security Affairs – Quantum Insert attack, NSA)



you might also like

leave a comment