How I created my version of NSA’s AotS QUANTUMINSERT attack

Post hero image

Table of contents

See Hoxhunt in action
Drastically improve your security awareness & phishing training metrics while automating the training lifecycle.
Get a Demo

I created a version of a specific technique in an attack suite known as QUANTUMTHEORY that was used by a team inside the NSA called Tailored Access Operations, or TAO for short. TAO used the tools in QUANTUMTHEORY in offensive operations from 2005 to at least 2010 against targeted individuals to achieve whatever goals they had.

I’ll explain some of the tools in QUANTUMTHEORY, what they were designed to do, and then talk about a technique I call HOXINSERT, as a tribute to one of the exploitation techniques in the QUANTUMTHEORY toolset known as QUANTUMINSERT.

I think QUANTUMINSERT is extremely cool, but you don’t have to take my word for it. Canada’s equivalent of the NSA, the Communications Security Establishment (CSE) said, “It’s no lie, quantum is cool“, and the NSA themselves said, “The new exploit hotness is Quantum. Certain Quantum missions have a success rate as high as 80%, where spam is less than 1%“.

Before QUANTUMINSERT, the NSA used spam emails to get their targets to click links in emails until they realized it’s become less and less effective, as people learn not to click suspicious-looking links in spam emails.

Although I’m comparing HOXINSERT with QUANTUMINSERT, they’re not the same. Technically, they have nothing in common, but from the target’s perspective, they might seem similar.

What are Tailored Access Operations and QUANTUMTHEORY?

You might have read about the NSA’s Computer Network Operations’ previously Tailored Access Operations attack suite called QUANTUMTHEORY.

TAO was one of the most capable teams inside the NSA that developed and innovated sophisticated hardware and software capabilities to penetrate and persist inside any target as covertly as possible to achieve their goal.

In 2014, the documents leaked by Edward Snowden suggested that tools in QUANTUMTHEORY suite were used in offensive operations back in 2005 by TAO and their partners. But you shouldn't let the old dates fool you, as techniques similar to this are still used today by commercial spyware vendors, like Intellexa, to compromise targeted endpoints with their sophisticated spyware.

The QUANTUMTHEORY suite consists of multiple different tools, each designed to be used for specific purposes, ultimately allowing the operators at the NSA to conduct mainly surveillance operations against their adversaries and even friendly nations.

According to the leaked documents, QUANTUMINSERT was used to deploy 300 TAO implants to targets that were un-exploitable by any other means, and its [Operational Success] was [Highly Successful].

QUANTUMINSERT from leaked NSA slides
QUANTUMINSERT from leaked NSA slides

When they couldn’t use other means of exploitation, they relied on QUANTUMINSERT, which was the perfect payload delivery technique.

What are QUANTUMTHEORY and QUANTUMINSERT?

QUANTUMTHEORY is a highly sophisticated hacking toolset that also partially leveraged the NSA’s other capabilities that might not have been available to mere mortals, especially if you were not backed by one of the world’s most powerful nations.

These other capabilities included the NSA gaining access to key systems owned by third-party companies, either because the company voluntarily provided access, was forced to give access, or unknowingly provided access.

SHOOTER servers are part of QUANTUMINSERT—QI—which, in turn, is part of the QUANTUMTHEORY toolset. The servers were designed to be faster than the original service servers. When the target user requests the server for LinkedIn.com, both the SHOOTER server and the legitimate LinkedIn server would get the request, but the SHOOTER server would be faster to respond to the target user request.

The extremely fast Shooter servers had been specially optimized for speed, and their location has also been chosen to be as geographically close to the target as possible so that they can respond to requests faster, thus being able to hijack the request and redirect the request to a FOXACID server.

Usually, the placement of the SHOOTER servers required the NSA to exercise their powers and use the aforementioned partner’s infrastructure to monitor internet traffic at specific points and to make sure the SHOOTER servers would be faster than the original server the target would request.

FOXACID would then decide what kind of payload would be sent to the target by fingerprinting the web browser and operating system, for example, and either serving an exploit specific for that combination of software or a credential harvesting page, depending on what service the target user initially requested.

Here is a simplification of the QUANTUMINSERT architecture. The requests are numbered from steps 1 to 3.

QUANTUMINSERT architecture simplified
QUANTUMINSERT architecture simplified

So, the target requests a website, for example, by clicking a link in an email. Note that the link isn't modified in any way. The request is sent to a server whose purpose is to find the address for the requested website. The NSA has tapped into the server and can see the target’s request.

A Shooter server would catch the request and redirect it to a FOXACID server. FOXACID would decide on a payload suitable for the target, an exploit, or a phishing page and respond to the request. The real website’s response is simply discarded by the target.

What are HOXINSERT and HOXACID?

With HOXINSERT, the email contains both the address to the trusted website and the address to a HOXACID server. When the target checks the link by hovering over it, it will display the address to the trusted website. When the target clicks the link, a request is sent for the second address, which is the HOXACID server.

HOXINSERT architecture simplified
HOXINSERT architecture simplified

The reason why I'm bringing up QUANTUMINSERT is that we can kind of match the components in both techniques.

FOXACID in HOXINSERT is HTML smuggling, which we can call HOXACID. Both the original FOXACID server and our HOXACID server can fingerprint the target software and choose the exploit, malware, or phishing page. Since I don’t currently have any fancy exploits, I can fingerprint the device on the HOXACID server and, for example, choose a phishing page if the device is iOS, Android, or ChromeOS-based and malware-laced document if Windows or MacOS-based.

The server hosting HOXACID is the Shooter server. We can use any static hosting we want and choose the geographic location to make sure it's close to the target user. The bugs in email clients that allow the manipulation of the status bar enable all of this, thus being HOXINSERT.

The bugs allow an attacker to control both the URL that's displayed to the user in the email client’s status bar and the URL that's actually requested when clicked. These URLs are different to trick the user into loading malicious content instead of what they thought they’d load.

I bet you’ve often been told to hover over the link to check where it leads. In the case of email clients, a user should always be able to trust the status bar that's supposed to show the URL where the hyperlink goes to. With HOXINSERT, this isn't true anymore.

With HOXINSERT, the user’s trust in the status bar works against them. For example, I’ve built the habit of checking the link in the email by hovering over it, but once I click it, I rarely check it again in the web browser’s address bar. If I trust the displayed URL when hovering over the link, I trust the email enough to click the link.

Disclaimer: I reported these techniques to Mozilla, Google, and Microsoft. Microsoft and Google rated these as [wont-fix] or [working as intended]. Mozilla fixed the issue in the Thunderbird email client.

Status for some popular email clients

Status for some popular email clients

What’s the big deal?

I want to warn end users and show that something like this is possible and accessible to threat actors.

Now, it's important to distinguish that the techniques I use to manipulate the URL in a native or web-based email client status bar can easily be confused with other popular techniques that are very well known but that either don’t work in almost any email client—Javascript-based—or can’t manipulate the URL that the email client renders in the status bar—title attribute.

Next, I'll show different attack scenarios for different operating systems and email clients. The basic principle is the same for every OS and client, but the method of manipulating the URL in the email client’s status bar might be slightly different.

[.c-cta-box][.c-cta-content][.c-title-wrapper][.c-title]HOXINSERT against the Outlook Web App[.c-title][.c-title-wrapper][.c-paragraph-wrapper][.c-paragraph]How I used HOXINSERT in an attack vector against Outlook Web App (OWA) and Windows[.c-paragraph][.c-paragraph-wrapper][.c-button-wrapper][.c-button]Read the next article[.c-button][.c-button-wrapper][.c-cta-content][.c-cta-box]

About the author

Pontus joined Hoxhunt in 2017 and currently works as an Offensive Security Engineer. He enjoys researching and developing attack techniques, exploits, and tools.

Want to learn more?
Be sure to check out these articles recommended by the author:
Get more cybersecurity insights like this