Threat Intelligence

How Classified NSA Exploit tools RADON and DEWSWEEPER Work

Pierluigi Paganini
November 11, 2013 by
Pierluigi Paganini

The NSA FoxAcid Platform

Security expert Bruce Schneier is one of the most authoritative experts who revealed that the NSA has a wide-ranging arsenal of zero-day exploits to use for cyber operations. The revelation isn't surprising, the security community is aware of the great effort spent by governments on cyber operations. Many intelligence agencies have created dedicated internal units, specialized in hacking for sabotage and cyber espionage. Almost every government is improving its cyber capabilities, in many cases they're working in the development of cyber weapons.

The report recently published by the FireEye security firm, titled "World War C," described cyberspace as the new battlefield, and it's evident how state-sponsored attacks have intensified. Campaigns such as Moonlight Maze, and Titan Rain, or the destructive cyber strikes on Iran and Georgia mark the evolution of military doctrine.

"Cyberspace has become a full-blown war zone as governments across the globe clash for digital supremacy in a new, mostly invisible theater of operations. Once limited to opportunistic criminals, cyber attacks are becoming a key weapon for governments seeking to defend national sovereignty and project national power."

Alongside conventional weapons, cyber tools such as DDoS tools, spyware and malware are assuming a role of greater importance in the arsenals of governments. But the principal element for nation-state driven cyber attacks is the knowledge of zero-day vulnerabilities to exploit.

The last collection of NSA documents leaked by Snowden reports that the Central Intelligence Agency implemented a collection of servers codenamed FoxAcid that exploit software vulnerabilities on targets' machines.

"Here are the FoxAcid basics: By the time the NSA tricks a target into visiting one of those servers, it already knows exactly who that target is, who wants him eavesdropped on, and the expected value of the data it hopes to receive. Based on that information, the server can automatically decide what exploit to serve the target, taking into account the risks associated with attacking the target, as well as the benefits of a successful attack," reported Schneier.

The documents published by the former intelligence consultant's report that US agencies can count on numerous exploits for their attacks. They have a sophisticated platform that's able to evaluate the status of a target, and its response during the offensive, to chose the best exploit kit to adopt. "Validator" is the name of the exploit kit used as the default option for the attacks. But FoxAcid servers have a wide range of malicious kits like Radon, Dewsweeper, United Rake, Peddle Cheap, Packet Wrench, and Beach Head.

"To trick targets into visiting a FoxAcid server, the NSA relies on its secret partnerships with US telecoms companies. As part of the Turmoil system, the NSA places secret servers, codenamed Quantum, at key places on the internet backbone. This placement ensures that they can react faster than other websites can. By exploiting that speed difference, these servers can impersonate a visited website to the target before the legitimate website can respond, thereby tricking the target's browser to visit a FoxAcid server." reported the post on The Guardian.

Figure - NSA Data Center

The platform designed by the NSA is able to automate the principal phases of an attack, making it possible to involve operators without great hacking expertise. US NSA hackers could count on an incredible amount of information gathered on their targets. The data is elaborated realtime based on the response of the target defense systems to suggest best attacking options. According the info leaked, FoxAcid servers are able to provide a multiple choice menu for attack options, from which attackers could choose the proper offensive mode.

"If the target is a high-value one, FoxAcid might run a rare zero-day exploit that it developed or purchased. If the target is technically sophisticated, FoxAcid might decide that there's too much chance for discovery, and keeping the zero-day exploit a secret is more important. If the target is a low-value one, FoxAcid might run an exploit that's less valuable. If the target is low-value and technically sophisticated, FoxAcid might even run an already-known vulnerability" the cyber security expert Bruce Schneier wrote.

The document explicitly introduces a cost-benefit analysis provided to evaluate the exploitation method. Tailored Access Operations (TAO) operators running the FoxAcid system could implement detailed and complex flowchart which covers all probable stages of an attack and the results thereof. For example, in the presence of a personal security product, they could stop an offensive to avoid detection, or to proceed with different strategy based on the partial response of targeted systems.

The FoxAcid system was also used to track individuals into the anonymizing Tor network. The NSA uses its servers to hijack a user with a set of secret internet servers with FoxAcid. FoxAcid servers were used to launch prepared attacks against their systems, ensuring that they remain compromised in the long term, and continues to provide eavesdropping information back to the NSA.

Popular security expert Bruce Schneier is very critical of the agency's ability to control the secrecy of mass surveillance programs.

"While the NSA excels at performing this cost-benefit analysis at the tactical level, it's far less competent at doing the same thing at the policy level. The organization seems to be good enough at assessing the risk of discovery—for example, if the target of an intelligence-gathering effort discovers that effort—but to have completely ignored the risks of those efforts becoming front-page news." wrote Schneier.

A Close Look at Radon and Dewsweeper

The Radon and Dewsweeper systems are both hardware host taps that allow an attacker to establish a bridge within the target network in a covert way.

Both exploit kits are mentioned in the document leaked through Le Monde titled "20100910 Closed Access SIGADS 01" as part of a list reporting code names for NSA Exploit Tools:

  • HIGHLANDS: Collection from Implants
  • VAGRANT: Collection of Computer Screens
  • MAGNETIC: Sensor Collection of Magnetic Emanations
  • MINERALIZE: Collection from LAN Implant
  • OCEAN: Optical Collection System for Raster-Based Computer Screens
  • LIFESAFER: Imaging of the Hard Drive
  • GENIE: Multi-stage operation: jumping the airgap etc.
  • BLACKHEART: Collection from an FBI Implant
  • DROPMIRE: Passive collection of emanations using antenna
  • CUSTOMS: Customs opportunities (not LIFESAVER)
  • DROPMIRE: Laser printer collection, purely proximal access (not implanted)
  • DEWSWEEPER: USB (Universal Serial Bus) hardware host tap that provides a covert link over a US link into a target network. Operates with an RF relay subsystem to provide wireless Bridge into target network.
  • RADON: Bi-directional host tap that can inject Ethernet packets onto the same targets. Allows bi-directional exploitation of denied networks using standard on-net tools.
  • DEWSWEEPER and RADON are exploit kits used to penetrate the target network, while Dewsweeper operates with RF relay subsystem to establish a wireless bridge into the target network, Radon relies on Ethernet technology to inject Ethernet packets onto the victim infrastructure.

DEWSWEEPER and RADON are exploit kits used to penetrate the target network, while Dewsweeper operates with an RF relay subsystem to establish a wireless bridge into the target network. Radon relies on Ethernet technology to inject Ethernet packets onto the victim infrastructure.

Well, it's not possible to find information about the spying devices on the Internet. Nor is a description of how they operate, but we can try to put it together.

Both are USB devices, due that reason, we have to think of a device disguised as a normal USB token, with an embedded RF transceiver and the antenna hidden within the cable. The power supply is provided by USB when the spying key is connected to a PC, laptop or any other devices.

The main problem is how hide the presence of those components. That includes the user interface, and the hardware components present in the USB token. They need to be silently installed on the victim machine without prompting any message, so it's not recognizable from a resource manager of the host. To do that, the NSA has definitely exploited critical USB flaws to allow US devices to be granted root access on a victim's system.

Figure - NSA Top Secret Document leaked through Le Monde

A Critical Windows USB Exploit

To understand how both NSA USB exploit kits could remain invisible to the victims, we must analyze USB exploits in detail, and how they allow flash drives to grant root access to a host system.

In March 2013, Microsoft plugged a security hole in its Windows operating system that allowed attackers to use USB-connected drives to take full control of a targeted computer ... this sounds interesting, and it's probably exactly what we're looking for!

At the time of the patch release, security experts at Microsoft classified the flaw as "important" instead as "critical" because exploiting of the USB flaw required physical access to the victim's computer. But let's think for example that during an official conference or political meeting someone decided to give USB token as a present, like memory or chargers, the victims in this case are totally unaware of the menace, and of the risks related to the use of kind gifts.

Fact or fiction? The history gives us the answer.

With an apparently innocent USB device, it's possible to infect the target PC. The exploitation of those vulnerabilities also allows attackers to penetrate target networks that are isolated from the Internet. That's exactly what happened in the case of the diffusion of the popular Stuxnet. Recently, Microsoft has fixed numerous vulnerabilities related to USB hard drives, like the LNK file vulnerability that allowed Stuxnet to infect machines when a stick was plugged in.

Microsoft Security Bulletin coded the dangerous security flaw as MS13-027 – important. Microsoft qualified the security flaws as vulnerabilities in kernel mode drivers that could allow elevation of privilege (2807986). Microsoft alerted its users of the possible exploit of the MS13-027 series of vulnerabilities through a maliciously formatted USB drive physically inserted in the their computer. The exploit is simple, the Windows USB device drivers enumerate the device, parsing a specially crafted descriptor, the attacker could cause the system to execute malicious code with full permission of the operating system kernel.

Microsoft Security Response Center researchers Josh Carlson and William Peteroy wrote in a blog post that the vulnerability is triggered during device enumeration, no user intervention is required, making possible to exploit the security hole even if the computer is locked or no user is logged in.

"In fact, the vulnerability can be triggered when the workstation is locked or when no user is logged in, making this an un-authenticated elevation of privilege for an attacker with casual physical access to the machine."

The MS13-027 vulnerbility affects all versions of Windows, ranging from Windows 8 to as far back as Windows XP SP2, including the many Windows Server OSes. Microsoft's experts admit this attack may indicate other, similar "avenues of exploitation" could be found even without physical access to the host system.

"Other software that enables low-level pass-through of USB device enumeration may open additional avenues of exploitation that do not require direct physical access to the system," stated Carlson.

Exploiting Malformed USB Descriptions as Injection Points

In this section, I'll describe how a malformed USB description is exploited to submit injector code for the execution of malware.

  • Attacker analyzes specifications for how targeted OS and device drivers interact.
  • Attacker determines the expected format for the "USB Device Description."
  • Attacker prepares a custom "USB Device Description," analyzing how it's passed by the USB token to the USB Device Driver by trying to find the memory location reserved to contain the data.
  • The attacker crafts a malformed "USB Device Description" (e.g. using an abnormally long descriptor) and observe how the operating system manages it. The attacker can count on memory overflow to overwrite existing instructions in memory with malicious code.
  • The attacker replaces the "USB Device Description" with their malicious injection code.
  • The attacker needs to craft the "USB Device Description" to make sure the initial instruction in their malware injection code will occupy a memory location determined by the code executed as part of the "USB Device Description."
  • A buffer overrun attack occurs when the "USB Device Description" has an abnormal length that causes critical instruction overwriting, and the execution of the malicious code wil be embedded in the description (the injector).
  • The injector code operates as if it is part of the operating system kernel.
  • The injector code is used to load and start the execution of malicious code, usually encrypted, hidden on the USB device.

Netragard and Radon, Coincidence or Something Else?

We've discussed how it's possible to exploit vulnerabilities in USB technology to silently serve malware to infect a host. It's certain that both Radon and Dewsweeper use a similar technique to compromise the victims. As is imaginable, both tools have evolved in time. During their life cycle, probably various versions have exploited different zero-day vulnerabilities that were successively fixed. It's highly probable that their latest versions are able to operate by exploiting new unknown USB flaws.

When trying to search Google for both components, it's possible to retrieve a few results that aren't very interesting and they don't provide any technical details about the hardware exploit kits used by the NSA.

One result caught my attention, it was on the Netragard corporate website. It explicitly referenced the use of a spy tool based on USB devices to silently inoculate malware … it's name is Radon!

Is it a coincidence? Who is Netragard?

Netragard is a security company that delivers anti-hacking services, including penetration testing, vulnerability assessments, web application security testing, and related functions.

Netragard is a Massachusetts firm that sold more than fifty exploits to private businesses and US government agencies in 2012 . Prices ranged from $20,000 to more than $250,000. The founder of Netragard, Adriel Desautels, revealed that some of the above exploits could be considered "weaponised." That means that the exploits have been acquired by governments for offensive purposes or active defense.

It's important to note that numerous private firms also have access to the zero-day market to acquire exploit kits from dozens of independent hackers. Officially, clients are carefully screened to make sure they are not selling code to anyone else, including hostile governments and cybercriminals. The reality is that numerous "dangerous" applications have been found all over the world, like the case of a popular spyware system.

The post from Netragard states:

The general methodology that we follow to achieve an irrecoverable infrastructure compromise that is depicted below at a high-level.

  1. Gain entry via a single point (one of the three referenced below.)
  2. Install custom backdoors (RADON our safe, undetectable, home-grown pseudo-malware.)
  3. Identify and penetrate the domain controller (surprisingly easy in most cases.)
  4. Extract and crack the passwords (we have pretty rainbows and access to this GPU cracker.)
  5. Propagate the attack to the rest of the network (Distributed Metastasis.)

It referred the RADON backdoor also when it described the scenario of a social engineering attack facilitated by the use of technological "tools," like planting malware, spy devices, and so on.

"During an engagement in 2012, Netragard used social engineering to execute an irrecoverable infrastructure compromise against one of its healthcare customers. This was done through a job opportunity that was posted on our customers website. Specifically, our customer was looking to hire a Web Application Developer that understood how to design secure applications. We built an irresistible resume and established fake references, which quickly landed us an on-site interview. When we arrived, we were picked up by our contact and taken to his office. While sitting there, we asked him for a glass of water and he promptly left us alone in his office for roughly 2 minutes. During that time, we used a USB device to infect his desktop computer with RADON (our pseudo-malware). When he returned we thanked him for the water and continued on with the interview. In the end, we were offered the job but turned it down (imagine if we accepted it)."

The post also refers to RADON in a section dedicated to the use of malware:

"We used RADON, our home-brew 'safe' malware, in nearly every engagement in 2012. RADON is designed to enable us to infect customer systems in a safe and controllable manner. Safe means that every strand is built with an expiration date that, when reached, results in RADON performing an automatic and clean self-removal. Safe also means that we have the ability to tell RADON to deinstall at any point during the engagement should any customer make the request. RADON is 100% undetectable and will completely evade all antivirus software, intrusion prevention / detection systems, etc. Why did we build RADON? We built it because we need to have the same capabilities as the bad guys, if not, then our testing wouldn't be realistic."

To resume, although there's no evidence that we're referring to the same exploit kit, there's a real possibility that the NSA has been reported to the US company for the development of the spying agent mentioned in the document leaked by Le Monde.


The revelations on US surveillance, and in particular the disclosure of FoxAcid infrastructure, raise a discussion on the importance of zero-day exploits. The knowledge of zero-day exploits is considered a primary ingredient for tcyber attack success. State-sponsored hackers and cyber criminals consider zero-day exploits a precious resource, around which a booming market has grown.

Zero-day exploits can be used to design cyber weapons, or could be exploited for cyber espionage purposes, just as described in the document leaked by Snowden. In both cases. governments appear to be the most interested entities for the use of this sort of malicious code.

A government's decision to acquire a zero-day exploit for use against a foreign governments hides serious risks. A country, cyber terrorist, cyber criminals or state-sponsored hackers could reverse engineer source code to compose new malicious agents to use against the same authors.

The main players in the zero-day market are the Grugq, small firms like Vupen and Netragard, and other defense contractors, such as Northrop Grumman.

"Netragard's founder Adriel Desautels says he's been in the exploit-selling game for a decade, and describes how the market has 'exploded' in just the last year. He says there are now 'more buyers, deeper pockets,' that the time for a purchase has accelerated from months to weeks, and he's been approached by sellers with around 12 to 14 zero-day exploits every month compared to just four to six a few years ago."

The NSA has nearly 35,000 employees, and an official annual budget of $10.8 billion. It has "an almost unlimited agenda," as the Times report said that highlighted the great effort spent by the agency to "spy routinely on friends as well as foes," not only to fight terrorism, but also to "achieve 'diplomatic advantage' over such allies as France and Germany and 'economic advantage' over Japan and Brazil, among other countries."

NSA divisions known as Tailored Access Operations, and the Transgression Branch have specific missions to "break into computers around the world to steal the data inside, and sometimes to leave spy software behind. TAO is increasingly important in part because it allows the agency to bypass encryption by capturing messages as they are written or read, when they are not encoded."

Radon and Dewsweeper are just a couple of arrows in the arsenal of NSA cyber units. We must be prepared for the worst. The demand explosion for zero-day exploits leave little doubt about the true intentions of governments, and the impact is certainly not confined to just cyberspace.


Pierluigi Paganini
Pierluigi Paganini

Pierluigi is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.