Such networks are typically “air-gapped” — physically separated from the free-for-all of the Internet, with its countless varieties of malicious code, such as viruses and worms, created to steal information or damage systems. Officials had long been concerned with the unauthorized removal of classified material from secure networks; now malware had gotten in and was attempting to communicate to the broader Internet.
One likely scenario is that an American soldier, official or contractor in Afghanistan — where the largest number of infections occurred — went to an Internet cafe, used a thumb drive in an infected computer and then inserted the drive in a classified machine. “We knew fairly confidently that the mechanism had been somebody going to a kiosk and doing something they shouldn’t have as opposed to somebody who had been able to get inside the network,” one former official said.
Once a computer became infected, any thumb drive used on the machine acquired a copy of Agent.btz, ready for propagation to other computers, like bees carrying pollen from flower to flower. But to steal content, the malware had to communicate with a master computer for instructions on what files to remove and how to transmit them.
These signals, or beacons, were first spotted by a young analyst in the NSA’s Advanced Networks Operations (ANO) team, a group of mostly 20- and 30-something computing experts assembled in 2006 to hunt for suspicious activity on the government’s secure networks. Their office was a nondescript windowless room in Ops1, a boxy, low-rise building on the 660-acre campus of the NSA.
ANO’s operators are among 30,000 civilian and military personnel at NSA, whose main mission is to collect foreign communications intelligence on enemies abroad. The agency is forbidden to gather intelligence on Americans or on U.S. soil without special authorization from a court whose proceedings are largely secret.
NSA, whose employees hold 800 PhDs in mathematics, science and engineering, is based at Fort Meade, an Army base between Baltimore and Washington that has the world’s largest collection of supercomputers as well as its own police force and silicon-chip plant.
The ANO operators determined that the breach was serious after a few days of furious investigation. On the afternoon of Friday, Oct. 24,Richard C. Schaeffer Jr., then the NSA’s top computer systems protection officer, was in an agency briefing with President George W. Bush, who was making his last visit to the NSA before leaving office. An aide handed Schaeffer a note alerting him to the breach.