The NSA Leak, the Fox, and the Hatchet Man

“Your data is our data, your equipment is our equipment – anytime, any place, by any legal means.” So reads the motto of the NSA’s Office of Tailored Access Operations or TAO. TAO is not interested in your computer but in the network that it may be connected to. Their goal is to breach the hardware supporting such networks like routers, switches, and network firewalls. For this post, I am focusing on what is called their quantum attack capability and, more specifically, an attack tool known as FOXACID. This is because FOXACID has recently made headlines on some more obscure leak sites due to revelations that it is or is planned to be used by David Brock and his Correct the Record organization to reveal and deal with influential Trump supporters on social media sites.

However, before it can be determined whether there is any truth behind the above story, it is necessary to define what is meant by a quantum attack. To put it in the simplest terms, this sort of attack depends on compromised routers which allow the attackers to ‘read’ what site a victim may want to visit. The page request is not intercepted, as in a man-in-the-middle attack, but is allowed to go on to its intended target. However, the attackers rely on their speedier connections to send a spoofed requested page back to the victim before the real site can do so. This is what is sometimes called a man-on-the-side attack. The victim, thinking they are on the real page, may not be suspicious and will not know that they can be victimized with malware insertion (such as a RAT) from the spoofed page. These types of attacks are more efficient if what is called the ‘internet backbone’ is under some control by the attackers. The internet backbone includes main networks and ISPs. Here are some of the targets that a quantum attack program with FOXACID can exploit.


This diagram shows how traffic to Yahoo is side-tracked by a FOXACID-compromised router.


Quantum attacks have been used to attack China, Tor/Firefox browsers, OPEC, and a communication network (Belgacom) connected to EU agencies. These attacks were also used to divert online-purchased laptops to warehouses where spyware was installed on them before they were delivered to the purchasers.

According to a 2013 article in Foreign Policy Magazine, “TAO has become increasingly accomplished at its mission, thanks in part to the high-level cooperation it secretly receives from the ‘big three’ American telecom companies (AT&T, Verizon and Sprint), most of the large US-based Internet service providers, and many of the top computer security software manufacturers and consulting companies.” These companies go even further in their cooperation than you may think. Wikipedia quotes a TAO document as confirming that these companies assist the NSA and “insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communications devices used by targets”. That sure seems to imply that they insert spyware into smartphones. Microsoft is known to alert the NSA on vulnerabilities they find and before they’ve been fixed, enabling the NSA to perform zero-day attacks in the interval. In short, quantum attacks using FOXACID-compromised servers and, with the help of all of the above-mentioned agents, are, without a doubt, one of the most powerful attack vectors available. Now, imagine that this falls into the wrong hands.

Although FOXACID was known about for some time, it was not considered to be available ‘in the wild’ until recently. Some top secret documents explaining its details and even some of its code has been leaked online. This all came from a hack by someone referred to as Shadow Brokers. Harold Martin, an employee of Booz-Allen, an NSA contractor, has been, at least tentatively, tied to the leak and is now facing trial. Martin tried to sell some of these programs and gave others away for free. Among these  NSA tools was at least one that relied on FOXACID-compromised servers. This meant that a FOXACID toolkit was potentially up for sale or given away and it’s possible that someone got their hands on it.

That brings us to the story making the rounds on some of the fringe sites. I would not normally take these leaks seriously except for the above facts. This leaked story involves the use of FOXACID by David Brock and his Clinton-connected Clear the Record super PAC to identify the most influential Trump supporters who operate on sites like reddit, Twitter, and 4/8 chan and who band together to work on pro-Trump social media posts. Here’s the story.

It begins with David Brock, a man who has set up numerous super PAC groups and other organizations, such as Shareblue, to support Clinton. Brock, when he worked for the Republican Party, described himself as a “right-wing hit man”. Feeling alienated by the anti-gay rhetoric of conservatives, he switched sides and became a Clinton advocate. He came under criticism earlier this year for putting pressure on Bernie Sanders to release his medical records to prove that he was healthy enough to be president and for claiming that “black lives don’t matter to Bernie Sanders.” Critics have referred to Brock as a “psycho dirty tricks hitman”. He has been, and is now, under investigation for misuse of donations and illegal ties to the Clinton campaign. However, he will do whatever he can to get Hillary Clinton elected.

That brings us to a conversation with David Brock and others on the Correct the Record team that was purportedly hacked by someone who claimed that they “were able to get some monitoring software onto a junior analyst’s laptop to take a look inside the slack-channel where they were doing work.” Slack is a messaging platform promoted as “team communication for the 21st Century”. The platform, and part of the purportedly hacked conversation is shown in a screen capture below.


If this hack is valid, it apparently occurred by compromising the account of Elizabeth Kim, a young intern. A RAT, or Remote Access Trojan, could have been installed on her machine and would enable a remote viewer to see everything she does, including watching her chat on Slack. So, at least technically, this would be possible.

The conversation revolves around the apparent dressing down of Brock by someone higher up in the Clinton organization. Apparently, they were angry at him for not manipulating the online polls better after the first presidential debate, as the Democrats lost every one of them. Manipulating media and social media is Brock’s job. He, thus, puts pressure on his underlings, Kim and Connor Shaw, to find out who was manipulating these polls for Trump. He claims this has been difficult to determine “because it isn’t like fighting a centrally organized campaign. It’s more like fighting a disease.” Apparently, Brock and Elliot Fink , the other participant in this conversation, have already developed a plan that was approved by someone high up in the organization, which could be even Clinton or Obama. Brock states, “so we have full clearance. Word of God.”

And what is this plan? Fink uploads the following image.


That’s right. Fink says they will be using FOXACID. The image is from a NSA slide presentation that was leaked by Snowden. Here’s how the conversation goes

Fink begins.

This is manna from heaven, kids.


We have the use of an NSA intrusion package. We are going to find the thought leaders. the meme-generators… I need a target analysis for reddit, twitter, and the chans by tomorrow 5 PM.


You will monitor, identify, and using the FA software set we have, identify/dox.

 cshaw [6:18 AM] 

that will dox them??

 efink [6:20 AM] 

It will man-on-the-side for the anon boards and intercept traffic. We can use that for IP addresses and loading tracking software and magic lantern onto their devices. Once we have them compromised


David? How many do we need?

 brock [6:21 AM] 

I want 150 from 4chan, whatever you can get from 8. I want 1000 top reddit drivers exposed and I want content analysis for their posts. I want the people who are really driving their narrative.


I need all that in a packet by tomorrow afternoon with lexical analysis, proof of compromise. I want clips of memes. I want to up-vote patterns. All this has to be inside the US too. We can’t use externals.

 (FA = FOXACID; dox = publish private information; 8 = 8 chan website; magic lantern = install malware)

 Can FOXACID do this? Theoretically, yes. It seems like a lot of work for the team to get done in one day, but it’s possible.

But here are my questions? How does Fink (or Kim and Shaw) know how to use this? Looking at his Linkedin profile, it seems that Fink has some cyber technical ability but how much is not clear. It is also not clear how Fink and Brock got the software. Did they buy it from Harold Martin (Shadow Broker)? Did someone else purchase it for them? Is the NSA complicit in this? Certainly, the NSA could intercept traffic to any of these sites and send an analysis or the raw data through to Kim and Shaw with all the identifying information, such as IP addresses. Perhaps, then, these two could do some analysis on their own. But are they trained for this and for doing everything else that Fink is asking of them?

It’s become quite evident that David Brock will do whatever it takes to disrupt the Trump campaign. He has recently offered to pay for leaks on Trump. He separately offered to pay all legal fees to anyone associated with The Apprentice TV show who could give him audio or video tapes that would be damaging to Trump. It, therefore, is not impossible for him to try to use something like FOXACID. However, from the evidence given in this conversation, it is impossible to conclude that he has control of this.

At the end of the conversation, there is the hint that those exposed by FOXACID would meet the same fate as Seth Rich. Seth Rich was killed in Washington, D.C. Julian Assange later hinted that he may have been killed for leaking inside information on the DNC to Wikileaks. In any event, the suggestion here is that those found supporting Trump could be killed. This allegation made some Trump supporters on the chan and reddit sites conclude that this whole story was created by Brock to scare Trump supporters into toning down their support for Trump.  That conclusion is also possible.

In the end, there is no way to prove what is true and what is not. If Trump supporters find that their posts are disappearing or they are being infected with malware, a case could be made for this story. It is also possible that further leaks could substantiate this. The thought that powerful NSA malware could be used by a political party is a scary one, but as we have seen during this election, anything is possible.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s