NSA denies infecting millions of PCs with malware, says reports it spoofed websites are wrong

The US National Security Agency (NSA) has denied claims that it conducts indiscriminate hacking and says it doesn’t impersonate US social media or websites.

Just because the NSA has the systems to hijack millions of computers across the world, it doesn't mean it's actually doing so, the US spy agency has said.

"Recent media reports that allege NSA has infected millions of computers around the world with malware, and that NSA is impersonating US social media or other websites, are inaccurate," the NSA said in a statement to media yesterday.

The statement followed reports based on classified NSA documents from whistleblower Edward Snowden that revealed the existence of Turbine, an NSA system that allowed the agency to perform automated control malware implants "by groups instead of individually".

The Turbine capabilities appeared around 2009, marking a departure from its old approach where manually deployed implants were reserved for targets that couldn’t be monitored through traditional wiretaps, according to the report on Tuesday by The Intercept.

According to the report, Turbine was built to compensate for the human limitations around hacking at scale. Turbine became part of its elite hacking squad, the Tailored Access operations unit, enabling it conduct "industrial-scale exploitation" and manage "millions of implants".

The Intercept's report did not allege NSA actually used the system to infect millions of people's computers and points to previous reports based on Snowden documents that put the number of implants deployed by the agency at between 85,000 to 100,000.

And while Turbine may make it capable of attacking users by group rather than individually, the NSA has denied it operates indiscriminate cyber attacks. It also appears to have denied a claim that it had spoofed a Facebook server to phish its targets.

"NSA's authorities require that its foreign intelligence operations support valid national security requirements, protect the legitimate privacy interests of all persons, and be as tailored as feasible. NSA does not use its technical capabilities to impersonate U.S. company websites. Nor does NSA target any user of global Internet services without appropriate legal authority. Reports of indiscriminate computer exploitation operations are simply false," it said.

"NSA uses its technical capabilities only to support lawful and appropriate foreign intelligence operations, all of which must be carried out in strict accordance with its authorities. Technical capability must be understood within the legal, policy, and operational context within which that capability must be employed."

The nominee to head up the NSA US Navy vice admiral Michael S Rogers earlier this week outlined how the agency handles zero day flaws in software and devices , which are one of the key assets it uses to exploit computers.

According to Rogers, the NSA's default position is to disclose software vulnerabilities to vendors of the affected product.

But that position stands in contrast the $25m it spent on acquiring zero day flaws from third-party security firms, which could otherwise have sold or reported them to the vendor.

Read more on the NSA