How the NSA Used MS Word Macros

There have been new revelations about the US government’s spy program thanks to a series of Edward Snowden’s emails to the NSA’s SIGINT Oversight and Compliance Division, released due to a Freedom of Information Act request. We’ve warned people time and again that macros embedded within Word documents are a prime attack vector for hackers. Well, it turns out that not only does the NSA have macros enabled, they need them to function.

In order to make sure the NSA’s spying met legal guidelines, such as targeting the right people and masking any American identities in reports, those reports are reviewed by Department of Justice and NSA compliance officers. The Hawaii office was having some difficulty because new security protocols that had compartmentalized that particular office’s network were keeping NSA headquarters from being able to read their reports.

Snowden, who was working as a Dell contractor serving as a system administrator in the Hawaii Office of Information Sharing, was tasked with looking into the issue. What he found was that the Word macros used to mask the identities of Americans required the reader to be able to access the Hawaii office’s network to view the report. Because of the security compartmentalization, anyone outside of that office could not gain access and therefore could not read the documents.

While this sort of intra-office tech support may seem dull, it gives us a little bit of knowledge about the inner workings of the NSA, specifically that they use macros. Not only are macros the favorite way for hackers to initiate ransomware attacks, they have also recently been used in spying and in an attack on Ukraine’s power grid. If you have them enabled, the only thing it takes to get infected with malware is to open a document with malicious macros embedded in it.

Ultimately, the NSA came up with a solution that was inherently more secure by having analysts save their reports in rich text format, eliminating macros altogether. One thing that probably helped shield the NSA from attack was that these reports were shared on the government’s internal secure network. The likelihood that anyone would introduce an external document is probably slim.
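To check that shared reports really are macro-free, as the RTF fix above intends, a defender can triage files by format before they are opened. The following is an added example, not code from the NSA or from the original article; the function names, labels and sample documents are constructed for illustration.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls compound file header

def classify_document(data: bytes) -> str:
    """Return a coarse macro-risk label (hypothetical labels) for raw document bytes."""
    if data.lstrip()[:5] == b"{\\rtf":
        # RTF cannot hold a VBA project, but it can still carry embedded OLE objects.
        return "rtf-with-embedded-object" if b"\\objdata" in data else "rtf-no-macros"
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: macros are possible; a full OLE parser must confirm.
        return "ole2-needs-inspection"
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = [n.lower() for n in z.namelist()]
        if any(n.endswith("vbaproject.bin") for n in names):
            return "ooxml-with-vba"  # macro-enabled package (.docm style)
        if "[content_types].xml" in names:
            return "ooxml-no-macros"
    return "unknown"

def make_ooxml(with_vba: bool) -> bytes:
    """Build a constructed, minimal OOXML-like ZIP in memory (not a valid Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"placeholder")
    return buf.getvalue()

# Constructed sample inputs, one per format the classifier distinguishes.
SAMPLES = {
    "report.rtf": b"{\\rtf1\\ansi Report text}",
    "object.rtf": b"{\\rtf1{\\object\\objemb{\\*\\objdata 0105}}}",
    "report.docx": make_ooxml(with_vba=False),
    "report.docm": make_ooxml(with_vba=True),
    "legacy.doc": OLE2_MAGIC + b"\x00" * 16,
}

def audit(samples: dict) -> dict:
    """Classify every sample by content, never by file extension."""
    return {name: classify_document(data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, label in audit(SAMPLES).items():
        print(f"{name:12} {label}")
```

Classifying by content rather than extension matters because a renamed file keeps its real format, and the embedded-object label is a reminder that RTF removes VBA macros but not every form of active content.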