In a 2012 presentation slide published by the news site, the NSA describes an exploitation technique codenamed SECONDDATE that "takes advantage of web-based protocols and man-in-the-middle positioning," that can "quietly redirect" Web browsers to attack servers and "allows mass exploitation potential for clients passing through network choke points."
Other documents reportedly indicate that the NSA has shared many of its implants with surveillance agencies in the U.K., Canada, New Zealand and Australia, which together with the NSA form the so-called Five Eyes partnership.
Past media reports claimed the U.K.'s Government Communications Headquarters used implant technology designed by the NSA to target network engineers from Belgian telecommunications company Belgacom and global roaming exchange providers, and possibly even prominent cryptographers.
While the NSA uses "selectors" like email addresses, tracking cookies, browser tags, IP addresses, wireless MACs and many other identifiers to choose its targets, the documents published by The Intercept seem to indicate that the agency has been working on expanding the scope of its attacks and supporting infrastructure for years.
"Our original assumption was that NSA targeted a small number of real national security threats," said Matthew Green, a cryptographer and assistant research professor at the Johns Hopkins University Information Security Institute in Baltimore, via email. "What we're learning now is that for every individual like that, they're also targeting many other people, including telecom operators, system administrators, maybe even academic cryptographers."
"What this means is that many relatively 'innocent' people are on the receiving end of these attacks," he said. "It also means that NSA is being a lot less discriminating about who they target. They're willing to infect every employee at a company who visits Slashdot, for example, on the assumption that one will be an important system administrator."
Green doesn't believe that the NSA will ever do wholesale malware distribution and infection, because the agency has a limited supply of zero-day exploits -- exploits for unpatched vulnerabilities -- and using them on a truly mass scale would increase the chances of those exploits being discovered and becoming useless.
However, "I think the more of these things you put in the wild, the greater the chance that one falls into the hands of someone who can use it to do something criminal," Green said. "The NSA has obviously decided their strategy is worth the risk. I don't know if I agree with them, and more to the point, I don't know if their overseers really understand the risk."
"Such a large scale attack infrastructure is very offensive (in both ways)," said Carsten Eiram, the chief research officer at security intelligence and risk management firm Risk Based Security. "Even with so-called 'data selectors' they could easily end up compromising random victims. Also, while they may now say that they are only aiming to target specific people considered threats, the potential for a snowball effect is worrying. How long will it take before they start broadening the scope?"
"Such an attack infrastructure combined with these 'network choke points' to redirect traffic has the potential to compromise 'everyone'," Eiram said. "It would clearly have detrimental impact on the state of Internet security, and it sounds like a huge concern for Americans and foreigners alike."