What is FoxAcid

The following is a description of one of the NSA's cyber-attack methods revealed in the Snowden documents.

FoxAcid is an NSA system for launching a variety of attacks at target computers; the NSA itself calls it an "exploit orchestrator". In the documents it is described as a Windows Server 2003 machine loaded with Perl scripts and custom software. The exploits it serves target browser vulnerabilities, giving the NSA control of the target's browser so that it can spy on that person's online activity.

To keep the infected computer compromised for eavesdropping, the implant periodically calls back to the FoxAcid server, which can then attack the computer again with new malware.

FoxAcid servers sit on the public internet and can be reached by any computer anywhere, but they do not infect every visitor. The visiting browser has to request a special URL that marks it as an intended target, and each target gets its own unique URL. The target is usually tricked into following that URL. Favourite NSA methods for getting a target onto the URL are phishing attacks, race-condition attacks (answering the target's request before the legitimate server can) and frame-injection attacks.

FoxAcid servers are run by the NSA's Tailored Access Operations group, or TAO, a subgroup of the Signals Intelligence Directorate. TAO is responsible for creating the URL for each target, swapping and replacing malware on the FoxAcid servers, and deciding which exploit is used against which target.

TAO uses the initial infection to report back on the technical sophistication of the target and the security software installed on the target computer. With this information it decides which payload the first-stage malware should download from the FoxAcid server. Infected computers also call back to the NSA for further instructions and to upload data from the target computer. By 2008 the NSA had to build a special system just to manage all of the callback data.
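Two things in the description above are visible from the victim's side of the network: the implant calls back to its server at regular intervals, and the lure URL is unique to each target and never reused. The script below is an added example of how a defender might look for both in web-proxy logs; it is not code from the Snowden documents or from the NSA, and the log format, hostnames (reserved .test domains), IP addresses and thresholds are all constructed for the demonstration.

```python
"""Added example: two SOC heuristics over constructed web-proxy log lines.

Heuristic 1 (beaconing): a client that contacts the same host at near-regular
intervals, measured as the coefficient of variation of the gaps between hits.
Heuristic 2 (single-use tagged URLs): a host where no request path is ever
repeated across several clients, the shape a per-target lure URL leaves behind.
Hostnames, IPs and timestamps are invented; this is not real NSA traffic.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: "<ISO timestamp> <client ip> <host> <path>"
SAMPLE_LOG = """\
2013-10-04T09:00:00 10.0.0.5 callback.example.test /sync
2013-10-04T09:01:10 10.0.0.5 news.example.test /index.html
2013-10-04T09:01:15 10.0.0.5 news.example.test /world/story.html
2013-10-04T09:03:00 10.0.0.7 news.example.test /index.html
2013-10-04T09:03:04 10.0.0.7 news.example.test /sports.html
2013-10-04T09:10:02 10.0.0.5 callback.example.test /sync
2013-10-04T09:19:58 10.0.0.5 callback.example.test /sync
2013-10-04T09:25:40 10.0.0.5 news.example.test /index.html
2013-10-04T09:25:41 10.0.0.5 lure.example.test /x7k2m9qa3z
2013-10-04T09:26:02 10.0.0.5 news.example.test /tech.html
2013-10-04T09:30:01 10.0.0.5 callback.example.test /sync
2013-10-04T09:33:10 10.0.0.7 news.example.test /index.html
2013-10-04T09:33:11 10.0.0.7 lure.example.test /qz81v3mk0w
2013-10-04T09:40:00 10.0.0.5 callback.example.test /sync
2013-10-04T09:47:30 10.0.0.5 news.example.test /index.html
2013-10-04T09:49:59 10.0.0.5 callback.example.test /sync
"""


def parse_log(text):
    """Return a list of (timestamp, client, host, path); skips malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, host, path = parts
        records.append((datetime.fromisoformat(ts), client, host, path))
    return records


def beaconing_pairs(records, min_hits=4, max_cv=0.15):
    """Return (client, host, mean_gap_seconds, cv) for near-periodic contact.

    Human browsing is bursty, so stdev/mean of the inter-arrival gaps is large;
    a timer-driven callback gives a value close to zero. min_hits guarantees at
    least three gaps so the standard deviation is meaningful.
    """
    times = defaultdict(list)
    for ts, client, host, _ in records:
        times[(client, host)].append(ts)
    flagged = []
    for (client, host), stamps in sorted(times.items()):
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            flagged.append((client, host, round(mean), round(cv, 3)))
    return flagged


def single_use_tagged_hosts(records, min_clients=2):
    """Return hosts where every request path appeared exactly once.

    A per-target lure URL is requested once by one target and never again, so
    across the fleet the host shows as many distinct paths as requests. Hosts
    seen from fewer than min_clients clients are skipped so that one user's
    single visit to an ordinary site is not flagged.
    """
    hits_by_host = defaultdict(list)
    for _, client, host, path in records:
        hits_by_host[host].append((client, path))
    flagged = []
    for host, hits in sorted(hits_by_host.items()):
        clients = {client for client, _ in hits}
        paths = [path for _, path in hits]
        if len(clients) >= min_clients and len(set(paths)) == len(paths):
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, host, period, cv in beaconing_pairs(recs):
        print(f"beacon: {client} -> {host} every ~{period}s (cv={cv})")
    for host in single_use_tagged_hosts(recs):
        print(f"single-use tagged URLs on host: {host}")
```

On the constructed log the first heuristic flags only 10.0.0.5 talking to callback.example.test roughly every ten minutes, while the same client's irregular visits to the news site pass; the second flags lure.example.test, whose two paths were each requested exactly once by different clients. Thresholds such as max_cv and min_hits are starting points to tune against real traffic, and both heuristics produce leads for analysts, not verdicts.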
