How to Detect NSA’s Quantum Insert Attacks

During the past two years Edward Snowden exposed multiple NSA hacking operations; the most sophisticated one was known as Quantum Insert. Quantum Insert is a MITM (man-in-the-middle) attack that has been used since 2005 by the NSA and GCHQ to hack high-end systems and inject malware.

What is Quantum Insert?

Quantum Insert is mostly used to reach systems and machines that are unreachable through phishing attacks. It hijacks a browser while it is accessing a web page and redirects the user to a malicious web page, allowing hackers to download malware onto the target’s system.

The NSA used Quantum Insert to hack into terrorists’ computers in the Middle East; however, it was also used in highly controversial NSA and GCHQ operations against employees of the Belgian telecom Belgacom and OPEC, allowing NSA hackers to inject 300 malicious pieces of code on computers around the world while remaining undetected.

For a Quantum Insert to work, both the NSA and GCHQ must have very fast servers located near the target’s machine, capable of intercepting browser traffic quickly enough to deliver a malicious web page to the target’s computer. The agencies have achieved this using rogue systems codenamed FoxAcid servers and ultra-high-speed servers called “shooters”.

Hacking into Belgacom – How Does Quantum Insert Work?

In the case of the Belgacom hack it was important to identify engineers and system admins who worked for the company and its subsidiary BICS. NSA hackers used the digital footprints of those employees to map and identify their IP addresses (both work and home) and their Skype, Gmail, Facebook and LinkedIn accounts. After that, GCHQ created FoxAcid-hosted rogue pages, replicating, for example, a target’s Facebook profile page.

After a target was mapped, the agencies used packet-capturing tools that sniffed internet traffic, with or without the cooperation of telecoms. Once the sniffers identified a GET request initiated by the target’s browser, they would notify the shooter servers, which would redirect the browser. Redirection occurred using spoofed TCP packets that would send the user to a malicious Facebook page hosted on FoxAcid.

Identifying Quantum Insert

When Snowden uncovered Quantum Insert he also leaked a slide by the Netherlands-based security company Fox-IT showing how to deal with these attacks. According to this document, the secret lies in the very first packets that come back to a browser in response to a GET request. One of the packets contains content from a malicious page, while the other packets carry content for the authentic site sent from the legitimate server. However, both packets have the same sequence number.

According to the Snowden document, the secret lies in analyzing the first content-carrying packets that come back to a browser in response to its GET request. One of the packets will contain content for the rogue page; the other will be content for the legitimate site sent from a legitimate server. Both packets, however, will have the same sequence number. That, it turns out, is a dead giveaway.


When a browser sends a GET request to show a web page, it sends a packet carrying various data, including the source and destination IP addresses and the sequence and ACK (acknowledgement) numbers. The server responds with a series of packets, each containing ACK numbers and sequence numbers, which allow the browser to reconstruct the series of packets as a web page.

In a Quantum Insert attack, the victim’s system receives duplicate TCP packets that use the same sequence number but carry different payloads. The first one to arrive is the injected one and the other comes from the authentic server; the latter is ignored by the browser.

Checking the first content-carrying packet is probably the easiest way to detect a QI, but it offers no guarantees, as an inject can be present later in the TCP session. Checking only the first content-carrying packet reduces the number of false positives.

A re-transmission with a different payload size will sometimes look like a QUANTUM INSERT. This can happen when a re-transmission is cut short, for example during TCP window size changes.

The injected packets also show a difference in their Time To Live (TTL) values. Because the QI packets are usually inserted closer to the target client, their TTL is relatively higher than that of the real responses, which come from further away. While the initial TTL can be modified, it is difficult to predict the correct TTL value exactly.
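The checks described above (duplicate sequence number with a different payload, the short re-transmission false positive, the first-content-packet option and the TTL difference) can be combined in a small detector. This is an added example, not Fox-IT's Snort patch or code from the original article; the `Segment` record, the function name and the sample traffic are constructed for illustration, and comparing only the overlapping bytes is one assumed way to handle short re-transmissions.

```python
from collections import namedtuple

# Simplified server-to-client TCP segment record (hypothetical model, not a pcap parser).
Segment = namedtuple("Segment", "src sport dst dport seq ttl payload")
Alert = namedtuple("Alert", "flow seq first_ttl second_ttl ttl_delta")

def detect_quantum_insert(segments, first_only=False):
    """Flag segments that reuse a sequence number with conflicting payload bytes.

    first_only=True inspects only the first content-carrying sequence number
    of each flow: fewer false positives, but later injects are missed.
    """
    seen = {}        # (flow, seq) -> first data segment observed
    first_seq = {}   # flow -> seq of the first content-carrying segment
    alerts = []
    for seg in segments:
        if not seg.payload:              # pure ACKs carry no content
            continue
        flow = (seg.src, seg.sport, seg.dst, seg.dport)
        first_seq.setdefault(flow, seg.seq)
        if first_only and seg.seq != first_seq[flow]:
            continue
        prev = seen.setdefault((flow, seg.seq), seg)
        if prev is seg:                  # first time this seq is seen
            continue
        # Compare only the overlapping bytes: a re-transmission that was cut
        # short is a prefix of the original and is not an inject.
        n = min(len(prev.payload), len(seg.payload))
        if prev.payload[:n] != seg.payload[:n]:
            alerts.append(Alert(flow, seg.seq, prev.ttl, seg.ttl, prev.ttl - seg.ttl))
    return alerts

# Constructed sample traffic (documentation addresses, made-up values).
SRV = ("203.0.113.10", 80, "198.51.100.7", 51000)
SAMPLE = [
    Segment(*SRV, 1000, 61, b"HTTP/1.1 302 Found\r\nLocation: http://inject.example/\r\n\r\n"),
    Segment(*SRV, 1000, 49, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
    Segment(*SRV, 1044, 49, b"<html>page body, first part"),
    Segment(*SRV, 1044, 49, b"<html>page"),   # short re-transmission, benign
]

if __name__ == "__main__":
    for a in detect_quantum_insert(SAMPLE):
        print(f"possible inject on {a.flow} seq={a.seq} "
              f"ttl {a.first_ttl} vs {a.second_ttl} (delta {a.ttl_delta})")
```

A positive `ttl_delta` means the first-arriving segment had the higher TTL, which matches the pattern described above for an inject placed close to the client.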

The Fox-IT team has created patches for Snort that add the ability to detect Quantum Insert, and they have also published packet captures on their GitHub repo.
