Here's one I do understand: Suppose you want to exfiltrate some data out of a network without raising alarms. One way to do it is to set up a DNS server. Basically, you use DNS itself as a communication method, not merely a lookup table.
I've never actually used it, but it always seemed a cool idea. Almost no one blocks DNS, which means you can send data from anywhere in the world in a very unexpected way. You'd of course want to keep the transmission size reasonable (perhaps 5GB of DNS traffic might raise some eyebrows) but any system that you can `nslookup foo.com 8.8.8.8` on, you'd be able to `nslookup foo.com <your special server>` on. So this technique works in almost every case, except extremely monitored systems that only allow outgoing connections to a specific set of restricted IP addresses.
But for the special network protocol that the NSA uses to access backdoored NICs, I forget why it works, since the packet would need to pass through many routers along the way. In fact, I feel like I'm misremembering. Most target computers are behind routers, so it really doesn't make sense. Maybe it's a technique used against routers themselves. All I remember is that the NSA has some type of "signals we can send which normal networking tooling doesn't detect at all," along with a dose of "we know Iran just ordered some new servers, so we intercepted the servers and installed a backdoor." (The latter is called TAO: https://en.wikipedia.org/wiki/Tailored_Access_Operations)
They definitely do something with NICs though. The ANT document (https://en.wikipedia.org/wiki/NSA_ANT_catalog#Capabilities_l...) shows "COTTONMOUTH-III is a stacked Ethernet and USB plug costing approximately $1.25M for 50 units." Must be one hell of a plug.
https://en.wikipedia.org/wiki/NSA_ANT_catalog#/media/File:NS... is also pretty neat. It's a USB airgap bridge, i.e. janitor walks up and plugs it in to the target device. I wonder what the range on stuff like that is... Seems like you'd have to be sitting outside in a van or something, which is rather hard to do if your target is a nuclear enrichment facility (stuxnet).
You don’t need to tell nslookup to use a special server. If you control the SOA for your own domain, the normal DNS server will happily exfiltrate your data for you.
The technique worked well for portals that allowed arbitrary DNS-over-UDP as well as portals that had their own exclusive DNS - provided that those portals worked by redirecting all IP traffic (i.e. they didn't fake DNS results).
It was slow though... I think I maxxed-out at around 8KBps (~64kbps) - barely enough for basic email functionality and text-only web-surfing.
https://www.congress.gov/bill/116th-congress/senate-bill/179...
§ 5707 (c)(2): "the implications of [5G] global and regional adoption on the cyber and espionage threat to the United States, the interests of the United States, and the cyber and collection capabilities of the United States;"
