Cyber Threat Actor: National Security Agency
| Actor Type | Location | Known Incidents |
Nation State
|
United States of America
|
3 incidents |
|---|
Profile
The threat actor known by the aliases No Such Agency, National Security Agency and NSA is a United States intelligence organization based in the United States of America. It is publicly recognized as a state‑affiliated entity responsible for signals intelligence and cyber operations. The actor’s affiliation with the U.S. government is explicitly noted in the sourced material, establishing a clear state nexus. No criminal consortium or non‑state affiliation is described in the provided information.
Targeting observed in the reported incidents includes a Chinese military university engaged in military research, iPhone users alleged to be government personnel and diplomatic staff, and the general public using the Angry Birds mobile application. The strategic objectives cited across these cases are the theft of sensitive information, the collection of system and user data, and surveillance through advertising networks, all indicative of espionage‑oriented goals. No financial gain or disruptive intent is mentioned in the sources, so the focus remains on intelligence gathering. The actor’s activities are described as affecting institutions with military and technological significance as well as consumer platforms that can be leveraged for data collection.
Notable tactics, techniques and procedures referenced in the material involve the use of malware previously linked to the NSA, such as families associated with the Shadow Brokers leaks of 2016, and the creation of front companies or fictitious identities to register domain names and SSL certificates. A zero‑click iMessage exploit delivering non‑persistent malware that executes without user interaction, collects data and deletes traces is also described. Additionally, DNS tampering that intermittently redirects visitors to a spoofed page and exploitation via third‑party advertising networks are cited as initial access or data collection methods. These TTPs are presented exactly as reported, without extrapolation beyond the given details.
Representative operations highlighted in the sources are the alleged 2022 cyberattack on Northwestern Polytechnical University, the 2019 zero‑click iMessage campaign affecting thousands of iPhones, and the 2014 DNS‑based defacement of the Angry Birds website tied to surveillance concerns. Each incident is publicly attributed to the NSA by Chinese or Russian authorities, or framed within reports linking intelligence agencies to the described activity. The actor’s role as a United States state intelligence service is the only affiliation explicitly established in the provided context.
