This undated GCHQ reference document enumerates the processes and tools analysts use for computer network exploitation: see the Der Spiegel article The Digital Arms Race: NSA Preps America for Future Battle, 17 January 2015.
This 17 September 2004 article from the internal NSA newsletter SIDToday describes the establishment of a new Remote Operations Center (ROC) for performing endpoint (hacking) attacks: see the Der Spiegel article The Digital Arms Race: NSA Preps America for Future Battle, 17 January 2015.
This extract from the US Intelligence Community’s Congressional Budget Justification for the Fiscal Year 2013 (the “Black Budget”) provides the budget for GENIE the project “which underpins NSA/CSS’ Computer Network Operations (CNO) Endpoint capabilities conducted by the Tailored Access Operations (TAO) Group: see the Der Spiegel article The Digital Arms Race: NSA Preps America for Future Battle, 17 January 2015.
This presentation gives an overview of the NSA’s programmes targeting the fibre optic cables that carry much of the world’s internet traffic. One slide gives a breakdown of which data sources form the basis of Presidential daily briefings. Another shows that the access point used to collect Yahoo and Google cloud data (MUSCULAR) is operated by GCHQ on UK territory. Slides detailing RAMPART cable accesses were published by the Intercept on 18 June 2014: see the Washington Post article How we know the NSA had access to internal Google and Yahoo cloud data, 4 November 2013.
An outline for the SIGINT Enabling project, which aims to “influence and/or overtly leverage” the design of commercial IT products. A small section of this document was later un-redacted by The Intercept: see the ProPublica article Revealed: The NSA’s Secret Campaign to Crack, Undermine Internet Security, 5 September 2013.