The NSA planted malware capable of collecting sensitive information on 50,000 computers worldwide, a leaked presentation slide shows.
The slide, from 2012, features a world map showing "Computer Network Exploitation" access points in more than 50,000 locations, spanning five continents, a report in Danish paper NRC Handelsblad said. The report is based on documents leaked by whistleblower Edward Snowden.
NSA reportedly had 20,000 infected networks in 2008, showing the figure had more than doubled in four years.
The latest malware apparently functions as a digital sleeper cell, which can be remotely turned on and off by the NSA. The malware is said to be distributed by the NSA's Tailored Access Operations group (TAO).
The scale of NSA's malware is "extraordinary", Jim Killock, executive director at Open Rights Group told SCMagazineUK.com, adding: "And for what purpose? It seems the hacking is not an individual or suspect, but about gaining access to networks where data might be acquired."
Nick Pickles, director at privacy campaigner Big Brother Watch, concurs, adding: "Offensive cyber warfare against targets that pose no direct security risk undermines the very fabric of an open and international internet. Yet again, the NSA has been found to be acting in a manner wholly contradictory to US foreign policy of ensuring the internet does not fragment and further undermine the free flow of information and ideas around the world."
The capabilities of NSA's malware are not yet known. However, firms cannot expect antivirus software to detect the malware created by security services, Killock warned. "Malware can only be detected if it has already been created. The challenge for the commercial industry is to think about how it is they are going to try to detect the activities of security agencies."
Campaigners have been calling on the UK government for transparency over the NSA's activities as well as those of UK spy agency GCHQ. "We need some transparency about the surveillance that's taking place," Killock said. "We have a huge blurring of the strategy which seems to be 'any time, anywhere'. This will hopefully make people aware of their security and make sure that systems aren't susceptible to malware, but we need Governments to behave responsibly."