The big story out of the Washington Post today is about how the NSA uses Google cookies in order to hack computers.
It's important to note that cookie collection isn't used in bulk surveillance, but rather in crafting exploits for identified targets.
The NSA gives the target's cookies to Tailored Access Operations, its division of elite hackers. If TAO knows what websites a target visits on regular basis, it can probe those websites for weaknesses.
Once a weakness is found, TAO can upload a software exploit to a link that user periodically clicks or a file it periodically downloads, thus executing whatever malware exploit TAO has designed.
This hacking method is highly effective given the right bait, which makes the TAO's target profiling so valuable.
"Many people’s jobs consists in reading PDFs and providing them with a compromised PDFs in a familiar context has ~100% chance of success," John Michener, chief scientist, Casaba Security, tells Business Insider via email. "Microsoft has observed that over 90% of the compromises are now to third party applications and plugins such as PDF readers, Office, Flash, and the like."
Michener imagines if the roles were reversed, and an American diplomat were targeted:
"In the case of a compromised site such as “Foreign Policy”, [the target] would download a compromised paper in pdf format and would be compromised when they ran the pdf reader," Michener wrote. "In fact, they could simply read the article via the browser – which would load the pdf reader locally to do the formatting – and the effect would be the same."
The NSA could also use the target's profile to craft very convincing or compelling spear phishing attacks, which Michener notes is the easier approach.
Recently, The New York Times revealed that several diplomats compromised themselves prior to a G20 meeting in Paris. Suspected Chinese hackers used a spear phishing attack which promised naked photos of Nicolas Sarkozy's supermodel wife.