"The agency’s solution," reports The Intercept, "was TURBINE. Developed as part of TAO unit, it is described in the leaked documents as an 'intelligent command and control capability' that enables 'industrial-scale exploitation.'"
"The TURBINE infrastructure will allow the current implant network to scale to large size (millions of implants) by creating a system that does automated control implants by groups instead of individually," says one NSA document. It describes Turbine as an 'Active SIGINT system.' SIGINT stands for 'signals intelligence', and therefore implies the interception of communications. This is perhaps the NSA's primary mission. The NSA states, "The Signals Intelligence mission collects, processes, and disseminates intelligence information from foreign signals for intelligence and counterintelligence purposes and to support military operations."
Infecting a computer with malware and controlling that malware from a remote C&C unit is not the interception of foreign signals. To get round this semantic problem the NSA uses the term 'active SIGINT,' which implies provoking the communications (through the use of infiltration) that can then be intercepted.
One of the documents goes further. A slide titled There is More Than One Way to QUANTUM (made available to partner spy agencies in the Five Eyes) describes Quantumbot. It 'takes control of idle IRC bots' and 'finds computers belonging to botnets, and hijacks the command and control channel.' Quantumbot is described as 'Highly Successful (over 140,000 bots co-opted).'
When the security industry 'takes down' or 'disrupts' a botnet, the bots themselves remain infected. The takedown is usually done with the cooperation of the FBI. The NSA would therefor have knowledge of and access to any botnet C&C servers that aren't taken over by the industry rather than law enforcement.
It's easy, PandaLabs technical director Luis Corrons told Infosecurity, "especially when you don’t have to follow the law: find out where the bot is communicating to, go there and hack into the Command & Control server, and voilà, you have a new botnet of your own... Once you have gained access to the C&C then it is very easy, it will depend on the botnet but in most cases you could just install the same C&C in a server you control and then update the URL where all bots have to connect to in order to receive instructions."
Security expert David Harley told Infosecurity, "It’s far from unknown for one gang to hijack or piggyback another gang’s botnet. If the NSA wanted to play the same game, I imagine they have the in-house expertise that would get them a seat at the table – though there would obviously be ethical, legal and constitutional issues if this turned out to be the case."
He also believes that not only could it happen, the security industry could see it happening without recognizing who was doing it. "We do see botnets with very close resemblances to other botnets, sometimes botnets recently taken down." But finding a botnet and knowing who controls it are two different things, he explained.