> If they achieve access to a target, it's likely they control a path to it.
Without specific, documented cases this is speculation of course. But I don't see why they'd use a link level protocol. 1. It requires patching multiple networking devices in the path, which is not very quiet. 2. It sticks out in any monitoring (via mirror ports) more than a UDP packet to a random host. DNS or ntp as a transport would be much simpler to hide.
And what exactly would be the problem for the NSA with patching networking devices? They even mention how it's useful specifically for these hard targets
>"some of the most productive operations in TAO because they pre-position access points into hard target networks around the world."
Without specific, documented cases this is speculation of course. But I don't see why they'd use a link level protocol. 1. It requires patching multiple networking devices in the path, which is not very quiet. 2. It sticks out in any monitoring (via mirror ports) more than a UDP packet to a random host. DNS or ntp as a transport would be much simpler to hide.