Six New Additions to the SIGINT Summaries

Grondstation van de Nationale SIGINT Organisatie (NSO) in Burum, Frysl‚nI have added six new items to the SIGINT Summaries page. The Summaries include downloadable copies of leaked Communications Security Establishment(CSE) documents, along with summary, publication, and original source information.1 CSE is Canada’s foreign signals intelligence agency and has operated since the Second World War.

Documents were often produced by CSE’s closest partners which, collectively, form the ‘Five Eyes’ intelligence network. This network includes the CSE, the National Security Agency (NSA), the Government Communications Headquarters (GCHQ), Australian Signals Directorate (ASD),2 and Government Communications Security Bureau (GCSB)).

All of the documents are available for download from this website. Though I am hosting the documents they were all first published by another party. The new documents and their summaries are listed below. The full list of documents and their summary information is available on the Canadian SIGINT Summaries page.

The new contributions come from documents released by Der SpiegelThe Intercept, and CBC. They cover a range of topics, including activities undertaken by the Counter Computer Network Exploitation (CCNE) groups at the Communications Security Establishment (CSE), the mass monitoring of file downloads from free file upload sites (e.g. Rapidshare, MegaUpload), as well as enriching UK and Canadian databases using data that foreign nations’ hackers are exfiltrating from targets of interest to the NSA, UK, and Canadians.

Open Source for Cyber Defence/Progress

Summary: This GCHQ wiki entry identifies current and future sources of data for cyber defence actions. All of the sources are open source. In the future there are plans to integrate sources of vulnerability intelligence, bulk infrastructure data, as well as a set of miscellaneous kinds of data (e.g. what addresses should be protected).

The wiki entry describes GhostNet as a “known ORB server” under the ‘Bulk Infrastructure Data’ heading. GhostNet is a command and control infrastructure that was mainly used by the People’s Republic of China in the course of targeting organizations such as foreign embassies and the Tibetan Government-In-Exile. Research on GhostNet was conducted by a collection of academic institutions, including the Citizen Lab at the Munk School of Global Affairs, University of Toronto. Operational Relay Boxes (ORBs) are used by SIGINT agencies as proxies and let SIGINT actors to take actions that victims cannot positively attribute to the responsible agency. It is unclear from the document whether GCHQ or other Five Eyes agencies plan to use GhostNet infrastructure as their own ORBs or whether they classified activities coming from that infrastructure as likely attributable to Chinese-signals intelligence groups.
Document Published: February 4, 2015
Document Dated: Last Updated June 25, 2012
Document Length: 2 pages
Associated ArticleWestern Spy Agencies Secretly Rely On Hackers For Intel And Expertise
Download DocumentOpen Source for Cyber Defence/Progress

Who Else Is Targeting Your Target? Collecting Data Stolen By Hackers

Summary: This NSA bulletin describes CSE and GCHQ discovery of hackers who are exfiltrating email data from targets of interest to the agencies. CSE and GCHQ have exploited hacker-based stolen data (codenamed INTOLERANT) and used it to enrich the agencies’ own data stores. Victims targeted by the hackers, and thus exploited by the SIGINT agencies, fell into the following categories: Indian Diplomatic and Indian Navy, Central Asian Diplomats, Chinese Human Rights Defenders, Tibetan Pro-Democracy Personalities, Uighur Activists, European Special Representative to Afghanistan and Indian photo-journalists, and the Tibetan Government-In-Exile. Though the hackers are believed to be state-sponsored neither CSE or CCHQ could positively attribute their actions to a particular state. Canadian, American, or other Five Eyes nations’ institutions that liaise with the victims may have been notified of the hacking though there is no evidence that the actual victims were notified.
Document Published: February 4, 2015
Document Dated: June 5, 2010 (Last Updated October 11, 2012)
Document Length: 1 page
Associated Article: Western Spy Agencies Secretly Rely On Hackers For Intel And Expertise
Download DocumentWho Else Is Targeting Your Target? Collecting Data Stolen By Hackers

LEVITATION and the FFU Hypothesis

Summary: This CSE slide deck describes the effectiveness the LEVITATION program. LEVITATION is used to monitor and identify persons who download materials from Free File Upload (FFU) sites. At the time of the presentation, LEVITATION monitored for file URLs, as well as for sequential numbers, selector names, and web search terms. In the future CSE proposed integrating GPS data, devices close to places, telephony gaps, information about the targets of foreign SIGINT agencies, and missed call data. The document does not state how integrating this data would enrich the LEVITATION program.

LEVITATION begins with CSE’s Web Operations Centre (CWOC) identifying URLs on FFU sites linking to documents of interest. A special source, codenamed ATOMIC BANJO, provides 10-15 million ‘download events’ to CSE each day from 102 FFU sites. All of these events are available using OLYMPIA, CSE’s network knowledge engine. CSE examines the aggregate events against CWOC’s list of roughly 2,200 URLs, which yields roughly 350 download events of interest each month. It is unclear whether the remaining event data is purged from CSE’s databases.

Information from interesting download events are then processed by CSE. The Establishment first examines whether the IP address associated with the download event has been seen five hours previous and following the event by Five Eyes listening posts. If the IP address was seen then the MARINA or MUTANT BROTH databases are queried to correlate the IP address with personally-identifying identifiers in those databases, thus identifying the person who likely downloaded the material in question. MARINA is a NSA database containing intercepted metadata and GCHQ’s MUTANT BROTH database contains similar metadata. Though not discussed elsewhere, CSE notes successes derived from monitoring file uploads — and then disseminating intelligence to organizations such as the CIA — for intelligence gathering as well.
Document Published: January 27, 2014
Document Dated: Unknown (Post March 2012)
Document Length: 21 pages
Associated ArticleCSE tracks millions of downloads daily: Snowden documents
Download DocumentLEVITATION and the FFU Hypothesis

SNOWGLOBE: From Discovery to Attribution

Summary: CSE’s Counter Intelligence branch identified a spyware-based intelligence program, codenamed SNOWGLOBE, that may have been crafted by France’s intelligence service. SNOWGLOBE was found using the REPLICANTFARM anomaly detection system that is part of CSE’s WARRIOR PRIDE computer network exploitation platform.

Various versions of the spyware implants were found since November 2009 (SNOWBALL 1, SNOWBALL 2, and SNOWMAN). Together they compose the SNOWGLOBE program. The program’s infrastructure was identified using CSE’s passive collection system (EONBLUE). Infrastructure was found in the US, Canada, UK, Czech Republic, Poland, and Norway. The infrastructure was found on free hosting services as well as attached to existing non-free systems. CSE could not determine if access to those systems involved the foreign actor using an exploit or special source access, or a combination of the two.

The spyware was found to have infected Iranian (e.g. Atomic Energy Organization), European (e.g. European Financial Association), African, and Canadian organizations. A French-language Canadian news organization was also infected by SNOWGLOBE. Based on the victims CSE did not believe that SNOWGLOBE fit a cybercrime profile. At the time CSE presented these findings they could not positively attribute SNOWGLOBE or a particular French intelligence agency nor could they identify the person(s) running it, nor did CSE know how the French agency gained access to the non-free parts of its infrastructure.
Document Published: March 21, 2014 // January 17, 2015
Document Dated: 2011
Document Length: 9 pages // 25 pages
Associated Article: Quand les Canadiens partent en chasse de ‘Babar’ (Fr); French spy software targeted Canada: report (En); The Digital Arms Race: NSA Preps America for Future Battle
Download Document: SNOWGLOBE: From Discovery to Attribution (9 pages) // SNOWGLOBE: From Discovery to Attribution (Expanded Edition) (25 pages)

Pay attention to that man behind the curtain: Discovering clients on CNE infrastructure

Summary: This CSE document describes how the Establishment analyzes its targets as part of Counter Computer Network Exploitation (CCNE) operations. CCNE operations draw data from the Computer Network Exploitation (CNE) group, the Global Network Discovery group, and the Cyber Counter Intelligence group. CCNE analyses ideally identify whether a foreign party has already exploited a CSE targeted device or infrastructure and, if so, which part has done so.

CCNE relies heavily on the outputs of WARRIOR PRIDE, which is CSE’s computer network exploitation platform. These outputs, codenamed REPLICANTFARM, let CCNE identify whether there are other actors, implant technologies, or other anomalies present on the targeted device or system.3

As part of its operations, CCNE can use covert infrastructure that is identified and mapped as part of the LANDMARK system. The infrastructure, referred to as ‘Operational Relay Boxes’ (ORBs), lets CCNE plausibly deny its activities.

The core takeaway for this document is that CCNE provides situational awareness to CNE, insofar as it alerts the CNE team about possible cohabitation of common infrastructure. CCNE also lets CSE identify new actors when detecting previously-unseen anomalies as well as lets the Establishment track known actors. As a result, CCNE is able to ‘deconflict’ where a piece of infrastructure has multiple state agencies intruding upon it while providing information about the tradecraft and tools used by foreign actors discovered in the world.
Document Published: January 17, 2015
Document Dated: June 2010
Document Length: 30 pages
Associated ArticleThe Digital Arms Race: NSA Preps America for Future Battle
Download Document: Pay attention to that man behind the curtain: Discovering aliens on CNE infrastructure

CSE SIGINT Cyber Discovery: Summary of the current effort

Summary: This CSE slide deck describes the integration between the Counter Computer Network Exploitation (CCNE), Global Network Discovery (GND), and Cyber Counterintelligence (CNT1) units. Whereas CCNE and GND are responsible for collecting data, CNT1 is responsible for analyzing and reporting on the discovered data.

CCNE uses plugins from the WARRIOR PRIDE to parse data sent from CSE-exploited devices and systems. CCNE’s goal is to determine if a non-CSE implant or other actor has already exploited the device or system, as well as evaluate whether anomalous files are present on the device or system, or whether anomalous data traffic is coming from the device or system.

GND uses over 200 sensors deployed around the world to track threats; this sensor network is codenamed EONBLUE. EONBLUE sensors scale to 10Gbps of data traffic and there were plans to increase detection speeds to multi-10Gbps rates. Data traffic is analyzed to discover targets (relying on the SLIPSTREAM machine reconnaissance WARRIOR PRIDE plugin), as well as to track targets (codenamed SNIFFLE) and extract Domain Name System and HTTP metadata.

As part of future work, GND planned to test EONBLUE’s ability to send metadata into a localized XKEYSCORE database and, potentially, to share metadata with other nations’ XKEYSCORE databases. XKEYSCORE is used to hold raw and unselected communications data. GND also planned to share CSE EONBLUE data with the DSD’s EONBLUE program. Curiously, the GND also has a system of detecting QUANTUM, which is a system that injects data packets into network traffic for computer network exploitation activities.

CNT1 analyzes the data or leads provided by CCNE and GND groups to pursue interesting leads and conducts analyses of information derived from the other groups. Received data can come from special source, warranted, and second party data, malware analysis and reverse engineering, as well as forensic analyses of implants. The analysis is used to produce reports on the anomalies or activities seen by CCNE and GND, as well as to try and attribute the data or leads to specific actors.
Document Published: January 17, 2015
Document Dated: November 2010
Document Length: 22 pages
Associated Article: The Digital Arms Race: NSA Preps America for Future Battle
Download Document: CSEC SIGINT Cyber Discovery: Summary of the current effort


  1.  Formally known as the Communications Security Establishment Canada (CSEC). 
  2.  The ASD was formerly known as the Defence Signals Directorate (DSD). 
  3.  Codenamed actors that are monitored for include: MAKERSMARK / FANNER, SEEDSPHERE / BYZANTINE (i.e. China), ALOOFNESS, VOYEUR, SUPERDRAKE, and GOSSIPGIRL. The documents note that selectors for CCNE are always approved against actors such as MAKERSMARK for WATERMARK operations. The document does not reveal what such operations entail.