This page contains a listing of covernames associated with the National Security Agency (NSA). NSA is responsible for providing signals intelligence (SIGINT) and information assurance services to the United States government.
I have produced similar lists for Communications Security Establishment (CSE), Government Communications Headquarters (GCHQ), Australian Signals Directorate (ASD), and Government Communications Security Bureau (GCSB). You may also want to visit Electrospaces.net, which has also developed lists of covernames for some of the above mentioned agencies.
In some cases, you may find that covernames are listed across different agencies. This results from how covernames lists have often been created, which involved close reading of documents that were associated with different agencies and then listing covernames under the agency which authored the documents. In all cases, I would suggest you search across agency covername lists when researching a given covername.
Most of the material provided below is derived from publicly available documents, books, and other resources. Unlike other covername guides, however, we have included some which are derived from the 2016 NSA Tool dump and thus exceed what was contained in the Snowden documents, and which had previously been listed at https://musalbas.com/blog/2016/08/16/equation-group-firewall-operations-catalogue.html (this URL is now only accessible using the Wayback machine). Descriptions of what the covernames mean or refer to are done on a best-effort basis; if you believe there is additional publicly referenced material derived from NSA documents which could supplement descriptions please let me know. In all cases, we have sought to cite sentences/passages of analysis to specific texts or sources.
Last updated January 12, 2023.
NSA Covernames/Programs and Suggested Use/Interpretation
#
1212/DEHEX – Converts hexadecimal strings to IP addresses and ports (Equation Group firewall operations catalogue).
A
AARDVARKSTAKE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
ABSOLINEDELTA – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
ADJUTANTVENTURE – This was an operator against whom the NSA was engaged in fourth party collection, and which used a fixed value to set encryption keys (TRANSGRESSION Overview for Pod58, 14).
ACRIDMINI – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9). It was used as an input for SPINALTAP (SPINALTAP: Making Passive Sexy for Generation Cyber, 6). The ACRIDMINI project was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
AFTERBOOTSOLE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
AFTERCLIFFDIVE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
AFTERDOGHOUSE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
AFTERGASSTATION– This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
AFTERLASTTEAM – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
AFTERRICHGEAR -This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
AFTERSHORTRUN – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
AFTERTANKERTRUCK -This covername refers to a project operated by either the NSA or GCHQ, and is involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
AFTERTREEFORM – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
AFTERWAYBACK -This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
AFTERWINDBLOWN – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
AFTERYARDARM – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
ARTIFACE – This is a covername for one of FAIRVIEW’s corporate partners (SSO Dictionary, 1).
AIRHANDLER – An operations centre at Fort Gordon where analysts produced intelligence concerning Afghani activities based on intercepted cell phone calls that were relayed to the station via satellite from inside of Afghanistan (The Secret Sentry: The Untold History of the National Security Agency, 301).
ALTEREDCARBON – This covername refers to the effort to develop IRATEMONK implants for Seagate drives, including their hybrid drive products. This project existed within the Persistence Division in the NSA, and was available for interns to work on (S3285/InternProjects, 4).
AMBULANT (AMB) – A covername used by National Counterintelligence and Security Centre (Exceptionally Controlled Information (ECI) Compartments, 1).
AMULETSTELLAR –
ANCHORY – This covername refers to a database where SIGINT product reports were stored (SID Today: Write Right: Caveat Scrutator (Or, ‘But I Saw It on the Internet!’), 1).
ANCIENTBREW – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
APACHERIVER – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
APERIODIC (APR) – A covername used by National Counterintelligence and Security Centre (Exceptionally Controlled Information (ECI) Compartments, 1).
APERTURESCIENCE – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).
APEX – This covername refers to the cross-organizational effort to achieve a capability for shaping Tailored Access Operation (TAO) active collection from HAMMERMILL routers to TURMOIL, which is a midpoint passive collector (TURMOIL/APEX/APEX High Level Description Document, 2). The ultimate goal of APEX development was to do the following. First, achieve the real-time exfil of HAMMERMILL active collection and direct it to a TURMOIL passive collector that could recognize, unwrap the packets from the TAO protocol (i.e., FASHIONCLEFT), and restore the packets to their original state. Second, to perform processing and forwarding of the unwrapped content to data repositories, and optionally perform further target identification and traffic selection in TURMOIL. Third, to engage TURBULENCE storage and analytic processes for delivery of content to analysis. Fourth, to enable TURBINE dynamic control of HAMMERMILL and TURMOIL, so as to allow for near real-time implant tasking on feedback from TURMOIL ((TURMOIL/APEX/APEX High Level Description Document, 2). The effect would be to access two sides of IKE exchanges (TURMOIL/APEX/APEX High Level Description Document, 3).
APLUS – refers to the software linked with the increased modem capacity at Menwith Hill Station that was part of the ‘exploit it all’ paradigm (ELEGANT CHAOS, 4).
APPARITION – This covername refers to a system designed to precisely geolocate foreign very small aperture satellite terminals (VSATs), which are often used by Internet cafes and foreign governments in the Middle East. It builds off of GHOSTHUNTER, insofar as whereas GHOSTHUNTER combined FORNSAT and VSAT geolocation information at Menwith Hill, APPARITION was designed to collect VSAT information and share it in databases that could be queried from other (non-local) collection and analyst locations (APPARITION Becomes a Reality, 1).
ARGYLEALIEN – This covername refers to a project that interns could work on, and was part of the Tailored Access Operations (TAO) team. Specifically, this covername refers to an effort to exploit a security feature in many modern hard drives to zero out drives (S3285/InternProjects, 3).
ARMOREDCONDOR – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
ARROWECLIPSE – This covername refers to an operator that was targeting infrastructure used by BYZANTINE CANDOR, a Chinese-based Computer Network Exploitation (CNE) operator (BYZANTINE HADES: An Evolution of Collection, 21).
ASPHALT – This covername refers to software modems responsible for processing low-bit signals linked to satellite collection at Menwith Hill Station (MHS) (ELEGANT CHAOS, 3). Alternately, this covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19). It is unclear whether these were discrete programs.
ASSIMILATOR – This covername refers to a social media analysis (SNA) tool that was developed to extract social relations from manuscripts, store the relations in a specialized database, and subsequently perform operations on the aggregated social network data (SID Today: New SNA Tool (and More) to be Unveiled at Open House).
ASSOCIATION – This covername refers to a tool that could access GSM events (Event (SIGINT), 3) and was able to access FASCIA data (SSO Dictionary, 3).
ATOMICCANNON – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
ATOMICCONDOR – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
ATOMICFIREBALL – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
ATOMICFOG – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
ATOMICMONKEY – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
ATOMICPUNCH – This covername refers to a project operated by either the NSA or GCHQ, and is involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
ATOMICSTRIKE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
AUNTIE (AUN) – A covername that was used by National Counterintelligence and Security Centre (Exceptionally Controlled Information (ECI) Compartments, 1).
AURORAGOLD (AG) – AURORAGOLD refers to an NSA project which gathered data on international GSM/UMTS cellphone networks for both the NSA’s Wireless Portfolio Program Office (WPMO), and also its Target Technology Trends Center (TC3/SSG4) (AURORAGOLD, 1). The data gathered for AURORAGOLD helped the NSA to understand the current state of global cellphone networks, conduct trending and time-series analysis, and to forecast the evolution of GSM/UMTS networks (AURORAGOLD, 1). AURORAGOLD involved a team of analysts, developers, and wireless SMEs who worked on: maintaining a database of Mobile Network Operators (MNOs), networks, and PWIDs collected from international roaming documents (IR.21s); targeting working groups of MNOs, roaming hubs, and of the GSM Association (GSMA); and merging open-source, licensed, commercial data with SIGINT to address wireless demands (AURORAGOLD Working Group, 3). AURORAGOLD provided the NSA with primary-source network information and firsthand insight into industry changes (AURORAGOLD Working Group, 2).
AZTECTOMB – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
B
BACKSNARF – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
BADASS – An NSA compartment (Gellman, Dark Mirror, 206) that refers to the BEGAL Automated Deployment And Survey System (Mobile apps doubleheader: BASASS Angry Birds, 3). See: GCHQ covernames.
BADDECISION (BDN) – This was used to redirect a target to a FOXACID server without being noticed (Introduction to WLAN/802.11 Active CNE Operations, 15). It was described as a “802.11 CNE tool that uses a true man in the middle attack and frame injection technique to redirect a target client to a FOXACID server” (Introduction to BADDECISION, 5).
BADGIRL – An NSA covername (Gellman, Dark Mirror, 203).
BALLOONKNOT – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9). See GCHQ covernames.
BANANABALLOT – A BIOS module associated with an implant (likely BANANAGLEE) (Equation Group firewall operations catalogue).
BANNANADAIQUIRI – An implant associated with SCREAMINGPLOW (Equation Group firewall operations catalogue).
BANANAGLEE – A non-persistent firewall software implant for Cisco ASA and PIX devices that was installed by writing the implant directly to memory. (Equation Group firewall operations catalogue).
BANANALIAR – A tool for connecting to an unspecified implant (likely BANANAGLEE) (Equation Group firewall operations catalogue).
BANYAN – This covername refers to a “calling-tree analysis tool which contains all FASCIA II call records and LAMPSHADE INMARSAT data” (SSO Dictionary, 3); these records are also, more generally, referred to as telephony events (Event (SIGINT), 3).
BARGLEE – A firewall software implant. Unknown vendor (Equation Group firewall operations catalogue).
BARICE – A tool that provides a shell for installing the BARGLEE implant (Equation Group firewall operations catalogue).
BARNFIRE – This covername refers to a Tailored Access Operations (TAO) intern computer network attack project. XXX (S3285/InternProjects, 3).
BARPUNCH – A module for BANANAGLEE and BARGLEE implants (Equation Group firewall operations catalogue).
BASECOAT – This covername refers to a MYSTIC access in the Bahamas. The Drug Enforcement Agency (DEA) possessed access to this lawful interception system for counter-narcotics. There were two BASECOAT sites that were located in the Bahamas (SSO Dictionary excerpt MYSTIC).
BATCAVE – This covername included a “digital hideout for agency hackers who emerge to steal another country’s software code.” (Gellman, Dark Mirror, 209).
BBALL – A module for BANANAGLEE implants (Equation Group firewall operations catalogue).
BBALLOT – A module for BANANAGLEE implants (Equation Group firewall operations catalogue).
BBANJO – A module for BANANAGLEE implants (Equation Group firewall operations catalogue).
BCANDY – A module for BANANAGLEE implants (Equation Group firewall operations catalogue).
BEACHHEAD – A reference to JSOC and CIA tools that were developed and operated by Computer Network Exploitation (CNE) operators responsible for FOXACID servers (FOXACID SOP For Operational Management of FOXACID Infrastructure, 7).
BEDOUINSTRIKE -This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
BEECHPONY – A firewall implant that was a predecessor of BANANAGLEE (Equation Group firewall operations catalogue).
BEEFCAKE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
BENIGNCERTAIN – A tool that appears to be for sending certain types of Internet Key Exchange (IKE) packets to a remote host and parsing the response (Equation Group firewall operations catalogue).
BENTWHISTLE – This covername refers to an aspect of the BERSERKR implant, which was developed by the NSA’s Persistence Division and was available for interns to work on. BENTWHISTLE was a collection tool that ran from BERSERKR (S3285/InternProjects, 10).
BERSERKR – This covername refers to a persistent backdoor that was implanted into the BIOS and ran from the SMM. The implant was developed by the NSA’s Persistence Division, and was available for interns to work on. Tasks that interns could work on, included detecting loaded drivers and running processes (for Windows persistence) or installing an application or injecting something into memory which provided persistence on Linux devices; in the future, interns could work on an efforts to build a collection tool that ran from BERSERKR (S3285/InternProjects, 9-10).
BFLEA – A module for BANANAGLEE implants (Equation Group firewall operations catalogue).
BIGBIRD – This covername refers to a “cable modernization effort, which began in 2004 to support the theme of a more focused, agile collection, a more cost-effective cover, and access to new higher priority cable systems. As part of the FAIRVIEW/SSO broad access, focused collection strategy, the BIGBIRD effort provided the program with significant additional access to targets on selected undersea cable systems, an automated remote survey capability, and a modernized collection and processing suite for exploiting this new access.” BIGBIRD was planned to be further modernized as part of POORWILL. (SSO Dictionary, 1).
BIGDIPPER – This covername refers to a data processing capability that was used by FAIRVIEW in a PINECONE SCIF as part of preparing metadata sourced from billing records and ICDR’s that was to be sent to the NSA (FAIRVIEW Dataflow Diagrams, 10).
BIGPIPE –
BILBOBADGER – Daily summaries from this covername were used as an enrichment feed for ELEGANTCHAOS (ELEGANT CHAOS, 9).
BILLOCEAN – Retrieved the serial number of a firewall, to be recorded in operation notes. Used in conjunction with EGREGIOUSBLUNDER for Fortigate firewalls (Equation Group firewall operations catalogue).
BIRDWATCHER – This covername refers to a project which resurveyed for VPN key exchanges in order to try and obtain a paired keyset (Special Collection Service: Pacific SIGDEV Conference, 10).
BISHOP – Recoded to MAVERICK CHURCH (BYZANTINE HADES: An Evolution of Collection, 3).
BISHOPKNIGHT – This covername refers to a Chinese Computer Network Exploitation (CNE) actor (BYZANTINE HADES: An Evolution of Collection, 3).
BLACKAMETHYST – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
BLACKMESA – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
BLACKANT (BAT) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 1)
BLACKAXE (BAX) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 1).
BLACKBALL (BKL) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 1).
BLACKBELT – An NSA covername (Gellman, Dark Mirror, 207) that refers to a FAIRVIEW access (SSO Dictionary, 1)..
BLACKCLOUD (BCL) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 1).
BLACKHOLE (BLH) – See GCHQ covernames.
BLACKJACK (BKJ) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 1).
BLACKNIGHT – This was a legacy system under the THEORYMASTER program, which was to be replaced by COURIERSKILL (SSO Dictionary, 1).
BLACKPEARL – This was a processing and collection system (Atomic SIGINT Data Format (ASDF) Configuration Read Me, 1) that, when it was visualized in slides, sometimes Included links that were associated with particular SIGADs (Network Shaping 101). Some of the data it contained came from FAIRVIEW (SSO Corporate Portfolio Overview, 9). BLACKPEARL was associated with SIGDEV targeting routers or other networking infrastructure and c automated linking of DNI information and network characterization against survey collection across the SIGINT system (What Your Mother Never Told You About SIGDEV Analysis, 29). It could produce reports about VPNs, DNI access essential information, MPLS reports, as well as five tuple reports. (What Your Mother Never Told You About SIGDEV Analysis, 30) When you queried the database with endpoint IP addresses it could return the inner label IP addresses for networks (What Your Mother Never Told You About SIGDEV Analysis, 32-33). See CSE covernames.
BLACKTIE (BKT) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 1).
BLACKVULTURE (BVE) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 1).
BLACKWIDOW (BKW) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 1).
BLADERUNNER – An NSA covername (Gellman, Dark Mirror, 210).
BLARNEY – BLARNEY refers to classified Special Source Operation (SSO) arrangements between telephone companies including AT&T and the NSA, dating back to the 1970s (Gellman, Dark Mirror, 199, 316). Any case where the street address of a BLARNEY covert site would be detailed in internal documents would result in the document being classified as TS//SI-ECI WPG//NF (Classification Guide for ECI WHIPGENIE, 5). It was assigned the SIGAD US-984 for FISA collection and US-984X* for FAA collection (SSO Corporate Portfolio Overview, 8), and it was targeted towards diplomatic establishments, counterterrorism, foreign governments, and economic intelligence while operating under the authorities of the NSA’s FISA and FBI’s FISA, as well as FAA (SSO Corporate Portfolio Overview, 14). BLARNEY was the leading source of FISA collection, was consistently “a top contributed to the President’s Daily Brief,” and contributed to over “60% of product reporting to the Counterterrorism product line and over 80% of the overall FAA reporting” (SSO Corporate Portfolio Overview, 14). While PRISM fall under BLARNEY it was just one access of many (SSO Corporate Portfolio Overview, 14). More generally, it was a part of the FAA 702 UPSTREAM program (PRISM/US-984XN Overview, 3-4).
BLARNEYNET – This covername refers to an individual access to information that was processed from FAIRVIEW and, specifically, to logs that was associated with metadata flow that was sourced from billing records and ICDRs that was linked to SEAGULL (FAIRVIEW Dataflow Diagrams, 10-11).
BLATSTING – A firewall software implant that was used with EGREGIOUSBLUNDER (Fortigate) and ELIGIBLEBACHELOR (TOPSEC) (Equation Group firewall operations catalogue).
BLINDDATE (BD) – This was used as a survey and vulnerability analysis tool for 802.11 networks, and was part of the toolset used to identify whether a target may have been susceptible to a FOXACID-based exploitation (Introduction to WLAN/802.11 Active CNE Operations, 7). BLINDDATE entailed being proximate to a target, insofar as its exploitation of WPA/WPA2 required relative nearness in order to exploit these protocols (Introduction to BADDECISION). It featured a plug-in architecture, which meant that it could be used for custom functions. Some such functions included: heat mapping, NITESTAND, BADDECISION, HAPPY HOUR, and more. BLINDDATE offered a graphical user interface for both active and passive CNE tools, and provided output data to various databases (including MASTERSHAKE) (Expeditionary Access Operations: NSA’s Close Access Network Exploitation Program, 6).
BLINDMARKSMEN –
BLOODDIAMOND – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
BLUESMOKE – This covername refers to snort rules which were used as part of HIDDENSALAMANDER to identify botnet activity, as part of the TURMOIL program (HIDDENSALAMANDER: Alerting and Characterization of Botnet Activity in TURMOIL, 15).
BLUEZEPHYR – This refers to an access for OAKSTAR that was assigned the SIGAD US-3277 (SSO Corporate Portfolio Overview, 8)
BMASSACRE – A module for BANANAGLEE and BARGLEE implants (Equation Group firewall operations catalogue).
BNSLOG – A module for BANANAGLEE and BARGLEE implants (Equation Group firewall operations catalogue).
BOOKISHMUTE – An exploit against an unknown firewall using Red Hat 6.0 (Equation Group firewall operations catalogue).
BORGERKING –
BOUNDLESSINFORMANT – This covername refers to a “live-updated map of surveillance intake around the world” (Gellman, Dark Mirror, 207). More specifically BOUNDLESSINFORMANT, which was used by the NSA’s Global Access Operations (GAO), refers to the use of “Big Data technology to query SIGINT collection in the cloud to produce near real-time business intelligence describing the [NSA’s] available SIGINT infrastructure and coverage” (BOUNDLESSINFORMANT Describing Mission Capabilities, 4). BOUNDLESSINFORMANT was designed to self-document the collection posture of the GAO and, in the process, do away with ad hoc estimations of what was being collected and from where in the world (BOUNDLESSINFORMANT Describing Mission Capabilities, 3-4). At a high-level, BOUNDLESSINFORMANT could show, in various graphical display formats, aggregate records against an entire country whereas focusing on particular countries would show how many records a given program or covername was collecting (BOUNDLESSINFORMANT Frequently Asked Questions, 1). BOUNDLESSINFORMANT was hosted completely on corporate servers and leveraged FOSS technology, meaning it was available to all NSA developers (BOUNDLESSINFORMANT Describing Mission Capabilities, 5).
BORESIGHT – This covername refers to a High Frequency Direction Finding (HFDF) program (NSA High Frequency (HF) Collaboration efforts with Japan).
BOXWOOD (BXD) – a covername used by S2H (Exceptionally Controlled Information (ECI) Compartments, 1).
BPATROL – A module for BANANAGLEE implants (Equation Group firewall operations catalogue).
BPICKER – A module for BANANAGLEE implants (Equation Group firewall operations catalogue).
BPIE – A module for BANANAGLEE and BARGLEE implants (Equation Group firewall operations catalogue).
BRAVENICKLE – This covername refers to a project that involves using an implant to copy and shape an entire physical network link without selection, with the passive middlepoint being responsible for the selection (Analytic Challenges from Active-Passive Integration, 2). The copied link is not disguised but, instead, is routed on an unused layer 2 path that a passive collector can monitor (Analytic Challenges from Active-Passive Integration, 3). In the past, it only had one operational flow past a single SSO site (Analytic Challenges from Active-Passive Integration, 11).
BRICKTOP – This refers to an NSA operation in 2009 targeting Russian telecommunications companies, anti-virus vendors, technological institutions, and other significant technological organizations such as Rosoboronexport, which is Russia’s sole state organization for exporting a full range of military, dual-use products and services and technologies (An Easy Win: Using SIGINT to Learn About New Viruses, 3). BRICKTOP was followed by, or integrated into, Project CAMERDADA (An Easy Win: Using SIGINT to Learn About New Viruses, 1).
BROADSIDE – a covert interception in the US embassy in the USSR, in the 1960s-1970s (The Secret Sentry: The Untold History of the National Security Agency, 152).
BROKENTHOUGHT – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
BULLDOZER –
BULLRUN – See GCHQ covernames.
BULLETTOOTH – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
BUSURPER – A module for BANANAGLEE implants (Equation Group firewall operations catalogue).
BUZZDIRECTION – A firewall software implant for Fortigate firewalls (Equation Group firewall operations catalogue).
BYZANTINE ANCHOR – This covername refers to a Chinese Computer Network Exploitation (CNE) actor that was engaged in relatively universal targeting, with some focus on weapon systems, information systems, and NASA (BYZANTINE HADES: An Evolution of Collection, 3).
BYZANTINE CANDOR (BC) – This covername refers to a Chinese Computer Network Exploitation (CNE) actor; as of June 2010, 80% of its targeted was focused on the Department of Defence, economic and commodities issues (i.e. oil deals), and on current geopolitical and economic events (BYZANTINE HADES: An Evolution of Collection, 3). The actor was formally referred to as TITAN RAIN III and used targeted email spearphishing tied to malware (BYZANTINE HADES: An Evolution of Collection, 3) and relied on Facebook posts to remain in command and control of the bots used as part of the actor’s operations (BYZANTINE HADES: An Evolution of Collection, 10). Tailored Access Operations (TAO) succeeded in identifying the operators behind BYZANTINE CANDOR by collecting information that was being exfiltrated by another operator, ARROWECLIPSE; using this collected information, TAO successfully identified the team leader of the operation, as well as future targets, malware samples and methods, and identified infrastructure (BYZANTINE HADES: An Evolution of Collection).
BYZANTINE FOOTHOLD – This covername refers to a Chinese Computer Network Exploitation (CNE) actor that, as of June 2010, spent 50% of its activity targeting TRANSCOM and 40% targeting PACOM and the U.S. Government and defence contractors (BYZANTINE HADES: An Evolution of Collection, 3). This actor used SSH and modified DES to encrypt its exfiltrated information (TRANSGRESSION Overview for Pod58, 13).
BYZANTINE HADES (BH) – This covername refers to Chinese Computer Network Exploitation (CNE) actors/operators (BYZANTINE HADES: An Evolution of Collection, 2) that the NSA was conducting fourth party collection against (TRANSGRESSION Overview for Pod58, 5). There were a range of BYZANTINE HADES sets, including BISHOP KNIGHT, BYZANTINE ANCHOR, BYZANTINE CANDOR (BC), BYZANTINE FOOTHOLD, BYZANTINE PRAIRIE, BYZANTINE RAPTOR, BYZANTINE TRACE, BYZANTINE VIKING, CARBON PEPTIDE, DIESEL RATTLE, MAVERICK CHURCH, POP ROCKS, SEEDSPHERE (BYZANTINE HADES: An Evolution of Collection, 3).
BYZANTINE PRAIRIE – This covername refers to a Chinese Computer Network Exploitation (CNE) actor that went inactive in March 2008 (BYZANTINE HADES: An Evolution of Collection, 3).
BYZANTINE RAPTOR – This covername refers to a Chinese Computer Network Exploitation (CNE) actor that resurfaced in the summer of 2008; as of June 2010, 90% of its activities were targeted towards the Department of Defence, though it had also targeted Congress (BYZANTINE HADES: An Evolution of Collection, 3).
BYZANTINE TRACE – This covername refers to a Chinese Computer Network Exploitation (CNE) actor that had previously targeted the Department of Defence, with 95% of its targeting in June 2010 focused on “Ministry of Affairs / Defense” (BYZANTINE HADES: An Evolution of Collection, 3).
BYZANTINE VIKING – This covername refers to a Chinese Computer Network Exploitation (CNE) actor (BYZANTINE HADES: An Evolution of Collection, 3).
C
CADENCE -This covername refers to “a DNI tasking tool. The CADENCE system fully automates the Front-End Dictionary Management process within Operations. Utilizing CADENCE, dictionary managers as well as target analysts are able to submit, review, and forward dictionary updates electronically. Receipts for these requests are automatically generated, statistics compiled and reported, and approved updates maintained in a database containing historical information for the DDO review of “USSID-18” compliance. Finally, CADENCE provides a transparent interface to BLACKNIGHT/SHIPMASTER, COURIERSKILL, and other site dictionaries” (SSO Dictionary, 1). It could take some time for CADENCE tasking to be updated; it could take anywhere up to a week when providing an update to SSO BLARNEY versus a few hours for STORMBREW (SSO Corporate Portfolio Overview, 5).
CADENCEFIST –
CAFFEINECRASH – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
CAMBERDADA – This covername refers to Project CAMBERDADA. The project monitored the communications of anti-virus vendors such as Kaspersky so as to collect malicious file samples for both offensive and defensive purposes (An Easy Win: Using SIGINT to Learn About New Viruses). As of sometime after 2009, the project was scoped to potentially include the following companies: AVG (Czechoslovakia), Viritpro (Italy), k7computing (India), Spy-Emergency (Slovakia), Emisoft (Austria), fsb-antivirus (France), F-prot (Iceland), Ikarus (Austria), Nod32 (Slovakia), Norman (Noway), Hauri (Korea), Avira (Germany), Ahnlab (South Korea), Eset (Slovakia), eAladdin (Israel), Bit-Defender (Romania), F-Secure (Finland), Arcabit (Poland), Novirusthanks (Italy), Avast (Czechoslovakia), DrWeb (Russia), Antiy (China), and Checkpoint (Israel).
CAMEL (CAMEL4) –
CAMELUS – Project CAMELUS was a multi-pronged negotiating effort that saw the NSA move one of its High Frequency (HF) Remote Collection Facilities from the island of Okinawa to Camp Hansen, in Japan. The US Government sought to, and was successful in, getting the Japanese government to pay full costs of the relocation and establishment of new replacement mission systems, which were themselves cover named STAKECLAIM. The cost to the Japanese government was approximately $500 million (USD) over 10-years (NSA SIGINT Site Relocated in Japan: The Story Behind the Move).
CANYON – A new type of SIGINT satellite launched in the late 1960s and 1970s. These satellites provided the NSA with access to high-level telephone traffic in the USSR that was carried over microwave radio-relay networks (The Secret Sentry: The Untold History of the National Security Agency, 155).
CAPTIVATEDAUDIENCE – This covername refers to a software tool that listened in on conversations by activating the microphone of a target’s mobile handset (Gellman, Dark Mirror, 209).
CARBON PEPTIDE – This covername refers to a Chinese Computer Network Exploitation (CNE) actor (BYZANTINE HADES: An Evolution of Collection, 3).
CASTLECRASHER – This covername refers to a project that operated out of the NSA’s Persistence Division, and which was available for interns to work on. CASTLECRASHER was the primary technique used in executing DNT Windows payloads from all payload persistence techniques (i.e. IRATEMONK and SIERRAMISTFREE). It was all Windows native mode code that was built using Visual Studio. CASTLECRASHER used many advanced techniques including threat injection and anti-stack backtracking. At least at one point, CASTLECRASHER didn’t work against systems with 360 Safe installed (S3285/InternProjects, 6-7).
CASTANET –
CASTLECREEK (CC) –
CATAPULT – This covername refers to a CSE-NSA bilateral project designed to advance common objectives and SIGINT aims (Communications Security Establishment (CSE) – Our Good Neighbor to the North). Specifically, CATAPULT was a data portal created to exchange SIGINT products between the NSA and its 2nd party partners. The CATAPULT data portal was implemented at CSE and accessible via the NSANet. It contained all 2nd party viewable SIGINT products, such as multimedia reporting, CRITICOMM released product, and SIGINT on Demand (SOD) items. CATAPULT was based on the CSE’s SLINGSHOT project (CATAPULT: A Bilateral Data Port). CATAPULT was folded within the NSA’s JOURNEYMAN program, which aimed to redesign SIGINT product authoring and dissemination (CATAPULT: A Bilateral Data Port). See CSE covernames.
CELESTIALGLOBE (CLG) – A covername used by S2B (Exceptionally Controlled Information (ECI) Compartments, 1).
CENTRICDUD – This covername refers to a project that was undertaken by the NSA’s Persistence Division, and which was available for interns to work on. CENTRICDUD was a tool to read and write bytes in the CMOS, and had to be rewritten and productized. The tool was used by the BIOS team and IT Geo team (S3285/InternProjects, 10-11).
CERFCALL – This covername refers to a technology that was used to collect DNI and DNR information in the Netherlands (BOUNDLESSINFORMANT Countries Data, 5).
CERFCALLMOSES1 – This covername refers to a technology used to collect DNI and DNR information in Germany (BOUNDLESSINFORMANT Countries Data, 3) and by third-parties (BOUNDLESSINFORMANT, 14).
CHALET – A new type of SIGINT satellite launched in the late 1960s and 1970s. These satellites provided the NSA with access to high-level telephone traffic in the USSR that was carried over microwave radio-relay networks (The Secret Sentry: The Untold History of the National Security Agency, 155).
CHAOSOVERLORD – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 10).
CHELSEABLUE –
CHIEFDOM (CFD) – A covername used by National Counterintelligence and Security Centre (Exceptionally Controlled Information (ECI) Compartments, 2).
CHIMNEYPOOL (CHM, CP) – This covername refers to a communications framework used to communicate with STRAITBIZARRE implanted devices (Moving Data Through Disconnected Networks, 31), including as part of the QUANTUM program (QUANTUM Shooter SBZ Notes, 3). With regards to its use for QUANTUM, CHIMNEYPOOL was managed by the GENIE Network Configuration Centre (NCC) (QUANTUM Shooter SBZ Notes, 3). It was also used to communicate between TURBINE and the HAMMERMILL implants, and was used to issue commands to the implants (APEX: Active/Passive Exfiltration, 47).
CHIPPEWA –
CHOCOLATESHIP – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 10). The project was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
CINEPLEX –
CLASSICBULLSEYE – an ocean SIGINT system that used high-frequency direction finding listening posts, which was used by the Five Eyes to track in near real-time the ocean movements of Soviet warships and submarines. In the 1970s there were 21 CLASSICBULLSEYE stations around the world, which were integrated with eight stations operated by the United States’ Five Eyes partners (i.e. Australia, Canada, New Zealand, United Kingdom) (The Secret Sentry: The Untold History of the National Security Agency, 128).
CLEARSIGHT – This covername refers to an element of site processing that takes place when information is obtained through FAIRVIEW (FAIRVIEW Dataflow Diagrams, 10). It is associated or linked with COURIERSKILL (FAIRVIEW Dataflow Diagrams, 10).
CLIMBINGSHIRT – An operation conducted by Expeditionary Access Operations Iraq (EAO-I) that involved gifting a pair of laptops to a target. The laptops were previously exploited by EAO-I and intended to provide intelligence pertaining to the communications of the targets and their broader network (Expeditionary Access Operations: NSA’s Close Access Network Exploitation Program, 12).
CLICKUMBER (CKU) – A covername used by S0242 (Exceptionally Controlled Information (ECI) Compartments, 1).
CLIFFSIDE – This covername refers to a FAIRVIEW site (SSO Dictionary, 2).
CLOUDSHIELD – This covername refers to an NSA DNS-blocking system (An Easy Win: Using SIGINT to Learn About New Viruses, 9).
CLUCKLINE – A module for BANANAGLEE implants (Equation Group firewall operations catalogue).
COALSHOVEL –
COBALTFALCON – This refers to an access for OAKSTAR that was assigned the SIGAD US-3217 (SSO Corporate Portfolio Overview, 8)
COBALTGUPPY -This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
COBRAFOCUS – an operations centre at Fort Gordon where analysts produce intelligence concerning Iraqi activities based on intercepted cell phone calls that were relayed to the station via satellite from inside of Iraq (The Secret Sentry: The Untold History of the National Security Agency, 301).
COCOAMELTDOWN – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
COLOSSUS – This covername refers to an element of the Tailored Access Operations (TAO) group’s botnet harvesting system. Specifically, COLOSSUS was used for FTP data that had been cleaned up by STORMPIG from TAO’s network to a DMZ FTP server between TAO Net and NSANet (DEFIANTWARRIOR and the NSA’s Use of Bots, 19).
CONTAINMENTGRID – A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit affecting version tos_3.3.005.066.1 (Equation Group firewall operations catalogue).
CONTRAOCTAVE – This covername was used within the ECHOBASE project as one of the foreignness criteria (Identifier Lead Triage with ECHOBASE, 6); CONTRAOCTAVE operated as a reference database that contained phone numbers “that should not be tasked in OCTAVE or UTT” (SSO Dictionary, 6).
CONUS – This covername refers to sites where passive IP sensors were deployed as part of an experiment, which is discussed under the covername SILVER (SSO Dictionary, 8).
CONVEY –
CONVEYANCE – This covername refers to a way of processing information. In the case of information obtained through the PRISM program, after information had been returned from a company vis-a-vis the FBI’s DITU, it was processed by PRINTAURA and protocol exploitation; this led to voice content being separated out and was sent through CONVEYANCE and then onto NUCLEON (PRISM/US-984XN Overview, 10). In the case of collecting transit voice, fax, and modem DNR and VoIP, as another example, CONVEYANCE was part of the NSA’s corporate processing of data, which involved processing data and then sending it to NUCLEON (FAIRVIEW Dataflow Diagrams, 6). CONVEYANCE was also meant to store VoIP information that was collected by HAMMERCHANT (TURMOIL/APEX/APEX High Level Description Document, 9).
COOKIEDOUGH – An NSA covername (Gellman, Dark Mirror, 210).
CO-TRAVELER – This covername refers to a set of analytic tools, fed by a database that stored cellphone location information on “at least hundreds of millions of devices” (Gellman, Dark Mirror, 325). The CO-TRAVELER data analysis toolkit enabled the NSA to find unknown associates of known intelligence targets through tracking people whose movements intersected (Gellman, Dark Mirror, 325).
COURIERSKILL – This covername refers to “a project under the THEORYMASTER program. It provides high performance content Filtering and Selection (F&S) capabilities to meet the current and future needs of Data Network
Intelligence. COURIERSKILL also provides content F&S services for the WEALTHYCLUSTER 2.0 system. It is designed to replace the legacy BLACKNIGHT system” (SSO Dictionary, 1). COURIERSKILL was, in the case of FAIRVIEW, deployed for site processing alongside CLEARSIGHT (FAIRVIEW Dataflow Diagrams, 7).
COWBOY – This covername refers to SIGAD US-984T, and which operated under FISA collection authorities associated with FAIRVIEW (SSO Corporate Portfolio Overview, 9).
CRIMSONREGENT (CSG) – A covername used by S2B (Exceptionally Controlled Information (ECI) Compartments, 1).
CRIMSONSTEAL (CSL) – A covername used by S2B (Exceptionally Controlled Information (ECI) Compartments, 1).
CRISPWARE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
CRISSCROSS –
CROSSBONES – A covername that refers to an analytic journal in which the NSA records intrusions which are detected and documented (The Northwest Passage (Volume 2, Issue 1), 3).
CROSSBONES2 – A covername that refers to an analytic journal in which the Tailored Access Operations (TAO) records information pertaining to Fourth Party Computer Network Exploitation (CNE) activities, as well as information which is collected about such activities (Fourth Party Opportunities, 25).
CROSSEYEDSLOTH – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).
CROSSHAIR – This covername refers to the NSA’s Direction Finding (DF) network. It was meant to be interoperable with foreign governments’ DF networks, such as Japan’s (NSA High Frequency (HF) Collaboration efforts with Japan). Canada possessed four sites as of 2005, Great Britain six, and Australia and New Zealand one each. Third-parties, including Austria, Denmark, Ethiopia, Hungary, Israel, India, Italy, Japan, Jordan, Korea, Netherlands, Norway, Pakistan, Saudi Arabia, Sweden, and Taiwan, also shared with the NSA and, in some cases, directly with one another (CROSSHAIR — Foreign Partners Filling HF/DF Gaps for the US).
CROWNROYAL –
CROWNPRINCE –
CRUMPET (CRM) – A covername used by TSMI/S34 (Exceptionally Controlled Information (ECI) Compartments, 1).
CRYPTICSENTINEL – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
CS – This refers to the CLIFFSIDE-A FAIRVIEW site (SSO Dictionary, 2).
CUDDLYBADGER – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
CULTWEAVE II – contained VOICESAIL events (GCHQ – Event (SIGINT), 4).
CUTEBOY – This covername refers to the probable team lead of BYZANTINE CANDOR, a Chinese-based Computer Network Exploitation (CNE) actor. The Tailored Access Operations (TAO) group successfully implanted his work machine as well as the physical machine associated with his ISP account (BYZANTINE HADES: An Evolution of Collection, 27).
CYBERCLOUD – This covername refers to a database which was used to store enriched metadata associated with botnet-related activities (HIDDENSALAMANDER: Alerting and Characterization of Botnet Activity in TURMOIL, 9).
CYBERQUEST (CQ) – This covername refers to a project that was operated by the NSA and which was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19). The NSA recognized the program as part of the NSA’s mission focused on cyber threat discovery (The Northwest Passage (Volume 2, Issue 1), 3).
CYBERTRANS –
CYGNUSOLOR – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
D
DANCING PANDA –
DANDERSPRITZ –
DAREDEVIL – An implant or shooter that was used as part of the QUANTUMTHEORY framework (QUANTUMTHEORY, 5).
DARKFIRE – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9). The project was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
DARKHELMET – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
DARKINTENT – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
DARKQUEST – This covername fit within the ‘exploit it all’ paradigm, in the context of the automated survey of FORNSAT (ELEGANT CHAOS, 4).
DARKRAVEN – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
DARKRAZOR – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
DARKSCREW – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
DARKTHUNDER – This covername refers to shared SSO/TAO Shaping project and was assigned SIGAD US-3105S1 which it shares with STEELFLAUTA (SSO Corporate Portfolio Overview, 8). It was associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 10). This project was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
DEADDRUMMER – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
DEADSEA – This covername refers to a database used to search for Fourth Party Computer Network Exploitation (CNE) instantiations (Fourth Party Opportunities, 24).
DECKSTOP (DKP) – A covername used by TSMI/S34 (Exceptionally Controlled Information (ECI) Compartments, 2).
DECODEORDAIN – This covername refers to a process associated with collection against SKYPE using PRISM. DECODEORDAIN enabled analysts to input a skypeMailToken to determine the email address associated with a given token (User’s Guide for PRISM Skype Collection, 2). Furthermore, using DECODEORDAIN analysts could find collected Skype video and chat content (User’s Guide for PRISM Skype Collection, 2-3).
DEEPFRIEDPIG – This covername refers to an element of the Tailored Access Operation (TAO) group’s botnet system. Specifically, DEEPFRIEDPIG was used to process some data from botnets and provide the sanitized data to YELLPIG, which was a FTP server located at the DMZ between TAO Net and NSANet (DEFIANTWARRIOR and the NSA’s Use of Bots, 19).
DEFIANTWARRIOR – This covername refers to a NSA/TAO program whereby access to other parties’ botnets or bots could be gained. Such botnets and bots were then used to engage in active Computer Network Exploitation, pervasive network analysis, and throw-away non-attributable Computer Network Attack activities (DEFIANTWARRIOR and the NSA’s Use of Bots).
DEMENTIAWHEEL (DMW) –
DEMONSPIT – A covername that refers to a then-new data flow (circa 2007) for bulk Call Detail Records (CDRs) from Pakistan. The CDRs were provided by major Pakistan telecommunications providers. Data was received from several clouds (e.g. GMHalo/DPS, GMPlace and Cloud 14, and Bulldozer/MDR2) and forwarded by TUSKATTIRE. DEMONSPIT data was used by NSA analysts to promote CDRs of interest, such as those belonging to potential Al’Qaeda couriers (SKYNET: Applying Advanced Cloud-based Behaviour Analytics, 6-7).
DEPUTYDAWG – An NSA covername (Gellman, Dark Mirror, 209).
DEPUTYSHIP – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
DESTO – This covername was associated with WAYLAND, and was part of the NSA’s corporate processing of information that was derived from FAIRVIEW (FAIRVIEW Dataflow Diagrams, 6).
DESTRO – SIGINT collection missions that were run off the Vietnam coast using US destroyers during the Vietnam war (The Secret Sentry: The Untold History of the National Security Agency, 83).
DETASSELJANICE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
DEVILFISH (DVF) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 2).
DEVILHOUND – An NSA covername (Gellman, Dark Mirror, 206).
DIESEL RATTLE – This covername refers to a Chinese Computer Network Exploitation (CNE) actor that was identified as targeting ISPs, defence contractors, and the government inside the United States, as well as Japanese interests (BYZANTINE HADES: An Evolution of Collection, 3).
DIRESCALLOP – This is an implant that was used to disable DeepFreeze, software that was used at Internet cafes and other public computers to ‘reset’ computers to their default state upon reboot. By disabling DeepFreeze other implants could be executed and then DeepFreeze is re-enabled, such that the secondary implants gain persistence. DIRESCALLOP’s deployment can be automated through FOXACID (FOXACID SOP For Operational Management of FOXACID Infrastructure, 10).
DIRTDIVER – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
DIRTSHED –
DISABLEVALOR –
DISCOROUTE – This covername refers to “a tool specifically designed to suck up and database router configuration files seen in passively collected telnet sessions.” (I hunt sysadmins, 4). More specifically, it was a NAC tool that was used to acquire, parse, database, and display configuration files from network devices including those made by Huawei, Juniper, and Cisco; it is used to let analysts “mine device configs for SIGDEV discovery” (What Your Mother Never Told You About SIGDEV Analysis, 9). As part of DISCOROUTE outputs which denote that TAO has presence on the targeted router, that it is a multihop router that an administrator telnetted into and then telnetted to another device, as well as associated cryptographic keys (What Your Mother Never Told You About SIGDEV Analysis, 17). This cryptographic information includes the pre-shared keys for Cisco, Huawei, or Juniper routers (What Your Mother Never Told You About SIGDEV Analysis, 18).
DISHFIRE – This covername refers to “a Short Message Service (SMS) storage and retrieval application developed by the Target Development Services (TAC/TDS) in response to formal requirements from the Counter Terrorism Office, and coordinated with the Rebuilding Analysis Center. DishFire offers retrieval, viewing, and some manipulation of SMS messages passed through various worldwide networks. As of September 2007, an Analyst Advisory Board (AAB) had been established to provide S2 Offices with insight into and an opportunity to comment on requirements levied on the DISHFIRE system” (SSO Dictionary, 2). Some of the data it contained came from FAIRVIEW (SSO Corporate Portfolio Overview, 9) and STORMBREW (SSO Corporate Portfolio Overview, 11).
DISTILLERY –
DISTORTAFFECT – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
DIXIESPRING (DXS) – A covername used by National Counterintelligence and Security Centre (Exceptionally Controlled Information (ECI) Compartments, 2).
DOMINATE (DOM) – A covername used by GAO/S35 (Exceptionally Controlled Information (ECI) Compartments, 2).
DOUBLETAP – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
DRAGGABLEKITTEN – This covername refers to an XKEYSCORE Map/Reduce analytic that was applied to packets collected and made accessible by XKEYSCOREDEEPDIVE (MHS Leverages XKS for QUANTUM Against Yahoo and Hotmail (Snippet)).
DRIFTWOOD –
DRINKMINT – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
DRINKMINT_AA – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
DRINKYBIRD – Monitoring information from this covername is used as an enrichment feed for ELEGANTCHAOS (ELEGANT CHAOS, 9). DRINKYBIRD’s GUI is an in-house network and tasking management GUI (ELEGANT CHAOS, 18), and is made for collection personnel to determine whether resources are available (ELEGANT CHAOS, 12).
DRTBOX – This covername refers to a technology used to collect DNI and DNR information in Afghanistan (BOUNDLESSINFORMANT Countries Data, 1), France (BOUNDLESSINFORMANT Countries Data, 2), Italy BOUNDLESSINFORMANT Countries Data, 4), Norway (BOUNDLESSINFORMANT Countries Data, 6), Poland (BOUNDLESSINFORMANT Countries Data, 6), and Spain (BOUNDLESSINFORMANT Countries Data, 7). It was a technology used by a foreign partner (BOUNDLESSINFORMANT, 12) and third-party (BOUNDLESSINFORMANT, 14).
DRUMBEAT – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
DURABLENAPKIN – A tool for injecting packets on LANs (Equation Group firewall operations catalogue).
DUSKPALLET – This covername refers to a MYSTIC access to a Kenyan GSM provider for DNR information. Collection took place on the Abis link. The access was similar to LAUNDROMAT’s access (SSO Dictionary excerpt MYSTIC).
E
EARLY BIRD – A covername that refers to the first INTELSAT communications satellites launched in the mid-1960s (The Northwest Passage (Volume 2, Issue 1), 1).
EASYHOOKUP – This covername refers to an exploitation tool used to attack removable media (FOXACID SOP For Operational Management of FOXACID Infrastructure, 25).
EASYKRAKEN – This covername refers to the effort to develop IRATEMONK implants for additional ARM-based Samsung hard drives. This project existed within the Persistence Division in the NSA, and was available for interns to work on (S3285/InternProjects, 5).
ECHELON – A cover name for the program designed to collect and process INTELSAT communications, and under the broader umbrella of the FROSTING program (The Northwest Passage (Volume 2, Issue 1), 1). ECHELON eventually grew to encompass non-Intelsat satellites, and included COMSAT/FORNSAT stations in all of the Five Eyes countries.
ECHOBASE – The ECHOBASE covername refers to an effort to use bulk analytics to present useful leads to NSA analysts. After enriching datasets with SIGINT-derived data analysts face too many ‘possible interest’ identifiers, whereas by doing bulk triage using behavioural analytics hundreds or thousands of selectors could be vetted quickly and only the most useful presented following a query. ECHOBASE relied on GHOSTMACHINE to analyze and identify which identifiers are most likely useful to analysts (Identifier Lead Triage with ECHOBASE).
EDITIONHAZE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
EFFABLELAMBDA – This covername refers to a project operated by either the NSA or GCHQ, and is involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
EGOTISTICALGIRAFFE (EGGI) – This covername refers to an exploit against the Tor anonymous browser, developed by an intern in the NSA’s Application Vulnerabilities Branch, S32313 (Gellman, Dark Mirror, 73). EGOTISTICALGIRAFFE worked on the Windows browser but not Mac or Linux, and was deployed against extremist web forums, and it did not work when a user turned off JavaScript (Gellman, Dark Mirror, 73).
EGREGIOUSBLUNDER A remote code execution exploit for Fortigate firewalls that exploits a HTTP cookie overflow vulnerability. It affects models 60, 60M, 80C, 200A, 300A, 400A, 500A, 620B, 800, 5000, 1000A, 3600, and 3600A. The model of the firewall is detected by examining the ETag in the HTTP headers of the firewall. This is not CVE-2006-6493 as detected by Avast (Equation Group firewall operations catalogue).
EINSTEIN –
ELECTRONSWORD – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
ELEGANTCHAOS (EC) – This program was meant to create a prioritized list of signals to automatically drive collection as collection activities increase, while delivering a way for analysts and collection managers to ‘see’ into the system using GUIs. It was created for exploiting, or making usable, information that was being collected at Menwith Hill Station (MHS). Its GUI was designed for analysts to examine the scores and impacts of different questions which, in turn, are used to automate the prioritization of certain data feeds based on current activities and high-value missions. (ELEGANTCHAOS, 12).
ELIGIBLEBACHELOR An exploit for TOPSEC firewalls running the TOS operation system, affecting versions 3.2.100.010, 3.3.001.050, 3.3.002.021 and 3.3.002.030. The attack vector is unknown but it has an XML-like payload that starts with <?tos length=”001e:%8.8x”?> (Equation Group firewall operations catalogue).
ELIGIBLEBOMBSHELL A remote code execution exploit for TOPSEC firewalls that exploits a HTTP cookie command injection vulnerability, affecting versions 3.2.100.010.1_pbc_17_iv_3 to 3.3.005.066.1. Version detection by ETag examination (Equation Group firewall operations catalogue).
ELIGIBLECANDIDATE A remote code execution exploit for TOPSEC firewalls that exploits a HTTP cookie command injection vulnerability, affecting versions 3.3.005.057.1 to 3.3.010.024.1 (Equation Group firewall operations catalogue).
ELIGIBLECONTESTANT – A remote code execution exploit for TOPSEC firewalls that exploits a HTTP POST paramter injection vulnerability, affecting versions 3.3.005.057.1 to 3.3.010.024.1. This exploit can be tried after ELIGIBLECANDIDATE (Equation Group firewall operations catalogue).
EMPTYMOCHA – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
ENCHANTED – refers to the covername for test servers used for Counter Computer Network Exploitation (CCNE) operations as part of the FOXACID program. All ENCHANTED CCNE operations, which included China, Russia, and ‘other’, concluded on January 18, 2010 (FOXACID SOP For Operational Management of FOXACID Infrastructure, 9).
ENLIGHTEN – This covername refers to a “long-standing NSA desktop collaboration and information distribution system” (SID Today: Write Right: Where Does It Say I Can’t, 2). It was for official use, only, and not to be used for disseminating either personal or non-official information (SID Today: Write Right: Where Does It Say I Can’t, 2).
EPICBANANA – A privilege escalation exploit against Cisco Adaptive Security Appliance (ASA) and Cisco Private Internet eXchange (PIX) devices. Exploitation takes advantage of default Cisco credentials (password: cisco). Affects ASA versions 711, 712, 721, 722, 723, 724, 80432, 804, 805, 822, 823, 824, 825, 831, 832 and PIX versions 711, 712, 721, 722, 723, 724, 804 (Equation Group firewall operations catalogue).
EPICFAIL – An NSA covername related to operational security (OPSEC) errors by surveillance targets (Gellman, Dark Mirror, 207).
EPICSHELTER – This covername refers to a backup and recovery system which could start small yet scale up to cover as much of the NSA’s digital data as needed (Gellman, Dark Mirror, 51). EPICSHELTER was designed by Edward Snowden (Gellman, Dark Mirror, 51).
EREPO – See GCHQ covernames.
ERRONEOUSINGENUITY – An NSA covername related to operational security (OPSEC) errors by surveillance targets (Gellman, Dark Mirror, 207).
ESCALATEPLOWMAN A privilege escalation exploit against WatchGuard firewalls of unknown versions that injects code via the ifconfig command (Equation Group firewall operations catalogue).
EVENINGEASEL – This covername refers to an access that is similar to that of MYSTIC’s LAUNDROMAT. Access was pending and was meant to collect on Mexican GSM communications against counter-narcotics. The site was to be located in Mexico (SSO Dictionary excerpt MYSTIC).
EXPLETIVEDELETED – This covername refers to an encryption software which used to be favoured by al Qaeda, and (Gellman, Dark Mirror, 213).
EXTRABACON A remote code execution exploit against Cisco Adaptive Security Appliance (ASA) devices affecting ASA versions 802, 803, 804, 805, 821, 822, 823, 824, 825, 831, 832, 841, 842, 843, 844. It exploits an overflow vulnerability using the Simple Network Management Protocol (SNMP) and relies on knowing the target’s uptime and software version (Equation Group firewall operations catalogue).
EXUBERANTCORPSE – This covername refers to an encryption software which used to be favoured by al Qaeda, and (Gellman, Dark Mirror, 213).
F
FABULOUSFABLE (FABFAB) – This was used for automated SECONDDATE tasking and triggers on particular selectors (i.e. MD5 hashed user names) used by Computer Network Exploitation (CNE) operators for targeted and untargeted operations (FOXACID SOP For Operational Management of FOXACID Infrastructure, 29).
FAIRVIEW – FAIRVIEW was the NSA’s covername for AT&T (Gellman, Dark Mirror, 401) and it operated under a Transit Authority and was designated SIGAD US-990 (SSO Corporate Portfolio Overview, 8). FAIRVIEW has a European collection site (Classification Guide for ECI WHIPGENIE, 4). More generally, it was a part of the FAA 702 UPSTREAM program (PRISM/US-984XN Overview, 3-4).
FAIRVIEWCOTS – This covername refers to a technology associated with FAIRVIEW, and which pertained to DNI and DNR information which was presented as part of the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 11) as Special Source Operations (BOUNDLESSINFORMANT, 13).
FAKEDOUBT – This covername refers to the effort to develop IRATEMONK implants for ARM-based Hitachi drives. This project existed within the Persistence Division in the NSA, and was available for interns to work on (S3285/InternProjects, 5)
FALLOUT – This covername refers a system that processed Internet metadata (Gellman, Dark Mirror, 401), and more specifically to a DNI ingest processor that was used for BOUNDLESSINFORMANT, and which was replaced by GM-PLACE (BOUNDLESS INFORMANT Frequently Asked Questions, 2). It was a technology associated with a foreign partner (BOUNDLESSINFORMANT, 12) as well as Special Source Operations (BOUNDLESSINFORMANT, 13) including FAIRVIEW (FAIRVIEW Dataflow Diagrams, 8).
FALLOWHAUNT (FH) – This covername refers to an NSA system that was capable of collecting and forwarding both hub and in-route intercepts from Hughes PES VSAT networks, to facilitate two-way collection (SID Today: Deployment of New System Improves Access to Iranian Communications, 1). At least one such system was deployed to SCS Kuwait City (SIGAD: US-967J) (SID Today: Deployment of New System Improves Access to Iranian Communications, 1).
FALSEMOREL Allows for the deduction of the “enable” password from data freely offered by an unspecified firewall (likely Cisco) and obtains privileged level access using only the hash of the “enable” password. Requires telnet to be installed on the firewall’s inside interface (Equation Group firewall operations catalogue).
FASCIA – This refers to a system which processed phone metadata before it reached MAINWAY (Gellman, Dark Mirror, 401) or DISHFIRE (FAIRVIEW Dataflow Diagrams, 10). More generally, FASCIA was a NSA corporate metadata repository (Atomic SIGINT Data Format (ASDF) Configuration Read Me, 1).
FASCIA II – This covername refers to the “call detail record warehouse” which fed MAINWAY (Gellman, Dark Mirror, 169). More specifically, “FASCIA II is a tool used as the primary source of metadata used in target development within the SIGINT community. The FASCIA II data warehouse contains PSTN, PCS, Media Over IP (MOIP), High Powered Cordless Phone (HPCP) Call Detail Records, ISAT, and VSAT contact events, It formerly contained Digital Network Intelligence (DNI) contact events which are now in MARINA. Analysts may login to FASCIA II to utilize its query and reporting facilities to identify and locate targets based on these call events, as well as adjust collection. FASCIA II also delivers high volumes of data to multiple data marts and follow-on analytical tools that aid in target development within the Intelligence Community. The number of users that have direct access to the FASCIA II database is restricted. Therefore, most analysts access FASCIA II data through BANYAN, a calling-tree analysis tool which contains all FASCIA II call records and LAMPSHADE INMARSAT data. Other tools that access FASCIA data include ASSOCIATION, MAINWAY, HOMEBASE and SEDB” (SSO Dictionary, 3).
FASHIONCLEFT – This covername refers to an NSA exfiltration protocol used by the Tailored Access Operations (TAO) group to exfiltrate collected network packets to the Common Data Reception (CDR) from TAO implants, including those associated with HAMMERMILL (TURMOIL/APEX/APEX High Level Description Document, 3). It preceded an exfil session with a “strongly encrypted Session Announcement that describes the parameters of the exfil session” (TURMOIL/APEX/APEX High Level Description Document, 3). FASHIONCLEFT was used as part of the TURBULENCE program (APEX: Active/Passive Exfiltration, 6) and was based on DNT exfiltration (FOGYNULL), exfiltration data format (FUNNELAPS), and exfiltration metadata format (SHELLGREY) (APEX: Active/Passive Exfiltration, 13). It provided support for metadata authentication/integrity, anti replay, and encryption, and used 1024-bit RSA, 128-bit RC6 (The FASHIONCLEFT Protocol, 2).
FASTIDIOUS (FDS) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 2).
FASTSCOPE (FS) – This covername refers to a database which held airline passenger information. Specific fields included the List of Flights (i.e. legs of a flight) and passenger manifest information (i.e. passenger names, name variants, passport numbers, flight departure airport, flight arrival airport, and flight departure date) (HOMING PIGEON, 4).
FEEDTROUGH – A technique for persisting BANANAGLEE and ZESTYLEAK implants for Juniper NetScreen firewalls (Equation Group firewall operations catalogue).
FELONYCROWBAR – This covername refers to a configuration script that was delivered to devices or machines which are implanted with STRAITBIZARRE. The configuration enabled an operator to subsequently use the implanted machine as a QUANTUM shooter (QUANTUM Shooter SBZ Notes, 2).
FERRETCANNON – a reference to CIA and JSOC tools that Computer Network Exploitation (CNE) operators were responsible for supporting (FOXACID SOP For Operational Management of FOXACID Infrastructure, 7). This could ‘throw’ any executable that was not normally thrown from a FOXACID server, including UNITEDRAKE, PEDDLECHEAP, PKTWENCH, and BEACHHEAD. Both .dll and .exe could be thrown (FOXACID SOP For Operational Management of FOXACID Infrastructure, 11).
FESTIVEWRAPPER –
FIGBUILD –
FINGERGNOME –
FINKCOAT –
FINKDIFFERENT – Associated with a FOXACID-automated process (DIRESCALLOP) that was designed to temporarily disable, then re-enable, DeepFreeze, FINKDIFFERENT was responsible for writing the implant meant to gain persistence to disk (FOXACID SOP For Operational Management of FOXACID Infrastructure, 10).
FIREBRUSH – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FIREEATER – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FIRESCREEN (FRE) – A covername used by CES/S31 (Exceptionally Controlled Information (ECI) Compartments, 2).
FIRESTORM – This covername refers to a NSA Radio-Frequency (RF)-based Computer Network Operation (CNO) capability that was “designed to provide the war fighter with a plug-and-play attack capability against High Powered Cordless Phones (SID Today: New CNO Capability Poised to Help Counter IEDs, Geolocate Terrorists, 2) that were often used in Afghanistan and Iraq for insurgent communications and the ability to detonate Improvised Explosive Devices (IEDs). FIRESTORM was designed to conduct both Denial Of Service (DOS) against high frequency communications networks, as well as enable the geolocation of individuals who used these networks (SID Today: New CNO Capability Poised to Help Counter IEDs, Geolocate Terrorists, 2).
FIRESWAMP – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FIRSTDOWN (FRS) – A covername used by National Counterintelligence and Security Centre (Exceptionally Controlled Information (ECI) Compartments, 2).
FIRSTFRUITS – This covername refers to a counterintelligence database which tracked unauthorized disclosures of information to the news media, falling within the remit of a Denial and Deception (D&D) Unit within the NSA’s Signals Intelligence Directorate (SID) (Gellman, Dark Mirror, 276). The FIRSTFRUITS program sought to “drastically reduce significant losses of collection capability” for the NSA and which was attributed to journalists and their reporting (Gellman, Dark Mirror, 277). Included among the names of FIRSTFRUITS was the US national security journalist Barton Gellman. The FIRSTFRUITS project further produced “crime reports to DOJ” (Gellman, Dark Mirror, 279).
FISHWAY – This covername refers to an element of corporate processing that is carried out by the NSA when intaking DNR and VoIP data from FAIRVIEW (FAIRVIEW Dataflow Diagrams, 20). Data processed by FISHWAY is ultimately sent to SCISSORS (FAIRVIEW Dataflow Diagrams, 20).
FISSURESALUTE (FST) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 2).
FLASHHANDLE – This covername refers to the mission manager that provided tasking to CDR/SURPASSPIN (The FASHIONCLEFT Protocol, 14).
FLAMINGO –
FLAWMILL – This covername refers to a system which users of BOUNDLESSINFORMANT used to request additional functionality. Global Access Operations (GAO) was responsible for receiving, prioritizing, and developing on BOUNDLESSINFORMANT based on feedback (BOUNDLESS INFORMANT Frequently Asked Questions, 3).
FLAXENPRECEPT – This covername refers to the Common Data Receptor (CDR); it was a data format used by Tailored Access Operations’ (TAO) implants to exfiltrate network packets (APEX: Active/Passive Exfiltration, 13).
FLOCKFORWARD – A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit affecting version 3.3.005.066.1 (Equation Group firewall operations catalogue).
FLYLEAF (FLE) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 2).
FOGHORN – A new data feed for ELEGANTCHAOS (ELEGANT CHAOS, 22).
FOGYNULL – This covername refers to a DNT exfiltration protocol (APEX: Active/Passive Exfiltration, 13).
FORBIDDEN (FBD) – A covername used by S2D (Exceptionally Controlled Information (ECI) Compartments, 2).
FORBORNE (FBD) – A covername used by S2D (Exceptionally Controlled Information (ECI) Compartments, 2).
FOREMAN – This covername was used within the ECHOBASE project as one of the foreignness criteria (Identifier Lead Triage with ECHOBASE, 6).
FORESTPLACE – A node that was used by the FOXACID team to test new payloads (FOXACID SOP For Operational Management of FOXACID Infrastructure, 12).
FOSHO – A Python library for creating HTTP exploits.
FOXACID (FA) – FOXACID was the covername for a joint Data, Network & Technologies (DNT) Branch and Remote Operations Center (ROC) project to deliver content-based exploits (CBE) to web browsers (Introduction to WLAN/802, 11). FOXACID was designed to conduct a vulnerability analysis and exploitation of a given target that had been forced to covertly contact a FOXACID server. FOXACID servers sat on the Internet and were publicly addressable, though a specially crafted FOXACID tag had to be presented to actually contact one of the servers. The servers used whitelists for security and filtering. Upon contacting a FOXACID server, the contacting web browser would ideally be exploited. Targets were redirected to FOXACID servers by way of NIGHTSTAND or BADDECISION (Introduction to WLAN/802.11 Active CNE Operations). This covername was initially assigned to a mission referring to counterterrorism targets within Al-Qaeda, then for a spam operation, and then for exploit servers that were used to provide initial access to targets through browser exploitation (FOXACID, 3). The ‘plugins’ for FOXACID were, in actuality, browser exploits and could include native browser exploits, to those targeting things like Flash (FOXACID 19). The cross scripting exploits that FOXACID relied on, as well as the bulk spam missions, were becoming less viable in 2007 and so QUANTUM was regarded as the best way to divert targets to FOXACID. This raised the basic issue of ‘how’ targets will be driven to FOXACID going forward (FOXACID, 22). At one point, FOXACID servers ran Microsoft Windows server 2003 and installed with requisite server software, FOXACID plugins, and payloads (FOXACID SOP For Operational Management of FOXACID Infrastructure, 8).
FOXACID2 –
FOXBASE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FOXCONTACT – A log that was used by FOXACID operators to determine why a FOXACID-related implant may not have deployed against a target (FOXACID SOP For Operational Management of FOXACID Infrastructure, 19).
FOXHEAT (FXH) – A covername used by TSMI/S34 (Exceptionally Controlled Information (ECI) Compartments, 2).
FOXHELP –
FOXSEARCH – This was a search tool used by FOXACID operators to determine the status of a possible payload drop. Several response-types could come back, indicating that the target could not be exploited, that an exploit wasn’t dropped but a SPAM message that initially had a FOXACID tag was opened, that an implant was already deployed or self-deleted, or that there was a problem with the tag itself (FOXACID SOP For Operational Management of FOXACID Infrastructure, 14).
FOXTRAIL – This was used to perform DNS lookups (The Unofficial XKEYSCORE Guide, 9).
FRANTICDANCER – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEACIDRAIN – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEAIRFARE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEARCADEZONE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEBACKGAMMON – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEBADFIBER – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEBADRENT – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEBALLROOM – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEBATTLEZONE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEBEACHTREE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEBIGBOSS – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEBITTERCLOUD – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEBLACKCLOUD – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEBLOODYWOLF – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEBLOWNTURBO – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEBLUEMAT – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEBRASSBRUSH – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEBUTTERCLOUD – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREECANALLOCK – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREECANESUGAR – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREECATBOX – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREECEMENTBLOCK – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREECHERRYCOLA – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREECHESSBOARD – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREECLEARTAPE – This covername refers to a project operated by either the NSA or GCHQ, and is involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREECOLDTEA – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREECORNHUSK – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREECORNMAZE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREECREEKMOOR – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREECRUSHEDDISK – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEDARKSUIT – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEDATALOSS – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEDEADBATTERY – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEDETOURSIGN – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEDIRTYTRICK – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEDISCOVERY – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEDISKBRAKE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEDOGCRATE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEDOMECUPOLA – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEDOVETAIL – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEEMUFARM – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEENERGYTAX – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEFAMILYTIE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEFASTCAR – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEFIBERBOARD – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEFILEDELETE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEFLATFIBER – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEFLOWCHART – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEFLOWERPEOPLE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEFRIEZEFRESCO – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEGEMSTONE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEGLASSTUBE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEGLUESTRIP – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEHAVEFUN – This covername refers to a project operated by either the NSA or GCHQ, and is involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEHOMEBASE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEHOOKHANDLE – This covername refers to a project operated by either the NSA or GCHQ, and is involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEHOOPDREAM – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEJETFUEL – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEKIDPOOL – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEKINGSPAWN – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEKNOCKOUT – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREELANDLINE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREELEADSHOT – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREELEADSINGER – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREELIFERAFT – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREELIKESAME – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREELINEDOWN – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREELOLLYPOP – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREELUNCH (FLH) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 2).
FREEMARBLEBASIN – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEMETALCRATE -This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEMETALFILE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEMETALSHARD – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEMINETUNNEL – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEMINTJELLY – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREENAVYBLUE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREENIGHTTRAIN – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEOBLIQUECASE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEOILLEAK – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEOILPAINT – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEOLDBIKE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEOUTRUN – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEPAINTBALL – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEPICKLEBRINE – This covername refers to a project operated by either the NSA or GCHQ, and is involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEPINEPLANK – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEPLASTICCASE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEPONGPLAYER – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEPOSTMARK – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEPOWERFAILURE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEPUFFYCLOUD – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEPULLCHAIN – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREERAINCLOUD – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREERAVENTICKET – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEREDBEER – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEREDERASER – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEREDMARKER – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEREDSHIRT – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEREDSTAIN – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREERIDEAROUND – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREERIGHTWHALE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREERIPPINGBLADE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEROCKSONG – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREESAFEKEY – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREESALTTRUCK – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREESASHCORD – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREESCHOOLLOCKER – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREESCREENDOOR – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREESEADADDY – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREESHORTCARD – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREESHORTPASS – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREESINEWAVE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREESLOWFAST – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREESNOWSHOVEL – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREESPACEFLIGHT – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREESPEEDTRAP – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREESTATEWARD – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREESTONESHIP – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREESTORAGEROOM – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREETANKSTAND – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREETESTSHEET – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREETHUNDERCLOUD – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREETICKETBOOTH – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREETIMELEGEND – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREETIMESHARE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREETINYTANK – This covername refers to a project operated by either the NSA or GCHQ, and is involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREETRICKYKICK – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREETROUTSTREAM – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREETRUEPINBALL – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREETWINBEE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEVINYLMESH – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEWARRIORPAINT – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEWATERBED – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEWATERGLASS – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEWATERTANK – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEWATERTOWER – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEWAVECREST – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEWAYPOINT – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEWHEELCOVER – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEWHEELNUT – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEWINDCLOUD – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEWINDSHEAR – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FREEWOODENSTICK – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FRIAR – This covername refers to FAIRVIEW’s east coast cable station (SSO Dictionary, 3).
FRIEZERAMP (FRZ, FR) – This covername refers to a covert network stack which was used by CHIMNEYPOOL, a communications system that interactsed with STRAITBIZARRE-implanted devices, including as part of the QUANTUM program (QUANTUM Shooter SBZ Notes, 3) and Delay Tolerant Networking (DNT) (Moving Data Through Disconnected Networks, 31).
FROSTING – A cover name used to describe the collection and processing of all communications emanating from communications satellites. It’s sub-programs were TRANSIENT (focused on Soviet satellite targets) and ECHELON (focused on processing and analyzing all INTELSAT communications) The Northwest Passage (Volume 2, Issue 1), 1).
FROTHYTWOPACK (FTP) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 2).
FROZENEARTH –
FROZENGAZE – This was part of the FOXACID system, and was associated with the FABULOUSFABLE and WATCHER covernames, which were also associated with FOXACID (used by Computer Network Exploitation (CNE) operators for targeted and untargeted operations (FOXACID SOP For Operational Management of FOXACID Infrastructure, 29).
FRUGALSHOT – This was a Tailored Access Operations (TAO) infrastructure that supported exploit callback. It was a FOXACID server running plugins that are compatible with deployment of exploits for removable media, such as EASYHOOKUP (FOXACID SOP For Operational Management of FOXACID Infrastructure, 25). As of early 2010 there were two operational FRUGALSHOT servers, one of which supported callbacks from CASTLECREEK deployments and the other which supported non-CASTLECREEK callbacks.
FUNNELAPS – This covername refers to a DNT exfiltration data format (APEX: Active/Passive Exfiltration, 13).
FURTIVERELIANCE (FUR) – a covername used by S2H (Exceptionally Controlled Information (ECI) Compartments, 2).
FURRYEWOK – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
FUSSYKEEL –
FUZZYLINT (FL) – This covername refers to a lightweight Bundle Protocol Agent (BPA) which was used as part of the NSA’s Delay Tolerant Networking system (Moving Data Through Disconnected Networks, 17).
G
GAMMAGUPPY – this covername was used in relation to conversations captured by US and UK intelligence services operating out of their respective embassies in Russia. The conversations were captured from car phones used by the Russian leadership in Russia during the 1960s and 1970s (The Secret Sentry: The Untold History of the National Security Agency, 144).
GATEKEEP –
GATEKEEPER – tool used by the NSA to apply for, and maintain access to, many of the NSA databases by second parties. GATEKEEPER was also used to help NSA auditors of the accessed databases (Cyber Defence Operations Legal and Policy, 10).
GENESIS – A language that was used by analysts to query GCHQ’s TEMPORA, which was a large-scale instantiation of XKEYSCORE (TEMPORA — “The World’s Largest XKEYSCORE” — Is Now Available to Qualified NSA Uses, 2).
GENIE – This covername refers to a project that underpinned the NSA’s Computer Network Operations (CNO) endpoint capabilities that were conducted by the Tailored Access Operations (TAO) group. GENIE was focused on the endpoints — such as laptops, mobile devices, router, and servers — that were targeted and exploited using either virtual or physical access to create and sustain a presence inside of targeted systems or facilities. Data was often exfiltrated either directly or by being shaped towards midpoint collection facilities (i.e. towards passive collection systems) (Computer Network Operations – GENIE, 1).
GENUINE DRAFT – the NSA gained entry into an email account and added a ‘tag’ to emails that were stored in the ‘Drafts’ folder of an email account. This tag appended an iframe to the message and thus rendered a browser vulnerable to exploits hosted on a FOXACID server. GENUINE DRAFT was designed to be used against multiple targets that had a webmail account, and to leave messages in the draft box for communications purposes (FOXACID, 8).
GEOSPATIALCELL – an intelligence fusion centre at Fort Gordon where analysts pulled together all of the SIGINT collected by the station and other NSA listening posts around the world in order to produce product for the NSA’s customers (The Secret Sentry: The Untold History of the National Security Agency, 301).
GHOSTHUNTER – This covername refers to a prototype developed and operated out of Menwith Hill Station (MHS), and which was designed to integrate FORNSAT geolocation information with very small aperture satellite terminals (VSATs) geolocations (APPARITION Becomes a Reality, 1). As of July 30, 2009 it had geolocated over 5,000 VSATs in Iraq, Afghanistan, Syria, Lebanon, and Iran in support of US Military activities in the Middle East and Northern Africa (New ‘R Spotlight’ Video).
GHOSTMACHINE (GM) – GHOSTMACHINE was used by the ECHOBASE project to ingest targeting information along with seeded analytics and legal information (e.g. user permitted to run query, justification for query, etc) to generate analytic-based information. This program was used during the 2012 Olympics to ingest and share information with GCHQ. Its purpose was to analyze raw signals intelligence information, after analysts had presented certain query boundaries, to analyze identifiers in bulk and present ones that were most pertinent to queries to analysts. Successfully presenting identifier-based information would overcome the problem whereby analysts were overwhelmed with the numbers of potentially interesting identifiers to follow up on by reducing the number of the most interesting identifiers (Identifier Lead Triage with ECHOBASE, 11-13).
GHOSTRECON – This was an operator that the NSA was conducting fourth party collection against (TRANSGRESSION Overview for Pod58, 5).
GINPENNANT – A covername referring to the framework the NSA used to ingest and structure FORNSAT data, such as that provided by Yakima Research Station (The Northwest Passage (Volume 2, Issue 1), 3).
GLAIVE – The covername refers to GCHQ’s HF/VHF/UHF collection architecture; GLAIVE systems were deployed to Kuwait in early 2003 to monitor Iraqi communications prior to Operation Iraqi Freedom, to Balad Iraq in December 2003 to collect local insurgents as well as provide a strategically located SIGINT capability in the Middle East. This latter system was used for COMSEC monitoring (NSA and GCHQ Team Up to Tackle HF).
GLOBALTIPPER (GT) – This covername refers to a system for querying internal requests for information within the NSA (AURORAGOLD Working Group, 17).
GLOBALREACH – This covername refers to a consolidated analytic metadata interface that allowed analysts to log into one and then search across all of the TAC/TDS datasets for their targets of interest. Datasets available through GLOBALREACH included: ASSOCIATION, BROOMSTICK, CONTRAOCTIVE, DISHFIRE, DISTANTFISH, ENTANGLER, FASCIA, GNDB, LAMPSHADE, MAINWAY, OCTAVE, SPOTBEAM, and YACHTSHOP. Tools available through GLOBALREACH included: BANYAN, CONTRAOCTIVE, DISHFIRE, ENTANGLER, GNDB, SPOTBEAM, and YACHTSHOP. As of August 2004, GLOBALREACH allowed for searches of telephony metadata but there were plans to bridge telephony and DNI (e.g. email) analysis as of September 2004 (One Login, Many Searches).
GLOBETROTTER – Geography-related information from this covername was used as an enrichment feed for ELEGANTCHAOS (ELEGANT CHAOS, 9). GLOBETROTTER was sometimes linked with specific countries, such as Syria, Libya, and Yemen (ELEGANT CHAOS, 17).
GMHalo – This covername refers to a cloud that promoted records to FASCIA and feeded SEDB Tower Question Focused Dataset (QFD) into the DEMONSPIT data set, which was itself used for the SKYNET project (SKYNET: Applying Advanced Cloud-based Behavior Analytics, 6).
GMPLACE (aka GM-PLACE) – This covername describes a cloud that ingested DEMONSPIT data into SORTINGLEAD summaries to support SKYNET analytics; such analytics were designed to identify persons of interest in the NSA’s pursuit of Al’Qaeda couriers in Pakistan. It ingested DEMONSPIT data into a perishable Question Focused Dataset (QFD) that was available to analysts via JEMA and CINEPLEX (SKYNET: Applying Advanced Cloud-based Behaviour Analytics, 6). GMPLACE operated as a DNI ingest processor for BOUNDLESSINFORMANT post-FALLOUT and post-TUSKATTIRE (BOUNDLESS INFORMANT Frequently Asked Questions, 2). The GMPLACE Callback Analysis was used to identify lost implants, or those which were no longer communicating (SPINALTAP: Making Passive Sexy for Generation Cyber, 17).
GNETWORKGNOME – GNETWORKGNOME was used to extract and correlate information from a variety of databases, including metadata databases, such as NAC, SSG, SSO, and NTOC (What Your Mother Never Told You About SIGDEV Analysis, 52).
GNOMEFISHER –
GNOMEVISION – This covername refers to a future upgrade to the TUTELAGE program. GNOMEVISION was intended to deobfuscate malicious packages to subsequently be analyzed (TUTELAGE 411, 17).
GOGADGET – This covername refers to a database which was used to store enriched metadata associated with botnet-related activities (HIDDENSALAMANDER: Alerting and Characterization of Botnet Activity in TURMOIL, 9).
GOLDENCALF (GDC) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 2).
GOLDENCARRIAGE – Refers to a type or class of NSA corporate servers, which was used for all application and data storage for the AURORAGOLD application (AURORAGOLD, 1).
GOLDENFORTIN – this may refer to a dataset containing information about SSL certificates used by Tor network (Source: Tracking Targets Through Proxies & Anonymizes (and the air speed velocity of an unladen swallow)).
GOODMONKEY – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
GOPHERRAGE – This covername refers to a project that was undertaken by the NSA’s Persistence Division, and which was available for interns to work on. GOPHERRAGE was a project that sought to develop a hypervisor implant that would leverage both AMD and Intel’s virtualization technology to provide DNT implant persistence capabilities and a persistent back door. GOPHERRAGE was intended to be able to use “the machine’s network interface card (NIC) to communicate independently of the host operating system (OS)” and, at the same time, have full read/write access of host memory so that it would be possible to change Host OS behaviour in ways that could allow for code execution, OS injection, system survey, VM break-in, etc (S3285/InternProjects, 10).
GOLDENRETRIEVER – This covername refers to a system for storage and distribution in the context of signals development (Center for Content Extraction, 5). GOLDENRETRIEVER was specifically related to record building (Center for Content Extraction, 6).
GOTHAMKNIGHT A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit affecting version 3.2.100.010.8_pbc_27. Has no BLATSTING support (Equation Group firewall operations catalogue).
GROK – This covername refers to an NSA key logging tool which recorded every character typed by a victim (Gellman, Dark Mirror, 210).
H
HAMMERBROTHERS – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
HAMMERCHANT – This covername refers to an implant module, active as of August 2009, which was operated by the Tailored Access Operations (TAO) group within the NSA. It was was used to target VoIP phone numbers (APEX: Active/Passive Exfiltration, 4) as well as to exfiltrate targeted call signalling metadata and voice content to TURMOIL (APEX: Active/Passive Exfiltration, 52). Specifically, it identified VoIP (H.323/SIP) “signaling passing through the router, extracts the user identifiers, and collects the call if one of the users corresponds to an entry on its target list” ((TURMOIL/APEX/APEX High Level Description Document, 3).
HAMMERCORE – an implant used by the Tailored Access Operations (TAO) group within the NSA. It was used to enable traffic shaping on Ogero’s network, a Lebanese ISP (SIGINT Development Support II Project Management Review, 4).
HAMMERMILL – This refers to a base capability implant that was for a family of routers, and was used by Tailored Access Operations (TAO to exfiltrate data (TURMOIL/APEX/APEX High Level Description Document, 3) by targeting what passes through the implanted router (APEX: Active/Passive Exfiltration, 47). The exfiltrated data was disguised to avoid detection using FASHIONCLEFT (TURMOIL/APEX/APEX High Level Description Document, 3) and a passive collector which ultimately ingested the data looks for IP source/destination information to detect the relevant traffic. If the collector was to do addition selection or processing, it had to be unwrapped by the collector. Regardless, exfiltrated information could be directed to either passive collection or TAO-specific collection by changing the exfiltrated data’s destination address (Analytic Challenges from Active-Passive Integration, 3). Other modules were built on top of HAMMERMILL, such as HAMMERSTEIN (TURMOIL/APEX/APEX High Level Description Document, 3).
HAMMERMILL 2.0 – This covername refers to a deployed version of HAMMERMILL that was commanded by a custom command interface (TURMOIL/APEX/APEX High Level Description Document, 3). Targeting commands had to be delivered using manually initiated commands to the HAMMERMILL application (TURMOIL/APEX/APEX High Level Description Document, 3)
HAMMERMILL 2.5 – This covername refers to a version of HAMMERMILL that can receive CHIMNEYPOOL commands, and is required for phase 2 of the APEX command and control development (TURMOIL/APEX/APEX High Level Description Document, 7). This version of HAMMERMILL was only available for low-end MIPS platforms (TURMOIL/APEX/APEX High Level Description Document, 7), though it remained to be tested TURMOIL/APEX/APEX High Level Description Document, 3).
HAMMERSTEIN – This covername refers to HAMMERMILL application module that was used by the Tailored Access Operations (TAO) (TURMOIL/APEX/APEX High Level Description Document, 3). It was used to enable traffic shaping on Ogero’s network, a Lebanese ISP (SIGINT Development Support II Project Management Review, 4). More generally, it could target any 5-tuple packet including the IKE used in VPN key exchanges and ESP which is present in VPN encrypted tunnels (APEX: Active/Passive Exfiltration, 4), as well as to capture and exfiltrate all VoIP signalling information (APEX: Active/Passive Exfiltration, 52).
HAMMERSTONE – This covername refers to a program which would shape TCP traffic to FORNSAT and, eventually, SSO collection; it would not be associated with TURMOIL (Analytic Challenges from Active-Passive Integration, 11).
HAMREX – an exploit used by the Tailored Access Operations (TAO) group to exploit an Ogero ISP gateway router, to enable a SECONDDATE man-in-the-middle exploit (SIGINT Development Support II Project Management Review, 4).
HANGARSURPLUS (HS) –
HAPPYFOOT –
HAPPYHOUR – An active Computer Network Exploitation (CNE) tool used in conjunction with FOXACID and BLINDDATE (Introduction to WLAN/802.11 Active CNE Operations, 6).
HASTYCOBRA – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
HAVASU – This covername refers to an ICDR metadata flow that was associated with collecting data vis-a-vis FAIRVIEW (aka AT&T) (FAIRVIEW Dataflow Diagrams, 12).
HAWALA –
HEADMOVIES – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).
HEARTBEAT –
HELLFIRE (HLF) – A covername used by National Counterintelligence and Security Centre (Exceptionally Controlled Information (ECI) Compartments, 2).
HERESYITCH – Refers to UC collateral (Center for Content Extraction, 5).
HIDDENSALAMANDER (HS) – This covername refers to a subsystem to TURMOIL, and was specifically designed to identify events associated with botnet activity and subsequently enrich collected data to then flow information into other databases and systems (HIDDENSALAMANDER: Alerting and Characterization of Botnet Activity in TURMOIL).
HIDDENTEMPLE – A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit affecting version tos_3.2.8840.1 (Equation Group firewall operations catalogue).
HIGHDECIBEL – This covername refers to a FAIRVIEW LAN, which was associated with NSA’s corporate processing of data from FAIRVIEW (FAIRVIEW Dataflow Diagrams, 12).
HISTORY (HST) – A covername used by National Counterintelligence and Security Centre (Exceptionally Controlled Information (ECI) Compartments, 2).
HOMEBASE – This covername refers to a tool that was able to access FASCIA data (SSO Dictionary, 3).
HOMING PIGEON – This covername refers to an effort by the NSA to correlate GSM telephone information on airlines with particular subscribers (HOMING PIGEON).
HORSEWRAP –
HUFFMUSH – linked to QUANTUMMUSH (QUANTUMTHEORY, 8).
HYSSOP (HYS) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 2.)
I
ICEBLOCK – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
ICEPIC – This covername refers to a kind of digital capture card that was used as part of the WORDGOPHER satellite signal demodulation program (Shift to Software Demodulation in Misawa Expands Collection, Saves Money, 2).
ICREACH – this covername refers to a toolkit that would permit federated query searches across all participating parties’ datasets in order to link telephony and DNI information, thus enabling participating agencies to better identify their targets (Sharing Communications Metadata Across the U.S. Intelligence Community – ICREACH). This program replaced PROTON.
IMPUREHOLSTER – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
INCAADAM – This covername refers to an operator against which the NSA was conducting fourth party collection, and was attempting to deobfuscate the data that was being passively collected (TRANSGRESSION Overview for Pod58, 5).
INCENSOR (INCENSER) – A GCHQ Special Source (TEMPORA — “The World’s Largest XKEYSCORE” — Is Now Available to Qualified NSA Uses, 2) that was sometimes used to tip QUANTUMBOT (DEFIANTWARRIOR and the NSA’s Use of Bots, 13). INCENSOR was associated with the SIGAD number DS-300 (GCHQ QUANTUMTHEORY, 10). See GCHQ covernames.
INDEPENDENCEPIE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
INDRA – This covername refers to an NSA site in Thailand (SID Today – Charlie Meals Opens New Engineering Support Facility in Japan, 2)
INQUIRY –
INTERQUAKE – This covername refers to a terrestrial environmental knowledge base, which was populated with PANOPLY information that includes: signal externals, radio and payload information, LACs and Cell IDs, and protocol stack (Special Collection Service: Pacific SIGDEV Conference, 8).
INTOLERANT – an email-stealing intrusion tool used by unknown hackers, which was principally targeted at the following targets: Indian Diplomatic and Indian Navy, Central Asian diplomatic, Chinese Human Rights Defenders, Tibetan Pro-Democracy Personalities, Uighur Activists, European Special Representative to Afghanistan and Indian photo-journalists, Tibetan Government in Exile. To hide traffic, hackers split a victim’s email into pieces and given a different (spoofed) origin IP address and different destination IP addresses; the hackers are then able to reassemble the traffic after collecting it from the end points, or once it passes through different listening posts. The result is that the fragments of messages are hidden amongst the general noise of the networking traffic (Who Else Is Targeting Your Target? Collecting Data Stolen by Hackers, 1).
INVEIGH (INV) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 2).
IPGeoTrap – An enrichment feed for ELEGANTCHAOS (ELEGANT CHAOS, 9).
IRATEMONK – This covername refers to projects that were part of the NSA’s Persistence Team. IRATEMONK implants were used to obtain persistence on a range of hard drives, USB drives, and server/RAID systems (S3285/InternProjects, 3-5).
IRISHBEAUTY – This covername refers to a unified targeting tool that was used, along with OCTAVE and KEYCARD, for target-based filtering and selection when using the TURMOIL system (SSO Dictionary, 4).
IRONAVENGER – The NSA used IRONAVENGER to hack into an ally’s surveillance technologies, which were themselves covernamed NIGHTTRAIN (Gellman, Dark Mirror, 209).
IRONPERSISTENCE – An operation undertaken by Expeditionary Access Operations Afghanistan (EAO-AF) that involved liaising with other groups to develop an exploit for a source with access to “key Taliban targets in Afghanistan.” It involved moving CNE-enabled devices to Afghanistan, to be used against the target (Expeditionary Access Operations: NSA’s Close Access Network Exploitation Program, 11).
ISLANDTRANSPORT – the messaging fabric used as part of the QUANTUMTHEORY framework (QUANTUMTHEORY, 5) and with TURBINE and TURMOIL more generally (TURMOIL/APEX/APEX High Level Description Document, 4).
J
JACKKNIFE – A covername provided to FROSTING’s West Coast project. FROSTING refers to an umbrella program to collect and process all communications emanating from communications satellites (The Northwest Passage (Volume 2, Issue 1), 1). In 1966, NSA established the FROSTING program, an umbrella program for the collection and processing of all communications emanating from communication satellites. FROSTING’s two sub-programs were TRANSIENT, for all efforts against Soviet satellite targets, and ECHELON, for the collection and processing of INTELSAT communications. Two years later, approval was given for FROSTING’s West Coast project (JACKKNIFE) to begin initial site surveys”; JACKKNIFE is the Yakima Research Station (The Northwest Passage (Volume 2, Issue 1), 1).
JAVAFRESCO – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
JEALOUSJOKER –
JEEPFLEA – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 10). This program was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
JEEPFLEA_MARKET – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
JEMA –
JETPLOW A firmware persistence implant for Cisco ASA and PIX devices that persists BANANAGLEE (Equation Group firewall operations catalogue).
JIFFYRAUL A module loaded into Cisco PIX firewalls with BANANAGLEE (Equation Group firewall operations catalogue).
JOINTENDEAVOR – This refers to a 1995-96 operation that took place in Italy, and in support of the NSA’s Balkans efforts (SID Today: InSIDer’s View of History… A Lesson in Personal Accountability, 1).
JOLLYROGER – This covername was related to CNE hunting (Tracking Courier Use of Secure Digital Cards, 8).
JOURNEYMAN – This covername refers to a broad NSA program which aimed to transform SIGINT product authoring and dissemination, and which included within it several other programs, such as CATAPULT (CATAPULT: A Bilateral Data Port).
JUBILEECORONA – This is a NSA covername that refers to WIMAX data which was collected (AURORAGOLD Working Group, 14).
JUGGERNAUT – This covername refers to a technology used to collect DNI and DNR information in Germany (BOUNDLESSINFORMANT Countries Data, 3) as well as a foreign partner (BOUNDLESSINFORMANT, 12) and third-party (BOUNDLESSINFORMANT, 14).
JUMPDOLLAR –
JUMPSEAT – A new type of SIGINT satellite launched in the late 1960s and 1970s. These satellites provided the NSA with access to high-level telephone traffic in the USSR that was carried over microwave radio-relay networks (The Secret Sentry: The Untold History of the National Security Agency, 155).
K
KEELSON – This covername refers to a technology associated with FAIRVIEW, and which pertained to DNI and DNR information which was presented as part of the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 11).
KESSELRUN (KES) – A covername used by CES/S31 (Exceptionally Controlled Information (ECI) Compartments, 3).
KEYCARD – This covername refers to “the premier Target-based Filtering and Selection database.” KEYCARD is an integral part of the TURMOIL collection system and a member of the TURBULENCE suite of tools, and generally used to look up identifiers used for targeting (TURMOIL/APEX/APEX High Level Description Document, 4). Using smart-collection capabilities, KEYCARD has transformed the way target-based development and collection is performed. KEYCARD rapidly determines whether data should be collected or ignored. Analysts develop targets for selection via the Unified Targeting Tool (IRISHBEAUTY), OCTAVE and the KEYCARD GUI” (SSO Dictionary, 4). As part of KEYCARD, analysis could target IP addresses for the purpose of identifying VPN key exchanges in order to recover their decryption keys from the NSA’s POISONNUT database (APEX: Active/Passive Exfiltration, 55). KEYCARD was, also, involved in normalizing and validating telephone numbers and call signalling (SSO Dictionary, 4). KEYCARD could be prefaced by another covername, such as FAIRVIEW, and be located in onsite processing SCIFs (FAIRVIEW Dataflow Diagrams, 20).
KIDSHIP_AA – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
KIRKBOMB – This covername refers to an aspect of the BERSERKR implant, which was developed by the NSA’s Persistence Division and was available for interns to work on. KIRKBOMB was a windows kernel examination intended to detect loaded drivers and running processes for Windows devices (S3285/InternProjects, 9).
KITTYBINGE – Used to process some lawful intercept-related information (Exploiting Foreign Lawful Intercept (LI) roundtable, 9).
KLEIGLIGHT – A covername which refers to a Japanese source of High Frequency Direction Finding (HFDF) network, which the NSA sought to develop an interoperable system as of 2013 (NSA High Frequency (HF) Collaboration efforts with Japan).
KOALAPUNCH – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).
KOBAYASHIMARU – This covername refers to a contract the NSA had with General Dynamics, which helped the NSA break into another country’s surveillance equipment (Gellman, Dark Mirror, 210).
KOOPATROOPA – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
KOZYKOVE – This covername refers to a FAIRVIEW site (SSO Dictionary, 4).
KRISPYKREME – An NSA covername (Gellman, Dark Mirror, 210).
KUKRISTEEL – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
L
LADYLOVE – This covername referred to the NSA’s facility at Misawa, Japan (APPARITION Becomes a Reality, 1).
LAUNDROMAT –
LEXHOUND –
LIFESAVER – An NSA covername (Gellman, Dark Mirror, 2010).
LIGHTDELAY – This covername refers to a piece of hardware which provided a 30 second cache for network traffic (The FASHIONCLEFT Protocol, 17).
LIGHTNINGTHIEF (LTF) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 2).
LITHIUM – This covername is BLARNEY’s covername for a corporate partner; a WPG ECI was needed to obtain the company’s name (SSO Dictionary, 4).
LITTLECROWN (LCN) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 2).
LITTLEDIPPER –
LIQUIDSTEEL –
LOCKSTOCK – This covername refers to a collection system used by MYSTIC and RAM-M. LOCKSTOCK was planned to process all MYSTIC data and data “for other NSA accesses), with the contract for the project having been tendered with General Dynamics over eight years and at a cost of $51 million (USD) (SSO Dictionary excerpt MYSTIC).
LOLLYGAG – This covername refers to a sub-element of SOMALGET, which operated under a lawful interception auspice to provide the Drug Enforcement Agency (DEA) with counter-narcotics intelligence. Host countries were unaware that LOLLYGAG was using these lawful interception systems to facilitate the NSA’s SIGINT collection (SSO Dictionary excerpt MYSTIC).
LONGSERPENT (LGS) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 3).
LOPER/LOPERS – This covername refers to a, “Dialed Number Recognition (DNR) system providing filtering, selection, and metadata extraction for intercepted telephony traffic. With the exception of the signal input card, LOPERS is entirely software based and runs on Linux on commodity Intel-based PC hardware. LOPERS also provides the ability to cluster multiple machines to operate as a single DNR system. LOPERS processes telephony traffic found on the Public Switched Telephone Network (PSTN); on GSM, CDMA, and UMTS Core networks; or in between the PSTN and a Core network. Input cards or a network-based Data Distribution Service (DDS) provide intercepted telephony traffic to the LOPERS system. LOPERS decodes the telephone numbers present in the call signaling and forwards the numbers to KEYCARD for normalization and validation. Calls including targeted selectors are captured and saved to an output directory, where MAILORDER picks them up for forwarding to follow-on processing systems. LOPERS offers four flavors of the system: one for use by first- and second-party installations and three different flavors for third-party partners” (SSO Dictionary, 4). This technology was used to collect DNI and DNR information in Germany (BOUNDLESSINFORMANT Countries Data, 3) as well as by a Foreign Partner (BOUNDLESSINFORMANT, 12). Information collected by it came, in at least some cases, directly from a Special Source Operation (SSO) (BOUNDLESSINFORMANT, 13) such as FAIRVIEW (i.e., AT&T) (FAIRVIEW Dataflow Diagrams, 4) and third-parties (BOUNDLESSINFORMANT, 14).
LUMBERYARD – This covername is defined as, “FAIRVIEW (satisfying POC with NTOC for anomaly detection/
situational awareness)” in the SSO Dictionary (page 4).
LUTEUSASTRO –
LUTEUSICARUS – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).
M
MACHINESHOP – This covername refers to a platform on which a Java web app was used to query Cloudbase. MACHINESHOP was either formally referred to as TURKEYTOWER or replaced TURKEYTOWER (BOUNDLESS INFORMANT Frequently Asked Questions, 3).
MADBISHOP –
MADCAPOCELOT – This covername refers to a SSO that was in the STORMBREW portfolio and assigned the SIGAD US-3140 (SSO Corporate Portfolio Overview, 8). MADCAPOCELOT targeted DNI under an EO 12333 authority and had access to multiple 10G backbone circuits (SSO Corporate Portfolio Overview, 13). Text that was collected was available through PINWALE whereas metadata was accessed in MARINA (SSO Corporate Portfolio Overview, 13)
MAGIC – A covername that referred to diplomatic communications intelligence during the second world war (The Secret Sentry: The Untold History of the National Security Agency, 6).
MAGICBEAN (MBEAN) – Used by Computer Network Exploitation (CNE) operators to conduct FOXACID-related man-in-the-middle attacks (FOXACID SOP For Operational Management of FOXACID Infrastructure, 7).
MAGICSQUIRREL – Used by Computer Network Exploitation (CNE) operators to conduct FOXACID-related man-in-the-middle attacks (FOXACID SOP For Operational Management of FOXACID Infrastructure, 7).
MAGICSTROKE (MGK) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 3).
MAGNUMOPUS – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9). This program was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
MAGNUMOPUS_CC – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
MAILORDER – This covername refers to a file sorting and forwarding system, whose ultimate destination was often MAINWAY (Gellman, Dark Mirror, 169) as well as other follow-on processing systems (SSO Dictionary, 4). MAILORDER was also a flow of data that, for the ELEGANTCHAOS program, involved copying data into the Menwith Hill Station (MHS) cloud for later processing (ELEGANT CHAOS, 8). Per the SSO Dictionary, MAILORDER is defined as, “an FTP-based file transport system used to move data between various collection, processing and selection management systems. Originally developed in 1990, MAILORDER has been ported to many hardware platforms over the years. The current platform runs Linux on Intel x86 hardware with the Sybase ASE 15 database for keeping track of statistics. Ultimately MAILORDER will be replaced by JDTS, but MAILORDER Systems will continue to serve in the Transport Architecture for years to come. MAILORDER relies on information in the filename to determine how to route data. The filename must begin with the PDDG of the originating site. This is followed by a three character File Routing Trigraph, which identifies a destination system and directory. Next is a two character Source System Digraph, which identifies an individual piece of equipment within the given site. Next is a priority digit, a number between one and seven (high to low priority), which is used to prioritize files” (SSO Dictionary, 5). MAILORDER was used to process data collected from FAIRVIEW (FAIRVIEW Dataflow Diagrams, 2).
MAINWAY – This covername refers to an NSA system that used “phone call contact chaining to identify targets of interest”, which was also provided to partners (JESI: Don’t Lose That Number!, 1) and was also known as the MAINWAY Precomputed Contact Chaining Service (Gellman, Dark Mirror, 170). MAINWAY was built by the NSA shortly after the attacks of 9/11 as a tool with which to carry out the STELLARWIND operation (Gellman, Dark Mirror, 167). American call data records from STELLARWIND were funneled to MAINWAY, so as to map out and reconstruct social networks (Gellman, Dark Mirror, 173); MAINWAY was able to access stored FASCIA data (SSO Dictionary, 3).. More specifically, MAINWAY took data sets of trillions of calls, and collapsed/reduced this down to a network diagram to illustrate who communicated with whom. In doing so, MAINWAY built a profile on every individual found in the database; this and other information in MAINWAY was further enriched by metadata and content from other NSA repositories, including PINWALE (Gellman, Dark Mirror, 174). US call records were supposed to be kept separate from other data sets in MAINWAY, and special permission was required for access. However, that restriction “all but disappeared” in November 2010 upon approval of more permissive rules for the Signals Intelligence Directorate (Gellman, Dark Mirror, 174). Some of the data it contained came from FAIRVIEW (SSO Corporate Portfolio Overview, 9).
Soon after its creation, MAINWAY became the NSA’s most important tool for mapping social networks, and underpinned the NSA’s efforts to conduct Large Access Exploitation (Gellman, Dark Mirror, 168). MAINWAY, which was built for operations at enormous scale, was able to find patterns in foreign and domestic metadata that were not revealed by content. MAINWAY’s mission as laid out in its first fiscal year was to enable the NSA “to dominate the global communications infrastructure, and the targets that currently operate anonymously within it” (Gellman, Dark Mirror, 169). Somewhat generally, MAINWAY has been referred to as a corporate metadata repository (Atomic SIGINT Data Format (ASDF) Configuration Read Me, 1).
Per the SSO Dictionary, MAINWAY is defined as, “MAINWAY, or the MAINWAY Precomputed Contact Chaining
Service, is an analytic tool for contact chaining. It’s helping analysts do target discovery by enabling them to quickly and easily navigate the increasing volumes of global communications metadata. Mainway attacks the volume problem of analyzing the global communications network. Automated traffic analytic processes support global multi- mode target development, alerting and intelligence reporting. Initial requirements include global contact chaining and timelining of all telephony, e-mail and pager contacts, from both collection and toll records. Automation processes use the global contact chains to identify potential tasking changes, new communities of interest, changes in communities of interest, activity patterns of interest, number normalization errors, COMSEC changes, and to help score/select content for forwarding and processing. Visualization tools are also available to document findings and help develop new automation algorithms” (SSO Dictionary, 4). Some of the data it contained came from FAIRVIEW (SSO Corporate Portfolio Overview, 9) and other metadata came from FALLOUT (PRISM/US-984XN Overview, 10).
MAKERSMARK – This covername refers to an operator that the NSA was conducting fourth party collection against (TRANSGRESSION Overview for Pod58, 5). More specifically, MAKERSMARK was a CSE covername for a Russian threat actor. See CSE covernames.
MARINA – This covername refers to a database used to store information associated with events identified by the TURMOIL system. Some events stored in the database included botnet-related attack events (HIDDENSALAMANDER: Alerting and Characterization of Botnet Activity in TURMOIL, 9) though it more generally contained Digital Network Intelligence (DNI) events (SSO Dictionary, 3). More broadly, MARINA was considered a corporate metadata repository (Atomic SIGINT Data Format (ASDF) Configuration Read Me, 1).
MASTERSHAKE – A database used to ingest BLINDDATE-related data (Expeditionary Access Operations: NSA’s Close Access Network Exploitation Program, 6) as well as information from APPARITION (APPARITION Becomes a Reality, 1). It was used as an enrichment feed for ELEGANTCHAOS (ELEGANT CHAOS, 9). MASTERSHAKE also contained information about VSAT terminals. It was accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 7). See CSE covernames.
MATCHMAKER – A new data feed for ELEGANTCHAOS (ELEGANT CHAOS, 23).
MATRIX – This covername refers to a technology used to collect DNI and DNR information in Germany (BOUNDLESSINFORMANT Countries Data, 3).
MAVERICK CHURCH – This covername refers to a Chinese Computer Network Exploitation (CNE) actor and was previously covernamed BISHOP (BYZANTINE HADES: An Evolution of Collection, 3).
MAXRANKLE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
MERCURYTAO (MYT) – A covername used by GAO/S35 (Exceptionally Controlled Information (ECI) Compartments, 3).
MERLIN – This covername refers to, “FAIRVIEW’S Effort to build-out the mobility network access. It will be a multi-year, multi-phased initiative to exploit various facets of the network, which include SMS messages, Mobile Application Part (MAP), packet data and voice. Consumers are rapidly abandoning traditional telephones and migrating towards mobile devices. Secondly, consumers are also changing the way they communicate, from voice calls to text messages and e-mail. Going forward, it will be essential to have mobile communications as part of the program’s comprehensive SIGINT strategy” (SSO Dictionary, 5).
METAWAVE – This covername refers to a corporate metadata repository (Atomic SIGINT Data Format (ASDF) Configuration Read Me, 1).
METROTUBE – This covername refers to a framework for hosting analytic processes that operate on items in PRESSUREWAVE (TURMOIL/APEX/APEX High Level Description Document, 4). Other services are hosted by METROTUBE, such as VPN analytics (TURMOIL/APEX/APEX High Level Description Document, 4).
MICEFUR – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
MIDDLEMAN – This covername refers to an aspect of the GENIE Network Configuration Centre (NCC) that was responsible for managing CHIMNEYPOOL communications for STRAITBIZARRE implants (QUANTUM Shooter SBZ Notes, 3).
MIDFIELD – This covernames refers to an elements of the NSA’s corporate processing process associated with FAIRVIEW collection (FAIRVIEW Dataflow Diagrams, 6).
MIDNIGHTSCORPION – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
MILKSTEAK – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
MISTRALWIND – This covername refers to calling card/private network access and associated with STORMBREW (SSO Corporate Portfolio Overview, 11).
MIRACLEMAX – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
MIRROR –
MISS MONEYPENNY – This covername refers to the NSA support system which provided covert operators with cover payroll, travel, and finance services, among other things (Gellman, Dark Mirror, 201).
MISTYVEAL – Sometimes referred to as ‘VALIDATOR II’, MISTYVEAL could be deployed using FOXACID and looked much like VALIDATOR. If Internet Explorer could go to google.com then MISTYVEAL could contact the Remote Operations Centre (ROC) (FOXACID, 21). MISTYVEAL is used for special requests, given that VALIDATOR is the default payload of FOXACID as of early 2010. It was much larger than VALIDATOR and piggybacked on Internet Explorer to call out on the network; this means that if the target used an alternate browser, then this implant could not communicate from the implanted/infected computer. Significantly, if Internet Explorer was configured to use a proxy, then MISTYVEAL could use it to communicate; this was a significant capability that VALIDATOR lacked (FOXACID SOP For Operational Management of FOXACID Infrastructure, 11).
MJOLNIR – This covername refers to an NSA tool that was used to break the anonymity of the Tor browser (Gellman, Dark Mirror, 209).
MOBILESEAGULL – This covername refers to a metadata flow which was sourced from billing records that were, themselves, obtained from FAIRVIEW (FAIRVIEW Dataflow Diagrams, 11).
MONKEYROCKET – This refers to an access for OAKSTAR (MONKEYROCKET (Snippet)) that was assigned the SIGAD US-3206 (SSO Corporate Portfolio Overview, 8) and operated from a foreign access point under E.O. 12333 (SSO Corporate Portfolio Overview, 17). It was a non-Western anonymization service that, as of July 12, 2012, had approximately 16,000 registered users generating about 2,000 events per day, with Iran and China representing a substantial part of the user base (MONKEYROCKET Achieves Initial Operational Capability By REDACTED on 2012-07-24 1442,1). Its key targets were counterterrorism focused, and specifically in the Middle East, Europe, and Asia (SSO Corporate Portfolio Overview, 17). The partner identity under MONKEYROCKET was THUNDERISLAND (OAKSTAR Travel Handbook: A Guide for Travelling, 3) and the partner had an office in Virginia (OAKSTAR Travel Handbook: A Guide for Travelling, 5) notwithstanding the SSO’s location outside the continental US (OAKSTAR Travel Handbook: A Guide for Travelling, 6).
MONKEYROCKET collected DNI metadata/content from full-take data sessions, and user data such as billing information and IP addresses of selected counter-terrorism (CT) targets who used a “Non-Western Anonymous Internet Browsing product.” MONKEYROCKET further served as “a key piece of the CT long-term strategy” by attracting targets involved in terrorism, including Al Qaida’s COMSEC security which the NSA could then exploit. MONKEYROCKET focused primarily on counter-terrorism but also targeted persons sought by other NSA offices, such as International Crime & Narcotics, Follow-The-Money, and Iran (MONKEYROCKET (Snippet)).
MONSTERMIND –
MOONPENNY – This covername refers to a site of information, which was added into XKEYSCORE (ELEGANT CHAOS, 23).
MOPNGO –
MOUSETRAP – This covername refers to an implant that was used by Sandia (S3285/InternProjects, 8).
MURPHYSLAW – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).
MUSHROOMKINGDOM – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
MUSCULAR – This refers to a GCHQ special source location where access to Google’s conduits was gained (TEMPORA — “The World’s Largest XKEYSCORE” — Is Now Available to Qualified NSA Uses, 2, and Gellman, Dark Mirror, 305). MUSCULAR functioned despite preexisting NSA access to Google through PRISM (Gellman, Dark Mirror, 306). Some data flows from MUSCULAR were diverted through the NSA’s TURMOIL processing system (Gellman, Dark Mirror, 305). See GCHQ covernames.
MUSICBOX (MBX) – A covername used by R3 (Exceptionally Controlled Information (ECI) Compartments, 3).
MUSKETEER –
MYSTIC –
N
NAPALAN – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
NATIVEDANCER –
NATIVEFLORA – This covername refers to a project operated by either the NSA or GCHQ, and is involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which are exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
NIAGARAFILES – This covername refers to a file-based real-time analytics system (Running Strategic Analytics Affecting Europe and Africa, 10).
NIGHTSTAND (NITESTAND) (NS) – An active Computer Network Exploitation (CNE) tool used in conjunction with BLINDDATE and FOXACID (Introduction to WLAN/802.11 Active CNE Operations, 6), as well as HAPPYHOUR (Gellman, Dark Mirror, 203). It was a plugin for BLINDDATE and injected a unique packet that forced a client to access a monitored listening post on the Internet for a payload deployment (Expeditionary Access Operations: NSA’s Close Access Network Exploitation Program, 9).
NIGHTTRAIN – This covername refers to the surveillance technology of a close US ally that the NSA was engaged in fourth party collection against, during operations alongside this ally against a common adversary (Gellman, Dark Mirror, 209). Specifically, the NSA was involved in decrypting and processing exfiltrated information collected by the Tailored Access Operations (TAO) operations as well as passive collection (TRANSGRESSION Overview for Pod58, 5). The NSA was also involved in conducting Software Reverse Engineering (SRE) against what was collected. The NSA hacked into NIGHTTRAIN using IRONAVENGER (Gellman, Dark Mirror, 209).
NITEHAWK (NHK) – A covername used by GAO/S35 (Exceptionally Controlled Information (ECI) Compartments, 3).
NOODY3 – This is “FAIRVIEW’S covername for Coverage of Current and Forecasted NRTM Circuits. The FAIRVIEW program is acquiring DNI access (SAGUARO) from the Partner’s DNI backbone which includes OC-192 and 10GE peering circuits. The Partner has provided a current view of the forecasted and equipped 10GE and OC-192 peering circuits at the eight SNRCs as of March 2009. Based on the information presented, by the end of 2009, the total number of forecasted 10GE peering circuits at the SNRCs will be approximately six times greater than OC-192 peering circuits. However, the growth in 10GE circuits in 2009 is about 19 times greater than the forecasted growth for OC-192 circuits. As these additional links become active it is imperitive that FAIRVIEW have the ability and the agility to follow SIGINT targets of interest. This action will provide 100% coverage of the 2009 forecasted 10GE and OC-192 links. This broad coverage approach is a key part of a larger effort to recast the FAIRVIEW DNI router access to be more agile and more high-value intelligence focused as part of the program’s effort to provide broad access, continuous survey and focused collection” (SSO Dictionary, 5).
NOPEN – A post-exploitation shell consisting of a client and a server that encrypts data using RC6. The server is installed on the target machine (Equation Group firewall operations catalogue).
NUCLEON – Some of the data it contained came from FAIRVIEW (SSO Corporate Portfolio Overview, 9) and STORMVIEW (SSO Corporate Portfolio Overview, 11), as well as PRISM. The latter information was exclusively voice content that had first been processed through CONVEYANCE (PRISM/US-984XN Overview, 10; see also (User’s Guide for PRISM Skype Collection, 4).
NUTHATCH – This covername is, “FAIRVIEW’S covername for the transport upgrade between FRIAR/PC access to accommodate growth in the cable system)” (SSO Dictionary, 6).
NYMROD – This covername refers to a program designed for name matching, and which was used as part of the Center for Content extraction’s work (Centre for Content Extraction, 5). More specifically, NYMROD sought to find reported information about targeted persons from the databases the Center had access to, which included overcoming linguistic variations in how names were presented to aggregate relevant information about targeted persons as well as coreferencing information based on contextual information (Center for Content Extraction (2), 2).
O
OAKSTAR – An NSA covername (Gellman, Dark Mirror, 318) for which MONKEYROCKET was an access (MONKEYROCKET (Snippet)); other covernames associated with OAKSTAR included BLUEZEPHYR, COBALTFALCON, MONKEYROCKET, ORANGEBLOSSOM, ORANGECRUSH, PRIMECANE, SHIFTINGSHADOW, SILVERZEPHYR, STEELKNIGHT, TRANSPORTORO, YAUGHTSHOP (OAKSTAR Travel Handbook: A Guide for Travelling, 1). Most travel associated with OAKSTAR was within the continental United States (OAKSTAR Travel Handbook: A Guide for Travelling, 3). More generally, it was a part of the FAA 702 UPSTREAM program (PRISM/US-984XN Overview, 3-4). OAKSTAR programs involve ventures with US companies and visiting them requiring travelers to hold either SSO WHIPGENIE ECI or NCSC AAA ECI clearance (OAKSTAR Travel Handbook: A Guide for Travelling, 3).
OBSCUREBLAZE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
OCELLUS (OCL) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 3).
OCONUS – This covername refers to sites where passive IP sensors were deployed as part of an experiment, which is discussed under the covername SILVER (SSO Dictionary, 8).
OCTAVE – This covername refers to a targeting feed that was submitted to GHOSTMACHINE on a daily basis as of June 2012 (Identifier Lead Triage with ECHOBASE, 11-12), and was more broadly a part of the targeting tools that were associated with TURMOIL and TURBULENCE (SSO Dictionary, 4). The SSO Dictionary defines the covername as, “the principal means for tasking of telephone numbers (and other telephone identification data such as IMSIs, IMEIs, and INMARSAT FTINs and RTINs) to the various DNR collection systems used by the National Security Agency and its Second Party partners. It also enables the management of those numbers. Conversely, CONTRAOCTAVE is a reference database that contains phone numbers that should not be tasked in OCTAVE or UTT. OCTAVE is scheduled to be replaced by UTT by 2011. See OCTAVE-UTT-Transition for the approximate timeline” (SSO Dictionary, 6). It could take some time for OCTAVE tasking to be updated; it could take anywhere up to a week when providing an update to SSO BLARNEY versus a few hours for STORMBREW (SSO Corporate Portfolio Overview, 5).
OCTSKYWARD – This covername refers to a database which included information about GSM cell phones, such as MCC and LAIC. It was accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 7).
ODDJOB – An NSA windows implant that was released in the Shadow Brokers leaks (Gellman, Dark Mirror, 201).
OFFICELINEBACKER – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
OFFICEQUARTERBACK – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
OILYRAG – This covername refers to a sub-element of SOMALGET, which operated under a lawful interception auspice to provide the Drug Enforcement Agency (DEA) with counter-narcotics intelligence. Host countries were unaware that LOLLYGAG was using these lawful interception systems to facilitate the NSA’s SIGINT collection (SSO Dictionary excerpt MYSTIC).
OLYMPIC GAMES (OPERATION OLYMPIC GAMES) – A covername used for the American government’s covert program to use CNE techniques to disrupt the Iranian nuclear program (Power Wars, 633).
OLYMPUS (OLY) – Team capability tools that were the responsibility of Computer Network Exploitation (CNE) operators responsible for FOXACID servers (FOXACID SOP For Operational Management of FOXACID Infrastructure, 7). OLYMPUS also refers to files which may be (re)formatted into the common data receptor (APEX: Active/Passive Exfiltration, 19).
OPALESCE – A program used by the NSA and U.S. Strategic Command’s Joint Functional Component Command – Network Warfare (JFCC-NW), which was marked as Exceptionally Controlled Information (ECI) (National Initiative Protection Program – Sentry Eagle, 5).
OPTICPINCH –
OPTIMUSPRIME – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
ORANGEBLOSSOM – This covername refers to a SSO under the OAKSTAR portfolio. It operated under a Transit Authority (SSO Corporate Portfolio Overview, 8).
ORANGECRUSH – This refers to an access for OAKSTAR that was assigned the SIGAD US-3230 (SSO Corporate Portfolio Overview, 8)
OZONE – This covername refers to a framework upon which the AURORAGOLD architecture and infrastructure was based (AURORAGOLD, 1).
P
PACKETRAPTOR – This covername refers to a process that filtered targeted data at the site of capture before exfill (SSO Dictionary, 6).
PACKAGEDGOODS (PG) – This covername refers to a database which contained traceroutes information. It was accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 6).
PAINTEDEAGLE (PEA) – A covername used by CES/S31 (Exceptionally Controlled Information (ECI) Compartments, 3).
PAINTBALL –
PALMCARTE –
PANDAROCK – A tool for connecting to a POLARPAWS implant (Equation Group firewall operations catalogue).
PANDORASMAYHEM –
PANOPLY – This covername refers to aerial-collected information, which included signal externals, radio and payload information, LACs and Cell IDs, and protocol stacks (Special Collection Service: Pacific SIGDEV Conference, 8).
PANT_SPARTY – This covername refers to “the injection of an NSA software tool into “a backdoor” in the target’s defenses” (Gellman, Dark Mirror, 203).
PARCAE – ELINT satellites that were launched by the US Navy and which, as part of a system that was given the unclassified covername WHITECLOUD, was used to track the movements of all warships in near-real time (The Secret Sentry: The Untold History of the National Security Agency, 155).
PARLAYBUFFET – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
PASSAGEHILL –
PASSIONATEPOLKA – This covername refers to a project that interns with the Tailored Access Operations (TAO) could be involved with. The intern(s) would be required to perform research and develop a deployable way of remotely bricking network cards (S3285/InternProjects, 2-3).
PASTEPIG – This covername refers to an element of the Tailored Access Operation (TAO) group’s harvesting of information from botnets. PASTEPIG moves cleaned data from YELLPIG, a FTP server, to SHOUTPIG (another FTP server); PASTEPIG, YELLPIG, and SHOUTPIG all operate in a DMZ between TAO Net and NSANet (DEFIANTWARRIOR and the NSA’s Use of Bots, 19). PASTEPIG is also referred to as a ‘NetApp’ within the TAO Net/NSANet DMZ (DEFIANTWARRIOR and the NSA’s use of bots, 19).
PATHMASTER – This covername refers to an element of creating a MAILORDER ticket, such as when configuring XKEYSCORE to ingest CADENCE dictionaries (CADENCE – Read Me, 1-2).
PAWLEYS (PAW) – A covername used by National Counterintelligence and Security Centre (Exceptionally Controlled Information (ECI) Compartments, 3).
PAWNSHOP (PWN) – A covername used by CES/S31 (Exceptionally Controlled Information (ECI) Compartments, 3).
PEDDLECHEAP – This refers to an exploit associated with FERRETCANNON (FOXACID SOP For Operational Management of FOXACID Infrastructure, 11).
PENCUP – This covername refers to an antenna/satellite interception project to upgrade DETs (unknown acronym) in Korea (Charlie Meals Opens New Engineering Support Facility in Japan, 2).
PENDLETON (PEN) – A covername used by CES/S31 (Exceptionally Controlled Information (ECI) Compartments, 3).
PENDRAGON (PND) – A covername used by GAO/S35 (Exceptionally Controlled Information (ECI) Compartments, 3).
PERFECTSTORM – This covername refers to SIGAD US-984P, which was used by STORMBREW to handle limited FISA-related tasking (SSO Corporate Portfolio Overview, 11).
PERKYAUTUMN (PRK) – A covername used by CES/S31 (Exceptionally Controlled Information (ECI) Compartments, 3).
PHANTOMSTARFISH – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
PHENYLDOUR (PHD) – A covername used by S0242 (Exceptionally Controlled Information (ECI) Compartments, 3).
PICARESQUE (PIQ) – A covername used by CES/S31 (Exceptionally Controlled Information (ECI) Compartments, 3).
PICAROON (PCR) – A covername used by CES/S31 (Exceptionally Controlled Information (ECI) Compartments, 3).
PIEDMONT (PIE) – A covername used by CES/S31 (Exceptionally Controlled Information (ECI) Compartments, 3).
PINECONE – This covername refers the LITHIUM site in New Jersey for FAIRVIEW (SSO Dictionary, 6) and was the centralized processing facility for POORWILL and BIGBIRD (SSO Dictionary, 1). More specifically, this refers to a SCIP where on-site processing could take place for data collected from FAIRVIEW (FAIRVIEW Dataflow Diagrams, 2).
PINWALE – This covername refers to a database which held content of intercepted emails and other digital text (Gellman, Dark Mirror, 174). It was the “NSA’s primary storage, search, and retrieval mechanism for SIGINT text intercept. PINWALE’s mission is to provide storage and on-line access to multiple terabytes of DNE and textual data upon analytical requests. It is to provide timely, accurate, and reliable Text Search and Retrieval Support to the user community. Target data is filtered through a Packet Raptor at site before exfill. Once brought back to NSAW, it is processed by a WC2, which is followed by an XKEYSCORE for selection” (SSO Dictionary, 6). Some of the data it contained came from FAIRVIEW (SSO Corporate Portfolio Overview, 9), STORMBREW (SSO Corporate Portfolio Overview, 11) and PRISM. In the latter case, DNI content and videos were sent to the PINWALE repository (PRISM/US-984XN Overview, 10; see also User’s Guide for PRISM Skype Collection, 4). In some cases, data which was sent to PINWALE was placed in a NOFORN partition (MONKEYROCKET Achieves Initial Operational Capability By REDACTED on 2012-07-24 1442,1).
PITCHFORD (PIT) – A covername used by CES/S31 (Exceptionally Controlled Information (ECI) Compartments, 3).
PITIEDFOOL – This covername refers to “a suite of technical attacks on the Windows operating system” (Gellman, Dark Mirror, 206).
PKTWench –
PLACEBO (PLC) – A covername used by CES/S31 (Exceptionally Controlled Information (ECI) Compartments, 3).
PLAIDDIANA – This covername refers to an operator against which the NSA was conducting fourth party collection, and was attempting to deobfuscate the data that was being passively collected (TRANSGRESSION Overview for Pod58, 5).
PLANK – This covername refers to “Access expansion and collection (content and metadata) via the deployment of a global SIGINT sensor grid through FAIRVIEW’s LITHIUM partner” (SSO Dictionary, 6).
PLANK-3A – This covername refers to the follow-on to FAIRVIEW’s FY11 PLANK-3 access expansion effort” (SSO Dictionary, 6).
PLUCKHAGEN – This covername refers to the effort to develop IRATEMONK implants for ARM-based Fujitsu drives. This project existed within the Persistence Division in the NSA, and was available for interns to work on (S3285/InternProjects, 4)
PLUMREVOLVER – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
PLUS YELLOWSTONE –
POISONIVY – This covername refers to a remote-access trojan which was used by “Chinese government spies” (Gellman, Dark Mirror, 209).
POISONNUT – This covername refers to all targeted VPN-related IKE which are used for VPN key recovery (APEX: Active/Passive Exfiltration, 39).
POLARPAWS – A firewall implant. Unknown vendor (Equation Group firewall operations catalogue).
POLARSNEEZE – A firewall implant. Unknown vendor (Equation Group firewall operations catalogue).
POLARSTARKEY – This covername refers to a workflow used as part of the TRANSGRESSION program, specifically in the context of network defence (TRANSGRESSION Overview for Pod58, 6).
POLITERAIN – This covername refers to one of the Tailored Access Operations (TAO) teams. The POLITERAIN team was tasked with remotely degrading or destroying opponent computers, routers, servers and network enabled devices by attacking the hardware using low-level programming. Interns had opportunities to join this team (S3285/InternProjects, 2).
POLYSTYRENE – This covername refers to a collection capability that was located in SCS Kuwait City (SIGAD: US-967J) that enabled one-sided collection of radio frequency communications, such as those associated with VSAT (SID Today: Deployment of New System Improves Access to Iranian Communications, 1). It was replaced in April 2006 by a FALLOWHAUNT system (SID Today: Deployment of New System Improves Access to Iranian Communications, 1).
POMPANO (POM) – A covername used by CES/S31 (Exceptionally Controlled Information (ECI) Compartments, 3).
POORWILL – This covername referred to the continued cable modernization of BIGBIRD, and would have focused on “providing increased DNR access capacity and processing across all existing cable sites” (SSO Dictionary, 1). The proposal would have, also, “increased processing capacity at the Program’s centralized processing facility – PINECONE.” (SSO Dictionary, 1).
POPQUIZ – A program that provided malicious discovery across sessions using heuristic-type approaches. It was used in the ELEGANTCHAOS program (ELEGANT CHAOS, 7) and was part of TURMOIL DEV (ELEGANT CHAOS, 9) and was also planned to be integrated into TUTELAGE (TUTELAGE 411, 17).
POPROCKS – This covername refers to a Chinese Computer Network Exploitation (CNE) actor that was involved in a 2009 navy router incident as well as in targeting video conference providers (BYZANTINE HADES: An Evolution of Collection, 3).
POTBED – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 10).
POUNDSAND – This covername refers to an experimental effort within the NSA to collect and promote information to analysts concerning botnet-related activities. Specifically, POUNDSAND was envisioned as making clearer the IP address(es) associated with a botnet, the country that IP address is associated with, city the address is linked with, the family of the malware, and the role of the endpoint in question (e.g. bot versus control channel) (HIDDENSALAMANDER: Alerting and Characterization of Botnet Activity in TURMOIL, 12). POUNDSAND would also let analysts understand what bots are active in what geographies, the targets of botnet activities, and who else the bot controller was commanding. Going forward, it might also identify if there are attack commands that could be exploited and the type of botnet activity in different regions and associated with different families (e.g. seeing increased infections in different geographies, or whether the botnet activity is linked with reconnaissance or DDoS), as well as the actual server, filename, comment, IP, or URL the bots send/grab/connect to (HIDDENSALAMANDER: Alerting and Characterization of Botnet Activity in TURMOIL, 13).
POWERPLANT – This covername refers to a specific method, technique, or device used to filter, select, or process WHIPGENIE target communications (Classification Guide for ECI WHIPGENIE, 5).
PRESSURETWIN (PTN) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 4).
PRESSUREWAVE (PWV) – This covername refers to a database used as an intermediary between TURBINE and the MARINA database (DEFIANTWARRIOR and the NSA’s Use of Bots, 19); such information was classified as Signals Development (SIGDEV) related (DEFIANTWARRIOR and the NSA’s Use of Bots, 25) . PRESSUREWAVE was, in part, used as a database to store metadata records from TURMOIL and which included data pertaining to UKE key exchanges (TURMOIL/APEX/APEX High Level Description Document, 4).
PRETZELDOG – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
PRINTAURA –
PRISM – This constituted “just one access of many” for BLARNEY (SSO Corporate Portfolio Overview, 14) and involved collection directly from the servicers of American service providers, including Microsoft (began 9/11/07), Yahoo (began 3/12/08), Google (began 1/14/09), Facebook (began 6/3/09), PalTalk (began 12/7/09), AOL (began 3/31/11), Skype (2/6/11), YouTube (9/24/10), and Apple (October 2012) (PRISM/US-984XN Overview, 6). The program cost approximately $20 million (USD) per year in 2012.
PRISM collected against DNI selectors, with DNR selectors coming soon in 2012, and also provided access to stored communications (search powers) as well as real-time collection (surveillance powers), though it’s voice collection was limited to Voice over IP. All relationships with communications providers were conducted through the FBI (PRISM/US-984XN Overview, 4). While what could be collected varied by authorizing legal authority, generally the following was available: e-mail, chat (voice and video), videos, photos, stored data, VoIP, file transfers, video conferencing, notifications of target activity (e.g., logins), online social networking details, as well as “special requests” (PRISM/US-984XN Overview, 5).
In general, NSA target analysts would input selectors into a Unified Targeting Tool (UTT) and, following a series of assessments and reviews of the selectors, would be provided to the FBI and its Data Intercept Technology Unit (DITU). The DITU then sent selectors to communications providers, received the results, and then sent them onward to the NSA while filtered the data and ultimately deposited it in a number of collection databases, such as FALLOUT, MARINA and MAINWAY (metadata), CONVEYANCE and NUCLEON (voice content), and PINWALE (DNI content and videos).
PROJECT AQUARIAN – A domestic program in the 1970s that enabled the NSA to tell which US government telephone calls were being intercepted by the Society government from with the USSR’s diplomatic facilities in Washington, New York, and San Francisco (The Secret Sentry: The Untold History of the National Security Agency, 163).
PROJECT CLEF – This covername refers to a third-man NSA radio interception facility at Wakkanai, Japan, in the 1970s (The Secret Sentry: The Untold History of the National Security Agency, 174).
PROTON – This covername refers to a database in which the NSA made available metadata — such as telephony information and Digital Network Intelligence (DNI) information — to parties in the US Government as well as Second Party agencies (Sharing Communications Metadata Across the U.S. Intelligence Community – ICREACH). It was ultimately replaced, at least in part if not in whole, by ICREACH.
PUZZLECUBE – A homepage used by FOXACID operators, from which they could access the YACHTSHOP tasking tool (FOXACID SOP For Operational Management of FOXACID Infrastructure, 22). PUZZLECUBE was sometimes explained as the Tailored Access Operation’s (TAO) tasking database (The FASHIONCLEFT Protocol, 13).
Q
QFIRE – This covername refers to a consolidated QUANTUMTHEORY platform under development in 2011 that “reduces latencies by co-locating (1) existing passive sensors with (2) local decision resolution, and (3) the ability to locally inject traffic to achieve the desired network effect.” (Forward-based Defense with QFIRE, 2). Low latency which was consolidated by QFIRE included trans-Atlantic and Pacific latency (Forward-based Defense with QFIRE, 8).
QUANTUM – This covername refers to an NSA worldwide hacking infrastructure, which deployed various tools to inject exploits, intercepted communications through Main in the Middle and Man on the Side attacks, and rerouted calls and emails through the NSA’s collection points (Gellman, Dark Mirror, 199). QUANTUM-based tools were used to support three classes of activities: Computer Network Exploitation (CNE), Computer Network Attack (CNA), and Computer Network Defence (CND). CNE iterations included: QUANTUMINSERT, QUANTUMBOT, QUANTUMBISCUIT, QUANTUMDNS, QUANTUMHAND, and QUANTUMPHANTOM. CNA iterations included: QUANTUMSKY and QUANTUMCOPPER. CND iterations included: QUANTUMSMACKDOWN (There is More Than One Way to QUANTUM). See GCHQ covernames and see CSE covernames.
This covername refers to a suite of tools which, when engaged in man-on-the-side attacks often entailed tricking Internet client software to re-direct to FOXACID servers instead of visiting the intended website or domain. FOXACID servers often contained malware designed to affect the re-directed Internet client. The CSE noted that QUANTUM was “easy to find” by analyzing the first content carrying packet and subsequently checking for sequence number duplication where duplicates have different payload sizes. Where content differs between the two packets by 10% then there is the possibility that a QUANTUM packet is being detected (CSE SIGINT Cyber Discovery: Summary of the current effort, 16).
QUANTUMBISCUIT (QB/QBISCUIT) – a member of the QUANTUM suite, QB utilized strong selectors within targeted web traffic (e.g. Yahoo! email address). The use of these selectors meant that the SIGAD where the user was active and their respective selector was all that was needed to inject into a HTML page which, once successful, diverted the target to a FOXACID server to be exploited (FOXACID, 17). It was regarded as new as of 2010 and relied on redirection based on keywords that was mostly based off of HTML cookie values (QUANTUMTHEORY, 7). The reason for developing this QUANTUM-based tool was that targets often used proxies and thus lacked sufficient unique web activity to properly target them. This program had been operational since 2007 and met with limited success due to high latency, though GCHQ used this for 80% of CNE accesses (There is More Than One Way to QUANTUM).
QUANTUMBOT (QBOT) – this covername refers to IRC bonnet hijacking using the QUANTUM system. It was part of the QUANTUM suite of tools, though regarded as a legacy tool as of 2010 (QUANTUMTHEORY, 6). It relied on XKEYSCORE to identify exploitable bots, TURMOIL to watch for such bots’ traffic, and TURBINE to generate man-on-the-size packets (DEFIANTWARRIOR and the NSA’s Use of Bots, 11).
QUANTUMBOT2 – this covername refers to a combination of QUANTUMBOT and QUANTUMBISCUIT for web-based command and controlled botnets. It was regarded as new as of 2010 (QUANTUMTHEORY, 7).
QUANTUMCOPPER – this was an experimental QUANTUM technique as of 2010 that was designed to disrupt file downloads (QUANTUMTHEORY, 8). It was in live testing starting in 2008 (There is More Than One Way to QUANTUM).
QUANTUMDEFENSE – used to identify and subsequently target adversaries attempting to gain entry, or implant, NIPRNET IP space using QUANTUM (QUANTUMTHEORY, 9).
QUANTUMDIRK (QDIRK) – a member of the QUANTUM suite, QUANTUMDIRK involved injecting into a chat message box (e.g. Yahoo! or Facebook messenger). This took advantage of the often long polling periods that were used to update information displayed in the browser (1 second to 2 minutes, whereas QUANTUM generally required approximately 50 milliseconds) and so success rates were up to 80% (in the case of Facebook). Payloads were unique to each service and, thus, more research and maintenance went into QUANTUMDIRK than some other members of the QUANTUM suite (FOXACID, 18).
QUANTUMDNS – this technique was regarded as new as of 2010, and was used for DNS hijacking and caching nameservers. It is part of the QUANTUM suite of tools (QUANTUMTHEORY, 7). It was seen as highly successful and in operation 2008 (There is More Than One Way to QUANTUM).
QUANTUMFALCON – This covername refers to an effort to better summarize collected events data, so that QUANTUM shots could be better targeted (QUANTUMFALCON: Summarization to support QUANTUM Targeting).
QUANTUMHAND – this tool exploited the computer of targets using Facebook, had been operational since 2010, and regarded as successful (There is More Than One Way to QUANTUM).
QUANTUMINSERT (QI) – regarded as the most basic of the QUANTUM suite, those targeted with this method were selected based on their home network and destination of their web activity. Targeting was IP-based and entailed shooting into random traffic with the goal of landing and situating an HTML redirect to FOXACID inside an HTML page. Given the relatively small amount of HTML traffic at the time of writing, this method had a low success rate given the number of shots that may be required, but its advantage was that an IP and web traffic at a ‘good’ passive collect site is all that was needed for a chance of success (FOXACID, 17). QUANTUMINSERT was recognized as a legacy technique as of 2010 (QUANTUMTHEORY, 6) and operated as a man-on-the-side kind of attack (There is More Than One Way to QUANTUM).
QUANTUMPHANTOM – this tool hijacked the IP of QUANTUM-able passive coverage to use as covert infrastructure and had been in live testing since 2010 (There is More Than One Way to QUANTUM).
QUANTUMMISH – this was an experimental QUANTUM technique in 2010 that was designed to interact with targeted spam exploitation, though it isn’t apparent what this means (QUANTUMTHEORY, 8).
QUANTUMSKY – this covername refers to HTML/TCP resets. It was part of the QUANTUM suite of tools, though regarded as a legacy tool as of 2010 (QUANTUMTHEORY, 6) and was operational as of 2004 (There is More Than One Way to QUANTUM).
QUANTUMSMACKDOWN – this tool prevented targets from downloading implants to Department of Defence computers while capturing malicious payloads for analysis. It was live tested starting in 2010 (There is More Than One Way to QUANTUM).
QUANTUMSPIN (QUANTUMSPIM, Q-SPIM) – an experimental QUANTUM technique in 2010 that was designed to target instant messaging such as MSN chat and XMPP (QUANTUMTHEORY, 8).
QUANTUMSQUEEL – an experimental QUANTUM technique in 2010 that was designed to inject into MYSQL persistent database connections (QUANTUMTHEORY, 8).
QUANTUMSQUIRREL – this experimental QUANTUM technique in 2010 was designed to be any IP in the world, thus being truly covert infrastructure (QUANTUMTHEORY, 8).
QUANTUMTHEORY – the overarching covername/mission name for a set of man-on-the-side techniques that utilized the NSA’s passive collection system and active components that were designed to react to real-time traffic captures. QUANTUM was a low latency operation: NSA must get a tip, process it, craft a response, and send a packet to the target before the actual expected response reached the target (FOXACID, 14). Further, the QUANTUMTHEORY mission leveraged the NSA’s vast system of distributed passive sensors to detect target traffic and tip a centralized command/control node. This node assessed the tip and injected a response toward the target using active Tailored Access Operations (TAO) assets. (Forward-based Defense with QFIRE, 2).
QUIDDITCH – This covername refers to exploits used by the NSA’s Special Collection Service (Gellman, Dark Mirror, 209).
R
RAGTIME (RGT) – This covername refers to a special handling caveat for operations which were originally classified under WHIPGENIE but later reflagged as STELLARWIND (Gellman, Dark Mirror, 118).
RAINFALL – This refers to a group, site or program that was successful in collecting 4G cellular communications in January 2010 (Site Makes First-Ever Collect of High-Interest 4G Cellular Signal).
RAISEBED –
RAM-A – This covername was used in reference to a Special Source Operation (SSO) (BOUNDLESS INFORMANT Frequently Asked Questions, 2).
RAM-M –
RAPTORGALAXY – This covername refers to an original Concept of Operations (CONOP) for inserting GPS trackers in cars or electronics that may never be seen again, and migrating data back from those vehicles using Delayed Transmission Networking (DTN) (Moving Data Through Disconnected Networks, 23).
RAPTORJOY – This covername refers to an operator against whom the NSA was conducting fourth party collection, and which set encryption keys in the message header (TRANSGRESSION Overview for Pod58, 14).
RAPTORROLEX – This covername refers to an operator against whom the NSA was conducting fourth party collection, and which set encryption keys in the packet header (TRANSGRESSION Overview for Pod58, 14).
RAPTORSAD –
RATWHARF – This covername refers to a group that engages in cyber missions, likely similar to those of the Tailored Access Operations (TAO) group (TRANSGRESSION Overview for Pod58, 2).
REACTOR –
RECORDER – This covername refers to an operator the NSA was conducting fourth party collection against by processing and decrypting passively collected information (TRANSGRESSION Overview for Pod58, 5).
REDHARVEST (RDV) – A covername used by GAO/S35 (Exceptionally Controlled Information (ECI) Compartments, 3).
REEFPOINT (RFT) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 3).
REFRACTOR (RFR) – A covername used by an organization referred to as “I” (Exceptionally Controlled Information (ECI) Compartments, 4). REFRACTOR was also a program used by the NSA and the U.S. Strategic Command’s Joint Functional Component Command – Network Warfare (JFCC-NW), marked as ECI (National Initiative Protection Program – Sentry Eagle, 5).
RENOIR –
REVELRY (RVL) – A covername used by National Counterintelligence and Security Centre (Exceptionally Controlled Information (ECI) Compartments, 4).
REXKWONDO – a TAO project that was targeted against Ogero (a Lebanese ISP) that enabled country-wide traffic shaping and man-in-the-middle capabilities against the country’s Internet traffic. Perhaps also the covername for Ogero (SIGINT Development Support II Project Management Review, 4).
RIMROCK – This covername refer to an access that was linked with foreign gateway switches and ATPs, and enabled as part of FAIRVIEW (i.e. AT&T) collection (FAIRVIEW Dataflow Diagrams, 2). This access occurred at TITANPOINT (FAIRVIEW Dataflow Diagrams, 2).
RIVERROAD (RVD) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 4).
ROADBED – A new data feed for ELEGANTCHAOS (ELEGANT CHAOS, 23).
RODEOSTAR – This covername refers to a FAIRVIEW site (SSO Dictionary, 7).
ROGUESAMURAI – This covername refers to a testing framework that was used by the NSA’s Persistence Division (S3285/InternProjects, 7).
ROLLEDHAT – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
ROLLERCOASTER –
RONIN[4] [5] [6] [7] – This covername refers to a database which is used to store enriched metadata associated with botnet-related activities (HIDDENSALAMANDER: Alerting and Characterization of Botnet Activity in TURMOIL, 9) as well as, more broadly, mobile IP information (IR.21 – A Technology Warning Mechanism, 15).[8] In the context of SIGDEV, RONIN is described as a device characterization database and one of the enrichments of the NSA’s Network Knowledge Base (NKB) which held server analytics (e.g., VPN identified through application layer information in ASDF), VPN analytics (e.g. endpoint in TOYGRIPPE), and router configuration information (What Your Mother Never Told You About SIGDEV Analysis, 49-50).
ROOTKNOT –
ROYALNET – This covername refers to a database that could be searched against; it could be used to find netstrings related to a target network or links that were likely to carry a target network’s communications (What Your Mother Never Told You About SIGDEV Analysis, 28).
RTRG – This acronym refers to a set of tools which were not integrated into the ECC, and which held spare data sets that were tactically oriented and used for “real-time” analytics. Problematically, unregulated alerts reliant on this system could quickly spam users (Running Strategic Analytics Affecting Europe and Africa, 10).
RUBIOUS (RBI) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 4).
RUMBUCKET – This covername refers to the protocol or service used to remotely access data held in GINPENNANT, which itself was the framework used to ingest and store FORNSAT data, such as at Yakima Research Station (The Northwest Passage (Volume 2, Issue 1), 3).
S
SADDLEBACK – This covername refers to an intern project available through the NSA’s Persistence Division. SADDLEBACK utilized a hard drive’s serial port to create a firmware implant that could pass to and from the implant running in the operating system. In practice, the serial port was connected to a short hop radio that could communicate with another radio in a system, which eliminated the need to tap the SATA bus as was done in earlier versions of SADDLEBACK (S3285/InternProjects, 4).
SAFEGUARD – This covername refers to a proposed American anti ballistic missile system (The Northwest Passage (Volume 2, Issue 1), 2).
SAGUARO – This covername refers to a the FAIRVIEW program’s acquisition of DNI access from the FAIRVIEW partner’s DNI backbone (SSO Dictionary, 5) which “includes OC-192 and 10GE peering circuits. The Partner has provided a current view of the forecasted and equipped 10GE and OC-192 peering circuits at the eight SNRCs as of March 2009. Based on the information presented, by the end of 2009, the total number of forecasted 10GE peering circuits at the SNRCs will be approximately six times greater than OC-192 peering circuits. However, the growth in 10GE circuits in 2009 is about 19 times greater than the forecasted growth for OC-192 circuits. As these additional links become active it is imperitive that FAIRVIEW have the ability and the agility to follow SIGINT targets of interest. This action will provide 100% coverage of the 2009 forecasted 10GE and OC-192 links. This broad coverage approach is a key part of a larger effort to recast the FAIRVIEW DNI router access to be more agile and more high-value intelligence focused as part of the program’s effort to provide broad access, continuous survey and focused collection” (SSO Dictionary, 7).
SAILWINDS (SLD) – A covername used by GAO/S35 (Exceptionally Controlled Information (ECI) Compartments, 4).
SANDPALACE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
SARATOGA –
SCABBARD (SBD) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 4).
SCALAWAG – This covername refers to a sub-element of SOMALGET, which operated under a lawful interception auspice to provide the Drug Enforcement Agency (DEA) with counter-narcotics intelligence. Host countries were unaware that LOLLYGAG was using these lawful interception systems to facilitate the NSA’s SIGINT collection (SSO Dictionary excerpt MYSTIC).
SCARFSLOOP – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
SCISSORS – This covername refers to a technology associated with FAIRVIEW, and which pertained to DNI and DNR information which was presented as part of the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 11). SCISSORS was involved in full-take and metadata collection (Atomic SIGINT Data Format (ASDF) Configuration Read Me, 1) though, more generally, has been considered as a processing system which sliced up data for sorting (Gellman, Dark Mirror, 206).
SCORECARD – This covername refers to an data element that integrates into the ICREACH toolkit (Sharing Communications Metadata Across the U.S. Intelligence Community – ICREACH, 29).
SCORPIOFORE – This refers to a tool for SIGINT reporting (AURORAGOLD Target Technology Trends Center/TC3 Support to WPMO, 3).
SCREAMINGHARPY – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 10).
SCREAMINGPLOW – Similar to JETPLOW (Equation Group firewall operations catalogue).
SEAGULL – This covername refers to “BR-FISA Metadata, LITHIUM’s billing records” (SSO Dictionary, 7).
SEAGULLFARO (SEAGULFARO) –
SEALION – This refers to a FAIRVIEW site (SSO Dictionary, 7).
SEARCHLIGHT – This covername refers to an data element that was integrated into the ICREACH toolkit (Sharing Communications Metadata Across the U.S. Intelligence Community – ICREACH, 25).
SECONDDATE – A packet injection module for BANANAGLEE and BARGLEE (Equation Group firewall operations catalogue). SECONDDATE was an exploitation technique that took advantage of web-based protocols and man-in-the-middle positioning to influence real-time communications between clients and servers. The goal was to redirect browsers to FOXACID servers for individual client exploitation. This project enabled mass exploitation for clients passing through network chokepoints but could be configured to conduct surgical targeting as well (FOXACID, 13).
SEDB – This covername refers to a tool that was able to access FASCIA data (SSO Dictionary, 3).
SEEDSPHERE – This covername refers to a Chinese Computer Network Exploitation (CNE) actor (BYZANTINE HADES: An Evolution of Collection, 3).
SEEKER –
SENTRYCONDOR (SCR) – this covername focused on the NSA’s assistance to the Department of Defence for computer network attack operations (National Initiative Protection Program – Sentry Eagle, 8).
SENTRYEAGLE (SEE) – this was the covername for all of the associated efforts, with the others in the ‘SENTRY’ series, which captured particular efforts that were involved in the NSA’s defensive activities for American cyberspace (National Initiative Protection Program – Sentry Eagle).
SENTRYFALCON (SFN) – this covername focused on computer network defense, and included the NSA’s activities to determine intruder attribution, facts related to NSA’s efforts to deceive networkers, and facts about the NSA’s attempts to redirect network data (National Initiative Protection Program – Sentry Eagle, 11).
SENTRYHAWK (SHK) – this covername pertained to Computer Network Exploitation (CNE) operations. Only some activities were classified as ECI, including: the fact that NSA attempted to (or succeeded in) exploiting vulnerabilities within targets’ IT infrastructure; facts about CNE operations that included command, control, and exfiltration of data; facts about NSA’s access to non-US worldwide cable/fibre optic structures (National Initiative Protection Program – Sentry Eagle, 10).
SENTRYOSPREY (SOY) – this covername concerned the NSA’s relationships with human intelligence, such as countries that employed national clandestine service (NCS) capabilities and facts about the assets and agents (covert or undercover) and their targets, locations, IT sites, and specific operations and techniques they used to exploit targets (National Initiative Protection Program – Sentry Eagle, 13).
SENTRYOWL (SOL) – this covername captured the NSA’s relationships with industry, including that industry partners enabled the NSA’s SIGINT operations, that certain industry partners worked with the NSA to make their products and device exploitable for SIGINT, and that industry partners made available worldwide metadata and content that was transiting the United States or is accessible via international mediums provided by US entities (National Initiative Protection Program – Sentry Eagle, 7).
SENTRYRAVEN (SRN) – this covername focused around the exploitation of enciphered communications, and specifically regarding supercomputers and special purpose hardware used to crack foreign ciphers, on which the NSA worked with certain US manufacturers to modify US manufactured encryption systems to make them exploitable to SIGINT, and invested heavily in special purpose computer systems to attack commercial encryption (National Initiative Protection Program – Sentry Eagle, 9).
SERENADE – This was BLARNEY’s covername for one of their Corporate Partner’s. Individuals needed WPG ECI to learn its name (SSO Dictionary, 7).
SERRATEDEDGE – This covername refers to a conflict number access, and was associated with STORMBREW (SSO Corporate Portfolio Overview, 11).
SHADOWDRAGON – This covername refers to an operator that the NSA was conducting fourth party collection against (TRANSGRESSION Overview for Pod58, 5).
SHADYNINJA – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
SHAKEWEIGHT – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
SHAREDVISION – This covername refers to a program used by other programs, such as WORDGOPHER, to distribute data into systems such as WEALTHYCLUSTER (Shift to Software Demodulation in Misawa Expands Collection, Saves Money, 1).
SHAREDTAFFY – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 10).
SHARPSHADOW – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 10).
SHATTEREDSHIELD – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
SHELLGREY – This covername refers to a DNT exfiltration metadata format (APEX: Active/Passive Exfiltration, 13).
SHEPHERD –
SHIFTINGSHADOW – This refers to an access for OAKSTAR that was assigned the SIGAD US-3217 (SSO Corporate Portfolio Overview, 8)
SHIPMASTER –
SHOUTPIG – This covername refers to an element of the Tailored Access Operation (TAO) group’s botnet data collection system. SHOUTPIG operates in the DMZ between TAO Net and NSANet, and was used to move cleaned CDR data to TURBINE within NSANet (DEFIANTWARRIOR and the NSA’s Use of Bots, 19).
SIERRAMIST – This covername refers to a project undertaken by the NSA’s Persistence Division, and which was available for interns to work on. SIERRAMIST was a partition that could be established on a hard drive (S3285/InternProjects, 7).
SIERRAMISTFREE –
SILENT_TONGUES – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
SILLYBUNNY – this covername refers to browser tags used as a selector type by the NSA (SPINALTAP: Making Passive Sexy for Generation Cyber, 4).
SILVERBOLT –
SILVERBLOSSOM –
SILVERCLOUD (SVC) – A covername used by GAO/S35 (Exceptionally Controlled Information (ECI) Compartments, 4).
SILVERCOLLAM (SC) – This refers to a FAIRVIEW site (SSO Dictionary, 7).
SILVERJUMP – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
SILVERZEPHYR – This covername refers to a SSO under the OAKSTAR portfolio and which operated under Transit Authority (SSO Corporate Portfolio Overview, 8).
SINKGOAL (SKG) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 4).
SKYJACKBRAD – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
SKYNET – A covername used to describe a collaborative research project meant to apply geospatial, geotemporal, pattern-of-life, and travel analytics to bulk telephony data to identify patterns of suspect activity (SKYNET: Applying Advanced Cloud-based Behaviour Analytics, 3). It was designed to detect possible couriers for Al Qaeda ((SKYNET: Courier Detection via Machine Learning).
SLIVER – This covername refers to a proof-of-concept that was “an effort to enable cross-mission (CNO) collaborative capabilities in a global setting. Under the SLIVER initiative, passive IP sensor nodes will be deployed at two CONUS sites and two OCONUS sites. These nodes will be fed by a small amount of traffic volume. The CONUS nodes will support both Lithium commercial network security functions, as well as SIGINT and SIGINT-enabled CND applications (i.e., end-point characterization data and IP flow data). Within the SLIVER timeframe, due to OPSEC constraints, the OCONUS nodes will only be configured to support Lithium commercial network security functions — any Lithium-derived metadata from the OCONUS nodes will be sent to FAIRVIEW’s centralized processing facility (PINECONE), under applicable SIGINT authority, for analysis and exploitation. In addition to these passive sensor nodes, active commercial security nodes will also be deployed at both the CONUS and OCONUS sites and used commercially in order to provide essential mission cover” (SSO Dictionary, 8).
SLYNINJA – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
SLYSNOW – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
SLYWIZARD – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
SMARTTRACKER – A covername used to describe a machine learning process, whereby the NSA detected “interesting” travel patterns based on bulk travel, pattern-of-life, and telephony metadata (SKYNET: Applying Advanced Cloud-based Behaviour Analytics, 34).
SMOKYSINK – This covername refers to a source that the NSA considered for diversifying QUANTUMBOT tipping (DEFIANTWARRIOR and the NSA’s Use of Bots, 15).
SNAPKEY – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
SNOWGLOBE – This covername refers to an operator against whom the NSA was conducting fourth party collection, which involved processing and decrypting passively collected data (TRANSGRESSION Overview for Pod58, 5).
SNOWHAZE –
SOCIOPATH –
SODAPRESSED – This covername refers to an aspect of the BERSERKR implant, which was developed by the NSA’s Persistence Division and was available for interns to work on. SODAPRESSED intended to install some application or inject something into memory when a given installation of Linux was running to achieve Linux persistence (S3285/InternProjects, 9).
SOLARSHOCK116 – This covername refers to a TAO endpoint machine which was associated with an Iranian target and synched with an iPhone. It was correlated with other identifiers found in the GCHQ’s metadata databases (iPhone target analysis and exploitation with unique device identifiers, 5).
SOMALGET – This is an umbrella covername, which encompasses SCALAWAG, OILYRAG, and LOLLYGAG collection systems, as well as BASECOAT which operates in the Bahamas. The umbrella term was provided by the NCSC. SOMALGET processed over 100 million calls, per day, and took place under the DEA’s lawful interception auspice; no host nations were aware that the NSA’s SIGINT collection also used these systems (SSO Dictionary excerpt MYSTIC)This covername refers to a sub-element of SOMALGET, which operated under a lawful interception auspice to provide the Drug Enforcement Agency (DEA) with counter-narcotics intelligence. Host countries were unaware that LOLLYGAG was using these lawful interception systems to facilitate the NSA’s SIGINT collection (SSO Dictionary excerpt MYSTIC)..
SORA2 – This refers to an “IP Access Expansion effort for FAIRVIEW. One of the areas of FAIRVIEW’s DNI backbone access (Saguaro) that has not yet been sufficiently exploited is the access side of the Common Backbone (CBB) network. The major reason for this is the sheer number of access links – tens of thousands – which would make 100% coverage prohibitively expensive. One way to overcome this constraint is to monitor uplinks out of the access routers toward CBB backbone or aggregation routers. Even so, the number of uplinks is still numerous, requiring an additional selection/prioritization strategy. Lithium, in concert with ODD, developed a strategy that rank orders access routers using several different metrics, such as the following: PRI Value, Country Value, PAA Value, CD Value and CCCD Value. The top eight router uplinks, as outlined in the attached proposal, have been analyzed and deemed of high SIGINT interest. Therefore, we are requesting approval to deploy monitoring on these uplinks (SSO Dictionary, 8).
SORTINGHAT – This covername refers to what the NSA called its traffic control system for the exchange of information with the GCHQ (Gellman, Dark Mirror, 209).
SORTINGLEAD – This covername refers to an data element that was integrated into the ICREACH toolkit (Sharing Communications Metadata Across the U.S. Intelligence Community – ICREACH, 29).
SPARECHANGE – A program used by the NSA and U.S. Strategic Command’s Joint Functional Component Command – Network Warfare (JFCC-NW), which was marked as Exceptionally Controlled Information (ECI) (National Initiative Protection Program – Sentry Eagle, 5).
SPARTANFURY – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
SPIKEYFARM – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
SPINALTAP – This covername refers to a database which stored selectors taken from implanted machines, so that those selectors could then be used to generate fingerprints for passive collection (SPINALTAP: Making Passive Sexy for Generation Cyber).
SPINDLE –
SPINNERET – This covername is used in reference to a Special Source Operation (SSO) (BOUNDLESS INFORMANT Frequently Asked Questions, 2).
SPITEFULANGEL –
STARGATE (SG) – This was a CNE-related program (STARGATE CNE Requirements).
STAIRWELL (STA) – A covername used by S2E (Exceptionally Controlled Information (ECI) Compartments, 4).
STAKECLAIM – This covername refers to the mission systems which were purchased for the new High Frequency (HF) antenna field at Camp Hansen, Japan, which replaced the mission systems that were located in Okinawa. The Japanese government paid the full costs for the new mission equipment, which combined with creating the new HF base, cost approximately $500 million (USD) over 10 years (NSA SIGINT Site Relocated in Japan: The Story Behind the Move).
STARBURST – An early cover name for STELLARWIND (Gellman, Dark Mirror, 167; STELLARWIND Classification Guide, 3).
STARCHART (SRC) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 4).
STARGATE (SG) – This refers to the FAIRVIEW-A site (SSO Dictionary, 7).
STARPROC (START PROC) – focused on “internet apps” (Source: Mobile Apps – Checkpoint meeting Archives) and used to process some lawful intercept-related information (Exploiting Foreign Lawful Intercept (LI) roundtable, 9).
STATEROOM – this covername refers to diplomatic facilities from which covert Signals Intelligence operations took place (STATEROOM Guide, 1).
STEELFLAUTA (STF) – This covername refers to shared SSO/TAO Shaping project and was assigned SIGAD US-3105S1, which it shares with DARKTHUNDER (SSO Corporate Portfolio Overview, 8).
STEELSKY_DELTA – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
STEELSKY_ECHO – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
STEELSKY_FOXTROT – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
STEELSKY_GOLF – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
STELLABLUE – This covername refers to a source that the NSA considered for diversifying QUANTUMBOT tipping (DEFIANTWARRIOR and the NSA’s Use of Bots, 15).
STELLARWIND (STLW) – This refers to a warrantless domestic surveillance program that was created in late 2001 (Gellman, Dark Mirror, 19) that collected DNI (STELLARWIND Classification Guide, 18) and DNR (STELLARWIND Classification Guide, 19), as well as content information (STELLARWIND Classification Guide, 22) and relied on U.S. telecommunications companies (STELLARWIND Classification Guide, 14). STELLARWIND was designated as ‘exceptionally controlled information’ the highest classification level for NSA programs (Gellman, Dark Mirror, 168). STELLARWIND involved the use of the MAINWAY program to map links between individuals and their social groups (Gellman, Dark Mirror, 173; STELLARWIND Classification Guide, 36). STELLARWIND was initially marked as ‘TSP’ and ‘Compartmented’ (STELLARWIND Classification Guide, 2), as well as with the covername STARBURST (Gellman, Dark Mirror, 167; STELLARWIND Classification Guide, 3).
STONEGATE – The SSO Dictionary defines this covername as, “an automated and scalable dial-up data modem and FAX modem demodulation system. It is used to collect, recognize, demodulate, format, forward, database, archive, and reporting on dial-up data modem, FAX modem, speech, and unknown signals. STONEGATE is designed to handle the 80% of the dial-up data modem and FAX modem traffic that can be automatically and correctly processed. The 20% of the traffic that can not be automatically and correctly processed is forwarded to a demodulation system that has the resources needed to process the traffic. If there are problems with the STONEGATE processed signal, the original signal can be automatically retrieved via the Archive Retrieval interface. Speech and unknown traffic are detected and forwarded. STONEGATE generates statistics and reports on dial-up data modem, FAX modem, speech, and unknown signals” (SSO Dictionary, 8-9).
STONEHENGE –
STORMBREW – This covername refers to a program related to Verizon. STORMBREW was active in the Middle East (Classification Guide for ECI WHIPGENIE, 4). It operated under a Transit Authority and was assigned SIGAD US-983 (SSO Corporate Portfolio Overview, 8), and operated globally (SSO Corporate Portfolio Overview, 11) using eight sites that were connected by a DS3 ring (SSO Corporate Portfolio Overview, 12). DNI collection against STORMBREW was limited to FAA and FISA, and provided access to mid-point collection at seven sites and approximately 130 circuits (SSO Corporate Portfolio Overview, 11). It operated under FAA Authorities on SIGADs Us-984X(A-H) for DNI and US-984-X1 (SSO Corporate Portfolio Overview, 11). It handled FISA-related tasking using SIGAD US-984P (PERFECTSTORM) as well as PDDG AX (SSO Corporate Portfolio Overview, 11). STORMBREW could be taked in UTT and OCTACT and its data could be retrieved from PINWALE, NUCLEON, and DISHFIRE (SSO Corporate Portfolio Overview, 11).
STORMFORCE – modems that, through a hardware and software combination, increased capacity of signals at Menwith Hill Station from 4 to 40 (ELEGANT CHAOS, 3).
STORMPIG – This covername refers to an element of the Tailored Access Operations (TAO) group’s botnet harvesting system. Specifically, STORMPIG was used to clean up data that was provided by bots such that it could subsequently be transmitted to other NSA databases (DEFIANTWARRIOR and the NSA’s Use of Bots, 19).
STRAITBIZARRE (SBZ, STRAITBIZZARE) – This covername refers to a cross-platform implant framework built using the Tailored Access Operations (TAO) CHIMNEYPOOL framework. It had ports for operating systems such as Linux and Windows, was used to exfiltrate files from endpoint devices, and integrated the FRIEZERAMP protocol for covert networking and the CHIMNEYPOOL framework for communications (Moving Data Through Disconnected Networks, 31). It was used for a variety of tasks, including Delay Tolerant Networking (DTN) (Moving Data Through Disconnected Networks) as well as part of the QUANTUMTHEORY framework (QUANTUMTHEORY, 5). STRAITBIZARRE received commands from TURBINE via SURPLUSHANGAR/HANGARSURPLUS diodes and implanted machines were configured using FELONYCROWBAR to subsequently be able to target QUANTUM ‘shots’ (QUANTUM Shooter SBZ Notes).
STRAITLACED – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
STRAWHORSE – This covername refers to a capability unveiled at the 2012 Jamboree conference that enabled the clandestine surveillance of iPhones (Gellman, Dark Mirror, 186). STRAWHORSE was developed in response to the need to gain access to iPhones in quantity, and at a distance, and worked equally well on Apple laptop and desktop computers (Gellman, Dark Mirror, 217). Specifically, STRAWHORSE was a ‘whacked’, or modified, version of the Apple compiler, which allowed for the insertion of a remote-controlled backdoor into each app that was compiled (Gellman, Dark Mirror, 218). STRAWHORSE was designed to “infect in-house developers employed by organizations, agencies, and companies whose software might be used by an NSA surveillance target” (Gellman, Dark Mirror, 219).
STYLISHCHAMP – This covername refers to a project that was undertaken by the NSA’s Persistence Division, and which was available for interns to work on. STYLISHCHAMP was a tool that could create a HPA on a hard drive and then provide raw reads and writes to the area (S3285/InternProjects, 11).
SUBTLESNOW –
SUITESWIVEL (STV) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 4).
SUPERDRAKE –
SURPASSPIN –
SURPLUSHANGAR (SH, SURPLUSHANGER) – High to low diodes that are used as part of the QUANTUMTHEORY framework (QUANTUMTHEORY, 5).
SWEEPFORWARD –
SWITCHDOWN_IR_AW – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
SWITCHDOWN_IR_BR – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
SWITCHDOWN_IR_CD – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
SYNAPSE – This covername refers to a program that did link analysis, and which was used as part of the activities undertaken by the Center for Content Extraction (Center for Content Extraction, 5).
T
TAPERLAY – This covername refers to a database for aggregating telephony and provider information (IR.21 – A Technology Warning Mechanism, 14).
TARMAC – this SIGINT feed (ELEGANT CHAOS, 9) provided information concerning target activity and network space, and was used as part of the ELEGANTCHAOS program (ELEGANT CHAOS, 7). It was sometimes referred to as ‘SLR’ (ELEGANT CHAOS, 9).
TATTOO – This covername refers to a server that was placed in a PINECONE SCIF as an elements of FAIRVIEW’s site processing when the TAO was shaping traffic into FAIRVIEW (FAIRVIEW Dataflow Diagrams, 19).
TEFLONDOOR – A self-destructing post-exploitation shell for executing an arbitrary file. The arbitrary file is first encrypted with a key (Equation Group firewall operations catalogue).
TERRAIN – This covername refers to a technology associated with collecting DNI or DNR information, and which was used by a foreign partner (BOUNDLESSINFORMANT, 12).
THIEVING MAGPIE (TM) – This covername refers to a database which contained IMSI numbers, Event Dates, and airline Flight Information (i.e. airline code and flight number) (HOMING PIGEON, 4).
THEORYMASTER – This was a program that contained the COURIERSKILL project (SSO Dictionary, 1).
THUNDERCLOUD –
THUNDERISLAND –[9] This covername is linked to MONKEYROCKET, which is a SSO; THUNDERISLAND is the term used to refer to that SSO partner’s identity.
THIEVESQUARTER – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
TICKETWINDOW –
TIMBERLINE –
TINSEL – This covername refers to an elements of NSA’s corporate processing of data, such as that received from FAIRVIEW (FAIRVIEW Dataflow Diagrams, 6).
TINT –
TITANPOINT – This covername is associated with FAIRVIEW (e.g., FAIRVIEW Dataflow Diagrams, 2).
TITANPOINTE – This covername refers to BLARNEY’S site in NYC (SSO Dictionary, 9).
TITANRAIN III – This covername was re-coded to BYZANTINE CANDOR (BYZANTINE HADES: An Evolution of Collection, 3).
TOADYTEAL – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
TOPROCK – This covername refers to a FAIRVIEW collection capability, which involved collecting transit DNR metadata and SMS (FAIRVIEW Dataflow Diagrams, 9).
TORNSTEAK – This covername refers to a project that was undertaken by the NSA’s Persistence Division, and which was available for interns to work on. TORNSTEAK was a persistence solution to two firewall devices from one vendor; interns were expected to work to port TORNSTEAK to several more firewalls provided by the same vendor (S3285/InternProjects, 10).
TOTALDAGGER – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
TOXICSNOW – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
TOYGRIPPE – This covername refers to a database which stored full take VPN-related IKE metadata (APEX: Active/Passive Exfiltration, 39). Database fields included a caseNotation, source ID of the SIGAD that provided the data, and there were plans to add Agent CaseNotation, Agent ID, and Passive CaseNotation, with a recognition that passively collected records would lack the proposed additive fields and Tailored Access Operations (TAO) returned data would also lack this information (Analytic Challenges from Active-Passive Integration, 10). It, also, could present IP addresses for VPNs (What Your Mother Never Told You About SIGDEV Analysis, 40). Some of the data it contained came from FAIRVIEW (SSO Corporate Portfolio Overview, 9).
TRAFFICTHIEF – This covername refers to a tipping system used by analysts (APEX: Active/Passive Exfiltration, 7).
TRAILBLAZER –
TRANSCOM –
TRANSGRESSION – This covername refers to a program meant to provide cryptanalytic exploitation support for Network Defense, fourth party SIGINT, and Cyber (i.e. Tailored Access Operations, RATWHARF) missions (TRANSGRESSION Overview for Pod58, 2).
TRANSIENT – A covername for all efforts to access, process, and analyze communications emanating from Soviet communications satellites (The Northwest Passage (Volume 2, Issue 1), 1).
TRAVELLINGWAVE – Scores from this covername were part of the enrichment feed for ELEGANTCHAOS (ELEGANT CHAOS, 9).
TREASUREMAP – This covername refers to a database which was used by the NSA, and specifically the Tailored Access Operations (TAO) group, to retain traceroute information (DEFIANTWARRIOR and the NSA’s Use of Bots, 25).
TREBLECLEF –
TRICKSHOT (TST) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 4).
TRIDENTSPECTRE – This covername refers to a location where the NSA demonstrated its Delay Tolerant Networking (DTN) system (Moving Data Through Disconnected Networks, 30).
TROPICALSTORM – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
TUBE – This acronym refers to “the TU[TURBULENCE] Back-end; it receives SOTF objects from TML (and potentially other TU systems), determine what forwarding actions should occur, and perform any requisite pre-forwarding preparation processing so as to create objects which can be ingested by the appropriate destination repositories. This includes 2nd and 3rd party legacy databases. TUBE will also forward objects to PWV in SOTF format (SSO Dictionary, 9).
TUMBRIL – This covername refers to a specific method, technique, or device used to filter, select, or process WHIPGENIE target communications (Classification Guide for ECI WHIPGENIE, 5).
TUMULT – This covername refers to a function within QUANTUMTHEORY (Forward-based Defense with QFIRE, 16). This function was deployed with FAIRVIEW (FAIRVIEW Dataflow Diagrams, 15).
TUNINGFORK – This covername refers to a database containing passwords that were searchable using XKEYSCORE (The Unofficial XKEYSCORE Guide, 9).
TURBINE – This covername refers to active mission logic of remote agents that was used as part of the QUANTUMTHEORY framework (QUANTUMTHEORY, 5) and classified as a kind of active SIGINT (APEX: Active/Passive Exfiltration, 7). TURBINE was used to automate the management and control of the network of implants and was located within the United States (APEX: Active/Passive Exfiltration, 9). It was also designed to manage a large number of covert implants for active SIGINT and active attacks that resided on the GENIE cover infrastructure (for endpoint data extraction). Moreover, TURBINE was designed to increase the capability to deploy and manage hundreds of Computer Network Exploitation (CNE) and Computer Network Attack (CNA) implants to potentially millions of implants. TURBINE was heavily integrated with QUANTUMBOT (DEFIANTWARRIOR and the NSA’s Use of Bots, 9). Whereas TURMOIL was used to watch for particular kinds of information as a passive sensor, TURBINE was used to subsequent generate packets, such as those used in QUANTUMBOT’s man-on-the-side operations (DEFIANTWARRIOR and the NSA’s Use of Bots, 11). TURBINE was also used to move information collected as part of DEFIANTWARRIOR to PRESSUREWAVE, which then transmitted information into MARINA (DEFIANTWARRIOR and the NSA’s Use of Bots, 19).
TURBOPANDA – A tool that could be used to communicate with a HALLUXWATER implant (Equation Group firewall operations catalogue).
TURBULENCE (TU) – This covername refers to an NSA program to combine passive (i.e. TURMOIL) and active (i.e. TURBINE) collection systems in order to better identify, collect, and decrypt VPN and VoIP traffic (APEX: Active/Passive Exfiltration, 6); it can be regarded as being responsible for storage and analytic processes for delivering content to analysts (TURMOIL/APEX/APEX High Level Description Document, 2). TURBULENCE also combined the active defense capabilities of TUTELAGE (Forward-based Defense with QFIRE, 4). KEYCARD was, also, part of the suite of tools associated with TURBULENCE (SSO Dictionary, 4). The SSO Dictionary defined the covername as “the Enterprise framework of mission modernization, an element of the Enterprise Architecture. As part of NSA/CSS Transformation, TURBULENCE unifies MidPoint and Endpoint SIGINT, and dynamic defense, and enables network attack in a manner that creates cooperative, interoperable, real-time exploitation/defense/attack-enabling capabilities between geographically distributed nodes in a peer-to-peer (P2P) manner. At one time TURBULENCE was equivalent to NCC, or more precisely, the NCC acquisition program was tasked to acquire TURBULENCE. However, in CY2008 acquisition responsibility for some parts of the TURBULENCE architecture were split off to other program offices so that the NCC program is now responsible for some but not all components of TURBULENCE” (SSO Dictionary, 9).
TURKEYTOWER – This covername refers to a platform on which a Java web app was used to query Cloudbase. TURKEYTOWER was either re-named as MACHINESHOP or replaced with MACHINESHOP (BOUNDLESS INFORMANT Frequently Asked Questions, 3).
TURMOIL (TML) – This covername refers to the high-speed passive collection systems that were designed to intercept foreign target satellite, microwave, and cable communications (APEX: Active/Passive Exfiltration, 8); KEYCARD was one of the target filtering and selection databases used in TURMOIL (SSO Dictionary, 4). Different ‘TURMOILs’ were located at MHS, MSOC, and YRS (DEFIANTWARRIOR and the NSA’s Use of Bots, 15). These systems operated as a passive sensor and were sometimes used as part of the QUANTUMTHEORY framework (QUANTUMTHEORY, 5). The passive collection collected, at least in part, DNI and DNR information from Special Source Operations (BOUNDLESSINFORMANT, 13) and WINDSTOP (BOUNDLESSINFORMANT, 15) and could be used as part of the tipping process to queue shots from QUANTUMBOT (DEFIANTWARRIOR and the NSA’s Use of Bots, 9). TURMOIL was used to watch for particular kinds of information as a passive sensor, whereas TURBINE was used to subsequent generate packets, such as those used in QUANTUMBOT’s man-on-the-side operations (DEFIANTWARRIOR and the NSA’s Use of Bots, 11). In certain cases TURMOIL could be used to detect information pertaining to IPSEC VPN connections, such as the first exchanged packets which establish the parameters and encryption keys (IKE) as well as the ‘content’ packets (ESP). It was possible to leverage TURMOIL to engage in real-time deception of targeted VPNs if the keys can be provided in time, with the decrypted data subsequently processed by TURMOIL apps for normal selection (e.g. VoIP, webmail) (Analytic Challenges from Active-Passive Integration, 5). TURMOIL was also used as part of the NSA’s efforts to identify, categorize, and prioritize botnet-related activities (HIDDENSALAMANDER: Alerting and Characterization of Botnet Activity in TURMOIL). Data flows from MUSCULAR were also diverted through TURMOIL (Gellman, Dark Mirror, 305).
The SSO Dictionary defined TURMOIL as “the passive Digital Network Intelligence (DNI) SIGINT collection component of the TURBULENCE architecture, funded by the Network Centric Capabilities (NCC) acquisition program. It consists of an architecture designed to be extensible and flexible, so that the collection posture on these accesses can be altered dynamically with minimal service interruption. TURMOIL delivers IP data, sessionized and processed, to the back-end of the SIGINT system, in an analyst-ready form” (SSO Dictionary, 9). It was deployed as part of FAIRVIEW (i.e. AT&T) collection (FAIRVIEW Dataflow Diagrams, 19).
TURMOILHIDDENSALAMANDER – See HIDDENSALAMANDER.
TURNSTILE – This covername refers to a partner-collected system, which processed data that FAIRVIEW (i.e., AT&T) had collected from SAGUARO (FAIRVIEW Dataflow Diagrams, 2).
TURNSTYLE – This covername refers, at least in part, to collars for antennas to support the al-Qa’ida spring offensive in Afghanistan (Charlie Meals Opens New Engineering Support Facility in Japan, 2).
TURTLEPOWER – This covername refers to an NSA system for the automated decryption of enciphered data (Gellman, Dark Mirror, 209).
TUSKATTIRE – This covername refers to a process by which Call Data Records (CDRs) from Pakistani telecommunications were normalized as part of the DEMONSPIT dataset, which was itself part of the SKYNET research project (SKYNET: Applying Advanced Cloud-based Behaviour Analytics, 6-7). It was used by BOUNDLESSINFORMANT, at one point, as a DNR ingest processor and ultimately replaced by GM-PLACE (BOUNDLESS INFORMANT Frequently Asked Questions, 2).
TUTELAGE – This covername refers to the American-based aspect of the TURBULENCE program (TURBULENCE (Snippet), 1) and was classified as a type of active defence (APEX: Active/Passive Exfiltration, 7). TUTELAGE used the NSA’s passive sensors to detect events and subsequently, in some cases, take action towards the events which were targeting government networks. At a high level, once SIGINT was retrieved from adversary space that may have characterized foreign adversary tradecraft, signatures and countermeasures were designed and pushed to the U.S. boundary sensors. Those sensors deployed countermeasures when adversary tradecraft was detected either at a boundary point or more generally through SIGINT sensors which were deployed more broadly. As of around February 2011 or later, TUTELAGE had seven operational capacities. First, passive sensors could generate alerts based on detecting events and then send those alerts into storage. Second, an inline packet processor could intercept packets and make it appear to an adversary that an activity was completed without disclosing that it did not reach or affect the intended target. Third, the same inline packet processor could perform bidirectional content detection and replacement to prevent an attack from succeeding against a target. Fourth, TUTELAGE could redirect the course or direction of an adversarial activity; this might have involved redirecting an outbound data exfiltration to an NSA-controlled server or modifying a given domain name lookup. Fifth, TUTELAGE could be used to block, or deny entry/exit of network activity at Internet Access Points based on source/destination IP addresses and ports. Sixth, latency could be added to packets such that an adversary’s packets suffered a diminished quality of service so that other TUTELAGE capabilities could be executed. Seven, it could inject TCP RST packets to prevent malicious activity by breaking the connection. In the future, there were plans to upgrade to 10G sensors so that there was an increased speed and capacity, the ability to use TS/SI signatures, and do session-based Snort analysis, as well as multi-event Snort. Future plans also called for integrating POPQUIZ (real-time behavioural analytics), GNOMEVISION (de-obfuscation of malicious packages), cryptoanalytic capabilities, and traffic analysis using GHOSTMACHINE. Other future capabilities involved establishing sidelines for session analysis. This would entail redirecting activity to a secondary level of intervention where an intermediate host provided additional processing or manipulation to better engage and/or thwart adversarial activities. This might involve shifting some traffic to virtualized listening posts that were associated with given physical servers. Another capability would integrate with the Department of Defense’s Host-Based Security System (HBSS) so that malicious activities detected by TUTELAGE could be dealt with at the host level and, by extension, trigger less sensitive alerts to local network administrators. QUANTUM might also be tipped by TUTELAGE to enable offensive actions in adversary spaces or activate shots, with real-time cryptanalytics enabling QUANTUM operations to take place at net-speed (TUTELAGE 411).
TWEEZERS – This covername refers to an operator against whom the NSA was conducting fourth party collection by processing and decrypting passively collected data (TRANSGRESSION Overview for Pod58, 5).
TWISTEDKILT – This covername refers to a project that was undertaken by the NSA’s Persistence Division, and which was available for interns to work on. TWISTEDKILT was used so implants could be used against SATA hard drives (S3285/InternProjects, 11).
TWISTEDPATH – Some of the data it contained came from FAIRVIEW (SSO Corporate Portfolio Overview, 9).
U
ULTRA – This covername refers to military decrypts during the second world war (The Secret Sentry: The Untold History of the National Security Agency, 6).
UMBRAGESPIDER – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
UNITEDRAKE (UR) – This refers to capability tools that were the responsibility of Computer Network Exploitation (CNE) operators responsible for FOXACID servers (FOXACID SOP For Operational Management of FOXACID Infrastructure, 7). UNITEDRAKE may also refer to files, emails, and more which could be converted to the common data receptor (APEX: Active/Passive Exfiltration, 19).
UNPACMAN –
UPPERMUTANT – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
UYCERVA –
V
VALIANTEAGLE – This covername refers to a “major system acquisition that will incrementally provide more efficient planning, management, and execution CNO to suppose a growing and diverse Computer Network Exploitation (CNE), Computer Network Defence (CND), and Computer Network Attack (CNA) requirements” (Computer Network Operations – GENIE, 2)
VALIDATOR – this was a program that was designed to be installed on target computers. Its main purpose was as a download agent for the Olympus installer but could also be used as an implant with exfiltration capabilities, such as uploading and downloading files, obtaining some system information, and finding a path out of a target. It could delete itself either by the command line or by built-in timer. It could be installed through FOXACID (FOXACID, 20).
VEILEDMAGIC – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
VENATOR – This covername refers to a MYSTIC access in the Phillipines that collects GSM, SMS, and CDR information. The access is provided by DSD. It was expected to become “a source of lucrative intelligence for terrorist activities in the Southern Philippines (SSO Dictionary excerpt MYSTIC).
VENUSAFFECT – this was a ‘interface kludge’ for DRINKYBIRD that was used for in-house network and tasking management (ELEGANT CHAOS, 18).
VERONA – A communications intelligence effort that targeted Russian traffic from 1943-1980s (The Secret Sentry: The Untold History of the National Security Agency, 6).
VINYLSEAT – This covername refers to email which is subsequently sent for conversion into the common data receptor format (APEX: Active/Passive Exfiltration, 19).
VIXEN – An NSA covername (Gellman, Dark Mirror, 203).
VOICESAIL –
VORTEX – this covername was for four satellites which were designed to collect large volumes of Russian communications traffic. They were covernamed CANYON in the 1970s, and capable of simultaneously intercepting over eleven thousand telephone calls and faxes carried on Soviet microwave radio-relay circuits. The satellites chose which to send back for analysis based on on-board watch lists held in their computers. These satellites collected operational and technical military traffic of Soviet forces in Afghanistan, the communications between mobile missile systems and their operating bases, intelligence related to the Chernobyl disaster, as well as an explosion at a fuel propellant factory of Soviet ICBMs (The Secret Sentry: The Untold History of the National Security Agency, 183).
VOYEUR – This covername refers to a compartment shared with the GCHQ for conducting fourth party collection, in other words, spying on another state’s intelligence operators as they spied on a target (Gellman, Dark Mirror, 206). An example was given of Voyeur in the context of the Iranian Ministry of Intelligence (MOIS), and Hezbollah (Fourth Party Opportunities, 11).
VULCANDEATHGRIP – This covername refers to the seizure of encryption keys during the handshake between two devices as they would establish a secure link (Gellman, Dark Mirror, 210).
VULCANMINDMELD – An NSA covername (Gellman, Dark Mirror, 210).
W
WAITAUTO – This covername refers to an element of the Tailor Access Operations (TAO) group’s botnet acquisition and control system. It was responsible, in aggregate, for acting as a middleman between TAO networks and public networks for the collecting of information pertaining to bots as well as issuing commands to harvested bots (DEFIANTWARRIOR and the NSA’s Use of Bots, 19).
WALKERBLACK –
WALKERRED –
WARNVOLCANO – This covername refers to a forward deployed piece of server infrastructure the TAO used as a listening post for botnets; it was inclusive of both the listening post server as well as the botnet server which could be used to (re)direct bots (DEFIANTWARRIOR and the NSA’s Use of Bots, 19).
WATCHER – This was used to tip the FROZENGAZE system, which was associated with FOXACID (used by Computer Network Exploitation (CNE) operators for targeted and untargeted operations (FOXACID SOP For Operational Management of FOXACID Infrastructure, 29).
WATERCASKET – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
WATERFRONT – This covername refers to an elements of the NSA’s corporate processing of shaped data that was sent by TAO to FAIRVIEW (i.e., AT&T); after processing information, data was then sent to VULCANDEATHGRIP (FAIRVIEW Dataflow Diagrams, 19).
WATERWINGS – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
WAVELEGAL – This covername refers to a database used to log analysts’ queries to the GHOSTMACHINE bulk identifier analytics system (Identifier Lead Triage with ECHOBASE, 11-12).
WAXCHIP – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
WAXOFF (WXF) – A covername used by Tailored Access Operations, TAO/S32 (Exceptionally Controlled Information (ECI) Compartments, 4).
WAXTITAN – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).
WAYLAND – This covername refers to an element of NSA corporate processing of DNR and VoIP information obtained from FAIRVIEW (i.e., AT&T) and which is linked or similar to DESOTO (FAIRVIEW Dataflow Diagrams, 6).
WEASELWAGGLE –
WEALTHYCLUSTER (WC) – This was a SIGINT repository that was used by WORDGOPHER (Shift to Software Demodulation in Misawa Expands Collection, Saves Money, 1). The technology was used as part of WINDSTOP to collect DNI and DNR information which is processed and displayed by BOUNDLESSINFORMANT (BOUNDLESSINFORMANT, 15).
WEALTHYCLUSTER2 (WC2) – This was a SIGINT feed used in ELEGANTCHAOS (ELEGANT CHAOS, 9) and, more broadly, defined as a collection and processing system (Atomic SIGINT Data Format (ASDF) Configuration Read Me, 2). It was used to process NSA FISA IP that was collected from FAIRVIEW (i.e., AT&T) (FAIRVIEW Dataflow Diagrams, 14).
WESTERNSTAR – An NSA covername (Gellman, Dark Mirror, 172).
WHARPDRIVE – This covername refers to a Special Source Operations (SSO) program to a program which was operated by commercial personnel on behalf of the NSA. When personnel of a consortium discovered the access point for WHARPDRIVE in March 2013, the personnel from the partner removed evidence and established a convincing cover story (Special Source Operations Weekly, 2).
WHIPGENIE (WPG) – A covername used by GAO/S35 (Exceptionally Controlled Information (ECI) Compartments, 4) to apply to special source operations (SSO) (S332) relationships between U.S. corporate partners (Classification Guide for ECI WHIPGENIE, 3). Internet and telephone communications surveillance operations within the US were also protected under the WHIPGENIE covername, but later reflagged as STELLARWIND with the special handling caveat RAGTIME (Gellman, Dark Mirror, 118).
WHISTLINGDIXIE – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 10).
WHITEBOX – This covername refers to a technology used to collect DNI and DNR information in France (BOUNDLESSINFORMANT Countries Data, 2).
WHITESQUALL – This covername refers to international gateway switch access, which was associated with STORMBREW (SSO Corporate Portfolio Overview, 11).
WHIZBANG -This program associated with this covername was accessible at Menwith Hill Station (Running Strategic Analytics Affecting Europe and Africa, 11).
WICKEDAMP –
WICKEDVICAR – This covername refers to a project that interns with the Persistence Division at the NSA could work on. WICKEDVICAR was the remote tool used to perform remote survey and installation of IMBIOS bootstraps. It was written in C++ (S3285/InternProjects, 4).
WIDOWKEY – This covername refers to an operator against whom the NSA intended to conduct fourth party collection (TRANSGRESSION Overview for Pod58, 5). The operator encrypted its exfiltrated traffic using a single byte XOR, fixed key mask, and 3DES (TRANSGRESSION Overview for Pod58, 13).
WILDCHOCOBO – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 10). This project was involved in exploiting machines to exfiltrate information back to the agencies. This covername could have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
WILDCOUGAR – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).
WILLOWVIXEN – this was a technique associated with FOXACID. Specifically, WILLOWVIXEN permitted exploitation by having the target browse to a website by clicking on an email sent by the NSA. The WILLOWVIXEN server received the contact from the target and performs a redirection to FOXACID (FOXACID, 7).
WINDSTOP – This covername refers to a program for the collection of DNR and DNI records, which was associated with the SIGAD numbers DS-200B and DS-300 (BOUNDLESSINFORMANT Countries Data, 15).
WISTFULTOLL – This covername refers to a project that was undertaken by the NSA’s Persistence Division, and which was available for interns to work on. WISTFUL woe was the premiere target survey tool for Windows that ran on almost all targets automatically. It brought back information about the target’s machine and operating system (S3285/InternProjects, 10).
WITHEREDFRUIT – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
WOBBLYLLAMA A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit affecting version 3.3.002.030.8_003 (Equation Group firewall operations catalogue).
WOLFACID_ANISE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
WOLFACID_ARGON – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
WOLFACID_BARIUM – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
WOLFACID_CHILI – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
WOLFACID_IODINE – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
WOLFACID_IRON – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
WOLFACID_JUPITER – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
WOLFACID_LEAD – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
WOLFACID_PRECIOUS – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
WOLFACID_TIN – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
WOLFACID_URANIUM – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
WOLFACID_ZINC – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
WORDGOPHER – This covername refers to a satellite demodulation system that the NSA’s Misawa Security Operations Centre (MSOC) base used to demodulate low-rate satellite signals (Shift to Software Demodulation in Misawa Expands Collection, Saves Money, 1). In 2009, WORDGOPHER enabled simultaneous processing of up to 48 “64kps phase-modulated carriers on a single server”, and this approach essentially negated the requirement for significantly more costly hardware demodulators for handling those signal types. WORDGOPHER was seen as saving the NSA “millions of dollars” over the next five years, and in 2009 had already saved over $300,000—thereby freeing up NSA resources for other developments related to MSOC’s collection posture, in line with the NSA director’s “collect-it-all” challenge (Shift to Software Demodulation in Misawa Expands Collection, Saves Money, 1).
X
XKEYSCORE (XKS) – XKEYSCORE performs filtering and selection to enable analysts to quickly find information they need based on what they already know, but it also performs SIGDEV functions such as target development to allow analysts to discover new sources of information (TEMPORA — “The World’s Largest XKEYSCORE” — Is Now Available to Qualified NSA Uses, 3). Some of the collected information includes DNI and DNR information from Special Source Operations (SSO) (BOUNDLESSINFORMANT, 13) such as FAIRVIEW (SSO Corporate Portfolio Overview, 9), from third-parties (BOUNDLESSINFORMANT, 14), and WINDSTOP (BOUNDLESSINFORMANT, 15); broadly, XKEYSCORE can be considered a collection and processing system (Atomic SIGINT Data Format (ASDF) Configuration Read Me, 1). Fingerprints were also created for XKEYSCORE that were designed to detect botnet-related activities (HIDDENSALAMANDER: Alerting and Characterization of Botnet Activity in TURMOIL, 15).
The SSO Dictionary defines XKEYSCORE as “ a computer network exploitation system that combines high-speed filtering with SIGDEV. XKEYSCORE performs filtering and selection to enable analysts to quickly find information they need based on what they already know, but it also performs SIGDEV functions such as target development to allow analysts to discover new sources of information. XKEYSCORE processes data at field sites, where it is collected, and allows analysts from all over the world to query it. At field sites, the XKEYSCORE software can run in clusters of few or many computers, giving it the ability to scale in both processing power and storage. All processing is plug-in based, which allows new capabilities to be quickly deployed to support operational needs. XKEYSCORE, in various configurations, is deployed around the world and is used by each FVEY partner” (SSO Dictionary, 9-10)..
XKEYSCOREDEEPDIVE –
XTRACTPLEASING – Extracts something from a file and produces a PCAP file as output (Equation Group firewall operations catalogue).
Y
YACHTSHOP (YS) – This was a tasking tool (FOXACID SOP For Operational Management of FOXACID Infrastructure, 22) that was used by Computer Network Exploitation (CNE) operators for targeted and untargeted operations (FOXACID SOP For Operational Management of FOXACID Infrastructure, 7). It included metadata, including potentially some user-agent information (Kaspersky User-Agent Strings, 5). YAUGHTSHOP was listed as an access for OAKSTAR and assigned the SIGAD US-3247 (SSO Corporate Portfolio Overview, 8)
YANKEE (YNKE) – This covername was associated with PINWALE, and some of the data it contained came from FAIRVIEW (SSO Corporate Portfolio Overview, 9).
YAUGHTSHOP –
YELLOWFAN – This covername refers to a project operated by either the NSA or GCHQ, and was involved in exploiting machines to exfiltrate information back to the agencies. This covername can have a number appended after it to identify specific machines which were exploited as part of this program (SPINALTAP: Making Passive Sexy for Generation Cyber, 19).
YELLPIG – This covername refers to an element of the Tailored Access Operation (TAO) group’s botnet harvesting system. YELLPIG was a FTP server that stood in the DMZ between TAO Net and NSANet, and received cleaned data from bots that were supplied by COLOSSUS (DEFIANTWARRIOR and the NSA’s Use of Bots, 19).
Z
ZEBEDEE –
ZESTYLEAK – A firewall software implant for Juniper NetScreen firewalls that is also listed as a module for BANANAGLEE (Equation Group firewall operations catalogue).
ZOMBIEARMY –
ZORIPIG –
Technology, Thoughts & Trinkets 