NSA Summaries

In 2013, journalists began revealing secrets associated with members of the Five Eyes (FVEY) intelligence alliance. These secrets were disclosed by Edward Snowden, a US intelligence contractor. The journalists who published about the documents did so after carefully assessing their content and removing information that was identified as unduly injurious to national security interests or threatened to reveal individuals’ identities. During my tenure at the Citizen Lab I provided expert advice to journalists about the newsworthiness of different documents and, also, content that should be redacted as its release was not in the public interest. In some cases documents that were incredibly interesting were never published on the basis that doing so would be injurious to national security, notwithstanding the potential newsworthiness of the documents in question.

Since 2013 I have worked with the Snowden documents for a variety of research projects. As part of these projects I have tried to decipher the meaning of the covernames that litter the documents (e.g., CASCADE, MEMORYHOLE, SPEARGUN, or PUZZLECUBE), as well as trying to objectively summarise what is contained in the documents themselves, without providing commentary on the appropriateness, ethics, or lawfulness of the activities in question.

In all cases the materials which are summarised on my website have been published, in open-source, by professional news organizations or other publishers. None of the material that I summarise or host is new and none of it has been leaked or provided to me by government or non-government bodies. No current or former intelligence officer has provided me with details about any of the covernames or underlying documents. This said, researchers associated with the Citizen Lab and other academic institutions have, in the past, contributed to some of the materials published on this website.

As a caveat, all descriptions of what the covernames mean or refer to, and of what is contained in individual documents leaked by Edward Snowden, are provided on a best-effort basis. Entries will be updated periodically as time allows further documents or materials to be analysed.

Summaries are organized by the year in which the underlying documents were made public, as opposed to the year they may have been authored internal to the agency.

This page was last updated January 17, 2023.

  1. 2019
    1. SID Today-Managing Signal Surveys
    2. NSA and CSE SIGINTers Hold Bilateral Conference
    3. SID Today: MGQ, Where Are You?
    4. SID Today: 2003 CSE/NSA SIGINT Bilateral
  2. 2018
    1. SID Today: Open Source Signals Analysis: Not Your Grandfather’s SIGINT!
    2. SID Today: Embedded with USSOCOM: NSA Reps Provide Direct Analytic Support
    3. SID Today: Economic Reporting Strives to Interdict the Flow of ‘Improvised Explosive Device’ Components
    4. SID Today: Deployment of New System Improves Access to Iranian Communications
    5. SID Today: Write Right: Caveat Scrutator (Or, ‘But I Saw It on the Internet!’)
    6. SID Today: Brown Bag Session: Exploiting Video from Third-Generation Cell Phones
    7. SID Today: Write Right: Loaded Words: Don’t Politicize Reports
    8. SID Today: Write Right: Where Does It Say I Can’t
    9. SID Today: Write Right: Is That Collateral, or Is It a Comment?
    10. SID Today-Instant-Gratification SIGINT
    11. SID Today: New SNA Tool (and More) to be Unveiled at Open House
    12. Exploiting US/UK/CAN Phone Numbers — In Compliance with USSID-18 Policy
    13. SID Today: New CNO Capability Poised to Help Counter IEDs, Geolocate Terrorists
    14. OAKSTAR Travel Handbook: A Guide for Traveling
    15. MONKEYROCKET Achieves Initial Operational Capability By REDACTED on 2012-07-24 1442 
    16. MONKEYROCKET (Snippet)
    17. SID Today: SIGINT Partnership Agrees to Greater Sharing on Afghanistan, CT, Piracy, and CND
  3. 2017
    1. What’s NSA’s Reputation Among Third Parties? What Are the Japanese Like as SIGINTers?
    2. Charlie Meals Opens New Engineering Support Facility in Japan
    3. Back in Time: The KAL-007 Shootdown
    4. Request for ADET SIGDEV Materials to be Used for Training the Japanese Directorate for SIGINT Personnel
    5. US, Japan Now Exchanging Collection from Reconnaissance Missions
    6. Special-Delivery SIGINT: How NSA Got Reports to US Negotiators In Time for Them To Be of Value
    7. NSA and GCHQ Team Up to Tackle HF
    8. NSA High Frequency (HF) Collaboration efforts with Japan
    9. NSA Assistance to Japanese Directorate for SIGINT in Developing Capabilities to Provide SIGINT Support to CND
    10. Shift to Software Demodulation in Misawa Expands Collection, Saves Money
    11. NSA SIGINT Site Relocated in Japan: The Story Behind the Move
    12. NSA Liaison in Tokyo Opens New Office
    13. CROSSHAIR — Foreign Partners Filling HF/DF Gaps for the US
  4. 2016
    1. Anna Politkovskaya
    2. SID Today: InSIDer’s View of History… A Lesson in Personal Accountability
    3. GHOSTHUNTER Future Capabilities
    4. GHOSTHUNTER Goes Global
    5. ELEGANT CHAOS
    6. New ‘R Spotlight’ Video: GHOSTHUNTER and the Geolocating of Internet Cafes
    7. APPARITION Becomes a Reality: New Corporate VSAT-Geolocation Capability Sees Its First Deployment
    8. FOXACID SOP For Operational Management of FOXACID Infrastructure
    9. Introduction to WLAN/802.11 Active CNE Operations
    10. Wireless LAN/CNE Tool Training Course and Evaluation
    11. SIGINT Development Support II Project Management Review
    12. Introduction to BADDECISION
    13. Expeditionary Access Operations: NSA’s Close Access Network Exploitation Program
    14. SSO Corporate Portfolio Overview
    15. JESI: Don’t Lose That Number!
    16. Communications Security Establishment (CSE) – Our Good Neighbor to the North
    17. Shaping Diagram
    18. Tracking Targets Through Proxies & Anonymizes (and the air speed velocity of an unladen swallow)
    19. Network Shaping 101
  5. 2015
    1. Exploiting Foreign Lawful Intercept (LI) Roundtable
    2. Crypt Discovery Joint Collaboration Activity
    3. FAIRVIEW Dataflow Diagrams
    4. SSO Dictionary
    5. The Northwest Passage (Volume 2, Issue 1)
    6. TUTELAGE 411
    7. TRANSGRESSION Overview for Pod58
    8. Atomic SIGINT Data Format (ASDF) Configuration Read Me
    9. The Unofficial XKEYSCORE Guide
    10. An Easy Win: Using SIGINT to Learn About New Viruses
    11. Kaspersky User-Agent Strings
    12. Medical Pattern of Life: Targeting High Value Individual #1
    13. CATAPULT: A Bilateral Data Port
    14. SKYNET: Applying Advanced Cloud-based Behaviour Analytics
    15. SKYNET: Courier Detection via Machine Learning
    16. Continued Effort Against South Pacific Region (Snippet)
    17. Tier B allies
    18. SUSLOW Monthly Report for March 2013
    19. Extended Enterprise Report: July 2008
    20. SIGINT Development Forum (SDF) Minutes
    21. NSA Intelligence Relationship with New Zealand
    22. Rocoto: Implanting the iPhone (Snippet)
    23. Secure Key Extraction by Physical De-Processing of Apple’s A4 Processor (Snippet)
    24. Presentation Abstracts – Tuesday, 15 March: Differential Power Analysis on Apple A4 Processor (Snippet)
    25. Apple A4/A5 Application Processors Analysis (Snippet)
    26. Iran — Current Topics, Interaction with GCHQ
    27. Who Else Is Targeting Your Target? Collecting Data Stolen by Hackers
    28. SID Today – ‘4th Party Collection’: Taking Advantage of Non-Partner Computer Network Exploitation Activity
    29. HIDDENSALAMANDER: Alerting and Characterization of Botnet Activity in TURMOIL
    30. Moving Data Through Disconnected Networks: Delay-Tolerant Networking and the UC
    31. QUANTUMFALCON: Summarization to support QUANTUM Targeting
    32. QUANTUM Shooter SBZ Notes
    33. Is there “fifth party” collection?
    34. DEFIANTWARRIOR and the NSA’s Use of Bots
    35. APEX: Active/Passive Exfiltration
    36. Fourth Party Opportunities
    37. BYZANTINE HADES: An Evolution of Collection
    38. Chinese Exfiltrate Sensitive Military Technology (Snippet)
    39. The FASHIONCLEFT Protocol
    40. S3285/InternProjects
    41. SPINALTAP: Making Passive Sexy for Generation Cyber
    42. Computer Network Operations – GENIE
  6. 2014
    1. SID Today: SIGINT Strategy Threads 4 and 7
    2. User’s Guide for PRISM Skype Collection
    3. TURMOIL/APEX/APEX High Level Description Document
    4. What Your Mother Never Told You About SIGDEV Analysis
    5. Analytic Challenges from Active-Passive Integration
    6. SID Today – Site Makes First-Ever Collect of High-Interest 4G Cellular Signal
    7. IR.21 – A Technology Warning Mechanism
    8. AURORAGOLD Target Technology Trends Center/TC3 Support to WPMO
    9. AURORAGOLD Working Aid
    10. AURORAGOLD Working Group
    11. AURORAGOLD
    12. Sharing Computer Network Operations Cryptologic Information With Foreign Partners
    13. SENTRY EAGLE – National Initiative — Security Framework
    14. National Initiative Protection Program – Sentry Eagle
    15. Exceptionally Controlled Information (ECI) Compartments
    16. Classification Guide for ECI WHIPGENIE
    17. Sharing Communications Metadata Across the U.S. Intelligence Community – ICREACH
    18. NSA Intelligence Relationship with Saudi Arabia
    19. FISA Recaps (Snippet)
    20. Non-targetable 2nd Party Countries, Territories & Individuals
    21. Special Source Operations Weekly
    22. TEMPORA — “The World’s Largest XKEYSCORE” — Is Now Available to Qualified NSA Uses
    23. Special Collection Service: Pacific SIGDEV Conference
    24. Running Strategic Analytics Affecting Europe and Africa
    25. SSO Dictionary excerpt MYSTIC (Snippet)
    26. Stealthy Techniques Can Crack Some of SIGINT’s Hardest Targets
    27. HOMING PIGEON
    28. Identifier Lead Triage with ECHOBASE
    29. 2009 SIGDEV Conference: ‘Best Yet and Continuing to Improve’
    30. I hunt sys admins
    31. What Are We After with Our Third Party Relationships? — And What Do They Want from Us, Generally Speaking?
    32. There is More Than One Way to QUANTUM
    33. Selector Types
    34. QUANTUMTHEORY
    35. (U) MHS Leverages XKS for QUANTUM Against Yahoo and Hotmail (Snippet)
    36. Router Hacking (Snippet)
    37. Expanded Implant Capacity (Snippet)
    38. STELLARWIND Classification Guide
  7. 2013
    1. FOXACID
    2. Forward-based Defense with QFIRE
    3. NSA Intelligence Relationship with Canada’s Communications Security Establishment Canada (CSEC)
    4. The International Security Issues Build-Out
    5. Cheltenham Working Document (Fragments)
    6. NSA Lends Support to Upcoming G8 and G20 Summits in Canada
    7. SIGINT Strategy 2012-2016
    8. SSO Collection Optimization
    9. STATEROOM Guide
    10. Memorandum Of Understanding (MOU) Between the National Security Agency/Central Security Service (NSA/CSS) And The Israeli SIGINT National Unit (ISNU) Pertaining To The Protection Of U.S. Persons
    11. BOUNDLESSINFORMANT Maps
    12. BOUNDLESSINFORMANT Countries Data
    13. BOUNDLESSINFORMANT – Frequently Asked Questions
    14. BOUNDLESSINFORMANT: Describing Mission Capabilities from Metadata Records
    15. PRISM/US-984XN Overview
    16. Center for Content Extraction
    17. Center for Content Extraction (2)
  8. 2012
    1. Tracking Courier Use of Secure Digital Cards

2019

SID Today-Managing Signal Surveys

Summary: This document provides an overview of the NSA’s creation of the Signal Survey Management (SSM) portfolio within the Collection Strategies and Requirements Center’s (CSRC) Office of Collection Initiatives & Strategies (CIS). The SSM was to be a focal point for signals surveys, govern surveys for data acquisition, and maintain a web-based knowledge base for surveys. This web-based knowledge base was expected to help “customers, planners, managers, and tasking enablers” to intuitively understand and correlate surveys, and assess if their requirements may have already been satisfied by another access provider.

Enablers for the SSM included: CSRC, Cryptanalysis & Exploitation Services (CES), Special Support Activity (SSA), MUSKETEER, Office of Target Reconnaissance and Survey (OTRAS), Link Access Programs (LAP), Special Collection Service (SCS), and Signals Development Center (SDC).

Document Published: May 29, 2019
Document Dated: July 22, 2005
Document Length: 2 pages
Associated Article: The SID Today Files
Download Document: SID Today-Managing Signal Surveys
Classification: TOP SECRET//SI/TK//Rel to USA AUS CAN GBR NZL
Authoring Agency: NSA
Covernames: MUSKETEER

NSA and CSE SIGINTers Hold Bilateral Conference

Summary: This document summarizes the highlights from the NSA-CSE SIGINT Bilateral Conference that took place November 15-16, 2004. The NSA and CSE both shared their intelligence outlooks, and Bob Brule, Deputy Chief for CSE SIGINT, shared information “on the implications of Canada’s National Security Policy on CSE” as well as an update on the Integrated SIGINT Operational Model (ISOM), which was meant to better integrate CSE and Canadian Forces SIGINT operations.

Conversations also focused on lessons learned from the Olympics, NATO Summit, and Support to Military Operations (SMO), as well as the NSA’s Russia mission and Strategic Architecture, Computer Network Operations, and future direction in a bilateral and Five Eyes context. Maritime security was also discussed. At the conclusion of the conference CSE “pointed out that strengthening its partnerships within the 5-Eyes community remain[ed] a priority”.

Document Published: May 29, 2019
Document Dated: January 6, 2005
Document Length: 2 pages
Associated Article: The SID Today Files
Download Document: NSA and CSE SIGINTers Hold Bilateral Conference
Classification: SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Covernames: None

SID Today: MGQ, Where Are You?

Summary: This document from SIGINT communications provides an overview of meetings that were taking place between the NSA and CSE. The Management Review Conference (MRC) was an annual set of meetings that took place between Canada and the United States. The MRC in question included Lt. General Hayden, Major General Quirk, IAD Director Dan Wolf, and six other NSA employees, along with their CSE counterparts.

Document Published: May 29, 2019
Document Dated: April 7, 2004
Document Length: 1 page
Associated Article: The SID Today Files
Download Document: SID Today: MGQ, Where Are You?
Classification: TOP SECRET//SI//TK//REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Covernames: None

SID Today: 2003 CSE/NSA SIGINT Bilateral

Summary: This SID Today document provides a high level summary of the 2003 SIGINT Bilateral that was held between the CSE and NSA in Ottawa. Intense two-day discussions followed, and focused on how to better collaborate on information needs, metadata, target templating, access, and development of social networks; on implementing a commitment to “have SE Asia [counterterrorism] analysts” running on a shared information workspace; on discussions about a rehearsal of concept drill in preparation for Canada’s deployment to Afghanistan, on discussions pertaining to customs-intelligence sharing for homeland security, and on the adoption of the Layered Zone Model as a baseline SIGINT model.

Document Published: May 19, 2019
Document Dated: November 12, 2003
Document Length: 1 page
Associated Article: The SID Today Files
Download Document: SID Today: 2003 CSE/NSA SIGINT Bilateral
Classification: TOP SECRET//SI/TK//REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Covernames: None

2018

SID Today: Open Source Signals Analysis: Not Your Grandfather’s SIGINT!

Summary: This document explains how the NSA uses samples of targets’ voices to confirm that the stated speaker is, in fact, the speaker in question. The NSA used open-source recordings from Abu-Mus’ab al-Zarqawi and matched them against one another as well as historical recordings to confirm that three recently released tapes were recorded by him. As the author of the document notes, the mathematical assessment methods were meant to serve as independent, though not errorless, corroboration of linguistic analysts who also analyze targets’ speeches and communications.

Document Published: August 15, 2018
Document Dated: June 9, 2006
Document Length: 2 pages
Associated Article: The SIDToday Files
Download Document: SID Today: Open Source Signals Analysis: Not Your Grandfather's SIGINT!
Classification: SECRET//SI
Authoring Agency: NSA
Covernames: None

SID Today: Embedded with USSOCOM: NSA Reps Provide Direct Analytic Support

Summary: This document notes how the NSA had been involved in providing support to the United States Special Operations Command (USSOCOM). Assistance included embedding representatives “through USSOCOM and the SOCOM Center for Special Operations (SCSO)” as well as providing analytic support, such as “passive and active exploitation, telephony, and DNI support” (1). These representatives were trained on the GeoCell mission and “possess an overall knowledge of the NSA SIGINT system” (1). The geo-intelligence functions were noted as being “particularly effective at funding things such as safe houses, ingress/egress “ratlines,” meeting sites or hide sites, suspect sites, or VIP facilities” and analysts used their capabilities to locate and track associates of al-Qu’ida, as well as to uncover networks of Iranian agents in Iraq who served in either the Iranian Ministry of Intelligence (MOIS) or the Islamic Revolutionary Guards Corps (IRGC). 

Document Published: August 15, 2018
Document Dated: January 9, 2006
Document Length: 1 page
Associated Article: The SIDToday Files
Download Document: SID Today: Embedded with USSOCOM: NSA Reps Provide Direct Analytic Support
Classification: TOP SECRET//SI
Authoring Agency: NSA
Covernames: None

SID Today: Economic Reporting Strives to Interdict the Flow of ‘Improvised Explosive Device’ Components

Summary: This SID Today article explained the value of economic intelligence for tracking commercially-available products which were used to subsequently build improvised explosive devices (IEDs). The NSA’s economic reporting “identified Iranian-controlled front companies operating in the United Arab Emirates that import American-made, dual-use” microprocessors and then exported them to “customers in Iran and Syria, in violation of U.S. export laws” (1). From the reporting, the Under Secretary of Commerce issued a prohibition on specific businesses from exporting commodities and technologies, with the expected effect of mitigating “the flow of dual-use technologies to the enemy, ultimately saving American and coalition lives” (1). 

Document Published: August 15, 2018
Document Dated: May 16, 2006
Document Length: 1 page
Associated Article: The SIDToday Files
Download Document: SID Today: Economic Reporting Strives to Interdict the Flow of 'Improvised Explosive Device' Components
Classification: SECRET//SI//REL TO USA AUS CAN GBR NZL
Authoring Agency: NSA
Covernames: None

SID Today: Deployment of New System Improves Access to Iranian Communications

Summary: This SID Today document recounts how deploying a FALLOWHAUNT (FH) system to Kuwait significantly expanded the NSA’s access to Iranian VSAT communications. It enabled two-sided collection, with the result that the NSA was able to collect the TDMA burst portion of signals. These signals provided “actual workable metadata (dialing)” that enabled the NSA to work on new targetable data (1).

Monitored communications provided insights into the influence that Iran’s external paramilitary and intelligence forces had on members of the Iraqi government, as well as into Iranian shelling in northern Iraq. The collected information was of sufficient importance that it had been included in the President’s Daily Brief, as well as in a briefing to the Joint Chiefs of Staff and the U.S. ambassador to Iraq.

Document Published: August 15, 2018
Document Dated: May 30, 2006
Document Length: 2 pages
Associated Article: The Intercept: The SID Today Files
Download Document: SID Today: Deployment of New System Improves Access to Iranian Communications
Classification: TOP SECRET//SI
Authoring Agency: NSA
Covernames: FALLOWHAUNT (FH), POLYSTYRENE

SID Today: Write Right: Caveat Scrutator (Or, ‘But I Saw It on the Internet!’)

Summary: This SID Today article reminds analysts that they must adopt formal processes for citing non-SIGINT material (i.e., ‘collateral’ information) and that such processes do not include directly citing Wikipedia. While the author recognizes that there is important value to using Internet-based sources, when analysts cite such sources they should be able to point to primary sources as opposed to summary articles on Wikipedia that synthesize information.

Document Published: August 15, 2018
Document Dated: June 27, 2006
Document Length: 2 pages
Associated Article: The SIDToday Files
Download Document: SID Today: Write Right: Caveat Scrutator (Or, 'But I Saw It on the Internet!')
Classification: SENSITIVE//SI
Authoring Agency: NSA
Covernames: ANCHORY

SID Today: Brown Bag Session: Exploiting Video from Third-Generation Cell Phones

Summary: This SID Today document is an announcement for a brown bag lunch course, where attendees were to learn about 3G and cell phone video data. It included a sample of cell phone videos collected by S3T1. The event was to be classified as TOP SECRET//COMINT/X1.

Document Published: August 15, 2018
Document Dated: February 7, 2006
Document Length: 2 pages
Associated Article: The Intercept: The SID Today Files
Download Document: SID Today: Brown Bag Session: Exploiting Video from Third-Generation Cell Phones
Classification: TOP SECRET//SI
Authoring Agency: NSA
Covernames: None

SID Today: Write Right: Loaded Words: Don’t Politicize Reports

Summary: This SID Today article reminded analysts that they were to avoid editorializing their reports; when they used a descriptor (e.g. “the corrupt official said…”) they had to clarify where their understanding of the individual being corrupt came from. Doing so might reference either collateral or SIGINT information. It was important to avoid editorializing so that the Director of the NSA wasn’t put in situations where they had to defend framings which were not, actually, borne out by the SIGINT facts.

The document concludes with a firm assertion that analysts who worked in Crime & Narcotics, or Counterterrorism, could not simply assume that all their targets were criminals or terrorists. They must, instead, only report on what was specifically known or could be determined from gathered intelligence.

Document Published: August 15, 2018
Document Dated: December 14, 2006
Document Length: 2 pages
Associated Article: The SIDToday Files
Download Document: SID Today: Write Right: Loaded Words: Don't Politicize Reports
Classification: SECRET//SI//REL TO USA AUS CAN GBR NZL
Authoring Agency: NSA
Covernames: None

SID Today: Write Right: Where Does It Say I Can’t

Summary: This SID Today document warns employees that they can only use government communications and information storage systems in ways that are explicitly permitted; rather than asking “why can’t I?” the question is “why can I?”

The author explains that because the equipment is paid for by taxpayers, and its use is thus for official purposes only, employees must closely adhere to stated policies to ensure that they only use equipment to accomplish the stated mission of the NSA. While policies can change, this must occur “in an orderly, accountable manner to achieve the goal of compliance with all pertinent authorities” (2).

Document Published: August 15, 2018
Document Dated: October 26, 2006
Document Length: 2 pages
Associated Article: The SID Today Files
Download Document: SID Today: Write Right: Where Does It Say I Can’t
Classification: UNCLASSIFIED//FOUO
Authoring Agency: NSA
Covernames: ENLIGHTEN

SID Today: Write Right: Is That Collateral, or Is It a Comment?

Summary: This SID Today document reminds analysts to clearly distinguish between ‘collateral’ and ‘comment’ information. The former refers to information not derived from SIGINT, such as a piece of writing, broadcast, or other material produced by someone outside of the SIGINT community. Such information may be classified or unclassified. The latter, however, is “a sentence or paragraph that contains the reporter’s interpretations of the SIGINT facts” and received the same classification level as those facts (1).

Including collateral and comments was seen as important, so as to provide context to a customer, but it had to be made clear which kind of information a customer was receiving. Doing so was meant to make clear what was further research information (i.e., collateral information) versus analysis (i.e., comment information). One example of the importance of careful clarification comes through when discussing sharing information with law enforcement agencies. In such situations analysts must “clearly label our analytic interpretation so that … law enforcement personnel use only the SIGINT facts as leads (leads, not evidence!) in a criminal investigation” (2, emphasis in original).

Document Published: August 15, 2018
Document Dated: May 18, 2006
Document Length: 2 pages
Associated Article: The SIDToday Files
Download Document: SID Today: Write Right: Is That Collateral, or Is It a Comment?
Classification: Confidential//SI
Authoring Agency: NSA
Covernames: None

SID Today-Instant-Gratification SIGINT

Summary: This SID Today document recounts the experiences of an intelligence analysis intern who was deployed to Mosul, Iraq in 2005. The intern recounts how they could “pass location information on a bad guy to the Army, and half an hour later would receive a message that Stryker teams had rolled that bad guy up. Nothing feels better than knowing you had direct involvement in the removal of a terrorist from the playing field” (1). The intern worked in collaboration with CIA, DIA, NIST, and Army unit commanders and intelligence officers. The author asserts that “[i]n a period of 90-days, the collaborative effort brought down the command structure of the Mosul QJBR terrorist network. I have no trouble believing that SIGINT was mostly responsible for this success” (2).

Document Published: August 15, 2018
Document Dated: February 16, 2006
Document Length: 2 pages
Associated Article: The SIDToday Files
Download Document: SID Today-Instant-Gratification SIGINT
Classification: TOP SECRET//SI
Authoring Agency: NSA
Covernames: None

SID Today: New SNA Tool (and More) to be Unveiled at Open House

Summary: This document is an invitation to an open-house, where attendees will learn about a new tool to analyze targets’ social networks. The tool, ASSIMILATOR, is described as letting analysts extract social relationships from manuscripts, store those relationships in a specialized database, and perform operations on aggregated social network data.

Document Published: August 15, 2018
Document Dated: March 8, 2006
Document Length: 1 page
Associated Article: The SIDToday Files
Download Document: SID Today: New SNA Tool (and More) to be Unveiled at Open House
Classification: CONFIDENTIAL//SI
Authoring Agency: NSA
Covernames: ASSIMILATOR

Exploiting US/UK/CAN Phone Numbers — In Compliance with USSID-18 Policy

Summary: This SID Today document discusses SIGINT challenges presented by a new Internet telephony service known as a “Pick Your Own Number” (PYON) service. Firms like Vonage or Deltathree provided PYON services, which enabled customers to choose their own phone numbers, including with US, UK, or Canadian area codes.

The SIGINT challenges posed by PYON services included problems related to permitting exploitation of a valid foreign target who was using a PYON number. For example, if a target used a number resembling a US number, then US legal protections such as USSID SP0018 (formerly USSID-18) would apply, leading the number to be minimized upon presentation in FASCIA, and then subsequently restricted from contact chaining via connected numbers in MAINWAY. To exploit such a number, analysts had to identify the phone number on a foreign link and input the number into a “maximize” list. The NSA’s VoIP Normalization Working Group (VNWG) later developed methods to automate the process of extracting phone numbers in a way that complied with USSID-18 (whereby PYON numbers could be classified as not being US numbers), and the Office of General Counsel (OGC) supported these methods while also reaffirming the relevance of SP0018 in case NSA analysts came across information which could lead to a reasonable belief that a PYON user outside of the US was a US person.

Two paragraphs of the document are classified as Top Secret (all other sections are marked Secret or For Official Use Only). The first Top Secret paragraph identifies countries in which PYON US/UK/CAN phone numbers were found in SIGINT: Iran, Iraq, India, Kuwait, UAE, Pakistan, Bahrain, Qatar, Oman, and Sri Lanka. The second paragraph marked Top Secret notes that the VNWG can be contacted through the Global Network Development Activity (GNDA).

Document Published: August 15, 2018
Document Dated: January 1, 2006
Document Length: 2 pages
Associated Article: The Intercept: The SID Today Files
Download Document: Exploiting US/UK/CAN Phone Numbers -- In Compliance with USSID-18 Policy
Classification: TS//SI (Highest possible classification: TOP SECRET // SI / TK // REL TO USA AUS CAN GBR NZL)
Authoring Agency: NSA
Covernames: FASCIA, MAINWAY

SID Today: New CNO Capability Poised to Help Counter IEDs, Geolocate Terrorists

Summary: This document discussed how the NSA developed a Radio Frequency (RF) Computer Network Operations (CNO) capability to target and conduct surveillance or effects on High Power Cordless Phone (HPCP) networks. These networks were used in Afghanistan and Iraq to set up communications networks for enemy combatants, both to facilitate communications and to trigger Improvised Explosive Devices (IEDs).

The NSA team developed FIRESTORM, which was “the first Radio Frequency (RF)-based Computer Network Operation (CNO) Capability designed to provide the war fighter with a plug-and-play attack capability against High Powered Cordless Phones” (2) that included Denial of Service (DOS) functionality, as well as the ability to identify the location of targets who were using a given HPCP. At the time, the NSA was still testing this CNO, though there were plans to assess whether it would be an effective tool for US Marines who were deployed in Iraq.

Document Published: August 15, 2018
Document Dated: May 10, 2006
Document Length: 2 pages
Associated Article: The SID Today Files
Download Document: SID Today: New CNO Capability Poised to Help Counter IEDs, Geolocate Terrorists
Classification: TOP SECRET//SI
Authoring Agency: NSA
Covernames: FIRESTORM

OAKSTAR Travel Handbook: A Guide for Traveling

Summary: This document is meant to familiarize individuals on how to travel and comport themselves under OAKSTAR, which primarily involves travelling in the continental United States. For individuals to travel within the program they must be read into either SSO WHIPGENIE ECI or NCSC AAA ECI. With only rare exceptions, contractors were not permitted to be part of these meetings with SSO partners.

The document outlines the guidelines for partner visits and interactions, including prohibitions on indicating that travelers are from the NSA or DOD, that clothing should be appropriate for the place being visited, and the importance of being courteous to partners because, while there are contractual relationships in place, “these business associates are extremely patriotic, and deserve to be treated with the utmost respect and courtesy” (6). Finally, it is important to be cognizant of partners’ clearance levels and to avoid assuming that all people at the company are cleared to know about the NSA relationship.

Document Published: March 20, 2018
Document Dated: January 3, 2013
Document Length: 8 pages
Associated Article: The NSA Worked to “Track Down” Bitcoin Users, Snowden Documents Reveal
Download Document: OAKSTAR Travel Handbook: A Guide for Traveling
Classification: TOP SECRET // COMINT // NOFORN
Authoring Agency: NSA
Covernames: BLUEZEPHYR, COBALTFALCON, MONKEYROCKET, OAKSTAR, ORANGEBLOSSOM, ORANGECRUSH, PRIMECANE, SHIFTINGSHADOW, SILVERZEPHYR, STEELKNIGHT, TRANSPORTORO, WHIPGENIE, YAUGHTSHOP

MONKEYROCKET Achieves Initial Operational Capability By REDACTED on 2012-07-24 1442 

Summary: This snippet reveals that a non-Western Internet anonymization service had achieved initial operational capability on July 19, 2012; it would begin sending data to a NOFORN partition of PINWALE within a week. The site, at the time, had approximately 16,000 registered users and generated 2,000 events per day. Iran and China were two countries with a substantial user base.

Document Published: March 20, 2018
Document Dated: July 24, 2012
Document Length: 1 page
Associated Article: The NSA Worked to “Track Down” Bitcoin Users, Snowden Documents Reveal
Download Document: MONKEYROCKET Achieves Initial Operational Capability By REDACTED on 2012-07-24 1442
Classification: TOP SECRET // SI // NOFORN
Authoring Agency: NSA
Covernames: MARINA, MONKEYROCKET, OAKSTAR, PINWALE

MONKEYROCKET (Snippet)

Summary: This snippet provides a dictionary-style explanation of MONKEYROCKET—which was, at the time, a pending access for OAKSTAR. MONKEYROCKET collected DNI metadata/content from full-take data sessions, and user data such as billing information and IP addresses of selected counter-terrorism (CT) targets who used a “Non-Western Anonymous Internet Browsing product.” MONKEYROCKET further served as “a key piece of the CT long-term strategy” by attracting targets involved in terrorism, including Al Qaida’s COMSEC, which the NSA could then exploit.

MONKEYROCKET focused primarily on counter-terrorism but also targeted persons sought by other NSA offices, such as International Crime & Narcotics, Follow-The-Money, and Iran. The Collection Authority for MONKEYROCKET was E.O. 12333.

Document Published: March 20, 2018
Document Dated: Undated
Document Length: 1 page
Associated Article: The NSA Worked To “Track Down” Bitcoin Users, Snowden Documents Reveal
Download Document: MONKEYROCKET (Snippet)
Classification: (TS//SI//NF)
Authoring Agency: NSA
Codenames: MONKEYROCKET, OAKSTAR, THUNDERISLAND, XKEYSCORE (XKS)

SID Today: SIGINT Partnership Agrees to Greater Sharing on Afghanistan, CT, Piracy, and CND

Summary: This SID Today provides a summary of the high-level discussions that took place at the annual SIGINT Seniors Europe (SSEUR) Principals conference that was held in Berlin in June 2010. Topics to work more closely together on included: sharing social networking intelligence to support identifying IED networks in Afghanistan; sharing information on “key leaders” in Afghanistan, as part of an engagement strategy to address the counter-insurgency; sharing Terrorist Identities Intelligence (TI2) to enhance the effectiveness of “watchlisting”; sharing information concerning piracy off the Horn of Africa in support of the EU’s Operation ATALANTA and NATO’s Operation OCEAN SHIELD; and developing a group to “identify future steps for collaboration on [computer-network-defense]” (1).

SSEUR membership included: Australia, Belgium, Canada, Denmark, France, Germany, Italy, Netherlands, New Zealand, Norway, Spain, Sweden, United Kingdom and United States. There was a similar “seniors” coalition for Asia called SIGINT Seniors Pacific (SSPAC). DIRNSA chairs both groups.

Document Published: March 1, 2018
Document Dated: July 12, 2010
Document Length: 2 pages
Associated Article: The SIDToday Files
Download Document: SID Today: SIGINT Partnership Agrees to Greater Sharing on Afghanistan, CT, Piracy, and CND
Classification: SECRET//SI//REL TO USA AUS CAN GBR NZL
Authoring Agency: NSA
Covernames: None

2017

What’s NSA’s Reputation Among Third Parties? What Are the Japanese Like as SIGINTers?

Summary: This is a short SID Today interview with a senior member of the NSA who has held a series of international posts, including in Japan and Pakistan, as well as one focused on targeting the Philippines. He argues that the NSA’s relationships with third parties are good and that US state officials sometimes use access to, or work with, the NSA as a quid pro quo in negotiations. He also notes that while the Japanese are very capable in areas of signals analysis and technical SIGINT, they possess a ‘cold war’ mentality insofar as they carefully stovepipe SIGINT-related information, decline to share it widely within their own government, and are generally reluctant to involve themselves in international multilateral exchanges—though bilateral cooperation is good.

In noting some of his ‘best’ past experiences, the interviewee describes how his unit was effective in preventing coup attempts and a political assassination, as well as during the “Yellow Revolution” in the Philippines. When stationed in Islamabad in 2004 his unit was recognized by the CIA station chief as being exceptionally effective in providing valuable information on military engagements between Pakistan’s military and those in the tribal regions, amongst other things.

Document Published: April 24, 2017
Document Dated: November 19, 2008
Document Length: 3 pages
Associated Article: Japan Made Secret Deals With The NSA That Expanded Global Surveillance
Download Document: What’s NSA’s Reputation Among Third Parties? What Are the Japanese Like as SIGINTers?
Classification: S//SI//REL (Highest possible classification: TOP SECRET // SI / TK // REL TO USA AUS CAN GBR NZL)
Authoring Agency: NSA
Codenames: None

Charlie Meals Opens New Engineering Support Facility in Japan

Summary: This SID Today document provides a breakdown of the new facilities in Japan that the Engineering Support Facility (ESF) has moved into. The salaries of the people working in the Japanese facility are paid by the Japanese government, and their tasks are typically to provide ad-hoc and quick-reaction repair and fabrication of SIGINT collection antennas. Most of the $6.6 million (USD) facility was paid for by the Japanese government, with the NSA paying approximately $939K (USD).

Notable production by the ESF team includes 20 TURNSTYLE collars for antennas to support the al-Qa’ida spring offensive in Afghanistan, LPA antennas for the PENCUP project to upgrade the DETs in Korea, and the ongoing production of 8 stainless steel LPA antennas for FLAMINGO.

Document Published: April 24, 2017
Document Dated: July 21, 2004
Document Length: 2 pages
Associated Article: Japan Made Secret Deals With The NSA That Expanded Global Surveillance
Download Document: Charlie Meals Opens New Engineering Support Facility in Japan
Classification: TOP SECRET//SI/TK//REL TO USA AUS CAN GBR NZL
Authoring Agency: NSA
Codenames: FLAMINGO, INDRA, PENCUP, TURNSTYLE

Back in Time: The KAL-007 Shootdown

Summary: This SID Today article discusses the USSR’s shooting down of a Korean airliner that strayed into USSR airspace. It notes how the Japanese and American SIGINT agencies intercepted Soviet communications that proved the Soviet air force was responsible. The US Ambassador to the UN ultimately played the Japanese intercepts, after they had been laboriously shared with the NSA, on the basis that the audio was of higher quality. This harmed the NSA-Japanese SIGINT relationship because the Japanese SIGINT agency (G2 Annex) subsequently received instructions which “hamstrung” it in future cases, while also casting a “shadow of concern” over the relationship until the end of the Cold War.

The SIDToday article is derived from Book IV, Cryptologic Rebirth, 1981-1989, American Cryptology during the Cold War, 1945-1989 by Dr. Tom Johnson.

Document Published: April 24, 2017
Document Dated: July 19, 2006
Document Length: 1 page
Associated Article: Japan Made Secret Deals With The NSA That Expanded Global Surveillance 
Download Document: Back in Time: The KAL-007 Shootdown
Classification: SECRET//SI (Highest possible classification: TOP SECRET // SI / TK // REL TO USA AUS CAN GBR NZL)
Authoring Agency: NSA
Codenames: None

Request for ADET SIGDEV Materials to be Used for Training the Japanese Directorate for SIGINT Personnel

Summary: This is a request for NSA officials to train members of the Japanese Directorate for SIGINT (DFS) on how to use NSA systems for Cyber Network Defence (CND). Training focuses on the intelligence process from beginning to end (i.e. the research, collection, analysis, interpretation, and dissemination phases) and on systems provided by the NSA to DFS, including: CADENCE, XKEYSCORE, and WEALTHYCLUSTER.

Document Published: April 24, 2017
Document Dated: April 13, 2013
Document Length: 1 page
Associated Article: Japan Made Secret Deals With The NSA That Expanded Global Surveillance
Download Document: Request for ADET SIGDEV Materials to be Used for Training the Japanese Directorate for SIGINT Personnel
Classification: SECRET//REL TO USA, FVEY
Authoring Agency: NSA
Codenames: CADENCE, XKEYSCORE, WEALTHYCLUSTER

US, Japan Now Exchanging Collection from Reconnaissance Missions

Summary: This SID Today document discusses how, following the 2005 US-Japan Joint Service Bilateral ELINT/PROFORMA Conference, the two governments had begun sharing reconnaissance mission information with one another. Such missions consist of four mission areas: the East China Sea, the South China Sea, Overland Korea, and the Sea of Japan. Preliminary Mission Summary Reports (PREMs) from all four mission areas could, at the time, be shared between both sides—giving the Japanese Directorate for SIGINT (DFS) access to Chinese, North Korean and Russian military collection acquired by Japan-based US airborne SIGINT collectors. Japan was reciprocating by sharing information from its own reconnaissance missions.

Document Published: April 24, 2017
Document Dated: March 14, 2007
Document Length: 1 page
Associated Article: Japan Made Secret Deals With The NSA That Expanded Global Surveillance
Download Document: US, Japan Now Exchanging Collection from Reconnaissance Missions
Classification: S//SI//REL (Highest possible classification: TOP SECRET // SI / TK // REL TO USA AUS CAN GBR NZL)
Authoring Agency: NSA
Codenames: None

Special-Delivery SIGINT: How NSA Got Reports to US Negotiators In Time for Them To Be of Value

Summary: This SID Today document briefly outlines how SIGINT is brought to bear in negotiations involving the United States and other FVEY ally nations. The document recounts a case when New Zealand’s SIGINT Agency, GCSB, had ‘target access’ against Japanese parties in Japan who were advocating the ending of a commercial whaling ban. Information was sent via NSANet to a US military base proximate to where the international forum discussing whaling was meeting, and NSA officials then couriered SIGINT product to American, Australian, and New Zealand delegates, who found the material helpful. The hardcopy SIGINT products were then returned to the military base and destroyed.

Document Published: April 24, 2017
Document Dated: July 13, 2007
Document Length: 2 pages
Associated Article: Japan Made Secret Deals With The NSA That Expanded Global Surveillance
Download Document: Special-Delivery SIGINT: How NSA Got Reports to US Negotiators In Time for Them To Be of Value
Classification: SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: None

NSA and GCHQ Team Up to Tackle HF

Summary: This SID Today document provides an overview of the state of the NSA’s High Frequency (HF) collection position. It notes that the NSA and GCHQ established the Joint Strategic Off-Air (JSOA) Programme that leveraged the GCHQ’s technology roadmap to coordinate updates to the agencies’ respective HF capabilities. All legacy systems were to be replaced by 2009. GLAIVE systems were used during the Iraq war to, in part, monitor Iraqi communications and collect information on insurgents in Iraq. There were plans that the two countries would jointly manage systems deployed in response to the NSA and GCHQ’s requirements as well as have access to front-end resources.

Document Published: April 24, 2017
Document Dated: July 14, 2004
Document Length: 1 page
Associated Article: Why Soviet Weather was Secret, A Critical Gap in Korea, and other NSA Newsletter Tales
Download Document: NSA and GCHQ Team Up to Tackle HF
Classification: TOP SECRET // SI/TK // REL TO USA AUS CAN GBR NZL
Authoring Agency: NSA
Codenames: GLAIVE

NSA High Frequency (HF) Collaboration efforts with Japan

Summary: This is a briefing memo that summarizes challenges the NSA has had in collaborating with Japan over sharing High-Frequency Direction Finding (HFDF) networks and equipment. The NSA had a strong relationship with Japan until 2009, after which all DF requests were submitted and performed manually by Japan, possibly because Japan understood that collaboration using the direction-finding network covernamed CROSSHAIR would remove Japan’s own ability to engage in manual DF—which the NSA feels is not the case.

The memo outlines that Japan has swiftly exchanged HFDF lines of bearing against Chinese and Korean targets and that, in the past, perceptions that the NSA wanted to replace Japanese technologies and techniques with its own led to strong, ‘negative’ reactions. The goal of the NSA is to develop interoperability between the NSA and Japanese systems, as well as to advance discussions with the Japanese to improve collaboration between the American and Japanese agencies.

Document Published: April 24, 2017
Document Dated: January 2, 2013
Document Length: 2 pages
Associated Article: Japan Made Secret Deals With The NSA That Expanded Global Surveillance
Download Document: NSA High Frequency (HF) Collaboration efforts with Japan
Classification: SECRET//COMINT//NOFORN
Authoring Agency: NSA
Codenames: BORESIGHT, CROSSHAIR, KLEIGLIGHT

NSA Assistance to Japanese Directorate for SIGINT in Developing Capabilities to Provide SIGINT Support to CND

Summary: This briefing memo covers how the NSA might assist the Japanese Directorate for Signals Intelligence (DFS) in conducting Computer Network Defence (CND). The DFS began engaging in such CND following actions undertaken by Japan’s Cabinet Intelligence and Research Organization (CIRO). In summarizing recent activities, the memo notes that although the NSA had shared selectors with the Japanese for Chinese activities, the DFS did not find the selectors particularly productive. The NSA was intending to work more closely with the DFS to improve its productivity, as well as providing high-level briefs on responding to Chinese efforts and offering platform training to Japanese analysts. This activity was to continue by determining how the NSA could support the DFS and by soliciting feedback on Japan’s cyber architecture, organizations, and authorities.

Document Published: April 24, 2017
Document Dated: January 29, 2013
Document Length: 2 pages
Associated Article: Japan Made Secret Deals With The NSA That Expanded Global Surveillance
Download Document: NSA Assistance to Japanese Directorate for SIGINT in Developing Capabilities to Provide SIGINT Support to CND
Classification: SECRET//SI//NOFORN
Authoring Agency: NSA
Codenames: None

Shift to Software Demodulation in Misawa Expands Collection, Saves Money

Summary: This SIDToday document discusses the benefits of newly-established software demodulation of satellite signals (known as WORDGOPHER), how it came about, and future plans. The shift to software demodulation for certain low-rate satellite signals means the Misawa site’s collection will be significantly bolstered, allowing the site to collect more SIGINT while saving ‘millions’ of dollars. The station is targeted at 16 satellites and over 8,000 signals, but actual capture/demodulation has historically been limited by hardware resources; software demodulation will enable broader collection.

The Misawa team worked with the FALLOWHAUNT team to develop the software demodulation system, with demodulated bits sent to WEALTHYCLUSTER using SHAREDVISION’s data distribution service (DDS) protocol. In the future, it was hoped that additional demodulation of low-rate carriers would be performed, bringing the NSA closer to accomplishing the Director’s ‘collect it all’ challenge.

Document Published: April 24, 2017
Document Dated: March 23, 2009
Document Length: 2 pages
Associated Article: Japan Made Secret Deals With The NSA That Expanded Global Surveillance
Download Document: Shift to Software Demodulation in Misawa Expands Collection, Saves Money
Classification: TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: FALLOWHAUNT, ICEPIC, SHAREDVISION, WEALTHYCLUSTER, WORDGOPHER

NSA SIGINT Site Relocated in Japan: The Story Behind the Move

Summary: This SIDToday article discusses what was involved in relocating the NSA’s High Frequency (HF) Remote Collection Facility from a US base in Hanza to a base in Okinawa. Politically, the Japanese wanted the United States to first return the land apportioned for the Hanza mission, and only then develop a site for the mission’s new location. The NSA covername for this negotiation was Project CAMELUS, which involved the Japanese government paying the full costs of the relocation, the construction by Japanese contractors of a new antenna field for the NSA, and the acquisition of new replacement mission systems. This broader set of mission systems was covernamed STAKECLAIM.

After approximately a decade of negotiation the Japanese government conceded to the US negotiating position, resulting in a new HF antenna field being created and finished by May 15, 2006 at Camp Hansen. The article ends by lauding Project CAMELUS as a success and as a ‘great example’ of the benefits of collaboration between diverse government organizations and external stakeholders.

Document Published: April 24, 2017
Document Dated: March 16, 2007
Document Length: 2 pages
Associated Article: Japan Made Secret Deals With The NSA That Expanded Global Surveillance
Download Document: NSA SIGINT Site Relocated in Japan: The Story Behind the Move
Classification: TOP SECRET//SI/TK//REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: CAMELUS, STAKECLAIM

NSA Liaison in Tokyo Opens New Office

Summary: This SIDToday document discusses the NSA shifting its operations from the Hardy Barracks into the US Embassy in Japan and Yokota Air Base. The move follows from improved relations with Japan’s Directorate for SIGINT (DFS), which were emphasized in the 2005 Security Consultative Committee Document signed by Japanese and US officials. That document established policy, follow-on initiatives and common strategic objectives, reviewed roles, missions and capabilities, and realigned forces to ensure an enduring US presence in Japan. Part of strengthening the relationship requires the NSA and US intelligence community to enhance information sharing and intelligence coordination, thereby ensuring that Japan’s status as a US intelligence partner is taken to the ‘next level’.

Document Published: April 24, 2017
Document Dated: October 23, 2007
Document Length: 1 page
Associated Article: Japan Made Secret Deals With The NSA That Expanded Global Surveillance
Download Document: NSA Liaison in Tokyo Opens New Office
Classification: TOP SECRET//SI/TK//REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: None

CROSSHAIR — Foreign Partners Filling HF/DF Gaps for the US

Summary: This brief article identifies the number of second-party High Frequency Direction Finding (HF/DF) resources, along with contributing third parties, which together with US government assets collectively comprise the CROSSHAIR network. The CROSSHAIR covername refers to a project that consolidated all US Service Cryptologic Element (SCE) HF/DF resources and enables data interoperability with partners.

Canada possessed four sites at the time of writing, Great Britain six, and Australia and New Zealand one each. Third parties, including Austria, Denmark, Ethiopia, Hungary, Israel, India, Italy, Japan, Jordan, Korea, Netherlands, Norway, Pakistan, Saudi Arabia, Sweden, and Taiwan, also shared with the NSA and, in some cases, directly with one another. The NSA recognizes, in this document, that it would lack a world-wide network for Direction Finding without these third-party collaborators.

Document Published: April 24, 2017
Document Dated: February 24, 2005
Document Length: 1 page
Associated Article: Japan Made Secret Deals With The NSA That Expanded Global Surveillance
Download Document: CROSSHAIR — Foreign Partners Filling HF/DF Gaps for the US
Classification: TOP SECRET//SI//TK//REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: CROSSHAIR

2016

Anna Politkovskaya

Summary: This is the Intellipedia page for Anna Politkovskaya, a Russian journalist who was assassinated in Russia on October 7, 2006. The page provides biographical information about her as well as information linked to attacks by Russian Federal Intelligence Services on her email address, which was hosted with an American provider, as well as supposition that her death might be linked to Alexander Litvinenko (a former Federal Security Service colonel who was poisoned after receiving documents that contained information about Politkovskaya).

Document Published: December 29, 2016
Document Dated: Undated (Post-October 2006)
Document Length: 3 pages
Associated Article: Top-Secret Snowden Document Reveals what the NSA Knew about Previous Russian Hacking
Download Document: Anna Politkovskaya
Classification: TOP SECRET//SI/NOFORN
Authoring Agency: NSA
Codenames: None

SID Today: InSIDer’s View of History… A Lesson in Personal Accountability

Summary: This article summarizes an experience that Charles H. Berlin III had while deployed in a theatre of operations, and the lessons he subsequently derived that applied to SIGINT activities in 2004. When deployed in Italy in support of the American Balkans efforts he was preparing targeting packages and, to his surprise, the combat commander responsible for authorizing attacks insisted on reviewing every single package. The rationale given was that failures to target adequately could result in war crimes charges, and the commander wanted to ensure that responsibility for any errors ultimately lay with him, and not his subordinates.

The application of this to SIGINT in 2004 was that NSA targeting information was leading to bombs being dropped. There was an immense responsibility to be fast and to produce incredibly high-quality reporting, on the basis that doing otherwise risked fratricide as well as the death of non-combatants.

Document Published: December 7, 2016
Document Dated: January 14, 2003
Document Length: 2 pages
Associated Article: The SIDtoday files
Download Document: SID Today: InSIDer's View of History... A Lesson in Personal Accountability
Classification: SECRET//SI
Authoring Agency: NSA
Covernames: JOINTENDEAVOR

GHOSTHUNTER Future Capabilities

Summary: This document snippet notes that 99% of the FORNSAT data for GHOSTHUNTER was provided by Menwith Hill Station (MHS), but that there was capability in some cases to get FORNSAT information from other locations. This provided almost global coverage, though there were still some blind spots.

Document Published: September 6, 2016
Document Dated: 2008
Document Length: 1 page
Associated Article: Inside Menwith Hill: The NSA's British Base at the Heart of U.S. Targeted Killing
Download Document: GHOSTHUNTER Future Capabilities
Classification: Secret // SI // REL to USA, FVEY
Authoring Agency: NSA
Codenames: GHOSTHUNTER

GHOSTHUNTER Goes Global

Summary: This document merely provides a one-sentence explanation of GHOSTHUNTER, describing it as “…an effort to geolocate terminals used by high value targets in Iraq and neighboring countries in the Middle East.” The document then provides a link to a newsletter to learn more about the program.

Document Published: September 6, 2016
Document Dated: January 14, 2008
Document Length: 1 page
Associated Article: Inside Menwith Hill: The NSA's British Base at the Heart of U.S. Targeted Killing
Download Document: GHOSTHUNTER Goes Global
Classification: Secret // SI // REL
Authoring Agency: NSA
Codenames: GHOSTHUNTER

ELEGANT CHAOS

Summary: This document discusses how ELEGANTCHAOS is intended to address the NSA’s challenge of conducting time-sensitive analysis of the ever-increasing amounts of data being collected at Menwith Hill Station (MHS). It is meant to create a prioritized list of signals to automatically drive collection as collection activities increase, while giving analysts and collection managers a way to ‘see’ into the system using GUIs.

Within the ‘exploit it all’ paradigm this covername is squarely associated with exploitation, as opposed to other aspects of that paradigm such as: sniffing (linked with TORUS collection); knowing (automated FORNSAT surveys conducted under DARKQUEST); collecting (linked to the increase of signals from software — APLUS — and STORMFORCE modems); processing (at-scale XKS); or partnering (work with GCHQ and sharing of data at bases).

ELEGANTCHAOS is designed to prioritize certain signals by drawing data from Question Focused Datasets (QFDs) in the MHS cloud servers and applying analytical questions in order to ‘score’ case notations and prioritize their collection. Such questions focus on targeting information, technology used, location of the traffic, and miscellany (e.g. modem capacity, ‘Quantumable’). Points are assigned to case notations based on current analytic priorities, such as whether there is a ‘surge’ against certain areas or targets. Analysts receive this information through the ELEGANTCHAOS GUI, whereas the DRINKYBIRD GUI is for collection personnel to determine whether resources are available.

The document lists a pair of ‘cases’ where ELEGANTCHAOS was used. The first was part of the Libya surge and was designed to understand which satellite communications possessed a Libyan, Egyptian, or Afghan side. The second, covernamed AMULETSTELLAR, was to determine which IP addresses and case notations in ELEGANTCHAOS were linked with Iranian activity or traffic of interest. The result of AMULETSTELLAR was the discovery of targets associated with the NSA’s Middle East/Asia section (S2E), potential exfiltration nodes, and 4th party collection opportunities. The slide deck concludes with a list of ongoing work, including efforts to increase the number of data sources available, making better use of cloud resources, a detailed study of scoring methodology, and closing the ‘auto-tasking loop’.

Document Published: September 6, 2016
Document Dated: Undated (Post May, 2011)
Document Length: 23 pages
Associated Article: The NSA's British Base at the Heart of U.S. Targeted Killing
Download Document: ELEGANT CHAOS
Classification: SECRET // REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: APLUS, AMULETSTELLAR, ASDF, ASPHALT, BILBOBADGER, CROSSBONES, DARKQUEST, DRINKYBIRD, ELEGANTCHAOS (EC), FOGHORN, GLOBETROTTER, IPMAILORDER, MATCHMAKER, MARINA, MASTERSHAKE, MOONPENNY, POPQUIZ, ROADBED, STORMFORCE, TARMAC (SLR), TINT, TRAFFICTHIEF, TRAVELLINGWAVE, TURMOIL (TU), VENUSAFFECT, WEALTHYCLUSTER2 (WC2), XKEYSCORE (XKS)

New ‘R Spotlight’ Video: GHOSTHUNTER and the Geolocating of Internet Cafes

Summary: This brief document announces the beginning of an upcoming webcast series at the NSA, focused on GHOSTHUNTER, a program designed to geolocate very small aperture terminals (VSATs) focused on the Middle East and Northern Africa in support of US military activities. As of the time of this document’s writing, it had geolocated over 5,000 VSAT terminals in Iraq, Afghanistan, Syria, Lebanon, and Iraq.

Document Published: September 6, 2016
Document Dated: July 30, 2009
Document Length: 1 page
Associated Article: Inside Menwith Hill: The NSA's British Base at the Heart of U.S. Targeted Killing
Download Document: New 'R Spotlight' Video: GHOSTHUNTER and the Geolocating of Internet Cafes
Classification: Top Secret // SI // REL to USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: GHOSTHUNTER

APPARITION Becomes a Reality: New Corporate VSAT-Geolocation Capability Sees Its First Deployment

Summary: This document provides an update on the APPARITION system, which is designed to provide precision geolocation information for VSAT terminals. APPARITION, in contrast with GHOSTHUNTER, is designed to proactively target and geolocate VSATs and to populate that information in MASTERSHAKE. The result is that any location will be able to combine VSAT information with FORNSAT information to geolocate targets. APPARITION was first deployed at Misawa (i.e. LADYLOVE) in September 2008, and there were plans, as of the time of writing, to install APPARITIONs at Special Collection Service (SCS) sites in New Delhi, Ankara, Kuwait, and Istanbul by the end of 2008, and at 27 FORNSAT/SCS locations (including 2nd party locations) by the end of 2010.

Document Published: September 6, 2016
Document Dated: November 12, 2008
Document Length: 2 pages
Associated Article: The NSA’s British Base at the Heart of U.S. Targeted Killing
Download Document: APPARITION Becomes a Reality
Classification: S//SI//REL to USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: APPARITION, GHOSTHUNTER, LADYLOVE, MASTERSHAKE

FOXACID SOP For Operational Management of FOXACID Infrastructure

Summary: This draft document provides descriptions of the standard operating procedures (SOP) for the different groups responsible for managing the FOXACID infrastructure. It begins with the billet of the FOXACID group, including persons responsible for:

  1. Computer Network Exploitation (CNE) operations support
  2. CNE operators responsible for Tailored Access Operation (TAO) exploitation infrastructure
  3. CNE operators responsible for unique mission support
  4. CNE operators responsible for tool testing and implementation
  5. Pursuing professional development as a CNE operator

The majority of the document explains how different aspects of the FOXACID infrastructure interoperate with one another, and the specific command line instructions and troubleshooting processes that FOXACID operators are responsible for. Despite including a full billet of the persons involved in FOXACID, the draft document does not outline all of the specific activities undertaken by each of the billeted groups.

Some of the troubleshooting focuses on ways of successfully addressing problems associated with Symantec’s Deep Freeze program, as well as cases in which the FOXACID system fails to exploit a target by dropping a payload on the device they are using. There are also guidelines for how to attach ‘tags’ to new implants that might be used, as well as the relative merits of different payloads that are meant to communicate with NSA infrastructure (e.g. VALIDATOR, MISTYVEAL, FERRETCANNON). The document ends with brief technical discussions of how to use different FOXACID tools.

Document Published: August 19, 2016
Document Dated: Undated, but post January 2010.
Document Length: 31 pages
Associated Article: The NSA Leak is Real, Snowden Documents Confirm
Download Document: FOXACID SOP For Operational Management of FOXACID Infrastructure
Classification: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: BEACHHEAD, CASTLECREEK (CC), CRYPTICSENTINEL, DARKFIRE, DARKHELMET, DEMENTIAWHEEL (DMW), DIRESCALLOP, DISABLEVALOR, EASYHOOKUP, ENCHANTED, FABULOUSFABLE (FABFAB), FERRETCANNON, FINKCOAT, FINKDIFFERENT, FORESTPLACE, FOXACID (FA), FOXACID2, FOXCONTACT, FOXSEARCH, FROZENGAZE, FRUGALSHOT, MAGICBEAN, MAGICSQUIRREL, MISTYVEAL, OLYMPUS (OLY), PEDDLECHEAP, PKTWench, PUZZLECUBE, QUANTUM, QUANTUMINSERT (QI), RAISEBED, SECONDDATE, UNITEDRAKE (UR), VALIDATOR, WAITAUTO, WATCHER, WILLOWVIXEN, YACHTSHOP (YS)

Introduction to WLAN/802.11 Active CNE Operations

Summary: This training document explains how to access target networks using off-path capabilities, such as FOXACID. BLINDDATE is used to facilitate this, which entails using analysis tool aids and active CNE tools to ultimately redirect a client to the Tailored Access Operations (TAO) FOXACID servers. These servers are responsible for ultimately compromising the targeted client.

The training focuses on the NIGHTSTAND (NS) and HAPPYHOUR active computer network exploitation (CNE) tools. Before selecting an active tool the operator must conduct a survey and vulnerability analysis on 802.11 networks using BLINDDATE.

The ultimate goal of NIGHTSTAND and HAPPYHOUR is to redirect the target to TAO infrastructure and inject a payload destined for the target. This forces the target to covertly contact a FOXACID server and, if possible, this server then conducts a vulnerability analysis and exploitation of the target.

Targets are directed to FOXACID servers using NIGHTSTAND or BADDECISION. FOXACID servers sit in the publicly addressable Internet but a special FOXACID tag is required to contact the servers. Those tags are designed to look ambiguous, are unique to particular targets or operations, and each tag denotes ‘something special’.

Document Published: August 19, 2016
Document Dated: December 15-16, 2010
Document Length: 16 pages
Associated Article: The NSA Leak is Real, Snowden Documents Confirm
Download Document: Introduction to WLAN/802.11 Active CNE Operations
Classification: TOP SECRET//COMINT//NOFORN
Authoring Agency: NSA
Codenames: BADDECISION (BDN), BLINDDATE, FOXACID, HAPPYHOUR, NIGHTSTAND (NS)

Wireless LAN/CNE Tool Training Course and Evaluation

Summary: These are introductory course slides that are used to familiarize students with computer network exploitation tools and techniques. A principal aim was to prepare students for ‘close proximity WLAN operations’.

Document Published: August 19, 2016
Document Dated: December 15-16, 2010
Document Length: 9 pages
Associated Article: The NSA Leak is Real, Snowden Documents Confirm
Download Document: Wireless LAN/CNE Tool Training Course and Evaluation
Classification: TOP SECRET//COMINT//NOFORN
Authoring Agency: NSA
Codenames: BADDECISION, BLINDDATE, NIGHTSTAND

SIGINT Development Support II Project Management Review

Summary: This short document outlines a pair of successful SIGINT developments for the NSA. The first successful development focused on positively identifying the users of Pakistan’s National Telecommunications Corporation’s VIP division, which maintains the Green Line used by senior Pakistani civilian and military leadership. After conducting SIGDEV to identify targets, a combination of SECONDDATE and QUANTUM were used to implant Computer Network Exploitation (CNE) accesses on Green Exchange-related machines.

The second success pertained to gaining country-wide shaping and man-in-the-middle capability against Lebanon’s Internet traffic. This involved successful CNE operations against the ISP Ogero (covername: REXKWONDO). One of the core outputs of this was to shape data traffic in order to exfiltrate information pertaining to Hezbollah Unit 1800 for a counter terrorism project; Unit 1800 is a group formed to support Palestinian organizations on terrorist lists as well as to infiltrate Israel for intelligence and terrorism activities. Shaped traffic was exfiltrated to STORMBREW from “core routers” and subsequently made available to the NSA.

Document Published: August 19, 2016
Document Dated: April 24, 2013
Document Length: 4 pages
Associated Article: The NSA Leak is Real, Snowden Documents Confirm
Download Document: SIGINT Development Support II Project Management Review
Classification: TOP SECRET//COMINT//NOFORN
Authoring Agency: NSA
Codenames: CADENCE, CHELSEABLUE, HAMMERCORE, HAMMERSTEIN, HAMREX, MARINA, MONSTERMIND, QUANTUM, REXKWONDO, SECONDDATE, STORMBREW, XKEYSCORE

Introduction to BADDECISION

Summary: This document discusses how the Close Access unit uses BADDECISION to direct target clients to FOXACID servers using the BLINDDATE program. BADDECISION is “an 802.11 CNE tool that uses a true man-in-the-middle attack and a frame injection technique to redirect a target client to a FOXACID server.” These servers are used to analyze vulnerabilities in the client web browser and, subsequently, deliver an exploit to the client.

Generally what is required is that the attacker and the target are associated with the same wireless network, which is itself running either WPA or WPA2. The attacker convinces the client device to route packets through the attacker’s own device, and uses this privileged position to ultimately (re)direct the target’s web browser to a FOXACID server. The ultimate goal is to deliver an exploit, but this does require the attacker to be in relatively close proximity to the target. One of the drawbacks to this attack is that it depends on maintaining reliable communication between the target and the FOXACID server: if the attacker loses their privileged man-in-the-middle position then they are less able to actively direct the target to the exploit server. The slides also note that BADDECISION has a larger signature than NIGHTSTAND, though they do not explain what this means.

Document Published: August 19, 2016
Document Dated: December 15-16, 2010
Document Length: 31 pages
Associated Article: The NSA Leak is Real, Snowden Documents Confirm
Download Document: Introduction to BADDECISION
Classification: TOP SECRET//COMINT//NOFORN
Authoring Agency: NSA
Codenames: BADDECISION, BLINDDATE, FOXACID, HAPPYHOUR, NIGHTSTAND, SECONDDATE

Expeditionary Access Operations: NSA’s Close Access Network Exploitation Program

Summary: This document provides an overview and introduction to Expeditionary Access Operations (EAO) that are conducted by the NSA. EAO is an expeditionary arm of the Tailored Access Operations (TAO) group, and works to execute close access Computer Network Exploitation (CNE) operations, to certify SIGINT personnel to conduct human-enabled CNE operations, and to develop, test, and field CNE and geolocation systems and techniques.

At the time the document was prepared, it was headed exclusively by people from other branches of the military, including the US Army, Marine Corps, Navy, and Air Force.

EAO conducts both physical access and wireless payload implants. The former often involves targeting internet cafes, gifting devices, and targeting detainee computers, whereas the latter targets unsuspecting ISPs, banks, telecommunications, and consulates/embassies.

The document partially explains how the BLINDDATE and NITESTAND covername programs operate, gives examples of EAO operations in Afghanistan and Iraq, and indicates operational readiness in places like Libya and Syria. Long-term, EAO aimed to develop further partnerships with different branches of the military as well as to become the “expeditionary capability” of USCYBERCOM.

Document Published: August 19, 2016
Document Dated: Undated
Document Length: 15 pages
Associated Article: The NSA Leak is Real, Snowden Documents Confirm
Download Document: Expeditionary Access Operations: NSA’s Close Access Network Exploitation Program
Classification: TOP SECRET//COMINT//REL FVEY
Authoring Agency: NSA
Codenames: BADDECISION, BLINDDATE (BD), CLIMBINGSHIRT, HAPPYHOUR, IRONPERSISTENCE, MASTERSHAKE, NITESTAND

SSO Corporate Portfolio Overview

Summary: This document provides an overview of the commercial partnerships that the NSA possesses with telecommunications companies, and the kinds of data which are collected by different special sources. Special Source Operations (SSO) provide 80% of the collection for the NSA, with much of that coming from the SSO’s corporate portfolio. In many cases the SSO partner will be responsible for filtering communications before sending them to the NSA; this can lead to a delay in OCTAVE, UTT, or CADENCE tasking. In the case of BLARNEY such delays can be weekly versus a few hours for STORMBREW. While filters are in place to ensure that communications collected under transit authorities exclusively pertain to foreign-to-foreign communications, sometimes it is determined that one end of the “intercept is actually in the US” (7). When this kind of “domestic incident” arises then the SSO corporate team must be notified, which then files a formal report to the NSA/SV for each occurrence.

After presenting an overview of the corporate portfolio, inclusive of SIGADs and their associated covernames, as well as the authority they operate under, the document provides high-level summaries of FAIRVIEW, STORMBREW, MADCAPOCELOT, BLARNEY, and MONKEYROCKET. Information includes the key targets (FAIRVIEW: Global; STORMBREW: Global; BLARNEY: Diplomatic establishment, counterterrorism, foreign government, economic; MADCAPOCELOT: Counterterrorism focused on the Middle East, Europe, and Asia) as well as the authorities under which they operate, the amount of data or types of content that flow through the SSOs, where data that is collected is then stored or accessible from, approximately where different SSO sites are located, and the relative amounts of data which are obtained from SIGADs associated with the different SSOs. Notably, BLARNEY, FAIRVIEW, and STORMBREW partners were assigned 11 different SIGADs, with PRISM constituting one amongst many accesses associated with BLARNEY.

Document Published: August 16, 2015
Document Dated: Undated (Post September 2011)
Document Length: 17 pages
Associated Article: AT&T Helped U.S. Spy on Internet on a Vast Scale
Download Document: SSO Corporate Portfolio Overview
Classification: TOP SECRET//COMINT//NOFORN
Authoring Agency: 
Covernames: BLACKPEARL, BLARNEY, BLUEZEPHYR, CADENCE, CADENCEFIST, COBALTFALCON, COWBOY, DARKTHUNDER, DISHFIRE, FAIRVIEW, MADCAPOCELOT, MAINWAY, MARINA, MISTRALWIND, MONKEYROCKET, NUCLEON, OAKSTAR, OCTAVE, ORANGEBLOSSOM, ORANGECRUSH, PERFECTSTORM, PINWALE, PRISM, SERRATEDEDGE, SHIFTINGSHADOW, SILVERBLOSSOM, SILVERZEPHYR, STEELFLAUTA, STORMBREW, TOYGRIPPE, TWISTEDPATH, UTT, WHITESQUALL, YANKEE, YACHTSHOP

JESI: Don’t Lose That Number!

Summary: This SID Today document describes the annual Joint Executive for SIGINT Interoperability (JESI) conference in Canberra, which was a “multi-national executive body responsible for ensuring continued interaction and interoperability” among the Five Eyes partners. JESI was designed to make it easier to collaborate with 2nd party partners to produce “the best possible SIGINT”, as well as to exchange information more generally.

JESI was formed in 1998 to bring structure and an operational focus to SIGINT interactions between the Five Eyes members. At the time of writing, recent JESI efforts and accomplishments included: deploying InfoWorkSpace (IWS) as an information exchange tool during Operation Enduring Freedom; supplying additional contact information to the MAINWAY system for target identification; the deployment of an interoperable public key security infrastructure (PKI); forwarding SIGINT data to the CSE using SLINGSHOT, cooperating with the CSE on the CATAPULT system; and establishing several protected websites to allow for secure data exchange with second party partners.

The July 2003 JESI meeting addressed: mission collaboration and knowledge sharing; information assurance for enabling SIGINT operations; the exchange of finished intelligence; and maintaining business continuity.

Document Published: August 10, 2016
Document Dated: August 25, 2003
Document Length: 2 pages
Associated Article: The Intercept: The SID Today Files
Download Document: JESI: Don’t Lose That Number!
Classification: U//FOUO (Highest possible classification: TOP SECRET // SI / TK // REL TO USA AUS CAN GBR NZL)
Authoring Agency: NSA
Codenames: CATAPULT, MAINWAY, SLINGSHOT, TICKETWINDOW

Communications Security Establishment (CSE) – Our Good Neighbor to the North

Summary: This SID Today document was written by Toni Moffa, the CANSLO, who worked at CSE until leaving her post as deputy chief of IT security in 2016. In it, she describes the CSE’s partnership with the NSA. At the time, 450 Canadians visited the NSA yearly to collaborate and work toward common objectives. The NSA and the CSE have a history of cooperation which, the CSE notes, has contributed to the safety and prosperity of the U.S. and Canada. At the time of writing the CSE’s focus was on “mastering the global information infrastructure.”

Through updated legislation, increased resources, and “unique” geographical and technical niches, the CSE was able to contribute meaningfully to SIGINT collection efforts. A bilateral project known as CATAPULT helped to advance common objectives and SIGINT aims. At the time, the CSE prioritised the threats from terrorism, proliferation, and cybersecurity, and planned to dedicate 40% of its SIGINT resources to security initiatives. In particular, the CSE wanted to improve its capabilities for SIGINT development, so as to make it the foundation for all of its access and analysis programs.

Document Published: August 10, 2016
Document Dated: August 7, 2003
Document Length: 1 page
Associated Article: The Intercept: The SID Today Files
Download Document: Communications Security Establishment (CSE) - Our Good Neighbor to the North
Classification: S//SI (Highest possible classification: TOP SECRET // SI / TK // REL TO USA AUS CAN GBR NZL)
Authoring Agency: NSA
Codenames: CATAPULT, TICKETWINDOW

Shaping Diagram

Summary: This one-page diagram shows the process by which Computer Network Exploitation (CNE) is used to direct traffic that otherwise is not seen by the SIGINT collection system. Specifically, the exploited network point creates a copy of the otherwise inaccessible data and forwards it to the collection system, where it is then analyzed.

Document Published: June 28, 2016
Document Dated: Undated
Document Length: 1 page
Associated Article: The Hunter: He Was a Hacker for the NSA and He Was Willing to Talk. I Was Willing to Listen.
Download Document: Shaping Diagram
Classification: Top Secret//SI//REL
Authoring Agency: NSA
Codenames: None

Tracking Targets Through Proxies & Anonymizes (and the air speed velocity of an unladen swallow)

Summary: This slide deck provides a high-level explanation of how the NSA attempts to pierce the anonymity that anonymizers (e.g. Hotspot Shield/AnchorFree or Tor) provide to their users. The broad goal is to reliably recognize the traffic flows in order to create XKEYSCORE (XKS) fingerprints that automatically identify the proxy traffic. From there, the aim is to correlate proxy traffic with known target activity to de-anonymize the user(s).

In the case of Hotspot Shield, the document notes that XKS fingerprints could be developed to automate the discovery of such proxy connections. In the case of Tor, the NSA identifies what Tor’s SSL certificates look like in order to identify Tor circuits; such information may be retained in the GOLDENFORTIN dataset.

Document Published: June 28, 2016
Document Dated: Undated
Document Length: 25 pages
Associated Article: The Hunter: He Was a Hacker for the NSA and He Was Willing to Talk. I Was Willing to Listen.
Download Document: Tracking Targets Through Proxies & Anonymizes (and the air speed velocity of an unladen swallow)
Classification: TOP SECRET//COMINT//REL TO USA, FVEY
Authoring Agency: NSA
Codenames: GOLDENFORTIN, XKS (XKEYSCORE)

Network Shaping 101

Summary: This is a how-to document that explains to analysts how to push traffic over specific network points (ASes) into which the NSA has visibility. The presentation responds to the following hypothetical question: where a company such as Yemennet has six links to the rest of the Internet, and the NSA has visibility into two of those links, how can traffic be pushed onto those links so that analysts can see what is being exfiltrated? It is noted that the information provided for the example is outdated and sometimes made up simply for the sake of instruction.

After explaining how connectivity between Yemen and its upstream providers functions (i.e. Yemennet can control which provider it sends data to, but not which provider sends it data), the document explains how an analyst would determine whether Special Source Operations (SSO) had successfully gained a network perspective into one of the upstream providers. If so, then sending data out of the network to an IP address associated with the upstream provider may let the NSA collect the information; such data might be sent because a computer network exploitation (CNE) operation was collecting and trying to exfiltrate data from the device/network on which it is implanted. To shape into a country, an analyst should send data traffic to one of the IP addresses of the upstream provider that is situated in the target network (for why such an address will be in the target network, see pages 15-18).

The final slides explain common problems associated with network shaping. These include cases where: there is different pricing between different upstream providers, the same provider offers multiple links and only one is tapped by the NSA, or the SSO is not configured to actually collect the exfiltrated information.

Document Published: June 28, 2016
Document Dated: Undated
Document Length: 81 pages
Associated Article: The Hunter: He Was a Hacker for the NSA and He Was Willing to Talk. I Was Willing to Listen.
Download Document: Network Shaping 101
Classification: Top Secret//COMINT//Rel to USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: BLACKPEARL

2015

Exploiting Foreign Lawful Intercept (LI) Roundtable

Summary: This document indicates the NSA’s interest in exploiting lawful interception devices in a range of countries of interest, including Pakistan, Afghanistan, Iran, Iraq, Yemen, Syria, China, Egypt, Algeria, Mexico, Indonesia, the United Arab Emirates, Saudi Arabia, and Russia. The agency had created approximately 60 XKEYSCORE (XKS) fingerprints that applied to: Aqsacom, ATIS, Ericsson, ETSI, Huawei, Motorola, Nokia, Siemens, Trovicor, Utimaco, ZTE, and to generic lawful interception devices. The devices were accessed using satellite, microwave, special source (SSO), and tailored access operations (TAO). The goal was both to identify patterns in the numbers that were being targeted by each country’s lawful interception systems and to differentiate between internet and telephone traffic.

The NSA was involved in mapping the networks of companies providing communications services in-region, as well as determining the IP addresses and ports used by the devices, and which vendors serviced which communications services.

Document Published: September 28, 2015
Document Dated: Undated
Document Length: 12 pages
Associated Article: A Death in Athens: Did a Rogue NSA Operation Cause the Death of a Greek Telecom Employee?
Download Document: Exploiting Foreign Lawful Intercept (LI) Roundtable
Classification: TOP SECRET//SI//REL TO USA, FVEY
Authoring Agency: NSA
Codenames: KITTYBINGE, STARPROC, XKEYSCORE (XKS)

Crypt Discovery Joint Collaboration Activity

Summary: This document outlines the potential risks posed to NSA and GCHQ target discovery as targets increasingly adopt encrypted channels to communicate. TLS, VPNs, and equivalent levels of security are regarded as endangering both target discovery and development because such encryption makes it difficult, if not impossible, for the intelligence services to collect metadata needed for such discovery and development operations.

As a result, the NSA and GCHQ authors suggest developing a plan to evaluate the actual prevalence of encryption across the Internet and within SIGINT targets’ domains, assess the threat of HTTPS to existing target exploitation and development capabilities, understand and improve pairing rates within and between access points (e.g. correlate website access to volumes of encrypted links), and research new ways to maintain effective target discovery tradecraft and mitigate the threat of encrypted traffic. To conduct this kind of research, in particular, a range of GCHQ databases, as well as XKEYSCORE (XKS) are noted as potentially useful for the project.

Document Published: September 25, 2015
Document Dated: January 20, 2011
Document Length: 3 pages
Associated Article: Profiled: From Radio to Porn, British Spies Track Web Users’ Online Identities
Download Document: Crypt Discovery Joint Collaboration Activity
Classification: TOP SECRET
Authoring Agency: GCHQ (lead), NSA
Codenames: ASDF, BEARDEDPIGGY, KARMAPOLICE, MARBLEDGECKO, MEMORYHOLE, MUTANTBROTH, SOCIALANIMAL, TICKETWINDOW, xWINDOW, XKS

FAIRVIEW Dataflow Diagrams

Summary: This slide deck provides visual representations of how data was collected by, and then processed and delivered to, the NSA from FAIRVIEW. FAIRVIEW was the covername assigned to AT&T.

Each slide details a different mode of collection undertaken by AT&T for the NSA. Each data flow diagram details aspects of the access partner processing, site processing (which usually takes place in a PINECONE SCIF that is on-site), and then how the NSA subsequently handles the data when undertaking its own corporate processing. Almost every stage of the data flow process is associated with a covername, which has the effect of making it somewhat clear how covername programs/capacities interlink with one another, inclusive of the intake processes, the intermediate data processing stages, and the final data repositories. The slides also make clear how selected kinds of data are collected and processed under different legal authorities; as examples, in some cases FISA provides the authorities for collection whereas in other cases it is the FAA that authorizes the collection.

Several of the slides visualize the collection of RAGTIME covered data; RAGTIME was the special handling caveat for operations associated with WHIPGENIE which, itself, ultimately was reflagged as STELLARWIND. Slides 18 and 19 provide dataflow diagrams that reveal how TAO implants were used to send data into FAIRVIEW processing locations to subsequently be shaped into NSA collection repositories, including VULCANDEATHGRIP.

Document Published: August 15, 2015
Document Dated: April 2012
Document Length: 20 pages
Associated Article: AT&T Helped U.S. Spy on Internet on a Vast Scale
Download Document: FAIRVIEW Dataflow Diagrams
Classification: TOP SECRET//COMINT//NOFORN
Authoring Agency: NSA
Covernames: BIGDIPPER, BLARNEY, BLARNEYNET, CADENCE, CLEARSIGHT, CONVEYANCE, COURIERSKILL, DARKTHUNDER, DESTO, DISHFIRE, DRIFTWOOD, FAIRVIEW, FALLOUT, FASCIA, FISHWAY, GATEKEEP, HAVASU, HIGHDECIBEL, KEYCARD, LILDIPPER, LOPERS, MAILORDER, MARINA, MIDFIELD, MOBILESEAGULL, NUCLEON, PINECONE, PINWALE, RAGTIME (RGT), RIMROCK, SAGUARO, SCISSORS, SEAGULL, STEELFLAUTA (STF), STONEGATE, TATTOO, TINSEL, TITANPOINT, TOPROCK, TUMULT, TURMOIL, TURNSTILE, UYCERVA, VULCANDEATHGRIP, WATERFRONT, WAYLAND, WEALTHYCLUSTER2 (WC2), XKEYSCORE (XKS), YANKEE

SSO Dictionary

Summary: This undated dictionary provides glosses for several terms associated with the corporate partner FAIRVIEW, including the AT&T-specific term ‘SNRC’. The glossary entries are extensive and include the following non-covername acronyms and abbreviations: Analyst Advisory Board (AAB), Call Detail Records (CDR), CASE NOTATION, CCCD Value, CD Value, CNCI, Common Backbone (CBB), Data Distribution Service (DDS), DNE, DNI, DNR, FAA, Filtering & Selection (F&S), FISA, FTIN, High Powered Cordless Phone (HPCP), IMEI, IMSI, INMARSAT, ISAT, JDTS, Mobile Application Part (MAP), Media Over IP (MoIP), MSISDN, Network Address Translation (NAT), NRTM, NSAH, NSAW, NSOC, NTOC, ODD, PAA Value, PCS, PDDG, Pen Register / Track and Trace (PR/TT), PRI, Private Branch Exchange (PBX), Public Switched Telephone Network (PSTN), Reasonable Articulable Suspicion (RAS), RTIN, SCIF, SIGINT Emitter Database (SEDB), SNRC, Target Development Services (TAC/TDS), Unified Targeting Tool (UTT), Virtual Machine (VM), Virtual Passive Collection Suite (VPCS), VSAT.

Document Published: August 15, 2015
Document Dated: Undated
Document Length: 10 pages
Associated Article: AT&T Helped U.S. Spy on Internet on a Vast Scale
Download Document: SSO Dictionary
Classification: TS//SI//NF (highest classification)
Authoring Agency: NSA
Codenames: ARTIFICE, ASSOCIATION, BANYAN, BIGBIRD, BLACKBELT, BLACKNIGHT, BLARNEY, CADENCE, CLIFFSIDE (CS), CONUS, CONTRAOCTAVE, COURIERSKILL, DISHFIRE, FAIRVIEW, FASCIA, FASCIA II, FRIAR, HOMEBASE, IRISHBEAUTY, KEYCARD, KOZYKOVE (KK), LAMPSHADE, LITHIUM, LOPERS, LUMBERYARD, MAINWAY, MAILORDER, MARINA, MERLIN, NODDY-3, NUCLEON, NUTHATCH, OCONUS, OCTAVE, PINECONE, PINWALE, PLANK, PLANK-3, PLANK-3A, POORWILL, RODEOSTAR, SAGUARO, SAGURA, SEAGULL, SEALION, SERENADE, SHIPMASTER, SILVERCOLLAM (SC), SLIVER, STARGATE (SG), STONEGATE, SORA-2, THEORYMASTER, TITANPOINTE, TUBE, TURBULENCE, TURMOIL (TML), WEALTHYCLUSTER 2.0 (WC2), WPG, XKEYSCORE (XKS)

The Northwest Passage (Volume 2, Issue 1)

Summary: This newsletter document provides a background to the activities historically undertaken at Yakima Research Station (YRS) and, more recently, how its capabilities are used to support CYBERQUEST.

YRS is designated SIGAD USF-787 and was created in response to the Soviet Union and the United States launching satellites. Following those launches the United States established the FROSTING program to collect and process signals from communications satellites. Two sub-programs were established under FROSTING: TRANSIENT exclusively targeted Soviet satellites, whereas ECHELON collected and processed all INTELSAT communications.

In the 2.5 years prior to publication, YRS’s data collection had been relied on for the CYBERQUEST mission, which is focused on cyber threat discovery. FORNSAT data is identified as providing “an intrusion-rich” environment in which operators conduct operations. Data for threat discovery is stored in the SSG cloud framework that has the cover name GINPENNANT. YRS had recently received data snapshots from four SSOs via an external source and subsequently ingested the information into GINPENNANT; YRS was also ingesting and processing network data from national resources such as NSA-Colorado.

Document Published: August 3, 2015
Document Dated: January 2011
Document Length: 3 pages
Associated Article: GCHQ and Me: My Life Unmasking British Eavesdroppers
Download Document: The Northwest Passage (Volume 2, Issue 1)
Classification: TOP SECRET // COMINT // REL TO USA, FVEY
Authoring Agency: NSA
Codenames: CROSSBONES, CYBERQUEST (CQ), EARLY BIRD, ECHELON, FROSTING, GINPENNANT, JACKKNIFE, RUMBUCKET, SAFEGUARD, TRANSIENT

TUTELAGE 411

Summary: This slide deck discusses the capabilities associated with the NSA’s TUTELAGE program. TUTELAGE uses the NSA’s passive sensors to detect events and subsequently, in some cases, take action against the events which are targeting government networks. At a high level, once SIGINT is retrieved from adversary space that may characterize foreign adversary tradecraft, signatures and countermeasures are designed and pushed to the U.S. boundary sensors. Those sensors deploy countermeasures when adversary tradecraft is detected either at a boundary point or more generally through SIGINT sensors which are deployed more broadly.

At the time of publication, TUTELAGE had seven operational capacities. First, passive sensors could generate alerts based on detecting events and then send those alerts into storage. Second, an inline packet processor could intercept packets and make it appear to an adversary that an activity was completed without disclosing that it did not reach or affect the intended target. Third, the same inline packet processor could perform bidirectional content detection and replacement to prevent an attack from succeeding against a target. Fourth, TUTELAGE could redirect the course or direction of an adversarial activity; this might involve redirecting an outbound data exfiltration to an NSA-controlled server or modifying a given domain name lookup. Fifth, TUTELAGE could be used to block, or deny entry/exit of, network activity at Internet Access Points based on source/destination IP addresses and ports. Sixth, latency could be added to packets such that an adversary’s packets suffer a diminished quality of service, giving other TUTELAGE capabilities time to be executed. Seventh, it could inject TCP RST packets to prevent malicious activity by breaking the connection.

At the time of writing, TUTELAGE was operating against 28 major threat categories and used a total of 794 operational effects. Successes to date included stopping a particular BYZANTINEHADES spearphishing operation against high-profile users, including the Chairman of the Joint Chiefs of Staff and the Chief of Naval Operations. In another case, threat actors leveraging the Zeus malware were unable to successfully exfiltrate documents. In another case, AMULETSTELLAR operations were detected as targeting 10 general and flag grade officers, which ultimately led to countermeasures being deployed as well as to the interception of over 2000 emails from the actors, who were using an @yahoo.com account. TUTELAGE is also used to combat Anonymous’ Low Orbit Ion Cannon (LOIC).

In the future, there were plans to upgrade to 10G sensors to increase speed and capacity, to gain the ability to use TS/SI signatures, and to do session-based Snort analysis as well as multi-event Snort. Future plans also called for integrating POPQUIZ (real-time behavioural analytics), GNOMEVISION (de-obfuscation of malicious packages), cryptanalytic capabilities, and traffic analysis using GHOSTMACHINE. Other future capabilities involved establishing sidelines for session analysis. This would entail redirecting activity to a secondary level of intervention where an intermediate host provided additional processing or manipulation to better engage and/or thwart adversarial activities. This might involve shifting some traffic to virtualized listening posts that were associated with given physical servers. Another capability would integrate with the Department of Defense’s Host-Based Security System (HBSS) so that malicious activities detected by TUTELAGE could be dealt with at the host level and, by extension, trigger less sensitive alerts to local network administrators. QUANTUM might also be tipped by TUTELAGE to enable offensive actions in adversary spaces or activate shots, with real-time cryptanalytics enabling QUANTUM operations to take place at net-speed.

Document Published: January 17, 2015
Document Dated: Post February 11, 2011
Document Length: 30 pages
Associated Article: The Digital Arms Race: NSA Preps America for Future Battle
Download Document: TUTELAGE 411
Classification: TOP SECRET//COMINT//REL TO USA, FVEY
Authoring Agency: NSA
Codenames: AMULETSTELLAR, BISHOPKNIGHT, BLINDMARKSMEN, BYZANTINE FOOTHOLD, BYZANTINE HADES, BYZANTINE VIKING, CARBON PEPTIDE, CYBERQUEST, DANCING PANDA, GHOSTMACHINE, GNOMEFISHER, GNOMEVISION, MAKERSMARK, MAVERICKCHURCH, NATIVEDANCER, PANDORASMAYHEM, POPQUIZ, QUANTUM, SUBTLESNOW, TURBINE, TUTELAGE, WEASELWAGGLE, WIDOWKEY, XKEYSCORE

TRANSGRESSION Overview for Pod58

Summary: This slide deck provides an overview of the TRANSGRESSION Group, which was originally mandated to “[d]iscover, understand, evaluate, and exploit foreign CNE/CNA exploits, implants, command & control and exfiltration” but had been reformed to “[p]rovide cryptanalytic exploitation support for Network Defense (NTOC and IAD), 4th Party SIGINT (S2, NTOC and TAO), and Cyber (TAO, RATWHARF) missions.” It was composed of the leads who were responsible for tracking malware, including malware used by particular adversaries such as China and Iran, and numbered at least 17 people. Past successes were against a range of adversaries, and work relied upon XKEYSCORE (XKS) to manage daily workflows, such as by way of XKS fingerprints, microplugins, and GUI workflows and web services. Data came principally from XKEYSCORE, TUNINGFORK, directly from Tailored Access Operations (TAO), as well as from NTOC internal and external parties (e.g. FBI, Cyber Command). Data analyses principally related to command and control, file transfers, email, and credentials, though such information was often secured using either commercial or custom encryption.

Document Published: January 17, 2015
Document Dated: February 7, 2010
Document Length: 16 pages
Associated Article: The Digital Arms Race: NSA Preps America for Future Battle
Download Document: TRANSGRESSION Overview for Pod58
Classification: TOP SECRET//COMINT//REL TO USA, FVEY
Authoring Agency: NSA
Codenames: ADJUTANTVENTURE, BYZANTINE HADES, BYZANTINE FOOTHOLD, BYZANTINE RAPTOR, CROWNROYAL, CROWNPRINCE, GHOSTRECON, INCAADAM, MAKERSMARK, MAVERICK CHURCH, NIGHTTRAIN, PINWALE, PLAIDDIANA, POLARSTARKEY, POPROCKS, RAPTORJOY, RAPTORROLEX, RAPTORSAD, RATWHARF, RECORDER, SCISSORS, SHADOWDRAGON, SHEPHERD, SNOWGLOBE, SUPERDRAKE, TRANSGRESSION, TUNINGFORK, TWEEZERS, VOYEUR, WALKERBLACK, WALKERRED, WIDOWKEY, XKEYSCORE (XKS), ZEBEDEE

Atomic SIGINT Data Format (ASDF) Configuration Read Me

Summary: This document explains how organizations can configure their XKEYSCORE servers to accomplish their missions, by way of generating and forwarding ASDF metadata to an intermediary (FALLOUT) before it is then delivered to metadata repositories such as MARINA, METAWAVE, FASCIA, or MAINWAY. FALLOUT receives metadata from collection and processing servers and then “converts, validates, normalizes, classifies, and distributes DNI metadata” (1). 

The document provides specific commands that must be entered in order to configure XKEYSCORE for ASDF information, which involves two pre-configuration phases and a third that executes a group of set-up processes.

Document Published: July 1, 2015
Document Dated: Undated
Document Length: 2 pages
Associated Article: XKEYSCORE: NSA’s Google for the World’s Private Communications
Download Document: Atomic SIGINT Data Format (ASDF) Configuration Read Me
Classification: SECRET
Authoring Agency: Unknown (NSA likely)
Covernames: BLACKPEARL, FALLOUT, FASCIA, MAILORDER, MAINWAY, MARINA, METAWAVE, SCISSORS, TURMOIL, WEALTHYCLUSTER 2.0, XKEYSCORE

The Unofficial XKEYSCORE Guide

Summary: This document explains how analysts can run queries using XKEYSCORE. It describes many of the procedures that are required to make queries based on IP range, date range, selectors such as email addresses or usernames, websites visited, as well as by document-type or -name, phone number, or passwords.

Noteworthy aspects of the document include notes about targeting queries to specific countries instead of being able to query the global database, as well as how to create workflows for regular types of queries. The end of the document contains a series of flowcharts that are designed to help analysts use XKEYSCORE most effectively to successfully retrieve data about targets. Specifically, the flowcharts are meant to help analysts learn more about a network based on an IP address they have, to learn about email addresses and foreign domains, or learn about a target’s email address based on their phone number.

Document Published: July 1, 2015
Document Dated: Undated but likely late 2008/early 2009
Document Length: 27 pages
Associated Article: XKEYSCORE: NSA’s Google for the World’s Private Communications
Download Document: The Unofficial XKEYSCORE Guide
Classification: TOP SECRET//COMINT//REL TO USA, CAN, GBR, NZL
Authoring Agency: NSA / Booz Allen Hamilton
Codenames: CADENCE, FOXTRAIL, PINWALE, RAGTIME, TIMBERLINE, TUNINGFORK, XKEYSCORE (XKS)

An Easy Win: Using SIGINT to Learn About New Viruses

Summary: This document outlines how the NSA monitors for email or other communications sent to anti-virus companies in order to collect malicious file samples for defensive and offensive purposes, known as Project CAMBERDADA. An example of the kind of communication being monitored for is provided, where the NSA presents an email from a Canadian citizen that was alerting another party about malware relating to BMO Financial Group, a Canadian company.

This method of using SIGINT to collect malware for triage collected approximately 10 files per day. By analyzing these files, a series of CAMBERDADA signatures were created and deployed to NIPRnet for alerting purposes. The NSA was also conducting DNS interdiction, whereby 9 malicious domains were interdicted by the Cloudshield DNS blocking system, which returned the address of a DoD listening post and sent out a “munged” (disguised) version of the DNS request.

A range of sources were used for Project CAMBERDADA, including SSO, dozens of CADENCE selectors, and MAILORDER deliveries. Going forward, Tailored Access Operations (TAO) could begin repurposing the detected malware, test to see if Kaspersky Anti-Virus had identified the malware, and also watch to see if people providing the malware were involved in more malicious activity. The penultimate slide, titled ‘More Targets!’, lists various anti-virus firms in various countries, including Russia, China, Israel, India, Italy, France, Germany, and Korea.

Document Published: June 22, 2015
Document Dated: Undated (post 2009)
Document Length: 13 pages
Associated Article: Popular Security Software Came Under Relentless NSA and GCHQ Attacks
Download Document: An Easy Win: Using SIGINT to Learn About New Viruses
Classification: TOP SECRET // COMINT // REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: BRICKTOP, CADENCE, CAMBERDADA, CLOUDSHIELD, MAILORDER, PINWALE

Kaspersky User-Agent Strings

Summary: This technical summary document describes how the NSA identified a machine identifier by analyzing Kaspersky User-Agent strings. The work began at SCAMP 2008 at Princeton and involved using YACHTSHOP metadata records along with information discovered using Google searches. In the conclusion of the report, its authors note that the User-Agent string holds information about the services contracted for or configurations of the software.

Document Published: June 22, 2015
Document Dated: September 2008
Document Length: 14 pages
Associated Article: Popular Security Software Came Under Relentless NSA and GCHQ Attacks
Download Document: Kaspersky User-Agent Strings
Classification: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: YACHTSHOP

Medical Pattern of Life: Targeting High Value Individual #1

Summary: This document is a slide deck from a presentation delivered to the SIGINT Development Conference in 2010. It discusses a potential medical pattern of life (PoL) operation, which involves identifying all recurring, and therefore predictable, patterns of behaviour that constitute a specific treatment regimen for a target’s medical illness. This information and mode of tracking is helpful because medical requirements don’t go ‘stale’ and by tagging and tracking medications or supplies it is possible to track them using geolocation to where a high value individual resides. A medical pattern of life composite was created for Osama Bin Laden which was to be used to determine medical treatment signatures and likely medications and equipment that were linked to such signatures. Medical pattern of life requires a process of compromising and electronically tagging pharmaceuticals, which is then used to track the medication remotely. Once it arrives at its location an independent confirmation of the target’s location must take place, followed by an operation on the acquired target.

A slide titled ‘Project Planning’ notes the need to acquire support from stakeholders, including the GCHQ. It is unclear whether the medical pattern of life operation presented in this slide deck ever proceeded beyond the planning phase.

Document Published: May 21, 2015
Document Dated: June 2010
Document Length: 10 pages
Associated Article: The NSA Plan to Find Bin Laden by Hiding Tracking Devices in Medical Supplies
Download Document: Medical Pattern of Life: Targeting High Value Individual #1
Classification: TOP SECRET//COMINT//REL
Authoring Agency: NSA 
Codenames: None

CATAPULT: A Bilateral Data Port

Summary: This SID Today document describes CATAPULT, a joint project between the NSA and the CSE to prototype a data portal for the exchange of SIGINT product between the NSA and its 2nd party partners. CATAPULT was folded within the NSA’s JOURNEYMAN program, which was meant to redesign SIGINT product authoring and dissemination. 

The CATAPULT data portal, which was implemented at CSE and accessible via the NSANet, contained all 2nd party viewable SIGINT product, such as multimedia reporting, CRITICOMM released product, and SIGINT on Demand (SOD) items. CATAPULT was based on the CSE’s SLINGSHOT project.

Beginning in February 2003, XML-formatted SOD items were incorporated into CATAPULT and SLINGSHOT; previously the two had been limited to a text-only email format. Lessons learned from CATAPULT were being applied to data exchanges of SOD product and metadata with other NSA 2nd party partners, such as the GCHQ.

At the time of writing, NSA analysts were increasingly being trained and identified as additional CATAPULT users, including from the China/Korea product line, TRAILBLAZER Target Operational Pilot (TOP), and from Customer Response organizations.

Document Published: May 16, 2016
Document Dated: May 8, 2003
Document Length: 1 page
Associated Article: The Intercept: The SID Today Files
Download Document: CATAPULT: A Bilateral Data Port
Classification: C//SI (Highest possible classification: TOP SECRET // SI / TK // REL TO USA AUS CAN GBR NZL)
Authoring Agency: NSA
Codenames: CATAPULT, JOURNEYMAN, SLINGSHOT, TRAILBLAZER

SKYNET: Applying Advanced Cloud-based Behaviour Analytics

Summary: This document discusses how, through the SKYNET collaborative research project, analysts can use cloud analytics to correlate pattern of life activity, and then parse different patterns against attributes that are of interest to the analysts. By linking travel analytics and other attributes to telephony metadata (DNR) the NSA can identify patterns of suspect activity. The analytic question that drives the presentation revolves around who has acted as a courier for Al’Qaeda, and is subsequently proximate to other persons who also have attributes the NSA has linked with courier behaviours.

To respond to the aforementioned question analysts used DEMONSPIT, which is a dataflow for bulk call data records (CDR) from Pakistan. Data mining is done on DEMONSPIT data, in tandem with CDRs that are promoted by analysts, to ultimately identify data of interest to analysts. These analysts are ultimately responsible for examining travel reports to determine which seeds and phrases are appropriate to use in tracking individuals to meetings or sidekicks of targets. In the case of promoting seeds and phrasing to monitor for meetings, the associated selectors are assessed to determine if the selectors (and associated individuals) are at meetings consistently, and in the case of sidekicks the selectors are used to assess if there are CDRs that can be linked to the selectors linked to the individual. 

The end of the document details at length how the NSA conducted its data analysis experiments to more accurately identify suspected couriers and those with whom they associate.

Document Published: May 8, 2015
Document Dated: Post June 5, 2012
Document Length: 40 pages
Associated Article: U.S. Government Designated Prominent Al Jazeera Journalist as “Member of Al Qaeda”
Download Document: SKYNET: Applying Advanced Cloud-based Behaviour Analytics
Classification: TOP SECRET // COMINT // REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: ASSOCIATION, BANYAN, BULLDOZER, CINEPLEX, DEMONSPIT, FASCIA, FASTSCOPE, GMHALO, GMPlace, JEMA, MAINWAY, ROLLERCOASTER, SKYNET, SMARTTRACKER, SNOWHAZE, SORTINGLEAD, TUSKATTIRE

SKYNET: Courier Detection via Machine Learning

Summary: This document discusses how the NSA attempted to detect couriers for Al Qaeda using machine learning techniques. The goal was to measure aspects of “selector’s pattern-of-life, social network, and travel behaviour” (3) and describes an experiment to assess the ability to detect possible couriers. This involved counting unique UCELLIDs associated with Al Qaeda senior leadership (AQSL) conducted locally, remotely, and in Pakistan. After running the experiment the NSA flagged Ahmed Zaidan as a probable courier, and also associated him with Al Qaeda, the Muslim Brotherhood, and Al Jazeera. Further, the experiment led to 21 of 500 selectors being tasked which led the NSA to “believe that we’re on the right track” (18) while also discovering “many untasked selectors with interesting travel patterns” (19). The NSA ultimately found that the experiment was “on the right track” and that it helped to discover selectors associated with “courier-like” travel patterns, while ultimately concluding that the high number of tasked selectors was “hopefully indicative of the detector performing well” (20).

Document Published: May 5, 2015
Document Dated: June 5, 2012
Document Length: 20 pages
Associated Article: U.S. Government Designated Prominent Al Jazeera Journalist as “Member of al Qaeda”
Download Document: SKYNET: Courier Detection via Machine Learning
Classification: TOP SECRET//COMINT//REL TO USA, FVEY
Authoring Agency: NSA
Covernames: SKYNET

Continued Effort Against South Pacific Region (Snippet)

Summary: This screenshot of a larger document notes that the GCSB focuses on accessing communications within the South Pacific region, while partnering closely with DSD, NZSIS, and ASIS.

Document Published: May 5, 2015
Document Dated: June 2009
Document Length: 1 page
Associated Article: The price of the Five Eyes club: Mass spying on friendly nations
Download Document: Continued Effort Against South Pacific Region (Snippet)
Classification: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: Unknown (likely NSA)
Codenames: None

Tier B allies

Summary: This is a chart that denotes Tier A and Tier B partners to the NSA. Tier A partners, which engage in comprehensive cooperation, include Australia, Canada, New Zealand and the United Kingdom. Tier B partners, which engage in focused cooperation, include Austria, Belgium, Czech Republic, Denmark, Germany, Greece, Hungary, Iceland, Italy, Japan, Luxembourg, the Netherlands, Norway, Poland, Portugal, South Korea, Spain, Sweden, Switzerland, and Turkey.

Document Published: April 28, 2015
Document Dated: Undated
Document Length: 1 page
Associated Article: No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State (book)
Download Document: Tier B allies
Classification: Confidential/NOFORN
Authoring Agency: Unknown (likely NSA)
Covernames: None

SUSLOW Monthly Report for March 2013

Summary: This is a short update on the activities the GCSB undertook during March 2013. It notes that the GCSB has a WARRIORPRIDE capability — i.e. a targeted malware tool capable of affecting mobile devices that can collect against an ASEAN country, but that its authorization had expired. Additionally, the 3-5 year High Frequency strategy was being developed, including an upgrade of collection capability to GLAIVE.

The GCSB was also investing in certain capabilities meant to: make systems and networks less vulnerable to exploitation; improve detection of intrusions using known tools and techniques; increase discovery of new/unknown tools and techniques; and actively disrupt intrusions before they cause harm. A link was also established between DIA’s malware analysis team and FVEY partners. 

The GCSB was expected to be affected by three legislative proposals (updates to the 2003 GCSB Act to expand the agency’s functions to include supporting external government agencies and the private sector; strengthened oversight, and network and supply chain security obligations). The agency was also working with NSA counsel to determine whether the Kim Dotcom litigation risked exposing any NSA equities. 

Document Published: April 19, 2015
Document Dated: March 2013
Document Length: 2 pages
Associated Article: Leaked papers reveal NZ plan to spy on China for US
Download Document: SUSLOW Monthly Report for March 2013
Classification: TOP SECRET//SI/REL TO USA, FVEY
Authoring Agency: NSA
Codenames: GLAIVE, WARRIORPRIDE

Extended Enterprise Report: July 2008

Summary: This snippet of a broader document provides some information concerning a GCHQ integree’s activities while at the NSA. It notes that the integree had multiple meetings concerning the NSA’s Texas-based collection of Latin American data. The GCHQ’s interests in the area pertained principally to Argentina but, also, towards Colombia and Venezuela. The integree also spoke about NTOC Texas’ roles against Latin America and further abroad.

Document Published: April 2, 2015
Document Dated: July 2008
Document Length: 1 page
Associated Article: Britain Used Spy Team to Shape Latin American Public Opinion on Falklands
Download Document: Extended Enterprise Report: July 2008
Classification: TOP SECRET//REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: None

SIGINT Development Forum (SDF) Minutes

Summary: This document summarizes the state of signals development amongst the Five Eyes (FVEY). It first outlines the core imperatives for the ‘SSG’ group, including: ensuring that the top technologies are being identified for use and linked with the capability they bring; that NSA shaping (targeting routers) improves (while noting that for the CSEC and the GCSB shaping involves “industry engagement and collection bending”); improving on pattern of life collection and analysis; improving on IP address geolocation that covers Internet, radio frequency, and GSM realms; analyzing how convergence of communications systems and technologies impacts SIGINT operations; and exploring how to train and maintain the NSA’s analytic workforce.

Privacy issues were seen as being on the SSG group’s radar, on the basis that the “Oversight & Compliance team at NSA was under-resourced and overburdened.” Neither the GCSB nor the DSD were able to sponsor or audit analysts’ accounts in the way the NSA does, and the CSEC indicated it had considered funding audit billets; while dismissed at the time, the prospect had re-arisen. At the time the non-NSA FVEYs were considering how to implement ‘super-user’ accounts, where specific staff would run queries for counterparts who were not directly authorized to run queries on selective databases.

The GCSB, in particular, was developing its first network analyst team in October 2009 and was meant to prove the utility of network analysis so as to get additional staff for later supporting STATEROOM and Computer Network Exploitation tasks. Further, the GCSB was to continue its work in the South Pacific region, as well as expanding cable access efforts and capabilities during a 1 month project. There was also a problem that 20% of the GCSB’s analytic workforce lacked access to the DSD’s XKEYSCORE, which was a problem given that the GCSB provided the NSA with New Zealand data. The reason for needing external tools to access data is that GCSB staff are prohibited from accessing New Zealand data.

Document Published: March 11, 2015
Document Dated: June 8-9, 2009
Document Length: 3 pages
Associated Article: Snowden revelations: NZ’s spy reach stretches across globe
Download Document: SIGINT Development Forum (SDF) Minutes
Classification: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: EREPO, STATEROOM, XKEYSCORE (XKS)

NSA Intelligence Relationship with New Zealand

Summary: This document summarizes the status of the NSA’s relationship with New Zealand’s Government Communications Security Bureau (GCSB). The GCSB has been forced to expend more of its resources on compliance auditing following recommendations after it exceeded its authority in assisting domestic law enforcement, but continues to be focused on government and Five Eyes priorities. The NSA encouraged GCSB efforts toward greater technical interoperability with the NSA and other FVEY nations.

The NSA provides the GCSB with “raw traffic, processing, and reporting on targets of mutual interest, in addition to technical advice and equipment loans.” The GCSB primarily provides the NSA with access to communications, including: China, Japanese/North Korean/Vietnamese/South American diplomatic communications, South Pacific Island nations, Pakistan, India, Iran, and Antarctica, as well as French police and nuclear testing activities in New Caledonia.

Of note, the GCSB is a member of SIGINT Seniors Pacific (SSPAC) (includes Australia, Canada, France, India, Korea, New Zealand, Singapore, Thailand, United Kingdom, and United States) as well as SIGINT Seniors Europe (SSEUR) (includes Australia, Belgium, Canada, Denmark, France, Germany, Italy, Netherlands, New Zealand, Norway, Spain, Sweden, United Kingdom, and United States).

Document Published: March 11, 2015
Document Dated: April 2013
Document Length: 3 pages
Associated Article: Snowden revelations: NZ’s spy reach stretches across globe
Download Document: NSA Intelligence Relationship with New Zealand
Classification: TOP SECRET//SI//REL TO USA, FVEY
Authoring Agency: NSA
Codenames: None

Rocoto: Implanting the iPhone (Snippet)

Summary: This snippet includes a presentation abstract. The presentation was to discuss developments in creating ‘tools’ for the iPhone 3G and how different tools (e.g. community jailbreaks) could be leveraged as intelligence community tools, as well as the challenges posed by the 3GS and the upcoming iPad.

Document Published: March 10, 2015
Document Dated: 2010
Document Length: 1 page
Associated Article: iSpy: The CIA Campaign to Steal Apple’s Secrets
Download Document: Rocoto: Implanting the iPhone (Snippet)
Classification: TOP SECRET//SI//NOFORN//ORCON
Authoring Agency: NSA
Codenames: None

Secure Key Extraction by Physical De-Processing of Apple’s A4 Processor (Snippet)

Summary: This snippet is for a presentation abstract. The presentation was focused on the iPhone and how it secures data using an on-board cryptographic key, the Global ID (GID). The abstract notes that Apple relies on industry partnerships for developing its devices and that Samsung is likely providing both processor and memory technology. The talk presents comparative research between a known Samsung product and an iPhone in order to determine the type and location of the programmable non-volatile memory. The talk also outlines progress made on determining where the GID key is located on the processor’s integrated circuit and “how it can be recovered by physical de-processing of the chip.”

Document Published: March 10, 2015
Document Dated: 2011
Document Length: 1 page
Associated Article: iSpy: The CIA Campaign to Steal Apple’s Secrets
Download Document: Secure Key Extraction by Physical De-Processing of Apple’s A4 Processor (Snippet)
Classification: S//NF (highest classification)
Authoring Agency: NSA
Codenames: None

Presentation Abstracts – Tuesday, 15 March: Differential Power Analysis on Apple A4 Processor (Snippet)

Summary: This snippet provides the abstract for a presentation on efforts to non-invasively extract a cryptographic key (Global ID (GID)) from iDevices. The crux of the presentation focuses on how the on-chip AES keys are extractable as a result of studying electromagnetic emissions occurring while the GID undertakes AES operations. Also noteworthy is that the Intelligence Community is “highly dependent on a very small number of security flaws, many of which are public, which Apple eventually patches.”

Document Published: March 10, 2015
Document Dated: 2011
Document Length: 1 page
Associated Article: iSpy: The CIA Campaign to Steal Apple’s Secrets
Download Document: Presentation Abstracts - Tuesday, 15 March: Differential Power Analysis on Apple A4 Processor (Snippet)
Classification: S//NF
Authoring Agency: NSA
Codenames: None

Apple A4/A5 Application Processors Analysis (Snippet)

Summary: This snippet indicates that there was a talk on analyzing Apple’s A4/A5 Application processors. Presenters included someone from Sandia National Laboratories and more information was available from a person associated with a CIA email address.

Document Published: March 10, 2015
Document Dated: Unknown
Document Length: 1 page
Associated Article: iSpy: The CIA Campaign to Steal Apple’s Secrets
Download Document: Apple A4/A5 Application Processors Analysis (Snippet)
Classification: S//NF
Authoring Agency: NSA
Codenames: None

Iran — Current Topics, Interaction with GCHQ

Summary: This is an executive briefing note preparing the Director of the NSA to speak to the state of GCHQ/NSA operations towards Iran. 

The director is advised that Iran is engaging in DDoS attacks against US banks in retaliation for efforts to slow or disrupt the Iranian nuclear sector, and that Iran’s attack against Saudi Aramco was the first time NSA recorded Iran successfully launching such a destructive attack. 

The NSA is prepared with contingency plans in the event of conflict with Iran and has a planned battle rhythm. 

The NSA has successfully worked together with the GCHQ on “multiple high-priority surges” to collect intelligence after major events in Iran, e.g. storming of British embassy, Iran’s discovery of CNE tools in its network, and support for Iranian nuclear negotiations. However, the briefing ends by warning that though the GCHQ wants to establish a blanket agreement to target Iran, existing Signals Intelligence Directory (SID) policy opposes such a strengthened relationship on this file. 

Document Published: February 10, 2015
Document Dated: April 12, 2013
Document Length: 2 pages
Associated Article: NSA Claims Iran Learned from Western Cyberattacks
Download Document: Iran — Current Topics, Interaction with GCHQ
Classification: TOP SECRET//COMINT//NOFORN
Authoring Agency: NSA
Codenames: None

Who Else Is Targeting Your Target? Collecting Data Stolen by Hackers

Summary: This document is a screenshot of SID Today, the National Security Agency’s (NSA) internal wiki. The page covers how the Communications Security Establishment (CSE), Government Communications Headquarters (GCHQ) and NSA operatives at Menwith Hill Station (MHS) began tracking and capturing data being exfiltrated by hackers. The hackers’ intrusion system is codenamed INTOLERANT and much of their exfiltrated information comes from, or pertains to, parties the intelligence community is interested in monitoring. ‘Fourth Party Exfiltration’ is the term that captures an unknown other party targeting a person or group of interest to Five Eyes agencies. 

The NSA/CSE were unable to determine who the hackers were or to attribute them to a state, though they were believed to be state-sponsored. Hackers coded data exfiltrated as: Indian Diplomatic & Indian Navy; Central Asian diplomatic; Chinese Human Rights Defenders; Tibetan Pro-Democracy Personalities; Uighur Activists; European Special Rep to Afghanistan and Indian photo-journalism; and Tibetan Government in Exile. The NSA/CSE planned to learn more about the attack and attribution going forward.

US and UK authorities held an interest in alerting Indian and European special representatives of the collection given those groups’ engagement with American and British government bureaucrats. There was no mention of seeking to notify human rights defenders, pro-democracy personalities, Uighur activists, or journalists, nor any mention that the Canadian government desired to provide notification. 

Document Published: February 4, 2015 
Document Dated: Last modified October 11, 2012 
Document Length: 1 page 
Associated Article: Western Spy Agencies Secretly Rely On Hackers For Intel And Expertise
Download Document: Who Else Is Targeting Your Target? Collecting Data Stolen by Hackers
Classification: TOP SECRET // SI / TK // REL TO USA AUS CAN GBR NZL
Authoring Agency: NSA
Codenames: INTOLERANT

SID Today – ‘4th Party Collection’: Taking Advantage of Non-Partner Computer Network Exploitation Activity

Summary: This SID Today article describes how the Menwith Hill Station (MHS) Computer Network Operations (CNO) team has successfully developed methods to engage in fourth party collection. This mode of collection entails identifying information that other, non-Five Eyes operators are exfiltrating through their own computer network exploitation (CNE) actions. In the SID Today article, the CNO team identified that the Kurdistan Democratic Party (KDP) had targeted Internet cafes in Iraq, and the persons who were specifically targeted had links to the Kurdistan Regional Government. All operations involved the installation of key loggers. At least one Iraqi Ministry of Foreign Affairs computer was also compromised. The author notes that collecting the exfiltrated information was useful because it produced information that might never have been seen via traditional signals intelligence, including logins and passwords, additional email addresses, phone numbers, and documents on the victim’s computer.

Document Published: January 17, 2015 
Document Dated: January 7, 2008
Document Length: 3 pages
Associated Article: The Digital Arms Race: NSA Preps America for Future Battle
Download Document: SID Today - ‘4th Party Collection’: Taking Advantage of Non-Partner Computer Network Exploitation Activity
Classification: S//SI//REL (Highest possible classification: TOP SECRET // SI / TK // REL TO USA AUS CAN GBR NZL)
Authoring Agency: NSA
Codenames: None

HIDDENSALAMANDER: Alerting and Characterization of Botnet Activity in TURMOIL

Summary: This presentation outlines the NSA’s efforts to alert on and characterize botnet activities, as well as how they intended to improve the alerting and characterization process. The intent of this kind of operation was to detect all botnet activity that is seen by NSA sensors, and only raise alerts when the activity is relevant and time-sensitive (e.g. involves entities commanding high interest, involves protected areas, or a defensive action could be prompted). In all cases there was an aim to generate metadata pertaining to the activity and to enrich as much of that metadata as possible, so as to alleviate the need for in-depth knowledge of the actors or malware in question. This activity of analyzing and enriching botnet-related information was covernamed HIDDENSALAMANDER and was, itself, a sub-component of the TURMOIL passive collection program.

At the time the presentation was prepared, the NSA was capable of tracking botnet events and had sensors at multiple different geographies. TURMOIL augmented defensive efforts that might be undertaken at the edge of networks by providing early warning tips for defensive action and, also, by generating metadata for characterization and to support attribution. 

Future work was to focus on integrating XKEYSCORE (XKS) and redesigning analytics information to generate more valuable summaries, which might include the ability to decide the point of origin of botnet herders. The biggest challenges at the time, as linked to botnet tracking, were to track peer-to-peer botnet activities and, also, that encrypted botnets defeated most attempts at tracking and reporting. In both cases, TURMOIL was seen as a possible solution by either providing inspiration linked with Fast Flux capabilities or using re-injections. 

The slide deck concludes by outlining what a future prototype that presented more information to analysts might look like. Covernamed POUNDSAND, it would make clearer the IP address(es) associated with a botnet, the country that IP address is associated with, the city the address is linked with, the family of the malware, and the role of the endpoint in question (e.g. bot versus control channel). POUNDSAND would also let analysts understand what bots are active in what geographies, the targets of botnet activities, and who else the bot controller was commanding. Going forward, it might also identify if there are attack commands that could be exploited and the type of botnet activity in different regions and associated with different families (e.g. seeing increased infections in different geographies, or whether the botnet activity is linked with reconnaissance or DDoS), as well as the actual server, filename, comment, IP, or URL the bots send/grab/connect to. For POUNDSAND to effectively develop, however, analysts would have to add extra detail to signatures they provided for XKEYSCORE collection, as well as redeveloping front end tools so that analysts could input the lifecycle stage group and stage instances, and other attributes. 

Should the NSA refurbish how it tracks botnet activity, the flow model would involve inputting signatures in XKEYSCORE and BLUESMOKE, which are used by TURMOIL and HIDDENSALAMANDER to produce metadata. The metadata would be processed by CYBERCLOUD to produce analytic results from data sources and RONIN would be used to characterize the hardware involved. Finally, analysts would be able to search databases and GOGADGET would display analytic results from CYBERCLOUD and detailed metadata. 

Document Published: January 17, 2015
Document Dated: 2010 or later
Document Length: 21 pages
Associated Article: The Digital Arms Race: NSA Preps America for Future Battle
Download Document: HIDDENSALAMANDER: Alerting and Characterization of Botnet Activity in TURMOIL
Classification: TOP SECRET//COMINT//REL TO USA, FVEY
Authoring Agency: NSA
Codenames: ASDF, ASDFReporter, BLACKENERGY, BLUESMOKE, CYBERCLOUD, FALLOUT, GHOSTMACHINE, GMPLACE, GOGADGET, HIDDENSALAMANDER (HS), MARINA, POUNDSAND, RONIN, TRAFFICTHIEF, TURMOIL, TUTELAGE, XKEYSCORE (XKS)

Moving Data Through Disconnected Networks: Delay-Tolerant Networking and the UC

Summary: This briefing slide deck outlines an intention by the NSA to develop a delay-tolerant networking (DTN) system for covert operations. This network would not depend on constant connectivity. Instead, a data source would intermittently and opportunistically send data to nearby receivers; the receiving devices would then pass data from receiver to receiver until the exfiltrated data arrived at its destination. Those who were carrying receiver devices might be unaware that their devices were even engaged in espionage; they would be the equivalent of data ‘mules’. Only the destination point would be able to decrypt the underlying exfiltrated data. 

Intelligence community applications for such a DTN network included: providing “unattributable” covert communications in areas without existing infrastructure or where using existing infrastructure would compromise operations; gaining close access, such as to a secure facility or denied area; “crowd sourcing”, including providing data flow in and out of closed nations, e.g. during an internet shutdown; and tagging, tracking and locating, including through GPS trackers in cars.

At the time, the NSA was developing this system using a cross-platform implant covernamed STRAITBIZARRE, which itself relied on the Tailored Access Operations’ CHIMNEYPOOL framework for communication and the FRIEZERAMP protocol for covert networking. The NSA recognized a range of security challenges to implementing DTN, including protecting against rogue bundles of data being injected into the network, preventing an adversary from modifying legitimate bundles, protecting against eavesdroppers, authenticating neighbours before establishing links, and ensuring a low probability of detection and interception. The NSA envisioned multiple solutions — such as ones meant to facilitate bundle-layer encryption, authentication, and data integrity — though key management issues were recognized as particularly important. Similarly, there were concerns about covert discovery of the DTN devices and network, which had led the NSA to consider how to set up external triggers for initiating DTN links, and perhaps even using some of the NSA’s own radios for some hops to make it less apparent who or which devices were part of the network. 

Document Published: January 17, 2015
Document Dated: June 2012
Document Length: 80 pages
Associated Article: The Digital Arms Race: NSA Preps America for Future Battle
Download Document: Moving Data Through Disconnected Networks: Delay-Tolerant Networking and the UC
Classification: TOP SECRET // COMINT // REL TO USA, FVEY
Authoring Agency: NSA
Codenames: CHIMNEYPOOL (CP), FRIEZERAMP (FR), FUZZYLINT (FL), RAPTORGALAXY, SPINDLE, STRAITBIZZARE (SBZ), TRIDENTSPECTRE, WARRIORPRIDE

QUANTUMFALCON: Summarization to support QUANTUM Targeting

Summary: This briefing document notes the challenges and possible solutions to triaging selectors for the QUANTUM program. At the time it was possible to manually query selectors in the MARINA database, but there was no automated workflow to query them as linked to QUANTUM activities. The proposed solution, covernamed QUANTUMFALCON, was to develop a cloud analytic that supported targeting activities by better correlating the websites a target had visited and, by extension, collating the information needed to target QUANTUM shots.

Document Published: January 17, 2015
Document Dated: Not Dated
Document Length: 7 pages
Associated Article: The Digital Arms Race: NSA Preps America for Future Battle
Download Document: QUANTUMFALCON: Summarization to support QUANTUM Targeting
Classification: TOP SECRET // SI // REL USA, FVEY
Authoring Agency: NSA
Codenames: ASDF, GHOSTMACHINE, INQUIRY, MARINA, QUANTUM, QUANTUMFALCON, REACTOR

QUANTUM Shooter SBZ Notes

Summary: This wiki page instructs a reader on how to configure devices which have been implanted with STRAITBIZARRE to operate as QUANTUM ‘shooters’. The document details the communications process for sending instructions to implanted devices, as well as some of the limitations in identifying devices which can receive commands. Of note, the ‘Web Sniper Gateways’ (WSGs) that are located between MIDDLEMAN boxes and the QUANTUM shooters are classified as NOFORN. Also, GCHQ has a different system for receiving information from STRAITBIZARRE implanted devices and, as such, the NSA’s own communications systems are not used when implanted devices are communicating with Menwith Hill Station (MHS).

Document Published: January 17, 2015
Document Dated: Undated
Document Length: 6 pages
Associated Article: The Digital Arms Race: NSA Preps America for Future Battle
Download Document: QUANTUM Shooter SBZ Notes
Classification: TOP SECRET//SI//REL TO USA, FVEY
Authoring Agency: NSA
Codenames: CHIMNEYPOOL (CHM), FELONYCROWBAR, FINGERGNOME, FORESTPLACE, FREEFLOW, FRIEZERAMP (FRZ), FROZENEARTH, FUSSYKEEL, GENIE, HANGARSURPLUS (HS), ISLANDTRANSPORT, MIDDLEMAN, PASSAGEHILL, QUANTUM, STRAITBIZARRE (SBZ), SURPLUSHANGER (SH), TURBINE, WAITAUTO, ZOMBIEARMY

Is there “fifth party” collection?

Summary: This forum thread provides responses to the question of whether there has been a situation in which a member of the Five Eyes obtained information from Actor One, who is exploiting Actor Two’s Computer Network Exploitation (CNE) activity. In such an instance, the NSA, and Actors One and Two, are all interested in the same target. 

Respondents indicate that this was the case when the NSA targeted the South Korean government’s CNE activities. There were instances wherein South Korea had implants on some North Korean officials’ devices, and the same devices were also being targeted by the North Koreans. In another situation the NSA identified a fourth party using a zero day exploit to successfully exploit a target the NSA was interested in; they captured the exploit and repurposed it, which the respondent to the question identified as fifth party collection, though it was officially termed fourth party collection.

Document Published: January 17, 2015
Document Dated: Unknown
Document Length: 3 pages
Associated Article: The Digital Arms Race: NSA Preps America for Future Battle
Download Document: Is there “fifth party” collection?
Classification: TOP SECRET // SI/TK// REL TO USA, FVEY
Authoring Agency: NSA
Codenames: None

DEFIANTWARRIOR and the NSA’s Use of Bots

Summary: This powerpoint slide deck outlines how the NSA is involved in collecting and harnessing botnets. When a botnet is taken over by the FBI there is a process whereby US-based bots are quarantined by the FBI, US military bots are directed to the NTOC, and foreign bots are directed to the Tailored Access Operations (TAO) IRC server. 

The NSA leverages SIGINT systems from the other Five Eyes countries, including “extensively” using GCHQ collection platforms and personnel, to identify and target foreign bots. Having identified botnets, their infrastructure, and sometimes their herders’ credentials, the TAO may attempt to acquire bots to use them in active Computer Network Exploitation, pervasive network analysis, and throw-away non-attributable Computer Network Attack activities. The NSA often uses QUANTUMBOT to engage in man-on-the-side attacks designed to steal away adversaries’ bots by pushing them to TAO controlled bot servers (e.g. NSA IRC channels). The supply of available bots changes over time, though the NSA envisioned diversifying the ways in which it obtains bots by diversifying what tips QUANTUMBOT actions, as well as diversifying the techniques used to acquire bots to include man-in-the-middle attacks and throwing exploits from bots which are controlled by the NSA. 

The system for successfully gaining control of bots can break, as the automated systems tend to be fragile. However, even when they do work, operators are warned to take care that the activities they undertake are “awesome enough to be useful” without being trivially caught or identified as a state actor, and to notice when burned. There are processes in place to prevent such detection, such as uniquely packed and uniquely keyed shipped binaries, but future deployments were meant to be more carefully staged and to adopt reverse honey-nets. There were also plans to send data more productively to a range of NSA databases so that the intelligence obtained was more useful. The slide deck concludes with a walk-through of creating a botnet from available bots and resources.

Document Published: January 17, 2015
Document Dated: May 24, 2010
Document Length: 65 pages
Associated Article: The Digital Arms Race: NSA Preps America for Future Battle
Download Document: DEFIANTWARRIOR and the NSA’s Use of Bots
Classification: TOP SECRET//COMINT//REL USA, FVEY
Authoring Agency: NSA
Codenames: COLOSSUS, DEEPFRIEDPIG, DEFIANTWARRIOR, FESTIVEWRAPPER, FREEFLOW, HANGARSURPLUS, INCENSER, ISLANDTRANSPORT, MAILORDER, MARINA, OLYMPUS, PASTEPIG, PRESSUREWAVE, PUZZLECUBE, QUANTUM, QUANTUMBOT (QBOT), SEAGULLFARO, SEEKER, SHOUTPIG, SMOKYSINK, STELLABLUE, STORMPIG, STRAITBIZARRE, SURPLUSHANGAR, TREASUREMAP, TURBINE, TURBULENCE, TURMOIL, UNITEDRAKE, UNPACMAN, WAITAUTO, WARNVOLCANO, XKEYSCORE, YELLPIG, ZORIPIG

APEX: Active/Passive Exfiltration

Summary: This extensive powerpoint deck explains how the NSA intended to, circa August 2009, strategically collect and decrypt Virtual Private Network (VPN) and Voice over Internet Protocol (VoIP) communications. At the time of writing most of the VPN-related decryption materials were collected using passive programs, such as TURMOIL. This generated problems because TURMOIL didn’t have visibility of all VPNs. The proposed solution was to collect VPN as well as VoIP traffic using passive (i.e. TURMOIL) and active (i.e. Tailored Access Operations (TAO) implants) means. TURMOIL would collect information from high-speed passive collection systems that intercept foreign targeted satellite, microwave, and cable communications as they were transmitted around the globe. In the case of TAO’s implants, the TURBINE system provides automated management and control of a large network of implants. Combined, these passive and active collection activities were covernamed TURBULENCE.

TURBULENCE relied on a particular exfiltration protocol, covernamed FASHIONCLEFT. The protocol would select and copy packets based on tasking and then subsequently modify their IP characteristics in order to send them to their destination. The receiving destination possesses sufficient metadata to identify the exfiltrated packet(s) and their sources, recover the original IP destination information and other protocol fields, and decrypt the transport layer payload. 

All VPN IKE information was sent to the TOYGRIPPE database, with targeted VPN IKE information sent to POISONNUT for VPN key recovery. In some cases, such as VPN ESP Packets, 15 minutes of data would be buffered and the VPN key requested from other NSA systems. When and if a key was identified, the buffered traffic could be decrypted. 

Some of the challenges to be overcome included more effectively identifying networks and devices bearing interesting traffic, and discovering exfiltration paths from a device to the TURMOIL system. There were also metadata and processing challenges, such as ensuring that relevant NSA databases (e.g. PRESSUREWAVE) had appropriate information for VoIP decrypts and that CES had metadata for VPN missions. In both cases, a way of linking case notions between the active implant and the passive implant was needed. There were also some classification and legal authority questions; with regard to the former, some TAO implants were highly compartmentalized. There was also a need to demonstrate legal compliance between the collection and existing collection authorizations. 

Moving into the future, the NSA envisioned a system that required less manual tasking and, instead, established systems that would automatically task selected communications for exfiltration and decryption, and dynamically target communications based on tasking instructions. This stands in contrast to manually configuring exfiltrations and decryption, or establishing semi-automatic systems of exfiltrating and decrypting material.

Document Published: January 17, 2015
Document Dated: August 2009
Document Length: 55 pages
Associated Article: The Digital Arms Race: NSA Preps America for Future Battle
Download Document: APEX: Active/Passive Exfiltration
Classification: TOP SECRET // COMINT // REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: CHIMNEYPOOL, COALSHOVEL, CONVEY, FASCIA, FASHIONCLEFT, FIGBUILD, FLAXENPRECEPT, FOGYNULL, FUNNELAPS, HAMMERCHANT, HAMMERMILL, HAMMERSTEIN, ISLANDTRANSPORT, KEYCARD, OLYMPUS, OPTICPINCH, PINWALE, POISONNUT, PRESSUREWAVE (PWAVE), PUZZLECUBE, QUANTUM, ROOTKNOT, SEAGULFARO, SHELLGREY, SURPASSPIN, SWEEPFORWARD, TOYGRIPPE, TRAFFICTHIEF, TREBLECLEF, TURBINE, TURBULENCE, TURMOIL, TUTELAGE, UNITEDRAKE, VINYLSEAT, XKEYSCORE

Fourth Party Opportunities

Summary: This slide deck outlines the four ways by which the NSA engages in fourth party collection activities. Such collection activities involve obtaining information which is being exfiltrated from devices by other, non-Five Eyes parties, such as competing intelligence agencies, criminals, or even spouses who are spying on one another. These kinds of activities are conducted by the NSA’s Cyber Counterintelligence Division, which is a part of the Tailored Access Operations (TAO). 

The first method of engaging in fourth party collection comes from passive acquisition of information, as parties exfiltrating data pass their data along network points, which the NSA can identify and collect. The NSA often then decrypts and de-obfuscates the data. The second method is termed active acquisition, and involves targeting foreign Computer Network Exploitation (CNE) infrastructure to collect the exfiltrated information. The third method involves victim stealing (also known as ‘sharing’), which exploits weaknesses in foreign CNE implants to gain access to the implanted devices to either take control of the device or replace the foreign implant with one of the NSA’s own. The fourth method, repurposing, entails using captured foreign CNE components (e.g., implants, exploits, etc) to shorten the development cycle of the NSA’s own CNE tools. Actively exploiting a target only takes place until a time that the tasking has been sufficiently reprioritized so that passive collection alone is sufficient to obtain information about the exfiltrated data or party being targeted.

The remainder of the slides discuss the TAO’s successful operations targeting Iranian implants, as well as the back-end ways by which data is collected and how to query collected data. It also includes case examples of victim stealing and repurposing. At the time the slides were developed, TAO was also developing a user interface which displayed the victims of fourth party exfiltration, and that included a broad assortment of survey data that was used to, in part, engage in the discovery of fourth party actors. 

Document Published: January 17, 2015
Document Dated: Post May 2011
Document Length: 26 pages
Associated Article: The Digital Arms Race: NSA Preps America for Future Battle
Download Document: Fourth Party Opportunities
Classification: TOP SECRET // COMINT // REL TO USA, FVEY
Authoring Agency: NSA
Codenames: BYZANTINE RAPTOR, CROSSBONES2, CYBERQUEST, DEADSEA, DIRTSHED, HAPPYFOOT, HAWALA, PLAIDDIANA, SEEKER, SILVERBOLT, TUNINGFORK, VOYEUR, XKEYSCORE, ZEBEDEE

BYZANTINE HADES: An Evolution of Collection

Summary: This document contains a two-part powerpoint deck. The first half provides an overview of the targets of BYZANTINE HADES, an NSA covername that refers to Chinese-based Computer Network Exploitation (CNE) operators/threats. The reporting focuses on BYZANTINE CANDOR, an actor that focused on the Department of Defence, economic and commodities information, as well as information pertaining to contemporary geopolitical and economic events. The operator used spearphishing tied to malware; after relevant information was passed along to the Tailored Access Operations (TAO) group, TAO evaluated whether the identified hosts were vulnerable and subsequently collected and reviewed what was collected. From the analysis, it became apparent how the operator worked differently than TAO, how they exfiltrated data, and who their future targets were. 

BYZANTINE CANDOR successfully targeted a pair of defence contractors and stole over 2,500 files. Though BYZANTINE CANDOR was ultimately compromised itself, this was the result of fourth party collection from ARROWECLIPSE; the NSA at the time of the presentation did not know who this actor was and, as such, they presented a knowledge gap. However, with the ARROWECLIPSE data TAO was able to identify and subsequently exploit a series of virtual and physical machines. One of the virtual machines was attributed to the People’s Liberation Army (PLA) and believed to belong to the team lead; subsequent efforts against the target led TAO to identify future targets, victim data, source code and new tools, and actor information, including sufficient information to profile the probable PLA team lead, who was covernamed CUTEBOY.

Document Published: January 17, 2015
Document Dated: June 2010
Document Length: 27 pages
Associated Article: The Digital Arms Race: NSA Preps America for Future Battle
Download Document: BYZANTINE HADES: An Evolution of Collection
Classification: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: ARROWECLIPSE, BISHOP, BISHOP KNIGHT, BYZANTINE ANCHOR, BYZANTINE CANDOR (BC), BYZANTINE FOOTHOLD, BYZANTINE HADES (BH), BYZANTINE PRAIRIE, BYZANTINE RAPTOR, BYZANTINE TRACE, BYZANTINE VIKING, CARBON PEPTIDE, CUTEBOY, DIESEL RATTLE, MAVERICK CHURCH, PINWALE, POPROCKS, SEEDSPHERE, TITAN RAIN III, TRANSCOM, TUNINGFORK, XKEYSCORE

Chinese Exfiltrate Sensitive Military Technology (Snippet)

Summary: This slide deck snippet indicates that sensitive military and US government information was accessed and exfiltrated by Chinese parties. Information included radar technologies, as well as logistics and officer information, missile tracking and design information, as well as information about military aircraft, space-based weapons, and contractor information. These intrusions, estimated to amount to 50 terabytes of data, cost over $100 million (USD) to assess the damage and rebuild defences. The concluding slide suggests that the NSA could use SIGINT to discover malware during the design process to better defend against intrusions prior to them even taking place.

Document Published: January 17, 2015
Document Dated: Undated
Document Length: 3 (of 11+) pages
Associated Article: The Digital Arms Race: NSA Preps America for Future Battle
Download Document: Chinese Exfiltrate Sensitive Military Technology (Snippet)
Classification: S//REL (Maximum Possible Classification: TOP SECRET // COMINT // REL USA, FVEY)
Authoring Agency: NSA
Codenames: BYZANTINEHADES

The FASHIONCLEFT Protocol

Summary: This slide deck provides an overview of the FASHIONCLEFT protocol, which is used by Tailored Access Operations (TAO) to exfiltrate network packets collected by TAO implants to the Common Data Receptor (CDR) format. The exfiltration process involves making a copy of the given packets, modifying the packet IP destination address, modifying other protocol fields as needed to bypass firewalls and tag packets for identification, optionally encrypting/munging the transport layer payload, and then sending the modified data packet to its destination. Receivers require metadata in order to identify the exfiltrated data and recover the information about the packets, so as to return them to their pre-modified state. 

The supplemental slides for this presentation include information about how FASHIONCLEFT is used to copy VPN and VoIP data traffic, and the role of TURMOIL in recovering and processing the exfiltrated data packets. One of the challenges in recovering packets — as well as defeating VPN and VoIP encryption — was linked to the time that packets could be delayed for processing at TURMOIL locations, and how long it took to obtain decryption keys to recover encrypted traffic. Moreover, developing extended packet caches (of approximately 15 minutes) would ensure that data packets could be processed even if the initial signalling information was missed, but such caches violate the normal TURMOIL architecture and thus may not be implementable at all sites, would require additional manual searching for data packet hits instead of automating the analysis, and would require time and effort to implement. 

Document Published: January 17, 2015
Document Dated: October 16, 2008
Document Length: 19 pages
Associated Article: The Digital Arms Race: NSA Preps America for Future Battle
Download Document: The FASHIONCLEFT Protocol
Classification: TOP SECRET//COMINT//REL TO USA, FVEY
Authoring Agency: NSA
Codenames: FASHIONCLEFT, FLASHHANDLE, FOGYNULL, FUNNELAPS, HAMMERCHANT, LIGHTDELAY, MBEAN, PUZZLECUBE, SHELLGREY, SURPASSPIN, TURMOIL

S3285/InternProjects

Summary: This wiki page includes a range of different projects that NSA interns could apply for within the Persistence Division, with some information about the different kinds of projects that were available. Nine different categories of projects were identified, many of which listed sub-projects. Some of these projects, and their details, included the following:

  • The Computer Network Attack (CNA) team POLITERAIN was looking for interns who could productize a range of attacks that relied on destroying network cards, zeroing out hard drives, or erasing the BIOS of certain servers. 
  • Projects in the Hard Drive Recovery category focused on fixing hardware and resolving firmware problems, in order to ultimately extract data off damaged hard drives. 
  • IRATEMONK projects focused on maintaining the persistence of code implanted on different hard drives, with reversing different manufacturers’ drives receiving unique covernames. 
  • OS Execution projects involved interns working to identify ways of obtaining code execution within the operating system kernel so that NSA payloads could be executed or installed. This included research into what kinds of execution techniques could enable payload execution inside Mac OSX.
  • Interns working on the SIERRAMIST/JUMPDOLLAR covernames were to find ways of running code such that the SIERRAMIST or JUMPDOLLAR partitions would either receive information from the visible operating system or be capable of running activities after receiving instruction sets. 
  • Other interns could work on BERSERKR, a covername for a persistent backdoor that was implanted into the BIOS; specifically, they would have the opportunity to develop the backdoor so it included “new network interface card parasitic drivers as well as applications.” 
  • Interns working on GOPHERRAGE would work with NSA staff to develop a hypervisor implant that leveraged AMD and Intel’s virtualization technologies in order to provide implant persistence capabilities and a persistent back door. 

Interns also had the opportunity to contribute towards the development of Windows-centric tools used by the NSA for profiling, as well as Network Infrastructure projects intended to port a ‘persistence solution’ from a firewall sold by one network infrastructure provider to other products sold by the same provider.

Document Published: January 17, 2015
Document Dated: Undated
Document Length: 13 pages
Associated Article: The Digital Arms Race: NSA Preps America for Future Battle
Download Document: S3285/InternProjects
Classification: TOP SECRET // SI // REL TO USA, FVEY
Authoring Agency: NSA
Codenames: ALTEREDCARBON, ARGYLEALIEN, BARNFIRE, BENTWHISTLE, BERSERKR, BORGERKING, CASTLECRASHER, CENTRICDUD, EASYKRAKEN, FAKEDOUBT, GOPHERRAGE, IRATEMONK, JUMPDOLLAR, KIRKBOMB, MADBISHOP, MOPNGO, MOUSETRAP, PASSIONATEPOLKA, PLUCKHAGEN, POLITERAIN, ROGUESAMURAI, SADDLEBACK, SIERRAMIST, SIERRAMISTFREE, SODAPRESSED, SPITEFULANGEL, STYLISHCHAMP, TORNSTEAK, TWISTEDKILT, VALIDATOR, WICKEDVICAR, WISTFULTOLL

SPINALTAP: Making Passive Sexy for Generation Cyber

Summary: This slide deck outlines how extracted selectors from exploited machines are translated after being sent back to the NSA, so that the selectors of those machines can subsequently be used for passive collection. As part of this translation, fingerprints were created to label passive collection events as related to endpoint-derived selectors in an automated and scalable fashion. The process of labelling information depended on XKEYSCORE fingerprints being used to parse files collected from endpoints and the parsed data feeding the SPINALTAP database, which then generates the passive collection fingerprints. 

Selector types included machine IDs associated with cookies, serial numbers, browser tags, Windows Error IDs, and Windows Update IDs; attached device information, including IMEIs for phones, UDIDs for Apple devices, and Bluetooth related identifiers; cipher key information; network information such as wireless MACs and VSAT MACs and IPs; as well as User Leads such as selectors from cookies, registry, and profile folders, and STARPROC-identified active users.

The long-term goal for SPINALTAP was to further automate the extraction and fingerprint creation process, to deprecate or expire old fingerprints, support new kinds of selectors, and improve both private network identification and how data could be used to enrich other tools. In addition, the process used to develop fingerprints for SPINALTAP was also used to identify fourth party tools: when a program crashed, an error report was sent to Microsoft, and the crash report sometimes contained information that identified whether the machine was targeted by computer network exploitation by a foreign actor. Similarly, if machines being targeted by the Tailored Access Operations (TAO) crashed, then the NSA could determine whether there was a problem with an implant and subsequently troubleshoot the tools being used. 

Document Published: January 17, 2015
Document Dated: Post May 2012
Document Length: 27 pages
Associated Article: The Digital Arms Race: NSA Preps America for Future Battle
Download Document: SPINALTAP: Making Passive Sexy for Generation Cyber
Classification: TOP SECRET // COMINT // REL TO USA, FVEY
Authoring Agency: NSA
Codenames: AARDVARKSTAKE, ABSOLINEDELTA, ACRIDMINI, AFTERBOOTSOLE, AFTERCLIFFDIVE, AFTERDOGHOUSE, AFTERGASSTATION, AFTERLASTTEAM, AFTERRICHGEAR, AFTERSHORTRUN, AFTERTANKERTRUCK, AFTERTREEFORM, AFTERWAYBACK, AFTERWINDBLOWN, AFTERYARDARM, ANCIENTBREW, APACHERIVER, ARMOREDCONDOR, ASPHALT, ATOMICCANNON, ATOMICCONDOR, ATOMICFIREBALL, ATOMICFOG, ATOMICMONKEY, ATOMICPUNCH, ATOMICSTRIKE, AZTECTOMB, BACKSNARF, BEDOUINSTRIKE, BEEFCAKE, BLACKAMETHYST, BLACKMESA, BLOODDIAMOND, BROKENTHOUGHT, BULLETTOOTH, CAFFEINECRASH, CHOCOLATESHIP, COBALTGUPPY, COCOAMELTDOWN, CRISPWARE, CRYPTICSENTINEL, CUDDLYBADGER, CYBERQUEST, CYGNUSOLOR, DANDERSPRITZ, DARKFIRE, DARKHELMET, DARKINTENT, DARKRAVEN, DARKRAZOR, DARKSCREW, DARKTHUNDER, DEADDRUMMER, DEPUTYSHIP, DETASSELJANICE, DIRTDIVER, DISTORTAFFECT, DOUBLETAP, DRINKMINT, DRINKMINT_AA, DRUMBEAT, EDITIONHAZE, EFFABLELAMBDA, ELECTRONSWORD, EMPTYMOCHA, FIREBRUSH, FIREEATER, FIRESWAMP, FOXACID, FOXBASE, FRANTICDANCER, FREEACIDRAIN, FREEAIRFARE, FREEARCADEZONE, FREEBACKGAMMON, FREEBADFIBER, FREEBADRENT, FREEBALLROOM, FREEBATTLEZONE, FREEBEACHTREE, FREEBIGBOSS, FREEBITTERCLOUD, FREEBLACKCLOUD, FREEBLOODYWOLF, FREEBLOWNTURBO, FREEBLUEMAT, FREEBRASSBRUSH, FREEBUTTERCLOUD, FREECANALLOCK, FREECANESUGAR, FREECATBOX, FREECEMENTBLOCK, FREECHERRYCOLA, FREECHESSBOARD, FREECLEARTAPE, FREECOLDTEA, FREECORNHUSK, FREECORNMAZE, FREECREEKMOOR, FREECRUSHEDDISK, FREEDARKSUIT, FREEDATALOSS, FREEDEADBATTERY, FREEDETOURSIGN, FREEDITRYTRICK, FREEDISCOVERY, FREEDISKBRAKE, FREEDOGCRATE, FREEDOMECUPOLA, FREEDOVETAIL, FREEEMUFARM, FREEENERGYTAX, FREEFAMILYTIE, FREEFASTCAR, FREEFIBERBOARD, FREEFILEDELETE, FREEFLATFIBER, FREEFLOWCHART, FREEFLOWERPEOPLE, FREEFRIEZEFRESCO, FREEGEMSTONE, FREEGLASSTUBE, FREEGLUESTRIP, FREEHAVEFUN, FREEHOMEBASE, FREEHOOKHANDLE, FREEHOOPDREAM, FREEJETFUEL, FREEKIDPOOL, FREEKINGSPAWN, FREEKNOCKOUT, FREELANDLINE, FREELEADSHOT, FREELEADSINGER, FREELIFERAFT, FREELIKESAME, FREELINEDOWN, FREELOLLYPOP, FREEMARBLEBASIN, FREEMETALCRATE, FREEMETALFILE, 
FREEMETALSHARD, FREEMINETUNNEL, FREEMINTJELLY, FREENAVYBLUE, FREENIGHTTRAIN, FREEOBLIQUECASE, FREEOILLEAK, FREEOILPAINT, FREEOLDBIKE, FREEOUTRUN, FREEPAINTBALL, FREEPICKLEBRINE, FREEPINEPLANK, FREEPLASTICCASE, FREEPONGPLAYER, FREEPOSTMARK, FREEPOWERFAILURE, FREEPUFFYCLOUD, FREEPULLCHAIN, FREERAINCLOUD, FREERAVENTICKET, FREEREDBEER, FREEREDERASER, FREEREDMARKER, FREEREDSHIRT, FREEREDSTAIN, FREERIDEAROUND, FREERIGHTWHALE, FREERIPPINGBLADE, FREEROCKSONG, FREESAFEKEY, FREESALTTRUCK, FREESASHCORD, FREESCHOOLLOCKER, FREESCREENDOOR, FREESEADADDY, FREESHORTCARD, FREESHORTPASS, FREESINEWAVE, FREESLOWFAST, FREESMALLSPACE, FREESMOKESCREEN, FREESNOWCLOUD, FREESNOWSHOVEL, FREESPACEFLIGHT, FREESPEEDTRAP, FREESTATEWARD, FREESTONESHIP, FREESTORAGEROOM, FREETANKSTAND, FREETESTSHEET, FREETHUNDERCLOUD, FREETICKETBOOTH, FREETIMELEGEND, FREETIMESHARE, FREETINYTANK, FREETRICKYKICK, FREETROUTSTREAM, FREETRUEPINBALL, FREETWINBEE, FREEVINYLMESH, FREEWARRIORPAINT, FREEWATERBED, FREEWATERGLASS, FREEWATERTANK, FREEWATERTOWER, FREEWAVECREST, FREEWAYPOINT, FREEWHEELCOVER, FREEWHEELNUT, FREEWINDCLOUD, FREEWINDSHEAR, FREEWOODENSTICK, FURRYEWOK, GMPLACE, GOODMONKEY, HAMMERBROTHERS, HASTYCOBRA, HORSEWRAP, ICEBLOCK, IMPUREHOLSTER, INDEPENDENCEPIE, JAVAFRESCO, JEALOUSJOKER, JEEPFLEA, JEEPFLEA_MARKET, KIDSHIP_AA, KOOPATROOPA, KUKRISTEEL, LIQUIDSTEEL, LUTEUSASTRO, MAGNUMOPUS, MAGNUMOPUS_CC, MAXRANKLE, MICEFUR, MIDNIGHTSCORPION, MILKSTEAK, MIRACLEMAX, MUSHROOMKINGDOM, NAPALAN, NATIVEFLORA, OBSCUREBLAZE, OFFICELINEBACKER, OFFICEQUARTERBACK, OPTIMUSPRIME, PARLAYBUFFET, PHANTOMSTARFISH, PLUMREVOLVER, PRETZELDOG, QUANTUMBISCUIT (QBISCUIT), QUANTUMDIRK (QDIRK), ROLLEDHAT, SANDPALACE, SCARFSLOOP, SHADYNINJA, SHAKEWEIGHT, SHATTEREDSHIELD, SILENT_TONGUES, SILLYBUNNY, SILVERJUMP, SKYJACKBRAD, SLYNINJA, SLYSNOW, SLYWIZARD, SNAPKEY, SPARTANFURY, SPIKEYFARM, SPINALTAP, STARPROC, STEELSKY_DELTA, STEELSKY_ECHO, STEELSKY_FOXTROT, STEELSKY_GOLF, STONEHENGE, STRAITLACED, SWITCHDOWN_IR_AW, SWITCHDOWN_IR_BR, 
SWITCHDOWN_IR_CD, THIEVESQUARTER, TOADYTEAL, TOTALDAGGER, TOXICSNOW, TROPICALSTORM, UMBRAGESPIDER, UNITEDRAKE, UPPERMUTANT, VALIDATOR, VEILEDMAGIC, WATERCASKET, WATERWINGS, WAXCHIP, WHIZBANG, WICKEDAMP, WILDCHOCOBO, WITHEREDFRUIT, WOLFACID_ANISE, WOLFACID_ARGON, WOLFACID_BARIUM, WOLFACID_CHILI, WOLFACID_IODINE, WOLFACID_IRON, WOLFACID_JUPITER, WOLFACID_LEAD, WOLFACID_PRECIOUS, WOLFACID_TIN, WOLFACID_URANIUM, WOLFACID_ZINC, XKEYSCORE (XKS), YELLOWFAN

Computer Network Operations – GENIE

Summary: This document provides an overview of the budget for the GENIE program and justifies modifications to the NSA’s budget requisitions pursuant to GENIE. GENIE is a project that underpins the NSA’s Computer Network Operations (CNO) endpoint capabilities that are conducted by the Tailored Access Operations (TAO) group. GENIE is focused on the endpoints — such as laptops, mobile devices, routers, and servers — that are targeted and exploited using either virtual or physical access to create and sustain a presence inside of targeted systems or facilities. Data is often exfiltrated either directly or by being shaped towards midpoint collection facilities (i.e. towards passive collection systems).

GENIE methods provide a range of actors with information they might otherwise not be able to access. These groups include law enforcement, military, and other customers, who are provided with geolocation, lead information, target access, and unique technical services. Because of the rate of technological innovation, regular work must be done to keep abreast of contemporary defensive tools and methods implemented by software and hardware developers. Though largely left undescribed, GENIE would become reliant on VALIANTEAGLE, which is itself a “major system acquisition that will incrementally provide more efficient planning, management, and execution CNO to suppose a growing and diverse Computer Network Exploitation (CNE), Computer Network Defence (CND), and Computer Network Attack (CNA) requirements.”

Much of the document outlines how, and why, GENIE is needed and what costing is being adjusted for the 2013 budget cycle. Requirements include improving or maintaining the ability to engage in endpoint operations with other members of the intelligence community, such as the FBI and CIA, as well as developing ways of shaping traffic from endpoints to middle points for collection, defending endpoints against other actors, developing, deploying, and sustaining CNO access to Pakistan and Afghanistan leadership, keeping pace with terrorists’ communications technologies, developing more persistent endpoint implants, improving reporting that emerges from implanted endpoints, and more.

Document Published: January 17, 2015
Document Dated: 2012
Document Length: 9 pages
Associated Article: The Digital Arms Race: NSA Preps America for Future Battle
Download Document: Computer Network Operations - GENIE
Classification: TOP SECRET//SI/TK//NOFORN
Authoring Agency: NSA
Codenames: GENIE, TURBULENCE, VALIANTEAGLE

2014

SID Today: SIGINT Strategy Threads 4 and 7

Summary: This SID Today document discusses how widely available and commercially affordable encryption has come to be used by everyone, whereas in the past encrypted communications were likely to contain foreign intelligence because developing or implementing communications encryption was expensive and resource intensive. The NSA was addressing the challenges posed by encryption, with the developed capabilities being contained within the BULLRUN Community of Interest. Two specific sessions that pertained to defeating encryption, and which were advertised in the document, were “Countering the effects of strong commercial webmail encryption used by CT targets” and “Virtual Private Networks” (2).

This SID Today document was also part of a series on SIGINT strategy threads. Other threads included: analytic modernization and the information space; analyst-facing deliverables, midpoint injection, and mainstream shaping.

Document Published: December 28, 2014
Document Dated: September 14, 2011
Document Length: 3 pages
Associated Article: Inside the NSA's War on Internet Security
Download Document: SID Today: SIGINT Strategy Threads 4 and 7
Classification: TOP SECRET//SI//REL TO USA AUS CAN GBR NZL
Authoring Agency: NSA
Covernames: BULLRUN

User’s Guide for PRISM Skype Collection

Summary: This document describes how to task Skype selectors for PRISM and where to locate Skype PRISM data, and provides answers to miscellaneous issues. Skype collection into PRISM began in February 2011, with audio collection taking place in situations where one end of the call used the Skype application and the other(s) used landlines or cell phones. In July 2011 collection expanded to include peer-to-peer Skype application communications, including “a mixture of audio, video, chat, and file transfers” (1). Selectors could be used for surveillance using the Unified Targeting Tool (UTT), but not for stored communications or search.

Analysts use the ‘SkypeUser’ selector to target communications, though they can use DECODEORDAIN if needed to link the account’s skypeMailToken to the corresponding email address. Data collected under PRISM could be located in a number of collection repositories, including PINWALE (text and video content), MARINA, DECODEORDAIN (general Skype, Skype webcam, Skype chat, or raw selector information), or NUCLEON (audio content).

At the time, the NSA encountered several challenges in its collection against Skype. Users with long usernames could be difficult to find in NUCLEON due to length limitations in NUCLEON itself, and large files may not have been fully collected when they were transferred. Sometimes too few frames of a video chat were captured to present analysts with a video feed in PINWALE. Timestamp problems associated with collection, as well as with user behaviours, could also present analysts with confusing times and dates for collected communications.

Document Published: December 28, 2014
Document Dated: August 2012
Document Length: 9 pages
Associated Article: Inside the NSA's War on Internet Security
Download Document: User’s Guide for PRISM Skype Collection
Classification: TOP SECRET//COMINT//NOFORN
Authoring Agency: NSA
Covernames: DECODEORDAIN, MARINA, NUCLEON, PINWALE, PRINTAURA, PRISM

TURMOIL/APEX/APEX High Level Description Document

Summary: This document outlines future plans to obtain information from implanted routers and automate and scale access to VPN, VoIP, and dataflow processes. APEX describes the cross-organizational effort to achieve the capability of shaping TAO active collection from routers implanted with HAMMERMILL (and with HAMMERCHANT or HAMMERSTEIN modules) to TURMOIL, which is a midpoint passive collector. The end state of APEX was to do the following. 

First, achieve the real-time exfil of HAMMERMILL active collection and direct it to a TURMOIL passive collector that could recognize, unwrap the packets from the TAO protocol (i.e., FASHIONCLEFT), and restore the packets to their original state. Second, to perform processing and forwarding of the unwrapped content to data repositories, and optionally perform further target identification and traffic selection in TURMOIL. Third, to engage TURBULENCE storage and analytic processes for delivery of content to analysis. Fourth, to enable TURBINE dynamic control of HAMMERMILL and TURMOIL, so as to allow for near real-time implant tasking on feedback from TURMOIL (TURMOIL/APEX/APEX High Level Description Document, 2). The effect would be to access two sides of IKE exchanges (TURMOIL/APEX/APEX High Level Description Document, 3).

The document provides details for each stage of the process involved in APEX, including in-depth discussions of HAMMERMILL and its modules, the FASHIONCLEFT protocol that is used by HAMMERMILL (and other TAO implants) to deliver collected data to TAO common data receptors, as well as existing and planned capabilities for TURMOIL, TURBINE (responsible for command and control of covert implants, including enabling automated workflows), and METROTUBE VPN analytics, which are then ingested by TOYGRIPPE. Also included are details about the present, and planned, operational capacities for APEX command and control development, APEX application development associated with VPNs, VoIP, and dataflows, as well as the minimal goals for future development phases.

Document Published: December 28, 2014
Document Dated: Undated
Document Length: 12 pages
Associated Article: Inside the NSA’s War on Internet Security
Download Document: TURMOIL/APEX/APEX High Level Description Document
Classification: TOP SECRET//SI//REL TO USA, FVEY
Authoring Agency: NSA
Covernames: APEX, CHIMNEYPOOL, CONVEYANCE, FASHIONCLEFT, HAMMERCHANT, HAMMERMILL, HAMMERMILL 2.0, HAMMERMILL 2.5, HAMMERSTEIN, ISLANDTRANSPORT, KEYCARD, METROTUBE, PRESSUREWAVE, TOYGRIPPE, TURBINE, TURBULENCE, TURMOIL

What Your Mother Never Told You About SIGDEV Analysis

Summary: This slide deck is part of a presentation intended to explain VPN-related signals development activities by walking an analyst through available tools and how to string them together to conduct signals development operations against routers and their associated VPN networks. 

It begins by explaining numerous tools which are available to conduct SIGDEV, including BLACKPEARL, TOYGRIPPE, and XKEYSCORE, as well as DISCOROUTE to generate VPN reports. 

DISCOROUTE is used to acquire, parse, database, and display configuration files from network devices, including those made by Huawei, Juniper, and Cisco; it lets analysts “mine device configs for SIGDEV discovery” (9). DISCOROUTE outputs also denote whether TAO has a presence on the targeted router, whether it is a multihop router (one that an administrator telnetted into and then telnetted onward from to another device), and the associated cryptographic keys. This cryptographic information includes the pre-shared keys for Cisco, Huawei, or Juniper routers.

In addition to DISCOROUTE searches, analysts could use BLACKPEARL. This was a tool that enabled the automated linking of DNI information and network characterization against survey collection across the SIGINT system. It could produce reports about VPNs, DNI access essential information, MPLS reports, as well as five-tuple reports. BLACKPEARL could be used for finding access or gathering information on a network an analyst was assessing.

Another repository that could be used was TOYGRIPPE, which was a VPN metadata repository. It could present endpoint IP addresses that, once known, could be used to search in DISCOROUTE for device information or in BLACKPEARL for inner tunneled IP addresses. 

RONIN was a device characterization database and one of the enrichments of the NSA’s Network Knowledge Base (NKB), which held server analytics (e.g., VPNs identified through application layer information in ASDF), VPN analytics (e.g., endpoints in TOYGRIPPE), and router configuration information.

Finally, GNETWORKGNOME was used to extract and correlate information from a variety of databases, including metadata databases, such as NAC, SSG, SSO, and NTOC. 

Document Published: December 28, 2014
Document Dated: Later than March 13, 2012
Document Length: 63 pages
Associated Article: Inside the NSA’s War on Internet Security
Download Document: What Your Mother Never Told You About SIGDEV Analysis
Classification: TOP SECRET // COMINT // REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Covernames: BLACKPEARL, DISCOROUTE, GNETWORK GNOME, RENOIR, RONIN, ROYALNET, TOYGRIPPE, XKEYSCORE

Analytic Challenges from Active-Passive Integration

Summary: This slide deck by the NSA’s Information Technology Directorate (ITD) outlines a problem facing analysts: data is being actively shaped by implants so that it subsequently passes either across TURMOIL passive collection sites or directly to Tailored Access Operations (TAO) collection systems. The result is that the exfiltrated data is associated with a pair of case notations, from the active and passive collection, which hinders analysts’ ability to ascertain where the data is from and to correlate data across the NSA’s databases. The slide deck discusses this challenge using the example of implanting routers and endpoints, with either the implant or the passive collector being responsible for selecting relevant traffic, and with the passive collection site attempting to decrypt targeted VPN traffic. The slide deck concludes by raising questions for analysts and the parties developing the databases they depend on: how should the NSA consistently label collected information, what do analysts need, and how can data be labelled consistently across the entire enterprise (as opposed to on an individual and ad hoc basis)?

Document Published: December 28, 2014
Document Dated: Post-2007
Document Length: 13 pages
Associated Article: Inside the NSA's War on Internet Security
Download Document: Analytic Challenges from Active-Passive Integration
Classification: TOP SECRET // COMINT // REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: APEX, BRAVENICKEL, HAMMERMILL, HAMMERSTEIN, HAMMERSTONE, MARINA, METAWAVE, METROTUBE, PRESSUREWAVE, TOYGRIPPE, TURMOIL, TURBULENCE

SID Today – Site Makes First-Ever Collect of High-Interest 4G Cellular Signal

Summary: This short document mentions a joint effort by various NSA employees in mid-January 2010 at an NSA collection site known as RAINFALL. The effort in question successfully collected data from Time Division-Long Term Evolution (TD-LTE) 4G cellular signals, which was believed to be the first time such a collection had occurred. 4G is further described as “very high priority” for the NSA and the Intelligence Community, as the new cellular system was to “become globally important by 2012.”

Document Published: December 4, 2014
Document Dated: February 23, 2010
Document Length: 1 page
Associated Article: Operation AURORAGOLD: How the NSA Hacks Cellphone Networks Worldwide
Download Document: SID Today - Site Makes First-Ever Collect of High-Interest 4G Cellular Signal
Classification: TOP SECRET // SI / TK // REL TO USA AUS CAN GBR NZL
Authoring Agency: NSA
Codenames: RAINFALL (F78)

IR.21 – A Technology Warning Mechanism

Summary: This slide deck from the 2010 SIGINT Development Conference (SDV) discusses how and why the NSA sources GSM Association (GSMA)-mandated international roaming agreements between mobile phone companies, known as IR.21. These IR.21s enabled the NSA to determine trends in, and estimate forecasts for, mobile technology. For example, IR.21s provided insight into how the technology is evolving in various regions and how this might be used by targets, and further helped to reveal what the SIGINT threat posed by evolving technologies might be. IR.21 documents also helped the NSA understand what vulnerabilities existed within the current technology, as well as how to discover vulnerabilities or introduce new vulnerabilities where they did not previously exist. Notably, a slide focused on geopolitical regions and targets in the context of effective forecasting (page 4) includes bullet points about finding, or introducing, vulnerabilities in mobile infrastructures for later exploitation. 

IR.21s were considered a classified source that were fed into the AURORAGOLD repository for analysis. An overview of the data flow and process for AURORAGOLD is provided, which shows the path of different data sources to prepare them for visualization. 

In the future, the NSA hoped to make information from classified datasets (i.e., based on IR.21 sourcing) available to the SIGINT production chain, and the visualization of this information available to all authorized users rather than only to “appropriately cleared users” as was the case at the time. The NSA also sought to improve the usability and traceability of the IR.21 AURORAGOLD data, and was seeking further partnerships. Furthermore, the NSA sought to measure whether or not it covered all 3GPP networks.

Document Published: December 4, 2014
Document Dated: 2010
Document Length: 19 pages
Associated Article: Operation AURORAGOLD: How the NSA Hacks Cellphone Networks Worldwide
Download Document: IR.21 - A Technology Warning Mechanism
Classification: TOP SECRET//COMINT//REL TO USA, FVEY
Authoring Agency: NSA
Codenames: AURORAGOLD, CAMEL (CAMEL4), RONIN, SCORPIOFORE, TAPERLAY

AURORAGOLD Target Technology Trends Center/TC3 Support to WPMO

Summary: This slide deck provides an overview of the data flows associated with AURORAGOLD, an NSA project which gathered data and analytics on global GSM and UMTS (cellphone) networks. The efforts to gather this data were automatically minimized so as to comply with NSA reporting requirements.

Data sources for AURORAGOLD included the World Cellular Information Service (WCIS), the International Telecommunications Union (ITU) ops bulletin, and IR.21 international roaming agreements—only the latter of which was noted as a classified data source. 

In the future, the NSA hoped to add additional fields and sources, as well as to develop entity normalization, complex analytics, advanced auto-sourcing, and visualizations to enable time-series analyses. It noted that there were two risks to AURORAGOLD: one related to data sources and ingest, and the other to extending the capability to encompass other wireless technologies.

Document Published: December 4, 2014
Document Dated: Undated
Document Length: 6 pages
Associated Article: Operation AURORAGOLD: How the NSA Hacks Cellphone Networks Worldwide
Download Document: AURORAGOLD Target Technology Trends Center/TC3 Support to WPMO
Classification: S//SI//REL TO USA, FVEY
Authoring Agency: NSA
Codenames: AURORAGOLD, RONIN, SCORPIOFORE

AURORAGOLD Working Aid

Summary: This document is a working aid for AURORAGOLD operations. AURORAGOLD activities included: maintaining a database of Mobile Network Operators (MNOs), networks, and PWIDs collected from international roaming documents (IR.21s); targeting working groups of MNOs, roaming hubs, and of the GSM Association (GSMA); and merging open-source, licensed, commercial data with SIGINT to address wireless demands.

The working aid lists both sample SIGINT (IR.21) queries and sample open-source (licensed commercial data) queries. The last two slides of the document list several IR.21 fields that are useful to SIGINT. Specifically, it discusses Mobile Country Code (MCC)/Mobile Network Code (MNC); Mobile Subscriber Integrated Services Digital Network Number (MSISDN); TADIG codes; Signalling Connection Control Part (SCCP); Subscriber Identity Authentication; Mobile Application Part (MAP); Network Element Information; and Packet Data Services Information.

Document Published: December 4, 2014
Document Dated: May 17, 2012
Document Length: 4 pages
Associated Article: Operation AURORAGOLD: How the NSA Hacks Cellphone Networks Worldwide
Download Document: AURORAGOLD Working Aid
Classification: SECRET//SI//REL TO FVEY
Authoring Agency: NSA
Codenames: AURORAGOLD

AURORAGOLD Working Group

Summary: This slide deck was presented at the 2012 signals development (SIGDEV) conference. It explains the AURORAGOLD (AG) project for gathering data from global mobile phone networks—including its value, targeting efforts, successes, and plans for the future. AURORAGOLD’s “value proposition” was to offer primary source information pertaining to mobile networks, as well as to provide firsthand insight into upcoming changes to standards and practices within the industry.

As of May 2012, analysts from NSA’s Target Technology Trends Center (T3C) unit had access to data from 701 mobile networks (out of an estimated 985 globally) and also had access to information directly from Mobile Network Operators (MNOs). Graphics indicate that the NSA discovered virtually all of the 701 mobile networks during the November 2009 to May 2012 period.

Also in May 2012, the T3C analysts had a comprehensive list of 1,201 actively-managed email selectors pertaining to IR.21 (international roaming documents). By monitoring the GSM Association (GSMA), the NSA was able to gauge changing practices and standards for roaming, signalling, billing, and interoperability.  The NSA expected that email was likely to “give way” to SSL sessions to centralized servers to process the next generation Roaming Agreement EXchange (RAEX), which would make SIGINT access more challenging while also increasing the value of SIGINT and making it “easy” to use automated analytics on the captured data. 

As a case of AURORAGOLD use, the document provides an example operation conducted with the U.S. Army’s African Command (AFRICOM) against Libyan mobile phone companies Libyana Mobile and Madar Al Jadida. Notable successes of AURORAGOLD, at the time of writing, included characterizing IR.21 collection from 67 high-priority networks, obtaining recent Egyptian IR.21s, assessing possible new Chinese networks’ IR.21s, working towards commercial sharing of licensed commercial data (e.g., WiMAX data), and generally reporting on GSMA standards and practices. Future plans included ingesting RAEX IR.21 to facilitate querying about LTE, technologies and equipment, and frequencies, as well as modifying the AURORAGOLD interface to enable “SIGINT production chain access for querying and trending.” A world map marked as “TOP SECRET” (page 24) indicates that the NSA had varying degrees of “network coverage” in almost all countries—although it also indicates that there had been no significant analysis of Canadian mobile telecommunications infrastructure at the time the document was produced.

Document Published: December 4, 2014
Document Dated: June 6, 2012
Document Length: 26 pages
Associated Article: Operation AURORAGOLD: How the NSA Hacks Cellphone Networks Worldwide
Download Document: AURORAGOLD Working Group
Classification: TOP SECRET//SI//REL TO FVEY
Authoring Agency: NSA
Codenames: AURORAGOLD, GLOBALTIPPER (GT), JUBILEECORONA, PINWALE, RONIN

AURORAGOLD

Summary: These slides provide an overview of the AURORAGOLD (AG) project. The mission of AURORAGOLD was to “maintain data about international GSM/UMTS networks for the Wireless Portfolio Program Office (WPMO), the Target Technology Trends Center (T3C/SSG4), and their customers.” The data gathered for AURORAGOLD helped the NSA to understand the current state of global cellphone networks, conduct trending and time-series analysis, and forecast the evolution of GSM/UMTS networks.

Analysis and developmental activity related to AURORAGOLD data was, at the time, focused solely on GSM/UMTS infrastructure, voice-data convergence, UMTS technology migration, and UMTS technology deployments. Data from AURORAGOLD was shared with other NSA and U.S. intelligence community entities, as well as with other Five Eyes partners.

AURORAGOLD was intended to obtain a replica of the World Cellular Information Service (WCIS) database, as well as SIGINT-collected IR.21 documents that included email selectors as well as metadata obtained using SIGINT, so as to enhance subsequent collection. 

The AURORAGOLD repository listed information on: networks and suppliers, handsets and devices, network features, network coverage, licenses, and license spectrum. At the time, there existed only a capability to query against a small portion of the World Cellular Information Service (WCIS) database.

Document Published: December 4, 2014
Document Dated: 2011 or later
Document Length: 4 pages
Associated Article: Operation AURORAGOLD: How the NSA Hacks Cellphone Networks Worldwide
Download Document: AURORAGOLD
Classification: SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: AURORAGOLD (AG), GOLDENCARRIAGE, OZONE

Sharing Computer Network Operations Cryptologic Information With Foreign Partners

Summary: This NSA document indicates some NSA cooperation with other nations’ military and intelligence organizations. The policy document applies to sharing computer network exploitation and computer network defence information between intelligence agencies, such as the CSE, as well as to sharing cryptologic information with other militaries. Canada is listed as one of the “Tier A: Comprehensive Cooperation” partners along with Australia, New Zealand, and the United Kingdom.

Document Published: October 30, 2014
Document Dated: (Unknown, perhaps Nov 2004 - Jan 2007 based on declassification date)
Document Length: 2 pages
Associated Article: El CNI facilitó el espionaje masivo de EEUU a España (ES) // Spain colluded in NSA spying on its citizens, Spanish newspaper reports
Download Document: Sharing Computer Network Operations Cryptologic Information With Foreign Partners
Classification: SECRET//COMINT//NOFORN//20291123
Authoring Agency: NSA
Codenames: None

SENTRY EAGLE – National Initiative — Security Framework

Summary: This PowerPoint presentation gives an outline of what types of information would be accessible to which parties involved in the SENTRYEAGLE program. SENTRYEAGLE is a national initiative designed to protect US government systems using Computer Network Defense, Exploitation, and Attack capabilities.

Document Published: October 10, 2014
Document Dated: November 23, 2004
Document Length: 3 pages
Associated Article: Core Secrets: NSA Saboteurs in China and Germany
Download Document: SENTRY EAGLE - National Initiative — Security Framework
Classification: TOP SECRET//COMINT//NOFORN
Authoring Agency: NSA
Codenames: SENTRYCONDOR, SENTRYEAGLE, SENTRYFALCON, SENTRYHAWK, SENTRYOSPREY, SENTRYOWL, SENTRYRAVEN

National Initiative Protection Program – Sentry Eagle

Summary: This draft document outlines a series of operations the National Security Agency (NSA) carried out in order to provide defensive services to the United States government. SENTRYEAGLE is the covername for all of the associated efforts, with the others in the ‘SENTRY’ series capturing particular efforts that are involved in the defensive activities. As an indoctrination document, or a document which explains what an individual is being read into, it clarifies how sensitive different components of each compartment are: while it might be permissible to state in official (non-classified) situations that the NSA keeps abreast of new technologies, it would be Exceptionally Controlled Information (ECI) that the NSA has contractual relationships with commercial entities to conduct SIGINT enabling operations and programs. 

The NSA describes the facts in this document as constituting “a combination of the greatest number of highly sensitive facts related to the NSA/CSS’s overall cryptologic mission” and that disclosing SENTRYEAGLE information to non-indoctrinated persons may result in criminal prosecution. SENTRYEAGLE’s compartmentalized program is related to other ECIs, including: SPARECHANGE, WHIPGENIE, AUNTIE, AMBULANT, OPALESCE, REVELRY, and REFRACTOR. Some aspects of the program may be shared with second or third-parties.

SENTRYOWL details the NSA’s relationships with industry, including that industry partners enable the NSA’s SIGINT operations, that certain industry partners work with the NSA to make their products and devices exploitable for SIGINT, and that industry partners make available worldwide metadata and content that is transiting the United States or is accessible via international mediums provided by US entities. SENTRYCONDOR focuses on the NSA’s assistance to the Department of Defence for computer network attack (CNA) operations. SENTRYRAVEN concerns the exploitation of enciphered communications, including specifically supercomputers and special purpose hardware used to crack foreign ciphers. SENTRYRAVEN also covers the NSA’s work with certain US manufacturers to modify US-manufactured encryption systems to make them exploitable to SIGINT, and heavy investment into special purpose computer systems to attack commercial encryption.

SENTRYHAWK pertains to Computer Network Exploitation (CNE) operations. Only some activities are classified as ECI, including: the fact that NSA attempts to (or succeeds in) exploiting vulnerabilities within targets’ IT infrastructure; facts about CNE operations that include command, control, and exfiltration of data; facts about NSA collaboration with US and foreign commercial entities for CNE; and facts about NSA’s access to non-US worldwide cable/fibre optic structures. SENTRYFALCON focuses on computer network defense, and includes the NSA’s activities to determine intruder attribution, facts related to NSA’s efforts to deceive network users, and facts about the NSA’s attempts to redirect network data. SENTRYOSPREY concerns the NSA’s relationships with human intelligence, such as countries that employ national clandestine service (NCS) capabilities and facts about the assets and agents (covert or undercover) and their targets, locations, IT sites, and the specific operations and techniques they use to exploit targets.

Document Published: October 10, 2014
Document Dated: November 23, 2004
Document Length: 13 pages
Associated Article: Core Secrets: NSA Saboteurs in China and Germany
Download Document: National Initiative Protection Program - Sentry Eagle
Classification: TOP SECRET//COMINT//NOFORN
Authoring Agency: NSA
Codenames: AMBULANT, AUNTIE, OPALESCE, REFRACTOR, REVELRY, SENTRYCONDOR (SCR), SENTRYEAGLE (SEE), SENTRYFALCON (SFN), SENTRYHAWK (SHK), SENTRYOSPREY, SENTRYOWL (SOL), SENTRYRAVEN (SRN), SPARECHANGE, WHIPGENIE

Exceptionally Controlled Information (ECI) Compartments

Summary: This document includes lists of ECI names, their Trigraph (i.e. three-letter acronym), and the organization which controls the given name. 

Document Published: October 10, 2014
Document Dated: January 2013
Document Length: 4 pages
Associated Article: Core Secrets: NSA Saboteurs in China and Germany
Download Document: Exceptionally Controlled Information (ECI) Compartments
Classification: CONFIDENTIAL//REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: AMBULANT (AMB), APERIODIC (APR), AUNTIE (AUN), BLACKANT (BAT), BLACKAXE (BAX), BLACKBALL (BKL), BLACKCLOUD (BCL), BLACKHOLE (BLH), BLACKJACK (BKJ), BLACKTIE (BKT), BLACKVULTURE (BVE), BLACKWIDOW (BKW), BOXWOOD (BXD), CELESTIALGLOBE (CLG), CHIEFDOM (CFD), CLICKUMBER (CKU), CRIMSONREGENT (CSG), CRIMSONSTEAL (CSL), CRUMPET (CRM), DECKSTOP (DKP), DEVILFISH (DVF), DIXIESPRING (DXS), DOMINATE (DOM), FASTIDIOUS (FDS), FIRESCREEN (FRE), FIRSTDOWN (FRS), FISSURESALUTE (FST), FLYLEAF (FLE), FORBIDDEN (FBD), FORBORNE (FBR), FOXHEAT (FXH), FREELUNCH (FLH), FROTHYTWOPACK (FTP), FURTIVERELIANCE (FUR), GOLDENCALF (GDC), HELLFIRE (HLF), HISTORY (HST), HYSSOP (HYS), INVEIGH (INV), KESSELRUN (KES), LIGHTNINGTHIEF (LTF), LITTLECROWN (LCN), LONGSERPENT (LGS), MAGICSTROKE (MGK), MERCURYTAO (MYT), MUSICBOX (MBX), NITEHAWK (NHK), OCELLUS (OCL), PAINTEDEAGLE (PEA), PAWLEYS (PAW), PAWNSHOP (PWN), PENDLETON (PEN), PENDRAGON (PND), PERKYAUTUMN (PRK), PHENYLDOUR (PHD), PICARESQUE (PIQ), PICAROON (PCR), PIEDMONT (PIE), PITCHFORD (PIT), PLACEBO (PLC), POMPANO (POM), PRESSURETWIN (PTN), REDHARVEST (RDV), REEFPOINT (RFT), REFRACTOR (RFR), REVELRY (RVL), RIVERROAD (RVD), RUBIOUS (RBI), SAILWINDS (SLD), SCABBARD (SBD), SILVERCLOUD (SVC), SINKGOAL (SKG), STAIRWELL (STA), STARCHART (SRC), SUITESWIVEL (STV), TRICKSHOT (TST), WAXOFF (WXF), WHIPGENIE (WPG)

Classification Guide for ECI WHIPGENIE

Summary: This document provides guidance for how to classify different aspects of the Exceptionally Controlled Information (ECI) WHIPGENIE program. This covername applies to the relationships between U.S. corporate partners and the NSA. 

The guidelines reveal that WHIPGENIE involves cable collection of domestic traffic, and classifies most highly (NOFORN) any situation where a specific special source partner would be revealed by name. The FBI is involved in compelling information from, as well as facilitating cooperative relationships with, ‘partners’. One of these partners, FAIRVIEW (AT&T) has a European collection site and another, STORMBREW (Verizon), is active in the Middle East. The document highly classifies any information pertaining to the region/country of a collection site, and even more highly (NOFORN) any information that provides WHIPGENIE access and/or collection by a specific entity. As an example, this would include the street address of BLARNEY covert sites. 

Though the fact that there are a variety of techniques associated with WHIPGENIE is unclassified, all the actual types of techniques are classified. These include ‘unconventional’ collection techniques such as cable taps or switch operations, information about the scope of information collected by different types of WHIPGENIE operations (e.g., that these programs collect plaintext and encrypted facsimiles, printer and voice, when they are transmitted over cable), the specific methods, tools, or devices which filter communications, and information concerning the cost of individual items linked to WHIPGENIE programs or that would reveal the technical characteristics of any WHIPGENIE program.

The fact that raw intercepts are performed is not classified as highly as the fact that Foreign Intelligence Surveillance Act (FISA) warranted collections take place and which are targeted towards domestic providers. The outputs of such interceptions, including verbatim transcripts, both processed and unprocessed, minimized and unminimized, are highly classified. Any revelations of the targets of WHIPGENIE collection are classified TOP SECRET // COMINT at a minimum, and could include specific phone numbers, email addresses, agents of a foreign power, or NGO headquarters. Any survey information that would reveal the special source operations (SSOs) involved, i.e., partners’ identities, is classified at the ECI level.

Both the fact that domestic information is collected, and the fact that the collection occurs under FISA orders, are classified at TOP SECRET // COMINT.

Document Published: October 10, 2014
Document Dated: May 21, 2004
Document Length: 7 pages
Associated Article: Core Secrets: NSA Saboteurs in China and Germany
Download Document: Classification Guide for ECI WHIPGENIE
Classification: TOP SECRET // COMINT // REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: BLARNEY, FAIRVIEW, PLUS YELLOWSTONE, POWERPLANT, RAGTIME (RGT), STORMBREW, TUMBRIL, WEALTHYCLUSTER, WHIPGENIE (WPG)

Sharing Communications Metadata Across the U.S. Intelligence Community – ICREACH

Summary: This briefing document outlines the NSA’s plans to expand how metadata is shared across the Intelligence Community (IC) and, potentially in the future, with Second Parties (i.e. Five Eyes countries). The intent of doing so is to both implement recommendations from the 9/11 Commission to better share information across the IC and, in the process, expand the numbers of analysts who can make use of the metadata that is accessible to the NSA. Other agencies in the IC may also share information, as may Second Parties. At the time of writing only GCHQ was sharing metadata in bulk with the NSA, while the CSE, DSD, and GCSB were ‘in development.’ 

The metadata to be shared included telephony and digital network intelligence (DNI). ICREACH would be the NSA toolkit that would permit federated query searches across all parties’ datasets in order to link telephony and DNI information, thus better identifying targets. The NSA would share audit logs with relevant auditing bodies as well as conduct its own spot audits to ensure compliance with terms of access. If the NSA discovered impropriety it would notify the appropriate agency; it would not necessarily notify auditors, though would terminate the individual’s access to the toolkit. 

The NSA would share over 850 million event records, with approximately another 1-2 billion added daily at the time of writing. At the time, existing information was stored in PROTON, and included called and calling numbers, date, time, and duration of calls. There would be an extensive listing of telephony information added — 27 total — as well as DNI information that included email addresses, chat handles, date and time, and protocols.

There was a sharp explosion in the amount of communications metadata collected by NSA in 2006 (both call events and DNI events), with amounts of data increasing significantly based on monthly totals in 2007. There is no explanation of the exponential growth of collected metadata in 2006.

Document Published: August 25, 2014
Document Dated: May 15, 2007
Document Length: 36 pages
Associated Article: The Surveillance Engine: How the NSA Built Its Own Secret Google
Download Document: Sharing Communications Metadata Across the U.S. Intelligence Community - ICREACH
Classification: TOP SECRET//COMINT//NOFORN
Authoring Agency: NSA
Codenames: CRISSCROSS, ICREACH, PROTON, SCORECARD, SEARCHLIGHT, SORTINGLEAD

NSA Intelligence Relationship with Saudi Arabia

Summary: This document codifies the NSA’s position concerning its relationship with Saudi Arabia, and specifically its Ministry of Defence Radio Reconnaissance Department (MOD RRD) and Technical Affairs Directorate (TAD). The NSA had an interest in expanding the relationship with the TAD principally to leverage Saudi Arabia’s “strategic location and unique access to communications” unavailable by other means, as well as to enable tracking of persons of mutual interest within Saudi Arabia. In turn, Saudi Arabia was motivated to gain equipment that would enhance its collection, targeting, decryption, and analysis capabilities (MOD RRD). The NSA consented to provide sensitive source collection capability to the TAD, as well as a “sensitive decryption service” to the Ministry of the Interior against terrorist targets of mutual interest.

The NSA recognizes that the relationship has been complex and challenging, and that though it was going through a period of rejuvenation the Agency’s hesitance to reveal sensitive SIGINT equities, along with differences in strategic direction, could cause tension in the relationship. The NSA also planned to work with the CIA’s head of station to protect unilateral HUMINT assets from scrutiny. 

Document Published: July 25, 2014
Document Dated: April 8, 2013
Document Length: 4 pages
Associated Article: The NSA's New Partner In Spying: Saudi Arabia's Brutal State Police
Download Document: NSA Intelligence Relationship with Saudi Arabia
Classification: S//SI//REL TO USA, SAU
Authoring Agency: NSA
Codenames: None

FISA Recaps (Snippet)

Summary: This document shows what a spreadsheet containing information about persons targeted under the Foreign Intelligence Surveillance Act (FISA) looks like. All examples were created between 2006 and 2007 by either the NSA, CIA, or FBI. Also indicated are the status of the collection, the ‘expire date’, and the nationality of the target. The snippet notes a series of high profile persons were targeted by the FBI, including Faisal Gill, Asim Ghafoor, Agha Saeed, Nihad Awad, and Hooshang Amirahmadi.

Document Published: July 9, 2014
Document Dated: Undated; 2007 or later
Document Length: 4 pages
Associated Article: Meet the Muslim-America Leaders the FBI and NSA have been Spying On
Download Document: FISA Recaps (Snippet)
Classification: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: PALMCARTE, RAGTIME, TRAFFIC THIEF

Non-targetable 2nd Party Countries, Territories & Individuals

Summary: This NSA-published document identifies the territories that are controlled or administered by the United States, Australia, the United Kingdom, and New Zealand. Canada is noted as lacking any territories beyond its national borders. The territories controlled or administered by members of the Five Eyes intelligence network cannot be targeted by fellow members of the signals intelligence alliance.

The second page of the document juxtaposes the different signals intelligence targeting authorization requirements between the aforementioned five nations. This juxtaposition includes the CSE’s limitations in targeting nationals in Canada, nationals overseas, foreign nationals in Canada, and foreign nationals overseas. Though not included in the document, the CSE can and does target Canadians when fulfilling its mandate to assist federal law enforcement and security agencies.

Document Published: June 30, 2014
Document Dated: August 1, 2007
Document Length: 2 pages
Associated Article: Court gave NSA broad leeway in surveillance, documents show
Download Document: Non-targetable 2nd Party Countries, territories & individuals
Classification: SECRET//COMINT//REL TO USA, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: None

Special Source Operations Weekly

Summary: These two slides note that personnel at a commercial consortium discovered the presence of WHARPDRIVE, which led partner personnel (who knew about the WHARPDRIVE access point) to remove evidence and create a convincing cover story for other personnel. The partner, in light of this, requested a delay in both training and shipping.

Document Published: June 18, 2014
Document Dated: March 14, 2013
Document Length: 2 pages
Associated Article: Spying Together: Germany’s Deep Cooperation with the NSA
Download Document: Special Source Operations Weekly
Classification: TOP SECRET//SI//NOFORN
Authoring Agency: NSA
Codenames: WHARPDRIVE

TEMPORA — “The World’s Largest XKEYSCORE” — Is Now Available to Qualified NSA Users

Summary: This document explains what the GCHQ’s TEMPORA is, its value, and the requirements for using it. TEMPORA is a massive XKEYSCORE instantiation that uses over 1000 machines to make over 40 billion pieces of content available to analysts per day, functioning as an “Internet buffer” that contains up to three days of traffic. This buffer is useful for querying traffic coming from the Middle East, North Africa, and Europe, among others. Work product from TEMPORA collection has been used for SIGINT, as well as defensive and cyber mission elements. 

TEMPORA provides content-based discovery, and is queried using the GENESIS language. Users must meet compliance requirements before having access to TEMPORA, including ensuring they meet American and UK legal requirements.   

Document Published: June 18, 2014
Document Dated: September 9, 2012
Document Length: 4 pages
Associated Article: The NSA in Germany: Snowden’s Documents Available for Download
Download Document: TEMPORA — “The World’s Largest XKEYSCORE” — Is Now Available to Qualified NSA Users
Classification: C//REL
Authoring Agency: NSA
Codenames: GENESIS, INCENSER, MUSCULAR, TEMPORA, XKEYSCORE (XKS)

Special Collection Service: Pacific SIGDEV Conference

Summary: This slide deck provides a high-level overview of the Special Collection Service (SCS), noting its organizational structure, range of partners, how HUMINT enables SIGINT and vice versa, as well as efforts to modernize SCS. Central to this modernization was the adoption of modern IT services and infrastructures to support net-centric operations, which also has meant capability changes including next generation virtual infrastructure, interoperable desktops, improved email services, site destruct enablers, and more.

The deck then moves to discuss SCS operations associated with collecting aerial-transmitted signals. INTERQUAKE, a terrestrial environmental knowledge base, is populated with PANOPLY information that includes: signal externals, radio and payload information, LACs and Cell IDs, and protocol stacks. 

One of the ‘surge’ goals for SCS revolved around evaluating VPN access to determine better methods of identifying and exploiting networks of interest. This meant that SCS was interested in better understanding how to use VPN-related information that was already ingested (e.g. report VPN stats and exploitation determinations from CES to SCS and the site) and finding methods to better identify and survey VPNs to provide CES the information they need. This latter goal might entail better leveraging existing NSA databases and programs, such as MIRROR, DARKQUEST, and PANOPLY survey information, or using BIRDWATCHER or other means to automatically resurvey for key exchanges and obtain paired collections. 

Ultimately, SCS is regarded as providing a cyber advantage on the basis that it has a geographic advantage (plays in the adversary’s space), signals access advantage (signals provide for collection, exfiltration, and infiltration), analytic advantage (living in the environment means insights on infrastructure and configurations, as well as discovery of targets, signatures, and behaviours), and also a tailored intelligence products advantage (the products are driven by national objectives combined with local needs, that can lean on local understandings and situational awareness). Combined, this means that SCS can offer a “[u]nique platform for conducting and enabling IC operations” because they can leverage both NSA and CIA enterprises and existing authorities. 

Document Published: June 18, 2014
Document Dated: March 2011
Document Length: 12 pages
Associated Article: The NSA in Germany: Snowden’s Documents Available for Download
Download Document: Special Collection Service: Pacific SIGDEV Conference
Classification: TOP SECRET // COMINT // REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: BIRDWATCHER, CASTANET, DARKQUEST, EINSTEIN, INTERQUAKE, MIRROR, PANOPLY

Running Strategic Analytics Affecting Europe and Africa

Summary: This partial document (only 14 of 51 pages provided) provides insights into the NSA’s challenges in Africa and in Europe. With regards to the former, relatively few resources are allocated to monitoring Africa which means that the Agency doesn’t know what it doesn’t know; it is highly reliant on partners to provide information about this continent. In Europe, the challenge is that targets engage in active countermeasures to hide their identities and activities. 

The NSA and its partners relied on metadata for geolocation and content for confirmation of the identities of persons engaged in human trafficking, weapons smuggling, and drug smuggling in various regions at the time this document was produced. They lacked collection assets for identity confirmation linked to elections and biometrics in Africa. 

A challenge faced at the time the document was produced was generating sufficiently ‘real time’ data: there wasn’t clarity surrounding how quickly information could be presented to analysts. However, batch-oriented analysis, such as that enabled by MapReduce-style analytics, was seen as enabling analysts to access “data 24 number hours ago”, whereas XKEYSCORE fingerprints were better for presenting information that was streaming in from collection sites. At the time, the NSA regarded its limited processing power and bandwidth as inhibiting its ability to engage in some tracking, and addressing these deficiencies would at least in part rely on turning to third-party partners.

Document Published: June 15, 2014
Document Dated: Undated
Document Length: 14 (of 51) pages
Associated Article: Terrorverdächtige: NSA nutzte Erkenntnisse aus Deutschland-Filiale für Tötungen
Download Document: Running Strategic Analytics Affecting Europe and Africa
Classification: TOP SECRET//COMINT//REL USA, FVEYS
Authoring Agency: NSA
Codenames: BIG PIPE, DISTILLERY, GHOSTMACHINE, NIAGARAFILES, RTRG, WHIZBANG, XKEYSCORE

SSO Dictionary excerpt MYSTIC (Snippet)

Summary: This document is an excerpt which provides explanations of various covernames or acronyms, all of which are associated with MYSTIC. Covernames and acronyms for which explanations are provided are: BASECOAT, DUSKPALLET, EVENINGEASEL, GSM (Groupe Speciale Mobile), LI (Lawful Intercept), LOCKSTOCK, SOMALGET, and VENATOR. There is one covername, which is redacted, that is associated with the GCHQ’s National Cyber Security Centre (NCSC). SOMALGET had an overt mission associated with lawful interception that enabled DEA access to communications; host countries “are not aware of NSA’s SIGINT collection using these systems.” Some of the covernames are associated with counter-narcotics work, including in collaboration with the Drug Enforcement Administration (DEA). Countries mentioned in the context of some of these covernames are: Bahamas (BASECOAT), Kenya (DUSKPALLET), Mexico (EVENINGEASEL), The Philippines (VENATOR) via DSD source, as well as one redacted country.

Document Published: May 19, 2014
Document Dated: Undated
Document Length: 1 page
Associated Article: Data Pirates of the Caribbean: The NSA Is Recording Every Cell Phone Call in the Bahamas
Download Document: SSO Dictionary excerpt MYSTIC (Snippet)
Classification: (TS//SI//NF)
Authoring Agency: NSA
Codenames: BASECOAT, DUSKPALLET, EVENINGEASEL, LAUNDROMAT, LOCKSTOCK, LOLLYGAG, MYSTIC, OILYRAG, RAM-M, SCALAWAG, SOMALGET, VENATOR

Stealthy Techniques Can Crack Some of SIGINT’s Hardest Targets

Summary: This SID Today article discusses how the NSA’s Tailored Access Operations (TAO) group is involved with interdicting equipment with the assistance of the Remote Operations Centre and its Intelligence Community Partners. Supply-chain interdiction is helpful because it lets the NSA pre-position access points into hard target networks, with the example in the article focusing on how the NSA was able to access the Syrian Internet backbone and GSM network. The GSM network access let the NSA automatically exfiltrate Call Detail Records that showed who people were speaking with and where they were geographically located, as well as providing access to other Call Detail Records for other GSM providers in the region.

Document Published: May 13, 2014
Document Dated: June 2010
Document Length: 2 pages
Associated Article: No Place to Hide (Book)
Download Document: Stealthy Techniques Can Crack Some of SIGINT’s Hardest Targets
Classification: TOP SECRET//COMINT//NOFORN
Authoring Agency: NSA
Codenames: None

HOMING PIGEON

Summary: This partial slide deck notes that the NSA is interested in knowing the identities of handset subscribers who are on airplanes, and proposes automatically correlating GSM handsets to subscribers observed on more than two flights. Data sources to try and accomplish this correlation come from THIEVING MAGPIE (i.e. IMSI, Event Date, Flight Fields) and FASTSCOPE (i.e. List of Flights and Manifest Information).

Document Published: May 13, 2014
Document Dated: 2012
Document Length: 4 pages
Associated Article: No Place to Hide (Book)
Download Document: HOMING PIGEON
Classification: TOP SECRET//COMINT//REL TO USA, FVEY
Authoring Agency: NSA
Codenames: FASTSCOPE (FS), HOMING PIGEON, THIEVING MAGPIE (TM)

Identifier Lead Triage with ECHOBASE

Summary: The ECHOBASE covername refers to an effort to use bulk analytics to present useful leads to NSA analysts. After enriching datasets with SIGINT-derived data, analysts faced too many identifiers of ‘possible interest’, as compared to identifiers of ‘definite interest’ or for which no further analysis was needed. In contrast, doing bulk triage using behavioural analytics enables hundreds or thousands of selectors to be vetted quickly, presenting only the most useful identifiers following a query.

Analysts are able to gather data, using the ‘Identifier Scoreboard’, which does not involve a raw SIGINT query. Instead it focuses on the realm in which data is stored (e.g. Yahoo!, SkypeUser, targeting authorities, targets, foreignness, etc.). A bulk triage then occurs which involves asking yes/no questions about behaviour, e.g.: has a given identifier had direct communications with a targeted identifier? Has it been seen in captured media? Has it been seen in France? Such behavioural questions are queried against raw SIGINT data. Based on the selected behaviours, analytics then promote identifiers that most prominently meet the criteria established, thus letting analysts better home in on potentially valuable identifiers.

The analytics architecture is undergirded by GHOSTMACHINE, which ingests targeting information along with seeded analytics, as well as legal information (e.g. user permitted to run query, justification for query, etc) to generate analytic-based information. This program was used during the 2012 Olympics to ingest and share information with the GCHQ.

Document Published: April 30, 2014
Document Dated: June 2012
Document Length: 14 pages
Associated Article: British Spy Chiefs Secretly Begged to Play in NSA's Secret Data Pools
Download Document: Identifier Lead Triage with ECHOBASE
Classification: TOP SECRET // COMINT // REL TO USA, CAN, AUS, GBR, NZL
Authoring Agency: NSA
Codenames: CONTRAOCTAVE, ECHOBASE, FOREMAN, GHOSTMACHINE (GM), OCTAVE, RUMOUR MILL, WAVELEGAL

2009 SIGDEV Conference: ‘Best Yet and Continuing to Improve’

Summary: This document briefly explains some of the activities that took place during a 2009 iteration of an annual Signals Development (SIGDEV) conference (SDC). Over 1300 people participated, including 100 persons from Second Party agencies (i.e. CSE, ASD, GCHQ, and GCSB). The size and diversity of the SDC is described as enabling the intelligence community to “achieve results none could achieve on their own.”

Areas that received attention in the post-event summary included: the ‘Future Technology Threat’, botnets, and tools and techniques for identifying and processing malicious software (which led to ways for identification and exploitation). The document also notes that there is a potential need to better integrate SIGINT (identified as offensive) and Information Assurance (identified as defensive), and that SIGDEV was increasingly seen as the necessary underpinning of everything that was done in cyberspace.

Document Published: April 4, 2014
Document Dated: August 14, 2009
Document Length: 2 pages
Associated Article: The “Cuban Twitter” Scam Is a Drop in the Internet Propaganda Bucket
Download Document: 2009 SIGDEV Conference: 'Best Yet and Continuing to Improve'
Classification: S/SI/REL
Authoring Agency: NSA
Codenames: None

I hunt sys admins

Summary: This series of six internal blog posts mainly describes how NSA analysts can successfully identify and subsequently target system administrators. System administrators are useful targets on the basis of their escalated privileges to access network routing equipment; with such privileges, analysts can subsequently better identify their end-targets.

Three of the posts are particularly significant, focusing on hunting sys admins that use telnet and SSH, as well as people who hack routers (i.e. foreign actors). In each case, it is imperative that the NSA identify the IP addresses most likely used by the administrators, and this is generally determined by analyzing either router configuration files in DISCOROUTE (for telnet-based connections) or logging when session sizes are above a set limit between port 22 (default for SSH) and another IP address. Once the IP addresses that are successfully logging into the network appliances have been identified, the analyst can query other databases to correlate the IP addresses that likely belong to the administrators with other identifiers, such as personal email accounts. With this information in hand the administrators themselves can be targeted using something like QUANTUM or malware.

The blog post on the subject of hunting people who hack routers, which would explain how to identify foreign actors who have successfully intruded into or implanted a router, does not have information about the specific methods used because the information would help “those countries improve their ability to hack foreign routers and spy on people undetected.”

Document Published: March 20, 2014
Document Dated: February 8, 2012 - December 14, 2012
Document Length: 6 pages
Associated Article: Inside the NSA’s Secret Efforts to Hunt and Hack System Administrators // The Hunter: He Was a Hacker for the NSA and He Was Willing to Talk. I Was Willing to Listen
Download Document: I hunt sys admins
Classification: Top Secret//SI//Rel to USA, FVEY
Authoring Agency: NSA
Codenames: ASDF, GM Place, QUANTUM, DISCOROUTE

What Are We After with Our Third Party Relationships? — And What Do They Want from Us, Generally Speaking?

Summary: This SID Today article includes an interview with someone from the NSA’s Foreign Affairs Directorate (FAD) to better understand why, and under what conditions, the NSA partners with third-parties for SIGINT purposes. The interviewee explains that short-term relationships might be exclusively coordinated by the CIA and its local Chiefs of Station whereas long-term relationships may emerge following approval from the Director of National Intelligence.

These relationships are sought because third-parties possess some kind of resource the NSA is seeking, including geography, access to high-priority targets’ communications, and local expertise and language skills. The relationships are rarely disrupted by politics, largely because few government officials outside of senior military or intelligence roles are aware that the relationships even exist. Partners tend to receive technology – hardware and software – as well as access to technology related to their areas of interest.

Document Published: March 13, 2014
Document Dated: September 15, 2009
Document Length: 1 page
Associated Article: Foreign Officials In the Dark About Their Own Spy Agencies’ Cooperation with NSA
Download Document: What Are We After with Our Third Party Relationships? — And What Do They Want from Us, Generally Speaking?
Classification: TOP SECRET // SI / TK // REL TO USA AUS CAN GBR NZL
Authoring Agency: NSA
Codenames: None

There is More Than One Way to QUANTUM

Summary: This single-page document summarizes the different iterations of QUANTUM, when the respective iteration’s use was initiated, and the operational success of the relevant QUANTUM program.  

QUANTUM-based tools were used to support three classes of activity: Computer Network Exploitation (CNE), Computer Network Attack (CNA), and Computer Network Defence (CND). 

There were six types of QUANTUM used for CNE. QUANTUMINSERT was first used in 2005 to engage in man-on-the-side attacks to hijack connections to terrorist websites and use FOXACID servers to deploy malware to targets. Over five years this program was used to employ 300 Tailored Access Operations (TAO) implants. QUANTUMBOT is used to take control of idle IRC bots and began in 2007. At the time of writing, the program had been highly successful in co-opting bots by hijacking command and control channels. QUANTUMBISCUIT enhanced QUANTUMINSERT’s man-on-the-side technique and was driven by the fact that targets often use proxies and thus lack sufficient unique web activity to properly target them. This program had been operational since 2007 and met with limited success due to high latency, though the GCHQ used this for 80% of CNE accesses. QUANTUMDNS redirected based on A Record queries and targeted single hosts and caching services. It had been highly successful and in operation since 2008. QUANTUMHAND exploited the computer of targets using Facebook, had been operational since 2010, and was regarded as successful. QUANTUMPHANTOM hijacked the IP of QUANTUMMARBLE passive coverage to use as covert infrastructure and had been live tested since 2010.

There were two types of QUANTUM for CNA. QUANTUMSKY denied access to webpages through RST spoofing and had been operational since 2004. QUANTUMCOPPER had been live tested since 2008 and was used to disrupt and corrupt file uploads and downloads. There was one type of QUANTUM for CND. QUANTUMSMACKDOWN prevented targets from downloading implants to Department of Defence computers while capturing malicious payloads for analysis. QUANTUMSMACKDOWN was live tested beginning in 2010.

Document Published: March 12, 2014
Document Dated: Undated (post-2010)
Document Length: 1 page
Associated Article: How the NSA plans to infect 'millions' of computers with malware 
Download Document: There is More Than One Way to QUANTUM
Classification: TOP SECRET//COMINT//REL USA, FVEY
Authoring Agency: NSA
Codenames: FOXACID, QUANTUM, QUANTUMBISCUIT, QUANTUMBOT, QUANTUMCOPPER, QUANTUMDNS, QUANTUMHAND, QUANTUMINSERT, QUANTUMPHANTOM, QUANTUMSMACKDOWN, QUANTUMSKY

Selector Types

Summary: This document outlines a range of selector types that the NSA uses to identify data traffic of interest. Machine-related IDs include cookies, serial numbers, browser tags, Windows Error IDs, and Windows Update IDs. Attached device identifiers include IMEIs for phones, UDIDs for Apple devices, and Bluetooth information. Cipher Keys associated with particular users are also used for traffic selection. Network identifiers include wireless MAC addresses, VSAT MACs and IP addresses, as well as remote administration IPs. User leads come from cookies, the registry, and profile folders, as well as STARPROC.

Document Published: March 12, 2014
Document Dated: Undated
Document Length: 1 page
Associated Article: How the NSA Plans to Infect ‘Millions’ of Computers with Malware
Download Document: Selector Types
Classification: TOP SECRET//COMINT//REL TO USA, FVEY
Authoring Agency: NSA
Codenames: SILLYBUNNY

QUANTUMTHEORY

Summary: This joint NSA-GCHQ SigDev Conference presentation provides an overview of how the QUANTUM system operates. QUANTUM is a protocol injection technique that relies on both active and passive techniques to carry out a man-on-the-side attack. It outlines the pieces of the QUANTUM infrastructure, which is composed of a passive sensor (TURMOIL), mission logic of remote agents (TURBINE), message fabric (ISLANDTRANSPORT), diodes (SURPLUSHANGAR), and the implant and shooter (STRAITBIZARRE or DAREDEVIL). The document also notes legacy QUANTUM techniques (e.g. QUANTUMINSERT, QUANTUMSKY, and QUANTUMBOT) as well as contemporary uses (e.g. QUANTUMBISCUIT, QUANTUMDNS, and QUANTUMBOT2) and experimental uses (e.g. QUANTUMCOPPER, QUANTUMMUSH, QUANTUMSPIN, QUANTUMSQUEEL, and QUANTUMSQUIRREL). There is also a figure showing how QUANTUM can be used for defensive purposes. 

Document Published: March 12, 2014
Document Dated: 2010
Document Length: 11 pages
Associated Article: How the NSA Plans to Infect ‘Millions’ of Computers with Malware
Download Document: QUANTUMTHEORY
Classification: TOP SECRET//COMINT//REL TO USA, FVEY
Authoring Agency: NSA
Codenames: DAREDEVIL, HUFFMUSH, INCENSOR, ISLANDTRANSPORT, NINJANIC, QUANTUMBISCUIT (Q-BISCUIT), QUANTUMBOT (Q-BOT), QUANTUMBOT2, QUANTUMCOPPER (Q-COPPER), QUANTUMDNS (Q-DNS), QUANTUMDEFENSE, QUANTUMINSERT (Q-INSERT), QUANTUMMUSH, QUANTUMSKY (Q-SKY), QUANTUMSPIM (Q-SPIM), QUANTUMSQUEEL (Q-SQUEEL), QUANTUMSQUIRREL, QUANTUMTHEORY, SARATOGA, SMOKEYSINK, STRAITBIZZARE (STRAIGHTBIZZARE), SURPLUSHANGER (SURPLUSHANGAR), TRAFFIC THIEF, TURBINE, TURMOIL

(U) MHS Leverages XKS for QUANTUM Against Yahoo and Hotmail (Snippet)

Summary: This snippet explains how by leveraging an XKEYSCORE Map/Reduce Analytic (covername: DRAGGABLEKITTEN) on packets collected and made accessible by XKEYSCOREDEEPDIVE, the NSA is able to analyze Hotmail and Yahoo sessions to determine if they possess a keyword that is being targeted by QUANTUMTHEORY.

Document Published: March 12, 2014
Document Dated: Undated
Document Length: 1 page
Associated Article: How the NSA Plans to Infect ‘Millions’ of Computers with Malware
Download Document: (U) MHS Leverages XKS for QUANTUM Against Yahoo and Hotmail (Snippet)
Classification: TOP SECRET//SI/REL TO USA, FVEY
Authoring Agency: NSA
Codenames: DRAGGABLEKITTEN, QUANTUM, QUANTUMTHEORY, XKEYSCORE (XKS), XKEYSCOREDEEPDIVE

Router Hacking (Snippet)

Summary: This document notes that other nation-states are developing capacity to hack core internet routers and identifies five threats linked with this kind of hacking: 1) adding credentials so they can log in whenever they want; 2) adding or changing routing rules; 3) setting up packet capture capability; 4) weakening VPN encryption by forcing it to use decryptable tunnels; 5) installing a customized version of a router’s operating system to add whatever capabilities are desired.

Document Published: March 12, 2014
Document Dated: December 2012
Document Length: 1 page
Associated Article: How the NSA Plans to Infect ‘Millions’ of Computers with Malware
Download Document: Router Hacking (Snippet)
Classification: TS//SI//REL
Authoring Agency: Unknown (likely NSA)
Codenames: None

Expanded Implant Capacity (Snippet)

Summary: This snippet discusses how expanding the operational space afforded to an unstated part of the NSA will improve the Agency’s ability to provide real-time support to other government agencies (‘customers’) and mean that the NSA can go from actively managing 100-150 implants a day to simultaneously managing thousands of implants. It will also lead to improved planning and execution of endpoint operations.

Document Published: March 12, 2014
Document Dated: September 17, 2004
Document Length: 1 page
Associated Article: How the NSA Plans to Infect ‘Millions’ of Computers with Malware
Download Document: Expanded Implant Capacity (Snippet)
Classification: (S//SI)
Authoring Agency: NSA
Codenames: None

STELLARWIND Classification Guide

Summary: This NSA document explains how information and materials associated with the STELLARWIND program should be classified. The document was created because, in 2008, the Director of National Intelligence (DNI) authorized the removal of some information from the STELLARWIND compartment, though not all such information was removed. 

STELLARWIND was initially marked as “TSP” and “Compartmented”, and the covername STARBURST was also used in the earliest days of the (now named) STELLARWIND project. While TSP and Compartmented should be considered the same as STELLARWIND, they should not be directly associated with STELLARWIND. STARBURST can also be considered the same as STELLARWIND.

A large volume of information associated with STELLARWIND was to remain classified following the DNI’s decision. This included: 

  • information linking STELLARWIND with anti-terrorism activities; 
  • that the TSP was part of STELLARWIND; 
  • links between STELLARWIND and activity under the Large Content FISA (LCF) or activity under the Protect America Act (PAA); 
  • lists of individuals who were cleared for STELLARWIND or had access to associated data; 
  • information revealing the scope of STELLARWIND’s collection against different methods of communication; 
  • the number of reports that emerged from STELLARWIND (e.g., a total of 15,000 Requests for Information (RFIs) were generated under STELLARWIND); 
  • techniques and selectors targeted under STELLARWIND; or 
  • information that revealed the scope of operations under the Presidential authorization. 

Similarly, the operational roles of the FBI and CIA in STELLARWIND were to remain classified, as well as any information that revealed the cooperative relationships with U.S. telecommunications providers and their names; all names, in particular, were protected as ECI. Costs linked with STELLARWIND and its collection capabilities, as well as sources, were to remain classified as were any dataflow or associated data linked with STELLARWIND. The metadata analysis and target development, techniques, and results, as well as specific information linked to targeting terrorism-related groups, was to be kept secret, as was information associated with Digital Network Intelligence (DNI) (i.e., metadata) and Dialed Number Recognition (DNR) and content analysis that took place under STELLARWIND.

STELLARWIND’s SIGAD was US-3170 and traffic processed through this SIGAD or program traffic that was acquired but not disseminated were all to remain classified. 

While the Director of National Intelligence allowed the NSA to remove certain information from the STELLARWIND compartment, not all legacy information (e.g., that from 2004 or earlier) was automatically removed and thus some reporting in NSA databases continued to have the STLW marking and had to be protected as such. 

Document Published: March 11, 2014
Document Dated: January 21, 2009
Document Length: 37 pages
Associated Article: How a Court Secretly Evolved, Extending U.S. Spies’ Reach
Download Document: STELLARWIND Classification Guide
Classification: TOP SECRET//SI//ORCON/NOFORN
Authoring Agency: NSA
Covernames: MAINWAY, STARBURST, STELLARWIND (STLW), WHIPGENIE (WPG)

2013

FOXACID

Summary: This document provides an overview of the FOXACID program, which is designed to provide the initial access to target devices and systems for subsequent tasking and analysis by other NSA groups. FOXACID relied on cross-site scripting (XSS), bulk spam, man-in-the-middle and man-on-the-side attacks, as well as the QUANTUM suite, to divert targets to FOXACID servers. FOXACID generally refers to exploit servers that are used to provide initial access to targets via browser exploitation (back-door implants).

The document notes several ways to move a target to a FOXACID server. The WILLOWVIXEN system involves a target clicking a link in an email, and GENUINE DRAFT appends an iframe to emails in a ‘Draft’ folder in a web-based email account. There are also techniques that rely on man-in-the-middle as well as man-on-the-side attacks. SECONDDATE relies on the former and involves influencing real-time communications between the client and server to redirect the target to a FOXACID server. The QUANTUMTHEORY suite of tools, in contrast, exploits race conditions to direct targets to a FOXACID server by delivering responses to GET requests before the actual server the target is trying to contact does. This can involve HTML-based sites, messaging clients, and traffic that just contains ‘strong’ selectors, such as Yahoo! email addresses.

FOXACID can deploy a range of browser exploits (referred to as ‘plugins’ for FOXACID). One is VALIDATOR, which permits some file upload/download and system information collection along with discovering the network path from the target to NSA-controlled space. MISTYVEAL is similar (and is sometimes referred to as VALIDATOR II) but exploits Internet Explorer’s Browser Helper Object in order to use the proxies the system has access to. Thus, if Internet Explorer can reach google.com, then MISTYVEAL can contact the Remote Operations Centre (ROC). At the time of publication, cross-site scripting and bulk/mass emails were becoming less effective, so the QUANTUMTHEORY suite of tools was a preferred way of directing users to FOXACID servers; some QUANTUM missions had a success rate of up to 80%, as compared to less than 1% for bulk spam emails.

Document Published: December 30, 2013
Document Dated: January 8, 2007
Document Length: 23 pages
Associated Article: NSA’s Secret Toolbox: Unit Offers Spy Gadgets for Every Need
Download Document: FOXACID
Classification: TOP SECRET//COMINT//NOFORN
Authoring Agency: NSA
Codenames: FOXACID, GENUINE DRAFT, MISTYVEAL, QUANTUM, QUANTUMBISCUIT (QB), QUANTUMDIRK, QUANTUMINSERT (QI), QUANTUMTHEORY, SBZ (STRAITBIZZARE), SECONDDATE, TURBINE, TURMOIL, VALIDATOR, WILLOWVIXEN

Forward-based Defense with QFIRE

Summary: This NSA slide deck discusses QFIRE, a consolidated QUANTUMTHEORY platform for the real-time detection and mitigation of malicious threats, known as ‘forward-based defense.’ The NSA conducted forward-based defense through the TURBULENCE architecture, which combined the capabilities of TURMOIL (passive SIGINT), TURBINE (active SIGINT), and TUTELAGE (active defense) for use within the QUANTUMTHEORY mission. Sensors associated with TURBULENCE were used for passive collection as well as active mission management. Passive collection used the TUTELAGE system located in the United States, as well as TURMOIL systems spread external to the United States, and implants targeting locations such as Internet cafes external to the US. TURMOIL included high-speed passive collection systems that were designed to intercept foreign target satellite, microwave, and cable communications. 

The integration of TURMOIL, TURBINE and TUTELAGE provided the NSA with “[e]xtremely powerful” network effects for the computer network exploitation, defence, and attack (CNE, CND, & CNA) activities conducted for QUANTUMTHEORY. QUANTUMTHEORY used TURMOIL to detect target traffic and tip TURBINE command and control servers. TURBINE mission logic was then used to decide on a response, and to forward target traffic to a Tailored Access Operations (TAO) node. The TAO node would then inject a response toward a target through the Internet. 

The NSA found that the propagation delay from tip to target was a key determinant of the success rate of the network effects, with lower latency yielding more success. QFIRE was introduced to consolidate low-latency QUANTUMTHEORY capability, such as by eliminating trans-Atlantic/Pacific latency. At the time of writing, a QFIRE prototype was under development for deployment at Special Collection Service (SCS) and Special Source Operations (SSO) cable sites, and the planned dependencies included increasing points-of-presence, developing local or regional insertion capabilities at SSO cable accesses, and enhancing cloud analytics and QUANTUM missions, such as a bot mitigation pilot project.

Document Published: December 29, 2013
Document Dated: June 3, 2011
Document Length: 16 pages
Associated Article: Inside TAO: Documents Reveal Top NSA Hacking Unit
Download Document: Forward-based Defense with QFIRE
Classification: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: BLINDDATE, ISLANDTRANSPORT, MIDDLEMAN, QFIRE, QUANTUM, QUANTUMBOT, QUANTUMCOPPER, QUANTUMINSERT (QI), QUANTUMSKY, QUANTUMTHEORY, STRAIGHTBIZZARE, SURPLUSHANGAR, TUMULT, TURBINE, TURBULENCE, TURMOIL, TUTELAGE

NSA Intelligence Relationship with Canada’s Communications Security Establishment Canada (CSEC)

Summary: This NSA memo notes that Canada and the United States enjoy a cooperative relationship that is driven by a mutual desire to protect North America. The memo also notes that Canada is a large consumer of the NSA’s products and works with the NSA to target approximately 20 countries. It also explains that the NSA provides funds for some CSE research and development projects. In addition to providing analysis of received intelligence, the CSE “shares with NSA their unique geographical access to areas unavailable to the U.S.”

Document Published: December 9, 2013
Document Dated: April 3, 2013
Document Length: 2 pages
Associated Article: Snowden document shows Canada set up spy posts for NSA
Download Document: NSA Intelligence Relationship with Canada’s Communications Security Establishment Canada (CSEC)
Classification: TOP SECRET//SI//NOFORN
Authoring Agency: NSA
Codenames: None

The International Security Issues Build-Out

Summary: This snippet notes that The International Security Issues (ISI) division within the NSA was planning to expand its footprint into NSA facilities in Georgia, Hawaii, Texas, as well as the European Security Command. In part, the ISI focuses on 13 states including: Belgium, France, Germany, Italy, Spain, Brazil, Japan, and Mexico. ISI is responsible for collecting information about some of these states’ intelligence and military activities, and the Aegean and Ukrainian division also focuses on all aspects of Turkish diplomatic, governmental/leadership, military, and intelligence activities.

Document Published: December 2, 2013
Document Dated: May 17, 2006
Document Length: 1 page
Associated Article: Veja os documentos ultrassecretos que comprovam espionagem a Dilma
Download Document: The International Security Issues Build-Out
Classification: TOP SECRET//SI//TK//REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: None

Cheltenham Working Document (Fragments)

Summary: Only 4 out of 48+ paragraphs of the Cheltenham Working Document were published. Paragraph 4 summarizes the CSE’s inability to share bulk, unselected data with other intelligence agencies circa 2008, though that position was being evaluated at the time of writing. Also included are summaries of the DSD’s general willingness to share unredacted metadata with its intelligence partners so long as those partners are not intending to target Australian nationals using the shared data. Any effort to ultimately target an Australian would require Ministerial Authorization. Given the nascent nature of the bulk acquisition and sharing programs, there were no restrictions of proportionality or propriety (e.g., not collecting information linked to legal, religious, or medical data) established on collection. Within Australia, there was an ongoing shift regarding how SIGINT-related information would be shared within-country and how it could be used by non-intelligence agencies.

Document Published: December 2, 2013
Document Dated: April 22-23, 2008 (Alleged)
Document Length: 4 pages
Associated Article: Australian spy agency offered to share data about ordinary citizens
Download Document: Cheltenham Working Document (Fragments)
Classification: SECRET
Authoring Agency: NSA
Covernames: None

NSA Lends Support to Upcoming G8 and G20 Summits in Canada

Summary: This SID Today article outlines the kinds of support that the Agency will provide to G8 and G20 event security. The event took place in Canada.

The NSA identified the primary threats as “issue-based extremists” who had engaged in vandalism at past Summits. The NSA and broader Intelligence Community did not assess a credible terrorist threat to the event. It is unclear whether the Community referred to is the American Intelligence Community or if it includes the Five Eyes and other parties, though common parlance would suggest it refers to the American Community.

NSA support planning was coordinated with the Special U.S. Liaison Office in Ottawa (SUSLOO), NSA’s representatives at CSE. NSA officers were not physically in the threat integration centre at the U.S. Embassy in Ottawa. They instead operated through the Director of National Intelligence Representative in Ottawa. The memo also recognizes that the National Security Operations Centre (NSOC) would “provide reachback” to Target Offices of Primary Interest (TOPIs) as well as policy support.

Document Published: November 27, 2013
Document Dated: June 23, 2010
Document Length: 4 pages
Associated Article: New Snowden docs show U.S. spied during G20 in Toronto
Download Document: NSA Lends Support to Upcoming G8 and G20 Summits in Canada
Classification: TOP SECRET // SI / TK // REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: None

SIGINT Strategy 2012-2016

Summary: The document summarizes the NSA’s Signals Intelligence strategy from 2012-2016. After outlining a series of vision, mission, and values statements, the document assesses the 2012 and forthcoming environment in which the NSA expected to operate. Challenges facing the NSA included applying interpretations and guidelines for its authorities, insofar as they “have not kept pace with the complexity of the technology and target environments, or the operation expectations levied on NSA’s mission” (1). Other challenges included the rapid increase in the amount of data which was produced annually, the risks that cyberattacks from potential adversaries posed to “overcoming U.S. advantages in conventional military power,” (2) and an international system that would be “almost unrecognizable by 2025” as a result of “the rise of emerging powers, a globalizing economy, an [sic] historic transfer of relative wealth and economy power from West to East, and the growing influence of non-state actors” (2). 

In outlining expectations, the strategy notes that the NSA must move from its “mission approach” to a “SIGINT system that is as agile and dynamic as the information space we confront” (2). Five goals were established to “close gaps between the environment and expectations” (2). 

First, the NSA was to revolutionize how it conducted analysis by adopting an analytic approach that was biased towards discovery, customer and partner engagement, and increasing operational impact across its mission domains. 

Second, the NSA was to “[f]ully leverage internal and external NSA partnerships to collaboratively discover targets, find their vulnerabilities, and overcome their network/communication defenses” (4). Much of this involved identifying, and overcoming, cryptanalytic challenges and specifically included countering “the challenge of ubiquitous, strong, commercial encryption,” countering “indigenous cryptographic programs by targeting their industrial basis with all available SIGINT and HUMINT,” influencing “the global commercial encryption market through commercial relationships, HUMINT, and second and third party partners,” and continuing “to invest in the industrial base and drive the state of the art of High Performance Computing to maintain pre-eminent cryptanalytic capability for the nation” (4). Furthermore, it was important to defeat adversary cybersecurity practices. 

Third, SIGINT collection was intended to “[d]ynamically integrate endpoint, midpoint, industrial, enabled, and cryptanalytic capabilities to reach previously inaccessible targets in support of exploitation, cyber defense, and cyber operations” (4). 

To accomplish the aforementioned three goals, the NSA established two further goals. The first was to “foster an environment that encourages and rewards diversity, empowerment, innovation, and risk-taking and agility” whereas the second was directed at enabling “better, more efficient management of the mission and business by establishing new, modifying current, and eliminating inefficient, business processes; by strengthening customer relationships; and by building necessary internal and external partnerships” (5).

Document Published: November 22, 2013
Document Dated: February 23, 2012
Document Length: 5 pages
Associated Article: N.S.A. Report Outlined Goals for More Power
Download Document: SIGINT Strategy 2012-2016
Classification: TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Covernames: None

SSO Collection Optimization

Summary: This document discusses how TUDDS blocked the NSA’s fingerprint sessions. The effect was that the number of fingerprint hits per month, by SIGAD, had declined from a height of approximately 2.5 million hits on DS-200B to approximately zero four months later. (All other SIGADs were redacted in the document.) Specifically, this affected fingerprints applied to Yahoo and Google traffic.

The NSA’s research targeting Google’s protocols, however, had led it to identify Google’s internal server-to-server authentication based on a “hard selector,” though the user agent strings derived from this had not been populated in MARINA at the time the slide deck was prepared. The result of this targeting was that new protocols were available to select against, including: Google authorization/security question, iGoogle, chrome-sync, teragoogle-indexing, Youtube, talkgadget, picasaweb, and gaia/permission_whitelist.

Document Published: November 4, 2013
Document Dated: Undated
Document Length: 6 pages
Associated Article: How we know the NSA had access to internal Google and Yahoo cloud data
Download Document: SSO Collection Optimization
Classification: TOP SECRET//SI//NOFORN
Authoring Agency: NSA
Covernames: MARINA, PINWALE

STATEROOM Guide

Summary: The STATEROOM Guide outlines the classification of facts about covert signals intelligence collection that takes place from diplomatic facilities. Included in the leaked document are two screenshots of a much larger Guide.

Canada is noted, on page 2, as hosting intelligence collection sites at some US, UK, Australian, and Canadian diplomatic facilities. Notably these covert sites are “small in size and number of personnel staffing them” and “their true mission is not known by the majority of the diplomatic staff at the facility where they are assigned.” It is unclear from the document whether these collection sites are run by the countries’ respective intelligence agencies, or whether they host NSA equipment or operations.

Document Published: October 28, 2013
Document Dated: Unknown
Document Length: 2 pages
Associated Article: US on Spying Scandal: 'Allies Aren't Always Friends’
Download Document: STATEROOM Guide (NSA)
Classification: SECRET // SI // REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: STATEROOM

Memorandum Of Understanding (MOU) Between the National Security Agency/Central Security Service (NSA/CSS) And The Israeli SIGINT National Unit (ISNU) Pertaining To The Protection Of U.S. Persons

Summary: This NSA document outlines the privacy protections and policies that the Israeli SIGINT National Unit (ISNU) agrees to in order to receive SIGINT technology and equipment, as well as ‘raw SIGINT’. Raw SIGINT includes collected data that has not been “evaluated for foreign intelligence and minimized.” Minimization involves evaluating whether a U.S. person’s identity is essential to “understand the significance of the foreign intelligence” as well as applying identity-shielding protections to persons who are to be minimized. Per the document, citizens of Canada, Australia, the United Kingdom, and New Zealand enjoy the same protections as Americans and thus all procedures outlined in this MoU must also apply to persons of these countries.

ISNU is expected not to use U.S.-supplied equipment or raw intelligence to intentionally target other ‘U.S. Persons’ (including Canadians), to limit access to raw NSA intelligence generally, to only disseminate raw-intelligence-based information after shielding the identities of U.S. Persons (and to receive written permission from the NSA prior to disclosing shielded identities), to retain files on Canadians/U.S. Persons for no more than one year, to destroy any communications from raw NSA SIGINT that are either to or from an official in the U.S. Government, and to only process communications that refer “to activities, policies, and views of U.S. officials” for purposes unrelated to intelligence against the US.

It is unclear from the document whether protections ascribed to U.S. government officials, such as members of the Executive Branch, U.S. House of Representatives and Senate, or U.S. Federal Court system, also are ascribed to equivalent Canadian government officials. Similarly, it is unclear whether the CSE would provide written authority to disclose Canadians’ identities to ISNU customers. However, since the memorandum is between the NSA and ISNU, the CSE might not be contacted directly by ISNU about revealing the identities of Canadians to Israeli intelligence customers. 

Document Published: September 11, 2013
Document Dated: Unknown (likely March 2009)
Document Length: 5 pages
Associated Article: NSA shares raw intelligence including Americans’ data with Israel
Download Document: Memorandum Of Understanding (MOU) Between the National Security Agency/Central Security Service (NSA/CSS) And The Israeli SIGINT National Unit (ISNU) Pertaining To The Protection Of U.S. Persons
Classification: TOP SECRET//COMINT//REL TO USA, ISR
Authoring Agency: NSA
Codenames: CHIPPEWA

BOUNDLESSINFORMANT Maps

Summary: This document consists of three screenshots which show the amounts of data that can be aggregated against different countries. Page 2 reveals the global aggregate number of records parsed by BOUNDLESSINFORMANT (221,919,881,317) as well as the aggregate Dialed Number Recognition (DNR) and Digital Network Intelligence (DNI) records collected against the United States (2,095,533,478). DNR refers to information collected from phone networks themselves, whereas DNI refers to information collected from data communications (Internet). The screenshots also indicate the existence of 504 SIGINT Activity Designators (SIGADs), which refer to signals collection stations such as those in diplomatic facilities, at undersea cable landing points, and at Internet exchange points, in addition to other locations.

On page 2, the United States is shown in yellow, whereas Canada is shown in green, suggesting there are fewer aggregate DNI and DNR records collected against the United States as compared to Canada. Page 3 shows that, of the world aggregate of 124,808,692,959 DNR records, there were 203,190,032 collected against the United States. Based on the colouring of the global map on page 3, more DNR records were collected against Canada.

Document Published: June 11, 2013
Document Dated: Undated
Document Length: 3 pages
Associated Article: Boundless Informant: the NSA's secret tool to track global surveillance data
Download Document: BOUNDLESSINFORMANT Maps
Classification: TOP SECRET//SI//TK//NOFORN
Authoring Agency: NSA
Codenames: BOUNDLESSINFORMANT

BOUNDLESSINFORMANT Countries Data

Summary: This collection of documents consists of data showing the number of Dialed Number Recognition (DNR) and Digital Network Intelligence (DNI) information records collected about mobile devices day-by-day between December and January of an unspecified year, for various countries, collection sites, and other groups. DNR refers to information collected from phone networks themselves, whereas DNI refers to information collected from data communications (Internet).

Specifically, DNR and DNI data from the last 30 days is shown for Afghanistan, France, Germany, Italy, the Netherlands, Norway, Poland, and Spain, as well as for FAIRVIEW, Foreign partner, SSO, WINDSTOP, and 3rd Party. In each of the previous cases, data shown includes signal profile, SIGADs where the greatest volume of records came from, as well as the top five technologies used to collect records.

Two of the pages show collection information for both the UK and the US, respectively listing the top five projects, validator IDs, and IPs, for the past 30 day period.

Document Published: June 11, 2013
Document Dated: Undated
Document Length: 15 pages
Associated Article: Boundless Informant: the NSA's secret tool to track global surveillance data
Download Document: BOUNDLESSINFORMANT Countries Data
Classification: Unknown
Authoring Agency: NSA
Codenames: ACRIDMINI, APERTURESCIENCE, BALLOONKNOT, BOUNDLESSINFORMANT, CERFCALL, CERFCALLMOSES1, CHAOSOVERLORD, CHOCOLATESHIP, CROSSEYEDSLOTH, DARKFIRE, DARKTHUNDER, DRTBOX, FAIRVIEW, FAIRVIEWCOTS, FALLOUT, HEADMOVIES, JEEPFLEA, JUGGERNAUT, KEELSON, KOALAPUNCH, LOPERS, LUTEUSICARUS, MAGNUMOPUS, MATRIX, MURPHYSLAW, POTBED, SCISSORS, SCREAMINGHARPY, SHAREDTAFFY, SHARPSHADOW, TERRAIN, TURMOIL, WAXTITAN, WEALTHYCLUSTER, WHISTLINGDIXIE, WHITEBOX, WILDCHOCOBO, WILDCOUGAR, WINDSTOP, XKEYSCORE

BOUNDLESSINFORMANT – Frequently Asked Questions

Summary: This document is a June 2012 FAQ which answers thirteen questions about various aspects of the BOUNDLESSINFORMANT tool. 

BOUNDLESSINFORMANT was an NSA prototype tool for a self-documenting SIGINT system. More specifically, BOUNDLESSINFORMANT revealed the Global Access Operations’ (GAO’s) collection capabilities by automatically revealing the volume of metadata collection as well as other select details about collection that occurred against any given country. At a high level, BOUNDLESSINFORMANT could show, in various graphical display formats, aggregate records of the collection against an entire country, whereas focusing on particular countries would show how many records a given program and covername was collecting.

In addition to collection record counts, BOUNDLESSINFORMANT provided information about the type of collection as well as the contributing SIGINT Activity Designator (SIGAD). SIGADs refer to signals collection stations, such as in diplomatic facilities, at undersea cable landing points, and at Internet exchange points, in addition to other locations. 

Questions covered in the FAQ include those related to: intended users; different views (i.e. Map View, Organization View, Similarity View); where metadata records come from; what data is missing; how to distinguish between sustained versus survey collect; details about technical architecture; upcoming enhancements and how these are requested or prioritized; and why record counts differ from other tools, such as ASDF.

Document Published: June 11, 2013
Document Dated: June 9, 2012
Document Length: 3 pages
Associated Article: Boundless Informant: the NSA's secret tool to track global surveillance data
Download Document: BOUNDLESS INFORMANT Frequently Asked Questions
Classification: UNCLASSIFIED//FOR OFFICIAL USE ONLY 
Authoring Agency: NSA (likely)
Codenames: BOUNDLESSINFORMANT, FALLOUT, FASCIA, FLAWMILL, GM-PLACE, JUGGERNAUT, LOPER, MACHINESHOP, MUSCULAR, RAM-A, SPINNERET, TURKEYTOWER, TUSKATTIRE 

BOUNDLESSINFORMANT: Describing Mission Capabilities from Metadata Records

Summary: This slide deck from Global Access Operations (GAO) describes the collection capabilities and posture of GAO’s SIGINT infrastructure. BOUNDLESSINFORMANT refers to the use of “Big Data technology to query SIGINT collection in the cloud to produce near real-time business intelligence” which described the SIGINT infrastructure and coverage available to the NSA at the time. Key questions answered by BOUNDLESSINFORMANT included, inter alia: how many records were collected for a given unit or country; whether or not there were visible trends; and what assets ‘collected against’ a specific country.

Before BOUNDLESSINFORMANT, answers to SIGINT data calls/questions were achieved in a more ad hoc way, for example through mapping the physical location of SIGINT assets, guessing as to who could answer the question, reviewing static spreadsheets from previous data calls, or relying on experts with decades of experience. 

As of July 2012, BOUNDLESSINFORMANT focused on SIGINT/COMINT, and reviewed every valid Digital Network Intelligence (DNI) and Dialed Number Recognition (DNR) metadata record which passed through the NSA’s SIGINT infrastructure. Future work was intended to add new technology types (JUGGERNAUT, LOPER) to provide granularity to numbers, add anomaly detection and alerts, integrate other ‘INTs’ such as ELINT and FISINT, as well as add in selected data indicators.

Document Published: June 8, 2013
Document Dated: July 13, 2012
Document Length: 8 pages
Associated Article: Boundless Informant: the NSA's secret tool to track global surveillance data
Download Document: BOUNDLESSINFORMANT: Describing Mission Capabilities from Metadata Records
Classification: TOP SECRET//SI//NOFORN 
Authoring Agency: NSA
Codenames: BOUNDLESSINFORMANT, JUGGERNAUT, LOPER

PRISM/US-984XN Overview

Summary: This is a slide deck which was created by the PRISM collection manager to explain how the program operates. A large volume of the world’s communications transit American gateways and are accessible under the FAA, which pertains to upstream collection of communications on fibre cables and infrastructure as it flows past, and another swathe of communications are available through the PRISM program, which collects “directly from the servers” of Microsoft, Yahoo!, Google, Facebook, PalTalk, AOL, Skype, YouTube, and Apple. At the time of writing, PRISM could collect on DNI selectors, was planned to collect on DNR selectors, had access to stored communications, could undertake real-time collection, and could facilitate Voice over IP collection. However, direct relationships with the communications providers took place through the FBI. In contrast, upstream collection would apply DNI and DNR selectors to worldwide sources, conduct real-time collection, ‘abouts’ collection, and voice collection, and involved a direct relationship between communications providers and the NSA.

The program cost approximately $20 million (USD) in 2012. Using both PRISM and STORMBREW upstream collection, the NTOC was able to tip the FBI to an implant that was in CDC networks. Generally, the NSA would input selectors into the Unified Targeting Tool (UTT), and from there the request would be validated and approved and then advanced to the FBI’s Data Intercept Technology Unit (DITU). DITU would provide targeting selectors to communications providers (e.g., Google, Apple) and then, after receiving the returned information, it would be passed to PRINTAURA, where data would move either to TRAFFICTHIEF or SCISSORS. Data which had been moved into SCISSORS would be processed, with metadata moving into FALLOUT as well as MARINA and MAINWAY. Voice content was processed through CONVEYANCE and deposited into NUCLEON. DNI content and videos, in contrast, would be processed through SCISSORS and ultimately be deposited into PINWALE.

Document Published: June 6, 2013
Document Dated: April 2013
Document Length: 11 pages
Associated Article: NSA slides explain the PRISM data-collection program
Download Document: PRISM/US-984XN Overview
Classification: TOP SECRET//SI//ORCON//NOFORN
Authoring Agency: NSA
Covernames: BLARNEY, CONVEYANCE, FAIRVIEW, FALLOUT, MAINWAY, MARINA, NUCLEON, OAKSTAR, PINWALE, PRINTAURA, PRISM, SCISSORS, STORMBREW, TRAFFICTHIEF

Center for Content Extraction

Summary: This slide deck provides a demonstration of the NSA’s content extraction analytics. The aim of content extraction, generally, was to find essential elements of information in documents. The collection of these documents (and their exploitation) benefited Signals Development (SIGDEV), and vice versa. 

The extraction process was classed into different steps known by the acronym STAIRS, which referred to: Selection, Translation & Transliteration, Analysis, Interpretation/Enrichment, Retrieval, and Storage & Distribution. The document further lists which databases and programs were associated with each respective step.

There were two classes of customers for the Center’s activities: those who would request information on demand, and those who received extracted reports or transcripts from content; the latter class of subscribers were identified as major databases (e.g. MARINA, SYNAPSE, NYMROD) as opposed to particular persons or organizations. The goal was to develop automated extraction to grow the number of records each year, on the basis that manual record formation was slow, and prone to omissions and inconsistencies. 

Slide 7 lists examples of machine-extracted citations for NYMROD, a name-matching program, which includes the names of world leaders such as German Chancellor Angela Merkel.

Document Published: March 29, 2013
Document Dated: May 21, 2009
Document Length: 8 pages
Associated Article: ‘A’ for Angela: GCHQ and NSA Targeted Private German Companies and Merkel
Download Document: Center for Content Extraction
Classification: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: CYBERTRANS, GOLDENRETRIEVER, HERESYITCH, JOURNEYMAN, LEXHOUND, MARINA, NYMROD, PAINTBALL, SOCIOPATH, SYNAPSE, THUNDERCLOUD

Center for Content Extraction (2)

Summary: This short snippet of a PowerPoint slide provides information about the Center for Content Extraction (CCE) and the NYMROD project. CCE is responsible for distributing multilingual content extraction services to the NSA, and for supporting and enhancing functions pertaining to selection, translation, analysis, investigative research, retrieval, and storage. NYMROD, in particular, is aimed at addressing analytic problems such as finding reported information about targeted persons, with humans being the focus of the effort. In practice this meant that the NYMROD project had to cope with linguistic variation in how names are presented, as well as resolving references to specific entities using contextual information.

Document Published: March 29, 2013
Document Dated: July 2008
Document Length: 3 pages
Associated Article: ‘A’ for Angela: GCHQ and NSA Targeted Private German Companies and Merkel
Download Document: Center for Content Extraction (2)
Classification: TOP SECRET // COMINT // REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: NYMROD

2012

Tracking Courier Use of Secure Digital Cards

Summary: This slide deck was produced for the 2012 SIGDEV conference by the SIGINT Forensics Center (SFC). The goal was to establish unique characteristics of SD cards so that the SIGINT Forensics Center and Tailored Access Operations (TAO) could automate “solutions between seized media & CNE media”. Specifically, the aim was to determine the machines that an SD card had been inserted into, and from there to determine whether those machines had either been seized for forensic analysis or been the target of a TAO CNE operation against the media.

Document Published: Unclear
Document Dated: 2012
Document Length: 9 pages
Associated Article: Unknown
Download Document: Tracking Courier Use of Secure Digital Cards
Classification: TOP SECRET//COMINT//REL FVEY
Authoring Agency: NSA
Codenames: JOLLYROGER