As part of my ongoing research into the Edward Snowden documents, I have added an additional document to the Canadian SIGINT Summaries. The Summaries include downloadable copies of leaked Communications Security Establishment (CSE) documents, along with summary, publication, and original source information. CSE is Canada’s foreign signals intelligence agency and has operated since the Second World War.

Documents were often produced by CSE’s closest partners which, collectively, form the ‘Five Eyes’ intelligence network. This network includes the CSE, the National Security Agency (NSA), the Government Communications Headquarters (GCHQ), Australian Signals Directorate (ASD), and Government Communications Security Bureau (GCSB).

All of the documents are available for download from this website. Though I am hosting the documents they were all first published by another party. The new documents and their summaries are listed below. The full list of documents and their summary information is available on the Canadian SIGINT Summaries page.

Hackers are Humans too: Cyber leads to Cl leads

Summary: This slide set showcases one method that CSE uses to expose the management structure and operators behind Computer Network Exploitation (CNE) activities, namely using passive infrastructure tasking and contact chaining. By monitoring infrastructure that was exposed through malware or content delivery for anomalous network sessions the CSE was subsequently able to trace MAKERSMARK (i.e. Russian) operations.

While MAKERSMARK’s less attributed systems can make it challenging to effectively trace to operators, these were poorly used and the operators exposed information associated with their’ personal lives. Furthermore, the development organization responsible for MAKERSMARK less attributed systems was infected by crimewave and CSE (or other friendly intelligence agencies) were consequently able to collect information which was being exfiltrated to criminal organizations.

The slide deck concludes with the warning the it is important to follow counter intelligence leads, quickly, because opportunities don’t last forever. Moreover, there was a warning that as a CNE program matures, such as that run by MAKERSMARK, the operational security associated with the program will similarly mature.

Document Published: August 2, 2017
Document Dated: Post 2009
Document Length: 13 pages
Associated Article: White House Says Russia’s Hackers Are Too Good To Be Caught But NSA Partner Called Them “Morons”
Download Document: Hackers are Humans too: Cyber leads to Cl leads
Classification: TS//SI/REL TO CAN, AUS, GBR, NZL, and USA
Authoring Agency: CSE
Codenames: MAKERSMARK