The Communications Security Establishment (CSE)1 is Canada’s foreign signals intelligence agency. CSE has operated since the Second World War. Despite existing for as long as it has, and operating under a legislative mandate since 2001, it is only as journalists publish stories based on documents first provided by Edward Snowden and other whistleblowers that Canadians have begun paying attention to the agency’s actions. The stories have revealed the extent to which CSE has partnered with other Western intelligence agencies, as well as the kinds of activities that CSE itself has taken part in.

CSE is responsible for fulfilling a series of mandates per s.273.64(1) of the National Defence Act. They are:

  • to acquire and use foreign signals intelligence in accordance with the Government of Canada’s intelligence priorities;
  • to help protect electronic information and information infrastructures of importance to the Government of Canada; and
  • to provide technical and operational assistance to federal law enforcement and security agencies, including helping them obtain and understand communications collected under those agencies’ own lawful authorities.

This page currently collates leaked documents that are linked to CSE’s operations as well as the annual reports issued by the Office of the Communications Security Establishment Commissioner. In the future it will also include CSE procedural documents which have been released to the public using Access to Information and Privacy (ATIP) legislation. While I have tried to exhaustively collate these documents it is entirely possible that I have missed some; if you have a primary document and would like me to add it to the lists below, please contact me with the document and some information about it. A more comprehensive repository of all agencies’ Snowden-leaked documents is available at the Snowden Surveillance Archive.

Table of Contents

Leaked CSE Documents

CSE Procedures Documents

  • Forthcoming

Office of the Communications Security Establishment Commissioner Reports

Footnotes

Leaked CSE Documents

CSE documents are listed with the most recently released documents towards the top of the list. I have tried to collect the most complete version of documents and I have only included entries where a document has been released to the public.

Where possible I have identified when the documents were created and provided an overview summary of the CSE-relevant aspects of the document. I have noted the length of the documents but, in doing so, have excluded information added by advocacy organizations to the source documents (e.g. their notations of the original source of the document). I have also included a link to the article that was first associated with the document.

Many of the documents were produced by CSE’s closest partners, which collectively form the ‘Five Eyes’ intelligence network: CSE, the National Security Agency (NSA), the Government Communications Headquarters (GCHQ), the Australian Signals Directorate (ASD),2 and the Government Communications Security Bureau (GCSB).

All of the documents are available for download from this website. Though I am hosting the documents they were all first published by another party.

Hackers are Humans too: Cyber leads to CI leads

Summary: This slide set showcases one method that CSE uses to expose the management structure and operators behind Computer Network Exploitation (CNE) activities, namely passive infrastructure tasking and contact chaining. By monitoring infrastructure exposed through malware or content delivery for anomalous network sessions, CSE was able to trace MAKERSMARK (i.e. Russian) operations.

While MAKERSMARK’s less-attributable systems can make it challenging to trace operations back to operators, these systems were poorly used and the operators exposed information about their personal lives. Furthermore, the development organization responsible for MAKERSMARK’s less-attributable systems was infected by crimeware, and CSE (or other friendly intelligence agencies) were consequently able to collect information that was being exfiltrated to criminal organizations.

The slide deck concludes with the warning that it is important to follow counterintelligence leads quickly, because opportunities don’t last forever. It also warns that as a CNE program such as MAKERSMARK’s matures, the operational security associated with the program will mature with it.

Document Published: August 2, 2017
Document Dated: Post 2009
Document Length: 13 pages
Associated Article: White House Says Russia’s Hackers Are Too Good To Be Caught But NSA Partner Called Them “Morons”
Download Document: Hackers are Humans too: Cyber leads to CI leads
Classification: TS//SI/REL TO CAN, AUS, GBR, NZL, and USA
Authoring Agency: CSE
Codenames: MAKERSMARK

Synergising Network Analysis Tradecraft: Network Tradecraft Advancement Team (NTAT)

Summary: This slide deck showcases some of the activities, and successes, of the Network Tradecraft Advancement Team (NTAT). The slides focus on how to develop and document tradecraft used to correlate telephony and Internet data. Two separate workshops are discussed, one in 2011 and another in 2012. Workshop outcomes included identifying potentially converged data (between telephony and Internet data) as well as geolocating mobile phone application servers. A common mobile gateway identification analytic was adopted by three agencies, including DSD. NTAT also adopted the CRAFTY SHACK tradecraft documentation system over the course of these workshops.

In an experiment codenamed IRRITANT HORN, analysts explored whether they could identify connections between a potentially ‘revolutionary’ country and mobile application servers. They successfully correlated connections with application servers, which opened up the potential to conduct man-in-the-middle attacks or effects operations against the mobile devices, as well as the potential to harvest data in transit and at rest from the devices. In profiling mobile application servers, it appears that EONBLUE was used to collect information about a company named Poynt; that company’s application was being used by BlackBerry users, and the servers profiled were located in Calgary, Alberta (Canada).

The agencies found vulnerabilities in UCWeb, which leaked IMSI, MSISDN, IMEI, and other device characteristics. These vulnerabilities were used to discover a target, and it was determined that they might let a SIGINT agency serve malware to the target. A ‘microplugin’ for XKeyscore was developed so that analysts could quickly surface UCWeb-related SIGINT material. (NOTE: The Citizen Lab analyzed later versions of UCWeb and found vulnerabilities that were subsequently patched by the company. For more, see: “A Chatty Squirrel: Privacy and Security Issues with UC Browser.”)

Document Published: May 21, 2015
Document Dated: 2012 or later
Document Length: 52 pages (slides plus notes)
Associated Article: Spy agencies target mobile phones, app stores to implant spyware
Download Document: Synergising Network Analysis Tradecraft: Network Tradecraft Advancement Team (NTAT)
Codenames mentioned: ATLAS, ATHENA, BLAZING SADDLES, CRAFTY SHACK, DANAUS, EONBLUE, FRETTING YETI, HYPERION, IRRITANT HORN, MASTERSHAKE, PEITHO, PLINK, SCORPIOFORE

CASCADE: Joint Cyber Sensor Architecture

Summary: This document discusses the configuration of CSE’s sensor networks as of 2011, and CSE’s plans for developing the network in the future. The discussion revolves only around passive sensors and their supporting infrastructure. Two sensor systems were identified: PHOTONIC PRISM, for monitoring Government of Canada networks, and EONBLUE, a passive SIGINT system used to collect ‘full-take’ data and to conduct signature- and anomaly-based detection on network traffic.

EONBLUE systems were deployed in select government networks and were also used for monitoring Foreign Satellite (FORNSAT) communications; they may also be used for monitoring cellular or radio-based telecommunications traffic. The INDUCTION system, which has capabilities similar to EONBLUE, was deployed domestically at gateways between domestic and international network domains. The document also discusses a metadata production and processing program, THIRD-EYE, which operated at select new sites, and an unclassified sensor, CRUCIBLE, which was designed to track targets from outside Sensitive Compartmented Information Facilities (SCIFs).

CASCADE is the codename for a project focused on standardizing Information Technology Security (ITS) and SIGINT sensors, so that the above-mentioned sensors can be seamlessly integrated and enable a common analyst platform for captured data.

By 2015, CSE hoped to increase its Special Source (SSO) access to include all international gateways accessible from Canada along with a multi-layered sensor network meant to enhance the security of Government of Canada systems. Further, operational capacity was meant to be enhanced, such that SIGINT, ITS, and cryptologic partner sensors interoperated seamlessly. It is unclear what, precisely, these partner sensors may encompass. Authority was also sought for ‘Effects’ operations, as well as the infrastructure, policies, and tradecraft required to conduct such operations.

As a result of these activities, CSE hoped to detect threats before they entered national infrastructure, to identify exfiltration and command and control systems, and transform the network itself into a defensive domain. This final objective would require CSE to be able to change data traffic routes, silently discard packets, and insert payloads into data packets. CSE regarded such expansive ‘defensive’ activities as necessary because gateway or end-node defence was insufficient to protect government systems.

If the sensors were upgraded, then CSE suggested that changes to basic Five Eyes interoperation might follow. Such changes included the following: tipping and cueing might no longer be used for sharing threats to government systems and instead could be used exclusively to enable intelligence collection; and there would be no need to make tasking/targeting requests concerning those common actors who target CSE and other Five Eyes alliance members. The result would be that foreign SIGINT would become a domain for ‘hunting’ and domestic defence would be integrated into the very core of the Internet, domestic and foreign, itself.

Document Published: March 23, 2015
Document Dated: 2011
Document Length: 66 pages
Associated Article: Communication Security Establishment's cyberwarfare toolbox revealed
Download Document: CASCADE: Joint Cyber Sensor Architecture

Cyber Network Defence R&D Activities

Summary: This slide deck provides an overview of the research and development activities that were being undertaken by the Cyber Network Defence (CND) group. The core focus of CND at the time was on PHOTONIC PRISM, a sensor network designed to protect Government of Canada networks and devices from external threats.

CND primarily leveraged the R&D of external partners because its size precluded it from conducting low-level research. For example, it used POPQUIZ from R23 and an email attachment scanner from GCHQ. Projects CND was engaged in at the time included PONYEXPRESS, an email scanning program, the previously mentioned PHOTONIC PRISM, and dynamic defence enabled by software installed on Commercial Off-The-Shelf (COTS) hardware.

CND noted that its challenges included the length of its research activities, translating classified requirements into an unclassified domain, properly engaging industry and academia, and policy, amongst others.

Document Published: March 23, 2015
Document Dated: 2010
Document Length: 26 pages
Associated Article: Communication Security Establishment's cyberwarfare toolbox revealed
Download Document: Cyber Network Defence R&D Activities

CSEC ITS/N2E Cyber Threat Discovery

Summary: This slide deck provides some context about the N2E unit of Information Technology Security (ITS), its existing capabilities, and a series of experiments run during a 2010 workshop held in Canada. The N2E team was established in 2010, uses full-take data and (at the time) was making headway on putting policies in place to use intercepted private communications and to either share data or gain access to shared data. They stored full packet captures of Government of Canada-destined traffic for days to months, and metadata for months to years.

The core issue facing N2E, and perhaps CSE more broadly, was the volume of data acquired, retained, summarized, analyzed, and presented to analysts. The 2010 workshop addressed some of these challenges by developing a process to reduce the volume of email URL metadata presented to analysts, which lowered false positive rates compared to inspecting the URLs directly. The workshop also analyzed how to predict whether email attachments were malicious, which led to reducing data retention by 85% with only a 1-3% loss of ‘interesting’ emails. Participants also investigated how to more effectively detect threat actors who used masqueraded Windows Portable Executable (PE) downloads (executables delivered under a non-executable file type), which led to progress in identifying the offending kinds of downloads.
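
The masqueraded-PE check the workshop describes can be demonstrated with a small classifier. This is an added example, not code from the leaked document or from CSE; the download records, the example.invalid URLs and the minimal PE image in it are constructed for illustration. It flags a download as suspect when the body carries a DOS ‘MZ’ stub and a ‘PE\0\0’ signature but the declared Content-Type or the URL’s extension asserts a non-executable file, and it treats a truncated capture (an ‘MZ’ stub whose PE signature cannot be reached) as a lower-confidence hit rather than discarding it:

```python
import os
import struct
from urllib.parse import urlsplit

# Content types and extensions under which an executable is legitimately served.
EXECUTABLE_TYPES = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/vnd.microsoft.portable-executable",
}
# Types that claim nothing about the payload, so they are not evidence of masquerading.
NEUTRAL_TYPES = {"", "application/octet-stream"}
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx", ".drv"}

# A minimal PE image: DOS 'MZ' stub with e_lfanew (offset 0x3C) pointing at the
# 'PE\0\0' signature. Constructed for this example; it is not a real binary.
PE_BODY = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\x00\x00" + bytes(20)

# Constructed download records: what the HTTP metadata declared, plus the first
# bytes of the body as a sensor might retain them.
SAMPLE_DOWNLOADS = [
    {"url": "http://example.invalid/report.pdf", "content_type": "application/pdf",
     "body": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj"},
    {"url": "http://example.invalid/invoice.pdf", "content_type": "application/pdf",
     "body": PE_BODY},                                   # PE served as a PDF
    {"url": "http://example.invalid/update.exe", "content_type": "application/x-msdownload",
     "body": PE_BODY},                                   # honest executable
    {"url": "http://example.invalid/photo.jpg", "content_type": "image/jpeg",
     "body": b"MZ\x90\x00\x03\x00"},                     # truncated capture, MZ only
    {"url": "http://example.invalid/image.png", "content_type": "application/octet-stream",
     "body": PE_BODY},                                   # neutral type, but .png extension
    {"url": "http://example.invalid/download?id=7", "content_type": "application/octet-stream",
     "body": PE_BODY},                                   # nothing claims otherwise
]


def classify_body(body: bytes) -> str:
    """Classify the leading bytes of a download as 'pe', 'mz-stub' or 'other'.

    'pe' means the DOS header's e_lfanew points at a valid 'PE\\0\\0' signature;
    'mz-stub' means the body starts with 'MZ' but the signature cannot be
    confirmed (for example, the capture was truncated before e_lfanew).
    """
    if body[:2] != b"MZ":
        return "other"
    if len(body) >= 0x40:
        e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
        if e_lfanew + 4 <= len(body) and body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    return "mz-stub"


def claims_non_executable(url: str, content_type: str) -> bool:
    """True if the declared MIME type or the URL's extension asserts a non-executable payload."""
    mime = content_type.split(";")[0].strip().lower()
    ext = os.path.splitext(urlsplit(url).path.lower())[1]
    type_claims_other = mime not in NEUTRAL_TYPES and mime not in EXECUTABLE_TYPES
    ext_claims_other = ext != "" and ext not in EXECUTABLE_EXTS
    return type_claims_other or ext_claims_other


def find_masquerades(downloads):
    """Return (url, body_class) for downloads whose bytes are a PE but whose metadata says otherwise."""
    flagged = []
    for rec in downloads:
        kind = classify_body(rec["body"])
        if kind != "other" and claims_non_executable(rec["url"], rec["content_type"]):
            flagged.append((rec["url"], kind))
    return flagged


if __name__ == "__main__":
    for url, kind in find_masquerades(SAMPLE_DOWNLOADS):
        print(f"{kind:8s} {url}")
```

application/octet-stream is treated as neutral because legitimate installers are routinely served that way; what makes a download a masquerade is a positive claim of a different type, from either the MIME type or the extension, that the bytes contradict.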

Document Published: March 23, 2015
Document Dated: 2010
Document Length: 60 pages
Associated Article: Communication Security Establishment's cyberwarfare toolbox revealed
Download Document: CSEC ITS/N2E Cyber Threat Discovery

CSEC Cyber Threat Capabilities: SIGINT and ITS: an end-to-end approach

Summary: This slide deck provides an overview of how SIGINT and government Information Technology Security (ITS) interoperate for ‘defensive’ operations. Data traffic is analyzed by Government of Canada sensors, by sensors tasked by CSIS for warranted full-take collection, by sensors located at Canadian/international Internet gateways and within the broader Internet, and on devices CSE has ‘exploited’.

EONBLUE is used for analysis of non-Government of Canada networks and involves discovering targets, tracking them, and producing metadata from the traffic EONBLUE sees. EONBLUE is a deep packet inspection-based system that, when paired with warranted full-take collection, lets CSE discover network beacons. ITS’s equivalent program is PHOTONIC PRISM.

CSE’s network sensors were processing 125GB/hour of HTTP metadata and relied on 50TB of high-speed storage to conduct analysis towards the front end of the data intake. ITS stored 300TB of full-take data, the equivalent of months of traffic.

In the process of analyzing data from ITS and SIGINT sensors, anomalies and events are detected, which are processed through alerting engines and decision logic servers; the logic information is shared with all Five Eyes partners as a result of the Sydney Resolution. The logic is based, in part, on tipping and cueing information; such information can facilitate warnings or indications of attacks in near real time and enable collaborative defence across all Five Eyes nations.

CSE identified ‘dynamic defence’ as involving both localized actions at the network edge by ITS and operating in the core of the global Internet to act on, and modify, data traffic, as well as implanting malware on foreign infrastructure to probe, explore, and learn about adversary network space and to gather the information and tools used by adversaries. These ‘defensive’ operations may be supplemented with influence activities, such as shaping anti-virus companies’ signatures, developing relationships with supply chains, or political manoeuvres. Such activities are segregated in the ‘Cyber Activity Spectrum’ from active operations and deception techniques.

The final slide identifies next steps, which include synchronizing the SIGINT and ITS missions, funding, developing joint sensor and analytics capabilities, and greater international interoperability and policy coordination. It also lists legislative amendments as a consideration; specific amendments are not mentioned in the slide.

Document Published: March 23, 2015
Document Dated: 2009 or 2010 (possibly; document not formally dated)
Document Length: 46 pages
Associated Article: Communication Security Establishment's cyberwarfare toolbox revealed
Download Document: CSEC Cyber Threat Capabilities: SIGINT and ITS: an end-to-end approach

Cyber Threat Detection

Summary: This document summarizes how CSE monitors for threats using the EONBLUE system alongside traditional metadata collection systems. These latter systems are deployed at Special Source (SSO) locations, rely on warranted access, and tap into foreign satellite communications. Domestic and SIGINT (international) sensors are used in detecting and mitigating threats, with China (i.e. SEEDSPHERE) given as an example of a recurring threat actor.

OLYMPIA, CSE’s network knowledge engine, is used to analyze and sort data stored on high-speed clustered storage at CSE’s collection sites, to facilitate DNS response harvesting, and to de-duplicate data.

The detection of fast-flux botnets, denoted CROSSBOW, relies on target discovery algorithms deployed at CSE SSO sites; the sensors these algorithms run on may be CRUCIBLE servers, low-cost, rapidly deployed passive systems that use Top Secret/Special Intelligence targeting signatures outside Sensitive Compartmented Information Facilities (SCIFs).

Document Published: March 23, 2015
Document Dated: November 2009
Document Length: 14 pages
Associated Article: Communication Security Establishment's cyberwarfare toolbox revealed
Download Document: Cyber Threat Detection

NSA Intelligence Relationship with New Zealand

Summary: This document summarizes the status of the NSA’s relationship with New Zealand’s Government Communications Security Bureau (GCSB). The GCSB has been forced to expend more of its resources on compliance auditing following recommendations made after it exceeded its authority in assisting domestic law enforcement, but it continues to focus on government and Five Eyes priorities and is encouraged to pursue technical interoperability with NSA and other FVEY nations.

The NSA provides GCSB with “raw traffic, processing, and reporting on targets of mutual interest, in addition to technical advice and equipment loans.” The GCSB primarily provides the NSA with access to communications which would otherwise remain inaccessible. These include the communications of China; Japanese, North Korean, Vietnamese and South American diplomats; South Pacific Island nations; Pakistan; India; Iran; and Antarctica; as well as French police and nuclear testing activities in New Caledonia.

Of note, GCSB is a member of SIGINT Seniors Pacific (SSPAC) (includes Australia, Canada, France, India, Korea, New Zealand, Singapore, Thailand, United Kingdom, and United States) as well as SIGINT Seniors Europe (SSEUR) (includes Australia, Belgium, Canada, Denmark, France, Germany, Italy, Netherlands, New Zealand, Norway, Spain, Sweden, United Kingdom, and United States).

Document Published: March 11, 2015
Document Dated: April 2013
Document Length: 3 pages
Associated Article: Snowden revelations: NZ’s spy reach stretches across globe
Download Document: NSA Intelligence Relationship with New Zealand
Classification: TOP SECRET//SI//REL TO USA, FVEY
Authoring Agency: NSA
Codenames: None

SIGINT Development Forum (SDF) Minutes

Summary: This document summarizes the state of signals development amongst the Five Eyes (FVEY). It first outlines the core imperatives for the group, including: ensuring that the top technologies are being identified for use and linked with the capability they bring; improving NSA shaping (targeting routers), while noting that for CSE and GCSB shaping involves “industry engagement and collection bending”; improving pattern-of-life collection and analysis; improving IP address geolocation across the Internet, radio frequency, and GSM realms; and analyzing how the convergence of communications systems and technologies affects SIGINT operations.

Privacy issues were seen as being on the group’s radar, on the basis that the “Oversight & Compliance team at NSA was under-resourced and overburdened.” Neither GCSB nor DSD was able to sponsor or audit analysts’ accounts as the NSA does, and CSEC indicated it had considered funding audit billets; while dismissed at the time, the prospect had re-arisen. At the time the non-NSA FVEY agencies were considering how to implement ‘super-user’ accounts, where specific staff would run queries for counterparts who are not directly authorized to run queries on selected databases.

GCSB, in particular, was developing its first network analyst team in October 2009, which was meant to prove the utility of network analysis so as to obtain additional staff for later supporting STATEROOM and Computer Network Exploitation tasks. Further, GCSB was to continue its work in the South Pacific region, as well as expanding cable access efforts and capabilities during a one-month push. There was also a problem where 20% of GCSB’s analytic workforce lacked access to DSD’s XKEYSCORE, which was an issue given that GCSB provided NSA with raw data. GCSB needed external tools to access the data because its staff are prohibited from accessing New Zealand data.

Document Published: March 11, 2015
Document Dated: June 8-9, 2009
Document Length: 3 pages
Associated Article: Snowden revelations: NZ’s spy reach stretches across globe
Download Document: SIGINT Development Forum (SDF) Minutes
Classification: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: STATEROOM, XKEYSCORE

Open Source for Cyber Defence/Progress

Summary: This GCHQ wiki entry identifies current and future sources of data for cyber defence actions. All of the sources are open source. In the future there are plans to integrate sources of vulnerability intelligence, bulk infrastructure data, as well as a set of miscellaneous kinds of data (e.g. what .gov.uk addresses should be protected).

The wiki entry describes GhostNet as a “known ORB server” under the ‘Bulk Infrastructure Data’ heading. GhostNet was a command and control infrastructure, with control servers located largely in the People’s Republic of China, that was used to target organizations such as foreign embassies and the Tibetan Government-in-Exile. Research on GhostNet was conducted by a collection of academic institutions, including the Citizen Lab at the Munk School of Global Affairs, University of Toronto. Operational Relay Boxes (ORBs) are used by SIGINT agencies as proxies and let SIGINT actors take actions that victims cannot positively attribute to the responsible agency. It is unclear from the document whether GCHQ or other Five Eyes agencies planned to use GhostNet infrastructure as their own ORBs or whether they classified activity coming from that infrastructure as likely attributable to Chinese signals intelligence groups.

Document Published: February 4, 2015
Document Dated: Last Updated June 25, 2012
Document Length: 2 pages
Associated Article: Western Spy Agencies Secretly Rely On Hackers For Intel And Expertise
Download Document: Open Source for Cyber Defence/Progress

Who Else Is Targeting Your Target? Collecting Data Stolen By Hackers

Summary: This NSA bulletin describes CSE’s and GCHQ’s discovery of hackers who were exfiltrating email data from targets of interest to the agencies. CSE and GCHQ exploited the hacker-stolen data (codenamed INTOLERANT) and used it to enrich the agencies’ own data stores. Victims targeted by the hackers, and thus exploited by the SIGINT agencies, fell into the following categories: Indian Diplomatic and Indian Navy, Central Asian Diplomats, Chinese Human Rights Defenders, Tibetan Pro-Democracy Personalities, Uighur Activists, European Special Representative to Afghanistan and Indian photo-journalists, and the Tibetan Government-in-Exile. Though the hackers were believed to be state-sponsored, neither CSE nor GCHQ could positively attribute their actions to a particular state. Canadian, American, or other Five Eyes nations’ institutions that liaise with the victims may have been notified of the hacking, though there is no evidence that the actual victims were notified.

Document Published: February 4, 2015
Document Dated: June 5, 2010 (Last Updated October 11, 2012)
Document Length: 1 page
Associated Article: Western Spy Agencies Secretly Rely On Hackers For Intel And Expertise
Download Document: Who Else Is Targeting Your Target? Collecting Data Stolen By Hackers

LEVITATION and the FFU Hypothesis

Summary: This CSE slide deck describes the effectiveness of the LEVITATION program. LEVITATION is used to monitor and identify persons who download materials from Free File Upload (FFU) sites. At the time of the presentation, LEVITATION monitored for file URLs, as well as for sequential numbers, selector names, and web search terms. In the future CSE proposed integrating GPS data, devices close to places, telephony gaps, information about the targets of foreign SIGINT agencies, and missed call data. The document does not state how integrating this data would enrich the LEVITATION program.

LEVITATION begins with CSE’s Web Operations Centre (CWOC) identifying URLs on FFU sites that link to documents of interest. A special source, codenamed ATOMIC BANJO, provides 10-15 million ‘download events’ to CSE each day from 102 FFU sites. All of these events are available using OLYMPIA, CSE’s network knowledge engine. CSE examines the aggregate events against CWOC’s list of roughly 2,200 URLs, which yields roughly 350 download events of interest each month. It is unclear whether the remaining event data is purged from CSE’s databases.

Information from interesting download events is then processed by CSE. The Establishment first examines whether the IP address associated with the download event was seen by Five Eyes listening posts in the five hours before and after the event. If the IP address was seen, the MARINA or MUTANT BROTH databases are queried to correlate the IP address with personally identifying identifiers in those databases, thus identifying the person who likely downloaded the material in question. MARINA is an NSA database containing intercepted metadata, and GCHQ’s MUTANT BROTH database contains similar metadata. Though not discussed elsewhere, CSE notes successes derived from monitoring file uploads, and then disseminating intelligence to organizations such as the CIA, for intelligence gathering as well.
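
The correlation step above is, mechanically, a time-window join between download events and an IP-to-identifier store. The following added example (not from the leaked slides or from any CSE system; every event, address and cookie identifier in it is constructed, and the function names are my own) runs that join over a small watchlist and shows the two ways it fails: an address with no sighting in the window stays unresolved, and an address that several identifiers shared within the window, as happens behind a NAT, is reported as ambiguous rather than attributed to one person.

```python
from datetime import datetime, timedelta

# Constructed watchlist of URLs of interest (the CWOC list in the slides).
WATCHLIST = {
    "http://ffu.invalid/get/1a2b3c/handbook.pdf",
    "http://ffu.invalid/get/9f8e7d/schematic.zip",
}

# Constructed download events: (time, source ip, url). RFC 5737 addresses.
DOWNLOAD_EVENTS = [
    (datetime(2012, 4, 2, 14, 5), "203.0.113.17", "http://ffu.invalid/get/1a2b3c/handbook.pdf"),
    (datetime(2012, 4, 2, 14, 9), "203.0.113.17", "http://ffu.invalid/get/0000aa/cats.jpg"),
    (datetime(2012, 4, 3, 2, 30), "198.51.100.8", "http://ffu.invalid/get/9f8e7d/schematic.zip"),
    (datetime(2012, 4, 3, 9, 0), "192.0.2.200", "http://ffu.invalid/get/9f8e7d/schematic.zip"),
]

# Constructed sightings: (time, ip, identifier), the kind of IP-to-cookie record a
# metadata store such as MARINA or MUTANT BROTH is described as holding.
SIGHTINGS = [
    (datetime(2012, 4, 2, 11, 0), "203.0.113.17", "cookie:ab12"),
    (datetime(2012, 4, 2, 18, 30), "203.0.113.17", "cookie:ab12"),
    (datetime(2012, 4, 1, 0, 0), "203.0.113.17", "cookie:zz99"),   # outside the window
    (datetime(2012, 4, 3, 1, 0), "198.51.100.8", "cookie:cd34"),
    (datetime(2012, 4, 3, 3, 0), "198.51.100.8", "cookie:ef56"),   # shared address: NAT ambiguity
]


def events_of_interest(events, watchlist):
    """Keep only download events whose URL is on the watchlist."""
    return [e for e in events if e[2] in watchlist]


def identifiers_near(ip, when, sightings, window=timedelta(hours=5)):
    """Identifiers observed from `ip` within +/- `window` of `when`, sorted and de-duplicated."""
    lo, hi = when - window, when + window
    return sorted({ident for t, sip, ident in sightings if sip == ip and lo <= t <= hi})


def resolve(events, sightings, watchlist, window=timedelta(hours=5)):
    """Join watchlisted download events to identifiers and label the outcome.

    'resolved' = exactly one identifier in the window, 'ambiguous' = several
    (the address was shared), 'unresolved' = none seen.
    """
    results = []
    for when, ip, url in events_of_interest(events, watchlist):
        idents = identifiers_near(ip, when, sightings, window)
        if not idents:
            status = "unresolved"
        elif len(idents) == 1:
            status = "resolved"
        else:
            status = "ambiguous"
        results.append({"url": url, "ip": ip, "when": when, "identifiers": idents, "status": status})
    return results


if __name__ == "__main__":
    for r in resolve(DOWNLOAD_EVENTS, SIGHTINGS, WATCHLIST):
        print(f"{r['status']:10s} {r['ip']:14s} {r['identifiers']} {r['url']}")
```

The point of the ambiguity label is that a sighting store cannot tell one user of a shared address from another; a pipeline that collapses the set to its first element would attribute a download to the wrong person silently.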

Document Published: January 27, 2015
Document Dated: Unknown (Post March 2012)
Document Length: 21 pages
Associated Article: CSE tracks millions of downloads daily: Snowden documents
Download Document: LEVITATION and the FFU Hypothesis

Pay attention to that man behind the curtain: Discovering aliens on CNE infrastructure

Summary: This CSE document describes how the Establishment analyzes its targets as part of Counter Computer Network Exploitation (CCNE) operations. CCNE operations draw data from the Computer Network Exploitation (CNE) group, the Global Network Discovery group, and the Cyber Counter Intelligence group. CCNE analyses ideally identify whether a foreign party has already exploited a CSE-targeted device or infrastructure and, if so, which party has done so.

CCNE relies heavily on the outputs of WARRIOR PRIDE, which is CSE’s computer network exploitation platform. These outputs, codenamed REPLICANTFARM, let CCNE identify whether other actors, implant technologies, or other anomalies are present on the targeted device or system.3

As part of its operations, CCNE can use covert infrastructure that is identified and mapped as part of the LANDMARK system. The infrastructure, referred to as ‘Operational Relay Boxes’ (ORBs), lets CCNE plausibly deny its activities.

The core takeaway of this document is that CCNE provides situational awareness to CNE, insofar as it alerts the CNE team to possible cohabitation of common infrastructure. CCNE also lets CSE identify new actors when it detects previously unseen anomalies, as well as track known actors. As a result, CCNE is able to ‘deconflict’ cases where a piece of infrastructure has multiple state agencies intruding upon it, while providing information about the tradecraft and tools used by the foreign actors it discovers.

Document Published: January 17, 2015
Document Dated: June 2010
Document Length: 30 pages
Associated Article: The Digital Arms Race: NSA Preps America for Future Battle
Download Document: Pay attention to that man behind the curtain: Discovering aliens on CNE infrastructure

CSE SIGINT Cyber Discovery: Summary of the current effort

Summary: This CSE slide deck describes the integration between the Counter Computer Network Exploitation (CCNE), Global Network Discovery (GND), and Cyber Counterintelligence (CNT1) units. Whereas CCNE and GND are responsible for collecting data, CNT1 is responsible for analyzing and reporting on the discovered data.

CCNE uses plugins from WARRIOR PRIDE to parse data sent from CSE-exploited devices and systems. CCNE’s goal is to determine if a non-CSE implant or other actor has already exploited the device or system, as well as to evaluate whether anomalous files are present on the device or system, or whether anomalous data traffic is coming from it.

GND uses over 200 sensors deployed around the world to track threats; this sensor network is codenamed EONBLUE. EONBLUE sensors scale to 10Gbps of data traffic and there were plans to increase detection speeds to multi-10Gbps rates. Data traffic is analyzed to discover targets (relying on the SLIPSTREAM machine reconnaissance WARRIOR PRIDE plugin), to track targets (codenamed SNIFFLE), and to extract Domain Name System and HTTP metadata.

As part of future work, GND planned to test EONBLUE’s ability to send metadata into a localized XKEYSCORE database and, potentially, to share metadata with other nations’ XKEYSCORE databases. XKEYSCORE is used to hold raw and unselected communications data. GND also planned to share CSE EONBLUE data with DSD’s EONBLUE program. Curiously, GND also has a system for detecting QUANTUM, which injects data packets into network traffic for computer network exploitation activities.

CNT1 analyzes the data or leads provided by CCNE and GND groups to pursue interesting leads and conducts analyses of information derived from the other groups. Received data can come from special source, warranted, and second party data, malware analysis and reverse engineering, as well as forensic analyses of implants. The analysis is used to produce reports on the anomalies or activities seen by CCNE and GND, as well as to try and attribute the data or leads to specific actors.

Document Published: January 17, 2015
Document Dated: November 2010
Document Length: 22 pages
Associated Article: "The Digital Arms Race: NSA Preps America for Future Battle"
Download Document: CSEC SIGINT Cyber Discovery: Summary of the current effort

TLS Trends: A roundtable discussion on current usage and future directions

Summary: Inspired by their British colleagues, CSE initiated analyses of the warranted4 SSL/TLS traffic it captures. These analyses are designed to identify trends and let CSE proactively understand the state of online encryption. Operationally, the project lets analysts identify the known services that a target used and changes in the target’s use of TLS. The project also provided broader analyses of sites’ TLS traffic.

The slide deck draws its examples from warranted traffic, though it also includes a flow chart for receiving SSL/TLS traffic from a special source. Special source traffic, unlike warranted traffic, is passed into OLYMPIA, CSE’s network knowledge engine.

Future work included conducting trend analyses on special source traffic. Such work also included enhancing collaboration between the team conducting TLS trend analysis and the Establishment’s data mining team.

Document Published: December 28, 2014
Document Dated: Unknown
Document Length: 15 pages
Associated Article: Prying Eyes: Inside the NSA's War on Internet Security
Download Document: TLS Trends: A roundtable discussion on current usage and future directions

Automated NOC Detection

Summary: Major enterprises manage their networks from Network Operations Centres (NOCs). During a March 2011 meeting in Canada, GCHQ and CSE analysts evaluated whether they could implement NOCTURNAL SURGE in OLYMPIA, CSE’s network knowledge engine.

Analysts use NOCTURNAL SURGE to find NOCs. The system draws from pre-existing databases to identify ‘Access Control Lists’. GCHQ draws from the 5-ALIVE database and CSE from the HYPERION databases. Access control lists include commonly used ports that network administrators use in initiating TELNET or SSH connections to systems they administrate. Similar port information is recorded for Virtual Teletype (VTY) lines; VTY is a legacy term associated with older systems’ (e.g. routers) command line interfaces.

Once analysts have combed through the databases using NOCTURNAL SURGE and identified NOCs, those NOCs can be targeted for computer network exploitation operations. Exploitation involves correlating NOC IP addresses with affiliated identifiers from the MUTANT BROTH database. MUTANT BROTH stores correlations between IP addresses and cookies and other identifying data. The QUANTUM INSERT5 exploitation system is used to target administrators after analysts have correlated NOC data with information from MUTANT BROTH.

Document Published: December 13, 2014
Document Dated: Unknown
Document Length: 25 pages
Associated Article: Operation Socialist: The Inside Story of How British Spies Hacked Belgium’s Largest Telco
Download Document: Automated NOC Detection

2nd SCAMP at CSEC process (Part of AURORAGOLD)

Summary: The SCAMP document outlines progress made in enhancing and evaluating existing CSE capabilities focused around signals intelligence. The document does not explicitly address CSE’s network exploitation or government defence operations.

New systems (IRASCIABLE RABBIT and TOYGRIPPE) were integrated with OLYMPIA according to the document. Progress was also made towards identifying virtual private networks of interest for cryptanalysis. The SCAMP document notes that there was ‘progress’ in sharing and analyzing SIGINT-collected International Roaming documents (i.e. IR.21).

The CSE-specific document is part of a larger collection of documents linked to the AURORAGOLD project. AURORAGOLD maintains and collects information about mobile telecommunications networks’ properties so analysts can understand the current state of global mobile networks, trending patterns in the state of these networks, and future evolutions of the networks. Much of this information is contained in IR.21 documents. Also included are e-mail selectors and metadata that are captured alongside the content of the documents themselves. Page 38 of the AURORAGOLD documents indicates that there had been no significant analysis of Canadian mobile telecommunications infrastructure at the time the document was produced.

Significantly, a slide linked to AURORAGOLD includes bullet points about finding, or introducing, vulnerabilities in mobile infrastructures for later exploitation (page 45). It is unclear whether this is a process flow for the AURORAGOLD group itself; it is possible that another party within the NSA or other agency is responsible for these aspects of the signals intelligence or development process.

Document Published: December 4, 2014
Document Dated: Unknown
Document Length: 1 page (SCAMP) // 63 pages (AURORAGOLD)
Associated Article: Operation AURORAGOLD: How the NSA Hacks Cellphone Networks Worldwide
Download Document: SCAMP // AURORAGOLD

Sharing Computer Network Operations Cryptologic Information With Foreign Partners

Summary: This NSA document identifies the extent of the NSA’s cooperation with other nations’ military and intelligence organizations. The policy document applies to sharing computer network exploitation and computer network defence information between intelligence agencies, such as CSE, as well as to sharing cryptologic information with other militaries. Canada is listed as one of the “Tier A: Comprehensive Cooperation” partners along with Australia, New Zealand, and the United Kingdom.

Document Published: October 30, 2014
Document Dated: Unknown (likely November 23, 2005 based on declassification date of November 23, 2029)
Document Length: 2 pages
Associated Article: El CNI facilitó el espionaje masivo de EEUU a España (ES) // Spain colluded in NSA spying on its citizens, Spanish newspaper reports
Download Document: Sharing Computer Network Operations Cryptologic Information With Foreign Partners

LANDMARK (Associated with HACIENDA)

Summary: The LANDMARK presentation outlines CSE’s plan to automate the identification of devices that can be used as operational relay boxes. These boxes (i.e. computer devices and systems that are linked to the internet) are used by CSE and other intelligence partners to provide a level of non-attribution for their activities online. The boxes are also used to access networks or network traffic.

Analysts use LANDMARK to run queries against the aggregate of data that is accessible via CSE’s OLYMPIA network knowledge engine. These queries reveal whether a network is already known to be vulnerable based on historically collected data that is accessible using OLYMPIA, as well as whether any device on the network has already been compromised. This analysis takes less than 5 minutes and has been integrated into OLYMPIA itself.

LANDMARK operates within, or as part of, a broader international intelligence project codenamed HACIENDA. HACIENDA was developed by GCHQ and partnered agencies include CSE, NSA, and ASD. HACIENDA maps the contours of the internet by conducting port scans of Internet-connected devices. The IP addresses of these devices are correlated with geolocation information to situate identified addresses and their corresponding ports. Intelligence partners use HACIENDA information to conduct computer network exploitation and signals discovery operations.

Document Published: August 15, 2014
Document Dated: Unknown
Document Length: 6 pages (LANDMARK) // 26 pages (The HACIENDA Program)
Associated Article: NSA/GCHQ: The HACIENDA Program for Internet Colonization
Download Document: LANDMARK // HACIENDA and LANDMARK

Non-targetable 2nd Party Countries, Territories & Individuals

Summary: This NSA-published document identifies the territories that are controlled or administered by the United States, Australia, the United Kingdom, and New Zealand. Canada is noted as lacking any territories beyond its national borders. The territories controlled or administered by members of the Five Eyes intelligence network cannot be targeted by fellow members of the signals intelligence alliance.

The second page of the document juxtaposes the different signals intelligence targeting authorization requirements between the aforementioned five nations. This juxtaposition includes CSE’s limitations in targeting nationals in Canada, nationals overseas, foreign nationals in Canada, and foreign nationals overseas. Though not included in the document, CSE can and does target Canadians when fulfilling its mandate to assist federal law enforcement and security agencies.

Document Published: June 30, 2014
Document Dated: January 8, 2007
Document Length: 2 pages
Associated Article: Court gave NSA broad leeway in surveillance, documents show
Download Document: Non-targetable 2nd Party Countries, territories & individuals

SNOWGLOBE: From Discovery to Attribution

Summary: CSE’s Counter Intelligence branch identified a spyware-based intelligence program, codenamed SNOWGLOBE, that may have been crafted by France’s intelligence service. SNOWGLOBE was found using the REPLICANTFARM anomaly detection system that is part of CSE’s WARRIOR PRIDE computer network exploitation platform.

Various versions of the spyware implants have been found since November 2009 (SNOWBALL 1, SNOWBALL 2, and SNOWMAN). Together they compose the SNOWGLOBE program. The program’s infrastructure was identified using CSE’s passive collection system (EONBLUE). Infrastructure was found in the US, Canada, UK, Czech Republic, Poland, and Norway. The infrastructure was found on free hosting services as well as attached to existing non-free systems. CSE could not determine whether access to those systems involved the foreign actor using an exploit, special source access, or a combination of the two.

The spyware was found to have infected Iranian (e.g. Atomic Energy Organization), European (e.g. European Financial Association), African, and Canadian organizations. A French-language Canadian news organization was also infected by SNOWGLOBE. Based on the victims, CSE did not believe that SNOWGLOBE fit a cybercrime profile. At the time CSE presented these findings, they could not positively attribute SNOWGLOBE to a particular French intelligence agency, nor could they identify the person(s) running it, nor did CSE know how the French agency gained access to the non-free parts of its infrastructure.

Document Published: March 21, 2014 // January 17, 2015
Document Dated: 2011
Document Length: 9 pages // 25 pages
Associated Article: Quand les Canadiens partent en chasse de ‘Babar’ (Fr); French spy software targeted Canada: report (En); The Digital Arms Race: NSA Preps America for Future Battle
Download Document: SNOWGLOBE: From Discovery to Attribution (9 pages) // SNOWGLOBE: From Discovery to Attribution (Expanded Edition) (25 pages)

IP Profiling Analytics & Mission Impacts

Summary: CSE used domestic Canadian data to develop and test a system to geolocate IP addresses as individuals moved around the world. CSE used IP address information from Canadian airports, hotels, internet cafes, ‘transportation hubs’, conference centres, wifi hotspots, enterprises, libraries, and wireless gateways more generally.

The system was also designed to associate individuals’ identities to ‘air gapped’ communications. An air gap attempts to separate secured from unsecured communications systems. This aspect of the test correlated unencrypted identity-linked information (e.g. web cookies that could be tied to identifiable persons) with air gapped landline phone calls. By correlating the phone information and web cookies CSE and its partners could attribute who was likely to have been making the call.

Document Published: January 30, 2014
Document Dated: May 10, 2012
Document Length: 27 pages
Associated Article: CSEC used airport Wi-Fi to track Canadian travellers: Edward Snowden documents
Download Document: IP Profiling Analytics & Mission Impacts

Mobile Theme Briefing

Summary: This GCHQ briefing presentation outlines the importance of mobile communications devices for the intelligence agency and discusses the development of the Mobile Applications Project. The Mobile Applications Project was created to develop capacities towards mobile applications writ large, as well as to facilitate target-centric analysis of voice, text, computer-to-computer, and geolocation data.

A part of the Mobile Applications Project included GCHQ porting WARRIOR PRIDE to the iPhone. WARRIOR PRIDE is a computer network exploitation program. GCHQ also developed specialized plugins for iOS.

CSE initiated a similar port of WARRIOR PRIDE to the Android platform. The Establishment created Android plugins similar to those created for iOS.

Document Published: January 28, 2014
Document Dated: May 28, 2010
Document Length: 6 pages
Associated Article: Angry Birds and 'leaky' phone apps targeted by NSA and GCHQ for user data
Download Document: Mobile Theme Briefing

NSA Intelligence Relationship with Canada’s Communications Security Establishment Canada (CSEC)

Summary: This NSA memo notes that Canada and the United States enjoy a cooperative relationship that is driven by a mutual desire to protect North America. The memo also discusses that Canada is a large consumer of the NSA’s products and works with the NSA to target approximately 20 countries. It also explains that the NSA provides funds for some CSE research and development projects. In addition to providing analysis of received intelligence, CSE “shares with NSA their unique geographical access to areas unavailable to the U.S.”

Document Published: December 9, 2013
Document Dated: April 3, 2013
Document Length: 2 pages
Associated Article: Snowden document shows Canada set up spy posts for NSA
Download Document: NSA Intelligence Relationship with CSEC

BOUNDLESSINFORMANT Documents (Collection)

Summary: BOUNDLESSINFORMANT is an NSA tool that reveals the Global Access Operations’ (GAO’s) collection capabilities by revealing the volume of metadata record collections that occur against any given country. At a high level, BOUNDLESSINFORMANT can show aggregate records against an entire country, whereas drilling into particular countries will show how many records a given program or cover term is collecting. In addition to record counts, BOUNDLESSINFORMANT provides information about the type of collection (e.g. signals versus communications intelligence) and the contributing SIGINT Activity Designator (SIGAD). SIGADs refer to signals collection stations, such as in diplomatic facilities, at undersea cable landing points, and at internet exchange points, in addition to other locations.

The BOUNDLESSINFORMANT Maps show the amounts of data that can be aggregated against different countries. Page 2 of that document reveals the global aggregate number of records parsed by BOUNDLESSINFORMANT (221,919,881,317) as well as the aggregate number of records collected against the United States (2,095,533,478). The United States is shown in yellow, whereas Canada is shown in green, suggesting there are fewer records collected against Canada than against the United States. Page 3 shows that of the world aggregate of 124,808,692,959 Dial Network Recognition (DNR)6 records, 203,190,032 were collected against the United States. Based on the colouring of the global map, fewer DNR records were collected against Canada.

It is unclear from the slides what ‘collected against’ means; it could refer to data that is shared by nations’ intelligence services or data the NSA collects from its SIGINT sites located within those nations. Alternately, it could include both of these ways of collecting data.

Document Published: June 11, 2013 - December 5, 2013
Document Dated: BOUNDLESSINFORMANT: Describing Mission Capabilities from Metadata Records (July 13, 2012) // BOUNDLESS INFORMANT Frequently Asked Questions (June 9, 2012) // BOUNDLESSINFORMANT Countries Data (Unknown) // BOUNDLESSINFORMANT Maps (January 8, 2007)
Document Length: 8 pages (BOUNDLESSINFORMANT: Describing Mission Capabilities from Metadata Records) // 3 pages (BOUNDLESS INFORMANT Frequently Asked Questions) // 15 pages (BOUNDLESSINFORMANT Countries Data) // 2 pages (BOUNDLESSINFORMANT Maps)
Associated Articles: Boundless Informant: the NSA's secret tool to track global surveillance data // France in the NSA's crosshair : phone networks under surveillance // La NSA espió 60 millones de llamadas en España en sólo un mes // Friedrichs Wunschliste: Datensaugen wie die NSA // NSA-files repeatedly show collection of data «against countries» - not «from» // Revealed: How the Nsa Targets Italy
Download Documents: BOUNDLESSINFORMANT: Describing Mission Capabilities from Metadata Records // BOUNDLESS INFORMANT Frequently Asked Questions // BOUNDLESSINFORMANT Countries Data // BOUNDLESSINFORMANT Maps

Cheltenham Working Document (Fragments)

Summary: Only 4 of the Cheltenham Working Document’s 48+ paragraphs were published. Paragraph 4 summarizes CSE’s inability to share bulk, unselected data with other intelligence agencies circa 2008. Also included are summaries of the ASD’s general willingness to share unredacted metadata with its intelligence partners so long as those partners do not intend to target Australian nationals using the shared data.

Document Published: December 2, 2013
Document Dated: April 22-23, 2008 (Alleged)
Document Length: 4 pages
Associated Article: Australian spy agency offered to share data about ordinary citizens
Download Document: Cheltenham Working Document (Fragments)

And They Said To The Titans: Watch Out Olympians In The House

Summary: This slide deck discusses the OLYMPIA system that CSE uses, and used, to monitor the Brazilian Ministry of Mines and Energy. After a brief introduction to OLYMPIA, the authors demonstrate how the system was used as part of a signals intelligence development operation. The operation was successful in analyzing the Brazilian targets’ telecommunications environment and, as a result, there were subsequent proposals to conduct network exploitation, passive tasking, and human intelligence-enabled operations to collect information concerning the targets’ communications.

Document Published: November 30, 2013
Document Dated: June 2012
Document Length: 18 pages
Associated Article: Read a CSEC document that was first acquired by Edward Snowden
Download Document: And They Said To the Titans: Watch Out Olympians In The House

NSA Lends Support to Upcoming G8 and G20 Summits in Canada

Summary: This NSA memo outlines the kinds of support that the Agency will provide to G8 and G20 event security. The event took place in Canada.

The NSA identified the primary threats as “issue-based extremists” who had engaged in vandalism at past Summits. The NSA and broader Intelligence Community did not assess a credible terrorist threat to the event. It is unclear whether the Community referred to is the American Intelligence Community or if it includes the Five Eyes and other parties.

NSA support planning was coordinated with the Canadian Special U.S. Liaison Officer in Ottawa (SUSLOO). NSA officers were not physically in the threat integration centre at the U.S. Embassy in Ottawa. They instead operated through the Director of National Intelligence Representative in Ottawa. The memo also recognizes that the National Security Operations Centre (NSOC) would “provide reachback” to Targets of Primary Interest (TOPIs) as well as policy support.

Document Published: November 27, 2013
Document Dated: June 23, 2010
Document Length: 4 pages
Associated Article: New Snowden docs show U.S. spied during G20 in Toronto
Download Document: NSA Lends Support to Upcoming G8 and G20 Summits in Canada

STATEROOM Guide (NSA)

Summary: The STATEROOM Guide outlines the classification of facts about covert signals intelligence collection that takes place from diplomatic facilities. Included in the leaked document are two screenshots of a much larger Guide.

Canada is noted, on page 2, as hosting intelligence collection sites at some Canadian diplomatic facilities. Notably these covert sites are “small in size and number of personnel staffing them” and “their true mission is not known by the majority of the diplomatic staff at the facility where they are assigned.” It is unclear from the document whether these collection sites are run by CSE or host NSA equipment or operations.

Document Published: October 28, 2013
Document Dated: Unknown
Document Length: 2 pages
Associated Article: US on Spying Scandal: 'Allies Aren't Always Friends’
Download Document: STATEROOM Guide (NSA)

Memorandum Of Understanding (MOU) Between the National Security Agency/Central Security Service (NSA/CSS) And The Israeli SIGINT National Unit (INSU) Pertaining To The Protection Of U.S. Persons

Summary: This NSA document outlines the privacy protections and policies that the Israeli SIGINT National Unit (INSU) agrees to in order to receive ‘raw SIGINT’. Raw SIGINT includes collected data that has not been “evaluated for foreign intelligence and minimized.” Minimization involves evaluating whether a U.S. person’s identity is essential to “understand the significance of the foreign intelligence.” Per the document, citizens of Canada, Australia, the United Kingdom, and New Zealand enjoy the same protections as Americans.

INSU is expected not to use U.S.-supplied equipment or raw intelligence to target Canadians (or other ‘U.S. Persons’), to limit access to raw intelligence generally, to only disseminate raw-intelligence-based information after shielding the identities of Canadians/U.S. Persons (and to receive written permission from the NSA prior to disclosing shielded identities), to retain files containing Canadians’/U.S. Persons’ information for no more than one year, and to only process communications that refer “to activities, policies, and views of U.S. officials” for non-intelligence purposes.

It is unclear from the document whether protections ascribed to U.S. government officials, such as members of the Executive Branch, U.S. House of Representatives and Senate, or U.S. Federal Court system, also are ascribed to equivalent Canadian government officials. Similarly, it is unclear whether CSE would provide written authority to disclose Canadians’ identities to INSU customers. However, since the memorandum is between the NSA and INSU, CSE might not be contacted directly by INSU about revealing the identities of Canadians to Israeli intelligence customers.

Document Published: September 11, 2013
Document Dated: Unknown (likely March 2009)
Document Length: 5 pages
Associated Article: NSA shares raw intelligence including Americans’ data with Israel
Download Document: Memorandum Of Understanding (MOU) Between the National Security Agency/Central Security Service (NSA/CSS) And The Israeli SIGINT National Unit (INSU) Pertaining To The Protection Of U.S. Persons

CSE Procedures Documents

Forthcoming.

Office of the Communications Security Establishment Commissioner Reports

Footnotes

  1. Formally known as the Communications Security Establishment Canada (CSEC).
  2. The ASD was formerly known as the Defence Signals Directorate (DSD).
  3. Codenamed actors monitored for include: MAKERSMARK / FANNER, SEEDSPHERE / BYZANTINE (i.e. China), ALOOFNESS, VOYEUR, SUPERDRAKE, and GOSSIPGIRL. The documents note that selectors for CCNE are always approved against actors such as MAKERSMARK for WATERMARK operations. The document does not reveal what such operations entail.
  4. It is unclear how CSE is using the term ‘warranted’. It could refer to the collection of information when providing assistance to other federal agencies under the Establishment’s mandate (c), or to an alternate meaning of the term.
  5. The QUANTUM series involves modifying packet streams, such that individuals either receive modified data or are redirected to compromised websites controlled by either the NSA or GCHQ.
  6. DNR records include metadata about telephony events. DNR records can be contrasted with Digital Network Intelligence (DNI) records, which are metadata linked with Internet-based events.