CSE Covernames/Programs and Suggested Use/Implementation

This page contains a listing of covernames associated with the Communications Security Establishment (CSE). CSE is responsible for providing signals intelligence (SIGINT) and information assurance services to the government of Canada, as well as assistance to federal agencies.

I have produced similar lists for Government Communications Headquarters (GCHQ), Australian Signals Directorate (ASD), Government Communications Security Bureau (GCSB), and National Security Agency (NSA). You may also want to visit Electrospaces.net, which has also developed lists of covernames for some of the above-mentioned agencies.

In some cases, you may find that covernames are listed across different agencies. This results from how covername lists have often been created, which involved close reading of documents that were associated with different agencies and then listing covernames under the agency which authored the documents. In all cases, I would suggest you search across agency covername lists when researching a given covername.

All material provided below is derived from publicly available documents, books, and other resources. Descriptions of what the covernames mean or refer to are done on a best-effort basis; if you believe there is additional publicly referenced material derived from CSE documents which could supplement descriptions, please let me know. Entries will be updated periodically as additional materials become available.

Last updated January 12, 2023.


#

FIVE ALIVE (5-ALIVE) – This covername refers to a prototype GCHQ database used to retain 5-TUPLE metadata (Automated NOC Detection, 11). This dataset had a record of each IP event seen, consisting of the 5-tuple (time stamp, source IP, source port, destination IP, destination port) plus some information on session length and size (HIMR Data Mining Research Problem Book, 11). See also: GCHQ covernames.

8BALL – This covername refers to a wrapper which is used to process email attachments, and is associated with PONYEXPRESS. It is designed to rebuild email SMTP sessions and, subsequently, to extract metadata and content to generate alerts for analysts and to catch new implants or their first stages that are delivered using email attachments (CSEC ITS/N2E Cyber Threat Discovery, 37).

A

AGGPONY – This covername refers to part of the PONYEXPRESS defensive program operated by the CSE to, in part, defend Government of Canada networks and devices from external threats. AGGPONY collated information from SCANPONY and POOLCUE, which were responsible for scanning metadata and attachments, respectively (Cyber Network Defence R&D Activities, 11).

ALOOFNESS – This covername refers to a signature in REPLICANT FARM for a known actor, filename, process, or covert store (Pay attention to that man behind the curtain: Discovering clients on CNE infrastructure, 17) that pertained to an actor whose shortcode was AF (Pay attention to that man behind the curtain: Discovering clients on CNE infrastructure, 13).

ATHENA – This covername refers to a database which included port information. It was accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 6).

ATLAS – This covername refers to a database which included geolocation and network information (e.g. data range and IP address information) (Synergising Network Analysis Tradecraft: Network Tradecraft Advancement Team (NTAT), 13), some of which included Government of Canada network information. It was accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 6).

ATOMICBANJO – This covername refers to a Special Source Operation (SSO) that was collecting HTTP metadata for 102 known Free File Upload (FFU) sites, and was identifying about 10-15 million FFU events each day. These events were available through OLYMPIA (LEVITATION and the FFU Hypothesis, 9).

AURORAGOLD – This NSA covername refers to a program to gather and analyze GSM/UMTS networks and network information: see NSA covernames.

B

BLACKPEARL – This covername refers to a database which included survey information. It was accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 6). See NSA covernames.

BLACKINGANGEL – This covername refers to a GCHQ implant, and was detected by CSE’s REPLICANTFARM as part of deconfliction processes (Pay attention to that man behind the curtain: Discovering aliens on CNE infrastructure, 13).

BLAZINGSADDLES – This refers to a GCHQ database. See GCHQ Covernames.

BOLSHIEPOSSUM – This covername refers to a Question Focused Dataset (QFD) that was designed to process signalling over IP analysis (SCAMP, 1).

BYZANTINE – This covername refers to a signature in REPLICANT FARM for a known actor, filename, process, or covert store (Pay attention to that man behind the curtain: Discovering clients on CNE infrastructure, 17). It likely refers to Chinese threat actors (BYZANTINE HADES: An Evolution of Collection).

C

CANDLEGLOW – This covername refers to the FORNSAT collection that was used as part of the EONBLUE program (SNOWGLOBE: From Discovery to Attribution, 9), though CANDLEGLOW presumably pre-dates the EONBLUE program.

CARBON – This refers to a file or process which was detected by REPLICANTFARM. CARBON was associated with MAKERSMARK, a covername which referred to Russian operators (Pay attention to that man behind the curtain: Discovering aliens on CNE infrastructure, 13).

CARBONCOPY – This covername refers to analyses that the CSE conducted with regards to billing records and SIGINT collected data, and which showed there was a significant disparity between the Establishment’s view of the world and ground truth reality (HIMR Data Mining Research Problem Book, 31).

CASCADE – CASCADE was operated on non-government of Canada networks as well as Government of Canada networks, and was designed to analyze network traffic. The analysis involved discovering and tracking targets, as well as isolating content or metadata from traffic exposed to the network probes (CSEC Cyber Threat Capabilities: SIGINT and ITS: an end-to-end approach). The CASCADE project, broadly, sought to standardize Information Technology Security (ITS) and SIGINT sensors, so that the different versions could be seamlessly integrated and enable a common analyst platform for captured data (CASCADE: Joint Cyber Sensor Architecture). Within the CASCADE program were a series of differently-classified and covernamed network sensors. Some could capture metadata and content alike (EONBLUE and INDUCTION) whereas others could solely collect and analyze metadata (THIRD-EYE and CRUCIBLE) (CASCADE: Joint Cyber Sensor Architecture). All of these sensors relied on deep packet inspection technology, which enables operators to analyze the metadata and contents of unencrypted communications and take actions on it, such as blocking certain traffic or modifying other traffic (CSEC Cyber Threat Capabilities: SIGINT and ITS: an end-to-end approach).

CASSIOPEIA

CATAPULT – See NSA covernames.

CHAINGUARD –

CHOCOPOP – This covername refers to a component of SNOWGLOBE (Pay attention to that man behind the curtain: Discovering aliens on CNE infrastructure, 23). SNOWGLOBE was believed to be a French-speaking operator, which was ultimately discovered to be French intelligence.

CHOKEPOINT – This covername refers to a GCHQ solution which was used as part of EONBLUE’s Foreign Satellite (FORNSAT) mission (CASCADE: Joint Cyber Sensor Architecture, 6). See GCHQ covernames.

CHORDFLIER – This covername refers to a file identification and retrieval plugin for WARRIORPRIDE, which was useful for Counter Computer Network Exploitation (CCNE) (CSE SIGINT Cyber Discovery: Summary of the current effort, 8).

CIVETCAT –  This refers to a file or process which was detected by REPLICANTFARM. CIVETCAT was associated with the United Kingdom (Pay attention to that man behind the curtain: Discovering aliens on CNE infrastructure, 13).

COEUS – This covername refers to a database which included WHOIS information. It was accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 7).

CORNERPOCKET – This covername refers to part of the PONYEXPRESS defensive program operated by CSE to, in part, defend Government of Canada networks and devices from external threats. CORNERPOCKET was the covername for the part of the PONYEXPRESS program that scanned unencoded attachments (Cyber Network Defence R&D Activities, 11).

COVENANT – This is the covername for CSIS’s Section 16 authorized, warranted, collection of data traffic that was conducted by CSE on behalf of CSIS.

CRAFTYSHACK – This covername refers to a wiki used for tradecraft documentation (Synergising Network Analysis Tradecraft: Network Tradecraft Advancement Team (NTAT), 8).

CROSSBOW – This covername refers to CSE’s fast flux botnet detection. It involved a target-discovery algorithm that was deployed at CSE’s Special Source Operations (SSO) sites and detected botnets that used the DNS protocol for command and control (Cyber Threat Detection, 6).

CRUCIBLE – This covername refers to a sensor that was part of the CASCADE program, which was an effort to align CSE’s ITS and SIGINT sensors. CRUCIBLE sensors were deployed in newly emerging pre-SCIF environments and were capable of tracking metadata from Top Secret-derived signatures (CASCADE: Joint Cyber Sensor Architecture, 4-5). The sensor was to be deployed at Government of Canada departments as well as in systems of importance (CASCADE: Joint Cyber Sensor Architecture, 19).

D

DANAUS – This covername refers to a database which was used for reverse DNS lookups. It was accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 6).

DAREDEVIL – This covername refers to GCHQ’s scalable, flexible, and portable CNE platform that paralleled the Canadian WARRIORPRIDE program. Some plugins were used for machine recon and operational security assessments, as well as for counter computer network operations. Specifically, the plugins enabled machine reconnaissance, implant detection, rootkit detection, file identification and retrieval, DNS analysis, and network sniffing and characterization. See GCHQ covernames.

DARKSPACE – This covername refers to a deception technique adopted by CSE that leveraged a Special Source Operation (SSO) for I&W (CSEC Cyber Threat Capabilities: SIGINT and ITS: an end-to-end approach, 22).

DEADSEA – This covername refers to either an ability to share metadata, or a repository within which CSE retained some metadata (CSE SIGINT Cyber Discovery: Summary of the current effort, 18).

DIESELRATTLE – This covername refers to a ‘friend’ of SEEDSPHERE (Cyber Threat Detection, 3). It was integrated into REPLICANTFARM to detect processes or files used by allies and adversaries, and may refer to a United Kingdom process (Pay attention to that man behind the curtain: Discovering aliens on CNE infrastructure, 13).

DISHFIRE

DOGHOUSE – This refers to a file or process which was detected by REPLICANTFARM. DOGHOUSE was associated with MAKERSMARK, a covername which referred to Russian operators (Pay attention to that man behind the curtain: Discovering aliens on CNE infrastructure, 13).

DOURMAGNUM – This covername was a reference to Imam Hussein University, in Iran. CSE identified an implant at that location while investigating another unattributed actor (Pay attention to that man behind the curtain: Discovering clients on CNE infrastructure, 22); the implant’s process was coded as SNOWGLOBE CHOCOPOP (Pay attention to that man behind the curtain: Discovering clients on CNE infrastructure, 24), with SNOWGLOBE attributed to a French actor (Pay attention to that man behind the curtain: Discovering clients on CNE infrastructure, 26) (and confirmed as activity by France by a French intelligence chief).

DOWNGRADE – This covername refers to a ‘friend’ of SEEDSPHERE (Cyber Threat Detection, 3).

E

EONBLUE – This covername refers to a SIGINT program which was used defensively as part of the CASCADE program, which was an effort to align CSE’s ITS and SIGINT sensors. EONBLUE took over 8 years to develop and was used by CSE for passive cyber threat detection, and, as of November 2010, had over 200 sensors around the globe. It was designed to track known threats, discover unknown threats, and provide “[d]efence at the core of the Internet” (CSE SIGINT Cyber Discovery: Summary of the current effort, 13). The program took in data from Myricom network cards that operated at 10Gbps network flows, and then retained 2GB in a packet buffer while separately engaging in target tracking (covername: SNIFFLE) and DNS and HTTP metadata production, as well as target discovery (covername: SLIPSTREAM) (CSE SIGINT Cyber Discovery: Summary of the current effort, 14). In 2010 there were plans for EONBLUE to share signatures as well as anomalies across sensor networks (CSE SIGINT Cyber Discovery: Summary of the current effort, 17) and, as part of EONBLUE, it was capable of detecting QUANTUM-like behaviours (CSE SIGINT Cyber Discovery: Summary of the current effort, 16). Longer-term, there were plans to move EONBLUE-detected events into a local, and then federated, XKEYSCORE system. Such events would apply to metadata as well as content. There were also plans to send EONBLUE cues to CSE special source operations and passive programs, and enable EONBLUE to send and receive cues with GCHQ and DSD (CSE SIGINT Cyber Discovery: Summary of the current effort, 18). EONBLUE was designed to enable defensive operations vis-a-vis: robust communication with host-based capabilities; direct manipulation of network communications; and interaction with telco infrastructure to effect change (CASCADE: Joint Cyber Sensor Architecture, 28).

The capabilities of EONBLUE in 2011 included full-take (on specific accesses), signature-based discovery, as well as anomaly-based discovery. For threat tracking, EONBLUE relied on Deep Packet Inspection (DPI) signatures for ‘known’ intrusions whereas, for cyber threat discovery, the sensors relied on anomaly detection for discovering unknown intrusions (Cyber Threat Detection, 1). EONBLUE’s additional features were offloaded and existed downstream of the sensors, and included: an analytic environment, data flow and targeting, and oversight and compliance tools (CASCADE: Joint Cyber Sensor Architecture, 4). There were many ‘shades’ of EONBLUE, which included INDUCTION (capable of multiple Gbps, analyzed content and metadata), THIRD-EYE (engaged solely in metadata processing in unclassified situations), and CRUCIBLE (metadata-only tracking, for unclassified situations) (CASCADE: Joint Cyber Sensor Architecture, 5). EONBLUE-class sensors were deployed along a Secure Channel, as well as at points in foreign Internet space where they could collect Foreign Satellite information and radio-telecommunications information (CASCADE: Joint Cyber Sensor Architecture, 19).

EVILOLIVE – This covername refers to a database which contained geolocation information. It was accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 6).

F

FANNER – This covername refers to a signature in REPLICANT FARM for a known actor, filename, process, or covert store (Pay attention to that man behind the curtain: Discovering clients on CNE infrastructure, 17).

FASCIA – See NSA covernames.

FASTBALL

FASTFLUX – This covername refers to a metadata sharing and tipping/cueing activity that took place between CSE and GCHQ as part of CSE’s cyber threat detection operations (CSE SIGINT Cyber Discovery: Summary of the current effort, 18).

FLOWPONY – This covername refers to part of the PONYEXPRESS defensive program operated by CSE to, in part, defend Government of Canada networks and devices from external threats. FLOWPONY was responsible for intaking messages into the rest of the PONYEXPRESS scanning system (Cyber Network Defence R&D Activities, 11) and conducting TCP session reconstruction (Cyber Network Defence R&D Activities, 12).

FRETTINGYETI

FRIARTUCK – This covername refers to a database which contained VPN events. It was accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 7).

G

GAZEBO – This covername refers to a type of access to communications that took place in foreign Internet space using EONBLUE sensors to process radio-based communications (CASCADE: Joint Cyber Sensor Architecture, 19).

GLOBALTIPPER – See NSA covernames.

GOLDENCARRIAGE – This refers to corporate servers used by AURORAGOLD. See NSA covernames.

GOSSIPGIRL – This covername refers to a signature in REPLICANT FARM for a known actor, filename, process, or covert store (Pay attention to that man behind the curtain: Discovering clients on CNE infrastructure, 17).

H

HACIENDA – This covername refers to a GCHQ bulk port scanning project (Automated NOC Detection, 19). More specifically, this was a fully operational port scanning tool used by JTRIG to scan an entire country or city. It used GEOFUSION to identify IP locations. Banners and content were pulled back on certain ports. Content was put into the EARTHLING database, and all other scanned data was sent to GNE and is available through GLOBALSURGE and Fleximart (JTRIG tools and techniques, 3). See GCHQ covernames.

HALTERHITCH – This covername refers to a signature management system and replaced a previously used system. It was also to be used for targeting processes; in 2010, there were plans to open the SIGINT-related HALTERHITCH program to ITS for signature sharing as well as with Five Eyes partners to retrieve signatures (CSE SIGINT Cyber Discovery: Summary of the current effort, 18). See GCHQ covernames.

HYPERION – This covername refers to a database that was used to store 5-TUPLE metadata (Automated NOC Detection, 11). This included IP-IP communications summaries. It was accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 6).

I

INDUCTION – This covername refers to a sensor that was part of the CASCADE program, which was an effort to align CSE’s ITS and SIGINT sensors. INDUCTION sensors were deployed to conduct Top Secret content and metadata processing for targeting and discovery purposes. The actual processing was distributed and considered cloud-based (CASCADE: Joint Cyber Sensor Architecture, 4-5). INDUCTION sensors operated at the main Special Source Operations (SSO) locations at the borders between Canadian Internet space and foreign Internet space (CASCADE: Joint Cyber Sensor Architecture, 19).

INTOLERANT – See NSA covernames.

IRASCIABLEHARE – This covername refers to a GCHQ Question Focused Dataset (QFD) that entailed analyzing or collecting data on GPRS Roam Exchange (GRX) operators who transmitted data over VPNs (2nd SCAMP at CSEC, 1). See GCHQ covernames.

IRASCIABLERABBIT – See GCHQ covernames.

IRRITANTHORN (OP IRRITANTHORN) – This covername refers to an experiment wherein CSE tested tradecraft by exploring whether they could identify connections between a potentially ‘revolutionary’ country and mobile applications servers. CSE successfully correlated connections with application servers which opened up the potential to conduct Man in the Middle attacks or effect operations towards the mobile devices, as well as the potential to harvest data in transit and at rest from the devices. In the profiling of mobile applications servers it appears that EONBLUE was used to collect information about a company named Poynt; that company’s application was being used by Blackberry users, and the servers profiled were located in Calgary, Alberta (Canada). (Synergising Network Analysis Tradecraft: Network Tradecraft Advancement Team (NTAT), 12-21).

J

JAZZFLUTE

JUBILEECORONA – This is an NSA covername that refers to WIMAX data which was collected (AURORAGOLD Working Group, 14). See NSA covernames.

L

LANDMARK – This covername refers to an automated tradecraft process designed to further expand Computer Network Exploitation (CNE) covert infrastructure. Using OLYMPIA, CSE’s network knowledge engine with automated tradecraft, analysts were able to develop lists of potential devices with exploitable vulnerabilities that could be used as Operational Relay Boxes (ORBs) (LANDMARK Presentation Outline).

LASEX –  This refers to a file or process which was detected by REPLICANTFARM. LASEX was associated with the United Kingdom (Pay attention to that man behind the curtain: Discovering aliens on CNE infrastructure, 13).

LEVITATE – This covername refers to a database which included information pertaining to Free File Upload (FFU) events. It was accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 6).

LEVITATION – This covername refers to a behaviour-based target discovery project that sought to correlate access to certain files with specific digital network identifiers (DNIs) and, subsequently, to the persons behind those identifiers (LEVITATION and the FFU Hypothesis). At one point, likely in 2012, it was focused on about 2,200 URLs that pointed to documents of interest to CSE and, out of approximately 300-465 million events recorded each month, the program identified about 350 interesting download events per month (LEVITATION and the FFU Hypothesis, 9). Information from interesting download events was then processed by CSE. The CSE first examined whether the IP address associated with the download event had been seen five hours previous and following the event by Five Eyes listening posts. If the IP address was seen, the MARINA or MUTANT BROTH databases were queried to correlate the IP address with personally-identifying identifiers in those databases, thus identifying the person who likely downloaded the material in question. MARINA was an NSA database containing intercepted metadata and GCHQ’s MUTANT BROTH database contained similar metadata.

LODESTONE – This covername refers to a scanning detection capability (Cyber Threat Detection, 7).

LONGRUN – This covername refers to a dataset that was accessible using OLYMPIA, CSE’s network knowledge engine with automated tradecraft (LANDMARK Presentation Outline, 3).

M

MADRIGAL – This is a covername used to refer to CSIS Section 16 warranted surveillance powers, and which was assisted by the CSE. This covername was adopted in the 1980s, which corresponds with CSIS’ inception (Robinson, “CSE’s Transition from the Industrial Age to the Information Age”).

MAILPONY – This covername refers to part of the PONYEXPRESS defensive program operated by CSE to, in part, defend Government of Canada networks and devices from external threats. MAILPONY took in data from SMTPPONY and outputted it to METAPONY (Cyber Network Defence R&D Activities, 11) and, in the process, engaged in RFC822 email parsing and MIME attachment extraction (Cyber Network Defence R&D Activities, 12).

MAINWAY – See NSA covernames.

MAKERSMARK (MM) – This covername refers to a signature in REPLICANT FARM for a known actor, filename, process, or covert store (Pay attention to that man behind the curtain: Discovering clients on CNE infrastructure, 17). MAKERSMARK is the covername for Russian operators (Pay attention to that man behind the curtain: Discovering clients on CNE infrastructure, 2). See NSA covernames.

MARINA  – This covername refers to a database which included Target Detection Identifier (TDI) information. It was accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 6). See NSA covernames.

MASTERSHAKE – This covername refers to a database which contained information about VSAT terminals. It was accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 7). See NSA covernames.

METAPONY – This covername refers to part of the PONYEXPRESS defensive program operated by CSE to, in part, defend Government of Canada networks and devices from external threats. METAPONY sent the metadata and attachments to SCANPONY (Cyber Network Defence R&D Activities, 11) and, in the process, conducted an evaluation and scoring of parsed metadata (Cyber Network Defence R&D Activities, 12).

MUTANT BROTH –  See GCHQ covernames.

N

NAMEDROPPER – This covername refers to a plugin in WARRIORPRIDE, which was used to assess DNS information (Pay attention to that man behind the curtain: Discovering aliens on CNE infrastructure, 8).

NOCTURNAL SURGE – This covername refers to a GCHQ tool that was used to identify Network Operation Centres (Automated NOC Detection). See GCHQ covernames.

O

OCTSKYWARD – This NSA covername refers to a database which included information about GSM cell phones, such as MCC and LAIC. It was accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 7). See NSA covernames.

OLYMPIA – This covername refers to the CSE’s network knowledge engine with automated tradecraft (LANDMARK Presentation Outline, 3). Tradecraft includes the ability to determine vulnerable devices the CSE can use as Operational Relay Boxes (LANDMARK Presentation Outline, 5) by way of running a DNS query to determine a given IP range, a network range to port scan, or IP address to network range (LANDMARK Presentation Outline, 6).

P

PACKAGEDGOODS (PG) – This NSA covername refers to a database which contained traceroutes information. It was accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 6). See NSA covernames.

PEITHO – This covername refers to a database which included credentials. It was accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 6). More broadly, the database held TDI Online Events information (Synergising Network Analysis Tradecraft: Network Tradecraft Advancement Team (NTAT), 18).

PENTAHO – This covername is used by GCHQ and CSE alike. CSE used it for tradecraft modelling. GCHQ’s use of TIDAL SURGE was based on “AS”, whereas CSE’s use was based on country (Automated NOC Detection, 9). This covername may have been how GCHQ and CSE refer to Hitachi’s Pentaho Data Integration tool (see: http://www.pentaho.com/product/data-integration).

PEPPERBOX – This covername refers to a database that contained targeting requests. It was accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 7).

PHOENIX – This covername refers to an effort to “push” new moduli for testing against publicly known weaknesses associated with TLS/SSL connections (TLS Trends: A roundtable discussion on current usage and future directions, 14).

PHOTONICPRISM (P2) – This covername refers to a defensive sensor network that was designed to protect Government of Canada networks and devices from external threats. It was also known as ‘P2’ and was composed of SLIPSTREAM, POPQUIZ, PONYEXPRESS, and Snort rules (Cyber Network Defence R&D Activities, 3). PHOTONICPRISM was a 10Gb/s sensor (Cyber Network Defence R&D Activities, 10) that included full-take packet capture, signature-based detection, anomaly-based discovery, an analytic environment, and oversight compliance tools (CASCADE: Joint Cyber Sensor Architecture, 4).

PILGRIM – This covername refers to the CSE’s surveillance from Canadian embassies, which began in the 1980s (Robinson, “CSE’s Transition from the Industrial Age to the Information Age”).

PLINKO

PONYEXPRESS – This covername refers to a defensive program operated by CSE to, in part, defend Government of Canada networks and devices from external threats. It was part of PHOTONICPRISM (Cyber Network Defence R&D Activities, 3). It functioned to scan email metadata and attachments, and was made up of a series of ‘Pony’ components, such as FLOWPONY, SMTPPONY, MAILPONY, METAPONY, SCANPONY, AGGPONY, and SYNCPONY, with the actual scanning framework being composed of the POOLTABLE scanning framework (Cyber Network Defence R&D Activities, 11).

POOLCUE – This covername refers to part of the PONYEXPRESS defensive program operated by CSE to, in part, defend Government of Canada networks and devices from external threats. POOLCUE was the covername for scan results of email metadata and attachments (Cyber Network Defence R&D Activities, 11).

POOLTABLE – This covername refers to part of the PONYEXPRESS defensive program operated by CSE to, in part, defend Government of Canada networks and devices from external threats. POOLTABLE was the scanning framework for email metadata and attachments (Cyber Network Defence R&D Activities, 11).

POPEYESEAR

POPQUIZ – This covername refers to a defensive program operated by CSE to, in part, defend Government of Canada networks and devices from external threats. It was part of PHOTONICPRISM (Cyber Network Defence R&D Activities, 3).

PROMETHEUS – This covername refers to a database which included Computer Network Operation (CNO) event summaries. It was accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 6).

Q

QUANTUM – This covername refers to an NSA worldwide implant infrastructure. The infrastructure used various tools to inject exploits, intercepted communications through Man in the Middle and Man on the Side attacks, and rerouted calls and emails through the NSA’s collection points (Gellman, Dark Mirror, 199). The CSE noted that QUANTUM was “easy to find” by analyzing the first content carrying packet and subsequently checking for sequence number duplication where duplicates have different payload sizes. Where content differs between the two packets by 10% then there is the possibility that a QUANTUM packet is being detected (CSEC SIGINT Cyber Discovery: Summary of the current effort, 16). See NSA covernames and see GCHQ covernames.

QUANTUM INSERT (QI) – See NSA covernames.

QUIVERINGSQUAB – This refers to a file or process which was detected by REPLICANTFARM. QUIVERINGSQUAB was associated with the United Kingdom (Pay attention to that man behind the curtain: Discovering aliens on CNE infrastructure, 13).

QUOVA – This covername refers to a database which included information about anonymizers and geolocation maps. It was accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 6).

R

REGBACKUP – This refers to a file or process which was detected by REPLICANTFARM. REGBACKUP was associated with MAKERSMARK, a covername which referred to Russian operators (Pay attention to that man behind the curtain: Discovering aliens on CNE infrastructure, 13).

REPLICANTFARM – This covername refers to an aspect of CSE’s Counter Computer Network Exploitation (CCNE) operations. REPLICANTFARM leveraged WARRIORPRIDE’s XML output by applying a module-based parser/alert system that ran on real-time CNE operational data. Some of the module-based analysis could alert about actors, implant technology, host-based signatures, or network-based attributes. (CSE SIGINT Cyber Discovery: Summary of the current effort, 10). There were over 14 additional generic modules, including ones that look for cloaked material, packed files, System 32 ‘variables’, strange DLL extensions, and kernel cloaking (CSE SIGINT Cyber Discovery: Summary of the current effort, 10).

S

SAMUELPEPYS – See GCHQ covernames.

SCANPONY – This covername refers to part of the PONYEXPRESS defensive program operated by CSE to, in part, defend Government of Canada networks and devices from external threats. SCANPONY analyzed the metadata associated with an email message and passed attachments for scanning to CORNERPOCKET (Cyber Network Defence R&D Activities, 11) after conducting analysis pre-processing and scan dispatching (Cyber Network Defence R&D Activities, 12).

SCORPIOFORE – See NSA covernames.

SEEDSPHERE – This covername refers to a signature in REPLICANT FARM for a known actor, filename, process, or covert store (Pay attention to that man behind the curtain: Discovering clients on CNE infrastructure, 17). Specifically, SEEDSPHERE referred to Chinese operators (Pay attention to that man behind the curtain: Discovering aliens on CNE infrastructure, 13).

SHARPR – This refers to a file or process which was detected by REPLICANTFARM. SHARPR was associated with SEEDSPHERE, a covername which referred to Chinese operators (Pay attention to that man behind the curtain: Discovering aliens on CNE infrastructure, 13).

SHEPHERD – This refers to a file or process which was detected by REPLICANTFARM. SHEPHERD was associated with MAKERSMARK, a covername which referred to Russian operators (Pay attention to that man behind the curtain: Discovering aliens on CNE infrastructure, 13).

SIENNABLUE – This covername refers to a ‘friend’ of SEEDSPHERE (Cyber Threat Detection, 3).

SLINGSHOT – This covername refers to a database which included end product reports, partly based on SIGINT data forwarded by the NSA (JESI: Don’t Lose That Number!, 1). It was accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 6).

SLIPSTREAM – This covername refers to a defensive program operated by CSE to, in part, defend Government of Canada networks and devices from external threats. It was part of PHOTONICPRISM (Cyber Network Defence R&D Activities, 3), and was more broadly part of CSE’s Global Network Discovery (GND) operations (CSE SIGINT Cyber Discovery: Summary of the current effort, 7), as well as part of the target discovery aspect of EONBLUE (CSE SIGINT Cyber Discovery: Summary of the current effort, 14). As of 2010 there were over 50 modules associated with SLIPSTREAM, including: RFC validation, heuristic checks, periodicity, simple encryption, streaming attack detection, and analyst utilities (CSE SIGINT Cyber Discovery: Summary of the current effort, 15).

SMTPPONY – This covername refers to part of the PONYEXPRESS defensive program operated by CSE to, in part, defend Government of Canada networks and devices from external threats. SMTPPONY took data from FLOWPONY and passed it to MAILPONY (Cyber Network Defence R&D Activities, 11) after conducting SMTP parsing and header extraction (Cyber Network Defence R&D Activities, 12).

SNIFFLE – This covername refers to the target tracking aspects of EONBLUE (CSE SIGINT Cyber Discovery: Summary of the current effort, 14).

SNOWBALL – This covername refers to an implant that was linked to SNOWGLOBE activities (SNOWGLOBE: From Discovery to Attribution). Victims of the SNOWBALL-class of implants included those in Iran, a French-language Canadian media organization, parties in Greece, France, Norway, Spain, as well as Ivory Coast and Algeria (SNOWGLOBE: From Discovery to Attribution, 17).

SNOWBALL2 – This covername refers to an implant that was linked to SNOWGLOBE activities (SNOWGLOBE: From Discovery to Attribution). Victims of the SNOWBALL-class of implants included those in Iran, a French-language Canadian media organization, parties in Greece, France, Norway, Spain, as well as Ivory Coast and Algeria (SNOWGLOBE: From Discovery to Attribution, 17).

SNOWGLOBE – This covername refers to a signature in REPLICANTFARM for a known actor, filename, process, or covert store (Pay attention to that man behind the curtain: Discovering clients on CNE infrastructure, 17). CSE believed it to be a French-speaking actor, and the actor’s intelligence priorities suggested that it was a nation-state actor as opposed to a criminal organization, though CSE could not determine with certainty which agency might have driven the operation (SNOWGLOBE: From Discovery to Attribution, 22, 24).

SNOWMAN – This covername refers to an implant that was linked to SNOWGLOBE activities. It was discovered in mid-2010 (SNOWGLOBE: From Discovery to Attribution, 7).

SOCIALIST (OP SOCIALIST) – See GCHQ covernames.

SSLINST – This refers to a file or process which was detected by REPLICANTFARM. WINBEE was associated with SEEDSPHERE, a covername which referred to Chinese operators (Pay attention to that man behind the curtain: Discovering aliens on CNE infrastructure, 13).

STALKER – This covername refers to a database which contained web forum events. It was accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 7).

STARSEARCH – This covername refers to a database which contained target knowledge. It was accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 7).

STATEROOM – This covername refers to diplomatic facilities from which covert Signals Intelligence operations took place (STATEROOM Guide, 1).

STEPHANIE – This covername refers to a covert interception station in the Canadian embassy during the 1960s and 1970s. STEPHANIE’s equipment was supplied by the NSA, and it intercepted many radio and telephone signals which were broadcast from the top of the Ostankino radio and television tower in Moscow. The collection was linked with the collection of Soviet intercept-based intelligence that was given the covername GAMMAGUPPY by the NSA (The Secret Sentry: The Untold History of the National Security Agency, 152).

STRATOS – This covername refers to a database which holds GPRS events. It was accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 6).

STREAMINGSENTRY

STRIPSEARCH – This covername refers to the system that stood in front of Government of Canada networks for defensive network operations (CSEC Cyber Threat Capabilities: SIGINT and ITS: an end-to-end approach, 15).

SUNWHEEL

SUPERDRAKE – This covername refers to a signature in REPLICANTFARM for a known actor, filename, process, or covert store (Pay attention to that man behind the curtain: Discovering clients on CNE infrastructure, 17).

SYNCPONY – This covername refers to part of the PONYEXPRESS defensive program operated by CSE to, in part, defend Government of Canada networks and devices from external threats. SYNCPONY aggregated information from the PONYEXPRESS output buffer and subsequently passed it to the PONYEXPRESS output (Cyber Network Defence R&D Activities, 11).

T

TERMINALSURGE – This covername refers to a database which was used to retain telnet session information collected by GCHQ’s Network Access Centre (Automated NOC Detection, 15). See GCHQ covernames.

TEXPRO

THIRD-EYE – This covername refers to a sensor that was part of the CASCADE program, which was an effort to align CSE’s ITS and SIGINT sensors. THIRD-EYE sensors were deployed to conduct unclassified processing on metadata at select new sites (CASCADE: Joint Cyber Sensor Architecture, 4-5). This sensor-type was deployed in Government of Canada networks as well as in foreign Internet space (CASCADE: Joint Cyber Sensor Architecture, 19).

TIDALSURGE – This covername refers to a database which contained router configurations. It was accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 6). This database scheme was also implemented for GCHQ and DSD. GCHQ’s use of TIDALSURGE was based on Autonomous Systems (ASes), whereas the CSE’s use was based on country (Automated NOC Detection, 9).

TINYWEB – This covername refers to an element of REPLICANTFARM and, specifically, a file or process (Pay attention to that man behind the curtain: Discovering aliens on CNE infrastructure, 13).

TONTO – This covername refers to part of the PONYEXPRESS defensive program operated by CSE to, in part, defend Government of Canada networks and devices from external threats. TONTO took metadata and attachment scan results to format alerts based on what was detected (Cyber Network Defence R&D Activities, 11).

TOYGRIPPE – This covername refers to a database which contained both non-detailed and detailed VPN event information. While one document indicates that it was accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 7), another suggests that it was not going to be integrated into OLYMPIA (SCAMP, 1). See NSA covernames.

TRITON – This covername refers to a database which contained information about TOR nodes. It was accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 7).

TWINSERPENT – This covername refers to a database which held phone book information, and included DNR selectors and free text. It was accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 7).

U

UMBRA – This codename refers to a top secret code for highly classified documents (AURORAGOLD Working Group, 6).

V

VOYEUR – This NSA/GCHQ covername refers to a signature in REPLICANTFARM for a known actor, filename, process, or covert store (Pay attention to that man behind the curtain: Discovering clients on CNE infrastructure, 17). See NSA covernames.

W

WALKER – This refers to a file or process which was detected by REPLICANTFARM. WALKER was associated with MAKERSMARK, a covername which referred to Russian operators (Pay attention to that man behind the curtain: Discovering aliens on CNE infrastructure, 13).

WARRIORPRIDE (WP) – This covername refers to the CSE’s scalable, flexible, and portable CNE platform that paralleled the GCHQ’s DAREDEVIL program. Some plugins were used for machine recon and operational security assessments, as well as for counter computer network operations. Specifically, the plugins enabled machine reconnaissance, implant detection, rootkit detection, file identification and retrieval, DNS analysis, and network sniffing and characterization (CSE SIGINT Cyber Discovery: Summary of the current effort, 8). The CSE and GCHQ worked to port WARRIORPRIDE to the Android platform and completed the activity in the third quarter of 2010 (Mobile Briefing, 6). WARRIORPRIDE is an implementation of the WZOWSKI 5-eyes API (CSE – Pay attention to that man behind the curtain: Discovering aliens on CNE infrastructure, 6).

WATERMARK – This covername refers to an operation conducted against MAKERSMARK (CSE – Pay attention to that man behind the curtain: Discovering aliens on CNE infrastructure, 19). MAKERSMARK was a covername for Russian operators.

WINBEE – This refers to a file or process which was detected by REPLICANTFARM. WINBEE was associated with SEEDSPHERE, a covername which referred to Chinese operators (Pay attention to that man behind the curtain: Discovering aliens on CNE infrastructure, 13).

WINDO – This refers to a file or process which was detected by REPLICANTFARM. WINDO was associated with the United Kingdom (Pay attention to that man behind the curtain: Discovering aliens on CNE infrastructure, 13).

WINDOWKEY – This refers to a file or process which was detected by REPLICANTFARM. WINDOWKEY was associated with the United Kingdom (Pay attention to that man behind the curtain: Discovering aliens on CNE infrastructure, 13).

WORMWOOD – This covername refers to a plugin for WARRIORPRIDE, and was used for network sniffing characterization (Pay attention to that man behind the curtain: Discovering aliens on CNE infrastructure, 8).

X

XKEYSCORE (XKS) – This covername refers to a system for intaking and sharing information linked with content sharing. Content-based collection and sharing using XKS was proposed in 2010, and would be used as part of CSE’s defensive operations (CSE SIGINT Cyber Discovery: Summary of the current effort, 18). See NSA covernames, and see GCHQ covernames.