This page contains a listing of covernames associated with the Communications Security Establishment (CSE). CSE is responsible for providing signals intelligence (SIGINT) and information assurance services to the government of Canada, as well as assistance to federal agencies.

I have produced similar lists for the Government Communications Headquarters (GCHQ) and Government Communications Security Bureau (GCSB). A list for the National Security Agency (NSA) is forthcoming. You may also want to visit Electrospaces.net, which has also developed lists of covernames for some of the above mentioned agencies, as well as the National Security Agency (NSA).

All material provided below is derived from publicly available documents, books, and other resources. Descriptions of what the covernames mean or refer to are done on a best-effort basis; if you believe there is additional publicly referenced material derived from CSE documents which could supplement these descriptions, please let me know. Entries will be updated periodically as additional materials become available.


#

FIVE ALIVE (5-ALIVE) – This covername refers to a prototype database used to retain 5-TUPLE metadata (Automated NOC Detection, 11). This dataset has a record of each IP event seen, consisting of the 5-tuple (time stamp, source IP, source port, destination IP, destination port) plus some information on session length and size (HIMR Data Mining Research Problem Book, 11). See also: GCHQ covernames.

8BALL


A

AGGPONY – This covername refers to part of the PONYEXPRESS defensive program operated by CSE to, in part, defend Government of Canada networks and devices from external threats. AGGPONY collates information from SCANPONY and POOLCUE, which were responsible for scanning metadata and attachments, respectively (Cyber Network Defence R&D Activities, 11).

ALOOFNESS – This covername refers to a signature in REPLICANT FARM for a known actor, filename, process, or covert store (Pay attention to that man behind the curtain: Discovering clients on CNE infrastructure, 17).

ARK – This covername refers to a database which contains traceroute information. It’s accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 7). This is a publicly accessible database, available from http://www.caida.org/projects/ark/ (Bad guys are everywhere, good guys are somewhere!, 10).

ATHENA – This covername refers to a database which includes ports information. It’s accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 6).

ATLAS – This covername refers to a database which includes geolocation and network information (e.g. data range and IP address information) (Synergising Network Analysis Tradecraft: Network Tradecraft Advancement Team (NTAT), 13), some of which includes Government of Canada network information. It’s accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 6).

ATOMICBANJO – This covername refers to a Special Source Operations (SSO) site that was collecting HTTP metadata for 102 known Free File Upload (FFU) sites, and was identifying about 10-15 million FFU events each day. These events were available through OLYMPIA (LEVITATION and the FFU Hypothesis, 9).

AURORAGOLD – This NSA covername refers to a program to gather and analyze GSM/UMTS networks and network information (AURORAGOLD, 6). This program involves collecting unclassified information, such as a complete replica of Informa Telecoms and Media’s World Cellular Information Service (WCIS) queryable database, as well as classified data. Classified data includes SIGINT-collected IR.21 (International Roaming agreement) documents from around the world, which are parsed for their information, analyzed, and presented so that users can trend this information over time (time-series analysis). In addition, e-mail selectors from within IR.21s and from SIGINT metadata are captured, analyzed, and managed back into the SIGINT system for enhanced collection (AURORAGOLD, 2).


B

BLACKPEARL – This covername refers to a database which includes survey information. It’s accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 6). See also: NSA covernames.

BLAZINGSADDLES – This is a GCHQ database. See: GCHQ Covernames.

BOLSHIEPOSSUM – This covername refers to a Query Focused Data (QFD) that is designed to process signalling over IP analysis (SCAMP, 1).

BYZANTINE – This covername refers to a signature in REPLICANT FARM for a known actor, filename, process, or covert store (Pay attention to that man behind the curtain: Discovering clients on CNE infrastructure, 17). It likely refers to Chinese threat actors (BYZANTINE HADES: An Evolution of Collection).


C

CANDLEGLOW – This covername refers to the FORNSAT collection that is used as part of the EONBLUE program (SNOWGLOBE: From Discovery to Attribution, 9), though CANDLEGLOW presumably pre-dates the EONBLUE program.

CARBONCOPY – This covername refers to analyses that the CSE conducted with regards to billing records and SIGINT collected data, and which showed there was a significant disparity between the Establishment’s view of the world and ground truth reality (HIMR Data Mining Research Problem Book, 33).

CASCADE – CASCADE was operated on non-government of Canada networks as well as Government of Canada networks, and was designed to analyze network traffic. The analysis involved discovering and tracking targets, as well as isolating content or metadata from traffic exposed to the network probes (CSEC Cyber Threat Capabilities: SIGINT and ITS: an end-to-end approach). The CASCADE project, broadly, sought to standardize Information Technology Security (ITS) and SIGINT sensors, so that the different versions could be seamlessly integrated and enable a common analyst platform for captured data (CASCADE: Joint Cyber Sensor Architecture). Within the CASCADE program were a series of differently-classified and covernamed network sensors. Some could capture metadata and content alike (EONBLUE and INDUCTION) whereas others could solely collect and analyze metadata (THIRD-EYE and CRUCIBLE) (CASCADE: Joint Cyber Sensor Architecture). All of these sensors relied on deep packet inspection technology, which enables operators to analyze the metadata and contents of unencrypted communications and take actions on it, such as blocking certain traffic or modifying other traffic (CSEC Cyber Threat Capabilities: SIGINT and ITS: an end-to-end approach).

CASSIOPEIA

CHAINGUARD

CHOKEPOINT – This covername refers to a GCHQ solution which was used as part of EONBLUE’s Foreign Satellite (FORNSAT) mission (CASCADE: Joint Cyber Sensor Architecture, 6).

COEUS – This covername refers to a database which includes WHOIS information. It’s accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 7).

CONVERGENCE – This term is capitalized, once, in the Synergising Network Analysis Tradecraft: Network Tradecraft Advancement Team document, but may refer to work related to the technology convergence discussed on the earlier pages of the same document.

CORNERPOCKET – This covername refers to part of the PONYEXPRESS defensive program operated by CSE to, in part, defend Government of Canada networks and devices from external threats. CORNERPOCKET was the covername for the part of the PONYEXPRESS program that scanned unencoded attachments (Cyber Network Defence R&D Activities, 11).

COVENANT – This is the covername for CSIS’s Section 16 authorized, warranted, collection of data traffic that is conducted by CSE on behalf of CSIS.

CRAFTYSHACK – This covername refers to a wiki used for tradecraft documentation (Synergising Network Analysis Tradecraft: Network Tradecraft Advancement Team (NTAT), 8).

CROSSBOW – This covername refers to CSE’s fast flux botnet detection. It involves a target-discovery algorithm that is deployed at CSE’s Special Source Operations (SSO) sites and detects botnets that use the DNS protocol for command and control (Cyber Threat Detection, 6).

CRUCIBLE – This covername refers to a sensor that was part of the CASCADE program, which was an effort to align CSE’s ITS and SIGINT sensors. CRUCIBLE sensors were deployed in newly emerging pre-SCIF environments and capable of tracking metadata from Top Secret-derived signatures (CASCADE: Joint Cyber Sensor Architecture, 4-5). The sensor was to be deployed at Government of Canada departments as well as in systems of importance (CASCADE: Joint Cyber Sensor Architecture, 19).


D

DANAUS – This covername refers to a database which is used for reverse DNS lookups. It’s accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 6).

DAREDEVIL – This covername refers to GCHQ’s scalable, flexible, and portable CNE platform that parallels the Canadian WARRIORPRIDE program. Some plugins are used for machine recon and operational security assessments, as well as for counter computer network operations. Specifically, the plugins enable machine reconnaissance, implant detection, rootkit detection, file identification and retrieval, DNS analysis, and network sniffing and characterization.

DARKSPACE – This covername refers to a deception technique adopted by CSE that leverages a Special Source Operation (SSO) for I&W (CSEC Cyber Threat Capabilities: SIGINT and ITS: an end-to-end approach, 22).

DEADSEA – This covername refers to either an ability to share metadata, or a repository within which CSE retains some metadata (CSE SIGINT Cyber Discovery: Summary of the current effort, 18).

DIESELRATTLE – This covername refers to a ‘friend’ of SEEDSPHERE (Cyber Threat Detection, 3).

DISHFIRE – This covername refers to a SMS repository and retrieval analysis tool (TAC’s Target Development Services (TDS): In the Spotlight and Behind the Scenes, 2).

DOURMAGNUM – This covername is a reference to Imam Hussein University. CSE identified an implant at that location while investigating another unattributed actor (Pay attention to that man behind the curtain: Discovering clients on CNE infrastructure, 22); the implant’s process was coded as SNOWGLOBE CHOCOPOP (Pay attention to that man behind the curtain: Discovering clients on CNE infrastructure, 24), with SNOWGLOBE attributed to a French actor (Pay attention to that man behind the curtain: Discovering clients on CNE infrastructure, 26) (and confirmed as activity by France by a French intelligence chief).

DOWNGRADE – This covername refers to a ‘friend’ of SEEDSPHERE (Cyber Threat Detection, 3).

DREAMYSMURF – This covername is for an iPhone specific plugin that GCHQ uses to manage or analyze power management (Capability – iPhone).


E

EONBLUE – This covername refers to a SIGINT program which is used defensively as part of the CASCADE program, which was an effort to align CSE’s ITS and SIGINT sensors. EONBLUE took over 8 years to develop and is used by CSE for passive cyber threat detection, and as of this slide’s production had over 200 sensors around the globe. It was designed to track known threats, discover unknown threats, and provide “[d]efence at the core of the Internet” (CSE SIGINT Cyber Discovery: Summary of the current effort, 13). The program intakes data from Myricom network cards that operate at 10Gbps network flows and then retains 2GB in a packet buffer while separately engaging in target tracking (covername: SNIFFLE) and DNS and HTTP metadata production, as well as target discovery (covername: SLIPSTREAM) (CSE SIGINT Cyber Discovery: Summary of the current effort, 14). In 2010 there were plans for EONBLUE to share signatures as well as anomalies across sensor networks (CSE SIGINT Cyber Discovery: Summary of the current effort, 17). As part of EONBLUE, it was capable of detecting QUANTUM-like behaviours (CSE SIGINT Cyber Discovery: Summary of the current effort, 16). Longer-term, there were plans to move EONBLUE-detected events into a local, and then federated, XKEYSCORE system. Such events would apply to metadata as well as content. There were also plans to send EONBLUE cues to CSE special source operations and passive programs, and to enable EONBLUE to send and receive cues with GCHQ and DSD (CSE SIGINT Cyber Discovery: Summary of the current effort, 18). EONBLUE was designed to enable defensive operations through: robust communication with host-based capabilities; direct manipulation of network communications; and interaction with telco infrastructure to effect change (CASCADE: Joint Cyber Sensor Architecture, 28).

The capabilities of EONBLUE in 2011 included full-take (on specific accesses), signature-based discovery, as well as anomaly-based discovery. For threat tracking, EONBLUE relies on Deep Packet Inspection (DPI) signatures for ‘known’ intrusions whereas, for cyber threat discovery, the sensors rely on anomaly detection for discovering unknown intrusions (Cyber Threat Detection, 1). EONBLUE’s additional features are offloaded and exist downstream of the sensors, and include: an analytic environment, data flow and targeting, and oversight and compliance tools (CASCADE: Joint Cyber Sensor Architecture, 4). There were many ‘shades’ of EONBLUE, which included INDUCTION (capable of multiple Gbps, analyzed content and metadata), THIRD-EYE (engaged solely in metadata processing in unclassified situations), and CRUCIBLE (metadata-only tracking, for unclassified situations) (CASCADE: Joint Cyber Sensor Architecture, 5). EONBLUE-class sensors were deployed along Secure Channel, as well as at points in foreign Internet space where they could collect Foreign Satellite information and radio-telecommunications information (CASCADE: Joint Cyber Sensor Architecture, 19).

Documents released about EONBLUE have principally focused on its use for defensive purposes, though the same sensors are capable of collecting metadata and intelligence for more traditional foreign intelligence and signals intelligence operations.

EVILOLIVE – This covername refers to a database which contains geolocation information. It’s accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 6) and is an NSA database.


F

FANNER – This covername refers to a signature in REPLICANT FARM for a known actor, filename, process, or covert store (Pay attention to that man behind the curtain: Discovering clients on CNE infrastructure, 17) and is related to MAKERSMARK.

FASCIA – NSA’s corporate COMINT call event repository is called FASCIA II. This database provided access to metadata records on: telephone[,] wireless[,] billing data[,] media over IP (MoIP)[,] and high-powered cordless phone (HPCP)[.] In future, FASCIA II was planned to provide more sources for all of the above, plus INMARSAT and email (also known as DNI) metadata (The Rewards of Metadata, 1).

FASTBALL

FASTFLUX – This covername refers to a metadata sharing and tipping/cueing activity that takes place between CSE and GCHQ as part of CSE’s cyber threat detection operations (CSE SIGINT Cyber Discovery: Summary of the current effort, 18).

FLOWPONY – This covername refers to part of the PONYEXPRESS defensive program operated by CSE to, in part, defend Government of Canada networks and devices from external threats. FLOWPONY is responsible for intaking messages into the rest of the PONYEXPRESS scanning system (Cyber Network Defence R&D Activities, 11) and conducting TCP session reconstruction (Cyber Network Defence R&D Activities, 12).

FRETTING YETI

FRIARTUCK – This covername refers to a database which contains VPN events. It’s accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 7).


G

GAZEBO – This covername refers to a type of access to communications that take place in foreign Internet space using EONBLUE sensors to process radio-based communications (CASCADE: Joint Cyber Sensor Architecture, 19).

GLOBALTIPPER

GNDB – This covername or acronym refers to a range of mobile network information, including IMSI, LAIC, and ITU E164. It’s accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 7).

GOLDENCARRIAGE

GOSSIPGIRL – This covername refers to a signature in REPLICANT FARM for a known actor, filename, process, or covert store (Pay attention to that man behind the curtain: Discovering clients on CNE infrastructure, 17).


H

HACIENDA – This covername refers to a GCHQ bulk port scanning project (Automated NOC Detection, 19). More specifically, this is a fully operational port scanning tool used by JTRIG to scan an entire country or city. It uses GEOFUSION to identify IP locations. Banners and content are pulled back on certain ports. Content is put into the EARTHLING database, and all other scanned data is sent to GNE and is available through GLOBALSURGE and Fleximart (JTRIG tools and techniques, 3).

HALTERHITCH – This covername refers to a signature management system and replaces a previously used system. It was also to be used for targeting processes; in 2010, there were plans to open the SIGINT-related HALTERHITCH program to ITS for signature sharing as well as with Five Eyes partners to retrieve signatures (CSE SIGINT Cyber Discovery: Summary of the current effort, 18).

HYPERION – This covername refers to a database that is used to store 5-TUPLE metadata (Automated NOC Detection, 11). This includes IP-IP communications summaries. It’s accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 6).


I

INDUCTION – This covername refers to a sensor that was part of the CASCADE program, which was an effort to align CSE’s ITS and SIGINT sensors. INDUCTION sensors were deployed to conduct Top Secret content and metadata processing for targeting and discovery purposes. The actual processing was distributed and considered cloud-based (CASCADE: Joint Cyber Sensor Architecture, 4-5). INDUCTION sensors operated at the main Special Source Operations (SSO) locations at the borders between Canadian Internet space and foreign Internet space (CASCADE: Joint Cyber Sensor Architecture, 19).

IRASCIABLEHARE – This covername refers to a Query Focused Data (QFD) that entails analyzing or collecting data on GPRS Roam Exchange (GRX) operators who transmit data over VPNs (SCAMP, 1).

IRASCIABLERABBIT


J

JAZZFLUTE

JUBILEECORONA – This is a NSA covername that refers to WIMAX data which is collected (AURORAGOLD, 28).


L

LANDMARK – This covername refers to an automated tradecraft process designed to further expand Computer Network Exploitation (CNE) covert infrastructure. Using OLYMPIA (CSE’s network knowledge engine with automated tradecraft), analysts are able to develop lists of potential devices with exploitable vulnerabilities that can be used as Operational Relay Boxes (ORBs) (LANDMARK Presentation Outline).

LEVITATE – This covername refers to a database which includes information pertaining to Free File Upload (FFU) events. It’s accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 6).

LEVITATION – This covername refers to a behaviour-based target discovery project that sought, among other things, to correlate access to certain files to specific target detection identifiers (TDIs) and, subsequently, to the persons behind those identifiers (LEVITATION and the FFU Hypothesis). At one point it was focused on about 2,200 URLs that pointed to documents of interest to CSE and, out of approximately 300-465 million events recorded a month, the program identified about 350 interesting download events per month (LEVITATION and the FFU Hypothesis, 9). Information from interesting download events is then processed by CSE. The Establishment first examines whether the IP address associated with the download event was seen by Five Eyes listening posts in the five hours before and after the event. If the IP address was seen, then the MARINA or MUTANT BROTH databases are queried to correlate the IP address with personally-identifying identifiers in those databases, thus identifying the person who likely downloaded the material in question. MARINA is a NSA database containing intercepted metadata and GCHQ’s MUTANT BROTH database contains similar metadata.

LODESTONE – This covername refers to a scanning detection capability (Cyber Threat Detection, 7).

LONGRUN – This covername refers to a dataset that is accessible using OLYMPIA, CSE’s network knowledge engine with automated tradecraft (LANDMARK Presentation Outline, 3).


M

MADRIGAL – This is a covername used to refer to CSIS Section 16 warranted surveillance powers, which are assisted by the CSE. This covername was adopted in the 1980s, which corresponds with CSIS’ inception (Robinson, “CSE’s Transition from the Industrial Age to the Information Age”).

MAILPONY – This covername refers to part of the PONYEXPRESS defensive program operated by CSE to, in part, defend Government of Canada networks and devices from external threats. MAILPONY intakes data from SMTPPONY and outputs it to METAPONY (Cyber Network Defence R&D Activities, 11) and, in the process, engages in RFC822 e-mail parsing and MIME attachment extraction (Cyber Network Defence R&D Activities, 12).

MAINWAY – This covername refers to a NSA repository tool. MAINWAY was used for storage, contact chaining, and for analyzing large volumes of global communications metadata (ST-09-0002 Working Draft).

MAKERSMARK – This covername refers to a signature in REPLICANT FARM for a known actor, filename, process, or covert store (Pay attention to that man behind the curtain: Discovering clients on CNE infrastructure, 17).

MARINA – This covername refers to a database which includes Target Detection Identifier (TDI) information. It’s accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 6). MARINA is a database created by the NSA. See: NSA Covernames.

MASTERSHAKE – This covername refers to a database which contains information about VSAT terminals. It’s accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 7).

METAPONY – This covername refers to part of the PONYEXPRESS defensive program operated by CSE to, in part, defend Government of Canada networks and devices from external threats. METAPONY sends the metadata and attachments to SCANPONY (Cyber Network Defence R&D Activities, 11) and, in the process, conducts an evaluation and scoring of parsed metadata (Cyber Network Defence R&D Activities, 12).

MUTANT BROTH – This covername refers to a database which retains all Target Detection Identifiers (TDIs) in bulk (Target Detection Identifiers, 14). TDIs have a type (e.g. Yahoo-Y-cookie) and a value (e.g. tom123@yahoo.com) (Black Hole Analytics, 7). The database is used to create a profile of a target’s activities (Black Hole Analytics, 8) by correlating it with a range of other Question Focused Databases (QFDs) (Blazing Saddles, 1-4). At one point, the database retained 4 months of data, which amounted to 7.7 TB of data. Extending retention to 6 months was estimated to use 11.55 TB of space (Data Stored in BLACK HOLE, 2). Information in this database includes presence events (Event (SIGINT), 4). When used to assist in targeting Belgacom for OP SOCIALIST, MUTANT BROTH was used to identify TDIs/selectors coming from previously identified ranges and proxies (Mobile Networks in My NOC World, 14).


N

NOCTURNAL SURGE – This covername refers to a GCHQ tool that is used to identify Network Operation Centres (Automated NOC Detection).

NOSEYSMURF – This covername is for an iPhone specific plugin that GCHQ uses to activate the mic on the phone (Capability – iPhone).


O

OCTSKYWARD – This covername refers to a database which includes information about GSM cell phones, such as MCC and LAIC. It’s accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 7).

OLYMPIA – This covername refers to the CSE’s network knowledge engine with automated tradecraft (LANDMARK Presentation Outline, 3). Tradecraft includes the ability to determine vulnerable devices the CSE can use as Operational Relay Boxes (LANDMARK Presentation Outline, 5) by way of running a DNS query to determine a given IP range, a network range to port scan, or IP address to network range (LANDMARK Presentation Outline, 6).

OP IRRITANTHORN – This covername refers to an experiment where CSE tested tradecraft by exploring whether they could identify connections between a potentially ‘revolutionary’ country and mobile application servers. They successfully correlated connections with application servers, which opened up the potential to conduct Man in the Middle attacks or effects operations towards the mobile devices, as well as the potential to harvest data in transit and at rest from the devices. In the profiling of mobile application servers it appears that EONBLUE was used to collect information about a company named Poynt; that company’s application was being used by Blackberry users, and the servers profiled were located in Calgary, Alberta (Canada) (Synergising Network Analysis Tradecraft: Network Tradecraft Advancement Team (NTAT), 12-21).

OP SOCIALIST – This covername refers to a Network Analysis Centre (NAC) event focused on exploitation of a GRX operator (Mobile Networks in My NOC World, 7). A core focus of this was to enable Computer Network Exploitation (CNE) access to Belgacom; after compromising its GRX routers GCHQ intended to undertake Man-in-the-Middle (MITM) operations against targets roaming on smartphones while, also, expanding the NAC’s breadth of knowledge about GRX operators (Mobile Networks in My NOC World, 9). Ultimately, after identifying engineering and support staff and targeting them with QUANTUM INSERT, GCHQ successfully achieved CNE access: this meant the agency could further target Belgacom staff, expand internal CNE access throughout the Belgacom network with the ultimate goal of implanting GRX routers, and to better understand Belgacom’s network, credentials assigned to staff, and identification of different staff and their associated roles (Mobile Networks in My NOC World, 20).

OPULENTPUP – This GCHQ covername refers to a requirement adopted by GCHQ to ‘prosecute’ A5/3 enciphered GSM air-interface interceptions by changing each part of the current A5/1 processing chain (TALIS Phase 2 Test & TTO Plan, 1).


P

PACKAGEDGOODS – This covername refers to a database which contains traceroute information. It’s accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 7).

PARANOIDSMURF – This covername is for an iPhone specific plugin that GCHQ uses to employ self-protection, presumably of the SMURF-malware family (Capability – iPhone).

PEITHO – This covername refers to a database which includes credentials. It’s accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 6). More broadly, the database holds TDI Online Events information (Synergising Network Analysis Tradecraft: Network Tradecraft Advancement Team (NTAT), 18).

PENTAHO – This covername is used by GCHQ and CSE alike. CSE uses it for tradecraft modelling. GCHQ’s use of TIDAL SURGE is based on AS, whereas CSE’s use is based on country (Automated NOC Detection, 9). It may be how GCHQ and CSE refer to Hitachi’s Pentaho Data Integration tool (see: http://www.pentaho.com/product/data-integration).

PEPPERBOX – This covername refers to a database that contains targeting requests. It is accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 7).

PHOENIX – This covername refers to an effort to “push” new moduli for testing against publicly known weaknesses associated with TLS/SSL connections (TLS Trends: A roundtable discussion on current usage and future directions, 14).

PHOTONICPRISM – This covername refers to a defensive sensor network that was designed to protect Government of Canada networks and devices from external threats. It was also known as ‘P2’ and was composed of SLIPSTREAM, POPQUIZ, PONYEXPRESS, and Snort rules (Cyber Network Defence R&D Activities, 3). PHOTONICPRISM was a 10Gb/s sensor (Cyber Network Defence R&D Activities, 10) that included full-take packet capture, signature-based detection, anomaly-based discovery, an analytic environment, and oversight compliance tools (CASCADE: Joint Cyber Sensor Architecture, 4).

PILGRIM – This covername refers to CSE’s surveillance from Canadian embassies, which began in the 1980s (Robinson, “CSE’s Transition from the Industrial Age to the Information Age”).

PINWHEEL

PLINK

PONYEXPRESS – This covername refers to a defensive program operated by CSE to, in part, defend Government of Canada networks and devices from external threats. It was part of PHOTONICPRISM (Cyber Network Defence R&D Activities, 3). It functioned to scan email metadata and attachments, and was made up of a series of ‘Pony’ components, such as FLOWPONY, SMTPPONY, MAILPONY, METAPONY, SCANPONY, AGGPONY, and SYNCPONY, with the actual scanning framework being composed of the POOLTABLE scanning framework (Cyber Network Defence R&D Activities, 11).

POOLCUE – This covername refers to part of the PONYEXPRESS defensive program operated by CSE to, in part, defend Government of Canada networks and devices from external threats. POOLCUE was the covername for scan results of email metadata and attachments (Cyber Network Defence R&D Activities, 11).

POOLTABLE – This covername refers to part of the PONYEXPRESS defensive program operated by CSE to, in part, defend Government of Canada networks and devices from external threats. POOLTABLE was the scanning framework for email metadata and attachments (Cyber Network Defence R&D Activities, 11).

POPQUIZ – This covername refers to a defensive program operated by CSE to, in part, defend Government of Canada networks and devices from external threats. It was part of PHOTONICPRISM (Cyber Network Defence R&D Activities, 3).

PORUS – This covername is for an iPhone specific plugin that GCHQ uses to ensure kernel stealth on the device, presumably for the SMURF-malware or exploit family (Capability – iPhone).

PROMETHEUS – This covername refers to a database which includes Computer Network Operation (CNO) event summaries. It’s accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 6).


Q

QUANTUM – This covername refers to a suite of tools developed by the NSA to engage in man-on-the-side attacks, which often entail tricking Internet client software to re-direct to FOXACID servers instead of visiting the intended website or domain. FOXACID servers are hosted by the NSA and often contain malware designed to affect the re-directed Internet client. CSE notes that QUANTUM is “easy to find” by analyzing the first content carrying packet and subsequently checking for sequence number duplication where duplicates have different payload sizes. Where content differs between the two packets by 10% then there is the possibility that a QUANTUM packet is being detected (CSE SIGINT Cyber Discovery: Summary of the current effort, 16).

QUANTUM INSERT (QI) – The QUANTUM family of tools were designed by the National Security Agency (NSA). Most information pertaining to this tool is available under the summaries and explanations of NSA covernames. However, GCHQ documents reveal that QI’s capacity was enhanced to allow shots on LinkedIn and to allow ‘white listing’ when shooting on proxies (Mobile Networks in My NOC World, 14).

QUOVA – This covername refers to a database which includes information about anonymizers and geolocation maps. It’s accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 6).


R

RAINFALL – This is a NSA covername, and refers to a group that was successful in collecting 4G cellular communications in February 2010 (Site Makes First-Ever Collect of High-Interest 4G Cellular Signal).

REPLICANTFARM – This covername refers to an aspect of CSE’s Counter Computer Network Exploitation (CCNE) operations. REPLICANTFARM leverages WARRIORPRIDE’s XML output by applying a module-based parser/alert system that runs on real-time CNE operational data. Some of the module-based analysis can alert about actors, implant technology, host-based signatures, or network-based attributes. (CSE SIGINT Cyber Discovery: Summary of the current effort, 10). There are over 14 additional generic modules, including ones that look for cloaked material, packed files, System 32 ‘variables’, strange DLL extensions, and kernel cloaking (CSE SIGINT Cyber Discovery: Summary of the current effort, 10).

RONIN – This NSA covername refers to the collection of mobile IP information (AURORAGOLD, 55).


S

SAMUELPEPYS – This covername refers to a Question Focused Database (QFD) (Black Hole Analytics, 6) that is designed to correlate near real-time presence alerting (GCHQ Analytic Cloud Challenges, 3). The database is used to find out what has been happening in real time (Black Hole Analytics, 9) by fusing all available traffic (content and events) in one place so that answers can be derived based on all of the available traffic that it contains (Blazing Saddles, 3). This can include HTTP Host URI as well as FTP information (Event (SIGINT), 4).

SCANPONY – This covername refers to part of the PONYEXPRESS defensive program operated by CSE to, in part, defend Government of Canada networks and devices from external threats. SCANPONY analyzes the metadata associated with an email message and passes attachments for scanning to CORNERPOCKET (Cyber Network Defence R&D Activities, 11) after conducting analysis pre-processing and scan dispatching (Cyber Network Defence R&D Activities, 12).

SCORPIOFORE

SEEDSPHERE – This covername refers to a signature in REPLICANT FARM for a known actor, filename, process, or covert store (Pay attention to that man behind the curtain: Discovering clients on CNE infrastructure, 17).

SIENNABLUE – This covername refers to a ‘friend’ of SEEDSPHERE (Cyber Threat Detection, 3).

SLINGSHOT – This covername refers to a database which includes end product reports. It’s accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 6).

SLIPSTREAM – This covername refers to a defensive program operated by CSE to, in part, defend Government of Canada networks and devices from external threats. It was part of PHOTONICPRISM (Cyber Network Defence R&D Activities, 3). It is part of CSE’s Global Network Discovery (GND) operations (CSE SIGINT Cyber Discovery: Summary of the current effort, 7) and part of the target discovery aspect of EONBLUE (CSE SIGINT Cyber Discovery: Summary of the current effort, 14). As of 2010 there were over 50 modules associated with SLIPSTREAM, including: RFC validation, heuristic checks, periodicity, simple encryption, streaming attack detection, and analyst utilities (CSE SIGINT Cyber Discovery: Summary of the current effort, 15).

SMTPPONY – This covername refers to part of the PONYEXPRESS defensive program operated by CSE to, in part, defend Government of Canada networks and devices from external threats. SMTPPONY takes data from FLOWPONY and passes it to MAILPONY (Cyber Network Defence R&D Activities, 11) after conducting SMTP parsing and header extraction (Cyber Network Defence R&D Activities, 12).

SNIFFLE – This covername refers to the target tracking aspects of EONBLUE (CSE SIGINT Cyber Discovery: Summary of the current effort, 14).

SNOWBALL – This covername refers to an implant that was linked to SNOWGLOBE activities (SNOWGLOBE: From Discovery to Attribution). Victims of the SNOWBALL-class of implants include parties in Iran, a French-language Canadian media organization, and parties in Greece, France, Norway, Spain, Ivory Coast and Algeria (SNOWGLOBE: From Discovery to Attribution, 17).

SNOWBALL2 – This covername refers to an implant that was linked to SNOWGLOBE activities (SNOWGLOBE: From Discovery to Attribution). Victims of the SNOWBALL-class of implants include parties in Iran, a French-language Canadian media organization, and parties in Greece, France, Norway, Spain, Ivory Coast and Algeria (SNOWGLOBE: From Discovery to Attribution, 17).

SNOWGLOBE – This covername refers to a signature in REPLICANT FARM for a known actor, filename, process, or covert store (Pay attention to that man behind the curtain: Discovering clients on CNE infrastructure, 17). CSE believed it to be a French-speaking actor, and its intelligence priorities suggested that it was a nation-state actor as opposed to a criminal organization, though CSE couldn’t ascertain for certain which agency might have driven the operation (SNOWGLOBE: From Discovery to Attribution, 22, 24).

SNOWMAN – This covername refers to an implant that was linked to SNOWGLOBE activities. It was discovered in mid-2010 (SNOWGLOBE: From Discovery to Attribution, 7).

STALKER – This covername refers to a database which contained web forum events. It’s accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 7).

STARSEARCH – This covername refers to a database which contained target knowledge. It’s accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 7).

STATEROOM – This covername refers to diplomatic facilities from which covert Signals Intelligence operations take place (STATEROOM Guide, 1).

STEPHANIE – This covername refers to a covert interception station in the Canadian embassy in Moscow during the 1960s and 1970s. STEPHANIE’s equipment was supplied by the NSA, and intercepted many radio and telephone signals broadcast from the top of the Ostankino radio and television tower in Moscow. The collection was linked with the collection of Soviet intercept-based intelligence that was given the covername GAMMAGUPPY by the NSA (The Secret Sentry: The Untold History of the National Security Agency, 152).

STRATOS – This covername refers to a database which holds GPRS events. It’s accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 6).

STREAMINGSENTRY

STRIPSEARCH – This covername refers to the system that stands in front of Government of Canada networks for defensive network operations (CSEC Cyber Threat Capabilities: SIGINT and ITS: an end-to-end approach, 15).

SUNWHEEL

SUPERDRAKE – This covername refers to a signature in REPLICANT FARM for a known actor, filename, process, or covert store (Pay attention to that man behind the curtain: Discovering clients on CNE infrastructure, 17).

SYNCPONY – This covername refers to part of the PONYEXPRESS defensive program operated by CSE to, in part, defend Government of Canada networks and devices from external threats. SYNCPONY aggregates information from the PONYEXPRESS output buffer, to subsequently pass it to the PONYEXPRESS output (Cyber Network Defence R&D Activities, 11).


T

TAPERLAY – This covername refers to an NSA effort to aggregate telephony and provider information (AURORAGOLD, 55).

TERMINAL SURGE – This covername refers to a database which is used to retain telnet session information collected by GCHQ’s Network Access Centre (Automated NOC Detection, 15).

TEXPRO

THIRD-EYE – This covername refers to a sensor that was part of the CASCADE program, which was an effort to align CSE’s ITS and SIGINT sensors. THIRD-EYE sensors were deployed to conduct unclassified processing on metadata at select new sites (CASCADE: Joint Cyber Sensor Architecture, 4-5). This sensor-type was deployed in Government of Canada networks as well as in foreign Internet space (CASCADE: Joint Cyber Sensor Architecture, 19).

TIDALSURGE – This covername refers to a database which contains router configurations. It’s accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 6). This database scheme has also been implemented for GCHQ and DSD. GCHQ’s use of TIDALSURGE is based on AS, whereas CSE’s use is based on country (Automated NOC Detection, 9).

TONTO – This covername refers to part of the PONYEXPRESS defensive program operated by CSE to, in part, defend Government of Canada networks and devices from external threats. TONTO takes metadata and attachment scan results to format alerts based on what was detected (Cyber Network Defence R&D Activities, 11).

TOYGRIPPE – This covername refers to a database which contains both non-detailed and detailed VPN events information. This database is accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 7).

TRACKERSMURF – This covername is for an iPhone specific plugin that GCHQ uses to conduct high-precision geolocation of the phone (Capability – iPhone).

TRITON – This covername refers to a database which contains information about TOR nodes. It is accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 7).

TWINSERPENT – This covername refers to a database which holds phone book information, and includes DNR selectors and free text. It’s accessible via OLYMPIA (And They Said To The Titans: Watch Out Olympians In The House, 7).


U

UMBRA – This codename refers to a top secret codeword for highly classified documents (AURORAGOLD, 20). UMBRA was the final codeword used by the UKUSA countries to designate Category III COMINT, the highest security category. It was in use from December 1968 to 1999, when it and the other COMINT category codewords began being replaced by the designator COMINT, sometimes abbreviated as SI for Special Intelligence. The changeover was still underway in May 2003, however, owing to the need to modify software.


V

VOYEUR – This covername refers to a signature in REPLICANT FARM for a known actor, filename, process, or covert store (Pay attention to that man behind the curtain: Discovering clients on CNE infrastructure, 17). An NSA document identifies VOYEUR as Iran’s Ministry of Intelligence and Security (MOIS) (Fourth Party Opportunities, 11-20).


W

WARRIORPRIDE – This covername refers to the CSE’s scalable, flexible, and portable CNE platform that parallels the GCHQ’s DAREDEVIL program. Some plugins are used for machine recon and operational security assessments, as well as for counter computer network operations. Specifically, the plugins enable machine reconnaissance, implant detection, rootkit detection, file identification and retrieval, DNS analysis, and network sniffing and characterization (CSE SIGINT Cyber Discovery: Summary of the current effort, 8). The CSE and GCHQ worked to port WARRIORPRIDE to the Android platform and completed the activity in the third quarter of 2010 (Mobile Briefing, 6).

WATERMARK – This covername refers to an operation conducted against MAKERSMARK (Pay attention to that man behind the curtain: Discovering clients on CNE infrastructure, 19).

WOLFRAMITE – This is a GCHQ covername, and refers to an effort to define and prototype GSM A5/3 decryption. This attack was to be developed along with the NSA (TALIS Phase 2 Test & TTO Plan, 1 and 3).


X

XKEYSCORE (XKS) – This covername refers to a system for ingesting and sharing information linked with content sharing. Content-based collection and sharing using XKS was proposed in 2010, and would be used as part of CSE’s defensive operations (CSE SIGINT Cyber Discovery: Summary of the current effort, 18). XKS was initially developed and deployed by the NSA, with access to system results and to the underlying technologies shared with some allies. CSE is amongst the allies that have deployed their own XKS systems for some purposes.