TOP SECRET//SI//NOFORN

24 April 2013

The overall classification of this brief is: TOP SECRET//COMINT//NOFORN
Derived From: NSA/CSSM 1-52
Dated: 20070108
Declassify On: 20291123

PMR Agenda

• Strategic Technical Overview
• Placemats
• Highlights
• Client Service Leads (CSLs)
• Senior Mission Technical Leads (SMTLs)
• PMR Spotlight
• MONSTERMIND
• SOS Support to CHELSEABLUE
• Technical Health

SID Priority: Traditionally Inaccessible Network (TS//SI//REL TO USA, FVEY)

SIGINT Development Challenge

Establish a proven foundation of targets in Pakistan's National Telecommunications Corporation's (NTC) VIP Division.

Mission Example and Result

Successfully enabled positive identification of users in NTC's VIP division who focus on maintaining the Green Exchange. The Green Exchange branch houses ZXJ-10 switches, which are the backbone of Pakistan's Green Line communications network. This network is used by senior Pakistani civilian and military leadership. Four machines in the VIP division who have Green Exchange related documents on their machines were successfully implanted.

Our Approach

• Evaluated currently tasked selectors related to NTC's VIP division
• Conducted SIGDEV against known selectors to identify other related targets
• Collaborated with R&T to use SECONDDATE and QUANTUM to successfully implant four new CNE accesses within the Green Exchange

SIGINT Development Outcome

Four new CNE accesses were gained for the VIP Division and a baseline of collection related to the Green Exchange was established.

SID Priority: Traditionally Inaccessible Target Networks (TS//SI//NF)

SIGINT Development Challenge

Passive access in Lebanon is limited, thereby hindering SIGDEV Discovery and Mobility Exploitation. TAO project REXKWONDO successfully enabled Country-Wide Shaping and Man-in-the-Middle (MiTM) capabilities against Lebanon's Internet traffic for the first time ever.

Mission Example and Result

Combined CT SIGDEV and CNE analysis effort within REXKWONDO, the Lebanese owned OGERO ISP, resulted in multiple successful CNE operations that yielded initial access and collection from Lebanon's International Gateway routers. Currently shaping Hizballah-related traffic to SSO-STORMBREW, providing SIGDEV discovery opportunities for S21, S2E, and SSG NAC via XKEYSCORE and MARINA.

Our Approach

• S2153 CT SIGDEV SOS analysts provided technical support on various high-interest targets and assisted in exploitation and implant of the head of the OGERO NOC and the core routers
• Collaboration between multiple divisions within TAO and S215 led to the development of a custom-built router exploit and new HAMMERCORE implant builds
• The OGERO ISP gateway router RB was exploited via HAMREX to enable SECONDDATE MiTM
• The OGERO upstream Liban Telecom routers were exploited with CGDB then implanted with HAMMERCORE and HAMMERSTEIN to enable successful Shaping of Hizballah Unit 1800 related traffic for multiple CT projects
• Traffic was exfiltrated to STORMBREW from core routers and was accessible to S21, S2E, and SSG NAC analysts via XKEYSCORE in less than 24 hours following the successful shaping tasking

[Figure: screenshot of a traffic results table; recoverable labels include TCP, http get, http post, US-3105S8 and OGERO ISP]

SIGINT Development Outcome

SOS collaboration across the TAO and S215 previously denied access to the International Gateway routers in Lebanon and Sole-Source Discovery against Hizballah

100 MB of Hizballah Unit 1800 data has been collected and ingested into XKEYSCORE. S2122 confirms CADENCE dictionary and XKEYSCORE fingerprint hits. NSA SIGINT Enterprise analysts can now conduct SIGDEV on any target IP range of interest in Lebanon using a single passive database (US-3105S8) in XKEYSCORE.