Program Definition: Detects and mitigates web-based malware Zero-Day and Advanced Persistent Threats using COTS technology by leveraging, dynamically producing, and enhancing global threat knowledge to rapidly protect the networks.
IAP Protection: Provide highly available and reliable automated sensing and mitigation capabilities to all 10 DOD IAPs. Commercial behavioral and heuristic analytics and threat data enriched with NSA unique knowledge, through automated data analysis processes, form the basis for discovery and mitigation.
Cyber Situational Awareness and Data Sharing: Consume public malware threat data, enrich with NSA unique knowledge and processes. Share with partners through automation systems, for example the SHARKSEER Global Threat Intelligence (GTI) and SPLUNK systems. The data will be shared in real time with stakeholders and network defenders on UNCLASSIFIED, U//FOUO, SECRET, and TOP SECRET networks.
39°36’54.30″ N 74°19’43.42″ W
NSA Fairview Cliffside SIGINT Station (ATT Manchester Cable Landing Station)
The U.S. should brace itself for more attacks like one on the U.S. Office of Personnel Management—in which millions of sensitive government records were stolen, the director of the National Security Agency warned on Wednesday
The U.S. government last week said that two cyberattacks on the agency compromised more than 21 million Social Security numbers, 1.1 million fingerprint records, and 19.7 million forms with data that could include a person’s mental-health history.
“I don’t expect this to be a one-off,” said Navy Adm. Mike Rogers, who heads the NSA and the U.S. military’s Cyber Command.
The incident is causing the government to review cybersecurity policies, he added. “As we are working through the aftermath of OPM,” Adm. Rogers said one of the questions is “what is the right vision for the way forward in how we are going to deal with things like this.”
Cyber Command, though responsible for protecting Defense Department networks, wasn’t charged with defending the Office of Personnel Management’s system, he added.
Director of National Intelligence James Clapper last month said China is suspected to be behind the hack.
Adm. Rogers likened the hacking of U.S. government records to last year’s attack on Sony Pictures Entertainment, which revealed sensitive company information. He said such events required a governments and companies to step back and review procedures.
Adm. Rogers was speaking at the London Stock Exchange as part of an outreach effort to the financial sector to raise awareness of cybersecurity threats.
“We are in a world now where, despite your best efforts, you must prepare and assume that you will be penetrated,” he told the group. “It is not about if you will be penetrated, but when,” he said.
David Omand, the former head of the U.K. Government Communications Headquarters, said at the event that the average cost of a breach on U.S. companies is around $20 million. U.K. figures suggest a lower cost, though he said those may be too conservative.
Adm. Rogers said companies and the government needed to work together to protect networks. “Cyber to me is the ultimate partnership. There is no single entity out there that is going to say: ’don’t worry, I’ve got this.’”
Under operation Eikonal, the NSA cooperated with the German foreign intelligence service BND for access to transit cables from Deutsche Telekom in Frankfurt. Here follows an overview of what is known about this operation so far. New information may be added as it comes available.
Operation Eikonal was revealed by the regional German paper Süddeutsche Zeitung and the regional broadcasters NDR and WDR on October 4, 2014. They reported that between 2004 and 2008, the German foreign intelligence service BND had tapped into the Frankfurt internet exchange DE-CIX and shared the intercepted data with the NSA.
For this operation, NSA provided sophisticated interception equipment, which the Germans didn’t had but were eager to use. Interception of telephone traffic started in 2004, internet data were captured since 2005. Reportedly, NSA was especially interested in communications from Russia.
To prevent communications of German citizens being passed on to NSA, BND installed a special program (called DAFIS) to filter these out. But according to the reporting, this filter didn’t work properly from the beginning. An initial test in 2003 showed the BND that 5% of the data of German citizens could not be filtered out, which was considered a violation of the constitution.
Süddeutsche Zeitung reported that it was Deutsche Telekom AG (DTAG) that provided BND the access to the Frankfurt internet exchange, and in return was paid 6000,- euro a month. But as some people noticed, Deutsche Telekom was not connected to DE-CIX when operation Eikonal took place, so something didn’t add up.
As we will see, this was right, and the actual cable tap was not at DE-CIX, but took place at Deutsche Telekom. Nonetheless, many press reports still link Eikonal to the DE-CIX internet exchange.
Eikonal as part of RAMPART-A
As was first reported by this weblog on October 15, 2014, operation Eikonal was part of the NSA umbrella program RAMPART-A, under which the Americans cooperate with 3rd Party countries who “provide access to cables and host U.S. equipment”.
Details about the RAMPART-A program itself had already been revealed by the Danish newspaper Information in collaboration with The Intercept on June 19, 2014. The program reportedly involved at least five countries, but so far only Germany and, most likely, Denmark have been identified.
On October 20, Information published about a document from NSA’s Special Source Operations (SSO) division, which confirms that an operation codenamed “EIKANOL” was part of RAMPART-A and says it was decommissioned in June 2008.
The slide below shows that under RAMPART-A a partner country taps an international cable at an access point (A) and then forwards the data to a joint processing center (B). Equipment provided by the NSA processes the data and analysts from the host country can then analyse the intercepted data (C), while they are also forwarded to NSA sites in the US (D, E):
Because of the confusion about the role of Deutsche Telekom in operation Eikonal, the NSA investigation commission of the German parliament (NSAUA) decided to also investigate whether this company assisted BND in tapping the Frankfurt internet exchange.
During hearings of BND officials it became clear that operation Eikonal was not about tapping into the Frankfurt internet exchange DE-CIX, but about one or more cables from Deutsche Telekom. This was first confirmed by German media on December 4, 2014.
Hearing of November 6, 2014 (Live-blog)
According to witness T.B., who was heard on on November 6, 2014, it was just during the test period that the filter system was only able to filter out 95% of German communications. When the system went live, this percentage rose to 99% with a second stage that could filter out even more than 99%. When necessary, a final check was conducted by hand.
During this hearing, the witness W.K. said that Eikonal was a one of a kind operation, there was targeted collection from traffic that transited Germany from one foreign country to another.
This was focussed on Afghanistan and anti-terrorism. Selected data were collected and forwarded to NSA. The internal codename for Eikonal was Granat, but that name wasn’t shared with NSA. There was even a third codename.
For Germany, Eikonal was useful because it provided foreign intelligence for protecting German troops and countering terrorism. The NSA provided better technical equipment that BND didn’t had. In return, BND provided NSA with data collected from transit traffic using search profiles about Afghanistan and anti-terrorism. BND was asked to cooperate because NSA isn’t able to do everything themselves.
Eikonal provided only several hundred useful phone calls, e-mail and fax messages a year, which was a huge disappointment for NSA. This, combined with the fact that it proved to be impossible to 100% guarantee that no German data were collected and forwarded, led BND to terminate the program.
For Eikonal, the cable traffic was filtered by using selectors provided by both NSA and BND. Although not all selectors can be attributed to a particular country and there may have been up to several hundred thousand selectors, witness W.K. said that BND was still able to check whether every single one was appropriate: only selectors that could be checked were used.
During this hearing, BND-employee S.L., who was the project manager of operation Eikonal at BND headquarters, testified. He told that BND had rented two highly secured rooms of ca. 4 x 6 meters in the basement of a Deutsche Telekom switching center in the Frankfurt suburb Nied.
These rooms were only accessible for BND personnel and contained the front-end of the interception system, existing of 19 inch racks, with telecommunications equipment like multiplexers, processors and servers. These devices were remotely controlled from the headquarters in Pullach.*
Based upon analysis of public information about telecommunication networks, BND choose specific cables that would most likely contain traffic that seemed useful for the goals of the operation. It became clear that for redundancy purposes, cables only used 50% of their capacity. For example, 2 cables of 10 Gbit/s carried only 5 Gbit/s of traffic, so in case of a disruption, one cable could take over the traffic of the other one.
After a specific coax or fiber-optic cable had been selected, technicians of Deutsche Telekom installed a splitter and a copy of the traffic was forwarded to one of the secure rooms, where it was fed into a (de-)multiplexer or a router so the signal could be processed. After they got rid of the peer-to-peer and websurfing traffic, the remaining communications data, like e-mail, were filtered by selectors from BND and NSA.
The selected data were sent back to BND headquarters in Pullach over a leased commercial line, of which the capacity was increased after the internet collection became fully operational. From Pullach to the JSA in Bad Aibling there was a 2 Mbit/s line.
Eikonal started with access to a telephone cable (Leitungsvermittelt). Project manager S.L. told that the first cable was connected (aufgeschaltet) in December 2004, but that it’s signal was too weak. Therefore, in January 2005, an amplifier was installed.
In February, March and April additional cables were connected, so telephony collection started in the spring of 2005. By the end of 2006, Deutsche Telekom announced that its business model for dedicated transit cables would be terminated, so in January 2007 the telephone collection ended.*
BND also wanted access to internet traffic (Paketvermittelt), for which the first cable became available by the end of 2005, but because the backlink was missing, collection was technically not possible. This was solved in 2006, and in the spring of 2006 a second cable was added, and they tested the front-end system and subsequently the filter systems until mid-2007 (Probebetrieb).
During this stage, data were only forwarded to the joint NSA-BND unit JSA after a manual check. Fully automated forwarding only happened from late 2007 until operation Eikonal was terminated in June 2008 (Wirkbetrieb).*
The collection of telephone communications from transit cables was done under the general authority of the BND Act, with details specified in the “Transit Agreement” between BND and Deutsche Telekom, which for the latter was signed by Bernd Köbele.
For the collection of internet data it was impossible to fully separate foreign and domestic traffic, so it couldn’t be ruled out that German communications were in there too. Therefore, BND requested an order from the G10-commission, which, like the FISA Court in the US, has to approve data collection when their own citizens could be involved.
A G10-order describes the communication channel (Germany to/from a specific foreign country) that BND is allowed access to, the threat profile and it also authorizes the search terms that may be used for filtering the traffic.*
Such an order allows the collection of G10-data (communications with one end German), which were processed within BND’s separate G10 Collection program. As a bycatch, this G10-interception also yielded fully foreign traffic (Routine-Verkehre), which was used for operation Eikonal:
Some employees from Deutsche Telekom and from BND had doubts about the legality of this solution, which seemed to use a G10-order as a cover for getting access to fully foreign internet traffic.
Eventually, the federal Chancellery, apparently upon request of the BND, issued a letter saying that the operation was legal. This convinced the Telekom management and the operation went on. It didn’t become clear under what authority this letter was issued.
After BND had learned how to collect internet traffic from fiber-optic cable, it applied for G10-orders to intercept (one end German) communications from 25 foreign and domestic internet service providers in 2008. This time these cables were being tapped at the DE-CIX internet exchange, which is also in Frankfurt.
The collection under operation Eikonal resulted in only a few hundred intelligence reports (German: Meldungen) a year, each consisting of one intercepted e-mail, fax message or phone call. These were burned onto a CD to hand them over to NSA personnel at the JSA.*
According to S.L., metadata (containing up to 91 fields) were “cleaned” so only technical metadata (Sachdaten) were forwarded to the JSA, where they were used for statistical and analytical purposes.
Personal metadata (personenbezogene Daten), like e-mail and IP addresses were not shared. Technical metadata are for example used to identify the telecommunication providers, transmission links and the various protocols.
During this hearing, a talkative general Reinhardt Breitfelder, head of the SIGINT division from 2003-2006, confirmed many of the details from the earlier hearings of his subordinates. He also gave impressions of the dilemmas in dealing with the NSA and what to do with the equipment they provide.
In this hearing, the commission questioned two employees from Deutsche Telekom (Harald Helfrich and Wolfgang Alster), but they provided very little new information, except for that Deutsche Telekom personnel only knows between which cities a cable runs, but they don’t know what kind of traffic it contains – they are not allowed to look inside.
Disclosures from Austria
On May 15, 2015, Peter Pilz, member of the Austrian parliament for the Green party, disclosed an e-mail from an employee of the Deutsche Telekom unit for lawful intercept assistance (Regionalstelle für staatliche SonderAuflagen, ReSa), who notified someone from BND that apparently a particular fiber-optic cable had been connected to the interception equipment. The e-mail describes this cable as follows:
Transit STM1 (FFM 21 – Luxembourg 757/1), containing 4 links of 2 Mbit/s:
Channel 2: Luxembourg/VG – Wien/000 750/3
Channel 6: Luxembourg/CLUX – Moscow/CROS 750/1
Channel 14: Ankara/CTÜR – Luxembourg/CLUX 750/1
Channel 50: Luxembourg/VG – Prague/000 750/1
STM1 stands for Synchronous Transport Module level-1, which designates a transmission bit rate of 155,52 Mbit/second. A similar multiplexing method is Wavelength-Division Multiplexing (WDM) commonly used in submarine fiber-optic cables. The latter having a much larger capacity, generally STM-64 or 9,5 Gbit/second.
The number 757 is a so-called Leitungsschlüsselzahl (LSZ), which denotes a certain type of cable. In this case it stands for a channelized STM-1 base link (2 Mbit in 155 Mbit), which seem to be used for internal connections.
According to the meanwhile updated LSZ List, the number 750 stands for a “DSV2 Digitalsignal-Verbindung 2 Mbit/s”, which is a digital signal path.
The cable mentioned in the e-mail therefore only has a small capacity, which seems to indicate that NSA and/or BND selected it carefully.
FFM 21 stands for “Frankfurt am Main 21”, which according to Deutsche Telekom’s network map is the name of the Point-of-Presence (PoP) located at its facility in the Frankfurt suburb Nied – the location where that Eikonal tapping took place.
This means we have a physical cable running between Luxembourg and the Deutsche Telekom PoP in Frankfurt, but containing channels to cities which are much further, so they have to connect to channels within other physical cables that run from Frankfurt to Moscow, Prague, Vienna and Ankara, respectively:
As the e-mail is from February 3, 2005, it must relate to telephone collection, because for Eikonal, the first cable containing internet traffic only became available by the end of that year.
The Transit agreement
On May 18, the Austrian tabloid paper Kronen Zeitung published the full “Transit Agreement” (pdf) between BND and Deutsche Telekom, in which the latter agreed to provide access to transit cables, and in return will be paid 6.500,- euro a month for the expenses. The agreement came into retrospective effect as of February 2004.
This disclosure got little attention, but is rather remarkable, as such agreements are closely guarded secrets. The Transit agreement existed in only two copies: one for BND and one for Deutsche Telekom.
It is not known how Pilz came into possession of these documents, but it seems the source must be somewhere inside the German parliamentary investigation commission. They are the only persons outside BND and Deutsche Telekom who, for the purpose of their inquiry, got access to the agreement and the other documents.
Leaking these documents to Pilz seems not a very smart move, as it will further minimize the chance that the commission will ever get access to the list of suspicious NSA selectors.
On May 19, Pilz held a press conference (mp3) in Berlin, together with the chairman of the Green party in Luxembourg and a representative of the German Green party. Here, Pilz presented a statement (pdf), which includes the aforementioned e-mail, 10 questions to the German government, and two tables with cable links to or from Austria and Luxembourg:
According to Pilz, the full list contains 254 (or 256) cable links. 94 of them connect EU member states, 40 run between EU members and other European countries like Switzerland, Russia, Serbia, Bosnia-Herzegovina, Ukraine, Belarus and Turkey. 122 links connect European countries with nations all over the world, with Saudi Arabia, Japan, Dubai and China being mentioned most.
The country which most links (71) run to or from is the Netherlands. The list for that country was disclosed by Peter Pilz during a press conference in Brussels on May 28, 2015. The US, the UK and Canada are not on the list, although there were apparently 156 links from/to Britain too.
On June 5, 2015, Peter Pilz held a press conference in Paris, where he presented a statement (.docx) containing a list of 51 transit links to or from France. Interestingly, this list now also includes some additional technical identifiers for these links, which were apparently left out in the earlier ones:
According to the updated LSZ List, the new codes in this list stand for:
– 703: VC3 Virtual Container connection with 48,960 MBit/s
– 710: (not yet known)
– 712: VC12 Virtual Container connection with 2,240 MBit/s
– 720: (not yet known)
– 730: (not yet known)
VC3 and VC12 are from the Synchronous Digital Hierarchy (SDH) protocol to transfer multiple digital bit streams synchronously over optical fiber. This has the option for virtual containers for the actual payload data. VC3 is for mapping 34/45 Mbit/s (E3/DS3) signals; VC4 for 140 Mbit/s (E4); VC12 for 2 Mbit/s (E1).
The new identifiers in this list stand for: O-nr.: Ordnungsnummer; GRUSSZ: Grundstücksschlüsselzahl; FACHSZ: Fachschlüsselzahl.
No information about these identifiers was found yet, but by analysing the data in the list, it seems that the FACHSZ codes are related to a telecom provider. France Telecom for example appears with FACHSZ codes CFT, VPAS, VCP3, VB5 or 0.
The GRUSSZ number identifies a particular city, with the first two or three digits corresponding with the international telephone country codes. The last two digits seem to follow a different scheme, as we can see that a capital always ends with “10”:
Paris = 33010
Lyon = 33190
Reims = 33680
Brussels = 32010
Prague = 42010
Oslo = 47010
Warsaw = 48010
Poznan = 48020
Moscow = 70010
It’s possible that these are just internal codes used by Deutsche Telekom, as internationally, connections between telephone networks are identified by Point Codes (PC). From the Snowden-revelations we know that these codes are also used by NSA and GCHQ to designate the cable links they intercept.
NSA or BND wish lists?
Initially, Peter Pilz claimed these links were samples from a priority list of the NSA, but on May 27, he said in Switzerland, that the list was from BND, and was given to NSA, who marked in yellow the links they wanted to have fully monitored.
The German parliamentary hearings were also not very clear about these lists. On December 4, project manager S.L. confirmed that NSA had a wish list for circuit-switched transit links, but in the hearing from January 15 it was said that there was a “wish list of BND” containing some 270 links. And on March 5, former SIGINT director Urmann said he couldn’t remember that NSA requested specific communication links.
Maybe the solution is provided by the Dutch website De Correspondent, which reports that there is a much larger list (probably prepared by BND) of some 1000 transit links, of which ca. 250 were marked in yellow (probably those prioritized by NSA).
Media reports say that these cables belong to the providers from various European countries, but that seems questionable. As we saw in the aforementioned e-mail, it seems most likely that the lists show channels within fiber-optic cables, and that the physical cables all run between the Deutsche Telekom switching facility in Frankfurt and the cities we see in the lists.
In theory, these cables could be owned or operated by those providers mentioned in the lists, but then they would rather connect at a peering point like the DE-CIX internet exchange, instead of at the Deutsche Telekom switching center. Deutsche Telekom runs its own Tier 1 network, a worldwide backbone that connects the networks of lower-level internet providers.
It is not clear how many of the over 250 links on the list were actually intercepted. We only know that for sure for the STM-1 cable with the four channels described in the aforementioned e-mail from Deutsche Telekom to BND.
Strange is the fact that during the parliamentary hearings, most BND witnesses spoke about “a cable in Frankfurt”, which sounds like one single physical cable, whereas the disclosures by Peter Pilz clearly show that multiple channels must have been intercepted.
During the commission hearing of January 29, 2015, BND technical engineer A.S. said that under operation Eikonal, telephone traffic came in with a data rate of 622 Mbit/s. This equals a standard STM-4 cable, which contains 252 channels of 2 Mbit/s. This number comes close to the channels on the “wish list”, but it seems not possible that those were all in just one physical cable.
Another question is whether it is possible to only filter the traffic from specific channels, or that one has to have access to the whole cable.
It should be noted that not the entire communications traffic on these links was collected and stored, but that it was filtered for specific selectors, like phone numbers and e-mail addresses. Only the traffic for which there was a match was picked out and processed for analysis.
Based upon these documents, Peter Pilz filed a complaint (pdf) against 3 employees of Deutsche Telekom and one employee of BND for spying on Austria, although at the same time he said he was convinced the NSA was most interested not in Austrian targets, but in the offices of the UN, OPEC and OSCE in Vienna.
Apparently he didn’t consider the fact that Eikonal was part of the RAMPART-A umbrella program, which is aimed at targets in Russia, the Middle East and North Africa. Many cities mentioned in the disclosed lists seem to point to Russia as target, and project manager S.L. testified that Eikonal was mainly used for targets related to Afghanistan, which fits the fact that there are for example 13 links to Saudi Arabia.
Green party members from various countries claimed that this cable tapping was used for economical or industrial espionage, but so far, there is no specific indication, let alone evidence for that claim.
Has the Land of the Free become the Land behind the digital Berlin Wall? The government of East Germany collected information on its .
Senior NSA executive Thomas Drake is an expert on spying in Stasi Germany . having studied it for years. Drake told Washington’s Blog that the U.S. has the wildest dreams of the Gestapo. KGB and East German Stasi comes into full being to protect you from TERRA TERRA TERRA. (You know why THIS word is being used here ?!)
Julia Angwin talks about her new book, Dragnet Nation: A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance.
DEPARTMENT OF DEFENSE AGENCY CHIEF FREEDOM OF INFORMATION ACT OFFICER REPORT FOR 2014
DIRECTOR OF ADMINISTRATION AND MANAGEMENT
The NSA FOIA and Declassification Services Offices identified records appropriate for posting based on requester interest. These offices did not wait for there to be frequent requests, but based the decision to post information on the likelihood that others would have a significant interest in having access to the information. NSA added two new sections to the front page of its public website www.nsa.gov. With these new sections, the general public was able to see NSA information released in response to news reporting on the unauthorized disclosure of classified information. Examples included statements to the press, as well as public speeches, found at the following link: http://www.nsa.gov/publi_info/speeches_testimonies/index.shtml. The NSA FOIA and Declassification Services office reviewed, released, and posted 136 editions of the Cryptolog (4,400 pages), along with frequently asked questions about the history of the journal and the significance of the release. NSA posted 100 additional documents (249 pages) relating to the USS PUEBLO incident, History Today articles, an NSA Technical Journal article, Cryptologic History documents, NSA policies, and several miscellaneous documents, totaling over 1,000 pages.
o The NSA Research Directorate posted the following new material on NSA.gov at http://www.nsa.gov/research/index.shtml: Science of Security contest winners; information about the NSA partnership with North Carolina State University; the 20th Anniversary issue of its quarterly publication, The Next Wave.
o The NSA Information Assurance Directorate (IAD) published information on both the NSA web page, as well its web page at www.iad.gov.
o Examples of new information made available in 2013 by IAD were as follows: