24 April 2013 The overall classification of this brief is Derived - - PowerPoint PPT Presentation



SLIDE 1

TOP SECRET//SI//NOFORN

24 April 2013

The overall classification of this brief is TOP SECRET//COMINT//NOFORN

Derived From: NSA/CSSM 1-52
Dated: 20070108
Declassify On: 20291123

SLIDE 2

TOP SECRET//SI//NOFORN

PMR Agenda

  • Strategic & Technical Overview -
  • Placemats & Highlights - Client Service Leads (CSLs) & Senior Mission Technical Leads (SMTLs)
  • PMR Spotlight
  • MONSTERMIND -
  • SOS Support to CHELSEABLUE -
  • Technical Health -

SLIDE 3

TOP SECRET//SI//NOFORN

(TS//SI//REL TO USA, FVEY)

SID Priority: Traditionally Inaccessible Network

SIGINT Development Challenge: Establish a proven foundation of targets in Pakistan's National Telecommunications Corporation's (NTC) VIP Division.

Mission Example and Result: Successfully enabled positive identification of users in NTC's VIP division who focus on maintaining the Green Exchange. The Green Exchange branch houses ZXJ-10 switches, which are the backbone of Pakistan's Green Line communications network. This network is used by senior Pakistani civilian and military leadership. Four machines in the VIP division who have Green Exchange related documents on their machines were successfully implanted.

Our Approach

  • Evaluated currently tasked selectors related to NTC's VIP division.
  • Conducted SIGDEV against known selectors to identify other related targets.
  • Collaborated with R&T to use SECONDDATE and QUANTUM to successfully implant four new CNE accesses within the Green Exchange.


SIGINT Development Outcome: Four new CNE accesses were gained for the VIP Division and a baseline of collection related to the Green Exchange was established.

(TS//SI//REL TO USA, FVEY)

SLIDE 4

TOP SECRET//SI//NOFORN

(TS//SI//NF)

SID Priority: Traditionally Inaccessible Target Networks

SIGINT Development Challenge: Passive access in Lebanon is limited, thereby hindering SIGDEV, Discovery, and Mobility Exploitation. TAO project REXKWONDO successfully enabled Country-Wide Shaping and Man-in-the-Middle (MiTM) capabilities against Lebanon's Internet traffic for the first time ever.

Mission Example and Result: Combined CT SIGDEV and CNE analysis effort within REXKWONDO, the Lebanese owned OGERO ISP, resulted in multiple successful CNE operations that yielded initial access and collection from Lebanon's International Gateway routers. Currently shaping Hizballah-related traffic to SSO-STORMBREW, providing SIGDEV discovery opportunities for S21, S2E, and SSG\NAC via XKEYSCORE and MARINA.


Our Approach

  • S2153 CT SIGDEV SOS analysts provided technical support on various high-interest targets and assisted in exploitation and implant of the head of the OGERO NOC and the core routers.
  • Collaboration between multiple divisions within TAO and S215 led to the development of a custom-built router exploit and new HAMMERCORE implant builds.
  • The OGERO ISP gateway router (RB) was exploited via HAMREX to enable SECONDDATE MiTM.
  • The OGERO upstream Liban Telecom routers were exploited with CGDB, then implanted with HAMMERCORE and HAMMERSTEIN to enable successful Shaping of Hizballah Unit 1800 related traffic for multiple CT projects.
  • Traffic was exfiltrated to STORMBREW from core routers and was accessible to S21, S2E, and SSG\NAC analysts via XKEYSCORE in less than 24 hours following the successful shaping tasking.


SIGINT Development Outcome: SOS collaboration across the TAO and S215 previously denied access to the International Gateway routers in Lebanon and Sole-Source Discovery against Hizballah. 100+ MB of Hizballah Unit 1800 data has been collected and ingested into XKEYSCORE. S2122 confirms CADENCE dictionary and XKEYSCORE fingerprint hits. NSA SIGINT Enterprise analysts can now conduct SIGDEV on any target IP range of interest in Lebanon using a single passive database [US-3105S8] in XKEYSCORE.

(TS//SI//NF)