Sunday, December 14, 2014

CSE and hacking of telecom operations

More evidence of the extent to which CSE is involved in Five Eyes efforts to hack into the systems of telecommunications providers can be found in this document, which was published by The Intercept in conjunction with its most recent article on the Belgacom penetration (Ryan Gallagher, "Operation Socialist: The Inside Story of How British Spies Hacked Belgium’s Largest Telco," The Intercept, 13 December 2014).

The document is a 2011 joint presentation titled "Automated NOC [Network Operations Centre] Detection" authored by the Head of the GCHQ Network Analysis Centre and a Senior Network Analyst at CSE's own Network Analysis Centre. It discusses the work of the Five Eyes "Network Analysis community" to "automate the detection of Network Operations Centres" in order to facilitate subsequent efforts to hack into those centres.

The presentation reports that
During March 2011 GCHQ Analysts visited CSEC to look at the [sic] using PENTAHO for tradecraft modelling working with CSEC NAC and CSEC/H3 software developers to see if could model NOCTURNAL SURGE in PENTAHO and then implement in OLYMPIA

Only possible to attempt because:
– GCHQ NAC use PENTAHO
– CSEC NAC/H3 use PENTAHO
– CSEC NAC have implemented GCHQ NAC TIDAL SURGE Database Schema (DSD also have this..)
According to the article in The Intercept, NOCTURNAL SURGE is a tool developed by GCHQ "to search for particular engineers and system administrators by finding their IP addresses, unique identifiers that are allocated to computers when they connect to the internet."

OLYMPIA is a more general-purpose CSE-developed tool to help analysts identify potential SIGINT targets and compile information about their communications systems and contacts. It provides automated access to a wide variety of CSE and allied SIGINT and communications databases. (More information here.)

The Intercept report interprets the presentation to mean that "GCHQ refined the NOCTURNAL SURGE system with the help of its Canadian counterparts, who had developed a similar tool, named PENTAHO."

I wonder whether PENTAHO might simply be the data analysis software produced by the company of the same name, but either way the presentation is clear evidence of CSE interest in targeting telecom operators.

A report earlier this month in The Intercept also provided evidence of CSE involvement in such efforts.

Interestingly, CSE's infamous "airport wi-fi" experiment was also conducted by the CSE Network Analysis Centre, which seems to be the go-to place at CSE for anything related to analyzing/monitoring the Internet or computer networks in general.

The H3 unit, on the other hand, seems to be a software development shop. H3 also turns up in this document.
(H/T to Ron Deibert.)