Sunday, December 14, 2014

CSE and hacking of telecom operations

More evidence of the extent to which CSE is involved in Five Eyes efforts to hack into the systems of telecommunications providers can be found in this document, which was published by The Intercept in conjunction with its most recent article on the Belgacom penetration (Ryan Gallagher, "Operation Socialist: The Inside Story of How British Spies Hacked Belgium’s Largest Telco," The Intercept, 13 December 2014).

The document is a 2011 joint presentation titled "Automated NOC [Network Operations Centre] Detection" authored by the Head of the GCHQ Network Analysis Centre and a Senior Network Analyst at CSE's own Network Analysis Centre. It discusses the work of the Five Eyes "Network Analysis community" to "automate the detection of Network Operations Centres" in order to facilitate subsequent efforts to hack into those centres.

The presentation reports that
During March 2011 GCHQ Analysts visited CSEC to look at the [sic] using PENTAHO for tradecraft modelling working with CSEC NAC and CSEC/H3 software developers to see if could model NOCTURNAL SURGE in PENTAHO and then implement in OLYMPIA

Only possible to attempt because:
– CSEC NAC have implemented GCHQ NAC TIDAL SURGE Database Schema (DSD also have this..)
According to the article in The Intercept, NOCTURNAL SURGE is a tool developed by GCHQ "to search for particular engineers and system administrators by finding their IP addresses, unique identifiers that are allocated to computers when they connect to the internet."

OLYMPIA is a more general-purpose CSE-developed tool to help analysts identify potential SIGINT targets and compile information about their communications systems and contacts. It provides automated access to a wide variety of CSE and allied SIGINT and communications databases. (More information here.)

The Intercept report interprets the presentation to mean that "GCHQ refined the NOCTURNAL SURGE system with the help of its Canadian counterparts, who had developed a similar tool, named PENTAHO."

I wonder whether PENTAHO might simply be the data analysis software produced by the company of the same name, but either way the presentation is clear evidence of CSE interest in targeting telecom operators.

A report earlier this month in The Intercept also provided evidence of CSE involvement in such efforts.

Interestingly, CSE's infamous "airport wi-fi" experiment was also conducted by the CSE Network Analysis Centre, which seems to be the go-to place at CSE for anything related to analyzing/monitoring the Internet or computer networks in general.

The H3 unit, on the other hand, seems to be a software development shop. H3 also turns up in this document.

(H/T to Ron Deibert.)


Blogger Michael And Ingrid Heroux said...

Michael Heroux said

Interesting, in the last month we found a rootkit on our daughter's computer and then shortly after that we found a rootkit on our son's computer and about a week ago we found one on my computer. We have been finding rootkits on our systems for about 15 years, ever since we first got a computer. Since we switched to Linux we get a lot less malware but it still happens and I know a lot of them are installed through the ISPs. When you have a fresh system with no malware on it and you take it online for the first time and the first and only connection you make is to your ISP and then you test for malware right after that connection and you have a rootkit installed and you perform that fresh system test 5 times in a row and you get the same result then it is fair to say it is coming from your ISP. ISPs will always be agents for the state. If they don't play ball they won't be in business too much longer. Follow the money. Thanks

December 14, 2014 5:35 pm  
Blogger Alison said...

ICANN hacked

December 18, 2014 2:27 pm  
