Tailored Access Operations 2007
Jan. 24 2019 — 6:47p.m.
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL Development Derived From: NSA/CSSM 1-52 Dated: 20070108 Declassify On: 20360401 TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
This Briefing is Classified TOP SECRET//COMINT//ORCON//NOFORN Tailored Access Operations This Briefing is Classified TOP SECRET//COMINT//ORCON//NOFORN DERIVED FROM: NSA/CSS Manual 1-52, Dated: 20070108, Declassify On: 20320108 IOEC1000
SECRET//COMINT//REL TO USA, FVEY TAO Mission • Sustain a deep, persistent, and pervasive presence on critical target networks • Rapidly penetrate and track the communications of high-value individuals • Continually execute CNE; support CNA and CND • CNE: Exploit networks for foreign intelligence • CNA: Provide access and capabilities to support authorized network attacks • CND: Hunt foreign cyber actors on foreign networks • Deconflict DoD CNO with IC/Foreign partners • Build the techniques, tools and infrastructure required • Subvert endpoint devices • Servers, workstations, firewalls, routers, handsets, phone switches, SCADA systems, etc. • Covertly communicate with implants in target networks • Automate CNE operations and maintenance of a large number of accesses Aggressively Scale CNO Capabili3es and Opera3ons SECRET//COMINT//REL TO USA, FVEY
TOP SECRET//COMINT//REL TO USA, FVEY TAO Organization TAO Requirements & Targeting Manage ops requirements Perform target development Remote Operations Center Conduct On-net ops (exploit, collect, geolocate) Data Network Technologies Develop operational concepts and software implants to exploit computer networks Telecommunications Network Technologies Access Technologies & Operations Mission Infrastructure Technologies Develop operational concepts and software implants to exploit phone switches Develop network warfare capabilities Network shaping Conduct physical access (off-net) operations Conduct expeditionary CNO Develop hardware and firmware implants to access isolated or complex networks Design, development and delivery of the end-to end infrastructure that supports GENIE operations TOP SECRET//COMINT//REL TO USA, FVEY
Access Technology & Operations • conducts global off-net operations with HUMINT partners to develop and deploy technology that enables on-net operations targeting high priority target networks and individuals. • works closely with development organizations to create technical and operational solutions using specialized TAO hardware and software tools that are tailored to each mission and opportunity. • bring unique talents to gaining access to intelligence when conventional collection methods prove ineffective. • The diverse skill sets that ATO personnel bring to the mission leverages the support of our HUMINT partners, unique access, and sophisticated tools and techniques that provide physical access to networks and communications.
Access & Target Development • (S//SI) Develop deep understanding of target communication techniques and practices of target entities with goal of identifying vulnerabilities that can be exploited via physical access. • Define and develop physical access strategies, aligned to national requirements and TAO priorities, with emphasis on hard targets and isolated networks. • Build and maintain significant relationships within the HUMINT community necessary for achieving access. • Drive resulting operations to achieve end-to-end SIGINT successes.
Access Technology & Operations Field Operations (TS//SI//REL) The Field Operations Division is responsible for the developing and deploying customized SIGINT collection and data exfiltration solutions that enable remote network operations by gaining access to isolated target networks. The Division is also responsible for maintaining access to selected targets, exploring methods of enhancing the value from existing access, efficiently managing sustained operations, and working closely with the FBI and other HUMINT partners to plan and conduct operations. Expeditionary Access Operations (EAO) (TS//SI//REL TO USA FVEY) S3283 is the expeditionary arm of TAO which conducts worldwide Human-Enabled Close Access Cyber Operations to satisfy National and Tactical SIGINT access requirements. Access and Target Development Persistence Divison - (S//SI) Develop deep understanding of target communication techniques and practices of target entities with goal of identifying vulnerabilities that can be exploited via physical access. Define and develop physical access strategies, aligned to national requirements and TAO priorities, with emphasis on hard targets and isolated networks. Build and maintain significant relationships within the HUMINT community necessary for achieving access. Drive resulting operations to achieve end-to-end SIGINT successes. (U//FOUO) The Persistence Division (S3285) conceives, develops, tests, and integrates sophisticated firmware and software-based capabilities and techniques to directly support three of Tailored Access Operations’ (TAO’s) mission technology focus areas: Persistence - IT/GEO - Computer Network Attack (TS//SI//REL FVEY) These firmware and software techniques are remotely deployable to target devices via a network connection or by physical interdiction. Regardless of the deployment methodology, these highly developed accesses operate covertly without any indication of their presence and provide TAO with unique and advanced capabilities that directly support NSA and its other Intelligence Community partners with some of their most significant successes.
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL Telecom Network Technologies • Providing logically intrusive methods of manipulating or extracting data from telecommunications networks. TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
TOP SECRET // COMINT // X1 TNT Mission: “Define, design, develop, & test, logically intrusive methods of manipulating & extracting data from telecommunication networks, public infrastructures, and public broadcasting networks – and supporting enabling efforts, remote operations, initial deployments, and information operations.” Fixed Satellite Systems PSTN Satcom Gateways GSMC Packet Data & Voice Tactical Comms BTS MSC Control Links Servers Internet / Intranets Routers Global Information Network GPS BSC Pagers Abis Cellular Switches / PBX Telephones Modems FAX TOP SECRET // COMINT //
TOP SECRET // COMINT // X1 Targeted Technologies: • Telephony: • • • • • • • • VOIP - Voice Over Internet Protocol ISDN – Integrated Services Digital Network GSM - Global Systems for Mobile Communications GPRS – General Packet Radio Service 3G – 3rd Generation Mobile Telephony SMS – Short Messaging Service MMS – Multimedia Messaging Service SDH – Synchronous Digital Hierarchy • Facilities & Infrastructure: • Data communications standards (ITU & IEEE) • Broadcast: • ITU standards for digital video communications TOP SECRET // COMINT //
CBND Overview • Control Platforms Branch – Large Scale SCADA Energy Management Systems (EMSs) – Vendors • Siemens • Areva • ABB • Control Devices Branch – Substation SCADA Technologies – Technologies • Programmable Logic Controllers (PLCs) • Intelligent Relays • Video Technologies Branch – Video Teleconferencing Systems (VTCs) – Personal Video Technologies • Webcams • Internet Chat (Skype, etc)
Project Descriptions • OPERATIONAL – GSM implants deployed in several target networks – Geolocation tools used with great success – Metadata and other voice collection tools • DEVELOPMENT – GPRS and UMTS • STRATEGIC EFFORTS – IP exfiltration – Enabling passive SIGINT collection
VND Overview • Enterprise Telephony – – – – Private Branch Exchanges (PBXs) VoiceMail Systems Network Management Systems Technologies • • • • SIP, H.323, SCCP Linux & Windows development platforms C, Assembly, Perl/Python Ghidra, IDA Pro, JTAG for reverse engineering • Transport Services – SDH, SONET Multiplexers – ATM Routers – Technologies • • • • SDH, SONET, ATM Linux & Windows development platforms C, Assembly, Java Ghidra, IDA Pro, JTAG for reverse engineering
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL Data Network Technologies • Providing the software-based capabilities needed to surreptitiously exploit computer networks and the technology needed to covertly pass endpoint access commands and data across public networks to support endpoint operations. TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
Data Network Technologies Access Division, S3231 (TS//SI) The Chief, Access Division is responsible to the Chief, Data Net-work Technologies Office to develop access to targets of interest to NSA. The Access Division focuses on developing remote access techniques and tools, ensuring continued remote access through the deployment of tools via remote or human assets, and assisting with remote access operations under the authority of the Remote Operations Center. The Access Division will act as the front door for DNT-wide efforts. The techniques developed should be scalable, automatable, and robust. Network Technology Division, S3235 (S//SI//REL) The Chief, Network Technology Division is responsible to the Chief, Data Network Technologies Office for the development of tools and techniques to exploit components on global and private networks supporting endpoint operations. Computer Technology Division, S3234 Cyber Networks Technology Division, S3232 (TS//SI) The Chief, Computer Technology Division is responsible to the Chief, Data Networks Technologies Office for collection against target networks. The Computer Technology Division focuses on the development of software implants, automation, and control tools to support endpoint operations. (TS//SI) The Chief, Cyber Networks Technology Division (CNTD) is responsible to the Chief, Data Net-work Technologies Office to develop and deploy logically intrusive, software-based, end-point access techniques to enable Computer Network Operations (CNO) across multiple target operating systems and platforms. CNTD's purpose is to collect or enable collection of data for Foreign Intelligence and Operational Information and to include support to Information Operations.
TOP SECRET//COMINT//NOFORN Data Network Technologies Cyber Network Technologies Division (CNTD) • • • Mission: – (TS//SI//NF) Develop and deploy logically intrusive, software-based, end-point access techniques to enable Computer Network Operations (CNO). Purpose: – (TS//SI//NF) Collect or enable collection of data for Foreign Intelligence and Operational Information, to include support to Information Operations. The Bottom Line – (TS//SI//NF) “Provide the War-fighter with a world class capability for computer network attacks and counter-computer network exploitations”. – (TS//SI//NF) Develop mission applications that Deny, Destroy, Degrade, Disrupt, Manipulate, Mislead, and Collect against enemy targets. – (TS//SI//NF) Design and develop techniques that enable stealthy sustained operation of our mission applications on target. – (TS//SI//NF) Accomplish the above points across many target operating systems and platforms. TOP SECRET//COMINT//NOFORN
TOP SECRET//COMINT//NOFORN CNTD Overview Acquisitions and Evaluations Branch (AEB) • Search for or identify opportunities to purchase tools and their source code • Validate, prioritize opportunities with appropriate development organization • Acquire tools and their source code, provide in-depth evaluation to accurately assess the tools functionality • Productize tools by modifying/developing for OPSEC, tradecraft, integration, testing with other TAO capabilities in order to meet operational requirements. TOP SECRET//COMINT//NOFORN
TOP SECRET//COMINT//NOFORN Methodology Prioritization Customer Requirements Rogue Nations Systems Toolbox Diversity Sources Acquisition Research Intel Assessments Industry Academia Evaluation CNO Community Agencies, Partners NTOC, ANO, TAO Productized/ Integration Code Modifications Testing Release TOP SECRET//COMINT//NOFORN Services ROC Submission
TOP SECRET//COMINT//NOFORN CNTD Overview Forensics and Engineering Branch (FEB) • Mission: – (TS//SI//NF) Evaluate, Reverse Engineer, Exploit, and Repurpose software for use in CNE, CCNE and CNA operations. • Purpose: – (TS//SI//NF) Reverse engineer and evaluate software from malware, nation-state, and commercial sources for the purpose of identifying tradecraft signatures and vulnerabilities. TOP SECRET//COMINT//NOFORN