Project CAMBERDADA – NSA
June 22, 2015
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
An Eas -
Using
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
Overall classification
REL TO USA, AUS, CAN, GBR, NZL
BRICKTOP (2009)
Tascom RusComNet
Kaspersky
Rosoboron
Institute of Information mt Moscow
Telecommunication
Analytical Technology corporation
Comstar Komet
[Image text: Касперского (Kaspersky)]
Sample Email Received by an
AV Vendor
PWZA201 2051 021 8350000 1 97506
Good day,
A phishing scam file is attached for your analysis.
Zip file password: virus
The file tricks the user into giving her/his bank account
credentials. This can be verified by clicking on the Sign In
button.
FYI: ..
Regards,
Francois Picard
NewRoma.net
Attachment: BMOFinancialGroup.zip
Work Flow
Analytic value
brings in ~10 potentially malicious
files per day for malware triage
Over 500 potentially malicious files collected
since 2009
50 CAMBERDADA signatures deployed to
for alerting
39 domains mitigated
DNS Interdiction
9 domains under DNS Interdiction
Cloudshield intercepts the DNS request
Returns the address of a listening post
Munged version of the request is sent out
DNS response is sent to a log
Current status
CRN
550
Overhead
SCS
FORNSAT
gem L-C-2010-147 Multi-Country: Computer
Network Ops
Dozens of CADENCE selectors
PINWALE daily queries; models
What else can we do?
can repurpose the malware
Check Kaspersky AV to see if they continue to
let any of these virus files through their Anti-
Virus product
Monitor the folks who provide the malware
to see if they're into more nefarious activity
Establish automated reporting
More Targets!
fsb-antivirus Bit-Defender
(France) (Romania)
eAladdin
Norman (Israel) secure Drwe'D
AVG F-Prot
(Czech) (Iceland) (Norway) (Finland)
Hau?
k7computing Ikarus (Korea) A b.t
(India) (Austria) ma Antly
Avira (Poland) (Chinese)
(Germany)
SIDS/Emergency Nod32 Novirusthanks
(Slovakia) (Slovakia) Ahnlab (Italy)
(S Korea)
Emsisoft Eset Avast Checkpoint
(Austria) (Slovakia) (Czech) (Israel)
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
4121
V252
(S) (S)
Derived From: 1-52
Dated: 20070108
Declassify On: 20370301
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL