Title: APEX Active/Passive Exfiltration

Release Date: 2015-01-17

Document Date: 2009-08-01

Description: This NSA TURBULENCE presentation dated August 2009 explains the APEX method of combining passive with active methods to exfiltrate data from networks attacked: see the Der Spiegel article The Digital Arms Race: NSA Preps America for Future Battle, 17 January 2015.

Document: Active/Passive Exfiltration

"go apex"

STDP: S32354 & T112, NCSC/C91

August 2009

OP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

TOP SECRET//COMHMT//REL TO USA. AUS. CAN. GBR. NZL//20291123

UNCLASSIFIED

This presentation is classified

TOP SECRET//COMINT//REL TO
USA, AUS, CAN, GBR,
NZL//20291123

2

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

Motivation: CES needs VPN keys!

NCCJncrement 3 Planning

NCC CA Service Rei

'aggregate for all VPN exploitation-enabled systems).

Q4 FY09 (Risk Reç
Q4 FY10
Q4 FY11

NCC front end systems sttajj^lly jb\pceis's(t4e\ decrypt and re-inject) at least 20% of CA service requests (-20% Reinject Rate?)

For tasked IP addresses, NCQfr/ont eciq systems shall Identify relevant IPSec sessions and generate attack requests (Rates?)

NCC front end systems shall buffer VPN data for up to 15 minutes (900 seconds) while waiting for response from Attack Orchestrater (AO)

After successful key reboyery and cle&ryptlojn PIO services shall re-inject decrypted VPN for Stagel & Stage2 processing
Aggregate VPN bufferlng^nd^rooessInVrate peFTÎVIL/system (Assumptions - LPT? T16? U64?)

Q4 FY09 (Risk Reduction)-^ 4 VPN Systems L——-2£ Concurrent VPN Flows / System 100 Mbps Aggregate VPN Data / System

Q4 FY10 10 VPN Systems 100 Concurrent VPN Flows / System 100 Mbps Aggregate VPN Data / System

Q4 FY11

100 VPN Systems

30 Concurrent VPN Flows / System 500 Mbps Aggregate VPN Data / System

► CES receiVebA/1^/N tKE packets from passive collection
(TURMOIL) and recovers VPN keys.

► TURMOIL receives VPN ESP packets and decrypts them
using the keys recovered by CES.

► But there are many VPNs that TURMOIL(s) can’t see.

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

3

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

Motivation: Leverage TAO

► TAO/DNT active implants have a powerful Man-in-
the-Middle capability to access data deep within
target networks.

■ They can select packets and exfiltrate them back to the
Common Data Receptor (CDR) at the Remote Operations
Center (ROC).

■ HAMMERSTEIN: target any 5-tuple packet

• {SrclP, SrcPort, DstIP, DstPort, Protocol}

■ IKE: VPN key exchanges

■ ESP: VPN encrypted tunnels

■ HAMMERCHANT: target VoIP phone numbers

• Process SIP/H.323 VoIP signaling

• Forward targeted phone call RTP media sessions

► But CDR has limited input bandwidth.

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

4

S ECRET//CO MINT//20291123

Hmmmm

Maybe... Combine Active & Passive?

SECRET//COMINT//20291123

5

Agenda

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

► Motivation: Why?

►TURBULENCE High Level Concept: What?

► Details: How?

■ FASHIONCLEFT Exfiltration Protocol

• Definition

• Processing Required

■ Turmoil Architecture

■ Turmoil Implementation

• Packet Reinjection: Stage 1 Prime

• Packet Processing Framework: AEG/SEG

• Packet Routing: different Transform Engines

► Complexity

► Challenges

► Phased Development

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

6

ÜËJ



INFRASTRUCTURE

mÜRBUUENGEi

ÏÏNTEGRATldiïË

TUTELAGE

Active Defense

TRAFFICTHIEF

Tipping

ANALYTICS

Analysis/

\i rJ'i J i

EITC

Networking l

SECRET//COMINT//20291123

7

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

(U) Sensors: Passive Collection

Accesses
TURMOIL
m TUTELAGE
• Implants (TAO)

W' iMTrvsystems intercept foreign target satellite, microwave,
and cable communications as they transit the globe.

s

Internet
4 Cloud

Internet
i Cloud

Internet
4 Cloud

DoD Network

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

8

J OCI loUl O -

Management

r

Ml/ LI V C lt¥l lÄ«)Ci)lulll//lEL TO USA, AUS, CAN, GBR, NZL//20291123



Accesses
TURMOIL
9 TUTELAGE
0 Implants (TAO)

. _ (TS//SI//REL) TURBINE enables the
V 4p automated management and control of a
large network of active implants

s

Internet
4 Cloud

^Internet ^

Internet >
^»oud /

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

9

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, N,

APEX VPN IKE Mission

niernaI
Network

TAO Inside

Tailored Access
Office Remote
Operations Center

Tasking

A^-mks

Taskin

PRESSURE WAVE I

ET//CdTvHNT//REL TO USA, AUS, CAN, GBR,

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, N,

APEX VoIP Mission

niernaI
Network

TAO Inside

Tailored Access
Office Remote
Operations Center

Tasking

/TURBINE

NSAW

PRESSURE WAVE,

ET//COM1NT//I

FASHIONCLEF1

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

Exfiltration Protocol

12

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

FASHIONCLEFT

► Definition: TAO/DNTprotocol used by implants to
exfiltrate collected network packets to the Common
Data Receptor (CDR, aka FLAXENPRECEPT).

► Provides support for:

■ Metadata Authentication/I integrity + AntiReplay + Encryption

■ Data Encryption

■ Uses 1024-bit RSA, 128-bit RC6, SHA-1

► Based on DNT standards:

■ FOGYNULL (DNT Exfiltration Protocol)

■ FUNNELAPS (DNT Exfiltration Data Format)

■ SHELLGREY (DNT Exfiltration Metadata Format)

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

13

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

How To Exfiltrate IP Packets

1. Select packet based on tasking.

2. Make a copy of the selected packet.

3. Modify packet IP destination address.

4. Modify other protocol fields (IP, UDP, TCP) as needed
to bypass firewalls and to tag packets for ID.

5. Optionally encrvpt/munge Transport layer payload.

6. Send modified Data Packet (DP) to new destination.

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

14

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

Receiver: Needs Metadata

► Metadata explains how to:

1. Identify an exfil packet and the implant source.

2. Recover original IP destination address.

3. Recover other original protocol fields (IP, UDP, TCP).

4. Contains Key to decrvpt/unmunge transport layer payload.

► Metadata sent in a Session Announcement (SA)

• SAs is an IP/UDP packet sent to a destination IP/port.

• Multiple copies of SA sent to mitigate dropped SA packets.

► Receiver is dynamically configured with:

• SA IP/ports, Infrastructure & Implant Private Keys

• Processing Mode: Reconstruct or Reinject

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

15

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

FASHIONCLEFT

Session Announcement Format

► IP Header

► UDP Header

► SA Payload in UDP Transport Layer

■ Infrastructure Header (128 bytes)

• RSA Encrypted w/ Infrastructure Public Key

• Contains SHA-l(INF-HDR), Cryptold

- Cryptold = {Deploymentld, Targetld, Implantld}

■ Implant Header (128 bytes)

• RSA Encrypted w/ Cryptold ’s Public Key

• Contains SHA-l(IMP-HDR)

• 128-bit CV, Ml, and CRC-16 checksum for
Exfil/Metadata Block

■ Exfil/Metadata Block (variable)

• RC6 Encrypted w/ CV & Ml

► Minimum packet length = 344 bytes

INF-HDR

Deployment-Id = 0x00
Target-Id = Qxa1a2a3a4
m plant-id = 0xb1 b2
Packet-IF-Selector = 0x01
Packet-IF-Data = [’]

IMP-HDR

Opcode = 0x09
lnst-ld = 0x00
Implant-Ver = 0xd1
Encrypt-Mode = 0x02



in

Q_

<

Ï

ÙL

(3

i l

exfil-blk

MetaData-Len = M L
Data-Len = 0

METADATA-B LK

Exfil-ld = 0x0C0000e2
Exfil-Type = Packet
Time-of-lntercept = OxffOO
Filter-Id = 0x12

ML

Bytes

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

16

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

FASHIONCLEFT

Session Announcement Processing

l. Look for SA packets:

1) at destIP/destPort; protocol=UDP,

2) that are at least 344 bytes long, and

3) whose first 128-bytes of Transport Payload “look random”.

* (Easy/quick initial checks)

l. RSA Decrypt INF-HDR w/ Infrastructure Private Key.

Authenticate w/ SHA-1

(Slow secondary check; can’t withstand much non-SA traffic on IP/port)
l. RSA Decrypt IMP-HDR w/ Cryptold’s Private Key.

* Authenticate w/ SHA-1

l. RC6 Decrypt Exfil/Metadata w/ CV and Ml
Perform CRC-16 integrity check.

1. Anti-Replay Check & New Session/Retransmit Check

2. Extract Metadata and create Collection Filter rule for DPs

* Metadata contains either 5-tuples or pattern/mask/offset that match DPs

* PpfEvent.DfceCF.tuple (5-tuple)

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

17

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

FASHIONCLEFT
Data Packet Processing

1. Identify an exfil packet that matches DP filter rule.

2. Modify to original IP destination address.

3. Modify to original protocol fields (IP, UDP, TCP).

4. Decrypt/unmunge transport layer payload.

- Have now recovered the original captured packet.

i. Associate metadata with recovered packet.

- agentCaseNotation, Turmoil link caseNotation
i. Perform protocol specific processing.

- Pre-selected: forward all traffic to TUBE/PWAVE

- Re-inject back into Turmoil Stage-1

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

18

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

VINYLSEAT

(Email)

VINYLSEAT

(Email)

OLYMPUS

(Files)

TAO Remote Operations Center
Common Data Receptor

/
-
n i i 1 !

PINWALE

Office of Target Pursuit
(Forensics Lab)

Manual

Processing and
FTP

Common Data Receptor

SWEEPFORWARD

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

19

UNCLASSIFIED

TURMOIL Architecture

UNCLASSIFIED

20

TURMOIL Architecture

S ECRET//CO MINT//20291123

Crucial for SSO and the
desire of dynamic
tasking.

What we are currently
focused on

Ermines Examines Examines Examines
sequences of sequences of sequences of sequences of
associated associated associated associated
packets sessions applications entities
assessing the assessing the assessing the assessing the
value of their value of their value of their value of their
associated associated associated entities associated
sessions applications (targets/people). social network.

SECRET//COMINT//20291123

21

S ECRET//CO MINT//20291123

Inside Stage 1

Opérât

e

Message

Bus

State Engine
State Engine

Transform

Engine

SECRET//COMINT//20291123

22

S ECRET//CO MINT//20291123

Inside Stage 1

Physical

Delay Flow Control
Engine

Delays packets for 3-30
sec then drops un-
wanted packets and
sends the rest to
requested Transform
engines



PreProc

"V

Delay Flow
Control
_Enqine

Dete

ct

D-

Message

Bus

Event

ingine

State Engine
State Engine

*

SECRET//COMINT//20291123

23

Event Engines: Detect

SECRET//COMINT//20291123

► Stateless - does not store data or
metadata

(Atomic Event Generator = AEG)

► Evaluation of traffic

► Publish observations

► Each engine can be specialized and
optimized based on incoming speed

■ Software and/or Hardware

Examples:

1. Detect VPN setup:

IKE key exchange.

2. Detect VPN tunnel:

ESP packets.

3. Detect VoIP signaling:
H.323, SIP, Skype, etc.

4. Detect FASHIONCLEFT
Session Announcement.

/ 7 ■
Delay Flow r 4
Control L
Engine r 1

Event
.»ngine

State Engine
State Engine

SECRET//COMINT//20291123

24

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

State Engines: Control

► Receives published events from Event Engines and makes processing
decisions.

► Choreographs activity for data flows (Stateful Event Generator = SEG)

■ Correlates multiple published events

■ Starts/stops transform processing engines

■ Publishes decisions about the flow

► Each State Engine can be specialized and optimized

Examples:

1. Associate VPN IKE/ESP
traffic with recovered VPN
keys.

2. Associate VoIP signaling
w/ phone call.

3. Track FASHIONCLEFT

SA’s: new, keepalive, replay?

Data

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

25

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

Transform Engines: Grooming

► Receives orders from State Engines

► Operation applied to a data object that does not change its level of
abstraction.

■ Packet ^Packet(s)

■ Session ^-Session(s)

► Groomed data object can then be re-injected or sent forward

Examples:

1. Decompress/decrypt
packet.

2. Reconstruct original
packet from
FASHIONCLEFT Data
Packet.

Az.



71

Delay Flow
Control
__Engine

"N

l

r



IL

J Contr L

Operat
e

Message

Bus

Event

* State Engine

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

26

UNCLASSIFIED

TURMOIL Implementation

27

UNCLASSIFIED

TURMOIL Stage 1 with Stage 1’

Reinjected Packets

UNCLASSIFIED

UNCLASSIFIED

TURMOIL Stage 1’ (Stage One Prime)

Reinjected Packets (>2 )

UNCLASSIFIED

SECRET//COMINT//20291123

TURMOIL Stage 1 PPF Engines

Packets Matching
Criterion to AEGs

Filter Criterion
from AEGs

PSC AEG

PSC Hits to FCP

Subnet
Promotion AE

}

Subnet Hits to FCP

Technology
■Tomotion AE

J

■ PSP

PA AEG

J

¡Ei/enfs. /\

I------►( PSP SEG J-

PSP Hits to FCP

PA Events

QUANTUM AEG

J

QT Events

APEX AEG

VoIP SIP AEG

VoIP H.323 AEG

VPN IKE AEG

VPN ESP AEG

APEX SEG
)■■■■" Ç SIP SEG
(jH.323 SEG
) " (VPN IKE SEG
(VPN ESP SEG

PPF Engines


* Event Filter

(EF)
1

-----------S]ir

Targeting
Query/Response

Selected

Hits

•SIP Hits Æ) DFCE
■H.323 Hite to DFCE
■IKE Hits fc> DFCE
■ESP Hits To DFCE

QT Alerts

.....

PftÄlerts

Core WAN Bridge
(CWB)

Application

Message

Converter

Selection

Distribution

Element

KEYCARD

TURBULENCE
Enterprise Messaging

SECRET//COMINT//20291123

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

TURMOIL Stage 1 Packet Router

Stage 1: Packet Processing
Stage 1’: Packet Re-Processing

DFCE

All Selected
Packets

Packet

Router

Routing Rules
Table

^ ‘Sessionizing TE

‘Bundling TE

APEX Bundling TE

•Detunneling TE

APEX Reinjecting TE

VPN Decrypt TE

-Re-inject (Stage l'f-

Sessionlzed

Jackets

Bundled Pi

ckets

Bundled

/olP Packe
--------»

Stage 2

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

S ECRET//CO MINT//20291123

TURMOIL Stage 1 Sessionizing

Stage 2

♦TDAL

SECRET//COMINT//20291123

SECRET//COMINT//20291123

TURMOIL Stage 1 APEX Bundling TE

Selec 3d
Pack> ts m

All

Packets

Packet

Router

APE

Roui id Packets

< VoIP

Fast IP

Processor(FIP)
APEX Bundling TE

APEX Bundle
Reconstruct

VoIP Bu idle: :

Stage 2

Home

SECRET//COMINT//20291123

S ECRET//CO MINT//20291123

TURMOIL Stage 1 APEX Re-Injecting TE

SECRET//COMINT//20291123

SECRET//COMINT//20291123

TURMOIL Stage 1 Metadata Processor

Stage 1: Packet Processing

Metadata

Atomic Event Generator Events Stateful Event Generator Events Event Filter

(AEG) (SEG) (EF)

PPF Engines

Metadata Processor



'Hits"

Stagel ASDF
Reporter

IKE

Events to BME

ESP

Events to BME

IVE Metadata
Tabulator

ASDF Metadata to Stage 2

VPN IKE/ESP Metadata
to Stage 2

IVE Metadata to Stage 2

EF Metadata to Stage 2

SECRET//COMINT//20291123

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

TURMOIL Stage 1 VPN TE

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

S ECRET//CO MINT//20291123

APEX Spin 15 Design

SRI->


ApexAeg CF (5TUP + CAID + PicLPSel + MD)

Metadata Event

Control Flow

----------------►

Criteria Registration

DFA Interface

< »

SRI Broadcast

<4.................

| TDKS Container |

|Mission Components]
| Turmoil Components]

Stagel PicLPSel
I CAID Pid PSell r\/niPt

SA Keyword
| ApexSeg 11 XFSPF |
i i ApexSeg CF
i 1 XDFCE

SECRET//COMINT//20291123

rev002

37

Complexity

UNCLASSIFIED

38

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

Complexity

► APEX Sequence Diagram

■ Tasking

• Look for: FASHIONCLEFT Session Announcements.

■ Recognize SA

• Look for: FASHIONCLEFT Data Packets

■ Recognize DP

• Route DP to Bundling or Packet Reinjection TE

• Reconstruct, Attach Metadata, Output/Reinject

► VPN Dataflow & Sequence Diagram

■ Recognize VPN IKE Packets

• Send all IKE Metadata to CES TOYGRIPPE database

• Send targeted IKE to CES POISON NUT for VPN key recovery.

■ Recognize VPN ESP Packets

• Save targeted ESP in big buffer and request VPN key from CES.

• If receive VPN key, decrypt and Reinject.

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

39

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

I APEX Tasking & Data Flow Sequences

Active/Passive Exfiltration (APEX)

Stage 0 DFID 2 second FSPF Apex Apex DFCE Packet FIP Metadata Apex Apex Tbus tDAL TUBE Pressure VoIP Apex CWB ITx Turbine PUZZLE 01M Analyst
Allocator Pkt Delay AEG SEG Router Bundler Injector SSTE PPTE loPort Wave Analytic MBean CUBE

Packet Stream with

Packet Stream with

ponfiqure SA Filter

ublish Tasking to Apex Mission Components

'ASHlONpLETT Session Announcements (SA)

Filtered £jA Packets j |

"Decrypted SA Packets

^|AntiReplay/Retransmit Check

I I

Publish session Initiation/UpdatefTerminatlon PpfEvent containing:

* DP collectionFilter & SA metadata extracted from SA

* unique message ID = communicationsAssociationld (cald)

* routing ID = PROCESS_ID; specifies processing path (SSTE/PPTE) based on Tasking or

3Jstore PpfEvent in local cachej

i i T

Packets (DP) j j

Taq each .packet with a streamld(Data Flow identifier = DFID) based on Staqe-C

J,

Filtered DP Packets; tagged with cald of PpfEvent that caused collection

Make routing decision; use caid to lookup PpfEvent which contains route (PROCESSJD)

. I i I ! I I

PROC ESS_ID=AP EX-S STE (Packets have been pre-selected by Implant)

Bundle packets based on 5-tuple (or possibly cald) |

^*Use cald to query PpfEvent cache and retrieve SA metadata
Use streamld(DFID) to query DFID Allocator and retrieve Stage-0 metadata/SRI

I I I

DP Packet Bundle tagged with SA and Stage-0 metadata

'Decrypted/Reconstructed DP Packet Bundle tagged with metadata

! ^|store exfiltrated DP in Pressurewave (e.g. VoIP Packets)

:ets will be reinjected far Turmoil selectlorVprocessing)

^ l l I

Use cald to query PpfEvent cache and retrieve SA metadata
Is this the first packet received with this cald? (Is the channelld empty?)

Task Turmoil; Task Implant (not shown)

Del iver Tasking to Apex AEG

__________Create Exfil Task

^tore/Retrieve Keys & Implant Config

Task Turbine

Look for VoIP traffic in Pressurewave
Retrieve exfiltrated VoIP packets + metadata and process

Use streamld(DFID) to query DFID Allocator and retrieve Stage-0 metadatafSRI

1 I I 1 1 I I

new SOTF session with unique channelld, tagged with SA and Stage-0 metadata
Allocate new streamld(DFID) from DFID Allocator for this channelld and save metadata

Reconstructed DP sent to SOTF(channeld)

i i r

Packet Stream with IKE or ESP (Begin Turmoil VPN Mission Dataflow)

—| | |

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

40

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

VPN Flow

(ReinjectMnDecompJ SIGDEV Router

V J
IPNormalizer

TDK Component

Packet Data

Keyword Management
Session Data

PPF Component

External Service

Mission

Application

Component

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

41

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

VPN Decrypt Sequence Diagram

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

42

UNCLASSIFIED

Challenges

UNCLASSIFIED

43

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

Challenges

►SIGDEV

■ Find target networks/devices with desired traffic.

• TAO/R&T

■ Exfiltration path discovery from device to Turmoil.

• COALSHOVEL

► End-to-End Metadata & Processing

■ Provide CES with appropriate metadata for VPN mission.

■ Provide TUBE/PRESSUREWAVE with appropriate
metadata for VoIP analytic.

■ Two Case Notations:

• Link collected by Active Implant: “new” agentCaseNotatlon

• Link collected by Passive System: “current” caseNotation.

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

44

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

Challenges

► Classification & Legal Authority

■ Some TAO implants/accesses are compartmented.

• The highest priority VPNs are likely on compartmented accesses.

■ We’d like to exfil packets to high-bandwidth SSO sites

• Ensure compliance with FISA / FAA / PAA / USSID SP0018.

► Future Automation

■ Turbine tasks both Active & Passive collectors

■ Automated Path Discovery

■ Dynamically task Active system using Passive selectors

• Exfil VoIP signaling to Turmoil for selection:

■ task selected calls for exfil.

• Exfil VPN ESP tunnel starts to Turmoil for selection:

■ task exploitable tunnels for exfil.

• Apply automated OPSEC policy to manage exfil bandwidth & CPU
utilization on implanted device.

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

45

UNCLASSIFIED

APEX Phased Development

► Command & Control
►VPN

► VoIP

UNCLASSIFIED

46

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

APEX Command & Control Phases

► C&C Phase 1: Manual Configuration (Spin 15)

■ HAMMERMILL is configured via existing command interface.

■ Simultaneously TURMOIL APEX is provided a configuration file for this HAMMERMILL mission.

■ A human is responsible for keeping the two in sync.

► C&C Phase 2: Semi-automatic Configuration

■ TURBINE receives mission parameters and automatically configures both the HAMMERMILL
implant and the TURMOIL APEX components.

■ TURBINE-HAMMERMILL interface uses CHIMNEYPOOL RPC commands and requires
HAMMERMILL version 2.5.

■ TURBINE-TURMOIL interface uses ISLANDTRANSPORT.



C&C Phase 3: Dynamic Targeting

■ TURBINE sets initial configuration as in Phase 2.

■ Exfiled traffic is evaluated by TURMOIL components+KEYCARD for selection decisions.

■ TURMOIL messages to TURBINE to dynamically target a particular flow through the implant.

■ Example:

• TURMOIL receives an IKE key exchange (and possibly a few initial packets)

• TURMOIL evaluates the IP addresses to decide if the VPN being set up corresponds to a target

• If so, TURMOIL message to HAMMERMILL via TURBINE to capture/exfil corresponding ESP traffic.

This phase must be managed so that router exfil does not exceed the tolerable bandwidth limits set
by OPSEC and operational concerns. TURBINE may need to implement additional workflows to
monitor and control exfil volume.

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

47

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

Tasking ICF (Implant Control File)

TEST-APEX-1 INFRASTRUCTURE CONFIGURATION FILE

ICF NAME

ICF_DTG

ICF_INFO

IMPLANT_ID

IMPLANT_VER

TARGET ID

DEPLOYMENT_ID

TARGET_CN

TARGET IP

TARGET HOST

TEST-APEX-1

Wed Jan 28 14:38:59 2009
Test ICF for Apex Development
0x0001
1

0x00000002

0x00000003

TESTTECHNIQUE_TESTHOST

10.0.0.1

TESTH0ST

#

# IMPLANT_LP[1-9] [:][: port(s)]

# Tunnel-Id: l-TCP_Redir, 2-Fashioncleft, 3-HTTP_BT_S, 4-UDP_S

# ./genkey -1 128

IMPLANTJ.P1 2:10.1.1.2:10002

IMPLANT RC6CV1 5366fbel 7f7a05fd 33d66a6f 3581de48

#

IMPLANT_RSA_INF

RSANAME TEST_APEX_INF_KEY-1

RSAINFO Wed Jan 28 14:38:59 2009r ./rsagenkey v2.0

RSASIZE 1024
RSAM0D 32

0xdb532e9d, 0x93c792fc, 0x4459fc40, 0x07744c65, ...

RSAMU 33 ...

RSAPRIV 32 ...

RSAPUB 32 ...

#

IMPLANT RSA IMP

RSANAME TEST APEX IMP KEY-1

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

48

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

Tasking XML (FlashHandle Mission Manager)










FN

2.0



2

l

l

Q



2
2009-01-30T12:19:05.910-05:00







l

100

0

l800







2

l0.1.1.2

l0002


...

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

49

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

Tasking XML (Turbine - ITx - Turmoil)



ctask:message schemaVersion="l.0" xmlns:task="urn://control.exo/Taskinglnterface/vl">
ctask:taskAdd>

O0110OO0-1111-2222-3333-444455556666

2c/task:timestamp>



ctaskSecurityMarking classification="TS" coi="C0MlNT" disseminationControls="REL"

sCIcontrols="SI" releasableTo="USA AUS CAN GBR NZL" legalAuthority="RAWSIGINT" />
...





creplayPrevent>lc/replayPrevent>

chistoryLimit>100c/historyLimit>

0

ctimeWindow>1800c/timeWindow>





00010001-1111-2222-3333-444455556666

80010001-1111-2222-3333-444455556666

cagentCaseNotation>UA.AAABBBCCCMMlc/agentCaseNotation>

cprocessingMode>Reinjectc/processingMode>





2

l0.1.1.2
10002

...

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

50

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

APEX VPN Phases

► VPN Phase 1: IKE Metadata Only (Spin 15)

■ IKE packets are exfiled to TURMOIL APEX.

■ APEX reconstructs/reinjects IKE packets to the TURMOIL VPN components.

■ TURMOIL VPN extracts metadata from each key exchange and sends to the
CES TOYGRIPPE metadata database. This database is used by SIGDEV
analysts to identify potential targets for further exploitation.

► VPN Phase 2: Targeted IKE Forwarding (Spin 15)

■ TURMOIL VPN looks up IKE packet IP addresses in KEYCARD.

■ If either IP address is targeted, the key exchange packets are forwarded to
the CES Attack Orchestrator (POISON NUT) for VPN key recovery.

► VPN Phase 3: Static Tasking of ESP

■ HAMMERSTEIN receives static tasking to exfil targeted ESP packets.

■ APEX reconstructs/reinjects ESP packets to the TURMOIL VPN components.

■ TURMOIL VPN requests VPN key from CES and attempts decryption.

► VPN Phase 4: Dynamic Targeting of ESP

■ Based on the value returned by KEYCARD, the ESP for a particular VPN may
be targeted as well.

■ TURMOIL sends to HAMMERSTEIN (via TURBINE) the parameters for
capturing the ESP for the targeted VP1\I.

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

51

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

APEX VoIP Phases

► VoIP Phase 1: Static Tasking of VoIP (Spin 16)

■ HAMMERCHANT monitors VoIP SIP/H.323 signaling and exfiltrates only targeted VoIP
RTP sessions to TURMOIL.

■ APEX reconstructs and bundles the voice packets into a file, attaches appropriate
metadata, and delivers to PRESSUREWAVE.

■ This triggers a modified VoIP analytic to prepare the VoIP for corporate delivery.

► VoIP Phase 2. VoIP Call Survey

■ HAMMERCHANT monitors VoIP SIP/H.323 signaling and exfiltrates all call signaling
metadata to TURMOIL.

■ APEX inserts call signaling metadata into an ASDF record and publishes it to the
TURMOIL AsdfReporter component for target SIGDEV.

► VoIP Phase 3. Dynamic Targeting of VoIP

■ HAMMERSTEIN captures/exfils all VoIP signaling

■ APEX reconstructs/reinjects the signaling to the TURMOIL VoIP components.

■ TURMOIL VoIP extracts call metadata and sends to FASCIA; checks KEYCARD for hits.

■ If called/calling party is targeted for active exfil, then TURMOIL sends to HAMMERSTEIN
(via TURBIN IE) the parameters to capture the targeted RTP session.

► Implementation of VoIP Phase 2 and 3 will be driven by mission need.

■ Phase 3 leverages all TURMOIL VoIP signaling protocol processors to expand beyond
SIP and H.323 (e.g. Skype) without additional development on the implant.

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

52

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

Performance & Status Metrics

M H S f n rn d c - a p ex: j u r m oil I n p u +• C £ 0 0 3 - 0 8 -17 15: 3 0 : 47]

600.0 -

1----1----1----1----1----1----1----1----r

A u g p a c k e t size B u t e s Cl 0 m i n u t e s 01 d ]

I n p u t M a x M b its / s e c Cl 0 m i ji u t e s o 1 d ]

I n p u t A k> g N b i +• s / s e c C 5 m llmj t e s 01 d ]
Input ets/sec CIS n|y p e s old]

500.0

4 0 0.0

£00.0

100.0

0.0

08xl £
00: 00

08 / 1 3
0 0 : 0 0

08/1 4
00: 00

08/15
00:0 0

08/ 1 6
00: 00

M H 8 / n rn d c - a p ex: A p e x S e s s i o n s C £ 0 0 9 - 08 -17 15: 3 0 : 5 2 ]

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

700. 0

600. 0

500. 0

400. 0

£00. 0

100. 0

0. 0

08/17

0 0: 0 0

£5. 0

£0. 0

15. 0

10. 0

0. 0

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

Performance & Status Metrics

M H S / n rn d c - a p ex: A p e x S e s s i o n s C £ 0 0 9 - 08 -17 15: 3 0 : 5 2 ]

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

£5. 0

£0. 0

15. 0

10. 0

5. 0

0. 0

Questions?

go apex

apex chat room on LINKUP

STDP: S32354 & Till, NCSC/C91

OP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

TOP SECRET//COMINT//REL TO USA. AUS. CAN. GBR. NZL//20291123

e-Highlighter

Click to send permalink to address bar, or right-click to copy permalink.

Un-highlight all Un-highlight selectionu Highlight selectionh