Title: AURORAGOLD Working Aid

Release Date: 2014-12-04

Document Date: 2012-05-17

Description: This NSA briefing document from May 2012, originally presented at that year’s Five Eyes SIGDEV conference, gives a high-level overview of the NSA’s AURORAGOLD project and names the GSM Association (GSMA) as a specific target: see the Intercept article Operation Auroragold: How the NSA Hacks Cellphone Networks Worldwide, 4 December 2014. auroragold-working-aid

Document: SECRET//SI//REL TO FVEY

AUR OR/ \GI ] L D

Working Aid (Updated 17 May
2012)

(U//FOUO) AURORAGOLD is a team of SSG4 analysts, developers and wireless SMEs
working on:

• (S//SI//REL) Database of Mobile Network Operators (MNOs), networks, and
PWlDs collected from GSM/UMTS/LTE roaming documents (IR.21s),

• (S//SI//REL) Target development effort against MNOs, roaming hubs, and GSM
Association (GSMA) working groups, and

• (U) Fusion of open source, licensed, commercial data with SIGINT to answer
wireless needs.

(S//SI//REL) Sample SIGINT (IR.21) Queries

• (S//SI//REL) What IR.21s have we seen for networks within a country or set of
countries?

• (S//SI//REL) What IR.21s have we seen for networks managed by a mobile
network operator?

• (S//SI//REL) What IR.21s have we seen for a particular network or set of
networks?

(U) Sample Open Source (Licensed Commercial Data)
Queries

• (S//SI//REL) What are all of the cellular network operators within a country
currently in service?

• (S//SI//REL) What suppliers have sold equipment to which operators within a
country?

• (S//SI//REL) What networks are currently in service/planned within a country
for each operator?

• (S//SI//REL) Which network technology equipment exists within a country for
each operator?

SECRET//SI//REL TO FVEY

SECRET//SI//REL TO FVEY

(S//SI//REL) What is the network name for each network within a country for
each operator?

(S//SI//REL) When was each network placed into service for each operator
within a country?

(S//SI//REL) What cellular network technology (e.g., GSM, W-CDMA, HSPA,
etc.,) is in service for each operator in a country?

(S//SI//REL) Which frequency spectrum bands are being used by which
operators in a country?

(S//SI//REL) What 4G/LTE networks are currently in service/planned for each
operator within a country?

(S//SI//REL) What CDMA or CDMA Wireless Local Loop networks are currently
in service/planned for each operator within a cour>1~rw?

(S//SI//REL) What network license auctions are
planned within a country?

Derived From:
NSA/CSSM 1-52
Dated: 20070108

SECRET//SI//REL TO FVEY

SECRET//SI//REL TO FVEY

(S//SI//REL) Some IR.21 Fields Useful to SIGINT

(U) IR.21 Field (U) What is it? (U) How is it used?

Mobile Country Code (MCC)/ Mobile Network Code (MNC) (U) A decimal digit code which uniquely identifies a (U) Provide unique identification of networks to mobile network. The MCC which identifies the identify network boundaries, interfaces, protocols, country is used as the first three digits of any user's software, hardware, etc. IMSI, followed by the two digit MNC which identifies the network within that country.
Mobile Subscriber Integrated Services Digital Network Number (MSISDN) (U) A number uniquely identifying a subscription in a (U) Allow identification of real phone number dialed GSM or a UMTS mobile network (the telephone number to the SIM card in a mobile/cellular phone).
TADIG codes (U) A number allocated by the GSMA for use as (U) Identify the network for billing purposes and primary identifiers, both within file contents and file help identify targets names. Also used as a more generic entity identifier in the mobile industry
Signaling Connection Control Part (SCCP) (U) A network layer protocol that provides extended (U) Provides routing information within the Public routing, flow control, segmentation, connection- Land Mobile Network and provides access to orientation, and error correction facilities in applications such as 800-call processing and Signaling System 7 telecommunications networks calling card processing to identify targets and other information
Subscriber Identity Authentication (U) This field indicates whether or not authentication (S//SI//REL) It would also show the emergence of is performed for roaming subscribers at the start of new cipher algorithms and support target analysis, GSM service and the type of A5 cipher algorithm trending and the development of exploits. version in use.
Mobile Application Part (MAP) (U) A SS7 protocol which provides an application (S//SI//REL) Provides a clearer understanding of layer for the various nodes in GSM and UMTS mobile network features when roaming agreement core networks and GPRS core networks to information is published. Current information about communicate with each other in order to provide subscribers, mobility management and services to mobile phone users. The Mobile applications can be used for targeting and target Application Part is the application-layer protocol development. used to access the Home Location Register, Visitor Location Register, Mobile Switching Center, Equipment Identity Register, Authentication Centre, Short message service center and Serving GPRS Support Node (SGSN).
Network Element (U) Specific network components, their (S//SI//REL) This specific information is necessary manufacturer, software & hardware versions, etc. for targeting and exploitation. Includes core and

SECRET//SI//REL TO FVEY

SECRET//SI//REL TO FVEY

Information radio interface information.
Packet Data Services Information (U) Packet Data Services identifies the affected GPRS networks. An Access Point Name is also included in this information. APNs can identify the type of service provided by GPRS networks provided to mobile users. APNs also help identify the network and operator's packet network involved in the IR.21 and could be used for targeting. (S//SI//REL) This data element also provides information on the WAP gateway being access and multimedia messaging services gateway IP addresses which is useful for target development. Insight into the GPRS Tunneling Protocol versions being used within the networks is provided as well. GPRS, EDGE and HSPA technologies are covered.

SECRET//SI//REL TO FVEY

e-Highlighter

Click to send permalink to address bar, or right-click to copy permalink.

Un-highlight all Un-highlight selectionu Highlight selectionh