Title: Expeditionary Access Operations: NSA’s Close Access Network Exploitation Program

Release Date: 2016-08-19

Description: This undated presentation from the NSA’s Expeditionary Access Operations discusses how malware techniques are used in the field: see the Intercept article The NSA Leak is Real, Snowden Documents Confirm, 19 August 2016.

Document: EXPEDITIONARY ACCESS OPERATIONS

NSA’s Close Access Network Exploitation Program

Expeditionary Access Operations

(S//SI//REL) S3283 is the expeditionary arm of TAO which
conducts worldwide Human Enabled Close Access Cyber
Operations to satisfy National and Tactical SIGINT access
requirements.





Technologies of Interest:

• Computers

• 802.11 (WiFi)

Customer Set:

Various Task Forces
COCOM Planners
SOCOM Operations
Service Cyber Elements
902nd MI Group
DIA/CIA/FBI
CSTs / CSGs
NSA TOPIs
Conventional SIGINT Elements
2nd Party Partners

Tasks

Deploy certified operational teams to tactical
environments to execute close access Computer
Network Exploitation (CNE) in support of national and
tactical requirements

Certify SIGINT personnel to conduct human-enabled
CNE missions

Develop, test, and field solutions for future tactical CNE
and endpoint geolocation systems and techniques

EAO Division

Analysis Cell

Human Enabled CNE Tools

• Software implants that act as the
initial “hook” into target systems to
enable remote operations (ROC)

• Internet Cafes

• Gifting

• Detainee Computers

• Wireless payload delivery/injection tool

• Monitors target’s web traffic

• Injects special ROC tag

• Target unknowingly owned by the ROC

- ISPs

- Banks

- Telecommunications

- Consulates/Embassies

BLINDDATE

• 802.11 a/b/g Survey/Exploitation Hardware

- Handheld, laptop, deep install form factors

- Plug-in architecture for custom functions: heat
mapping, NITESTAND, HAPPY HOUR,
BADDECISION, more

- GUI used for active and passive CNE tools

- Provides output data ingested by numerous
databases (MASTERSHAKE, etc)

Kabul BD Survey Results








Heat Map Analysis

Red Indicates
Probable Location of
Wireless Client

Overflow Parking

Each Grid Square is
Approx. 20m x 20m

Static Collection Site

NITESTAND

BLINDDATE Plug-in

802.11 a/b/g wireless injection tool

Monitors target’s web traffic

Injects unique packet that forces client to
access a monitored listening post on the
internet for payload deployment

Transparent to target

Current Operations

EAO-W: Columbia Annex (CANX)

- Supports Global CNE Operations in support of customers

- Coordinates with R&T access priorities

- Provides WiFi geo-location operator expertise to customers

Afghanistan: OIC, Analyst, 7 x Operators - Bagram

- Presence in Bagram, Kabul, and Kandahar

- Requirements from TOPIs, TF 3-10, IOC, CJSOTF-A, tactical CST’s

Germany: 2 x operators - Stuttgart

- Part of the ETC

- Support EUCOM and AFRICOM requirements

Southwest USA: 4 x operators - Texas

- Supporting

- Requirements from NSA Texas

TOP SECRET//COMINT//REL TO USA, FVEY

Operation IRONPERSISTENCE

ATO Support to DIA and TF 3-10 in Afghanistan

Ongoing

DIA approached EAO-AF about a source with
access to some key Taliban targets in
Afghanistan. These targets are two of TF 3-10’s
highest priority targets.

EAO-Washington coordinated with DIA as well
as ATO’s MX Team, Bridging and Exploitation
Division, and Persistence Division to create the
proper tool that addresses the target’s sensitive
OPSEC practices.

CNE enabled devices have since been forward
deployed to Afghanistan to be used against this
target. The devices will be delivered as soon as
the source can schedule a meeting with the Task
Force Target.


OPPORTUNITY: EAO-Iraq was requested to conduct a CAT E implant on two laptops which
were gifted to This is an opportunity to establish long term collect on and

refine intelligence pertaining to Intelligence gain will identify

the network communications of these individuals, and possibly serve to enhance the overall
operational picture of the networks that these agents are operating on.

Result - SGT deployed tc _ _

and gifted two pre-implanted laptops to
The items gifted included other items, such as

under the auspices of The items were heartily

accepted and EAO-I is awaiting results.

NSA/CSSM 1-52
Dated: 20070108
Declassify On: 20360401

TOP SECRET//NOFORN

Operations in Development

Libya and Syria - EAO is prepared to support contingency operations
regarding any requirements in hostile environments

EAO Way Ahead

- Continue to use partnerships with DoD to meet National
and Military access requirements

- Formalize Partnership with USCYBERCOM

- Become their expeditionary capability

- Respond to Cyber requirements in non-CENTCOM AORs

- BPT conduct Title 10 operations

- BPT respond to worldwide contingency Operations

- Expand the Close Access Network Operator training
pipeline with respect to ADET’s CANO work role

- Continue to work with sister offices, the Services, and
commercial vendors for advancements in CANO capabilities
and provide testing support when required

Division Chief

Deputy Chief

Operations Branch
Analysis Cell

Training Branch
Tech Branch

CONTACT INFORMATION

MAJ


SFC

CTN1

General Inquiries Afghanistan
