Title: Fourth Party Opportunities

Release Date: 2015-01-17

Description: This undated NSA presentation describes the process of Fourth Party collection – “I drink your milkshake”: see the Der Spiegel article The Digital Arms Race: NSA Preps America for Future Battle, 17 January 2015.

Document: TOP SECRET//COMINT//REL TO USA, FVEY

(U) Fourth Party Opportunities

SECRET//COMINT//REL TO USA, FVEY

(U) What is 4th Party

• (S//SI//REL) 4th party collection leverages CCNE accesses to provide Foreign Intelligence from foreign CNE victims

• (U) Types of 4th Party opportunities

° (U) Passive Acquisition
° (U) Active Acquisition
° (U) Victim Stealing / Sharing
° (U) Re-purposing

SECRET//COMINT//REL TO USA, FVEY

(U) Passive Acquisition

(S//SI//REL) Passive acquisition utilizes mid-point collection to target information being exfiltrated from victims of foreign CNE activities. This often involves CES efforts to decrypt or de-obfuscate the collected data.

[Slide graphic, marked S//SI//REL]

SECRET//COMINT//REL TO USA, FVEY

(U) Active Acquisition

(S//SI//REL) Active acquisition utilizes end-point collection to target foreign CNE infrastructure in order to collect victim information.

[Slide graphic, marked S//SI//REL]

SECRET//COMINT//REL TO USA, FVEY

(U) Victim Stealing / Sharing

(S//SI//REL) Victim stealing exploits weaknesses in foreign CNE implants and C2 systems to gain access to victims and either take control of the foreign implant or replace it with our own. This is NOT a disruption or CNA activity. It is solely used to further CNE accesses.

[Slide graphic, marked S//SI//REL]

SECRET//COMINT//REL TO USA, FVEY

(U) Re-purposing

(S//SI//REL) Re-purposing utilizes captured foreign CNE components (implants, exploits, etc.) to shorten the development cycle of our own CNE tools.

[Slide graphic, marked S//SI//REL]

SECRET//REL TO USA, FVEY

(U) 4th Party Decision Tree

(S//REL) The best sustained outcome is passive acquisition of valuable 4th party collected information. Where the 4th party is not collecting information of interest, but the victim is still of interest, victim stealing can be pursued. Where passive or cryptographic issues prevent (or delay) passive acquisition, active acquisition will be pursued.

[Decision tree diagram, marked S//SI//REL; the only legible node label is "Passive Acquisition"]

SECRET//REL TO USA, FVEY

(U) 4th Party Lifecycle

(S//REL) The prioritization, development and exploitation cycle is continuous until the priority is lowered to standby or the intelligence value is being realized through passive alone.

[Lifecycle diagram; legible node labels (partly cut off): Discover, Prioritize, Develop, Passive]

UNCLASSIFIED//FOR OFFICIAL USE ONLY

Fourth Party Example: VOYEUR

TOP SECRET//COMINT//REL TO USA, FVEY

(U) VOYEUR Backend

[Screenshot: the VOYEUR backend, captured as a browser session on the "me2 - Console" web interface. Legible elements: browser tabs "Hcz Start", "MOIS Start", "Infection Statistics" and "me2 - Console"; the console menu Console - Archive - Packed - Upload - RunThis - Sysinfo - Datamine - Pack All; a numbered list of 22 victims with four-digit victim IDs (readable ones include 2421, 3782, 5364, 1869, 5426, 5622, 5443, 6265, 3549, 6360, 6223, 3352, 6281, 5673, 6513); and a victim table with columns Last Connect, Platform, Actions and Data. Every visible row shows "34 day(s) ago", a platform version of 4.41 (one row 4.40) and the same per-victim action set: Sysinfo, FileMan, Keylog, NoninterShell, Hide, RunThis, EnFlash, EnVer4, UserPass, Monitor.]

TOP SECRET//COMINT//REL TO USA, FVEY

(U) VOYEUR SQL Interface

[Screenshot: a phpMyAdmin session (title bar "125.XO.42.238:10443 / localhost / me2 / SenderLog", as displayed) browsing the SenderLog table of the me2 database with "select * ... LIMIT", showing rows 1-30 of a five-digit total. Tables listed in the navigation pane: Alias, AllowRules, two further Allow* tables whose names are not legible, Attacks, DenyRules, Events, FileManCommands, ForwardLinks (partly legible), Groups, NoninterShellCommands, RunThis, SenderLog, ShellRequests, Sysinfo-adaptor, Sysinfo-arp, Sysinfo-info, Sysinfo-program, Victims. SenderLog columns: Id, User, FromName, AttackSerial, AttackID, GroupName, Message, EffectivePlugins. The visible rows (Id 1-15) all have User "admin", GroupName "mehrab" and AttackID 44277 through 44291; each carries a 20-hex-digit AttackSerial and, for most rows, the Message "-link- 881217 Please use UTF-8 Character Encoding to view this e..." handled by "linkPlugin", while a few rows carry only the Message "hi".]

TOP SECRET//COMINT//REL TO USA, FVEY

(U) UIS

[Screenshot: a UIS viewer showing captured user-activity records from a victim host. The legible fields are timestamps of the form 04/01/2011 12:3x, foreground window titles and the corresponding executable paths under c:\program files (Adobe InDesign CS3, Adobe Photoshop CS3 Extended, Mozilla Firefox, a "Photo Snap Viewer" window), plus a lower pane of short hexadecimal row identifiers. The remaining text is not recoverable.]

TOP SECRET//COMINT//REL TO USA, FVEY

(U) UIS

[Screenshot: a second UIS view (toolbar with Print, Doc, Copy and a COMMENTS column over a table of true/false flags); no further text is recoverable.]

TOP SECRET//COMINT//REL TO USA, FVEY

(U) TUNINGFORK

[Screenshot: browser window with tabs "DIRTSHED - SEEKER", "M-CLOUD/ABR" and "WikiInfo", URL "https://cnedata... .ata/repository" (truncated as shown), page banner "TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL" and footer "DYNAMIC PAGE - HIGHEST POSSIBLE CLASSIFICATION IS TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL", showing the directory index below. Digits that could not be read are marked "?".]

Index of /Processed/DIRTSHED/.../201105-04/081700/opt/me2site/data/repository

Name      Last modified
Parent Directory
1654/     06-May-2011 02:02
186?/     06-May-2011 02:01
2421/     06-May-2011 02:11
2644/     06-May-2011 01:54
3027/     06-May-2011 01:25
3427/     06-May-2011 00:47
3505/     06-May-2011 00:44
3537/     06-May-2011 01:24
3551/     06-May-2011 02:00
3684/     06-May-2011 00:45
3?03/     06-May-2011 02:14
3?49/     06-May-2011 01:54
4493/     06-May-2011 01:57
4617/     06-May-2011 01:26
4683/     06-May-2011 02:11
4?65/     06-May-2011 01:55
5254/     06-May-2011 01:29
5352/     06-May-2011 02:11
5364/     06-May-2011 02:13
5390/     06-May-2011 02:16
5426/     06-May-2011 01:26
5436/     06-May-2011 01:56

TOP SECRET//COMINT//REL TO USA, FVEY

(U) SEEKER

[Screenshot: the SEEKER web interface ("SEEKER: turning exploration into knowledge"; Targets / preferences; project DIRTSHED) browsing a collected file tree: UNIX [621] > etc [6] > (illegible) [282: 282 collected, 13 new] > opt [94: 86 collected, 6 new] > me2site [93: 86 collected, 6 new] > data [84: 82 collected, 4 new] > packed [83: 82 collected, 4 new] > default [82: 82 collected, 4 new]. The default/ directory holds dated client archives from 2011.01.10 to 2011.04.2x with names like "2011.01.10-18.22.51-clients-archive.7z.001", plus "january-2011.7z.001" and "january-2011.rar.part1" through "part3". Selecting UNIX | opt | me2site | data | packed | default | 2011.01.10-18.22.51-clients-archive.7z.001 opens a "Collection Info (1)" pane (columns Hash, Comments, Size, Compressed, Name) listing archive members timestamped 8:57:05 to 9:02:18; most are 140 or 173 bytes, a few are larger (7775, 18243, 664679, 76619, 11712, 2271), with a total of 1276719703, and their names have the form FileMan/2011_01_08__08_57_xx__<victim IP>... or Report/2011_01_08__... . Page footer: "Information Owner: ... Page Publisher: SEEKER Team ... DERIVED FROM: NSA/CSSM 1-52 DATED: 08 January 2007 DECLASSIFY ON: 20320108" and "DYNAMIC PAGE - HIGHEST POSSIBLE CLASSIFICATION IS TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL".]

TOP SECRET//COMINT//REL TO USA, FVEY

(U) Cloud/ABR

(TS//SI//REL TO USA, FVEY) Project DIRTSHED

[Screenshot: file-type statistics table. The header row reads "File Type | Hash | Language | Ccne | Classified | Hitlist | Overlaps" but the rows carry seven numeric columns, so one column header is not legible; its position is shown as "(?)" and cells that could not be read are marked "?".]

File Type              Hash  Language  (?)  Ccne  Classified  Hitlist  Overlaps
SHOCKWAVE              0     0         0    0     2           2        8
SOURCECODE_C_CPP       0     0         0    28    40          40       74
SOURCECODE_JAVA        0     0         0    0     2           2        80
SOURCECODE_JAVASCRIPT  0     0         0    1     15          27       ?
SOURCECODE_PHP         0     0         0    127   521         537      1284
SOURCECODE_PYTHON      0     0         0    138   546         546      546
SOURCECODE_RUBY        0     0         0    ?     70          70       ?
SQLITE_DATABASE        0     0         6    6     6           15       40
TAR                    0     0         0    ?     ?           ?        12
TAR-UNWRAPPED          0     0         0    209   209         209      364
TEXT                   0     0         1    278   833         859      4528
THUMBS_DB              0     0         0    0     4           6        ?
TIFF                   0     0         3    3     3           3        143
TRUETYPE               0     0         0    0     0           0        98
UNIX-BASH-SCRIPT       0     0         0    11    90          90       133
UNIX-PERL-SCRIPT       0     0         0    1     4           4        43
UNIX-SH-SCRIPT         0     0         0    177   490         490      513
UNIX_PASSWORD_FILE     0     0         0    ?     21          38       260
UNKNOWN                0     0         0    0     0           0        1
UNKNOWN-ENORMOUS       0     0         0    35    41          44       56
UNKNOWN-HUGE           (row cut off; only "1" and "57" legible)

TOP SECRET//COMINT//REL TO USA, FVEY

(U//FOUO) Repurposing

[Screenshot: a Ghidra CodeBrowser session on SDSND32.DLL. Panes: Program Trees (.text, .reloc, .rdata, .data), Symbol Tree (Imports, Exports, Functions, Labels, Classes, Namespaces), Data Type Manager (BuiltInTypes, SDSND32.DLL, a windows_vs* archive), the Listing for FUN_100012c0 and its Function Graph. The legible disassembly of FUN_100012c0 begins at 100012c0 with SUB ESP,0x400; PUSH EBX; PUSH EBP; PUSH ESI; MOV EBP,[USER32.DLL::GetKe...]; PUSH EDI; MOV ECX,0xff; XOR EAX,EAX; LEA EDI,[ESP + local_3fc]; MOV dword ptr [ESP + local_...], followed by a loop at LAB_100012e1 that does PUSH 0x8; CALL [KERNEL32.DLL::Sleep]; CALL FUN_100011d0, and later blocks that call a USER32.DLL ...AsyncK... routine and TEST ..,0x80, i.e. the Sleep/key-state pattern of a keystroke-polling loop.]

UNCLASSIFIED//FOR OFFICIAL USE ONLY

(U) Current Efforts

TOP SECRET//COMINT//REL TO USA, FVEY

(U) VicDB

[Screenshot: TAO Application Suite (TAOSuite in Mozilla Firefox), VicDB view for Implant Type SILVERBOLT, Depth: Monthly, with tabs "Callback Density" and "Victim Density" and a monthly callback chart spanning 09/09 to 07/10. The victim table below it is reconstructed from the screenshot; OCR-damaged timestamps have been normalised to the YYYY-MM-DD HH:MM:SSZ form used by the legible rows.]

Implant     First Heard           Last Heard            Callback Count  IpName    Country
SILVERBOLT  2010-04-03 06:40:34Z  2010-04-03 07:25:35Z  4               mcee.org  KW
SILVERBOLT  2010-04-02 02:34:17Z  2010-04-02 12:54:53Z  40              mcee.org  KW
SILVERBOLT  2010-04-01 14:03:41Z  2010-04-01 14:03:41Z  1               mcee.org  KW
SILVERBOLT  2010-04-13 12:25:28Z  2010-04-13 12:25:28Z  1               mcee.org  KW
SILVERBOLT  2010-04-15 04:45:08Z  2010-04-16 14:41:14Z  43              mcee.org  KW
SILVERBOLT  2010-04-13 08:23:52Z  2010-04-13 09:27:43Z  2               mcee.org  KW
SILVERBOLT  2010-04-24 06:28:43Z  2010-04-24 07:30:01Z  6               mcee.org  KW
SILVERBOLT  2010-04-23 04:34:28Z  2010-04-23 12:47:44Z  17              mcee.org  KW
SILVERBOLT  2010-04-13 04:57:29Z  2010-04-13 06:07:24Z  12              mcee.org  KW
SILVERBOLT  2010-04-07 02:19:58Z  2010-04-08 12:12:43Z  51              mcee.org  KW
SILVERBOLT  2010-04-20 07:01:34Z  2010-04-28 07:14:16Z  4               mcee.org  KW
SILVERBOLT  2010-04-18 10:51:39Z  2010-04-18 11:00:49Z  3               mcee.org  KW

TOP SECRET//COMINT//REL TO USA, FVEY

(S//SI) Survey Data

[Screenshot: excerpt of a Windows host survey; the legible portions follow, with OCR errors corrected. Values that are blank in the screenshot are left blank.]

SYSTEM2\NETWORK SERVICE   SYSTEM2   NETWORK SERVICE   S-1-5-20
SYSTEM2\BUILTIN           SYSTEM2   BUILTIN

---------------------------- UserAccount --------
AccountType  Caption                    Domain   FullName
512          SYSTEM2\Administrator      SYSTEM2
512          SYSTEM2\ASPNET             SYSTEM2  ASP.NET Machine Account
512          SYSTEM2\Guest              SYSTEM2
512          SYSTEM2\HelpAssistant      SYSTEM2  Remote Desktop Help Assistant Account
512          SYSTEM2\SUPPORT_388945a0   SYSTEM2  CN=Microsoft Corporation,L=Redmond,S=Washington

--- Time Zone
Caption: (GMT+03:30)    SettingID:

---------------------------- dir "C:\Documents and Settings\Administrator\desktop\"
 Volume in drive C has no label.
 Volume Serial Number is C437-1E2D

 Directory of C:\Documents and Settings\Administrator\desktop

05/12/2011  05:31 PM    <DIR>          .
05/12/2011  05:31 PM    <DIR>          ..
05/08/2011  08:08 PM           131,915 1256691986[1].jpg
05/08/2011  08:15 PM           155,166 croppedbusiness success - graph nip jpg nls2[1].jpg
04/08/2011  09:48 PM               606 GetFLV.lnk
05/03/2011  07:40 PM    <DIR>          Hardware
05/03/2011  08:03 PM             2,473 Microsoft Office Excel 2007.lnk
05/09/2011  06:40 PM             2,497 Microsoft Office Word 2003.lnk
05/11/2011  11:24 AM             2,515 Microsoft Office Word 2007.lnk
04/22/2011  01:15 PM             1,515 Paint.lnk
               7 File(s)        299,687 bytes
               3 Dir(s)  51,504,803,340 bytes free

---------------------------- dir "C:\Documents and Settings\Administrator\My Documents\"
 Volume in drive C has no label.
 Volume Serial Number is C437-1E2D

   Connection-specific DNS Suffix . : MyDslDomain
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-0E-7F-62-5C-49
   Dhcp Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . :
   DNS Servers . . . . . . . . . . . :
   Lease Obtained. . . . . . . . . . : Thursday, May 19, 2011 11:39:16 AM
   Lease Expires . . . . . . . . . . : Saturday, May 21, 2011 11:39:16 AM

These Windows services are installed:
Automatic Updates
Background Intelligent Transfer Service
Client Service for NetWare
COM+ Event System
Computer Browser
Cryptographic Services
DCOM Server Process Launcher
DHCP Client
Distributed Link Tracking Client
DNS Client

TOP SECRET//COMINT//REL TO USA, FVEY

(U) DEADSEA

[Screenshot: an XKEYSCORE search page (Home | Search | Workflow Central; Results, Fingerprints, Statistics, Map, My Account, XK Forum; banner "TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, and NZL//20320108"; "Warning: your password has expired!"). The navigation filter lists fingerprints around the selected one: Ccne Byzantine Raptor Rolex, Ccne Byzantine Raptor Trajan 3, Ccne (illegible) Command Packet, Ccne Traffic, Ccne Victim Id, Ccne Zebedee Parse, Cdma All Metadata, Computer Serial Numbers, DNS High Entropy, DataFlurryPhoneInfoExtractor, Diameter AVP Metadata, Diameter Header Metadata, Dynamic DNS Updates, E Ticket, ESP SPI, Eclectic-plot, Electronic Attack Heuristics, Email, Encryption Steg Camo, Encryption Steg JSTEG, Exif Metadata, Expression Engine, FACEBOOK, Facebook Chat Jabber, Fourth Party CNE_DEADSEA_, Generic IDirect, Google Analytics, Google StreetView, Google StreetView Thumb, Google StreetView Tile, Gtp Pdp Context, HAWALA, Happyfoot, IE Cookies.]

Search: Fourth Party CNE_DEADSEA_
Query Name: asmaestO (as displayed)
Justification / Additional Justification / Miranda Number: (blank)
Datetime: 1 Day, Start 2011-05-12 00:00, Stop 2011-05-14 00:00 (Current Time: 2011-05-13 13:33 GMT)
Search fields: activity, attribute_name, attribute_value, bluesmoke_id, computer_id, direction, implant_command

TOP SECRET//COMINT//REL TO USA, FVEY

(S//SI) Discovery for 4th Party

[Screenshot: a CROSSBONES2 journal entry (page banner "DYNAMIC PAGE - HIGHEST POSSIBLE CLASSIFICATION IS TOP SECRET//COMINT//ORCON/NOFORN"; navigation: Home, Entries, Reports, Activity Groups, User Groups, Tasking, Tags, Profile; entry actions: New Journal Entry, Attach File, New Association, New Signature, Like This, Follow this Entry, Rescan for Data Facets, Export Events, Add a Link; assigned-tag categories: direction, intent, result, methodology, phase, actor, victim, capability, infrastructure, geopolitical environment, technology, other: positive correlations, other: negative correlations). Redacted spans in the entry body are shown as [redacted].]

(TS//SI//REL) Perfect Keylogger Activity
May 06, 2011
Warning: There are no diamond model events defined on this journal entry.
project / user group: CYBERQUEST - MHS
intrusion sets: UNKNOWN
access: PUBLIC
source: SIGINT:FORNSAT
source site / source signal: USJ-759 /
source classification: TOP SECRET//COMINT//REL TO USA, FVEY
source date: 2011-05-06 00:00:00 UTC

(U//FOUO) This entry may contain information not fully assessed and is intended for analytic collaboration only. The recipient may not use, report or further disseminate this information unless or until it is published in a report.

Perfect Keylogger is installed on hostname DOM (Russian for 'home'), private IP address [redacted], for user 'Home'. Website surfing information and screenshots have been stored at an account at the Russian IP inbox.ru mail server, and are being delivered to a U.S. IP.

A courtesy copy of the logs is delivered to user [redacted], a Moscow-based software services company, member of a leading Russian technology group, probably [redacted].

Apparently, the victim(s) of the keylogging are members of the [redacted], possibly wife to the [redacted] referenced above, as well as [redacted]. ...Keylogger is probably installed to monitor children's and wife's activity.

[redacted] is well-connected. Her email is [redacted]. She has a presence on LinkedIn. And her Facebook password was sniffed as [redacted]. Several other passwords for both [redacted] and [redacted] have been captured. Possibly [redacted] is Head of PR and Advertising at [redacted], Moscow. [redacted], director for Corporate Development at [redacted], probably husband.

UNCLASSIFIED//FOR OFFICIAL USE ONLY

Contact us

EMAIL: DL 4THPARTY
NSANET: GO 4THPARTY
JABBER: S2 CYBER ANALYSIS