Title: LEVITATION and the FFU Hypothesis

Release Date: 2015-01-28

Document Date: 2012-01-01

Description: This CSE (then CSEC) presentation from 2012 describes the Canadian agency's file download monitoring operation: see the Intercept article Canada Casts Global Surveillance Dragnet Over File Downloads, 28 January 2015.

Document: TOP SECRET//SI//REL CAN, AUS, GBR, NZL, USA

LEVITATION and
the FFU Hypothesis

cse-cst.gc.ca


What is LEVITATION?

A behaviour-based target discovery project
Multi-disciplinary team

Prototyping and delivering advances in:

• Behavioural tradecraft

• Hypothesis tradecraft

• Tradecraft automation


Hypotheses

Current / Active:

• FFU

• Sequential numbers

• Obvious selector names

• Web search terms

In Development:

• GPS waypoints

• Devices close to places

• Telephony gaps

• Targets of foreign SIGINT agencies

• Missed calls

FFU Hypothesis

Extremists use Free File Upload (FFU) sites differently than the general public.

Al-Qaida uses FFU sites to distribute Jihadist propaganda

Extremists use FFU sites to distribute training materials

What do we need?

A list of suspect documents
A list of FFU URLs referring to those documents
A list of IPs downloading those URLs

New documents are found by CWOC (CSEC Web Operations Centre) retrieval from URLs, so that's the easy part.

New URLs

• CSEC's web forums team

• 2nd Party reports & alerts

• Machine Learning: learning the textual context for the URLs in web forums

• HTTP Referrers: follow URL referrers back to the originating site

• Previous Correlations analysis: using tech techniques to figure out what else that user was up to at the same time, e.g. Google Analytics cookies



[Screenshot of the new-URL discovery job (ETL workflow). Step names recoverable from the diagram: Get STALKER Hostnames; Build SQL for STALKER Referers; Query FFU for STALKER Referers; Sort rows; Select values; IP Geo and Network Info; Add constants; FFU Requests Master List; Remove spaces; Stream lookup; Output duplicated URLs; Format Date; Mail New URLs; Get Variables; Mail Configs; Blocking Step; New URLs File; Output new URLs.]
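The referrer-driven discovery that the job above implements (take the hostnames of watched forums, pull FFU requests whose Referer points back at one of those forums, look each URL up against the master list, and output only the ones that are new), as an added example in Python. It is not the job in the screenshot and not CSE's code; the STALKER hostname feed's format is not known from the slide, so the forum hostnames, FFU hosts, URLs and log tuples below are all constructed.

```python
"""Added example (not the document's code): find new FFU URLs by following
HTTP Referer headers back to watched forums, then diff against a master list.

FORUM_HOSTS stands in for the 'STALKER hostnames' feed; FFU_HOSTS, MASTER_LIST
and LOG are constructed for illustration."""
from urllib.parse import urlsplit

FFU_HOSTS = {"sendspace.com", "mediafire.com"}         # assumed FFU sites
FORUM_HOSTS = {"forum.example", "board.example"}        # assumed watched forums
MASTER_LIST = {"https://sendspace.com/file/abc123"}     # URLs already known

# Constructed HTTP metadata records: (client_ip, requested URL, Referer or "").
# Documentation-range IPs; the Glee download is there to show that a request
# referred from a search engine rather than a watched forum is not picked up.
LOG = [
    ("198.51.100.23", "https://sendspace.com/file/abc123", "https://forum.example/thread/1"),
    ("198.51.100.40", "https://sendspace.com/file/zzz999", "https://forum.example/thread/7"),
    ("198.51.100.41", "https://mediafire.com/?q=k8f2", "https://board.example/post/42"),
    ("198.51.100.42", "https://sendspace.com/file/zzz999", "https://forum.example/thread/7"),
    ("198.51.100.43", "https://sendspace.com/file/glee_s02e04", "https://www.google.com/"),
    ("198.51.100.44", "https://sendspace.com/file/hhh111", ""),
]


def host_of(url):
    """Hostname of a URL, or "" for an empty/absent header."""
    return urlsplit(url).hostname or ""


def referred_ffu_urls(log, ffu_hosts=FFU_HOSTS, forum_hosts=FORUM_HOSTS):
    """'Query FFU for STALKER Referers': requests to an FFU host whose Referer
    is on a watched forum. Returns url -> set of referring pages, so the same
    URL posted in several threads is collapsed (the 'duplicated URLs' step)."""
    out = {}
    for _ip, url, referer in log:
        if host_of(url) in ffu_hosts and host_of(referer) in forum_hosts:
            out.setdefault(url, set()).add(referer)
    return out


def new_urls(log, master=MASTER_LIST, **kw):
    """'Stream lookup' against the master list: keep only unknown URLs."""
    return {u: refs for u, refs in referred_ffu_urls(log, **kw).items()
            if u not in master}


if __name__ == "__main__":
    for url, refs in sorted(new_urls(LOG).items()):
        print(url, "<-", ", ".join(sorted(refs)))
```

The Referer join is what keeps the candidate set small: of the six requests above only three arrive from a watched forum, and one of those is already on the master list, so two new URLs reach the "Mail New URLs" step. A request with no Referer at all (direct link, privacy extension, HTTPS-to-HTTP downgrade) is invisible to this method, which is why the slide lists forum scraping and 2nd Party reports as parallel sources.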

FFU Events Collection

ATOMIC BANJO (Special Source) is collecting HTTP metadata for 102 known FFU sites.

We see about 10-15 million FFU events per day. All the FFU events are available through OLYMPIA.

Looking for a few good documents

We only care about the 2,200 URLs that point to documents of interest.

e.g. How to make a gas bomb

www.sendspace.com/file

Every day we sort through the 10-15M events for the interesting ones.

We're finding about 350 interesting download events per month.

Documents vary:

Chloroform in a Lowes bucket

Bajadin Explosives Manual

And lots of pictures of cars on fire

Filtering out Glee episodes





[Screenshot of the FFU hit-matching job (ETL workflow). Step names recoverable from the diagram: Create HTTP_RLINE SQL; Query HTTP_RLINE; Master List Extremist Documents URLs; Sort by time; Get URL Length; Convert String IPs; Master FFU Hits; Add constants; Stream lookup; Create HTTP_LOCATION SQL; Query HTTP_LOCATION; Processed FFU records; New FFU records.]

Resulting events

[Windows Explorer screenshot of the share path \\corp\Share_1\Levitation\FFU\FFU Hits. It holds about three dozen folders, one per hit, named "MM-DD-2012 FFU Hit Selector ..." (names truncated in the screenshot) and dated from 01-20-2012 to 03-20-2012, plus an Excel workbook "FFU From Mathieu" modified 06/03/2012 10:27. Geolocation labels visible beside the entries include Iraq, Saudi Arabia, Yemen and Occupied Palestinian Territory. The desktop also shows SQL Developer, XMind and a CERRID DM Extension.]

Start analysis with event info

FFU hit from selector [redacted] on 7/03/2012 7:46:51 geolocated to Kenya, accessing The Explosives Course through FFU site sendspace.com with HTTP user agent Mozilla/5.0 (Ubuntu; X11; Linux x86_64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1

Correlating other selectors with the IP

(Same FFU hit as above.)

Can we correlate any other selectors with this IP address?

- Mutant Broth query on IP [redacted] for 5 hours on either side of 7/03/2012 7:46:51

- 682 events including 77 with an exact match of the user agent above, yielding a Facebook ID [redacted], a Google PREF ID cookie [redacted], an Adnxs uuid2 cookie [redacted] and a Quantserve mc cookie [redacted]

- [Attached workbook: FFU Hit Selector [redacted] March 7, 2012. Mutant Broth query.xlsx]

Correlating Facebook cookie

(Same FFU hit as above.)

Open Source research indicates that the user of Facebook ID [redacted] is based in Dubai, United Arab Emirates.

Marina Profile Query on Facebook User Cookie [redacted] observed in the Mutant Broth query above

- Lots of events including registration email address [redacted]@gmail.com and Facebook name [redacted]

- [Attached workbook: FFU Hit Selector [redacted] March 7, 2012. Marina Profile Query on Facebook Id [redacted].xlsx]

Can we correlate any other selectors with this Facebook ID cookie?

- Mutant Broth Sub-Query on Facebook User Cookie [redacted] observed in the Mutant Broth query above

- 946 events with 893 matching exactly the user agent above

- [Attached workbook: FFU Hit Selector [redacted] March 7, 2012. Mutant Broth Sub-Query on Facebook ID [redacted].xlsx]
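The pivot chain on the three preceding slides (watchlist hit, then a query on the hit's IP for five hours either side with an exact user-agent match, then a sub-query on the Facebook cookie that surfaced), as an added example in Python. This is not CSE's code and not an interface to Mutant Broth or Marina; the event set, IP addresses (documentation ranges), file paths and cookie values are constructed. sendspace.com and the Firefox 9 user-agent string are the ones the slides quote; c_user (Facebook), PREF (Google) and uuid2 (AppNexus/adnxs) are the cookie names those services used at the time.

```python
"""Added example (not the document's code): watchlist filtering of HTTP
metadata and time-window correlation of a hit's IP with other selectors.

EVENTS, WATCHLIST paths, IPs and cookie values are constructed; the FFU host
and the Firefox user agent are taken from the slides."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class HttpEvent:
    ts: datetime       # request time (UTC)
    client_ip: str     # source address as seen at the collection point
    host: str
    path: str
    user_agent: str
    cookies: dict      # cookie name -> value; empty if none observed


# (host, path) -> document title. Paths are invented.
WATCHLIST = {
    ("sendspace.com", "/file/abc123"): "The Explosives Course",
    ("archive.org", "/download/almapl.mp4"): "German hostage video",
}
UA_FIREFOX = ("Mozilla/5.0 (Ubuntu; X11; Linux x86_64; rv:9.0.1) "
              "Gecko/20100101 Firefox/9.0.1")
UA_MSIE = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
T0 = datetime(2012, 3, 7, 7, 46, 51)
IP_A, IP_B, IP_C = "198.51.100.23", "203.0.113.9", "203.0.113.50"

# Constructed events: the hit, browsing from the same address (one of them a
# NAT neighbour with a different browser), a same-address event outside the
# window, an unrelated address, and the same Facebook cookie seen days later
# from a third address.
EVENTS = [
    HttpEvent(T0, IP_A, "sendspace.com", "/file/abc123", UA_FIREFOX, {}),
    HttpEvent(T0 + timedelta(hours=1), IP_A, "facebook.com", "/home.php",
              UA_FIREFOX, {"c_user": "100000123"}),
    HttpEvent(T0 - timedelta(hours=2), IP_A, "google.com", "/search",
              UA_FIREFOX, {"PREF": "ID=deadbeef"}),
    HttpEvent(T0 + timedelta(hours=3), IP_A, "example.net", "/",
              UA_MSIE, {"uuid2": "9876"}),
    HttpEvent(T0 + timedelta(hours=9), IP_A, "facebook.com", "/",
              UA_FIREFOX, {"c_user": "100000123"}),
    HttpEvent(T0, IP_B, "facebook.com", "/", UA_MSIE, {"c_user": "100000999"}),
    HttpEvent(T0 + timedelta(days=2), IP_C, "facebook.com", "/",
              UA_FIREFOX, {"c_user": "100000123"}),
]


def ffu_hits(events, watchlist=WATCHLIST):
    """Keep only events whose (host, path) is on the document watchlist."""
    return [(e, watchlist[(e.host, e.path)]) for e in events
            if (e.host, e.path) in watchlist]


def correlate(events, selector, value, user_agent, center=None, window_hours=5):
    """Events with selector(event) == value, optionally within +/- window_hours
    of `center`. Returns (all_matches, matches_with_identical_user_agent); the
    UA match is the only thing separating the hit's browser from other machines
    behind the same address."""
    matches = [e for e in events if selector(e) == value and
               (center is None or
                abs(e.ts - center) <= timedelta(hours=window_hours))]
    return matches, [e for e in matches if e.user_agent == user_agent]


def cookie_selectors(events, names=("c_user", "PREF", "uuid2")):
    """Tracking-cookie values seen across a set of events, keyed by name."""
    found = {}
    for e in events:
        for name in names:
            if name in e.cookies:
                found.setdefault(name, set()).add(e.cookies[name])
    return found


def analyse_hit(hit, events=EVENTS):
    """IP query (+/-5h, same UA) -> harvest cookies -> re-query on the
    Facebook cookie with no time window, as on the slides."""
    ip_all, ip_ua = correlate(events, lambda e: e.client_ip, hit.client_ip,
                              hit.user_agent, center=hit.ts)
    cookies = cookie_selectors(ip_ua)
    fb = next(iter(cookies.get("c_user", ())), None)
    fb_all, fb_ua = ([], [])
    if fb is not None:
        fb_all, fb_ua = correlate(events, lambda e: e.cookies.get("c_user"),
                                  fb, hit.user_agent)
    return {"ip_events": len(ip_all), "ip_ua_events": len(ip_ua),
            "cookies": cookies, "facebook_id": fb,
            "fb_events": len(fb_all), "fb_ua_events": len(fb_ua),
            "fb_ips": sorted({e.client_ip for e in fb_all})}


if __name__ == "__main__":
    for hit, title in ffu_hits(EVENTS):
        print(title, hit.client_ip, hit.ts, analyse_hit(hit))
```

Two things the sample makes visible that the slide's counts (77 of 682 events, then 893 of 946) only imply: the user-agent filter is what drops the NAT neighbour's uuid2 cookie, but an identical UA string is a weak discriminator on a shared address, so the IP query on its own never yields a persistent identity; it is the cookie pivot, with no time window, that follows the same person to a second address two days later.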

IP Correlation

[Screenshot of the ETL job "FFU Hits Analysis.kjb" with transformation "MUTANTBROTH TDIs.ktr". Step names recoverable from the diagram: Get rows from result; Multi-Threads; Cut justification to 150 chars; MUTANTBROTH; Filter Empty Result; MB Raw Results; Sort by Sequence; Group TDIs/User-Agents; Error Handling; Ignore Empty Result; Calc Confidence; MB TDIs; Sort by Confidence; Filter on User-Agent; Different U.-A.]

Result rows (ACTIVE_USER column redacted):

Document_Link | Document_Title/Description | EVENT_TIMESTAMP | ACTIVITY_DATE | Confidence_Number
archive.org/almapl.mp4 | German hostage video | Wed Mar 28 18:32:32 GMT 2012 | 2012-03-28T18:18:00Z | 1.0
archive.org/almapl.mp4 | German hostage video | Wed Mar 28 18:32:32 GMT 2012 | 2012-03-28T18:18:00Z | 1.0
archive.org/almapl.mp4 | German hostage video | Wed Mar 28 18:32:32 GMT 2012 | 2012-03-28T18:18:17Z | 1.0
archive.org/almapl.mp4 | German hostage video | Wed Mar 28 18:32:32 GMT 2012 | 2012-03-28T18:18:17Z | 1.0
archive.org/almapl.mp4 | German hostage video | Wed Mar 28 18:23:42 GMT 2012 | 2012-03-28T18:09:27Z | 0.5
archive.org/almapl.mp4 | German hostage video | Wed Mar 28 18:23:42 GMT 2012 | 2012-03-28T18:09:27Z | 0.5
archive.org/almapl.mp4 | German hostage video | Wed Mar 28 18:23:42 GMT 2012 | 2012-03-28T18:18:00Z | 0.5
archive.org/almapl.mp4 | German hostage video | Wed Mar 28 18:23:42 GMT 2012 | 2012-03-28T18:18:00Z | 0.5
archive.org/almapl.mp4 | German hostage video | Wed Mar 28 18:23:42 GMT 2012 | 2012-03-28T18:18:00Z | 0.5
archive.org/almapl.mp4 | German hostage video | Wed Mar 28 18:23:42 GMT 2012 | 2012-03-28T18:18:17Z | 0.5

Grouped user agents (truncated in the screenshot): Mozilla/4.0 (compatible; MSIE 6.0; Win... (2); ... (compatible; MSIE 8.0; Win... (5)

Automated analysis documentation

[XMind workbook "20120120000848 188.51.88.22 saudi arabia.xmind", showing the generated analysis mind map:]

FFU hit from selector [redacted] on 20120120000848000GMT geolocated to SA, accessing Inexhaustible weapons part 2 through FFU site GET /download/sela7_la_yndb_02/part24.mp4 HTTP/1.1 with HTTP user agent Mozilla/5.0 (SymbianOS/9.3; U; Series60/3.2 NokiaN79-1/11.049; Profile/MIDP-2.1 Configuration/CLDC-1.1) AppleWebKit/413 (KHTML, like Gecko) Safari/413

Can we correlate any other selectors with this IP address?

- Mutant Broth query on IP [redacted], 5 hours on either side of 20120120000848000GMT

- {_MUTANTBROTH_EVENT_COUNT_} events with only {_MUTANTBROTH_MATCHING_EVENT_COUNT_} matching exactly the user agent above.

- {_MARINA_ACTIVITY_EVENT_COUNT_} events with possible correlation {_MARINA_ACTIVITY_POSSIBLE_CORRELATIONS_}

What happens then?

Compare control and experimental groups to
show statistical differences

Analyse experimental group to determine
statistical power of the hypothesis

Assemble selectors across all hypotheses

Rank selectors according to the number and
power of the hypothesis behaviors they show

Deliver an ordered list of suspects to OCT

Personae


Scoreboard

Weighted hypothesis scores per persona. FFU is the first hypothesis column; the slide does not name the other three (H2 to H4 here). Personae are marked Known or New.

Persona | FFU | H2 | H3 | H4 | Total
Weights | 0.60 | 0.55 | 0.52 | 0.48 |
P1 | 4 | 2 | 0 | 4 | 5.42
P2 | 4 | 4 | 0 | 1 | 5.08
P3 | 4 | 1 | 0 | 4 | 4.87
P4 | 3 | 4 | 4 | 0 | 3.14
...

Totals are as printed on the slide: P1 to P3 equal the weighted sum of their counts, the P4 total does not (likely an OCR error in that row).
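The ranking step behind the scoreboard, as an added example in Python (not CSE's code). The weights and the P1 to P3 rows are the slide's; H2 to H4 are placeholder names for the unnamed hypotheses, which persona is "Known" is not legible on the slide (KNOWN below is an assumption), and the slides do not say how the control/experimental comparison turns into a weight, so weight_from_groups is this example's own lift-based mapping.

```python
"""Added example (not the document's code): the weighted hypothesis scoreboard.

WEIGHTS and the P1..P3 counts come from the slide. H2..H4 are placeholder
hypothesis names, KNOWN is assumed, and weight_from_groups is an assumed
way of deriving a weight from the control/experimental comparison."""

WEIGHTS = {"FFU": 0.60, "H2": 0.55, "H3": 0.52, "H4": 0.48}

# persona -> number of times each hypothesis behaviour was observed (slide)
PERSONAE = {
    "P1": {"FFU": 4, "H2": 2, "H3": 0, "H4": 4},
    "P2": {"FFU": 4, "H2": 4, "H3": 0, "H4": 1},
    "P3": {"FFU": 4, "H2": 1, "H3": 0, "H4": 4},
}
KNOWN = {"P1"}   # assumed: personae that are already known targets


def weight_from_groups(exp_hits, exp_n, ctrl_hits, ctrl_n):
    """Assumed weighting: lift of the behaviour's rate in the experimental
    (known-target) group over the control group, mapped into [0, 1).
    A behaviour no more common among targets than in the control scores 0."""
    exp_rate = exp_hits / exp_n
    ctrl_rate = max(ctrl_hits, 1) / ctrl_n   # floor at one control hit
    lift = exp_rate / ctrl_rate
    return 0.0 if lift <= 1 else 1 - 1 / lift


def total(counts, weights=WEIGHTS):
    """Weighted sum of behaviour counts; a hypothesis absent for a persona
    contributes 0 rather than raising an error."""
    return round(sum(w * counts.get(h, 0) for h, w in weights.items()), 2)


def rank(personae=PERSONAE, weights=WEIGHTS, known=KNOWN):
    """Ordered list of (persona, total, 'Known' | 'New'), highest total first:
    the 'ordered list of suspects' handed on for follow-up."""
    rows = [(p, total(c, weights), "Known" if p in known else "New")
            for p, c in personae.items()]
    return sorted(rows, key=lambda r: -r[1])


if __name__ == "__main__":
    for persona, score, status in rank():
        print(f"{persona}\t{score:.2f}\t{status}")
```

The totals reproduce the slide's 5.42, 5.08 and 4.87 from the printed weights and counts. Note that the score is additive in raw counts, so a persona that repeats one weak behaviour many times can outrank one that shows several strong behaviours once; if that is not wanted, cap each count before weighting.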

Successes

An HTTP-referred URL gave us a German hostage video from a previously unknown target.

An upload event gave us an [redacted]

AQIM's hostage strategy. The resulting report was disseminated widely, including by the CIA to their counterparts overseas.

The End

Team

[redacted] ([redacted]@cse-cst.gc.ca)

Tech Lead: [redacted] ([redacted]@cse-cst.gc.ca)

[redacted] ([redacted]@cse-cst.gc.ca)
