Title: Profiling SSL and Attributing Private Networks

Release Date: 2014-12-28

Description: This undated GCHQ presentation introduces the FLYING PIG and HUSH PUPPY tools: see the Der Spiegel story Prying Eyes: Inside the NSA’s War on Internet Security, 28 December 2014.

Document: TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

PROFILING SSL AND ATTRIBUTING

PRIVATE NETWORKS

An introduction to FLYING PIG and HUSH PUPPY

ICTR - Network Exploitation
GCHQ

T R

Jv

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

NTORMATION 19 EXEMPT UNDER THE FREEDOM OF INFORMATICS)
REFER ANY FGIA QUERIES TO GCHQ □

□ RMATION LEGISLATION.

Contains Intellectual Property owned and/or managed by GCHQ.

The material may be disseminated throughout the recipient organisation, but GCHQ permission must be obtained for dissemination outside the organisation.

^GCHQ^

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

Outline

- Two separate prototypes - FLYING PIG and HUSH
PUPPY

- Both are cloud analytics which work on bulk unselected
data

- FLYING PIG is a knowledge base for investigating TLS/
SSL traffic

- HUSH PUPPY is a tool for attributing private network
traffic

T R

Jv

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

This information 19 exempt under the Freedom of iNFORMATiOf^c^DODjFoiAj^ANgjjAY^gF^rxFMP^iNorB^GTHFRjJKjNrnoMATiQN legislation.

REFER ANY FDIA QUERIES TO GCHQ

Contains Intellectual Property

The material may be disseminated throughout the recipient organisation, but GCHQ permission must be obtained FOR DIS 5 EM IN ATI ON OUTSIDE the ORGANISATION.

^FOlAMN^Aj^^XFMP^JNOE

WNE^NS^ANAGn^^CHT

^GCHQ^

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

FLYING PIG - TLS/SSL Background

- TLS/SSL (Transport Layer Security / Secure Sockets Layer)
provides encrypted communication over the internet

- Simple TLS/SSL handshake:

Client

Server

Client hello
Server hello
Certificate
¡rver hello done

Application data

TR

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

This information is exempt unoer the Freedom or informatii

REFER AMY FOIA QUERIES TO GCHQ □

MATION LEGISLATION.

Contains Intellectual Property owned and/or managed by BCHQ.

The material may be disseminated throughout the recipient organisation, but echo permission must be obtained for dissemination outside the ORGANISATION.

^GCHQ^

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

T R

JV

Motivations for FLYING PIG

More and more services used by GCHQ targets are moving to TLS/SSL to
increase user confidence, e.g. Hotmail, Yahoo, Gmail, etc.

Terrorists and cyber criminals are common users of TLS/SSL to hide their
comms (not necessarily using the big providers).

A TLS/SSL knowledge base could provide a means to extract as much
information from the unencrypted traffic as possible.

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

iiiiifaiajMii|iiiifeiig^^

MATION LEGISLATION.

This information is exempt uimoer the Freedom of information^ac

REFER ANY FOIA QUERIES TO GCHQ ON

Contains Intellectual Property owned and/or managed by GCHQ.

The material may be disseminated throughout the recipient organisation, but GCHQ permission must be obtained for dissemination outside the organisation.

^GCHQ^

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL



T R

JV

FLYING PIG implementation

Federated QFD approach

- Multiple separate cloud analytics, each of which produce a QFD (Query
Focussed Dataset).

- Analytics are run once a week, on approximately 20 billion events.

- A single query in the web interface results in calls to multiple QFDs,
which are returned to the user in separate panels.

- Results in:

(a) fast queries,

(b) easy-to-maintain modular code, and importantly

(c) easy to add future TLS/SSL QFDs.

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

N FORM ATI ON 19 EXEMPT UNDER THE FREEDOM OF iNFORMATIOl
REFER ANY FOIA QUERIES TO G C H Q □

°1

mm

¡QRMATION LEGISLATION.

Contains Intellectual Property owned and/or managed by BCHQ.

The MATERIAL MAY BE DISSEMINATED THROUGHOUT the RECIPIENT ORGANISATION. BUT ECHO PERMISSION MUST BE OBTAINED FOR Dl S 5 EM IN ATI ON OUTSIDE THE ORGANISATION.

^GCHQ^

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

Query by certificate metadata

FLYING PIG

TLS/SSL Knowledge Base

HRA Justification Query FLYING PIG - general SSL toolkit
Query FLYING PIG
IP / network / certificate field %mail.£jj
Query as: Q Client IP Q Server IP O Both
or: O Network [e.g. 1.2,3.0/24]

or: ® Server Certificate [e.g. %example.com (use %for wildcards)]
Run Query!

[Certificate field search: Qfrmail.rul
All HTTP requests matching your query ( ? [yj)

Query QUICK ANT - Tor events QFD

Server certificate fields to search within:

Subject common name 0
Subject organisation name Q
Issuer common name
Issuer organisation name
RSA modulus

Prototype owner:!

ft

1 - 5 of 500 items 10 1 25 1 50 1 100 1 2 5 6 7 ► M ♦
Server IP Host name First seen Last seen Count w/e 25th Nov Count all time
184,105 swa.mail.ru 2011-10-13 16:05:53,0 2011-11-25 21:11:59.0 6085663 42640739
184,104 swa.mail.ru 2011-10-13 17:29:18,0 2011-11-25 21:11:55.0 6073183 36825411
134.201 fc.ef.d4.cf.bd.al.top.mail.ru 2011-10-13 21:43:10,0 2011-11-25 21:10:49.0 4049743 19360920
135,13 top5.mail.ru 2011-10-14 20:00:00.0 2011-11-25 21:12:05.0 3006868 14168963
135,12 top3.mail.ru 2011-10-14 20:00:00,0 2011-11-25 21:10:48.0 2480950 12386999

All certificates matching your query ( ? ) 1 Server IPs(? 1
Tip 1: Right click on a row to find all server IPs that serve that certificate! I Tip 1: Right click on a server IP to I
Tip 2: Click on the disk icon in the title bar to download data in CSV format! explore it further!
Tip 3: Double-clidk on a field to enable copy and paste! 1 - 25 of 500 12 3 4
Tip 4: Change displayed columns ('Basic1 is default; 'Advanced' adds RSA Modulus and cipher suite distribution columns): Basic columns Advanced columns items 5 6 7_ ► M
Server IP Cert Cert
1 - 10 of 70 items 10 1 25 1 50 1 100 12 3 4 5 6 7 ► >i * count w/e 25th count all time
Full First seen Last seen Count Count all Valid from Valid to Subject common Subject Subject org Issuer common Issuer issuer org Self
Certificate w/e 25th time name country name name country name signe Nov
Nov f Explore this .server IP further!
308203CD308212011-09-22 13:17:32 2011-11-25 19:01:59 2952729 16638958 2011-01-31 00:00:00 2012-03-27 23:59:59 *.mail.ru ru lie mail.ru thawte ssl ca us thawte; inc. N 177.1 333592 1052618
191,213 330212 1388617
308203613082(2011-09-22 14:05:50 2011-11-25 18:58:32 249926 1085232 2010-01-21 00:00:00 2011-02-20 23:59:59 *. mail.ru ru lie mail.ru thawte premium server ca z a thawte consulting cc N
184.16 308599 2496916
184,17 297282 2226133
308203D33082( 2011-10-07 2011-11-25 10059 30520 2011-09-25 2013-11-23 *. money, mail.ru ru lie mail.ru thawte ssl ca us thawte; inc. N
20:29:55 18:53:40 00:00:00 23:59:59 184,15 294437 2395012
308203513082(2011-09-23 2011-11-25 976 8517 2010-01-25 2012-01-27 mail.ru. is is mail.ru .is us equifax N 189,160 158414 659037
17:01:58 15:40:05 15:42:05 18:12:59 184.77 120533 560336
308202C83082( 2011-08-22 2011-09-06 0 1482 2011-03-04 2012-03-03 mail.ru-sib.ru us mail.ru-sib.ru us Y 184,74 113555 515169
08:14:21 06:15:36 □6:42:12 06:42:12 184,75 112574 538512
308204383082(2011-10-17 14:09:52 2011-11-25 18:50:10 22 1236 2011-05-27 00:00:00 2012-07-25 23:59:59 mail.ru-com.ru mail.ru-com.ru thawte dv ssl ca US thawte; inc. N 184,76 110325 690098
135,55 3779 6023
308203C43082(2011-10-08 00:05:24 2011-11-25 17:04:02 301 1150 2010-02-13 14:19:06 2012-11-08 14:19:06 mxl.shogo-mail.ru ru shogo shogo.ru ru shogo N
135,56 3740 7358
308204153082(2011-11-01 07:36:53 2011-11-25 14:26:29 246 693 2011-09-15 11:47:51 2012-09-14 11:47:51 limgs.mail.ru ru isp.cegedim .fr fr cegedim N 134,151 3564 8498
63.121 2532 4887
308202E43082(2011-10-14 2011-11-21 201 306 2011-10-05 2014-10-04 moder.foto.mail.ru ru mail.ru moder.foto.mail.ru ru mail.ru Y 136,43 2523 9226
18:20:34 05:13:34 08:07:34 08:07:34 134,98 2360 9165
308204153082(2011-10-31 2011-11-25 99 259 2011-09-15 2012-09-14 auth.mail.ru ru isp.cegedim .fr fr cegedim N 179,89 2227 7600
14:14:12 15:45:50 11:47:51 11:47:51 179,90 2051 7320

■ti TR ••

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

NFORMATION 19 EXEMPT UNDER THE FREEDOM OF INFOHMATlOf^____

refer any td u<

Contains Intellectual PROPER^^wNE^NO/SnANAOE^^CHg^^^^^^^^

The material may be disseminated throughout the recipient organisation, but GCHQ permission must be obtained for dissemination outside the organisation.

THI9 I

_OTHERUKINFORMATION LEGISLATION.

^GCHQ^

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

Query by server IP

FLYING PIG

TLS/SSL Knowledge: Base

HRA Justification Query FLYING PIG - general SSL toolkit Query QUICK ANT - Tor events QFD
Query FLYING PIG

IP / network / certificate fiel L8414

Query as: Q Client IP (§) Server IP Q Both
or: O Network [e.g. 1.2,3,0/24]

or: Q Server Certificate [e.g. %examp!e,com (use % for wildcards)]

Run Query!

Prototype owner*

Server IP-specific panels

General IP info ✓ SSL Server certificates seen on this IP0
Top 10 SSL client geos SSL Pattern of life 0
Top 10 SSL server ports HTTP requests to this IP
Top 10 SSL case notations Top 100 SSL clients
SSL Traffic stats

[Certificate field search: %mail.ru| Iserver I

■ 184.141 O

General IP info for server IP ,184.14__________________________________

Geolocation ( ? ): WHOIS info ( ? ):

Country: RU (M) Network: 76.0/20. Network type: No results.

City: MOSCOW (L) Company: Mail.Ru. Domain: mail.ru.

ASinfo(?): DNS ( ? ):

Advertised by AS: 47764. Found within network: No results

76.0/20.

AS name: MAILRU-AS Limited liability company Mail.Ru

Tor node ( ? ):

No matches

Top 10 SSL client geos ( ? )

Top 10 SSL server ports ( ? )

Top 10 SSL case notations C ? )

SSL Traffic stats ( ? ):

Overall

Paired (approximate)

o

-------tr

For week ending 2011-12-23:

No. unique clients - 104317.

% client-server IPs with traffic seen in both directions = 14.7AV

200,000 -I

Unique clients with client-server ^Jumque clients with server-client Unique clients with
traffic only traffic only bidirectional traffic

SSL Certificates seen on this IP ( ? ) * 1

Tip 1: Right cliek on a certificate to explore it further!

1 - 3 of 3 items

10 I 25 I 50 I 100

First seen on this IP

2011-09-22 13:31:06
2011-06-08 12:23:45
2011-11-16 14:13:03

Last seen on this IP

2011-11-25 19:01:47
2011-11-25 07:50:07
2011-11-16 14:13:03

Count w/e 25th
Nov

357643

1441

0

Count all time

2359179

1447304

1

Valid from

2011-01-31 00:00:00
2011-01-31 00:00:00
2011-08-05 18:34:19

Valid to

2012-03-27 23:59:59
2012-03-27 23:59:59
2014-08-05 18:34:19

Subject common name

*.mail.ru
*. mail.ru
vkontakte.ru

Issuer common name

thawte ssl ca
thawte ssl ca

go daddy secure certification authority

Average pattern of life for a client (seeded around SSL events to this server IP) ( ? ) HTTP requests to this IP (top 100) ( ? )
Tip 1: Filter by min. % occurrences of event:£^t 1 ,, Apply filtering Tip 1: Right click on a server IP to explore it as an SSL server!
1 - B Df 233 items 10 1 25 1 50 1 100 1 2 3 4 5 6 7 ► M ♦ 1 - 10 of 226 items 10 1 25 1 5D 1 100 12 3 4 5 6 7 ► H *
Correlated event Event IP Event port Percentage occurrences of event Server IP Host name requested First seen Last seen Count last week Count all time
L84.14 e,mail.ru 2011-10-14 2011-11-25 1989215 13992636
GET requesttotop3.mail.ru 135.12 80 28.1 L84.14 rn.mail.ru 2011-10-14 2011-11-25 89268 664189
GET request to top5.mail.ru L35.13 80 15.1 L84.14 184,14 2011-10-14 2011-11-25 17426 108536
GET request to d0.cl.bf.al.top.mail.ru L34.253 80 14.2 L84.14 auth.mail.ru 2011-10-14 2011-11-25 11738 70020
GFT renuesttn mv.mail.ru IR4.40 flfl 13.2 IQJ. U fcal mail ri i onn.i n_i a omi.11 .os PQQi fissin

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

00! ti TR ••

r' j

N FORM ATI ON 19 EXEMPT UNDER THE FREEDOM OF iNFORMATIOl
REFER ANY FDIA QUERIES TO GCHQ □

Contains Intellectual Pi

INFORMATION LEGISLATION.

The material may be disseminated throughout the recipient organisation, but GCHQ permission must be obtained for dissemination outside the ORGANISATION.

0

^GCHQ^

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

Query by server IP

FLYING PIG

TLS/SSL Knowledge Base

HRA Justification Query FLYING PIG - general SSL toolkit Query QUICK ANT - Tor events QFD
Query FLYING PIG

IP / network / certificate fiel L84.14

Query as: (§> Client IP Q Server IP O Both
or: O Network [e.g, 1.2.3.0/24]

or: O Server Certificate [e.g. %example.com (use %for wildcards)]

Run Query!

Prototype owner:l

General IP info
Top 10 SSL client geos
Top 10 SSL server ports
Top 10 SSL case notations
SSL Traffic stats

Server IP-specific panels

•L SSL Server certificates seen on this IP 0
0 SSL Pattern of life 0

0 HTTP requests to this IP 0

0 Top 100 SSL clients 0

0

ICertificate field search: %mail.ru| IServer I Gbl request to tops,mail.ru .184.141 135.12 8U 28.1 184.14 rn.mail.ru 2011-10-14 2011-11-25 89268 664189
GET request to tops,mail,ru 135.13 80 15.1 184.14 94.100.184.14 2011-10-14 2011-11-25 17426 108536
GET request to d0.cl.bf.al.top.mail.ru 134.253 80 14.2 184.14 auth.mail.ru 2011-10-14 2011-11-25 11738 70020
GET request to my.mail.ru 184,40 80 13.2 184.14 tel,mail.ru 2011-10-14 2011-11-25 8994 65540
GET request to my.mail.ru 184.41 80 12.9 184.14 e. 2011-10-15 2011-11-25 307 616
GET request to stat.my.mail.ru 184.40 80 10.8 184.14 e.mai 2011-10-14 2011-11-25 155 1101
GET request to stat.my.mail.ru 184.41 80 10.5 184.14 email. 2011-10-14 2011-11-25 119 705
GET request to mhmrakerl.mail.ru 189.183 80 10.4 184.14 mail.ru 2011-10-24 2011-11-23 110 367
184.14 e.m 2011-10-15 2011-11-25 107 400

0

Top 100 SSL clients of serve

L84.14 ( ? )

Tip 1: Filter by country of client IP (e.g. enter nothing to avoid filtering or PK.IRJQ to filter by multiple countries): GB,US,CAjNZ,AU
OOnly show clients in these countries • Remove clients in these countries
\s Remove clients that also act as servers
Number of results returned: 100
Filter! RESET

Tip 2: Right click on a client or server IP to explore it further !

1 - 20 of 100 items

Client IP

10 1 25 1 50 1 1DD 1 2 3 4 5 ► h
Client country (conf) Client company First seen Last seen Count w/e 25th Nov Count all time Pairing status w/e 25th Nov Pairing status all time
ES(V) Telefonica_de_Espana_SAU ; rima-tde .net 2011-10-16 2011-11-19 1415 50136 Server -> Client only Both directions
E5(H) R_Cable_y_Telecomunicaciones_Galicia_5.A.; mundo-r,2011-10-24 2011-11-25 424 726 Client -> Server only Client -> Server only
DE(V) Bertelsmann_2I_GmbH; media ways.net 2011-11-23 2011-11-23 417 417 Server -> Client only Server -> Client only
NO(V) Telenor_Nextel_AS;telenor.net 2011-11-21 2011-11-24 403 403 Server -> Client only Server -> Client only
IE (VO Vodafone_I5P; UNKNOWN 2011-11-23 2011-11-23 330 330 Both directions Both directions
DE(V) Bertelsmann_21_GmbH; media ways, net 2011-11-23 2011-11-23 329 329 Server -> Client only Server -> Client only
KR(M) Korea T e lecoÉ “2 " ~T "“T-““-! 2011-09-04 2011-11-25 1325 12266 Both directions Both directions
-(-) 2011-11-18 2011-11-18 296 296 Both directions Both directions
ec(h) Ecuadortelecom_S A.; ecutel.net.ec 2011-11-10 2011-11-25 290 291 Both directions Both directions
IE(V> Vodafone_I5P; UNKNOWN 2011-11-20 2011-11-20 196 196 Both directions Both directions
MY(H) TMNETjholdm.net 2011-09-03 2011-11-24 189 383 Both directions Both directions
KR(M) QRlXNETj UNKNOWN 2011-10-20 2011-11-25 181 198 Both directions Both directions
MY(H) C O RE_I P_D EVE LO P M E NT ; dancom, com .my 2011-11-19 2011-11-25 179 179 Both directions Both directions
IR(V) Static-Pool-TP3jpol.ir 2011-11-21 2011-11-21 177 177 Client -> Server only Client -> Server only
1E(V) U7V_PLC; utvinternet.net 2011-11-19 2011-11-20 167 167 Both directions Both directions
KR(M) KRNICjktcu.or.kr 2011-09-03 2011-11-25 150 1007 Both directions Both directions
BP.(K) CDmite_Gestor_da_Internet_no_Brasiljampernet.com 2011-11-23 2011-11-25 145 145 Server -> Client only Server -> Client only
KR(H) Korea_Telecomjpostman.co,kr 2011-10-16 2011-11-25 143 161 Both directions Both directions
KR(H) Korea_Telecomjkornet.net 2011-10-24 2011-11-24 138 583 Both directions Both directions
IE(V) Vodafone_ISP; UNKNOWN 2011-11-18 2011-11-18 137 158 Client -> Server only Both directions

00! ti TR

r' j

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

NFORMATION 19 EXEMPT LINDER THE FREEDOM OF INFORMATION__

any T□ gchq u

Contains Intellectual

The material may be disseminated throughout the recipient organisation, but GCHQ permission must be obtained for dissemination outside the organisation.

This i

iOTHEPUKINFQRMATION LEGISLATION.

^GCHQ^

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

Query by client IP

FLYING PIG

TLS/SSL Knowledge Base

HPA Justification Query FLYING PIG - general SSL toolkit
Query FLYING PIG

IP / network / certificate field ,127

Query as: (•) Client IP Q Server IP Q Both
or: O Network [e.g. 1.2,3.0/24]

or: O Server Certificate [e.g. %example.com (use % for wildcards)]
Run Query!

ICertificate field search: %mail.ru| IServer IP~

Query QUICK ANT - Tor events QFD

Client IP-specific panels

General IP info 0

SSL Servers visited

Prototype owner*

184.141 Client IP:

.127

General IP info for client IP

.127

Geolocation ( ? ): WHOIS info ( ? ):

Country: KR (M) Network: Network type; No results.

City; SEOUL (L) Company: Korea Telecom. Domain: groupon.kr.

AS info ( ? ):

Advertised by AS: 4766. Found within network:
AS name: KIXS-AS-KR Korea Telecom.

DNS ( ? ):
.0.0/13. No results

Tor node ( ? ):

. 127 ( : ):

Top 100 SSL servers visited by

Tip 1: Filter by country of server IP (e.g. enter PK to filter by Pakistan only or PK,IR,IQ to filter by multiple countries):
Tip 2: Right click on a client or server IP to explore it further!

1 - 8 of 8 items 10 I 25 I 50 I 100

Client IP

Only show servers in these countries Remove servers in these countries RESET

Server IP Server country (conf ) Server company info (from GEOFUSION export) First seen Last seen Count w/e 25th Nov Count all time Pairing status w/e 25th Nov Pairing status all time
.127 184.14 RU(M) Mail.Ru; mail.ru 04-09-11 02:23:55 25-11-11 13:47:52 325 2266 Both directions Both directions
.127 184.17 RU(M) Mail.Ru; mail.ru 04-09-11 02:13:48 25-11-11 13:23:36 299 2207 Both directions Both directions
.127 184,16 RU(M) Mail.Ru; mail.ru 03-09-11 05:18:48 25-11-11 10:15:23 269 2240 Both directions Both directions
.127 184.15 RU(M) Mail.Ru;mail.ru 03-09-11 03:20:27 25-11-11 11:49:27 213 2354 Both directions
.127 213.87 NL(L) Explore this server IP further! 09-10-11 05:07:48 06-11-11 22:38:50 0 8 No traffic w/e 25th Nov Server -> Client only
.127 181.127 RU(M) Mail.Ru;mail.ru 16-10-11 19:05:16 13-11-11 21:31:31 0 13 No traffic w/e 25th Nov Client -> Server only
.127 191,213 RU(M) Mail .Rujmail.ru 24-10-11 17:53:21 24-10-11 17:53:21 0 1 No traffic w/e 25th Nov Client -> Server only

OOlti TR ••

r- j

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

This information is exempt unoer the Freedom of information Act 2QQQ IFQIA) and may be exempt under other UK information legislation.

REFER ANY QUERIES TO □

Contains Intellectual

The MATERIAL MAY BE DISSEMINATED THROUGHOUT the RECIPIENT ORGANISATION. BUT GCHQ PERMISSION MUST BE OBTAINED FOR DISSEMINATION OUTSIDE THE ORGANISATION.

^GCHQ^

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

Query by network range

FLYING PIG

TLS/SSL Knowledge Base

HRA Justification Query FLYING PIG - general SSL toolkit
Query FLYING PIG

Query QUICK ANT - Tor events QFD

Prototype owner:!

.0/24

IP / network / certificate field
Query as: O Client IP Q Server IP O Both
or: (§t Network [e.g, 1.2.3.0/24]

or: O Server Certificate [e.g. %example.com (use % for wildcards)]
Run Query!

[Certificate field search: %mail.ru| [Server IP~

Network-specific panels

General network info 0

SSL Clients present in network 0

SSL Servers present in network 0

HTTP requests to IPs in network 0

184.14] Q IClient IP:

.1271 Network:

.0/241

General network info for

.0/24

Geolocation ( ? ): WHOIS info ( ? ):

Country: KR (M) Network: No results. Network type: No results.

City: SEOUL (L) Company: No results. Domain: No results.

AS info ( ? ):

Advertised by AS: No results, Found within network: No results.
AS name: No results.

DNS ( ? ):

No results

.0/24: ( , ):

SSL clients in network

Tip 1: Right click on a client IP to explore it further!

1 - 20 of 57 items

Client IP Client company info (from GEOFUSION export)

Korea_Telecom;mailplug.co.kr
Korea_Telecom; mail plug. co. kr

10 I 25 I 50 I 100

Korea_TelecorrT

Explore this client IP further!

marlplug

mailplug

mailplug

mailplug

mailplug

mailplug

mailplug

mailplug

mailplug

mailplug

mailplug

mailplug

mailplug

mailplug

mailplug

mailplug

co.kr

co.kr

co.kr

.co.kr

co.kr

co.kr

.co.kr

co.kr

co.kr

.co.kr

co.kr

co.kr

.co.kr

co.kr

co.kr

co.kr

First seen Last seen Total SSL traffic w/e 25th Nov Total SSL traffic all time Num. unique servers contacted w/e 25th Nov Num. unique servers contacted all time
2011-09-04 2011-09-04 0 1 0 1
2011-10-26 2011-11-23 1 7 1 3
2011-10-22 2011-10-22 WKKKÊÊÊÊÊÊÊÊÊM KBHHHHHHHH KHHHHMMHHi
2011-11-16 2011-11-18 1 2 i 2
2011-11-19 2011-11-22 7 7 i 1
2011-10-14 2011-11-16 0 21 0 5
2011-10-24 2011-10-26 0 2 0 2
2011-10-21 2011-10-21 0 1 0 1
2011-11-09 2011-11-11 0 3 0 2
2011-09-09 2011-09-09 0 1 0 1
2011-10-12 2011-10-12 0 1 0 1
2011-10-08 2011-10-31 0 18 0 5
2011-10-14 2011-11-07 0 14 0 1
2011-11-15 2011-11-15 0 2 0 1
2011-11-18 2011-11-18 1 1 1 1
2011-11-12 2011-11-12 0 1 0 1
2011-11-04 2011-11-04 0 2 0 1
2011-10-25 2011-11-21 3 12 2 5
2011-09-05 2011-09-05 0 1 0 1
2011-11-03 2011-11-03 0 1 0 1

All SSL servers in network

■0/24: (? )

HTTP requests to IPs in network

.0/24 (top 100) (? )

Tip 1: Right click on a server IP to explore it further!

1 - 3 of 3 items

10 I 25 I 50 I 100

Tip 1: Right dick on a server IP to explore it as an SSL server!

1 -1 of 1 items xo I 25 I 5 I loo

Server company info (from
GEOFUSION export)

.18 Korea_Telecom;mailplug.co.kr
.205 test

Last week
seen:

2011-11-11

2011-12-09

Paired
clients that
week

0.0

0.0

Num.
unique
clients that
week

1....

1

Num.
unique
clients all
time

"l....

1

Server IP Host name requested

.40..liliiiiii .40

First seen Last seen Count last Count all time
week

2011-10-30 2011-10-30 0 5

OOlti TR ••

r- j

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

tPT UNDE

Wf

THIS IN FDR MAT! ON IS EXEMPT UNDER THE FREEDOM OF INFORMATION ACT 2000 IFOIAI AND MAY BE EXEMPT UNDER OTHER UK INFORMATION LEGISLATION.
REFER ANY FOIA QUERIES TO GCHQ ON

Contains Intellectual Property owned and/or managed by l
The material may be disseminated throughout the recipient organisation, but GCHQ permission must be obtained for dissemination outside the ORGANISATION,

^GCHQ^

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

Cyber applications

How the attack was done:

• Diginotar certificate
authority compromise:

- Private keys of legitimate certificate
authority, Diginotar, stolen by
hacker.

- FLYING PIG was used to identify a
FIS using them to launch a MITM
against their own citizens.

FLYING PIG screenshot showing fake certificate:

30B2043030820392011-09-16 20:54:29 2011-10-20 17:14:05 0 3154 2011-09-05 06:05:49 2012-09-D5 06:15:49 * google, com US google inc zscaler US www.zscaler.comY
3082052A30S2049 2011-10-11 16:56:45 2011-11-25 15:41:29 5 1214 2011-09-20 06:07:12 2012-09-20 06:17:12 'google.com google internet authority N
30B20452308203B2011-11-11 02:30:27 2011-11-25 06:20:50 26 572 2011-11-02 21:08:36 2012-11-02 21:18:36 'google.com US google inc zscaler US www.2scaler.c0mY
303202DA30820242011-11-01 01:23:06 2011-11-25 17:48:58 71 547 2010-09-02 07:56:28 2011-09-02 08:06:28 *,google.com US google inc sfibluecoat.sficorp.com US is N
30B204303082039 2011-08-25 13:03:12 2011-10-13 07:51:24 0 467 2011-08-12 03:49:02 2012-08-12 03:59:02 *, google.com US google inc zscaler US www.zscaler.comY
30B2052830S2041Í2011-08-19 121:04:42 12011-08-26 ¡19:51:50 ;o 441 12011-07-10 ¡19:06:30 12013-07-09 ¡19:06:30 'google.com US google inc diginotar public ca 2D25 I’ll ¡diginotar N
30B204AA30320392011-11-08 09:35:22 2011-11-25 15:00:37 173 440 2011-09-20 06:07:12 2012-09-20 06:17:12 'google.com US google inc lore alinternetb rowsing fr loreal N
30320464308203C2011-11-17 2011-11-25 436 433 2011-11-10 2012-11-10 'google.com US google inc zscaler us www.zscaler.comY

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

T R

J



MATION LEGISLATION.

This information is exempt unoer the Freedom of information^ac

REFER ANY F □ IA QUERIES TO GCHQ On

Contains Intellectual ■

The material may be disseminated throughout the recipient organisation, but GCHQ permission must be obtained for dissemination outside the organisation.

^GCHQ^

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

Cyber applications

• Other Cyber applications:

- Multiple examples of FIS data exfiltration using SSL have been found using
FLYING PIG.

- In particular, certificates related to LEGION JADE, LEGION RUBY, and
MAKERSMARK activity were found on FLYING PIG using known signatures

- These were then used to find previously unknown servers involved in
exfiltration from US companies.

- FLYING PIG has also been used to identify events involving a mail server used
by Russian Intelligence.

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

TR

N FORM ATI ON 19 EXEMPT UNDER THE FREEDOM OF iNFORMATIOl
REFER ANY FOIA QUERIES TO GCHQ □

°1

¡RMATION LEGISLATION.

Contains Intellectual Property owned and/or managed by BCHQ.

E MATERIAL MAY BE DISSEMINATED THROUGHOUT THE RECIPIENT ORGANISATION. BUT GCHQ PERMISSION MUST BE OBTAINED FOP DISSEMINATION OUTSIDE THE ORGANISATION.

^GCHQ^

Thi

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

Identification of malicious TLS/SSL

• Can identify malicious TLS/SSL using signatures if known

• However this approach generally does not allow discovery of new threats

• Alternative is to use “behavioural” features to automatically identify potentially
malicious traffic

• Features currently being investigated include:

- Certificates with same subject but different issuers - may be indicative of
Diginotar-style attack

- Beaconing in TLS/SSL (indicative of botnets/FIS implants)

- Number of client cipher suites offered

- Repeated identical random challenges

T R

Jv

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

NTORMATION IS EXEMPT UNDER THE FREEDOM OF iNFORMATIfl
REFER AMY FDIA QUERIES TO GCHQ □

Contains Intellectual Propei

The material may be disseminated throughout the recipient organisation, but GCHQ permission must be obtained for dissemination outside the organisation.

/NE^iN?n^ANABE^^cH^^

umflMATION LEGISLATION,

^GCHQ^

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

HUSH PUPPY - motivation

• Much private network traffic seen but previously discarded

• If traffic could be attributed, potential high value - close access

• HUSH PUPPY is a bulk private network identification Cloud analytic

• Basic idea is to look for the same TDI being seen coming from a
private address and then from a public address within a short time

• The private traffic can then be attributed to the owner of the public
address

• Works for SSE & COMSAT

T R

Jv

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

N FORM ATI ON 19 EXEMPT UNDER THE FREEDOM OF iNFORMATIOl
REFER ANY FOIA QUERIES TO GCHQ □

°1

JPMATION LEGISLATION.

Contains Intellectual Property owned and/or managed by BCHQ.

The MATERIAL MAY BE DISSEMINATED THROUGHOUT THE RECIPIENT ORGANISATION. BUT GCHQ PERMISSION MUST BE OBTAINED FOR DIS 5 EM IN ATI ON OUTSIDE THE ORGAN! S ATIDN.

^GCHQ^

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

HUSH PUPPY-example

S \
□ □ □ □

NAT or
proxy

^ Oplti TR ••
/v

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

CTLIAL PHnPEHT^WNE^ND,O^ANAQ?^^Cn^

This information is exempt under the Freedom of iNFORMATiON_AÇT_2D2ËJ£âlàl^îiË11tiil1SL£ÂLÏÏ£Lli⣣L£IiiLS-ü£-lii£2£MAT|oN legislation.

REFER ANY FOI A QUERIES TO GCh

Contains Intellectual f

The MATERIAL MAY BE DISSEMINATED THROUGHOUT THE RECIPIENT ORGANISATION, BUT GCHQ PERMISSION MUST BE OBTAINED FOR DIS 5 EM IN ATI ON outside the organisation.

^GCHQ^

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

Other HUSH PUPPY datasets

• HUSH PUPPY also makes use of Yahoo T-cookies to do correlations

• A T-cookie contains the IP address of the client as Yahoo sees it

• Hence a T cookie coming from a private IP can give the public IP of the
NAT or proxy

• In addition, HUSH PUPPY uses the following data to help verify results

• Kerberos & Lotus Notes: Domains, organisations, departments, countries,
machine names, user names

• HTTP: Heuristic detection of Intranet web servers

• SSL: Issuers, subjects, countries

• SMTP: From & to domains

T R

Jv

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

This information 19 exempt uimoer the Freedom of information Act 2QQQ IFOIA) and may be exempt under other UK information legislation.

REFER ANY FOIA QUERIES TO G C H Q ON

Contains Intellectual ■

-üiPiiiHiHfmifiiPüip

The MATERIAL MAY BE DISSEMINATED THROUGHOUT the RECIPIENT ORGANISATION, BUT GCHQ PERMISSION MUST BE OBTAINED FOR DIS 5 EM IN ATI ON OUTSIDE THE ORGANISATION,

^GCHQ^

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

Results - what do we find?

• Foreign government networks

• Airlines

• Energy companies

• Financial organisations

• In cases of good collection, 50-80% of collected private network
traffic has been attributed

• Some false positives can arise if few events correlated, due to factors
such as TDIs not being completely unique and public internet proxies
giving misleading public IP results

• Results can frequently be verified using Kerberos etc data

T R

Jv

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

NTORMATION 19 EXEMPT UNDER THE FREEDOM OF INFORMATION
REFER ANY FDIA QUERIES TO GCHQ ON

LEGISLATION.

Contains Intellectual Property owned and/or managed by BCHQ.

The material may be disseminated throughout the recipient organisation, but GCHQ permission must be obtained for dissemination outside the organisation.

^GCHQ^

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

Examples of operational successes

• A large private network related to the Afghan government was
identified, with -800,000 events correlated.

• Examination of the case notations suggested it belonged to the
Afghan MOD

- A Kerberos domain mod.local

- HTTP servers *.mod.local & mail

- SSL certificates with the subject “Ministry of Defense” and the geo “AF”

• Results confirmed by analysis of content on XKEYSCORE

• A VSAT private network belonging to a Ministry of Foreign Affairs
was identified

• NOSEY PARKER events were correlated with SSE

TR

Jv

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

gtual Property owned and'or managed by GCHg.

WfORMATIQN LEGISLATION .

This information is exempt unoer the Freedom of iimformatht^^^^^j^^

REFER ANY FOIA QUERIES TO GCh

Contains Intellectual ■

The material may be disseminated throughout the recipient organisation, but GCHQ permission must be obtained FOR DI55EMINATIDN OUTSIDE THE ORGANISATION.

^GCHQ^

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

Contacts

FLYING PIG -

HUSH PUPPY

T R. n “'00
Jv

TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

This in fq r nation is exempt unoer the Freedom of information Act 2QQQ IFOIA) and may be exempt under other UK information legislation,

REFER ANY QUERIES TO □ N

Contains Intellectual Property owned and/or managed by BCHQ.

The material may be disseminated throughout the recipient organisation, but BCHQ permission must be obtained for dissemination outside the organisation.

^GCHQ^

e-Highlighter

Click to send permalink to address bar, or right-click to copy permalink.

Un-highlight all Un-highlight selectionu Highlight selectionh