Title: TRANSGRESSION Overview for Pod58

Release Date: 2015-01-17

Document Date: 2010-02-07

Description: This 7 February 2010 NSA presentation outlines techniques to “discover, understand, evaluate, and exploit foreign CNE/CNA exploits”: see the Der Spiegel article The Digital Arms Race: NSA Preps America for Future Battle, 17 January 2015.

Document: TOPSECRET//COMINT//REL TO USA, FVEY

TRANSGRESSION Overview for Pod58

S31177
7 Feb 2010

DERIVED FROM: NSA/CSSM 1-52
DATED 08 JAN 2007
DECLASSIFY ON: 20320108


TRANSGRESSION Charter

Original:

Discover, understand, evaluate, and exploit foreign
CNE/CNA exploits, implants, command & control
and exfiltration.

Moving Forward:

Provide cryptanalytic exploitation support for
Network Defense (NTOC and IAD), 4th Party
SIGINT (S2, NTOC and TAO), and Cyber (TAO,
RATWHARF) missions.

Organizational Structure

PersistentTargets

CES

SAO

OTP

S3111 / S3112 / S3117

Emerging Threats

TRANSGRESSION

Personnel

- Branch Chief
- Team Lead/TD
- OTP CNE Co-Lead
- MAKERSMARK Lead

- BYZANTINE HADES Lead
- VOYEUR/Iran Lead

- Malware Lead

- Emerging Threats Lead
- MAKERSMARK, RDP Lead

1 CADP, 2 CMP (including DSD Integree), 1 RSE, 2 NIE, 2 STDP

Major Intrusion Set Efforts

MAKERSMARK

Enable WALKERBLACK/RED
exploitation/improve collection

CROWNROYAL, CROWNPRINCE,
SHEPHERD, Zebedee

BYZANTINE HADES

NetDef RDP exploitation

Trojan/beacon deobfuscation

MAVERICK CHURCH PPTP, POPROCKS

VOYEUR/GHOSTRECON

Victim Exfil

SSL Collection

NIGHTTRAIN

Decryption and processing of TAO exfil
and passive collect

SRE of malware

SHADOWDRAGON

RDP and password recovery

FAA password recovery

Major Intrusion Set Efforts (continued)

RECORDER

Processing and decryption of passive
collect

PLAIDDIANA/INCAADAM

Deobfuscation of passive collect

TWEEZERS

Processing and decryption of passive
collect

SNOWGLOBE

Processing and decryption of passive
collect

WIDOWKEY/SUPERDRAKE

Future processing and decryption

Numerous other watchlist intrusion sets

Many one-off customer requests: cyber cryptanalysis support


XKEYSCORE: A Critical TRANSGRESSION Tool

Over 50 daily workflows

SIGINT and POLARSTARKEY (NetDef)

Fingerprints and Microplugins
GUI Workflows and Webservice


XKS Webservice

xksql and xkproc
tfsql and tfproc


Victim -> LP -> TAO Op -> TUNINGFORK -> TRANSGRESSION -> SCISSORS -> PINWALE and Cloud


Where does our data come from?

XKEYSCORE
TUNINGFORK
TAO Direct
NTOC Internal
NTOC External

AFOSI/NCIS
FBI

Cyber Command


What Kinds of Data?

(What is the plaintext)
Command & Control

RDP, RAdmin (heavyweight)
many home-grown (lightweight)

File Transfer

Actor -> Victim (malware)

Victim -> Actor (exfil)

Email

Credentials


What Kinds of Encryption?

1 - “Commercial”

SSL/TLS

SSH

PGP

PPTP

RDP / RAdmin

What Kinds of Encryption?

2 - Other

Block Ciphers (DES, 3DES)

Stream Ciphers (RC4)

Masking

short or long, fixed or variable
Layered Encryption


Crypt Examples:
Layered Encryption

BYZANTINE FOOTHOLD

SSH

Mod DES

WIDOWKEY

Single Byte XOR
Fixed Key mask
3DES


Crypt Examples:
Setting Key

Fixed (ADJUTANT VENTURE)

From Message Header (RAPTOR ROLEX)

From Packet Headers (RAPTOR JOY/SAD)

(U//FOUO) Who to Contact?

Email:

Wiki:


Encodings

None (raw binary)
base64

Modified base64 (BYZANTINE RAPTOR)

A permutation of the 64 base64 characters

HTML Character encoding (ADJUTANT VENTURE)

e.g., 0x1278cd = ,xÍ'
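As an added example that is not part of the original slides, the following Python decoder peels the two layers named on this deck: a "modified base64" alphabet (a permutation of the 64 standard characters) on top of a single-byte XOR mask (the layering shown for WIDOWKEY). The custom alphabet, the XOR key 0x5A and the beacon text are constructed placeholders, not values taken from any of the named intrusion sets.

```python
import base64
import string

# Standard base64 alphabet, in the order RFC 4648 defines it.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
# Hypothetical custom alphabet: a permutation of the same 64 characters
# (constructed for this example, not an alphabet taken from the slides).
CUSTOM_ALPHABET = "zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA9876543210/+"

def custom_b64decode(data: str, alphabet: str) -> bytes:
    """Undo a permuted-alphabet base64: map each custom symbol back to the
    standard one, restore padding that home-grown encoders often drop,
    then hand the result to the normal decoder."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must be a permutation of 64 distinct characters")
    normalised = data.translate(str.maketrans(alphabet, STD_ALPHABET))
    normalised += "=" * (-len(normalised) % 4)
    return base64.b64decode(normalised, validate=True)

def xor_unmask(buf: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse, so this both masks and unmasks."""
    return bytes(b ^ key for b in buf)

def recover_xor_key(masked: bytes, known_prefix: bytes) -> int:
    """A single-byte XOR key leaks from any one known plaintext byte; the
    rest of the known prefix is used to confirm that one key fits."""
    if not known_prefix or len(masked) < len(known_prefix):
        raise ValueError("need a non-empty known prefix no longer than the data")
    key = masked[0] ^ known_prefix[0]
    if xor_unmask(masked[: len(known_prefix)], key) != known_prefix:
        raise ValueError("no single-byte XOR key explains the known prefix")
    return key

def decode_beacon(payload: str, alphabet: str, known_prefix: bytes) -> bytes:
    """Peel the layers in reverse order: custom base64 first, then the XOR mask."""
    masked = custom_b64decode(payload, alphabet)
    return xor_unmask(masked, recover_xor_key(masked, known_prefix))

def custom_b64encode(raw: bytes, alphabet: str) -> str:
    """Encoder used only to build the constructed sample below."""
    encoded = base64.b64encode(raw).decode("ascii").rstrip("=")
    return encoded.translate(str.maketrans(STD_ALPHABET, alphabet))

# Constructed sample beacon: a fictitious check-in masked with key 0x5A and
# encoded with the hypothetical alphabet, exactly as an analyst would see it.
SAMPLE_PLAINTEXT = b"HOST=WORKSTATION-7;USER=jdoe;CMD=idle"
SAMPLE_PAYLOAD = custom_b64encode(xor_unmask(SAMPLE_PLAINTEXT, 0x5A), CUSTOM_ALPHABET)
```

Calling `decode_beacon(SAMPLE_PAYLOAD, CUSTOM_ALPHABET, b"HOST=")` returns the check-in text; decoding the same payload with the standard alphabet yields different bytes, which is the whole point of the permuted alphabet.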
