Title: TRANSGRESSION Overview for Pod58
Release Date: 2015-01-17
Document Date: 2010-02-07
Description: This 7 February 2010 NSA presentation outlines techniques to “discover, understand, evaluate, and exploit foreign CNE/CNA exploits”: see the Der Spiegel article The Digital Arms Race: NSA Preps America for Future Battle, 17 January 2015.
Document: TOP SECRET//COMINT//REL TO USA, FVEY
TRANSGRESSION Overview for Pod58
S31177
7 Feb 2010
DERIVED FROM: NSA/CSSM 1-52
DATED 08 JAN 2007
DECLASSIFY ON: 20320108
TRANSGRESSION Charter
Original:
Discover, understand, evaluate, and exploit foreign CNE/CNA exploits, implants, command & control and exfiltration.
Moving Forward:
Provide cryptanalytic exploitation support for Network Defense (NTOC and IAD), 4th Party SIGINT (S2, NTOC and TAO), and Cyber (TAO, RATWHARF) missions.
Organizational Structure (org chart)
CES
Persistent Targets / SAO / OTP / Emerging Threats
S31111S3112 1S3117
TRANSGRESSION
Personnel
- Branch Chief
- Team Lead/TD
- OTP CNE Co-Lead
- MAKERSMARK Lead
- BYZANTINE HADES Lead
- VOYEUR/Iran Lead
- Malware Lead
- Emerging Threats Lead
- MAKERSMARK, RDP Lead
1 CADP, 2 CMP (including DSD Integree), 1 RSE, 2 NIE, 2 STDP
Major Intrusion Set Efforts
MAKERSMARK
Enable WALKERBLACK/RED exploitation/improve collection
CROWNROYAL, CROWNPRINCE, SHEPHERD, Zebedee
BYZANTINE HADES
NetDef RDP exploitation
Trojan/beacon deobfuscation
MAVERICK CHURCH PPTP, POPROCKS
VOYEUR/GHOSTRECON
Victim Exfil
SSL Collection
NIGHTTRAIN
Decryption and processing of TAO exfil and passive collect
SRE of malware
SHADOWDRAGON
RDP and password recovery
FAA password recovery
Major Intrusion Set Efforts (continued)
RECORDER
Processing and decryption of passive collect
PLAIDDIANA/INCAADAM
Deobfuscation of passive collect
TWEEZERS
Processing and decryption of passive collect
SNOWGLOBE
Processing and decryption of passive collect
WIDOWKEY/SUPERDRAKE
Future processing and decryption
Numerous other watchlist intrusion sets
Many one off customer requests - cyber
cryptanalysis support
XKEYSCORE:
A Critical TRANSGRESSION Tool
Over 50 daily workflows
SIGINT and POLARSTARKEY (NetDef)
Fingerprints and Microplugins
GUI Workflows and Webservice
XKS Webservice
xksql and xkproc
tfsql and tfproc
Data flow (diagram): Victim -> LP -> TAO Op -> TUNINGFORK -> TRANSGRESSION -> SCISSORS -> PINWALE and Cloud
Where does our data come from?
XKEYSCORE
TUNINGFORK
TAO Direct
NTOC Internal
NTOC External
AFOSI/NCIS
FBI
Cyber Command
What Kinds of Data? (What is the plaintext)
Command & Control
RDP, RAdmin (heavyweight)
many home-grown (lightweight)
File Transfer
Actor -> Victim (malware)
Victim -> Actor (exfil)
Email
Credentials
What Kinds of Encryption?
1 - “Commercial”
SSL/TLS
SSH
PGP
PPTP
RDP / RAdmin
What Kinds of Encryption?
2 - Other
Block Ciphers (DES, 3DES)
Stream Ciphers (RC4)
Masking
short or long, fixed or variable
Layered Encryption
Crypt Examples: Layered Encryption
BYZANTINE FOOTHOLD: SSH, Mod DES
WIDOWKEY: Single Byte XOR, Fixed Key mask, 3DES
Crypt Examples: Setting Key
Fixed (ADJUTANT VENTURE)
From Message Header (RAPTOR ROLEX)
From Packet Headers (RAPTOR JOY/SAD)
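The masking schemes the deck lists under "Other" encryption and "Setting Key" (single-byte XOR, a fixed multi-byte mask, a key taken from the message header) are straightforward to strip once the key is recovered; the slides do not show how, so the following is an added, runnable illustration and not code from the presentation or from any of the named intrusion sets. The key bytes, the header-keyed message layout, the beacon text and the file contents are all constructed for the example; only the recovery techniques (crib-derived key stream and its period, per-position byte frequency) are the point.

```python
"""Stripping fixed XOR masks from a home-grown C2 / exfil stream.

Added example, not from the slides: a constructed "lightweight" protocol of the
kind the deck calls masking.  It covers a hard-coded single-byte or multi-byte
mask (recovered with a crib, or from byte frequency when no crib exists) and a
mask carried in the message header.  Key bytes, message layout and sample
traffic are all made up for illustration.
"""
from collections import Counter
from itertools import cycle
from typing import Optional


def xor_mask(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; its own inverse, so it both masks and unmasks."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def find_period(stream: bytes) -> Optional[int]:
    """Smallest p with stream[i] == stream[i+p] for every valid i, else None."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i + p] for i in range(len(stream) - p)):
            return p
    return None


def recover_mask_known_plaintext(ct: bytes, crib: bytes, offset: int = 0) -> Optional[bytes]:
    """Fixed mask, crib available (a file magic, a beacon's constant fields).
    XORing the crib against the ciphertext at its offset exposes a stretch of
    key stream; the period of that stretch is the mask length.  The crib must
    be at least twice the mask length, otherwise the period is ambiguous and
    None is returned.  Result is the mask aligned to message offset 0."""
    ks = xor_mask(ct[offset:offset + len(crib)], crib)
    p = find_period(ks)
    if p is None or len(ks) < 2 * p:
        return None
    return bytes(ks[(j - offset) % p] for j in range(p))


def recover_mask_by_frequency(ct: bytes, mask_len: int, expected: int = 0x00) -> bytes:
    """Fixed mask, no crib.  When the plaintext's dominant byte is known
    (0x00 in executables and padded records, 0x20 in text), the most frequent
    ciphertext byte at each key position XOR that byte is the key byte.
    mask_len=1 is the single-byte XOR case."""
    return bytes(Counter(ct[i::mask_len]).most_common(1)[0][0] ^ expected
                 for i in range(mask_len))


# Constructed "key from message header" layout: one length byte, the mask
# itself, then the masked body.  Not a real intrusion set's format.
def encrypt_header_keyed(body: bytes, key: bytes) -> bytes:
    if not 1 <= len(key) <= 255:
        raise ValueError("mask length must fit in one byte")
    return bytes([len(key)]) + key + xor_mask(body, key)


def decrypt_header_keyed(msg: bytes) -> bytes:
    n = msg[0]
    if n == 0 or len(msg) < 1 + n:
        raise ValueError("truncated header-keyed message")
    return xor_mask(msg[1 + n:], msg[1:1 + n])


# Constructed samples (not real traffic).
FIXED_KEY = bytes.fromhex("3a9c51e7086df2")                  # 7-byte fixed mask
BEACON = b"CHECKIN v2.1 host=WKSTN-01 user=admin os=win7 uptime=3612\n"
BINARY = (b"MZ\x90\x00" + bytes(range(1, 61)) + b"\x00" * 200
          + b"This program cannot be run in DOS mode.\r\n")


def demo() -> dict:
    """Run the recoveries against the constructed samples."""
    beacon_ct = xor_mask(BEACON, FIXED_KEY)
    binary_ct = xor_mask(BINARY, FIXED_KEY)
    return {
        # crib: first 16 bytes of the beacon format, known from victim forensics
        "crib_mask": recover_mask_known_plaintext(beacon_ct, BEACON[:16]),
        # 8-byte crib is shorter than 2 x 7: period cannot be confirmed
        "crib_too_short": recover_mask_known_plaintext(beacon_ct, BEACON[:8]),
        "freq_mask": recover_mask_by_frequency(binary_ct, 7),
        "single_byte": recover_mask_by_frequency(xor_mask(BINARY, b"\x5a"), 1),
        "header_keyed": decrypt_header_keyed(encrypt_header_keyed(BEACON, b"\x41\x42\x43")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15} {value!r}")
```

The crib route is the one to prefer when a victim-side artefact gives exact plaintext; the frequency route needs only a guess at the dominant byte and the mask length, and fails quietly (returns a wrong key) on short or high-entropy payloads, so check the recovered mask against a second message before trusting it.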
(U//FOUO) Who to Contact?
Email:
Wiki:
Encodings
None (raw binary)
base64
Modified base64 (BYZANTINE RAPTOR): a permutation of the 64 base64 characters
HTML Character encoding (ADJUTANT VENTURE)
e.g., the bytes 0x12 0x78 0xcd appear as "\x12xÍ" (0x78 is 'x' and 0xcd is 'Í' in ISO-8859-1; 0x12 is a non-printing control byte)
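Both non-standard encodings on this slide decode with a few lines once the mapping is known, and for a permuted base64 alphabet the mapping itself falls out of one known plaintext/ciphertext pair. The following is an added example, not code from the presentation; the permuted alphabet used here (the standard alphabet reversed) and the sample strings are constructed, since the deck does not give the real alphabets or the exact character-reference form the named intrusion sets used.

```python
"""Decoders for the two non-standard encodings listed on the Encodings slide.

Added example, not from the slides: the permuted base64 alphabet and the
"HTML character" sample text are constructed to illustrate the technique; the
real alphabets used by the named intrusion sets are not given in the deck.
"""
import base64
import re
from typing import Dict, Iterable, Optional, Tuple

STD_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Constructed permutation: the standard alphabet reversed.  Real actors pick
# arbitrary shuffles; the recovery below does not care which.
CONSTRUCTED_ALPHABET = STD_B64[::-1]


def _check_alphabet(alphabet: str) -> None:
    if len(alphabet) != 64 or len(set(alphabet)) != 64 or "=" in alphabet:
        raise ValueError("alphabet must be 64 distinct characters, none of them '='")


def encode_permuted_base64(data: bytes, alphabet: str) -> str:
    """Standard base64, then rewrite each digit through the custom alphabet."""
    _check_alphabet(alphabet)
    return base64.b64encode(data).decode("ascii").translate(str.maketrans(STD_B64, alphabet))


def decode_permuted_base64(text: str, alphabet: str) -> bytes:
    """Map custom digits back to the standard alphabet, restore any stripped
    padding, then use the standard decoder."""
    _check_alphabet(alphabet)
    std = text.strip().translate(str.maketrans(alphabet, STD_B64))
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std)


def recover_alphabet(samples: Iterable[Tuple[bytes, str]]) -> Dict[str, str]:
    """Derive the permutation from (known plaintext, observed encoding) pairs:
    standard digit -> custom digit.  Raises on any contradiction, which is the
    quickest way to learn the scheme is not a plain alphabet swap."""
    mapping: Dict[str, str] = {}
    for plain, observed in samples:
        std = base64.b64encode(plain).decode("ascii")
        if len(std) != len(observed):
            raise ValueError("length mismatch; not base64 of that plaintext")
        for s, o in zip(std, observed):
            if s == "=":
                if o != "=":
                    raise ValueError("padding character differs")
                continue
            if mapping.setdefault(s, o) != o:
                raise ValueError(f"inconsistent mapping for {s!r}")
    return mapping


def alphabet_from_mapping(mapping: Dict[str, str]) -> Optional[str]:
    """Full custom alphabet once all 64 digits have been observed, else None."""
    if len(mapping) < 64:
        return None
    return "".join(mapping[c] for c in STD_B64)


# "HTML character encoding": each byte appears either as a numeric character
# reference (&#18; or &#x12;) or as the literal ISO-8859-1 character for that
# byte (0x78 -> 'x', 0xCD -> 'Í').  html.unescape() is deliberately not used:
# it remaps &#128;..&#159; to Windows-1252 code points (e.g. &#128; -> U+20AC),
# which would corrupt exactly those bytes.
_NUMREF = re.compile(r"&#([xX][0-9a-fA-F]{1,2}|[0-9]{1,3});")


def decode_html_chars(text: str) -> bytes:
    """Recover the raw bytes from mixed literal Latin-1 text and numeric refs."""
    out = bytearray()
    pos = 0
    for m in _NUMREF.finditer(text):
        out += text[pos:m.start()].encode("latin-1")   # literal characters
        ref = m.group(1)
        value = int(ref[1:], 16) if ref[0] in "xX" else int(ref)
        if value > 0xFF:
            raise ValueError(f"reference {m.group(0)} is not a single byte")
        out.append(value)
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


# Constructed sample whose standard base64 exercises every one of the 64 digits
# (each 3-byte group encodes the digits i, 0, 0, 0), so one pair recovers the
# whole alphabet.
FULL_COVERAGE_SAMPLE = b"".join(bytes([4 * i, 0, 0]) for i in range(64))
```

In practice the first samples rarely cover all 64 digits; `recover_alphabet` accumulates across as many pairs as are available, and `alphabet_from_mapping` stays `None` until the mapping is complete, which is the cue to look for more known plaintext rather than to guess the remaining digits.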