Title: VPN and VOIP Exploitation With HAMMERCHANT and HAMMERSTEIN

Release Date: 2014-03-12

Description: Slides from an NSA Turbulence presentation describe two of the agency’s specialised implants, aimed at compromising virtual private networks (VPNs) and online telephony (VOIP): see the Intercept article How the NSA Plans to Infect ‘Millions’ of Computers with Malware, 12 March 2014.

Document: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

APEX VPN Phases

► VPN Phase 1: IKE Metadata Only (Spin 15)

■ IKE packets are exfiled to TURMOIL APEX.

■ APEX reconstructs/reinjects IKE packets to the TURMOIL VPN components.

■ TURMOIL VPN extracts metadata from each key exchange and sends to the CES TOYGRIPPE metadata database. This database is used by SIGDEV analysts to identify potential targets for further exploitation.

► VPN Phase 2: Targeted IKE Forwarding (Spin 15)

■ TURMOIL VPN looks up IKE packet IP addresses in KEYCARD.

■ If either IP address is targeted, the key exchange packets are forwarded to the CES Attack Orchestrator (POISON NUT) for VPN key recovery.

► VPN Phase 3: Static Tasking of ESP

■ HAMMERSTEIN receives static tasking to exfil targeted ESP packets.

■ APEX reconstructs/reinjects ESP packets to the TURMOIL VPN components.

■ TURMOIL VPN requests VPN key from CES and attempts decryption.

► VPN Phase 4: Dynamic Targeting of ESP

■ Based on the value returned by KEYCARD, the ESP for a particular VPN may be targeted as well.

■ TURMOIL sends to HAMMERSTEIN (via TURBINE) the parameters for capturing the ESP for the targeted VPN.
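Phase 1 above relies on the fact that the IKE handshake and the ESP header are readable without any key material: a passive observer sees the endpoint addresses, the SPIs, the exchange type and the ESP sequence numbers even though the ESP payload itself is ciphertext. The following Python is an added example, not code from the slides or from any NSA system; it decodes those plaintext fields from constructed sample packets so a defender can see exactly what a VPN flow exposes on the wire. Field layouts follow RFC 7296 (IKEv2 header) and RFC 4303 (ESP); the record format and function names are this example's own.

```python
import struct

# IKEv2 exchange types (RFC 7296, section 3.1).
IKE_EXCHANGE_TYPES = {
    34: "IKE_SA_INIT",
    35: "IKE_AUTH",
    36: "CREATE_CHILD_SA",
    37: "INFORMATIONAL",
}
IKE_HEADER_LEN = 28   # fixed IKE header size in bytes
ESP_HEADER_LEN = 8    # SPI (4) + sequence number (4), RFC 4303
IPPROTO_ESP = 50


def parse_ike_header(data: bytes) -> dict:
    """Decode the plaintext IKEv2 header. Every field returned here is
    readable by anyone observing UDP/500 or UDP/4500 traffic, no keys needed."""
    if len(data) < IKE_HEADER_LEN:
        raise ValueError("truncated IKE header")
    (ispi, rspi, next_payload, version, exch_type,
     flags, msg_id, length) = struct.unpack("!QQBBBBII", data[:IKE_HEADER_LEN])
    major = version >> 4
    if major != 2:
        raise ValueError(f"not IKEv2 (major version {major})")
    return {
        "initiator_spi": f"{ispi:016x}",
        "responder_spi": f"{rspi:016x}",
        "exchange_type": IKE_EXCHANGE_TYPES.get(exch_type, f"unknown({exch_type})"),
        "is_response": bool(flags & 0x20),      # R flag
        "from_initiator": bool(flags & 0x08),   # I flag
        "message_id": msg_id,
        "declared_length": length,
    }


def parse_esp_header(data: bytes) -> dict:
    """Decode the ESP SPI and sequence number. Everything after the 8-byte
    header is ciphertext and is deliberately left uninterpreted."""
    if len(data) < ESP_HEADER_LEN:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", data[:ESP_HEADER_LEN])
    return {"spi": f"{spi:08x}", "sequence": seq,
            "opaque_bytes": len(data) - ESP_HEADER_LEN}


def vpn_metadata_record(src_ip: str, dst_ip: str, ip_proto: int, payload: bytes) -> dict:
    """Build the per-packet metadata record a passive observer can derive from
    a VPN flow: the address pair plus the unencrypted header fields. ESP is
    IP protocol 50; anything else is treated as IKE carried over UDP."""
    record = {"src": src_ip, "dst": dst_ip}
    if ip_proto == IPPROTO_ESP:
        record["esp"] = parse_esp_header(payload)
    else:
        record["ike"] = parse_ike_header(payload)
    return record


# Constructed sample packets (not captured traffic): a header-only IKE_SA_INIT
# request, and an ESP packet whose 16 payload bytes stand in for ciphertext.
SAMPLE_IKE = struct.pack("!QQBBBBII",
                         0x1122334455667788, 0,  # initiator SPI; responder SPI not yet assigned
                         33, 0x20, 34, 0x08,     # next payload=SA, version 2.0, IKE_SA_INIT, I flag
                         0, IKE_HEADER_LEN)      # message ID 0, total length
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 16

if __name__ == "__main__":
    print(vpn_metadata_record("198.51.100.5", "203.0.113.9", 17, SAMPLE_IKE))
    print(vpn_metadata_record("198.51.100.5", "203.0.113.9", IPPROTO_ESP, SAMPLE_ESP))
```

The point for a defender is the asymmetry: the ESP record carries only an SPI, a counter and an opaque byte count, whereas the IKE record identifies the handshake stage and the SA by SPI and ties it to an address pair. Address-level targeting of the kind the slides describe needs nothing beyond those fields, which is why the confidentiality of a VPN rests entirely on the strength of the key exchange and not on hiding the handshake.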


APEX VoIP Phases

► VoIP Phase 1: Static Tasking of VoIP (Spin 16)

■ HAMMERCHANT monitors VoIP SIP/H.323 signaling and exfiltrates only targeted VoIP RTP sessions to TURMOIL.

■ APEX reconstructs and bundles the voice packets into a file, attaches appropriate metadata, and delivers to PRESSUREWAVE.

■ This triggers a modified VoIP analytic to prepare the VoIP for corporate delivery.

► VoIP Phase 2: VoIP Call Survey

■ HAMMERCHANT monitors VoIP SIP/H.323 signaling and exfiltrates all call signaling metadata to TURMOIL.

■ APEX inserts call signaling metadata into an ASDF record and publishes it to the TURMOIL AsdfReporter component for target SIGDEV.

► VoIP Phase 3: Dynamic Targeting of VoIP

■ HAMMERSTEIN captures/exfils all VoIP signaling.

■ APEX reconstructs/reinjects the signaling to the TURMOIL VoIP components.

■ TURMOIL VoIP extracts call metadata and sends to FASCIA; checks KEYCARD for hits.

■ If called/calling party is targeted for active exfil, then TURMOIL sends to HAMMERSTEIN (via TURBINE) the parameters to capture the targeted RTP session.

► Implementation of VoIP Phase 2 and 3 will be driven by mission need.

■ Phase 3 leverages all TURMOIL VoIP signaling protocol processors to expand beyond SIP and H.323 (e.g. Skype) without additional development on the implant.
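Phases 2 and 3 turn on "call signaling metadata": when SIP is carried in the clear, the INVITE alone names both parties, identifies the call, and (through the SDP body) announces the address and port where the RTP audio will flow, which is all a collector needs to pick out one session from many. The Python below is an added example written for this page, not code from the slides or from any of the systems they name; it parses a constructed SIP INVITE and its SDP into the same kind of call record, and flags whether the media was negotiated as SRTP (RTP/SAVP) or plain RTP. Header and SDP handling follow RFC 3261 and RFC 4566; the record layout is this example's own, and it handles the parameterised From/To forms and a media-level c= line as well as the session-level default.

```python
import re


def parse_sdp_media(sdp: str) -> list:
    """Walk an SDP body (RFC 4566). A session-level c= line gives the default
    address; each m= line gives media type, port and transport profile and may
    be followed by its own media-level c= line that overrides the default."""
    session_addr = None
    media = []
    for line in sdp.splitlines():
        if line.startswith("c="):
            addr = line.split()[-1]
            if media:
                media[-1]["address"] = addr
            else:
                session_addr = addr
        elif line.startswith("m="):
            parts = line[2:].split()
            media.append({"type": parts[0], "port": int(parts[1]),
                          "profile": parts[2], "address": session_addr})
    return media


def parse_sip_message(raw: str) -> dict:
    """Extract the call metadata that unencrypted SIP signaling exposes,
    plus the RTP endpoints advertised in any attached SDP body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()

    def uri(field: str) -> str:
        # From/To may be '"Display" <sip:user@host>;tag=..' or a bare URI.
        value = headers.get(field, "")
        m = re.search(r"<([^>]+)>", value)
        return m.group(1) if m else value.split(";")[0].strip()

    record = {
        "request": lines[0],
        "call_id": headers.get("call-id"),
        "from_uri": uri("from"),
        "to_uri": uri("to"),
        "via": headers.get("via"),
        "media": [],
    }
    if headers.get("content-type", "").lower() == "application/sdp":
        record["media"] = parse_sdp_media(body)
    # RTP/SAVP (RFC 3711) means the audio itself is encrypted; RTP/AVP means
    # the voice packets are as readable as the signaling.
    record["encrypted_media"] = bool(record["media"]) and all(
        m["profile"].startswith("RTP/SAVP") for m in record["media"])
    return record


# Constructed sample INVITE (documentation addresses, not a real capture).
SAMPLE_SDP = "\r\n".join([
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
]) + "\r\n"
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.org SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
    'From: "Alice" <sip:alice@example.org>;tag=1928301774',
    "To: <sip:bob@example.org>",
    "Call-ID: a84b4c76e66710@192.0.2.10",
    "CSeq: 314159 INVITE",
    "Content-Type: application/sdp",
    f"Content-Length: {len(SAMPLE_SDP)}",
    "",
    SAMPLE_SDP,
])

if __name__ == "__main__":
    print(parse_sip_message(SAMPLE_INVITE))
```

Run against a real capture, the `encrypted_media` flag is the quick check worth automating: a deployment that shows plaintext SIP and RTP/AVP media is giving away party identities, call timing and the audio stream itself to anyone on the path. The mitigations the record points at are SIP over TLS (the `sips:` scheme of RFC 3261) for the signaling and SRTP for the media, and the parser makes the gap visible before any of those sessions are relied on for anything sensitive.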


[Diagram: HAMMERSTEIN VPN exploitation data flow. Recoverable labels: HAMMERSTEIN; FASHION CLEFT Wrapped Exfil; Key exchange / Encrypted Data; IKE Full take / Metadata (Files); FC Unwrapper; TURMOIL Metadata Extractor, TE-VPN, PIQ Blade; Look Up IP Address For Content Targeting; Selected Decrypted Content; Socket Connection (SSL) IKE Exchanges; Socket Connection (SSL) Key Requests/Responses; Web Services; NSA Net Gateway; Full take metadata repository; Pairing & Crypt Attacks / CA Resources; BBSS VPN Attack Orchestration; CORAL REEF; TOYGRIPPE; Cryptovariable Management.]

TOP SECRET//COMINT//REL USA, FVEY


APEX VoIP Exploitation

[Diagram: APEX VoIP exploitation data flow. Recoverable labels: FASHION CLEFT Wrapped Exfil; HAMMERCHANT; CLProcess; VoIP Signaling / VoIP Content; Targeted VoIP Content; Exfiled Content; NSA Net.]

