Tuesday, 19 February 2019

Wikileaks Publishes Classified Documents From Within German NSA Inquiry Commission

(UPDATED: May 15, 2017)

On December 1, Wikileaks published 90 gigabytes of classified documents from the German parliamentary committee that investigates NSA spying and the cooperation between NSA and the German foreign intelligence service BND. The documents include 125 files from BND, 33 from the security service BfV and 72 from the information security agency BSI.

It should be noted though that all documents are from the lowest classification level and many of them are just formal letters, copies of press reports and duplications within email threads. Nonetheless, the files also provide interesting new details, for example about the German classification system, BND's internal structure, the way they handled the Snowden revelations and the use of XKEYSCORE.



These topics will be updated or new topics will be added when new information is found in the documents published by Wikileaks.



The German parliamentary investigation committee just before a hearing
(photo: DPA)
 

About

Some background information was provided in an article from the newspaper Die Zeit, which says that only documents with the lowest classification level (VS NfD or RESTRICTED) are scanned and made available to the investigation committee on a government server. They are also available at the federal Chancellery.

Documents with a higher classification level are not digitized and have to be read in a secure room (German: Geheimschutzstelle) in the parliament building. Most of the documents classified Top Secret can only be viewed at the Chancellery or the new Berlin headquarters of BND.



Classified documents provided to the investigation commission
(still from the ARD documentary Schattenwelt BND)


Regarding the source of this leak, information technology experts of the German parliament said that they found no indications of a hack. Der Spiegel suggests that the source might be a member of the parliamentary committee for foreign affairs or for the affairs of the European Union, because one document published by Wikileaks (meanwhile removed) was only available to members of those two commissions.

Update:

On December 11, 2016, German press reported that according to a high-level security officer, there's a high plausibility that the committee documents published by Wikileaks were stolen during a large hacking attack on the German parliament's internal network in late 2014/early 2015.
This attack was discovered in May 2015 and showed patterns similar to APT28 a.k.a. Operation Pawn Storm, the Sofacy Group, or Fancy Bear - a hacker collective which is probably sponsored by the Russian government. The timeframe of this hacking attack could explain why Wikileaks has no committee documents dated after January 2015.

It seems also possible that the secret documents about the joint NSA-BND operation Eikonal, which were published last year by the Austrian member of parliament Peter Pilz, came from this cyber attack on the German parliament servers.

Wikileaks hasn't redacted anything. Almost everything that is redacted is in blue, which is apparently the way BND is redacting its documents. Therefore, the files still contain all the internal organizational designators as well as the email aliases or addresses of many German government units and employees.



Internal BND email from the EAD branch for the relationships with western countries &
cooperation partners, and the EADD unit for relationships with North America & Oceania
(click to enlarge)

 

BND classifications

Documents from BND are classified according to the official German classification system, which has four levels, corresponding to those used in many other countries:

- VS NUR FÜR DEN DIENSTGEBRAUCH (VS NfD)
color code: blue or black; equivalent: RESTRICTED

- VS VERTRAULICH (VS Vertr. / VSV)
color code: blue or black; equivalent: CONFIDENTIAL

- GEHEIM (Geh. / Stufe I)
color code: red; equivalent: SECRET

- STRENG GEHEIM (Str. Geh. / Stufe II)
color code: red; equivalent: TOP SECRET

Besides these common classification levels, it was suspected that there would be at least one higher or more restrictive category to protect highly sensitive information. This has now been confirmed by various letters from the Wikileaks trove, which mention the following two classification markings:

- STRENG GEHEIM-ANRECHT (?)

- STRENG GEHEIM-SCHUTZWORT (Str. Geh. SW)
color code: ?; equivalent: TOP SECRET/SCI

The use of these markings is apparently a secret itself, because also members of the parliamentary committee US Classification System, which was explained here earlier.

The German marking ANRECHT apparently means that certain information is classified Secret or Top Secret, but that within that particular level, it's only meant for those people who have a need-to-know (German: Anrecht), dissemination markings.

The marking SCHUTZWORT is also meant to restrict access, but in this case, the originator of a particular document determines a codeword (German: Schutzwort) which he Sensitive Compartmented Information (SCI) used in the US, where meanwhile several formerly secret codewords have been declassified.

A security manual from the German armed forces from 1988 also mentions special classification categories, like for example SCHUTZWORT and KRYPTO, the latter apparently for classified cryptographic information.




Letter from the Chancellery which was classified STRENG GEHEIM-ANRECHT,
which was marked as cancelled (UNGÜLTIG) after the attached
documents at that classification level were removed
(click to enlarge)

Internal markings

From the committee files we also learn that BND uses the following internal markings. When disseminated outside BND, such information was meant to be classified GEHEIM.

- Meldedienstliche Verschlusssache - amtlich geheimgehalten

- Ausgewertete Verschlusssache - amtlich geheimgehalten

- Operative Verschlusssache - amtlich geheimgehalten

- FmA Auswertesache - amtlich geheimgehalten

 

BND organization

The files published by Wikileaks also contain a set of charts showing the organizational structure of BND between the years 2000 and 2014. There are some changes in the agency's divisions, with a reorganization in 2009, as can be seen in the following charts:


BND organisation chart, situation until 2009
(click to enlarge)



BND organisation chart, situation since 2009
(click to enlarge)


A more detailed BND organisation chart was among the Snowden documents and was published earlier by Der Spiegel.

Internal designators

The BND's divisions, branches and units are designated by codes that consist of letters, written in capitals. In the current situation the main divisions have a two-letter designator which is more or less an abbreviation of their full name. The SIGINT division is for example TA, which stands for Technische Aufklärung.

From the e-mails published by Wikileaks we learn that lower units are designated by adding additional letters or words to the division designator. It seems that these additional letters can be the first letter of a full name, a more or less random letter, or A for the first unit, B for the second unit, etc.

For example, "PLSA-HH-Recht-SI" is the first branch (A) of PLS, which is the BND president's staff. The term "Recht" indicates that this is apparently a unit for legal issues. A simpler designator is "GLAAY", which is a unit of the division GL (Gesamtlage).

By combining several documents related to XKEYSCORE, the following list of designators for BND's field stations could be reconstructed:
- 3D10: Schöningen or Rheinhausen (satellite interception)
- 3D20: Schöningen or Rheinhausen (satellite interception)
- 3D30: Bad Aibling (satellite interception)
- 3D40: Gablingen (HF radio interception)*
Similar designators are used for BND liaison offices:
- 2D01: London (with contacts to seven British partner agencies, denoted as GBR01, GBR02, GBRMD, GBRND, GBRSD, GBRPS, and GBRTF)
- 2D02: Paris
- 2D03: Brussels/NATO
- 2D30: Washington
- 2D33: Canberra

Some divisions

The organisation charts for BND's structure since 2009 show that there are four divisions for analysis and production, which is where analysts prepare intelligence reports:
- Two divisions are for topical missions: TE for international terrorism and organized crime, and TW for proliferation of weapon systems and ABC weapons.
- The other two divisions, LA and LB, are responsible for a geographical area. From their logos in the signature block in internal e-mails we learn that LB is responsible for Africa, the Middle East and Afghanistan, while LA has the rest of the world:


Secure communications

A letter from BND from July 2013 says that BND's wide-area networks (WANs) which are classified Secret (Geheim) are secured by SINA encryption devices certified by the BSI. Communications between foreign and domestic BND facilities are transmitted through MPLS (Multiprotocol Label Switching) networks.

The letter also says that BND unit SICD for eavesdropping techniques domestically checks only whether BND facilities may have been bugged, but found nothing over the past several years. Outside Germany, the embassies and consulates of the German foreign ministry were checked in regular turns.

 

XKEYSCORE

According to Wikileaks, one of the more interesting documents from their release is one that allegedly proves that "a BND employee will be tasked to use and write software for XKeyscore." However, the German tech website Golem says that this seems to be based on a text section that only refers to BND employee A.S., who helped install XKEYSCORE at the Berlin headquarters of the domestic security service BfV, which uses this system only for analysing terrorism-related data sets.

More interesting are several other documents about XKEYSCORE. For example, in a list of answers prepared for the meeting of the parliamentary oversight committee on November 6, 2013 it is said that XKEYSCORE has been used since 2007 in Bad Aibling and that this system has been tested since February 2013 at the satellite intercept stations Schöningen and Rheinhausen. It was planned to use XKEYSCORE on a regular basis at the latter two locations too.

According to another document, BND uses XKEYSCORE for the following purposes:
- Check whether satellite links with internet traffic (only foreign-to-foreign and particularly crisis regions, so no links to or from Germany or cables within Germany) could contain information relevant for BND's mission
- Search for new relevant targets
- Make communications traffic from already known and selected targets readable to transfer them to analysts for preparing reports
XKEYSCORE processes data streams in real time, but for analysis purposes it can also buffer both metadata and content for a certain time, which depends on the available storage space of the buffer. Because XKEYSCORE is used for regular processing purposes, BND deemed it not necessary to inform the federal chancellery or the parliamentary oversight committee (PKGr) about this system specifically.

An internal BND email from November 5, 2013, explains that at Schöningen and Rheinhausen, XKEYSCORE is used for intercepting foreign satellite communications. The specific role for the system is determining which satellite links are most useful and afterwards checking whether the traffic contains the communications of people the BND is looking for (so-called survey):


Internal BND email about the use of XKEYSCORE at BND's satellite stations
(source: Wikileaks, pdf-page 248 - click to enlarge)


This is a rather unexpected use of XKEYSCORE, because for NSA and GCHQ the strength of the system lies in its capability to reassemble internet packets, filter them and allow analysts to search buffered content. It is still not fully clear whether BND uses XKEYSCORE also in this way.

In November 2014, W.K. from BND's SIGINT division testified that XKEYSCORE was used for decoding and demodulating IP traffic. Decoding for making things readable happens both online and on stored data, while (demodulating for) selecting the proper satellite links only happens on online data streams.

At Schöningen and Rheinhausen XKEYSCORE was only used for the latter purposes, in the pre-analysis stage. This also came forward from some testimonies before the investigation commission. For example E.B., head of the Schöningen station, said that XKEYSCORE was only used for looking at a few days of satellite traffic to decide which communication links were in it.

An earlier presentation about satellite interception at Menwith Hill Station in the UK shows that NSA and GCHQ have other systems, like DARKQUEST, for surveying satellite links, after which XKEYSCORE is used for processing and analysing the data.


Another file that was sent to the parliamentary committee contains two diagrams about how BND uses the XKEYSCORE system:

In the first diagram we see that what comes in through the satellite antenna first goes to an actual collection system (Erfassungssystem) which has some kind of database attached that says which satellite links have to be selected (Streckenauswahl). The result then goes to XKEYSCORE, which is fed by a database with rules (Regeln), which apparently decide which data to select and forward for further analysis (Weiterverarbeitung):




Another diagram shows the difference between XKEYSCORE and traditional collection processing systems: in the traditional set-up, it seems that first, IP packets from a data stream were reassembled (sessionized) and then went through a filter to select only those of interest (the light-green one), which were forwarded for further analysis. XKEYSCORE could do all that at once:
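To make the two processing flows concrete, here is an added toy model of what the diagrams describe: the traditional path (sessionize the whole stream, then filter) beside a streaming path that decodes, sessionizes and applies selection rules per packet while keeping a time-bounded buffer of metadata and content, as the earlier passage on buffering mentions. This is illustration code written for this page, not code from the leaked documents, from BND or from any real XKEYSCORE deployment; the packet records, the selection rules, the "protected" address range standing in for the G-10 style exclusion, and the buffer window are all constructed assumptions.

```python
"""Toy model of the two XKEYSCORE processing set-ups in the BND diagrams.

Added example for illustration only; nothing here is from the leaked files.
All traffic, rules and address ranges below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float       # seconds since start of capture (constructed)
    link: str       # satellite link the packet was seen on (Streckenauswahl)
    src: str        # source IP (RFC 5737 documentation ranges, constructed)
    dst: str        # destination IP
    proto: str      # application protocol as guessed by the decoder
    payload: bytes  # decoded content fragment


SessionKey = Tuple[str, str, str]

# Constructed sample traffic on two links; four flows in total.
PACKETS: List[Packet] = [
    Packet(0.0, "link-A", "192.0.2.10", "198.51.100.5", "smtp", b"MAIL FROM:<a@example.net>"),
    Packet(0.4, "link-A", "192.0.2.10", "198.51.100.5", "smtp", b"Subject: meeting"),
    Packet(1.1, "link-A", "192.0.2.77", "198.51.100.9", "http", b"GET /news HTTP/1.1"),
    Packet(2.0, "link-B", "192.0.2.20", "203.0.113.8", "smtp", b"MAIL FROM:<b@example.org>"),
    Packet(2.5, "link-B", "192.0.2.20", "203.0.113.8", "smtp", b"Subject: invoice"),
    Packet(9.0, "link-B", "192.0.2.31", "198.51.100.9", "http", b"GET /index HTTP/1.1"),
]

# Constructed stand-in for the G-10 filter: any flow touching a protected
# range is dropped before a single selection rule is evaluated.
PROTECTED_NETS = [ip_network("203.0.113.0/24")]


def is_protected(p: Packet) -> bool:
    """True if either endpoint of the packet falls in a protected range."""
    return any(ip_address(a) in net for a in (p.src, p.dst) for net in PROTECTED_NETS)


def sessionize(packets: List[Packet]) -> Dict[SessionKey, List[Packet]]:
    """Reassemble packets into sessions keyed by (src, dst, proto), oldest first."""
    sessions: Dict[SessionKey, List[Packet]] = {}
    for p in sorted(packets, key=lambda q: q.ts):
        sessions.setdefault((p.src, p.dst, p.proto), []).append(p)
    return sessions


# Constructed selection rules, i.e. the "Regeln" database of the diagram.
Rule = Callable[[List[Packet]], bool]
RULES: Dict[str, Rule] = {
    "smtp-from-example-net": lambda s: s[0].proto == "smtp"
    and any(b"@example.net" in p.payload for p in s),
    "http-news-path": lambda s: s[0].proto == "http"
    and any(b"/news" in p.payload for p in s),
}


def traditional_pipeline(packets: List[Packet]) -> Dict[SessionKey, List[str]]:
    """Traditional flow: sessionize the whole stream first, then filter."""
    kept: Dict[SessionKey, List[str]] = {}
    for key, pkts in sessionize(packets).items():
        if any(is_protected(p) for p in pkts):
            continue
        hits = [name for name, rule in RULES.items() if rule(pkts)]
        if hits:
            kept[key] = hits
    return kept


def streaming_pipeline(packets: List[Packet], buffer_seconds: float):
    """'All at once' flow: sessionize and select per packet on the live stream,
    keeping only a time-bounded buffer of sessions (metadata and content).
    Returns (selected sessions with matched rule names, keys still buffered)."""
    buffer: Dict[SessionKey, List[Packet]] = {}
    selected: Dict[SessionKey, List[str]] = {}
    for p in sorted(packets, key=lambda q: q.ts):
        if is_protected(p):
            continue
        key = (p.src, p.dst, p.proto)
        buffer.setdefault(key, []).append(p)
        for name, rule in RULES.items():
            if rule(buffer[key]) and name not in selected.get(key, []):
                selected.setdefault(key, []).append(name)
        # Evict sessions whose last packet is older than the buffer window.
        stale = [k for k, s in buffer.items() if s[-1].ts < p.ts - buffer_seconds]
        for k in stale:
            del buffer[k]
    return selected, list(buffer)


if __name__ == "__main__":
    print("traditional:", traditional_pipeline(PACKETS))
    print("streaming:  ", streaming_pipeline(PACKETS, buffer_seconds=5.0))
```

Both paths select the same two sessions; the difference is where the cost sits. The traditional path must hold every reassembled session until filtering, whereas the streaming path decides on each packet as it arrives and can discard sessions once they fall out of the buffer window, which is why the buffer's retention time depends on storage rather than on the selection logic.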




IBM servers

The Wikileaks files also contain an internal BND order form from February 25, 2014, used for ordering six servers for field station 3D20: two IBM X3650 M4 and four IBM X3550 M4 servers, with a total price of 58.000,- euros. A separate text explains that these servers were needed for both PDBD and XKEYSCORE:

- PDBD was the new centralized BND tasking database, which would supersede the proprietary tasking databases used at the various field stations.

- XKEYSCORE is described as a system that decodes packet-switched telecommunications traffic like e-mail, messenger, chat, geolocation data, etc. and is used for analysing telecommunications traffic. At BND the system was needed because it became increasingly difficult to extract relevant information from the ever growing amount of data. The servers were needed to move XKEYSCORE from test to operational status.


Internal BND order form for several IBM servers to be used for XKEYSCORE and PDBD
(source: Wikileaks, pdf-page 72 - click to enlarge)

 

PRISM

A large file from the committee documents is about the reaction to the revelation of PRISM. In August 2013, members of the Bundestag asked so many questions about this NSA program that one BND employee complained that it was unreasonable to expect that his agency could provide all the answers.

At that time, many details about PRISM weren't clear yet and statements from the U.S. government and from internet companies seemed to contradict each other. Among the documents that BND forwarded to the parliamentary committee was also one report from July 2013, which summarizes what was known about PRISM at that time.

This report was made by civil servants from unit ÖS I 3 of the Public Security division of the German Interior Ministry (BMI). After summarizing what was known from the press reports, the report also describes a second tool that is named PRISM - based upon an earlier article on this weblog:



Summary of a second PRISM program as described on this weblog
(source: Wikileaks, pdf-page 104 - click to enlarge)


Shortly after the existence of PRISM was revealed in early June 2013, much was unclear, so I did some open source research and found that the U.S. military uses a program named PRISM, which in this case is an acronym for "Planning tool for Resource Integration, Synchronization and Management".

Shortly afterwards, in July 2013, German press published an NSA letter saying that there are actually three different programs with the name PRISM: one that collects data from the large internet companies, one that is used as a military tasking and planning tool, and finally one that is used for internal information sharing in NSA's Information Assurance Directorate (IAD).

 

BOUNDLESSINFORMANT

On July 29, 2013, the German magazine Der Spiegel published a chart from the NSA tool BOUNDLESSINFORMANT. The chart was related to Germany and it was thought that it showed that NSA had intercepted over 550 million pieces of communications traffic.

But within just a few days, BND contacted Der Spiegel, saying that they had collected those data and shared them with NSA. The SIGADs US-987LA and US-987LB designated collection at the BND satellite station in Bad Aibling and interception of telephone calls in Afghanistan, respectively. This was confirmed by NSA and published by Der Spiegel on August 5, 2013.

A document published by Wikileaks explains that in Afghanistan, BND had a satellite interception facility (for downlinks to complement the uplinks intercepted at Bad Aibling) and also intercepted point-to-point microwave links (generally used for (mobile) telephony backbones).


BOUNDLESSINFORMANT screenshot showing metadata related to Germany
as published by Der Spiegel on July 29, 2013
(click to enlarge)


An email published by Wikileaks shows that meanwhile, M.J. from unit 3D3D of the Bad Aibling station was comparing the numbers from the BOUNDLESSINFORMANT chart with those from his logfiles and Nagios checks. In the e-mail, from August 12, 2013 to his boss R.U., he concluded that at the start of the month there was a relatively clear similarity with the chart from Der Spiegel:


The chart that seems to be prepared by BND employee M.J. to compare
with the one from BOUNDLESSINFORMANT (note the different scale)
(click to enlarge)


It should be noted that BND didn't count the numbers of metadata they provided to NSA, they did so only for content, so the numbers from M.J.'s chart may not be fully accurate. Even more puzzling is a table that was also with the email from M.J. and contains the daily numbers for the metadata during this period:


The chart that seems to be prepared by BND employee M.J. to compare
with the one from BOUNDLESSINFORMANT (note the different scale)
(click to enlarge)


The unusual thing here is that on the right side, the table has daily numbers broken down for several processing systems - unusual because the chart from Der Spiegel only provided aggregated numbers, and because three codenames weren't seen in the published BOUNDLESSINFORMANT charts: POPTOP, CRON and SNOWHAZE. Did NSA provide these more detailed numbers so BND could compare them?

In a letter from August 13, 2013, BND president Schindler asks NSA director Alexander to confirm that the metadata collected through 987LA and US-987LB came entirely from BND. This would help to make the public debate more rational.

Update:
During a hearing of the German parliamentary investigation committee on January 19, 2017, former BND president Schindler said that the BOUNDLESSINFORMANT charts that Snowden took were from training course material. This was said here for the first time and, given the problems these charts caused for BND, it's possible that they asked NSA for more details, after which this explanation came up.

 

Cooperation in Afghanistan

In Afghanistan SIGINT Coalition, or AFSC). Partner agencies enter the data they collect into a database (similar or identical to SIGDASYS) managed by NSA and they can request from the database those data that are relevant for their mission task.

Between 2011 and 2013, BND requested and received 216.423 data sets from this system. For the Afghanistan "burden sharing", BND was working on some 5000 targets, which resulted in ca. 1 million data sets each day. These were shared with the AFSC group and thus also with NSA and GCHQ. Most of this is about localisation.

Furthermore, NSA provided BND with several thousand selectors of targets to collect the related data from satellite links from or to Afghanistan and other crisis regions. BND does this through its satellite intercept station in Bad Aibling, which results in ca. 3 million data sets each month. After passing the G-10 filter (to block communications related to Germans), these data are provided to NSA.

 

Intelligence sharing

In 2012, BND's SIGINT division TA shared 580 intelligence reports (Meldungen) with U.S. agencies, 184 with British services and 553 with multinational groups. A total of 879 reports contained personal data from intercepted communications. In the first half of 2013 there were 200 reports shared with the US, 55 with the UK and 220 with multinational groups. A total of 408 contained personal data.

In return, BND received 7976 reports and data packages about terrorism and the proliferation of weapons of mass destruction in 2012. This total number is made up of ca. 750 reports from NSA, 4538 from CIA, 519 from DIA and 2169 from the U.S. Central Command (CENTCOM).

 

Cyber security

Some insights about the cooperation between BND and NSA in the field of cyber defence can be read in a report about the visit of NSA director Keith Alexander to Berlin, on June 6 and 7, 2013 (which were the second and third days of the Snowden revelations!).

When it came to cyber issues, Alexander compared the internet to a "fibre ring" operated by internet service providers (ISPs), with "pipes" leading to the networks of industry, finance and government. Any malware, whether for destroying things or stealing data, should be stopped in the "fibre ring" before it reaches the "pipes" - "you need to see it first".

A German government official said that Germany has good cyber specialists, but they work only in a defensive way. When it comes to offensive cyber attacks, Germany is inactive. Also, contacts to industry should be revived. The general opinion was that German industry should protect itself, but small and medium businesses are very naive and, without obligations, companies will not spend money on cyber defense.

The report says that for cyber issues, a small group of "trusted states" could be created, because international regulations like the Budapest Convention seem hardly effective. According to general Alexander, the U.S. is building partnerships, but sharing information depends on trust, which is not always given.

General Alexander also told BND that NSA had 27 teams of 56 persons each, which support the U.S. Combatant Commands, and that an additional 6000 new cyber specialists will follow. NSA also supports the U.S. Cyber Command with a detachment of 407 cyber experts. According to Alexander, NSA identified about 50 Chinese "intrusion sets" and gained access to Chinese networks to find out who the victims were of these massive and global cyber attacks.

In an answer to questions by member of parliament Oppermann from July 23, 2013, BND says that they support domestic security service BfV and information security agency BSI in recognizing foreign cyber attacks, which is called "SIGINT Support to Cyber Defence" (SSCD). Only BND is able to build technical systems to detect cyber attacks in(!) foreign countries.

The reply also says that "within the SSCD working group of an international SIGINT coalition, BND exchanges information about the international detection of cyber attacks" - this international SIGINT coalition is most likely the SIGINT Seniors Europe (SSEUR or 14-Eyes) group. And apparently it's this working group that BND director Schindler referred to when he talked about international cybersecurity cooperation in May 2014.

 

Index

Finally, a list of some of the most interesting files found so far (it would have been useful if Wikileaks had provided this kind of index though):

- MAT_A_BND-1-3a_2 (employees of U.S. military and intelligence contractors in Germany)

- MAT_A_BND-1-5 (NSA's mass metadata collection, PRISM together with XKEYSCORE)

- MAT_A_BND-1-11a (BOUNDLESS INFORMANT, ECHELON)

- MAT_A_BND-1-11c (pdf-page 315: options how NSA could have intercepted Merkel's cell phone)

- MAT_A_BND-1-11j (pdf-page 145 ff.: cyber security cooperation between NSA and BND; page 155: short history of Bad Aibling Station; page 280: NSA letter about three different PRISMs)

- MAT_A_BND-1-11k (letter of BND president Schindler to NSA director Alexander)

- MAT_A_BND-1-13a (pdf-page 61 and 88: initially, BND assumed that PRISM was about collecting metadata; page 99: since 2012, NSA sent BND ca. 450 reports about terrorist threats)

- MAT_A_BND-1-13b (pdf-page 84 and 85: XKEYSCORE diagrams; page 227: targeted interception requires a "sessionizer" similar to XKS; page 277: SSCD working group of the SSEUR)

- MAT_A_BND-1-13c (pdf-page 127: data sharing in Afghanistan)

- MAT_A_BND-1-13h (pdf-page 108 ff.: report about the VERAS metadata system)

- MAT_A_BND-1-2a (pdf-page 19 ff.: various presentations from the Black Hat 2013 conference)

- MAT_A_BND-3a (very extensive index of topics used by BND)

- MAT_A_BND-3-1a (BND organisation charts from 2000-2014)

- MAT_A_BND-8a (contacts with GCHQ, cooperation between BND and NSA, reports about the refugee interview unit, internal G10 manual)

More to follow...

