Saturday, 01 June 2019

INCENSER, or how NSA and GCHQ are tapping internet cables

(Last edited: Jan 9, 2018)

Recently disclosed documents show that the NSA's fourth-largest cable tapping program, codenamed INCENSER, pulls its data from just one single source: a submarine fiber optic cable linking Asia with Europe.

Until now, it was only known that INCENSER was a sub-program of WINDSTOP and that it collected some fourteen billion pieces of internet data a month. The latest revelations now say that these data were collected with the help of the British company Cable & Wireless (codenamed GERONTIC, now part of Vodafone) at a location in Cornwall in the UK, codenamed NIGELLA.

For the first time, this gives us a view of the whole interception chain, from the parent program all the way down to the physical interception facility. Here we will piece together what is known about these different stages and programs from recent and earlier publications.




The cables tapped at NIGELLA by GERONTIC under the INCENSER and WINDSTOP programs
(Map: ARD.de)

 

NIGELLA

Last week's joint reporting by the British broadcaster Channel 4, the German regional broadcasters WDR and NDR and the German newspaper Süddeutsche Zeitung, identified NIGELLA as an interception facility at the intersection of Cable & Wireless and Reliance cables at Skewjack Farm.

There, just north-west of Polgigga Cottage in Cornwall, is a large building that was constructed in 2001 for FLAG Telecom UK Ltd for 5.3 million pounds. It serves as a terminus for the two ends of a submarine optical cable: one from across the Atlantic which lands at the beach of nearby Sennen, and one that crosses the Channel to Brittany in France:

- FLAG Atlantic 1 (FA1)
Connecting the east coast of North America to the United Kingdom and France (6.000 kilometers)

The FLAG Atlantic 1 cable to America consists of six fibre pairs, each capable of carrying forty (eventually up to 52) separate light wavelengths, and each wavelength can carry 10 Gigabit/s of traffic. This gives a potential capacity of 2.4 terabit/s per cable. However, in 2009, only 640 gigabit/s were actually used, which went apparently up to 921 gigabit/s in 2011.



The FLAG terminus station in Skewjack Farm, Cornwall
(still from 'The Secrets of Cornwall')


The cable was initially owned by FLAG Telecom, where FLAG stands for Fiber-optic Link Around the Globe. This company was renamed Reliance Globalcom when it became a fully owned subsidiary of the Indian company Reliance Communications (RCOM). In March 2014, Reliance Globalcom was once more renamed, now to Global Cloud Xchange (GCX).

More important is another, much longer submarine cable, which was also owned by this company, and which has its landing point on the shore of Porthcurno, a few miles south-west of Skewjack Farm:

- FLAG Europe-Asia (FEA)
Connecting the United Kingdom to Japan through the Mediterranean, with landing points in Egypt, the Saudi Peninsula, India, Malaysia, Thailand, Hong Kong, China, Taiwan, South Korea and Japan (28.000 kilometers)

This cable has two fibre pairs, each capable of carrying up to forty separate light wavelengths, and each wavelength can once more carry 10 gigabit/s of traffic. This gives a potential capacity of 800 gigabit/s, but in 2009 only seventy gigabit/s were used, which went up to 130 gigabit/s in 2011 - still an unimaginable 130.000.000.000 bits per second.



The FLAG Atlantic 1 and FLAG Europe-Asia landing points
and the Skewjack Farm terminus station
(Map: Channel 4)


The backhaul connection between the FLAG Atlantic 1 (FA1) and the FLAG Europe-Asia (FEA) is provided by a local area network of Cable & Wireless, which also connects both submarine cables to its terrestrial internet backbone network.

According to the newly disclosed GCHQ Cable Master List from 2009, the interception of the FA1 and the FEA cables takes place at the intersection with this backhaul connection:


This list also shows that the interception of these two cables is accompanied by a Computer Network Exploitation (CNE) or hacking operation codenamed PFENNING ALPHA.

Because the owner of the cables (Reliance Globalcom, now Global Cloud Xchange) is not a cooperating partner of GCHQ, they hacked into their network for getting additional "router monitoring webpages" and "performance statistics for GTE [Global Telecoms Exploitation]".


Interception equipment

How the actual interception takes place can be learned from an article in The Guardian from June 2013, which provides some details about the highly sophisticated computer equipment at cable tapping points.

First, the data stream is filtered through what is known as MVR (Massive Volume Reduction), which immediately rejects high-volume, low-value traffic, such as peer-to-peer downloads. This reduces the volume by about 30%.


Selectors

The next step is to pull out packets of information that contain selectors like phone numbers and e-mail, IP and MAC addresses of interest. In 2011, some 40,000 of these were chosen by GCHQ and 31,000 by the NSA, according to The Guardian. This filtering is most likely done by devices from Boeing-subsidiary Narus, which can analyse high-volume internet traffic in real-time.

A single NarusInsight machine can monitor traffic up to 10 Gigabit/second, which means there have to be up to a dozen of them to filter the relevant traffic from the FA1 and FEA submarine cables. Most of the information extracted in this way is internet content, such as the substance of e-mail messages.


Full sessions

Besides the filtering by using specific selectors, the data are also sessionized, which means all types of IP traffic, like VoIP, e-mail, web mail and instant messages, are reconstructed. This is something the Narus devices are also capable of.

These "full take" sessions are stored as a rolling buffer on XKEYSCORE servers: content data for only three to five days, and metadata for up to thirty days. But "at some sites, the amount of data we receive per day (20+ terabytes) can only be stored for as little as 24 hours" according to an NSA document from 2008.

The aim is to STRAP 2 dissemination restrictions. But nonetheless, German media already revealed that GERONTIC is Cable & Wireless last year.

In July 2012, Cable & Wireless Worldwide was taken over by Vodafone for 1.04 billion pounds, but according to the GCHQ documents, the covername GERONTIC was continued, and was seen active until at least April 2013.

According to the press reports, GCHQ had access to 63 undersea internet cables, 29 of which with the help of GERONTIC. This accounted for about 70% of the total amount of internet data that GCHQ had access to in 2009.

Cable & Wireless was involved in these 29 cables, either because it had Direct Cable Ownership (DCO), an Indefeasible Right of Use (IRU) or Leased Capacity (LC). Besides that, the GCHQ Cable Master List from 2009 lists GERONTIC also as a landing partner for the following nine cables:
- FLAG Atlantic 1 (FA1)
- FLAG Europe-Asia (FEA)
- Apollo North
- Apollo South
- Solas
- UK-Netherlands 14
- UK-France 3
- Europe India Gateway (EIG)
- GLO-1

Disclosed excerpts from internal GCHQ wiki pages show that Cable & Wireless held regular meetings with GCHQ from 2008 until at least 2010, in order to improve the access possibilities, like selecting which cables and wavelengths would provide the best opportunities for catching the communications GCHQ wanted.

GCHQ also paid Cable & Wireless tens of millions of pounds for the expenses. For example, in February 2009 six million pounds was paid and a 2010 budget references a 20.3 million pound payment to the company. By comparison, NSA paid all its cooperating telecommunication companies a total of 278 million dollars in 2013.


The intensive cooperation between Cable & Wireless and GCHQ may not come as a surprise for those knowing a bit more of British intelligence history. The company already worked with predecessors of GCHQ during World War I: all international telegrams were handed over so they could be copied before being sent on their way, a practice that continued for over 50 years.

 

INCENSER (DS-300)

Among the documents about the GCHQ cable tapping is also a small part of an internal glossary. It contains an entry about INCENSER, which says that this is a special source collection system at Bude. This is further specified as the GERONTIC delivery from the NIGELLA access, which can be viewed in XKEYSCORE (XKS):



This entry was also shown in the German television magazine Monitor, although not fully, but without the redactions, so from this source we know the few extra words that were redacted for some reason.

The entry also says that INCENSER traffic is labeled TICKETWINDOW with the SIGINT Activity Designator (Sigad) DS-300. From another Sigads starting with DS is not yet clear, but probably also denotes 2nd Party collection.


TEMPORA

In Bude, GCHQ has its Regional Processing Center (RPC), which in 2012 had a so-called "Deep Dive" processing capability for 23 channels of 10 gigabit/second each under the TEMPORA program.

TEMPORA comprises different components, like the actual access points to fiber-optic cables, a Massive Volume Reduction (MVR) capability, a sanitisation program codenamed POKERFACE, and the XKEYSCORE system. As we have seen, most of the hardware components are located at the interception point, in this case the facility in Skewjack (NIGELLA).


Analysing

These collection systems can be remotely instructed ("tasked") from Bude, or maybe even also from NSA headquarters. For one part that involves entering the "strong selectors" like phone numbers and internet addresses. For another part, that is by using the additional capabilities of XKEYSCORE.

Because the latter system buffers full take sessions, analysts can also perform queries using "soft selectors", like keywords, against the body texts of e-mail and chat messages, digital documents and spreadsheets in English, Arabic and Chinese. XKEYSCORE also allows analysts to look for the usage of encryption, the use of a VPN or the TOR network, and a number of other things that could lead to a target.

This is particularly useful to trace a target's internet activities that are performed anonymously, and therefore cannot be found by just looking for the known e-mail addresses of a target. When such content has been found, the analyst might be able to find new intelligence or new strong selectors, which can then be used for starting a traditional search.

 
Hacking operations

According to a 2010 NSA weblog of Robert Sesek and the tapped by other means, and both GCHQ and NSA aren't interested in the private communications of ordinary internet users. On the contrary, by tapping into a submarine cable that connects to Asia and the Middle East, INCENSER looks rather focussed at high-priority targets in the latter region.

Update: The redacted source trigraphs of the case notations in the internal GCHQ glossary, which start with IR and YM, seem to point to Iran (Iraq is IQ) and Yemen as target countries of the INCENSER program.

Reporting

Despite INCENSER being NSA's fourth-largest cable tapping program regarding the volume which is collected, the intelligence reports analysts are able to write based upon this only made it to the 11th place of contributors to the President's Daily Brief - according to a slide from a 2010 presentation about Special Source Collection, published by The Washington Post in October last year:



 

WINDSTOP (2nd Party)

Data collected under the INCENSER program are not only used by GCHQ, but also by NSA, which groups such 2nd Party sources under the codename WINDSTOP. As such, INCENSER was first mentioned in a slide that was published by the Washington Post in October 2013 for a story about the MUSCULAR program:




According to NSA's 2nd Party countries (primarily Britain, but also Canada, Australia and New Zealand) and focusses on access to (mainly internet) "communications into and out of Europe and the Middle East" through an integrated and overarching collection system.

MUSCULAR is a program under which cables linking large data centers of Google and Yahoo are tapped. The intercept facility is also located somewhere in the United Kingdom and the data are processed by GCHQ and NSA in a Joint Processing Centre (JPC) using the Stage 2 version of XKEYSCORE.


A new slide from this presentation about WINDSTOP was published by Süddeutsche Zeitung on November 25, which reveals that a third program is codenamed TRANSIENT THURIBLE. About this program The Guardian reported once in June 2013, saying that it is an XKeyscore Deep Dive capability managed by GCHQ, with metadata flowing into NSA repositories since August 2012.




In November 2013, the Washington Post published a screenshot from BOUNDLESSINFORMANT with numbers about data collection under the WINDSTOP program. Between December 10, 2012 and January 8, 2013, more than fourteen billion metadata records were collected:




The bar chart in the top part shows the numbers by date, with DNR (telephony) in green and DNI (internet) in blue. The section in the center of the lower part shows these data were collected by the following programs:

- DS-300 (INCENSER): 14100 million records
- DS-200B (MUSCULAR): 181 million records

XKEYSCORE, which is used to index and search the data collected under the INCENSER program, can be seen in the bottom right section of the chart.


With just over fourteen billion pieces of internet data a month, INCENSER is the NSA's fourth-largest cable tapping program, accounting for 9% of the total amount collected by Special Source Operations (SSO), the division responsible for collecting data from internet cables. According to another BOUNDLESSINFORMANT chart, the NSA's Top 5 of cable tapping programs is:

SSO worldwide total: 160.168.000.000 (100%)

- DANCINGSOASIS: 57.788.148.908 (36%)
- SPINNERET (part of RAMPART-A): 23.003.996.216 (14%)
- MOONLIGHTPATH (part of RAMPART-A): 15.237.950.124 (9%)
- INCENSER (part of WINDSTOP): 14.100.359.119 (9%)
- AZUREPHOENIX (part of RAMPART-A): 13.255.960.192 (8%)
- ...
- Other programs: 38.000.000.000 (24%)


It's remarkable that just one single cable access (NIGELLA in Cornwall) provides almost one tenth of everything NSA collects from internet cables. This also means that besides a large number of small cable accesses, NSA seems to rely on just a few important cables for about 2/3 of its collection from this type of source.





Links and Sources
- Documentary about the cable landing stations: The Secrets of Cornwall
- Golem.de: Die Abhörkette der Geheimdienste
- The recently disclosed documents about GCHQ cable tapping:
   - NetzPolitik.org: Cable Master List: Wir spiegeln die Snowden-Dokumente über angezapfte Glasfasern, auch von Vodafone
   - Sueddeutsche.de: Snowden-Leaks: How Vodafone-Subsidiary Cable & Wireless Aided GCHQ’s Spying Efforts
- ArsTechnica.com: Neue Snowden-Dokumente enthüllen Ausmaß der Zusammenarbeit von Geheimdiensten und Telekommunikationsunternehmen
- TheRegister.co.uk: Schneier's Blog
