Wednesday, 31 July 2019

OLYMPIA: How Canada's CSEC Maps Phone and Internet Connections

On October 6, 2013, the Brazilian television program Fantástico revealed the existence of a software program called OLYMPIA. In this case, the program was used by the Communications Security Establishment Canada (CSEC) to map the telephone and computer connections of the Brazilian Ministry of Mines and Energy (MME).

OLYMPIA is a sophisticated software framework that combines access to a range of databases and analytic tools. It is used to find and identify the telephone and computer infrastructure used by potential targets. This information can then be used for setting up tapping, bugging and/or hacking operations. OLYMPIA itself does not collect any actual content of communications.

In this article we take a closer look at the OLYMPIA tool, based on the PowerPoint presentation that was first shown on Brazilian television on October 6, 2013. On November 30, the Canadian newspaper The Globe and Mail published most of the slides on its website. Here, all available slides are pulled together, including one that had to be reconstructed from the video footage.

The OLYMPIA presentation was dissected and analysed in depth by a reader of this weblog, who wants to remain anonymous, but kindly allowed me to publish his interpretation here. I did some editing to make his text fit the format of this weblog.

For some readers these explanations may be too complex and detailed, but for those who are interested, they provide a unique look at this part of the signals intelligence tradecraft. We can assume that similar tools are used by NSA, GCHQ and other agencies.

The OLYMPIA presentation was held in June 2012 during the "SD Conference", where SD stands for SIGINT Development - an intelligence term for testing and creating new ways to collect signals intelligence information. According to Fantástico this is an annual conference for members of the Five Eyes partnership, which consists of the United States, the United Kingdom, Canada, Australia and New Zealand.

This case study was presented by what seems to be someone from the Advanced Network Tradecraft unit of CSEC, probably because "one of the things Canada does really well is analysis" - according to NSA historian Matthew Aid. (Or could Advanced Network Tradecraft be the ANT unit of NSA's Tailored Access Operations (TAO) division?)

This slide gives an overview of the Olympia interface, which can present all sorts of different types of information at the same time and can probably be customized by the user. Right in the middle, probably just to have something graphical among all the tables, there is a map showing the central part of Brazil, with a purple dot marking the capital Brasília. It is not a Google map, because that would have replaced the jagged coastline with bathymetric shaded relief and would look much nicer than this geolocation satellite view.

This slide shows the same picture of the Olympia interface as in the previous slide, but this time with a pop-up menu open. The list shows eight previously known NSA tools and databases, a GCHQ tool, commercial software, and software tools developed by CSEC staff which are recognizable by their classical Greek names. Arranged in alphabetical order, the tools and databases listed in the pop-up menu and in another list from the interface are:
ATHENA - Ports Information (CSEC)
ATLAS - Geolocation and Network Information (CSEC)
BLACKPEARL - Survey Information (NSA)
COEUS - WHOIS Information (CSEC)
DANAUS - Reverse DNS (CSEC)
EONBLUE - Decoding Hostnames? (commercial)
EVILOLIVE - Geolocation (NSA)
FRIARTUCK - VPN Events
GCHQ Geofusion - Geolocation (GCHQ)
HYPERION - IP-IP Communication Summaries (CSEC)
LEVITATE - FFU (FireFox User??) Events
MARINA - TDI Online Events (NSA)
MASTERSHAKE - VSAT Terminals (NSA)
OCTSKYWARD - GSM Cells (NSA)
PACKAGEDGOODS/ARK - Traceroutes (NSA)
PEITHO - TDI Online Events (CSEC)
PEPPERBOX - Targeting Requests
PROMETHEUS - CNO Event Summaries (CSEC)
QUOVA - Anonymizers, Geolocation Map (commercial)
SEDB - FASCIA PCS and PSTN Events (NSA)
SLINGSHOT - End Product Reports
STALKER - Web Forum Events
STARSEARCH - Target Knowledge
STRATOS - GPRS Events (CSEC)
TIDALSURGE - Router Configs
TOYGRIPPE - VPN Detailed Events (NSA)
TRITON - TOR Nodes (CSEC)
TWINSERPENT - Phone Book

Only a handful of Olympia's tools do all the heavy lifting in the slide algorithms. The rest get passing mention in pull-down menus. Thus the presentation provides only a glimpse of Olympia's capabilities - we see for example TRITON for attacking the TOR network and TOYGRIPPE and FRIARTUCK for attacking VPNs (virtual private networks), but not examples of their actual use.

The tools of Olympia represent a very large team effort at CSEC over several years, sheltering nearly all of its database processing resources under the Olympia umbrella. The shelf life of the Olympia environment may be longer than that of its tools.

Of the thirteen tools that are used, their use in the following algorithmic slides is almost exclusively restricted to ATLAS, DANAUS, HYPERION, PEITHO and HANDSET. The reporting tool of course finishes every slide, but two others, EONBLUE and QUOVA, only appear obliquely as report sources.

This slide presents a simple algorithm by using drag 'n' drop icons linked by arrows to specify its operations step by step. It draws on data records already stored in NSA's huge telephony database MAINWAY of telephone call metadata. As NSA does the hoovering down in Brazil, the slide does not make use of fresh Canadian surveillance by intercepts or insertion of malware on Brazilian cell phones or servers - that comes later in partnership with NSA's Tailored Access Operations (TAO), as warranted and informed by the initial results obtained here.

Olympia is therefore modular software that allows a mid-level analyst (who cannot write computer code) to specify and test advanced NoSQL database queries from within an intuitive visual environment. It provides a graphical interface for assembling some 40 constituent tools into a flexible fit-for-purpose logic pipeline by simple drag and drop of icons. Such pipe-and-flow visual programming environments have a rich history - they mirror how Unix developers can quickly put together complex processes from the simple ones provided by the operating system.

Should an analyst drag one of the widgets into the design, a form window will pop up asking for parameters to be supplied. After stepping through the algorithm to fill in various pop-up forms that address database housekeeping issues, Olympia can then roll up (compile) the tested product into a new icon that the next analyst can use as a trusted component of an even more complex investigative process. This allows analysts to conduct sophisticated target development with minimal additional training.

With a database like MARINA consisting of trillions of rows (records) and thirteen columns (fields), it is very easy to pose a query (play a design) that, after hours of delay, returns way too much data, or to submit a query so complex or boolean-illogical that it freezes NSA's server. To preclude this, it would make sense to have expert analysts work out master designs once and for all. Low-level analysts then just enter specific parameter ranges in the forms, but this of course would undercut the whole modular design power of Olympia.

So the whole process can be buttoned up, enabling one-button automation from a few business cards to the best phones to turn into meeting listening devices. While Olympia is a MySQL query builder, it does much more than that, notably advanced post-processing analytics of query results (which amount to a derived special-purpose database, or QFD in NSA-speak: Question-Focused Dataset) resulting in convenient output to CSEC's reporting tool Tradecraft Navigator.

In the slide we see the following process:
-1- The process begins with a 'TC Init' widget that initializes processes Olympia needs to run. That may include starting up software, locating Five Eyes network resources, and verifying security authorizations for the analyst's 'thin client' interface to Olympia and NSA's remote network databases. That is, for security purposes following the Jeffrey Delisle spy case, Canadian analysts are given desktop computers without hard drives that cannot copy files to inserted thumb drives nor write to blank CDs. TC is used later in lower case to personalize data field header names, so it could alternatively stand for the initials of the analyst (for logging purposes).

-2- The analyst next fills in a pop-up form called 'Dynamic Configuration' to provide initial data and establish project-specific terminology. The form amounts to a small database with one record (row) for each configuration needed and 7-8 fields (columns) with the specifics: configuration name and number, initial data, default value to use if the actual value is missing after enrichment, true/false selection to rule whether a later filter condition is met, field names starting with tc_ (for thin client), and field type.

Configuration here seeds the coming discovery process with the MSISDN (SIM card routing number) of nine cell phones linked to staff at Brazil's Minerals Mining Energy (MME), either from business cards obtained by Canadian diplomats and mining executives or as metadata incidentally ingested by NSA from rooftop mobile phone intercepts at the American embassy in Brasília. Recalling that MAINWAY has many billions of records just for Brazil, a narrow date range will keep the number of records, and thus the subsequent latency (processing delay), manageable.

-3- The initial set of telephone numbers is then greatly expanded (enriched) by contact-chaining in the huge NSA metabase MAINWAY. This process collects the MSISDNs of recipients of calls from the seed numbers, and recipients of their calls (two or more hops). Some of these will be just pizza joints or calls home, but others will belong to coworkers at MME.

TAPERLAY is one of the most common skills listed in LinkedIn profiles, with one SIGINT analyst writing that he "was responsible for entering numbering information for 132 countries and multiple service providers in each country by reviewing forms and reports and conferring with management." It is often used in conjunction with CHALKFUN, an NSA tool that searches the vast FASCIA database of device location information to find the past or current location (notably US roaming) of mobile phones.

-6- The original phoneNumber field has now been supplemented by Last Seen (last recorded use), City and Country of initial registration, Identity (target's name), FIPS, destination number called and its fields, and others we cannot see on the alphabetical pulldown list. Here FIPS is an open source geolocation code maintained by the US government.

-7- The 'Sort' widget is then configured to re-order the records in some sensible way, say reverse chronological order and most frequent MSISDN.

-9- Prior to writing up a final report, the analyst could return to step seven and insert further operational icons - 29 options are shown (even with A-E and Q-Z missing from the pop-up menu).

This slide says that the presentation is a case study about how to map the target's communication infrastructure when there is only very little information to start with, in this case:
- One known e-mail domain: @mme.gov.br
- Nine known telephone numbers
- Very little information collected earlier




Starting with the single e-mail domain @mme.gov.br of Brazil's Ministry of Mines and Energy (MME), the algorithm works out the IP numbers of MME's mail and web servers plus their network owners and backbone carriers. Note that the potential target here is the entire department, not an individual.

-0- After initialization, the input - here just a single domain @mme.gov.br, but optionally a list of thousands - is put in a storage area (buffered) until its entries can be processed.

-1- The CSEC-developed tool DANAUS looks up the domain in its DNS (Domain Name System) repository. For one domain, this can easily be done by a Google search on the open internet, but that is inefficient on a larger scale. Olympia not only automates this process but can re-package it as a meta-tool icon that can be re-used as a component (sub-routine) of more ambitious algorithms.

-2- The DNS records are next sorted by record type, which splits them into two streams (Type A and Type MX records in DNS nomenclature). Here MX (Mail Exchanger) records specify the mail servers accepting e-mail messages on behalf of the recipient's domain. Type A (address) records specify the IP numbers of the mail servers sending email from this domain.

-3a- The MX fork of the diagram filters records according to analyst specifications (pop-up window not shown), changes out value names, and merges text strings with certain information (extracted by the small 'i' icon, never explained) derived from records rejected by the filter. The output to Tradecraft Navigator is a simple database called 'Mail Servers' with six fields discussed below: Response_MX, Hostname, IPv4, Source, FirstSeen and LastSeen.

-3b- The A fork is filtered differently, but here the rejects are discarded. A new Canadian tool icon labelled ATLAS acts on the records that have been stored in fastBuffer to look up the geospatial locations of the IPs. After a sort, duplicated IP locations can be eliminated by a standard database reporting feature (break on change in the geolocation field). Duplicates might arise from a single server location hosting multiple IPs, or from a server cluster.

-4b- Records passing another filter (e.g. geolocation Brasília) are then sorted by IP number for orderly output to Tradecraft Navigator for report generation. Here the resulting database 'Domain's IPs' has nine columns (fields), for IP Range, Country, ASN, Owner and Carrier in addition to the ones above. The Autonomous System Number (ASN) provides the officially registered IP routing prefix that uniquely identifies each network on the Internet. Here the IPv4 numbers correspond to Global Village Telecom, Embratel and Pelpro. The analyst wants to know this because some carriers sell access to NSA while others have been hacked.

From the mail server records, it turned out that the Ministry only used correio.mme.gov.br and correio2.mme.gov.br as its mail servers (correio means mail in Portuguese). Journalists have inexplicably blacked out the IPv4 numbers, but anyone can look up the IP address for a given domain name at WHOIS websites, or apply the COEUS widget if they work at CSEC.

The analyst has now actually determined the IP addresses, their blocks of consecutive numbers (ranges), the geolocation of the servers used by MME's internet service providers, plus the identities of the backbone carrier networks. Some 27 IPs shown associated with the domain @mme.gov.br came out of processing A type records.

Some of this is unremarkable (the hostname www.mme.gov.br is MME's public home page, ns1.mme.gov.br is just a name server) while others are of undeterminable relevance (being barely legible) to commercial espionage. One of these, acessovpn.mme.gov.br (189.9.36.98), running on http port 80 with an A record, comes up later as a potential target for a man-on-the-side attack.

- The Source field is a bit mysterious. It takes on only two values, EONBLUE and QUOVA. These are tool icons within Olympia whose names lie outside the Greek mythology theme, suggesting software from elsewhere. The explanation: a US company named Quova provides online blocking based on the geolocation of a computer's IP address, like for example blacking out URL access to a football game in the home team's city so that people buy stadium tickets. Quova was acquired in 2010 by Neustar, which provides a much broader range of backbone internet registry services. EonBlue is also corporate but more obscure.

- Between them, EONBLUE and QUOVA can report on recorded activities and attributes of the IPs at Brazil's MME: the MX record of correio.mme.gov.br shows it was first seen active on 17 Jun 09 and last seen active on 15 Feb 10; the corresponding dates for correio2.mme.gov.br are later and don't overlap, namely 21 Jun 10 to 19 Jun 11.

- Later Olympia slides show QUOVA within a diagram, so this one should show both QUOVA and EONBLUE but does neither. QUOVA concerns itself with IP ranges, IP geolocation and anonymizers (proxy servers relaying on a user's behalf, hiding identifying information), yet ATLAS provided IP geolocation in later slides and HYPERION and PEITHO the IP proxies. So it must be that QUOVA adds value to the in-house DNS lookup tool DANAUS.

This slide shows how the analyst can identify a proxy server at the Ministry of Mines and Energy based on its observed behavior. It is not clear whether a discovered proxy server has been identified for certain or is only the strongest candidate seen, nor whether the full set of MME proxy servers has been located or just one of several. However, this is the most promising site for defeating SSL by a man-on-the-side attack to intercept transiting documents before they can be encrypted.

-1- After initialization, the Dynamic Configuration for the IPs of MME determined above is set with three lines: high, low, and high - low + 1 = range for each block. Here a reverse proxy server (firewall surrogate) often holds the first number of the range block and sits in front of a local network of other computers using the rest of the range block as their addresses. Those other IPs don't show up in metabases because the URL requested by an outside visitor passes through the proxy on its way to the server (which actually can fulfill the request) and is returned as if it came from the proxy server.

-2- The initial data is split at an enhancement fork which is not described further. Buffers should have been created for the two subsequent tools PEITHO and HYPERION because they are sent large files (as indicated by the little 2-page icon on the connecting line). Those icons are missing from the algorithm, breaking it. Both PEITHO and HYPERION also need demultiplexing as follow-up, but the De-Mux icons (the all-purpose dummy widget) are also missing from the diagram.

Recall that many different ongoing processes on a given server are sending (and receiving) data simultaneously using the same Internet Protocol software. To achieve this, packets of different types are intermingled ('multiplexed') in the outgoing stream. As the flow of packets is received, it is sorted out by type (demultiplexed) and passed to the appropriate application on the receiving client.

-3a- PEITHO specializes in "TDI events" and has the same iconography as MARINA, tinted blue instead of pink. A menu in another slide ties MARINA to these same mysterious TDI events. MARINA is known to be a vast NSA metabase of internet metadata. An online LinkedIn profile speaks of having "used MARINA as a raw SIGINT data viewer for detection and analysis of priority targets and as a tracking and pattern-of-life tool."

PEITHO can therefore be presumed to be very similar to MARINA, probably a refined subset of it adapted to dissecting out the TCP/IP connection metadata needed here, in particular recognizing and compiling the exchange of SSL certificates that is the hallmark of a secure (https) site. In one scenario, an off-site MME staffer uploading oil lease data points a web browser at the MME server that will host the documents, which sits within a LAN (local area network) behind a proxy server running port 443 for https.

After the exchange of SSL certificates, the content can be sent over the internet encrypted rather than as plain text, and will be decrypted at the MME repository. NSA data trawling - while not specifically seeking them out - intercepts these exchanges and stores them as a SIGINT record subset in MARINA. PEITHO extracts these for the specified IP address ranges. This has nothing to do with defeating SSL - that comes later.

PEITHO can only provide half of a full TCP/IP 4-tuple (the output of this algorithm), namely the connection pairs mentioning MME and the server port numbers. This is done by filtering records in PEITHO by the high and low IP values provided by the initial configuration file, partitioning them into passing and not-passing. Values from both are renamed and retained in the output because they define IP blocks.

-3b- Meanwhile, HYPERION works in parallel to PEITHO to provide IP-to-IP communication summaries: how data flows in and out of MME servers and their IP range blocks in response to remote IP requests. This data likewise undergoes similar filtering and re-mapping of value names and formats, again with ultimate retention of both streams as the entity_IP and remote_IP components of the TCP/IP 4-tuple.

-4- The four fields of a TCP/IP 4-tuple are called entity_IP, remote_IP, remote_port and entity_port, and will appear as a small table on the proxy output page. They are obtained by merging the PEITHO 2-tuple with that of HYPERION.

-5- At this point, only https (port 443) and http (port 80) metadata remain as remote_port values. The latter is discarded on the ground of its port value, under the assumption that high-value data will be encrypted in transit by a secure socket layer (SSL) using port 443. Note that email servers use port 25 - that will show up in the next slide in the context of correio.mme.gov.br.

On the results page provided by Tradecraft Navigator, only the two port columns are visible from the original socket pair 4-tuple. Ports are described by an esoteric compressed four-field format such as 6:443:TS(1), where the second element is the actual port number.

Here every port entry starts with 6: (making it uninformative), followed by 443 in the case of a remote https port and by high, variable (ephemeral) port numbers in the case of the entity_port column. The port description is then completed by a cryptic digraph drawn from TS, TC, FS, FC and a small qualifying number in parentheses.

It is not clear whether anything more than just the bare port number needed to be retained here to substantiate a discovered proxy. Curiously, Olympia contains a distinct tool called ATHENA that specializes in port information, but it is not applied in this algorithm or in any of the other slides.

The bottom line here is that the analyst seems to have identified MME's proxy server, and thus a line of attack to be described later. That is of interest because closely held documents (like those giving the extent of offshore oil reserves or the assay grade of mineral deposits being auctioned off) would be sent through this server as a measure to protect them from theft.

This slide presents a more complicated diagram of how an analyst can find the IP addresses the target, in this case the Brazilian MME, communicates with. This information can later be used to intercept these communication links.

-1- This starts with a DNS lookup of the hostnames (e.g. correio.mme.gov.br). That process can give duplicates and other records that are empty with respect to the fields of interest. These are discarded.

-2- After appropriate menu enrichments have expanded out from the initial seeds, PEITHO and HYPERION act again in parallel to reconstruct the TCP 4-tuples (or socket pairs). The flow of internet packets sent out by a given server is a mix of packets from whatever processes are running, for example http, https, ftp, smtp and telnet on the TCP side and dns, dhcp, tftp, snmp, rip and voip via UDP.

-3- As only http and https are of interest here, the other packets are discarded via the De-Mux widget. Note that the packets are not actually multiplexed in the traditional sense used in signal electronics but remain discrete and only alternate in the packet flow connecting server to client. De-multiplexing in this context simply means separating the packets as they come along, retaining only the subset of interest.

-4- Not everything is of interest here, so the 'select values to carry' widget is necessary to whittle down the fields retained. Since TCP processes are bi-directional, with some of the packets coming from the server and others heading to the server, it is necessary to flip the latter set so that FROM always goes with the MME server and TO goes with the IP addresses it communicates with. The two streams are then sorted by IP contacted, which allows them to merge coherently into the 4-tuples described before.

-5a- The results are duplicated and split, with one fork - after a sort and break-on-same field value reduction - sent to Tradecraft Navigator as a summary of the number of times each IP pair has connected, with the most frequent presumably on top. No data page is provided in the slides.

-5b- The other duplicate is sorted so that each client is represented just once for geolocation lookup by ATLAS. That needs another version of de-multiplexing, followed by discarding of empty rows. ATLAS is mentioned in three slides; from those annotations, it has to do with geolocation of network information and is filterable by date and IP range.

-6- The output to Tradecraft Navigator is sorted by ASN (Autonomous System Number, the unique identifier of an Internet access provider network). The internet had some 42,000 unique autonomous networks in the routing system at the start of 2013; 10 distinct ASN networks that MME connects with are discovered here. These include ASNs 6453 and 32613 in Canada, 16322 for Iran, 25019 and two others for Saudi Arabia, plus inexplicable IPs in Eritrea, Jordan and Thailand. ASN lookup is readily available and provides country, date of registration, registrar and owner name.
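The socket-pair reconstruction of slides 3 and 4 (De-Mux to TCP, direction flip so the entity is always FROM, merge into entity_IP/remote_IP/remote_port/entity_port, count per IP pair, group unique remote IPs by ASN, optionally dropping Five Eyes countries as in slide 5) is shown below as an added example. It is not Olympia or CSEC code: the entity IP block, the connection records and the ASN table are constructed from documentation-only addresses and ASNs, and the `6:port:XX(n)` descriptor is parsed as the results page shows it.

```python
"""Rebuild TCP socket 4-tuples from mixed-direction connection metadata and
summarise them per IP pair and per ASN. Added example, not Olympia code; all
sample data below is constructed (RFC 5737 addresses, RFC 5398 ASNs)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Port descriptor as shown on the results page, e.g. "6:443:TS(1)".  The first
# number is the IP protocol (6 = TCP, 17 = UDP), the second the port; the
# digraph and its parenthesised count are carried through unchanged.
PORT_RE = re.compile(r"^(\d+):(\d+):([A-Z]{2})\((\d+)\)$")
TCP = 6
FIVE_EYES = {"US", "GB", "CA", "AU", "NZ"}


def parse_port(desc):
    """Return (protocol, port, qualifier) from a descriptor, or raise ValueError."""
    m = PORT_RE.match(desc)
    if not m:
        raise ValueError(f"bad port descriptor: {desc!r}")
    proto, port, digraph, n = m.groups()
    return int(proto), int(port), f"{digraph}({n})"


def dynamic_configuration(low, high):
    """Slide 3, step 1: one IP block given as high, low and high - low + 1 = range."""
    lo, hi = IPv4Address(low), IPv4Address(high)
    if hi < lo:
        raise ValueError("high must not be below low")
    return {"low": lo, "high": hi, "range": int(hi) - int(lo) + 1}


def in_block(ip, block):
    return block["low"] <= IPv4Address(ip) <= block["high"]


@dataclass(frozen=True, order=True)
class Tuple4:
    entity_IP: str
    remote_IP: str
    remote_port: int
    entity_port: int


def reconstruct(records, block, keep_ports=(80, 443)):
    """Slide 4, steps 3-4: keep only TCP on the ports of interest, flip packets
    heading to the entity so FROM is always the block address, and return the
    distinct socket pairs in first-seen order (both directions map to one pair)."""
    seen = []
    for src, dst, src_desc, dst_desc in records:
        sproto, sport, _ = parse_port(src_desc)
        dproto, dport, _ = parse_port(dst_desc)
        if sproto != TCP or dproto != TCP:
            continue                        # De-Mux: drop UDP and anything else
        if in_block(src, block):            # packet leaving the entity server
            t = Tuple4(src, dst, dport, sport)
        elif in_block(dst, block):          # packet heading to it: flip the pair
            t = Tuple4(dst, src, sport, dport)
        else:
            continue                        # neither side belongs to the block
        if t.remote_port in keep_ports and t not in seen:
            seen.append(t)                  # e.g. smtp/25 is not kept
    return seen


def pair_counts(tuples):
    """Slide 4, step 5a: distinct sockets per entity/remote IP pair, most frequent
    first (a sort followed by break-on-same-value reduction)."""
    c = Counter((t.entity_IP, t.remote_IP) for t in tuples)
    return sorted(c.items(), key=lambda kv: (-kv[1], kv[0]))


def asn_summary(tuples, asn_table, drop_countries=frozenset()):
    """Slide 4 steps 5b/6 and slide 5: unique remote IPs looked up in an
    ASN/geolocation table, grouped by ASN, optionally discarding countries."""
    groups = defaultdict(lambda: {"country": None, "ips": set()})
    for ip in {t.remote_IP for t in tuples}:
        addr = IPv4Address(ip)
        hit = next((v for net, v in asn_table.items() if addr in net), None)
        if hit is None or hit[1] in drop_countries:
            continue                        # empty rows and unwanted countries go
        asn, cc = hit
        groups[asn]["country"] = cc
        groups[asn]["ips"].add(ip)
    return {asn: {"country": g["country"], "ips": sorted(g["ips"])}
            for asn, g in sorted(groups.items())}


# --- constructed sample input, not taken from the slides ---------------------
ENTITY_BLOCK = dynamic_configuration("198.51.100.0", "198.51.100.15")
ASN_TABLE = {IPv4Network("203.0.113.0/24"): (64496, "BR"),
             IPv4Network("192.0.2.0/24"): (64497, "CA")}
SAMPLE_RECORDS = [                          # (src, dst, src_port, dst_port)
    ("198.51.100.2", "203.0.113.5", "6:51022:TC(1)", "6:443:TS(1)"),   # outbound https
    ("203.0.113.5", "198.51.100.2", "6:443:TS(1)", "6:51022:TC(1)"),   # its reply packet
    ("198.51.100.2", "203.0.113.9", "6:51023:TC(1)", "6:80:TS(1)"),    # plain http
    ("198.51.100.3", "192.0.2.77", "6:51024:TC(1)", "6:443:TS(1)"),    # https to CA range
    ("198.51.100.2", "203.0.113.5", "17:53412:TC(1)", "17:53:TS(1)"),  # UDP dns: demuxed out
    ("198.51.100.2", "203.0.113.5", "6:51030:TC(1)", "6:25:TS(1)"),    # smtp: not kept
    ("192.0.2.77", "203.0.113.5", "6:40000:TC(1)", "6:443:TS(1)"),     # neither in block
    ("198.51.100.2", "203.0.113.5", "6:51040:TC(1)", "6:443:TS(1)"),   # second https socket
]

if __name__ == "__main__":
    tuples = reconstruct(SAMPLE_RECORDS, ENTITY_BLOCK)
    for t in tuples:
        print(t)
    print(pair_counts(tuples))
    print(asn_summary(tuples, ASN_TABLE, drop_countries=FIVE_EYES))
```

Run against a site's own flow logs, the same grouping shows which foreign ASNs its servers actually talk to, which is the defensive counterpart of what the slide derives.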




The data page is quite instructive. It shows the silliness of newspaper redactions: Fantástico/Greenwald scrubbed out all tool annotations on the algorithm and blocked columns 2, 4, 5 and 8 in the output, whereas the Globe & Mail showed the whole algorithm legibly and redacted columns 2, 3 and 8.

Column 2 is only a DNS lookup, freely available on the open internet. Column 3 in the Globe & Mail can be restored using the months-earlier Fantástico publication. The IP ranges of MME's contacts in Column 8 are not too hard to get at using the initial IP contact from Fantástico, as they will be a block extending the last 3 digits of the initial IP contact out to 255, e.g. the first row gives the range 196.200.208.114 to 196.200.208.255, all assigned to Eritrea.

Here MOEM, the Ministry of Energy and Mines in Eritrea, is located at www.moem.gov.er. While their server is not often working, the IP address there, 196.200.102.242, does not correspond to any number found by the algorithm. Those IP addresses are assigned to Eritrea but do not have hostnames and may be routers. Note that British Telecom provides the ASN network, so all traffic there is routinely ingested by GCHQ and available to the Canadians. However, there is no evidence from this algorithm that MME had any interest in its Eritrean counterpart MOEM.




The algorithm here re-uses tools and widgets seen before with very similar logic: previously determined hostnames associated with Brazil's MME seed the IP address look-up via 'Forward DNS' (Danaus), followed by DNI enrichment at unspecified NSA databases, the same symmetric split to PEITHO and HYPERION to collect IPs and ports, followed by filters, sorts and field renaming (no pop-up details provided) as seen in slides 2 and 4. After Atlas provides the geolocation of the retained IPs (note the never-explained x5 in the upper left corner of the ATLAS icon), the fields are consolidated, with just the ones geolocated to non-Five Eyes countries retained.

It is not clear why results for the Five Eyes countries are discarded. These countries by agreement don't launch spying operations on each other; Canada could certainly launch an attack on IPs on its own territory, but that may not be within the remit of CSEC. It is hard to believe the analyst would not take a look at friendly-country IPs - perhaps these were only discarded for the purposes of this presentation (at which NSA and GCHQ analysts were certainly represented).

From other Snowden leaks, it is known that NSA also runs its own Brazilian espionage program; if Canada installed its own man-in-the-middle malware on top of a pre-existing NSA attack, these could conceivably collide and crash the Brazilian system, or at least alert the Brazilians via degradation of network performance. For this reason, the analyst contacted TAO prior to the presentation, turning over subsequent man-in-the-middle attack details to them. TAO maintains the central malware repository and is better positioned to vet installations for redundancy and collisions.




These four output tables provide the best insight into what CSEC learned about MME's vulnerabilities from applying the algorithm:

-1- The first table consists of two records for acessovpn.mme.gov.br. This Brazilian server was obtained earlier as record five from the slide 2 processing (which started with mme.gov.br and provided IPs and ISPs in the 'Domain's IPs Output' table). Here journalists have blacked out the target column out of internet illiteracy (they are 189.9.36.98 and 177.43.69.130) and the IP it contacts. The port numbers indicate that the target server is using ephemeral ports and the contact http port 80, meaning it is neither a mail server nor secure like https.

This server inwards Brasilia has been assigned a novel database land amongst value Case Notation MA10099(1) hither that was added past times the analyst subsequently (certainly non produced from running the algorithm). It's non clear whether this instance notation is that of GSEC or articulation notation amongst NSA's TAO.

It's instructive to expect at what anyone tin larn inwards seconds for gratuitous on the opened upwards meshing -- too how this works. In the instance of acessovpn.mme.gov.br, the TLD (top flat domain) acessovpn is recognized past times the Root Server i.root-servers.net which redirects to c.dns.br which redirects to ii call servers ns1.mme.gov.br too ns1.mme.gov.br which themselves have got Influenza A virus subtype H5N1 type records 177.43.69.148 too 189.9.36.101 so separate IP addresses both located at the same geolocation inwards Brazil.

-2- This span of tables unfortunately has the headers censored. They may simply stand upwards for the ii IP addresses 189.9.36.98 too 177.43.69.130. They are sorted past times society of occupation - number IPs contacted. Thus the ASN contacted the most (26 too xv times respectively inwards the fourth dimension frame considered) was 18881. That indicates the IPS was Global Village Telecom, a formerly Brazilian telecom owned since 2010 past times the French companionship Vivendi. After that, the firstly IP contacted ASN 7738 eleven times whereas the minute IP contacted ASN 26599 nine times. Farther downwards the list, providers inwards Columbia, Mexico, Republic of Republic of India too mainland People's Republic of China are listed.

-3- The in conclusion number tabular array utilizes ii tools non mentioned inwards the script suggesting these were applied from inside Tradecraft Navigator: Reverse DNS (DANAUS) too EONBLUE. The latter is a closely held corporate tool, apparently used hither for decoding Hostnames behind proxies, though zilch came of it here. EONBLUE surfaced before inwards slide 2 paired amongst corporate tool QUOVA (that was the source of acessovpn.mme.gov.br there). The entire tabular array refers to Influenza A virus subtype H5N1 type rather than MX (email servers).





This slide shows the contact chaining for Brazil's Ministry of Mines and Energy on both the internet and telephony side, mostly the latter. The process is initialized from a small plaintext file of initial selectors (CSV comma separated values, records separated by carriage returns) which is reconfigured to a standardized database format with administrative oversight (front door rules: legal and policy justifications for collection) before being passed to the thin client of the analyst. This is the only appearance of 'Justification' in the slide set.

-1- Another field is added, 'SelectorRealm'. Realm isn't explained here by a popup or sample output slide, but in the MonkeyPuzzle memo it meant divisions of a large database (emailAddrm, google, msnpassport, and yahoo). Realm here might specify a subset of collection SIGADS. Thus this step is narrowing the field of inquiry by adding a realm field to the input records to confine subsequent processing to that realm.

-2a- The records are now filtered by their DNR (telephony) selectors in an unspecified manner. The fork meeting the filter conditions is expanded by DNI (internet) chaining via unspecified databases (web email contacts perhaps being the realm) and using one hop (see below) for output to Tradecraft Navigator. The fork of records failing to meet the filter conditions is discarded.

-2b- The other fork meeting the filter conditions, after specifying date ranges etc, is sent out to be expanded by DNR contact chaining. This enrichment step is quite instructive: it involves four telephony databases (FASTBAT, DISHFIRE, FASCIA, MAINWAY). Here FASTBAT appears for the first time in Snowden document releases. It must be partially non-redundant with respect to the others or it would make no sense to include it. It is perhaps a SIGAD specific to Brazil or South America, perhaps CSEC collection at the Canadian Embassy in Brasilia (the other three are NSA). DISHFIRE holds SMS records (cell phone texting).

It would be amazing if this contact-chaining step did not take overnight (or at least involve long latency) - these databases contain many trillions of records and NSA could be running thousands of multi-hop contact-chaining requests simultaneously for analysts throughout Five Eyes. It's not clear whether NSA's move to the cloud will expedite such searches or break algorithms such as this, for which the haystack has gotten too large.

-3- Because of how realms, date ranges, country of phone origin etc were initially specified, not all records produced by contact chaining have any information left in the fields of interest. (It is very common for some fields to be blank in database records.) These empty records are discarded so they don't contribute garbage to the output.

-4a- After renaming records for consistent output, the records are sorted by an important field (e.g. MSISDN phone number) and split, with one fork going to summary statistics (how many records had a given value for the fixed field), as seen by the capital Greek letter Sigma (the symbol for a sum in math) in the 'Group by' icon. These are likely sorted in highest frequency order.

-4b- The other fork simply outputs all the records to Tradecraft Navigator, which may have its own social networking visualization tool or just pass it on to RENOIR. The original presentation may have contained a sample of output, but if so, Greenwald may not have included it or, if he did, the Globe and Mail didn't publish it.
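To make the data flow of steps 2b, 3 and 4a concrete, here is an added illustration (not code from the presentation or from CSEC) of DNR contact chaining over a constructed table of call records: seed selectors are expanded hop by hop within a date range, records with empty fields are dropped, and the result is summarised with a group-by count like the Sigma icon. The record layout, field names and all numbers are invented for this example.

```python
"""Multi-hop DNR contact chaining with a group-by summary.
Added example; the call records below are constructed, not real data."""
from collections import Counter
from datetime import date

# Constructed call records: (caller, callee, day, country of callee).
# Two records are included to exercise the filters: one with a blank
# country field (step 3) and one outside the date range (step 2b).
CDRS = [
    ("+550000000001", "+580000000010", "2012-03-02", "VE"),
    ("+550000000001", "+593000000020", "2012-03-05", "EC"),
    ("+550000000001", "+580000000010", "2012-03-09", "VE"),
    ("+550000000002", "+580000000010", "2012-03-11", "VE"),
    ("+550000000002", "+550000000099", "2012-03-12", ""),     # blank field
    ("+550000000002", "+593000000020", "2011-12-30", "EC"),   # out of range
    ("+580000000010", "+520000000030", "2012-03-15", "MX"),   # reachable at hop 2
    ("+550000000003", "+580000000010", "2012-03-13", "VE"),   # caller is not a seed
]


def contact_chain(seeds, cdrs, start, end, hops=1):
    """Step 2b: expand the seed selectors by `hops` hops of DNR contacts
    made within [start, end]; step 3: drop records with any empty field;
    step 4a: rename to consistent output fields and sort."""
    lo, hi = date.fromisoformat(start), date.fromisoformat(end)
    frontier, seen, out = set(seeds), set(seeds), []
    for hop in range(1, hops + 1):
        nxt = set()
        for caller, callee, day, country in cdrs:
            if caller not in frontier:
                continue
            if not lo <= date.fromisoformat(day) <= hi:
                continue
            if not all((caller, callee, day, country)):
                continue  # step 3: an empty field would only add garbage
            out.append({"hop": hop, "seed": caller, "contact": callee,
                        "day": day, "country": country})
            if callee not in seen:
                nxt.add(callee)  # new selectors for the next hop
        seen |= nxt
        frontier = nxt
    return sorted(out, key=lambda r: (r["hop"], r["contact"], r["day"]))


def group_by(records, field):
    """Step 4a, the Sigma icon: count records per value of one field,
    highest frequency first."""
    return Counter(r[field] for r in records).most_common()


if __name__ == "__main__":
    seeds = {"+550000000001", "+550000000002"}
    for row in contact_chain(seeds, CDRS, "2012-01-01", "2012-06-30", hops=2):
        print(row)
    print(group_by(contact_chain(seeds, CDRS, "2012-01-01", "2012-06-30"), "contact"))
```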




In this important Olympia algorithm slide, CSEC leverages an initially small collection of nine cell phone records (called DNR selectors) to successively recover the three identification numbers characterizing a cell phone, which in turn lead the analyst to the identification of two obsolete handset models (Nokia 3120c-1c and Motorola MURQ7) owned by top MME staffers at one time. The handset models might next be checked against NSA's collection of cell phone malware at TAO or NAC to see if existing tools could hack the phones and turn them into surveillance devices.

A Snowden document disclosed earlier revealed the NSA asking the State Department to pass along all cell phone numbers they had been given in the course of normal high level contacts with foreign counterparts. Thus numbers turned in by the American Embassy representatives in Brazil with day-to-day dealings with MME were ingested into an NSA database to which Canada had ready access. These nine selectors probably originated by this route.

What all can be deciphered from this slide?

-1- The overall logic flow is very clear: start from the nine DNR phone record seeds, determine the MSISDN number of the two cell phones, with that find the IMSI, from that the IMEI, and finally the handset model. This is far from trivial due to the properties of cell phone numbers (see below) and devious manufacturing practices in countries such as China. Unlike in previous slides (where anyone online can do a reverse DNS lookup in seconds), cell phone owners cannot follow CSEC's logic flow even for their own phone.

-2- The three ellipses show a practically identical logic flow. Even though the tool and widget logos are barely legible, they are apparently the same. In fact, the ellipse processes make very little use of high-powered Olympia tools. The icons primarily represent housekeeping widgets (filter, dummy, rename, sort, delete, etc.) that are useful but don't provide enough muscle to do more than shuffle record formats. The real work is done almost exclusively by the large outlined-text H icon, not named in the redacted slide or seen elsewhere in menus or other algorithms. It will be called H for HANDSET here.

-3- The output (the smaller orange rectangle on the far right holding the Tradecraft Navigator icon) is key to understanding the steps of the algorithm. The output is provided for us below the schematic in the form of a small database with 8 fields and two records (the upper dark blue line is highlighted). Although it is highly unlikely these phones are still in use, the MSISDN numbers providing the original input are blued out, as are the IMSI and IMEI. Interestingly, their field names include the word 'correlation', suggesting that they cannot be unambiguously determined but are instead inferred from associations. The Motorola model is more specifically the MURQ7-3334411C11.

-4- The last column TOPI (Target Office of Primary Interest) here takes on the value CSEC, suggesting it is Five Eyes terminology. It's not clear why TOPI needs to be included as a database field. Perhaps adding MME to the NSA's target database - where priority, legal authority, resources needed and operational risk are reviewed - requires tracking of the originating partner agency. Since Canada lacks the malware and implant capabilities of NSA, Brazil's MME must get in the queue to compete with many other projects in the works.

-5- The output line 'Bands Supported by IMEI' can be read well enough that a google search can be used to correct any letters mis-read initially. The result provides a look-up of the band wavelengths that the cell phone can use - that might be useful down the road for DRTBOX interception - and the various communication protocols, like GSM, WCDMA, FDD, HSUPA and HSDPA.

-6- To understand the main algorithm flow, it is necessary to delve into the meaning of the MSISDN, IMSI and IMEI, the three main numbers associated with a cell phone. While that seems straightforward, nominal explanations have to be corrected for online tools that make end runs around official protocols. Cell phones are commonly lost, stolen, re-sold, unlocked, unblocked, registered in one country but used in another, SIM cards replaced, chip sets re-soldered and so on. And that can take place on phones whose manufacturers violated all the rules for unique serial numbers, billing information and so forth.

MSISDN (Mobile Subscriber ISDN Number) is just the ordinary phone number of a mobile cell phone that would be on a business card. CSEC may have asked their Brazilian diplomatic mission to scan business cards of high level MME staff acquired in the course of ordinary interaction. These selectors could account for the nine DNR records mentioned here as initializers.

-7- Due to the blurred slide and erased annotations, we cannot follow precisely how CSEC gets from the MSISDN to the IMSI to the IMEI to the handset model. This cannot be straightforward because the headers indicate correlation (possibly via different databases that share the time of a call) rather than a determinative algorithm.
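As an added illustration of the three identifiers discussed in -6- (not code from the presentation), the following splits each number into its standardized parts and checks the IMEI's Luhn check digit; the TAC prefix of the IMEI is what a handset-model lookup like the H step above would key on. The MSISDN and IMSI layouts assume Brazilian numbering (country code 55 with a two-digit area code; MCC 724 with two-digit MNCs), and the sample values are constructed or textbook examples, not numbers from the slide.

```python
"""Structure of MSISDN, IMSI and IMEI. Added example; sample values are
constructed or textbook examples, none is a real subscriber or device."""
import re


def _digits(s: str) -> str:
    return re.sub(r"[^0-9]", "", s)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum that the 15th IMEI digit must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_imei(imei: str) -> dict:
    """TAC (8 digits, identifies the handset model, looked up in the GSMA
    allocation database), 6-digit serial, and the Luhn check digit."""
    s = _digits(imei)
    if len(s) != 15:
        raise ValueError("IMEI must have 15 digits")
    return {"tac": s[:8], "serial": s[8:14], "check": s[14], "valid": luhn_ok(s)}


def parse_imsi(imsi: str, mnc_len: int = 2) -> dict:
    """MCC (country), MNC (operator) and MSIN (subscriber). Assumption: a
    two-digit MNC as used in Brazil (MCC 724); some countries use three."""
    s = _digits(imsi)
    if not 6 <= len(s) <= 15:
        raise ValueError("IMSI must have 6 to 15 digits")
    return {"mcc": s[:3], "mnc": s[3:3 + mnc_len], "msin": s[3 + mnc_len:]}


def parse_msisdn(msisdn: str) -> dict:
    """Assumption: Brazilian format, country code 55 then a two-digit area
    code (DDD) followed by the subscriber number."""
    s = _digits(msisdn)
    if not s.startswith("55") or len(s) < 12:
        raise ValueError("expected a Brazilian number with country code 55")
    return {"cc": s[:2], "area": s[2:4], "subscriber": s[4:]}


if __name__ == "__main__":
    print(parse_msisdn("+55 61 99999-0001"))      # constructed
    print(parse_imsi("724050000000001"))          # constructed
    print(parse_imei("49-015420-323751-8"))       # textbook example IMEI
```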

In the Computer Network Exploitation, such as cookie-replay, man-on-the-side attacks, CDR, etc.)

- Passive tasking (Upstream collection through backbone cable splitting and filtering, router intercept or telecom carrier cooperation)

- HUMINT-enabled (Human Intelligence, like information derived from voluntary, paid or bribed informants)

It's not clear whether CSEC could take things only so far and then NSA and GCHQ had to step in to assist in an actual tapping, bugging or hacking operation.




This slide is reconstructed from the video footage and shows a diagram containing all the telephone and internet connections discovered in the OLYMPIA case study. At the left side of the slide are the telephone connections and at the right side the internet links.

It's interesting to see that in this diagram there are also a number of SIGADs, which are codes designating interception facilities. It's not really clear whether they were used to collect the metadata used for the chaining by the OLYMPIA tools, or whether they were eventually used to conduct interception of content on these communication links.

On the telephony side we see DS-800 as the facility for telephone lines between the Brazilian ministry and numbers in Ecuador and Venezuela. Telephone communications to some other countries are monitored by facilities designated US-3294 and US-966V.

Internet traffic between IP addresses from Global Village Telecom and internet providers in Africa, the Middle East and Canada is also monitored by DS-800. We can also see that for internet traffic to India there's a facility designated DS-200 (maybe because GCHQ has good access to India?).

> See also: What are SIGADs starting with DS for?




This slide seems to be the last one of the OLYMPIA case study presentation. The analyst writes that he identified mail servers, which meanwhile have been targeted by means of passive collection. That means by tapping the traffic from internet backbone cables. Analysts have been assessing the value of these e-mail data.

The analyst also says that he is working with NSA's TAO division "to further examine the possibility for a Man on the Side operation". Here he's apparently referring to acessovpn.mme.gov.br. Based on the network information gathered, the Network Analysis Centre (NAC) of the British signals intelligence agency GCHQ has started "a BPoA analysis on the MME".

This shows that the OLYMPIA presentation was not just a software tutorial or an example of coding. The results show CSEC actually ran this exercise against the Brazilian Ministry of Mines and Energy and got some real results: information about their telephone and internet connections, although probably far from complete.

As OLYMPIA is target-development software, this tool didn't gather any content of telephone calls or e-mail messages, but this last slide tells us that as a result of the OLYMPIA effort, at least the e-mail of the Brazilian ministry became the subject of an actual collection operation.


> See also on this weblog: An NSA eavesdropping case study

> See also on Lux ex Umbra: Analyzing the "airport wi-fi" map



Links and Sources
- Vice.com: How does CSEC work with the world's most connected telecom company?
- Theoreti.ca: Interpreting the CSEC Presentation: Watch Out Olympians in the House!
- TheGlobeAndMail.com: Slides reveal Canada's powerful espionage tool
- Globo.com: American and Canadian Spies target Brazilian Energy and Mining Ministry
- Anonymous: Total tear-down of Canada's Olympia spyware (pdf)
