TOP SECRET//SI//NOFORN

24 April 2013

The overall classification of this brief is TOP SECRET//COMINT//NOFORN
Derived From: NSA/CSSM 1-52
Dated: 20070108
Declassify On: 20291123

PMR Agenda

• Strategic & Technical Overview
• Placemats & Highlights - Client Service Leads (CSLs) & Senior Mission Technical Leads (SMTLs)
• PMR Spotlight
• MONSTERMIND
• SOS Support to CHELSEABLUE
• Technical Health

(TS//SI//REL TO USA, FVEY) SID Priority: Traditionally Inaccessible Network

SIGINT Development Challenge: Establish a proven foundation of targets in Pakistan's National Telecommunications Corporation's (NTC) VIP Division.

Mission Example and Result: Successfully enabled positive identification of users in NTC's VIP division who focus on maintaining the Green Exchange. The Green Exchange branch houses ZXJ-10 switches, which are the backbone of Pakistan's Green Line communications network. This network is used by senior Pakistani civilian and military leadership. Four machines in the VIP division who have Green Exchange related documents on their machines were successfully implanted.

Our Approach

• Evaluated currently tasked selectors related to NTC's VIP division.
• Conducted SIGDEV against known selectors to identify other related targets.
• Collaborated with R&T to use SECONDDATE and QUANTUM to successfully implant four new CNE accesses within the Green Exchange.

SIGINT Development Outcome: Four new CNE accesses were gained for the VIP Division and a baseline of collection related to the Green Exchange was established.

(TS//SI//NF) SID Priority: Traditionally Inaccessible Target Networks

SIGINT Development Challenge: Passive access in Lebanon is limited, thereby hindering SIGDEV, Discovery, and Mobility Exploitation. TAO project REXKWONDO successfully enabled Country-Wide Shaping and Man-in-the-Middle (MiTM) capabilities against Lebanon's Internet traffic for the first time ever.

Mission Example and Result: Combined CT SIGDEV and CNE analysis effort within REXKWONDO, the Lebanese owned OGERO ISP, resulted in multiple successful CNE operations that yielded initial access and collection from Lebanon's International Gateway routers. Currently shaping Hizballah-related traffic to SSO-STORMBREW, providing SIGDEV discovery opportunities for S21, S2E, and SSG\NAC via XKEYSCORE and MARINA.

Our Approach

• S2153 CT SIGDEV SOS analysts provided technical support on various high-interest targets and assisted in exploitation and implant of the head of the OGERO NOC and the core routers.
• Collaboration between multiple divisions within TAO and S215 led to the development of a custom-built router exploit and new HAMMERCORE implant builds.
• The OGERO ISP gateway router (RB) was exploited via HAMREX to enable SECONDDATE MiTM.
• The OGERO upstream Liban Telecom routers were exploited with CGDB, then implanted with HAMMERCORE and HAMMERSTEIN to enable successful Shaping of Hizballah Unit 1800 related traffic for multiple CT projects.
• Traffic was exfiltrated to STORMBREW from core routers and was accessible to S21, S2E, and SSG\NAC analysts via XKEYSCORE in less than 24 hours following the successful shaping tasking.

[Figure: results table; legible entries include TCP, US-3105S8, OGERO ISP, and application labels such as http/post, mail/webmail and maps/google_earth]

SIGINT Development Outcome: SOS collaboration across the TAO and S215 previously denied access to the International Gateway routers in Lebanon and Sole-Source Discovery against Hizballah. 100+ MB of Hizballah Unit 1800 data has been collected and ingested into XKEYSCORE. S2122 confirms CADENCE dictionary and XKEYSCORE fingerprint hits. NSA SIGINT Enterprise analysts can now conduct SIGDEV on any target IP range of interest in Lebanon using a single passive database [US-3105S8] in XKEYSCORE.