Top Secret Documents Reveal How GCHQ Hacked Belgacom

Upload: leaksourceinfo

Post on 02-Jun-2018

TRANSCRIPT

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    1/67

    TOP SECRET STRAP 2

    Automated NOC Detection

    , Head of GCHQ NAC

    , Senior Network Analyst, CSEC NAC

    This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information legislation. Refer disclosure requests to GCHQ o

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    2/67

    TOP SECRET STRAP 2

    Challenge

    SDC 2009 Challenged the Network Analysis community to automate the detection of Network Operations

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    3/67

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    4/67

    TOP SECRET STRAP 2

    NOCTURNAL SURGE

    GCHQ response to challenge.

    Early Prototype that looks at only:

    ACLs for SSH/TELNET

    ACLs for VTY

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    5/67

    TOP SECRET STRAP 2

    NOCTURNAL SURGE

    SCREEN SHOT 1

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    6/67

    TOP SECRET STRAP 2

    NOCTURNAL SURGE

    SNAPSHOT SLIDE 2

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    7/67

    TOP SECRET STRAP 2

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    8/67

    TOP SECRET STRAP 2

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    9/67

    TOP SECRET STRAP 2

    GCHQ / CSEC NAC Joint tradecraft development

    During March 2011 GCHQ Analysts visited CSEC to look at the using PENTAHO for tradecraft modelling working with CSEC NAC and CSEC/H3 software developers to see if could model NOCTURNAL SURGE in PENTAHO and then implement in OLYMPIA.

    Only possible to attempt because:

    GCHQ NAC use PENTAHO

    CSEC NAC/H3 use PENTAHO

    CSEC NAC have implemented GCHQ NAC TIDAL SURGE Database Schema (DSD also have this..)

    GCHQ approach based on AS

    CSEC approach based on Country

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    10/67

    TOP SECRET STRAP 2

    Pentaho - NOC Auto Detection

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    11/67

    TOP SECRET STRAP 2

    Phase 2: Intelligent use of Metadata

    We do not always get full configuration files to parse.

    Services between routers and NOCs run on IP/TCP/UDP

    We do create 5-TUPLE metadata from our collection

    GCHQ have prototype database 5-Alive

    CSEC have database - HYPERION

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    12/67

    TOP SECRET STRAP 2

    SNMP Protocol

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    13/67

    TOP SECRET STRAP 2

    SNMP Protocol in 5-Alive

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    14/67

    TOP SECRET STRAP 2

    Further drill down on activity for identified IP

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    15/67

    TOP SECRET STRAP 2

    Phase 3: Intelligent use of TELNET traffic

    Again we do not always get full configuration files. Phase 1 is based on full (or as near to full) configuration files

    GCHQ NAC collect TELNET Sessions into TERMINAL SURGE

    Collection based on TCP Port 23 (TELNET)

    Other protocols use TCP Port 23 (YMSG)

    Interaction with Routers over or may be nefarious:

    Scanning

    Password guessing

    Need to separate legitimate use from nefarious activity

    Look for signs of legitimate use.

    Successful login

    Follow on commands

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    16/67

    TOP SECRET STRAP 2

    From TCP Port 23 (Echo)

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    17/67

    TOP SECRET STRAP 2

    To TCP Port 23

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    18/67

    TOP SECRET STRAP 2

    Intelligent analysis of TELNET traffic

    The fact that login was successful for both examples means the following:

    From TCP Port 23

    To IP address is Network Management Terminal (in the NOC ?)

    To TCP Port 23

    From IP address is Network Management Terminal (in the NOC ?)

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    19/67

    TOP SECRET STRAP 2

    Phase 4: Bulk Port Scanning

    We know the key services/servers running in the NOC

    Utilise HACIENDA, GCHQ's bulk port scanning capability to identify what IPs have these service ports open - additional logic to build up confidence required.

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    20/67

    TOP SECRET STRAP 2

    Fusion of sources

    Aim is to bring all sources that help identify NOC IP ranges together with associated confidence.

    Different techniques provide different results due to the nature of passive access (international vs in-country for instance)

    Different techniques have different levels of reliability therefore looking to develop aggregation with overlay of smart intelligence.

    Solution can work on not just ISP NOCs but also Mobile OMCs.

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    21/67

    TOP SECRET STRAP 2

    And then... enabling CNE on NOCs

    We now have IP ranges - need selectors of NOC Staff to enable QUANTUM INSERT attack against them.

    Use of GCHQ TDI capability to identify selectors coming out of IP ranges and/or identification of proxy/NAT within NOC range.

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    22/67

    TOP SECRET STRAP 2

    NOC IP range search in MUTANT BROTH

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    23/67

    TOP SECRET STRAP 2

    NOC IP range Target identifiers for QUANTUM INSERT

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    24/67

    TOP SECRET STRAP 2

    Real-time picture of QI

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    25/67

    TOP SECRET STRAP 2

    Questions ?

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    26/67

    TOP SECRET STRAP 2

    Mobile Networks in

    World

    Head of GCHQ NAC

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    27/67

    TOP SECRET STRAP 2

    What is a MyNOC ?

    MyNOC - My Network Operations Centre

    A Space

    A Concept

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    28/67

    TOP SECRET STRAP 2

    A Space

    Analyst Desktop X 10

    Un-attributable internet X 10

    JTRIG Desktop

    HIGHNOTE CNE Toolsuite

    COPPERHEAD CNE Attack box

    NEXUS (BSS Desktop)

    CADDIS (SIS Desktop)

    NRT Tipping Display

    65 VTC/Collaborative Monitor and Projector

    Virtual Whiteboarding tool and Whiteboard

    Secure telephony / storage

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    29/67

    TOP SECRET STRAP 2

    A Space

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    30/67

    TOP SECRET STRAP 2

    Interlopers in A Space

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    31/67

    TOP SECRET STRAP 2

    A Concept

    Collaboration environment bringing together capability from across GCHQ.

    Appropriate resources identified / Appropriate prioritisation

    Formalised planning process

    Clear Focused objectives

    Preparation

    Review

    Assessment and feasibility

    Professional Operations Manager

    Ensure operation is focused on stated objectives

    Ensures operation is legal

    Protects information equities

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    32/67

    TOP SECRET STRAP 2

    MyNOC & NAC

    NAC tasked with development of greater good capability in Mobile/Mobile Internet environment.

    Due to lack of progress decision made to sponsor three MyNOC events:

    OP WYLEKEY Exploitation of International Mobile Billing Clearing Houses

    Exploitation of Operator

    OP INTERACTION Development of in-depth knowledge of Mobile Gateways.

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    33/67

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    34/67

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    35/67

    TOP SECRET STRAP 2

    Preparation work

    Identified static web gateways and IP range used by engineers and tasked for QUANTUM operations

    Identification and tasking of optimal bearers

    TDI data mining identified potential for exploitation of LinkedIn as a vector for QI

    QI capability developed for LinkedIn

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    36/67

    TOP SECRET STRAP 2

    MyNOC Focus

    Expand collection and capability to enable better exploitation of Belgacom.

    Identify key staff at BICS, and selectors used by these individuals for QI.

    Map the network to better understand the Belgacom Infrastructure.

    Investigate VPN links from BICS to other telecoms providers.

    Investigate the vulnerability of the MyBICS Reporting Tool.

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    37/67

    TOP SECRET STRAP 2

    Infrastructure

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    38/67

    TOP SECRET STRAP 2

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    39/67

    TOP SECRET STRAP 2

    Key BELGACOM staff

    Identify Belgacom employees

    NOC staff

    In areas related to maintenance or security

    Selectors to enable QUANTUM targeting

    Use of LinkedIn noted

    MUTANT BROTH used to identify TDI/Selectors coming from identified range/proxy

    QI capability enhanced to allow shots on LinkedIn

    QI capability enhanced to allow white listing when shooting on proxy

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    40/67

    TOP SECRET STRAP 2

    NOC IP range search in MUTANT BROTH

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    41/67

    TOP SECRET STRAP 2

    NOC IP range Target identifiers for QUANTUM INSERT

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    42/67

    TOP SECRET STRAP 2

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    43/67

    TOP SECRET STRAP 2

    GTAC effort

    IR21 extractions

    Website research domains visited from target gateway IPs

    TDI harvesting

    Identified owners of TDIs / finding new potential targets

    Identified the FTP service

    User agent analysis

    Laptop identification

    Mail server analysis

    SSL research

    GRX analysis

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    44/67

    TOP SECRET STRAP 2

    What MyNOC Priority gets you

    Dedicated resources

    Priority tasking of access

    Priority utilisation of CNE Operator resources

    Priority utilisation of CNE Developer resources

    Priority use of enabling community GTE GTAC JTRIG

    Priority time of legalities bodies

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    45/67

    TOP SECRET STRAP 2

    OP SOCIALIST Outcome

    In MyNOC:

    CNE Access to BELGACOM MERION ZETA

    6 endpoints into Engineer/support staff IP range

    2 endpoints into BELGACOM DMZ (from prep VA work)

    Optimal Bearers identified providing good access to BELGACOM proxy.

    Optimal Bearers continue to allow QI against BELGACOM engineers/proxy

    Internal CNE access continues to expand getting close to access core GRX Routers currently on hosts with access

    NAC continue to support with Network Analysis of internal networks, network understanding research on credentials and identification of engineers/system administrators and their specific roles.

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    46/67

    TOP SECRET STRAP 2

    MyNOC leave behinds for NAC

    Focused working in small groups

    Regular Brainstorming sessions

    Professional Operational Management

    Network becomes Target Target approach to Network Problems

    Awareness of JTRIG and Open-source information specialist capabilities and how they can support Network Analysis.

    Steerage of access for Network Analysis gain

    Closer working between NAC and CNE

    Joint working between NACs

    More NAC MyNOC/Focus efforts to come.

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    47/67

    TOP SECRET STRAP 2

    Questions ?

    TOP SECRET STRAP 2 // REL TO USA AUS CAN GBR NZL

    TOP SECRET//REL TO USA AUS CAN GBR NZL

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    48/67

    TOP SECRET STRAP 2 // REL TO USA, AUS, CAN, GBR, NZL

    Making Network Sense of the encryption problem

    Roundtable

    Head of GCHQ NAC

    TOP SECRET//REL TO USA AUS CAN GBR NZL

    Derived From: NSA/CSSM 1-52

    Dated: 20070108

    Declassify On: 20360501

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    49/67

    TOP SECRET STRAP 2 // REL TO USA, AUS, CAN, GBR, NZL

    GCHQ metadata

    GCHQ now creating metadata on:

    SSL / TLS

    IKE

    OpenVPN

    SSH

    SQUEAL signatures (Various crypt packages)

    Data available in BEARDED PIGGY and/or the CLOUD

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    50/67

    TOP SECRET STRAP 2 // REL TO USA, AUS, CAN, GBR, NZL

    How can Network Analysis help ?

    Can NAC help make sense using network

    volumes of data to isolate that which we want to decrypt

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    51/67

    TOP SECRET STRAP 2 // REL TO USA, AUS, CAN, GBR, NZL

    The Seed Approach

    Intercepted documentation reveals details of VPN set up

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    52/67

    TOP SECRET STRAP 2 // REL TO USA, AUS, CAN, GBR, NZL

    The Seed Approach

    Turn Seed IP into network block

    Query on network block against metadata

    Chain outwards / fuzzy subnet logic

    Basis of NTAT developed tradecraft:

    IRASCIBLE HARE

    IRASCIBLE RABBIT

    IRASCIBLE MOOSE

    IRASCIBLE EMITT

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    53/67

    TOP SECRET STRAP 2 // REL TO USA, AUS, CAN, GBR, NZL

    Known usage

    Target known to use encryption

    Identify target subnet

    Select on subnet against metadata

    Or

    Start with an AS - look for most interesting wheel

    BELGACOM - AS6774 known to run GRX links to MNO over VPN

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    54/67

    TOP SECRET STRAP 2 // REL TO USA, AUS, CAN, GBR, NZL

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    55/67

    TOP SECRET STRAP 2 // REL TO USA, AUS, CAN, GBR, NZL

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    56/67

    Network Knowledge enrichment

    Internet Registry information

    IP Geolocation

    DNS

    Data derived from network device configuration files

    (routers/Firewalls etc)

    Network information on surrounding IPs (i.e. rest of subnet is MNO related)

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    57/67

    TOP SECRET STRAP 2 // REL TO USA, AUS, CAN, GBR, NZL

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    58/67

    Your Ideas Please

    SECRET STRAP1 COMINT

    The maximum classification allowed on GCWiki is TOP SECRET STRAP1 COMINT.

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    59/67

    STARGATE

    User Guide

    Bugs & Feedback

    Deployments

    CNE Requirements

    Surgery

    STARGATE CNE Requirements

    From GCWiki

    (Redirected from OPCCNE Prototyping STARGATE CNE Requirements)

    OPCCNE Prototyping Team (team leader

    HOME. MAD. KITCHEN SINK. MARVAL ICE. IRONING BOARD. TIN REVERIE. SORCERER. FEDEX

    Agile. Admin. Andromeda. Data Characterisation. Desks. Discussion. Forensics. Index. Links. Notes. Storyboards. Team. Training. Planning. Priorities. Unification Workshop. Infrastructure.

    Development Process

    This page is for OPH-CNE staff to add requirements for STARGATE. You should start by reading the Endpoint Initiative Requirements. Your requirement may have already been captured.

    Some headings have been added to get you started....

    C

    AQUILA

    CNE on the BIG BUS

    has a site wide license for OutsideIn (QuickView uses this behind the scenes). You

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    60/67

    Iterations

    Iteration 7 Feedback

    Iteration 6 Feedback

    Iteration 5 Feedback

    Dev Team

    (Q )

    can convert around ~350 document formats into HTML for viewing safely. This is not meant to replace udaq but would be a convenient and safe halfway-house to view files quickly for tactical operational reasons.

    User:

    How do you want to search the file system?

    How do you want to get tasked by customers?

    What should appear on the summary pages? What about summary pages for a Project or Implant?

    Embedded Comments

    What form should they take? Do you want to be able to add attachments or hyperlinks. Do you want to be alerted when a comment is added to your project?

    What would CNE need from Network diagrams?

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    61/67

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    62/67

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    63/67

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    64/67

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    65/67

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    66/67

  • 8/10/2019 Top Secret Documents Reveal How GCHQ Hacked Belgacom

    67/67