
TOP SECRET STRAP 2

Automated NOC Detection
Head of GCHQ NAC
Senior Network Analyst, CSEC NAC

This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information
legislation. Refer disclosure requests to GCHQ on


Challenge

SDC 2009 challenged the Network Analysis community to automate the detection of Network Operations Centres



Phase 1: Intelligent Router Configuration File Parsing

Routers have numerous services running on them that help identify the NOC IP ranges:

SSH
TELNET/VTY
SNMP
SYSLOG
DNS
TACACS
RADIUS

Access to these services tends to be locked down by the use of Access Control Lists (ACLs)
Configuration files provide details of how services are configured.


NOCTURNAL SURGE

GCHQ response to challenge.


Early Prototype that looks at only:
ACLs for SSH/TELNET
ACLs for VTY



NOCTURNAL SURGE screen shot 1

AL SURGE SNAPSHOT SLIDE 2



GCHQ / CSEC NAC Joint tradecraft development

During March 2011 GCHQ Analysts visited CSEC to look at using PENTAHO for tradecraft modelling, working with CSEC NAC and CSEC/H3 software developers to see if they could model NOCTURNAL SURGE in PENTAHO and then implement it in OLYMPIA.
Only possible to attempt because:
GCHQ NAC use PENTAHO
CSEC NAC/H3 use PENTAHO
CSEC NAC have implemented GCHQ NAC TIDAL SURGE Database Schema (DSD also have this..)

GCHQ approach based on AS
CSEC approach based on Country



Pentaho - NOC Auto Detection



Phase 2: Intelligent use of Metadata

We do not always get full configuration files to parse.


Services between routers and NOCs run on IP/TCP/UDP
We do create 5-TUPLE metadata from our collection
GCHQ have prototype database 5-Alive
CSEC have database - HYPERION



SNMP Protocol



SNMP Protocol in 5-Alive



Further drill down on activity for identified IP



Phase 3: Intelligent use of TELNET traffic

Again we do not always get full configuration files. Phase 1 is based on full (or as near to full) configuration files
GCHQ NAC collect TELNET Sessions into TERMINAL SURGE
Collection based on TCP Port 23 (TELNET)
Other protocols use TCP Port 23 (YMSG)

Interaction with Routers over TCP Port 23 may be nefarious:


Scanning
Password guessing

Need to separate legitimate use from nefarious activity


Look for signs of legitimate use.
Successful login
Follow on commands



From TCP Port 23 (Echo)



To TCP Port 23



Intelligent analysis of TELNET traffic

The fact that login was successful for both examples means the following:
From TCP Port 23: To IP address is Network Management Terminal (in the NOC ?)
To TCP Port 23: From IP address is Network Management Terminal (in the NOC ?)
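
A defensive counterpart to Phases 1 and 3, added here as an example and not part of the original slides: a check an operator can run over their own router configuration to find the cleartext management services the slides list, since a Telnet login observed in transit marks the management terminal. The sample configuration is constructed and assumes Cisco IOS-style syntax; the function name `audit_mgmt_plane` is hypothetical.

```python
import re

# Constructed sample in Cisco IOS-style syntax (assumption; not from the slides).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
snmp-server community public RO
snmp-server community s3cr3t RW 10
logging host 192.0.2.50
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""


def audit_mgmt_plane(config: str) -> list[str]:
    """Return findings for management services that expose credentials or
    management-station addresses to anyone able to observe the traffic."""
    findings = []
    section = None   # text of the current "line vty ..." block, if any
    vty = {}         # per-block state: transport list and ACL presence

    def close_section():
        # Emit findings for the vty block that has just ended.
        if section is None:
            return
        transports = vty.get("transport")
        if transports is None:
            # The default depends on the software version, so require it explicitly.
            findings.append(f"{section}: no explicit 'transport input' (set 'ssh')")
        elif "telnet" in transports or "all" in transports:
            findings.append(f"{section}: Telnet permitted (cleartext login)")
        if not vty.get("acl"):
            findings.append(f"{section}: no access-class restricting source addresses")

    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):   # a top-level line ends any open vty block
            close_section()
            section, vty = None, {}
        stripped = line.strip()
        if re.match(r"line vty \d+(?: \d+)?$", stripped):
            section = stripped
        elif section and stripped.startswith("transport input "):
            vty["transport"] = stripped.split()[2:]
        elif section and re.match(r"access-class \S+ in$", stripped):
            vty["acl"] = True
        elif m := re.match(r"snmp-server community \S+ (RO|RW)(?: (\S+))?$",
                           stripped, re.I):
            # SNMP v1/v2c community strings travel unencrypted; the value is
            # deliberately not echoed into the report.
            findings.append(
                f"SNMP community ({m.group(1).upper()}) in use"
                + ("" if m.group(2) else ", no ACL")
                + ": prefer SNMPv3 authPriv")
    close_section()
    return findings


if __name__ == "__main__":
    for finding in audit_mgmt_plane(SAMPLE_CONFIG):
        print(finding)
```
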



Phase 4: Bulk Port Scanning

We know the key services/servers running in the NOC


Utilise HACIENDA, GCHQ's bulk port scanning capability, to identify what IPs have these service ports open; additional logic to build up confidence required.



Fusion of sources

Aim is to bring all sources that help identify NOC IP ranges together with associated confidence.
Different techniques provide different results due to the nature of passive access (international vs in-country for instance)
Different techniques have different levels of reliability, therefore looking to develop aggregation with overlay of smart intelligence.
Solution can work on not just ISP NOCs but also Mobile OMCs.



And then... enabling CNE on NOCs

We now have IP ranges; need selectors of NOC Staff to enable QUANTUM INSERT attack against them.
Use of GCHQ TDI capability to identify selectors coming out of IP ranges and/or identification of proxy/NAT within NOC range.



NOC IP range search in MUTANT BROTH



NOC IP range Target identifiers for QUANTUM INSERT



Real-time picture of QI



Questions ?


Mobile Networks in
World
Head of GCHQ NAC



What is a MyNOC ?

MyNOC: My Network Operations Centre


A Space
A Concept



A Space

Analyst Desktop X 10
Un-attributable internet X 10
JTRIG Desktop
HIGHNOTE CNE Toolsuite
COPPERHEAD CNE Attack box
NEXUS (BSS Desktop)
CADDIS (SIS Desktop)
NRT Tipping Display
65 VTC/Collaborative Monitor and Projector
Virtual Whiteboarding tool and Whiteboard
Secure telephony / storage


A Space



Interlopers in A Space



A Concept

Collaboration environment bringing together capability from across GCHQ.
Appropriate resources identified / Appropriate prioritisation
Formalised planning process

Clear Focused objectives


Selection of Operations Manager
Preparation
Review

Assessment and feasibility


Professional Operations Manager
Ensure operation is focused on stated objectives
Ensures operation is legal
Protects information equities


MyNOC & NAC

NAC tasked with development of greater good capability in Mobile/Mobile Internet environment.
Due to lack of progress, decision made to sponsor three MyNOC events:
OP WYLEKEY: Exploitation of International Mobile Billing Clearing Houses
OP SOCIALIST: Exploitation of GRX Operator
OP INTERACTION: Development of in-depth knowledge of Mobile Gateways.



MyNOC Team assemble
Operations Manager
Network Analysts (NAC Cheltenham, NAC Bude & NAC Cyprus)
Dataminer (GTAC)
Open Source Specialist
JTRIG Analysts (Cheltenham & Bude)
CNE Operators (Cheltenham CNE & Scarborough CNE)
VPN Expert (Crypt SD)
EREPO Expert (CNE)
Protocol Analyst (GTE)
Production Tasking Co-ordinator (PTC)
Trainee Ops Managers


One Month Later OP SOCIALIST

Scoping session conducted; main focus to be on enabling CNE access to BELGACOM GRX Operator
Ultimate Goal: enable CNE access to BELGACOM Core GRX Routers from which we can undertake MiTM operations against targets roaming using Smart Phones.
Secondary focus: breadth of knowledge on GRX Operators
Operations Manager assigned, team assembles



Preparation work

Identified static web gateways and IP range used by engineers and tasked for QUANTUM operations
Identification and tasking of optimal bearers
TDI data mining identified potential for exploitation of LinkedIn as a vector for QI; QI capability developed for LinkedIn
WOODCUTTER logs analysed for usage by BELGACOM.



MyNOC Focus

Expand collection and capability to enable better exploitation of Belgacom.
Identify key staff at BICS, and selectors used by these individuals for QI.
Map the network to better understand the Belgacom Infrastructure.
Investigate VPN links from BICS to other telecoms providers.
Investigate the vulnerability of the MyBICS Reporting Tool.



Infrastructure



Key BELGACOM staff

Identify Belgacom employees


NOC staff
In areas related to maintenance or security

Selectors to enable QUANTUM targeting


Use of LinkedIn noted
Use of Slashdot.org noted

MUTANT BROTH used to identify TDI/Selectors coming from identified range/proxy
QI capability enhanced to allow shots on LinkedIn
QI capability enhanced to allow white listing when shooting on proxy



NOC IP range search in MUTANT BROTH



NOC IP range Target identifiers for QUANTUM INSERT



GTAC effort

IR21 extractions
Website research: domains visited from target gateway IPs
TDI harvesting
Identified owners of TDIs / finding new potential targets
Identified the FTP service
User agent analysis
Laptop identification
Mail server analysis
SSL research
GRX analysis



What MyNOC Priority gets you

Dedicated resources
Priority tasking of access
Priority utilisation of CNE Operator resources
Priority utilisation of CNE Developer resources
Priority use of enabling community (GTE, GTAC, JTRIG)
Priority time of legalities bodies



OP SOCIALIST Outcome

In MyNOC:
CNE Access to BELGACOM MERION ZETA 6 endpoints into
Engineer/support staff IP range
2 endpoints into BELGACOM DMZ (from prep VA work)
Optimal Bearers identified providing good access to BELGACOM proxy.

Post MyNOC:
Optimal Bearers continue to allow QI against BELGACOM engineers/proxy
Internal CNE access continues to expand, getting close to access core GRX Routers; currently on hosts with access
NAC continue to support with Network Analysis of internal networks, network understanding, research on credentials and identification of engineers/system administrators and their specific roles.


MyNOC leave behinds for NAC

Focused working in small groups


Regular Brainstorming sessions
Professional Operational Management
Network becomes Target: Target approach to Network Problems
Awareness of JTRIG and Open-source information specialist capabilities and how they can support Network Analysis.
Steerage of access for Network Analysis gain
Closer working between NAC and CNE
Joint working between NACs
More NAC MyNOC/Focus efforts to come.


Questions ?


TOP SECRET//REL TO USA, AUS, CAN, GBR, NZL

TOP SECRET STRAP 2 // REL TO USA, AUS, CAN, GBR, NZL

Making Network Sense of the encryption problem
Roundtable
Head of GCHQ NAC
Derived From: NSA/CSSM 1-52
Dated: 20070108
Declassify On: 20360501



GCHQ metadata

GCHQ now creating metadata on:


SSL / TLS
IKE
OpenVPN
SSH
SQUEAL signatures (Various crypt packages)

Data available in BEARDED PIGGY and/or the CLOUD



How can Network Analysis help ?

Can NAC help make sense using network knowledge of the volumes of data to isolate that which we want to decrypt


The Seed Approach

Intercepted documentation reveals details of VPN set up



The Seed Approach

Turn Seed IP into network block


Query on network block against metadata
Chain outwards / fuzzy subnet logic
Basis of NTAT developed tradecraft:

IRASCIBLE HARE
IRASCIBLE RABBIT
IRASCIBLE MOOSE
IRASCIBLE EMITT



Known usage

Target known to use encryption


Identify target subnet
Select on subnet against metadata
Or
Start with an AS; look for most interesting wheel
BELGACOM - AS6774 known to run GRX links to MNO over VPN



Network Knowledge enrichment

Internet Registry information


IP Geolocation
DNS
Data derived from network device configuration files (routers/Firewalls etc)
Network information on surrounding IPs (i.e. rest of subnet is MNO related)



Access Optimisation

A given role of Network Analysis is optimising access for a given problem; in this case enabling two-ended collection
Or... identifying opportunities to get at the data before it is encrypted, therefore no need to make sense of encrypted data.
Can do this both:
Passive
Active



Your Ideas Please


SECRET STRAP1 COMINT



STARGATE CNE Requirements


From GCWiki
(Redirected from OPCCNE Prototyping STARGATE CNE Requirements)
This page is for OPH-CNE staff to add requirements
for STARGATE. You should start by reading the
Endpoint Initiative Requirements. Your requirement
may have already been captured.
Some headings have been added to get you started....

Contents
1 How should the file system be rendered?
2 How do you want to search the file system?
3 How do you want to get tasked by customers?
4 What should appear on the summary pages? What about summary pages for a Project or Implant?
5 Embedded Comments
6 What would CNE need from Network diagrams?
7 What input is most important (ipconfig/netstat/dns/arps/....) ?
8 Scripts
9 Visualising non-DareDevil logs
10 Add a new section here!


How should the file system be rendered?

I would like to be able to use STARGATE to view the files directly from the S drive. GCHQ has a site wide license for OutsideIn (QuickView uses this behind the scenes). You can convert around ~350 document formats into HTML for viewing safely. This is not meant to replace udaq but would be a convenient and safe halfway-house to view files quickly for tactical operational reasons.
User:
How do you want to search the file system?

How do you want to get tasked by customers?

What should appear on the summary pages? What about summary pages for a Project or Implant?
Embedded Comments

What form should they take? Do you want to be able to add attachments or hyperlinks? Do you want to be alerted when a comment is added to your project?

What would CNE need from Network diagrams?

What input is most important (ipconfig/netstat/dns/arps/....) ?

Scripts

Incorporate scripts detailed in the TDE wiki into STARGATE, e.g.:
Email project lead (or interested party) when a volume manager event occurs. User
Please add more ideas!

Visualising non-DareDevil logs


I need to be able to view logs from unix ops [
I need to be able to view logs from masquerades (directory listings from FTP servers) User
I need to be able to view logs from ops where I exploit on to the box and just use legspin (THICKISH ALPHA) User:

Add a new section here!

