(Updated: March 17, 2015)
Most of the Snowden-revelations are about spying on the internet, but NSA and GCHQ are also conducting the more traditional collection of telephone communications that go through satellite links.
What needs to be done before phone calls can be collected can be learned from two highly detailed technical reports from the GCHQ listening station near Bude in the UK.
These reports were published on August 31 last year by the German magazine Der Spiegel and the website The Intercept as part of a story about how Turkey is both a partner and a target for US intelligence.
Here we will analyse what's in these reports, which give an interesting impression of the techniques used to transmit telephone communications over satellite links.
Officially, such technical reports are called "informal reports", as opposed to the "serialized reports" that contain finished intelligence information for end users outside the SIGINT community.
Until now, only two such technical reports have been disclosed, but according to an article by Der Spiegel from December 20, 2013, they are from "a bundle of documents filled with international telephone numbers and corresponding annotations" from Sigint Development (SD), which is a unit that identifies and develops new targets.
The technical reports are about test runs for new, previously unmonitored communication paths intended to "highlight the possible intelligence value" and whether certain satellite links could be "of potential interest for tasking". The reports give no indication of whether the listed numbers were eventually tasked for collection, nor of the intensity and length of any such surveillance.
Der Spiegel says these documents show that GCHQ "at least intermittently, kept tabs on entire country-to-country satellite communication links, like Germany-Georgia and Germany-Turkey, for example, of certain providers", which sounds rather indiscriminate.
However, the fact that GCHQ analysts are sampling these satellite links to see whether they contain targets' phone numbers shows they are looking for the most productive links to be eventually intercepted. During the parliamentary investigation in Germany, officials from BND explained a similar way of selecting specific channels of specific satellites.
> See also: German investigation of the cooperation between NSA and BND (III) (http://stephaniefulke.blogspot.com/2015/01/german-investigation-of-cooperation.html)
Technical report nr. 35
The first technical report is number 35 from October 15, 2008. It is about four satellite links between the United Kingdom and Iraq, which were given the following case notations, starting with G2, which is NSA's identifier for the Intelsat 902 communications satellite:
- G2BCR (UK - Iraq)
- G2BBU (UK - Iraq)
- G2BCS (Iraq - UK)
- G2BBV (Iraq - UK)
The physical gateways (the satellite ground stations) for these satellite links are in the UK and in Iraq, with the UK station providing logical gateways to the Rest-of-the-World (ROW), mainly Turkey, Syria, Saudi Arabia, UAE and Egypt.
Multiplexing and compression
By analysing the C7 channel (see below), it was confirmed that the two links from the UK to Iraq were load-sharing traffic between the Rest-of-the-World and Iraq, as was the case for the link originating in Iraq.
For an efficient transmission, the links are equipped with the DTX-600 Compression Gateway device, made by Dialogic. This is a high-capacity, multi-service, multi-rate voice and data compression system, which is able to simultaneously compress toll quality voice, fax, Voice Band Data (VBD), native data (for example, V.35), and signaling information.
This kind of voice compression equipment is installed at either end of long-distance links, like from communications satellites or submarine fiber-optic cables. Telecommunication companies try to pack as much capacity into as little physical space as possible, making it also more difficult for intelligence engineers to unpack it.
Signaling System No. 7
Most of the information in the report is derived from the so-called C7 channel. C7 is the British term for the Signaling System No. 7 as specified by ITU-T recommendations. In the US it is referred to as SS7 or CCSS7 (for Common Channel Signalling System 7).
SS7 is a set of protocols for setting up and routing telephone calls. In the SS6 and SS7 versions of this protocol, this signalling information is "out-of-band", which means it is carried in a separate signaling channel, in order to keep it apart from the end-user's audio path.
In other words, SS7 contains the metadata for telephone conversations, like the calling and the called phone numbers and a range of switching instructions. This makes the SS7 or C7 channel the first stop for intelligence agencies.
Analysis of the link
In order to see whether these four satellite links could contain traffic that is useful for foreign intelligence purposes, the analyst took some phone numbers from Iraq (country code 964), Iran (98), Syria (963) and the UK (44) and looked whether these appeared in the data of the C7 channel.
All four links had hits, both for the called and the calling number. These numbers were redacted by The Intercept, except for the terms "Non Op Kurdish Extremism" and [Kurdish] "Leadership". The report continues with a more detailed analysis of the links. As an example we look at the one between the UK and Iraq, which has the case notation G2BCR and was paired with G2BCS:
On this link, the C7 channel runs between end points that are designated with the Originating Point Code (OPC) 2-153-1 in the UK, and the Destination Point Code (DPC) 4-036-4 in Iraq. The switching device at the originating end is a Nokia DX220 ABS and at the destination end a Unid Exch.
The DTX-600 contains 11 active trunks for digital voice data that are compressed into packets of 10 milliseconds duration by using the audio data compression algorithm g.729. There is also one WC1A channel.
After decompression by a tool named SWORDFISH it came out that the location of the C7 channel is the "3rd Trunk BS19". Protocols used on this link were Cisco, IPv4, ICMP, TCP, UDP, GRE, ESP and PPTP. Similar analysis was done for the other three satellite links.
Intelsat communications satellite from the 900-series,
nine of which were launched in June 2001.
The report then has a small list of Technical Details, saying that the traffic goes via the Intelsat 902 communications satellite, but the exact frequencies of the four links are redacted, just like the Symbol Rate and the FEC Rate. FEC probably stands for Forward Error Correction, to compensate for packet losses.
There is also a FEC RASIN number: TPC2D78R005. RASIN stands for RAdio-SIgnal Notation, which is a comprehensive, originally 10-volume NSA manual that lists the physical parameters of every known signal, all known communication links and how they are collected. It seems strange that this internal RASIN code is visible, while the FEC rate, which is common technology, is redacted.
Conclusion
The conclusion on whether these satellite links can be tasked on the collection system is: "Due to limited patching there is currently no spare tasking availability on Lopers". LOPERS is one of the main systems used by NSA for collecting telephone communications. According to Der Spiegel, some other reports concluded about tasking: "Not currently due to the data rate of the carriers."
Finally, this technical report gives the (redacted) contact details at OPA-BUDE, with OPA being the abbreviation of a yet unknown unit at the GCHQ Bude listening station in Cornwall. The last section of the report is fully blacked out by The Intercept, but the next report will show what is apparently covered there.
Technical report nr. 44
The second technical report is from December 1, 2008 and is about a satellite link between Jordan and Belgium. It has the case notation 8BBAC, with 8B being the identifier of a yet unknown communications satellite. The frequency of the link is redacted. The physical gateways are in Jordan and Belgium, with the Belgian station also providing a logical gateway to the Rest-of-the-World (ROW).
The link is an E1 carrier, which means it runs 2048 Megabit/second and has 32 timeslots (channels), which are numbered TS0 to TS31 (another widely used carrier is E3, which has an overall capacity of 34.368 Megabit/second and has 512 timeslots). Each timeslot can carry one phone call, so one E1 link can transmit up to 30 calls simultaneously. The remaining two timeslots are used for the signaling information.
The analyst found that in this case timeslots 30 and 31 were used to relay the C7 signaling information and that compression was achieved by the DTX-360B Digital Circuit Multiplication Equipment (DCME). Using this technique, one Intelsat communications satellite can relay up to 112.500 voice circuits (telephone calls) simultaneously.
The report also says that the "RLE to this link is believed to be 8BBNH. Currently in view at Sounder". RLE stands for Return Link End, which in this case would be the link back from Belgium to Jordan. SOUNDER is the covername for the GCHQ listening station at Ayios Nikolaos in Cyprus, which is apparently able to intercept the Intelsat downlink to Jordan.
The GCHQ intercept station Ayios Nikolaos (SIGAD: UKM-257) in Cyprus
Analysis of the link's metadata
The technical report says that on timeslot 30, the C7 channel runs between end points that are designated with the Originating Point Code (OPC) 4-032-5 at FAST Link GSM (now Zain) in Jordan, and the Destination Point Code (DPC) 2-014-7 at F Belgacom in Brussels, Belgium.
It's interesting to see Belgacom here, as from 2009, GCHQ got access to the cell phone roaming branch of this company by using the highly sophisticated Regin spyware suite.
From OPC 4-032-5 in Jordan, there were also transit calls via DPC 2-012-2 to some forty countries all over the world. In addition to this, there were also transit calls to Mauritius, Finland, Bulgaria, Switzerland, Sweden, Syria and Iran via DPC 2-012-1.
On timeslot 31, the C7 channel runs between the end points 4-032-0 at FAST Link in Jordan, and 2-013-1 at F Belgacom in Brussels, Belgium. For this timeslot there were also two links with transit calls, via DPC 2-012-2 and DPC 2-012-1.
For these transit calls, the report also mentions an eight digit Circuit Identification Code (CIC). This code is used to connect the metadata in the C7 channel to the trunk and the timeslot which carry the voice part of the call. In this way, each of the 30 channels of an E1 link has a CIC associated with it.
GCHQ has to know the CIC, in order to pick the right voice part from one of the content channels, after having found the target's phone number in the signaling channel.
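How the point codes and the CIC sit in the signaling bytes, as an added example that is not taken from the article or the GCHQ reports: it packs and decodes the ITU-T routing label (14-bit DPC, 14-bit OPC, 4-bit link selection) followed by the ISUP CIC, and prints point codes in the zone-area-point form used above. Assumptions: the 12-bit CIC of ITU-T ISUP and the Q.763 convention for uncompressed 2048 kbit/s paths, where the five low CIC bits give the timeslot and the remaining bits the trunk; how the report's eight digit CIC notation relates to this is not known from the page, and the sample message is constructed.

```python
from dataclasses import dataclass


def parse_point_code(text: str) -> int:
    """Convert a 3-8-3 point code such as '4-032-5' to its 14-bit value."""
    zone, area, point = (int(part) for part in text.split("-"))
    if not (0 <= zone <= 7 and 0 <= area <= 255 and 0 <= point <= 7):
        raise ValueError(f"not a valid 3-8-3 point code: {text!r}")
    return (zone << 11) | (area << 3) | point


def format_point_code(value: int) -> str:
    """Render a 14-bit point code in zone-area-point form (area zero-padded)."""
    if not 0 <= value < (1 << 14):
        raise ValueError(f"point code does not fit in 14 bits: {value}")
    return f"{value >> 11}-{(value >> 3) & 0xFF:03d}-{value & 0x7}"


@dataclass(frozen=True)
class IsupHeader:
    dpc: str           # destination point code, 3-8-3 text
    opc: str           # originating point code, 3-8-3 text
    sls: int           # signaling link selection, 0..15
    cic: int           # 12-bit circuit identification code
    trunk: int         # CIC bits above the low five (assumed Q.763 convention)
    timeslot: int      # low five CIC bits: timeslot within that 2048 kbit/s path
    message_type: int  # ISUP message type octet (0x01 = Initial Address Message)


def build_isup_header(dpc, opc, sls, trunk, timeslot, message_type) -> bytes:
    """Pack routing label, CIC and message type; used here to construct sample input."""
    if not (0 <= sls <= 15 and 0 <= trunk <= 127 and 0 <= timeslot <= 31):
        raise ValueError("sls, trunk or timeslot out of range")
    # Routing label is sent least significant bit first: DPC, then OPC, then SLS.
    label = parse_point_code(dpc) | (parse_point_code(opc) << 14) | (sls << 28)
    cic = (trunk << 5) | timeslot
    return label.to_bytes(4, "little") + cic.to_bytes(2, "little") + bytes([message_type])


def decode_isup_header(sif: bytes) -> IsupHeader:
    """Decode the first seven octets of an ISUP signaling information field."""
    if len(sif) < 7:
        raise ValueError("truncated: need 4-byte label, 2-byte CIC, 1-byte type")
    label = int.from_bytes(sif[0:4], "little")
    cic = int.from_bytes(sif[4:6], "little") & 0x0FFF  # upper four bits are spare
    return IsupHeader(
        dpc=format_point_code(label & 0x3FFF),
        opc=format_point_code((label >> 14) & 0x3FFF),
        sls=(label >> 28) & 0xF,
        cic=cic,
        trunk=cic >> 5,
        timeslot=cic & 0x1F,
        message_type=sif[6],
    )


# Constructed sample: the OPC/DPC pair quoted for timeslot 30 of link 8BBAC;
# SLS, trunk, timeslot and message type are invented for illustration.
SAMPLE_SIF = build_isup_header("2-014-7", "4-032-5", sls=3, trunk=2,
                               timeslot=17, message_type=0x01)

if __name__ == "__main__":
    print(SAMPLE_SIF.hex(), decode_isup_header(SAMPLE_SIF))
```
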
Interface of an NSA tool with a page titled "SS7 Summary" which lists and visualizes
the number of OPC/DPC pairs accessible by various NSA fiber-optic cable
interception programs, identified by their SIGAD number.
(Screenshot from an NSA presentation
published in December 2013)
Mapping the link
The analyst used the DEPTHGAUGE tool to map the 8BBAC satellite link. He reports that the resultant map was not fully conclusive, but that it supported the previously listed mapping. What follows is a list which seems to relate Circuit Identification Codes (CIC) to the specific TimeSlots (TS). Not all of them had yet been mapped.
The 8BBAC link was sampled for telephony data (DNR) for approximately 94 hours during the period from November 26 to December 1, 2008, by using a tool or system codenamed DRUMKIT.
Phone numbers listed in CORINTH, which could be GCHQ's telephony tasking database, were found 607 times in timeslot 30. This included both tasked and de-tasked numbers, which means numbers that were under surveillance as well as numbers for which the surveillance had been terminated. 26 numbers that were tasked at the time of the analysis had 86 hits.
In timeslot 31, there were 349 hits, 40 of which were from 14 phone numbers that were under surveillance. These hits could be viewed in DRUMROLL under the filenames 8BBAC0030 for timeslot 30 and 8BBAC0031 for timeslot 31.
DRUMROLL hits
The report lists all the hits of tasked, and a selection of the non-tasked phone numbers that were found in timeslot 30 and timeslot 31. These lists are completely blacked out, except for the terms "Turkish MFA" (= Ministry of Foreign Affairs) and "Kurdish Leadership".
According to The Intercept's reporting, NSA was regularly providing its Turkish partners with the mobile phone location data of PKK leaders, but was at the same time spying on the Turkish government.
DRUMROLL was first seen in snippets from a GCHQ document published by Der Spiegel in December 2013. It gave the hits for a satellite link with case notation 1ABCT. According to the Spiegel article, this was a communication path between Belgium and Africa.
For each of the entries there are codes or numbers under TNDEntry, TNDOffice, TNDtask and TNDzip. It is not known what TND stands for, but it could be something like Target Number Database.
Among the hits are European Union Commissioner Joaquin Almunia, the French oil and gas company Total E & P, the French transport company Thales Freight and Logistics and the UN Institute for Disarmament Research. As such lists can show both tasked and de-tasked numbers, it's not clear whether these ones were still under surveillance; the N under TNDtask could stand for "Not Active".
The technical report nr. 44 from 2008 may have similar information in the lists that were redacted.
That report then continues with a small list of Technical Details of satellite link 8BBAC, with the Symbol Rate and the FEC Rate not being redacted, as they were in the first report. The conclusion of the report is that "this link can be tasked on the system". According to Der Spiegel this was the answer in many of the other reports too.
Finally, also readable unlike in the first report, is the standard disclaimer that is under every document from GCHQ. It says that this "information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information legislation".
Apparently this time the editors from The Intercept forgot to redact the GCHQ's internal (non-secure) phone number and e-mail address for such disclosure requests, which normally appear blacked out in all GCHQ documents that have been disclosed.
Classification
All three technical reports we have seen are classified SECRET STRAP 1 SPOKE. The British marking STRAP 1 means that the dissemination of the document is restricted by measures from a three-level control system codenamed STRAP (http://stephaniefulke.blogspot.com/2013/12/the-british-classification-marking-strap.html). Within that system, STRAP 1 is the lowest level.
More interesting is the NSA marking SPOKE, which also denotes a control system to limit access to the document, but is rarely seen. Other British documents marked STRAP 1 often have COMINT as their American equivalent, which is the general marking used for all information related to communications intelligence that doesn't have to be more strictly controlled.
SPOKE is one of the codewords that NSA used in the past, but which were presumably abandoned in 1999. But from documents published as part of the Snowden-leaks we know that from these codewords at least SPOKE and UMBRA (http://stephaniefulke.blogspot.com/2014/07/nsa-still-uses-umbra-compartment-for.html) are still used.
Given what's in the known documents that have the SPOKE classification, it seems to cover technical information about targets, like their phone numbers and the communication links in which these can be found. The higher UMBRA marking is then probably used for the actual content, when this is collected outside the US under EO 12333 authority.
Update:
On March 12, 2015, the Intelligence and Security Committee (ISC) of the British Parliament published an extensive report about interception activities of the UK intelligence agencies, which says that GCHQ only collects data from a small number of fiber-optic cable channels ('bearers'), which are likely to contain traffic that is of intelligence value.