I have compiled a list of codenames used by the NSA/GCHQ that hare affiliated
with hacking and bugging. The recent series of Der Spiegel articles has resulted
in a dramatic expansion of what is known about them.
I have also included my original spreadsheet, for the use of others who have
been maintaining similar lists.
Codename |
Price/ea |
Description |
Note |
Non Cooperative Wireless access point |
|
Just what it sounds like. The owner of the wireless device doesn't
know the NSA is using it. In short, it's been pwned |
|
ALTEREGO QFD |
|
A Question filled Dataset |
|
ANGRYNEIGHBOR |
|
A family of bugs implemented as RF retro reflectors. These
communicate with the use of an external radar wave generator such as CTX4000
or PHOTOANGLO. The signals are then processed by a system such as VIEWPLATE,
(for the VAGRANT video signal). Known implementations: LOUDAUTO(ambient audio).
DROPMIRE (printer/fax), RAGEMASTER (video), SURLYSPAWN (keyboard/mouse). |
See also: VAGRANT, DROPMIRE, CTX4000, PHOTOANGLO |
ANTO LP PROTOSS GUI |
|
|
Spotted on IRONCHEF diagram |
ARKSTREAM |
|
malicious BIOS flashing program, known to be associated with
DIETYBOUNCE, SWAP |
|
ARTEMIS |
|
|
see ENTOURAGE |
BACONRIDGE |
|
Codename for a 4200 sq. ft. facility in Texas, holding TAO.
Employing some 270 employees. Includes a datacenter qith 200 racks covering
9,450 sq. ft.. |
|
BANANAGLEE |
|
A software exploit made by Digital Network Technologies (DNT)
for Juniper Netscreen ns5xt, ns50, ns200, ns500, ISG 1000, ssg140, ssg5,
ssg20, SSG 320M, SSG 350M, SSG 520, SSG 550, SSG 520M, SSG 550M firewalls.
Also works on Cisco PIX 500 series and ASA 5505, 5510, 5520, 5540, and 5550
series firewalls. Used for exfiltrating data from target networks. |
See also FEEDTROUGH, GORUMETTROUGH, JETPLOW |
BLACKHEART |
|
Collection from an FBI implant |
|
BLACKPEARL |
|
|
mentioned in context of Petrobras story |
BLINDDATE |
|
Software included on SPARROW II mini computers. Also seen in
another context on QFIRE slide as part of a TAO covert network.. |
see also: STRAITBIZARRE, QUANTUM, SPARROW II |
BSR |
|
Base Station Router, use for intercepting GSM cell phone signals.
Ships with laptop and accessories, networkable with other units via 802.11.
Supports CANDYGRAM and LANDSHARK capabilities. |
|
BULLDOZER |
|
PCI bus malicious hardware |
Installed via interdiction |
Byzantine Anchor (BA) |
|
BA, a subset of Byzantine Hades, refers to a group of
associated computer network intrusions with an apparent nexus to China. |
Source: Cablegate |
Byzantine Candor (BC) |
|
Refers to a certain class of hacking by Chinese actors. Byzantine
Candor is a subset of Byzantine Hades relating to intrusion, including by
means of social engineering involving delivering malicious payloads by email. |
Source: Cablegate |
Byzantine Hades (BH) |
|
a cover term for a series of related computer network
intrusions with a believed nexus to China, has affected U.S. and foreign
governments as well as cleared defense contractors since at least 2003
Believed to be Chinese state-sponsored (the PLA in particular). Though the
evidence is tenuous. (ca 2009). In general, victims of Chinese-affiliated
hacking are legitimate businesses, including defense contractors. They have
been successful in exfiltrating large volumes of confidential emails and
other sensitive documents. |
Source: Cablegate |
CANDYGRAM |
$40,000.00 |
Mimics GSM cell tower. Also included in the package are a Windows
XP laptop, and cell phone, that communicate with the unit via SMS messages.
Capable of targeting 200 phone numbers simultaneously |
See also: DRTBOX, Stingray, CANDYGRAM, NEBULA, CYCLONE, TYPHON |
CDR Diode |
|
|
Spotted on IRATEMONK, WISTFULTOLL diagrams (Note: Must replay
Appelbaum's talk about these), See also: IRATEMONK, STRAITBIZARRE, SEAGULLFARO,
UNITEDRAKE, WISTFULLTOLL |
CHIMNEYPOOL |
|
Software based malware toolkit Framework, likely
written in C/C++ (according to resumes posted online) |
Known products written with it: COTTONMOUTH-I, COTTONMOUTH-II,
COTTONMOUTH-III, DROPOUTJEEP |
COMMONDEER |
|
A software based malware, used by the NSA. |
see also: SEASONEDMOTH, VALIDATOR |
CONJECTURE |
|
A RF communication protocol used by HOWLERMONKEY devices. |
see also: HOWLERMONKEY |
CONOP |
|
not a codename: Concept of Operations |
|
COTS |
|
Commercial Off the Shelf. When a description of a bug says it
is COTS-based, it means that the components are commercially available, giving
the NSA deniability as to their true source. (Unless you just happen to be
looking at the NSA's leaked product catalog. ) |
|
COTTONMOUTH-1 (CM-1) |
$20,300.00 |
USB cable w/ convert RF transmitter/receiver & malware payload |
GENIE Compatible, communicates with STRAITBIZARRE, other COTTOMNOUTH
devices, reprogrammable, probably related to DEWSWEEPER (possibly a subclass
of the same) |
COTTONMOUTH-II (CM-II) |
$4,000.00 |
A dual-stacked USB port, (the kind that are soldered directly
onto a motherboard), providing a covert long haul relay across
airgapped systems. Like CM-I, and many other systems, it is written with
the CHIMNEYPOOL framework, and communicates via STRAITBIZARRE. Unlike CM-I
and CM-III, it does not incorporate HOWLERMONKEY or TRINITY. |
See also: CM-I, CM-III, STRAITBIZARRE, CHIMNEYPOOL. Perhaps
a subclass of DEWSWEEPER |
COTTONMOUTH-III (CM-III) |
$24,960.00 |
A dual-stacked USB port/RJ45 ethernet jack combo, (the kind
that are soldered directly onto a motherboard), providing a covert RF relay
across airgapped systems. Like CM-I, and many other systems, it is written
with the CHIMNEYPOOL framework, and communicates via STRAITBIZARRE. It can
communicate with other CM devices with the SPECULATION Protocol. It also
integrates TRINITY, and the HOWLERMONKEY RF transceiver. |
see also: CM-1, CM-II, TRINITY, HOWLERMONKEY, SPECULATION,
CHIMNEYPOOL, STRAITBIZARRE. Perhaps a subclass of DEWSWEEPER. |
CROSSBEAM |
$4,000.00 |
the CROSSBEAM module consists of a standard ANT architecture
embedded computer, a specialized phone component, a customized voice controller
suite and and optional DSP (ROCKYKNOB) if using Data Over Voice to transmit
data. Communicates over GSM. Compatible with CHIMNEYPOOL framework.
Appears to be a WAGONBED controller board mated with a Motorola G20 GSM module. |
See also: WAGONBED, CHIMNEYPOOL, ROCKYKNOB. |
CRUMPET Covert network (CCN) |
|
Sample drawing included Printers, servers, and computers. All
allegedly airgapped. (But not actually, due to covertly installed hardware) |
Spotted on IRONCHEF diagram |
CRYPTO ENABLED |
|
Collection derived from AO's efforts to enable Crypto |
|
CTX4000 |
|
A radar wave generator, can produce up to 1kW, output, with
the use of external amplifies. designed for DROPMIRE, and VAGRANT. Obsolete,
replaced by PHOTOANGLO. |
see also, DROPMIRE, VAGRANT, PHOTOANGLO |
CUSTOMS |
|
Customs opportunities (not LIFESAVER) |
|
CW |
|
Continuous Wave, such as the ones generated by CTX4000, or
PHOTOANGLO. |
|
CYCLONE Hx9 |
$70,000
(2 month rental) |
EGSM base station router, used for collection GSM cell phone
signals. Shops with laptop and accessories for command and control, uses
the same GUI as the TYPHON. Controllable via 802.11 wifi. |
See also: TYPHON, CANDYGRAM, DRTBOX, NEBULA |
DANDERSPRIT |
|
|
See DANDERSPRITZ |
DANDERSPRITZ |
|
Described as an intermediate redirector node. Another
tool made by Digital Network Technologies (DNT). Spoofs IP and MAC address. |
|
DARKTHUNDER |
|
A SIGAD used for TAO, and thus QUANTUM, FOXACID, and the like. |
see also, QUANTUM, FOXACID. |
DEWSWEEPER |
|
USB (Universal Serial Bus) hardware host tap that provides COVERT
link over USB link into a target network. Operates w/RF relay subsystem to
provide wireless Bridge into target network. |
|
DIETYBOUNCE |
$0.00 |
BIOS exploit for Dell PowerEdge 1850/2850/1950/2950 running
BIOS versions A02, A05, A06, 1.1.0, 1.2.0 or 1.3.7 |
Can be installed by non-technical user with USB thumb drive |
DOCKETDICTATE |
|
|
|
DOGCOLLAR QFD |
|
A question filled dataset |
|
DROPMIRE |
|
passive collection of emanations using an antenna. A Tempest
style attack. |
see also VAGRANT, CTX4000, PHOTOANGLO |
DROPMIRE |
|
Laser printer collection, purely proximal access (**NOT**
implanted). A tempest style attack. |
see also VAGRANT, CTX4000, PHOTOANGLO |
DROPOUTJEEP |
|
Apple iPhone malware. Infiltrates and exfiltrates SMS, files,
contact lists, voicemail, geolocation, camera capture. Once installed, DROPUTJEEP
can be controlled via SMS messages or GPRS data connection. |
Installed either through physical access , or remotely
(future plan, back in 2008) |
DRTBOX |
|
Mimics cell tower, Spotted in BOUNDLESSINFORMANT slides. See
see
http://electrospaces.blogspot.com/2013/11/drtbox-and-drt-surveillance-systems.htmlfor
more details |
See also: CANDYGRAM, CYCLONE Hx9, TYPHON, EBSR, NEBULA |
EBSR |
$40,000.00 |
Low power GSM base station router, |
see also: TYPHON, CANDYGRAM, DRTBOX, CYCLONE Hx9, NEBULA |
EGOTISTICALGIRAFFE (EGGI) |
|
Malware, a successful Firefox exploit (attempted against tor
users) |
|
EGOTISTICALGOAT (EGGO) |
|
Firefox exploit against 10.0 -16.0.2 |
Exploits type confusion vulnerability in E4X |
ENTOURAGE |
$70,000.00 |
Application for the HOLLOWPOINT platform, including band-specific
antennas and a laptop for the command and control. Controllable via gibabit
Ethernet Future plans (circa 2008) included WiFi, WiMAX and LTE. |
|
EPICFAIL |
|
attacks against dumb Tor users (?) |
|
ERRONEOUSINGENUITY (ERIN) |
|
Firefox exploit against 13.0 16.0.2 |
|
FA |
|
CNE (hacking) technique used against Tor users |
|
FAIRVIEW |
|
a corporate-run SIGAD, part of the NSA's upstream
collection program, that permits cyber access. Thus it is probable
that it is used in QUANTUM collection. |
see also: QUANTUM, FOXACID. |
FEEDTROUGH |
|
malware for Juniper Networks' Firewalls |
|
FEEDTROUGH |
|
A malicious BIOSS modification that Implants and/or maintains
BANGALEE and/or ZESTYLEAK Juniper Netscreen firewall exploits |
deployed on many target platforms |
FERRETCANNON |
|
A system that injects malware, associated with FOXACID. |
see also, QUANTUM, FOXACID. |
FET |
|
Field Effect Transmitter |
|
FINKDIFFERENT (FIDI) |
|
A Firefox exploit, successful against 10 ESR, but failed against
tbb-firefox |
|
FIREWALK |
$10,740.00 |
FIREWALK is a bidirectional network implant, capable of
passively collecting Gigabit Ethernet traffic and injecting Ethernet packets
onto the same target network. Integrates TRINITY and HOWLERMONKEY.
Provides direct or indirect covert RF link to Remote Operations Center via
a VPN. The version in the catalog requires soldering to a motherboard. |
see also: HOWLERMONKEY, DANDERSPRITZ, TRINITY. Note: unit physically
appears nearly identical to CM-III. Perhaps a subclass of RADON. |
FLUXBABBIT |
$500.00 |
a hardware based bug for Dell PowerEdge 1950 and 2950 servers
using Xeon 5100 and 5300 processors. Installation requires intercepting the
server, while it is enroute to its destination, disassembling it and installing
the hardware. |
|
FLYING PIG |
|
GCHQ SSL/TLS exploitation knowledgebase and tool |
used for MITM attacks against Petrobras et al |
FOXACID |
|
A malicious server that injects malware, by means of spoofed
legitimate-looking pages and does MITM attacks |
|
FOXSEARCH |
|
perhaps a database of all targets to be exploited with FOXACID |
|
FREEFLOW |
|
|
context: DROPOUTJEEP [and TOTEGHOSTLY 2.0] is compliant
with the FREEFLOW project, therefor it is supported in the TURBULANCE
architecture. |
FREEZEPOST |
|
|
|
FRIEZERAMP |
|
A communications protocol that certain infected devices use
to communicate with the NSA. It involves HTTPSlink2. |
see also: TOTEGHOSTLY 2.0 |
FUNNELOUT |
|
|
mentioned in context of tor exploitation |
GALAXY |
|
|
|
GECKO II |
|
IRONCHEF example included A hardware implant (MRRF or GSM),
IRONCHEF persistence backdoor, Software implant UNITEDRAKE Node |
Spotted on IRONCHEF diagram |
GENESIS |
$15,000.00 |
A spectrum analyzer tool, for covertly collecting and locating
signals. A modified Motorola handset. Information downloaded to a laptop
via ethernet port. |
|
GENIE |
|
Multi-stage operation; jumping the airgap etc., refers to certain
classes of hardware that provide a wireless covert network in an allegedly
airgapped environment. |
see allso: CM-I, CM-II, CM-III, HOWLERMONKEY, TOTEGHOSTLY 2.0 |
GEOFUSION |
|
|
related to Petrobras story |
GINSU |
$0.00 |
maintains KONGUR infection, should it be removed |
target systems: Windows 9x, 2000, Vista, XP, 2003 |
GODSURGE |
$500.00 |
The software set for FLUXBABBIT, preconfigured at the factory,
but reconfigurable remotely. For Dell PowerEdge 1950, 2950 servers running
Xeon 5100 and 5300 processor families. |
see FLUXBABBIT, WAGONBED |
GOPHERSET |
$0.00 |
Malware for GSM Phase 2+ SIM cards that use the SIM Toolkit
(STK). Exfiltrates phonebook, SMS, and call logs, via SMS, to a predefined
phone number. Installed either via a USB sim card reader, or remotely (over
the air provisioning) |
See also: MONKEYCANENDAR |
GOURMETTROUGH |
$0.00 |
Maintains BANANAGLEE infection on Juniper Netscreen nsg5t, ns50,
ns25, isg1000, ssg140, ssg5, ssg20 firewalls |
see also: FEEDTROUGH |
GREAT EXPECTATIONS |
|
NSA version of QUICKANT |
|
HALLUXWATER |
|
ROM based exploit for Huawei Eudemon 200, 500, and 1000 series
firewalls. survives bootrom upgrades and OS upgrades. NSA operator has ability
to execute arbitrary code on infected system. |
|
HAMMERMILL |
|
|
See: HAMMERMILL Insertion Tool (HIT) |
HAMMERMILL Insertion Tool (HIT) |
|
command and control system, designed by DNT for exploited Huawei
routers |
|
HC12 |
|
an earlier micro-computer design the NSA used in bugs. |
see also: JUNIORMINT, MAESTRO II, TRINITY |
HEADWATER |
|
software based persistent backdoor for Certain Huawei routers.
Controlled via HAMMERMILL Insertion tool (HIT) |
|
HIGHLANDS |
|
Collection from Implants |
|
HOLLOWPOINT |
|
GSM/UTMS/CSMA2000/FRS signal platform. Operates In the 10MHz
to 4GHz range. Includes receiver and antenna. Can both transmit and receive. |
See also: ENTOURAGE, NEBULA, GALAXY |
HOWLERMONKEY (HM) |
$750-$1,000 |
Covert short to medium range RF Transceiver. Designed to be
integrated with a larger device. Communicates over SPECULATION and CONJECTURE
protocols. Known products that include HOWLERMONKEY are: CM-I, CM-II, FIREWALK,
SUTURESAILOR, and YELLOWPIN. |
See: CM-I, CM-III, FIREWALK, YELLOWPIN, COTS, SPECULATION,
CONJECTURE, STRIKEZONE. |
HOWLERMONKRY |
|
|
See HOWLERMONKEY |
HUSH PUPPY |
|
GCHQ Tool, related to exploitation |
related to Petrobras story |
IRATEMONK |
$0.00 |
Firmware based malware for certain WD, Seagate, Maxtor and Samsung
hard drives. Supports FAT, NTFS, EXT3, and UFS file systems. |
|
IRONCHEF |
$0.00 |
Malware that is used to maintain and reinstall, if necessary,
the software component of systems implanted with the WAGONBED hardware trojan. |
|
ISLANDTRANSPORT |
|
Enterprise Message Service |
|
JETPLOW |
$0.00 |
Firmware-based malware for maintaining BANANAGLEE, software-based
malware on. Cisco PIX 500 series and ASA 5505, 5510, 5520, 5540, and 5550
series firewalls. |
Widely Deployed |
JUNIORMINT |
|
A generic, programmable miniature computer. For use in concealed
bugs. Specs: 400Mhz ARM 9 microcontroller, 32 MB Flash, 64 MB SDRAM, 128MB
DDR2 and an XC4VLX25 10752 Slice FPGA. |
see also: MAESTRO II, TRINITY, SPARROW II |
KONGUR |
|
malware payload, known to be deployed via KONGUR |
|
LANDSHARK |
|
|
see: EBSR |
LEGION JADE |
|
GCHQ cover term, somehow associated with FLYING PIG, which is
a tool used for exploitation. It is probable that this term is also related
to exploitation in some way. |
see also: FLYING PIG, HUSH PUPPY, Byzantine Candor, Byzantine
Hades, Byzantine Anchor. |
LEGION RUBY |
|
GCHQ cover term, somehow associated with FLYING PIG, which is
a tool used for exploitation. It is probable that this term is also related
to exploitation in some way. |
see also: FLYING PIG, HUSH PUPPY, Byzantine Candor, Byzantine
Hades, Byzantine Anchor. |
LFS-2 |
|
A processing system for VAGRANT signals returned by the PHOTOANGLO
system. Requires an external monitor to display the signal. |
see also: PHOTOANGLO, NIGHTWATCH |
LHR |
|
Long Haul Relay |
|
LIFESAVER |
|
Imaging of the Hard Drive |
|
LOUDAUTO |
$30.00 |
An audio bug for a room. Implemented as an RF retro-reflector
(ANGRYNEIGHBOR family). It therefor requires a unit such as CTX4000, to
communicate back to the base. |
See also: ANGRYNEIGHBOR, VARGANT, CTX4000, PHOTOANGLO, DROPMIRE. |
LP |
|
Listening Post |
|
MAESTRO II |
$3,000
- $4,000 |
A generic, programmable miniature computer. For use in concealed
bugs. Specs: 66Mhz ARM 7 microcontroller, 4 MB Flash, 8 MB SDRAM an
XC2V500 500k gates FPGA. Roughly the same size as a dime. |
see also: JUNIORMINT, TRINITY, SPARROW II |
MAGNETIC |
|
Sensor Collection of Magnetic Emanations |
Tempest style attack |
MCM |
|
Multi Chip Module |
|
MIDDLEMAN |
|
TAO covert network. i.e. a network that secretly connects airgapped
computers to the internet. |
|
MINERALIZE |
|
Collection from LAN Implant |
|
MJOLNIR |
|
an internal tor test network ca 2006, with software tools for
the same |
Mjolnir was the Hammer of Thor possible pun
hammer of tor |
MOCCASIN |
|
a version of COTTONMOUTH permanently attached to a USB keyboard |
|
MONKEYCALENDAR |
$0.00 |
Malware for GSM Phase 2+ SIM cards that use the SIM Toolkit
(STK). Exfiltrates geolocation data to a preset phone number via SMS. |
See also GOPHERSET |
MULLENIZE |
|
'USER agent staining, malware |
mentioned in context of tor unmasking |
MUTANT BROTH |
|
GCHQ tool for identifying targets from data returned by QUANTUM
products |
|
NEBULA |
|
A base station router, for intercepting mobile telephone calls
and data transmissions. Uses the TYPHON GUI. Networkable and controllable
via 802.3 and 802.11. |
see also: TYPHON, CYCLONE, DRTBOX, CANDYGRAM, EBSR |
NEWTONS CRADLE |
|
GCHQ-run Tor nodes |
|
NIGHTSTAND (NS) |
|
Mobile hacking platform including laptop, case, and antennas.
Targets windows 2000 and XP, running internet explorer 5-6. Attacks occur
over WiFi, and are alleged to be undetectable to the user. Capable of targeting
several systems simultaneously. With the use of amplifiers, attacks can happen
from up to 8 miles away. |
|
NIGHTWATCH |
|
Specialized system for processing, reconstructing and displaying
video signals collected by VAGRANT. And returned to a CSX4000 or a PHOTOANGLO
system. Obsoleted, replaced by VIEWPLATE. |
SEE VAGRANT, ANGRYNEIGHBOR, CTX4000, PHOTOANGLO. |
OCEAN |
|
Optical Collection System for Raster-Based Computer Screens |
Either tempest style, or done by means of bugged cabling (?) |
OCONUS |
|
|
Not a code name - Outside CONtinental US |
OLYMPUS |
|
A piece of malware used by the NSA, for the purposes of spying. |
see also: SOMBERKNAVE, VALIDATOR, UNITEDRAKE |
OLYMPUSFIRE |
|
An exploitation system, that uses malware to completely control
a target Windows PC. Maintained by a NSA-run Listening Post. |
|
OMNIGAT |
|
|
Spotted on GINSU diagram |
ONIONBREATH |
|
Relates to GCHQ efforts against tor hidden services |
|
OSMJCM-II |
|
|
Spotted in CM-II diagram |
PARCHDUSK (PD) |
|
|
|
PBD |
|
Persistent BackDoor |
|
PBX |
|
Public Branch Exchange Switch |
|
PHOTOANGLO |
$40,000.00 |
Replaces CTX4000, a continuous radar Wave generator, for the
ANGRYNEIGHBOR family of retro-reflector bugs, including VAGRANT, DROPMIRE,
and LOADAUTO. The signals are then sent to a processing system such as NIGHTWATCH
or VIEWPLATE (which process and display the signals from the VAGRANT
monitor-cable bug). The LFS-2 is listed as another type of processing system.
A joint NSA/GCHQ project. |
|
PICASSO |
$2,000.00 |
GSM handset, carried by a witting operator for bugging conversations
and calls within its range. Includes a panic button for the operator. |
|
PPM |
|
Pulse Position Modulate |
|
PROTOSS |
|
Possibly a bridge between the airgapped system and the Internet |
Spotted on COTTONMOUTH-I, CM-II, and FIREWALK diagrams. |
PSP |
|
Personal Security Product. Also: President's Surveillance Program. |
|
QFD |
|
Question Filled Dataset |
|
QFIRE |
|
System used for infecting computers. Involves both TURMOIL,
TURBINE, and additional infrastructure. Co-opted routers, according to Appelbaum,
these may in cases be unwitting home or business routers, that have been
pwned. The Goal seems to be to reduce latency, and therefor increase
the success rate of QUANTUMINSERT/FOXACID attacks. |
see also: QUANTUM, FOXACID. |
QIM/JMSQ |
|
|
Spotted on IRATEMONK, WISTFULTOLL diagrams |
QUANTUM |
|
Perhaps a generalize term for certain styles of hacking used
by NSA and GCHQ. The most popular is the QUANTUMINSERT. |
see also: FOXACID, QUANTUM COOKIE, QUANTUM BOT, QUANTUM THEORY. |
QUANTUM INSERT (QI) |
|
A style of hacking, involving a man-in the middle attack, involving
a malicious server (dubbed FOXACID) that attempts to outrun a legitimate
server (yahoo and linkedIn are favorites), spoof their pages and insert a
trojan into the unsuspecting user. Both NSA and GCHQ use this term |
see also: FOXACID, QUANTUM COOKIE, QUANTUM BOT, QUANTUM THEORY. |
QUANTUMBOT |
|
controls IRC bots |
|
QUANTUMCOOKIE |
|
forces browsers to toss their cookies (divulge them) |
see also: FOXACID, QUANTUM COOKIE, QUANTUM BOT, QUANTUM THEORY. |
QUANTUMCOPPER |
|
corrupts file uploads and downloads. (malware injection on the
fly?). According to Appelbaum, this is also used like the great firewall
of China. |
|
QUANTUMNATION |
|
a system to deploy stage 0 malware such as SEASONEDMOTH.
Stage 0 items are programmed to self-destruct within 30 days. |
see also: QUANTUMTHEROY |
QUANTUMSKY |
|
resets connections (which ones?) |
|
QUANTUMTHEORY |
|
A GCHQ toolkit for QUANTUM products, that expands the range
of spoofable services. Injects a stage 1 malware,
such as VALIDATOR or COMMONDEER |
see also: QUANTUMNATION |
QUICKANT QFD |
|
GCHQ tor analytics/knowledgebase |
|
RADON |
|
Bi-Directional host-tap that can inject Ethernet packets onto
the same target. Allows Bi-directional exploitation of Denied networks using
standard on-net tools. |
Perhaps the ethernet equivalent of DEWSWEEPER (?) |
RAGEMASTER |
$30.00 |
A bugged video cable. Implemented as an RF retro-reflector.
Used for VAGRANT collection. |
See also: VAGRANT, CTX4000, PHOTOANGLO, DROPMIRE, LOADAUTO,
NIGHTWATCH, VIEWPLATE. |
REMATION II |
|
Joint NSA/GCHQ anti-tor Workshop ca 2012 |
|
Retro reflector |
|
a term for a special kind of mirror that always sends a signal
directly back on the path it comes from, regardless of the angle. |
|
RETURNSPRING |
|
|
Spotted on IRATEMONK, WISTFULTOLL diagrams |
ROC |
|
Remote Operations Center |
|
ROC |
|
Remote Operations Center |
|
ROCKYKNOB |
|
Optional Digital Signal Processing (DSP) Module for CROSSBEAM. |
See also: CROSSBEAM |
RONIN |
|
Database of tor events |
|
SCHOOLMONTANA |
|
SCHOOLMONTANA is the cover term for the persistence technique
to deploy a DNT implant to Juniper J-Series Routers. A malicious BIOS
modification. |
see also: SIERRAMONTANA, STUCCOMONTANA, VALIDATOR |
SDR |
|
software Defined radio |
|
SEAGULLFARO |
|
|
Spotted on IRATEMONK, WISTFULTOLL diagrams |
SEASONEDMOTH (SMOTH) |
|
A class of malware that is programmed to automatically die with
in 30 days. (unless instructed to extend its life) |
see also: VALIDATOR, COMMONDEER |
SERUM |
|
|
Spotted on IRATEMONK diagram |
SHARPFOCUS (SF2) |
|
|
|
SHORTSHEET |
|
CNE (hacking) technique used against Tor users |
|
SIERRAMONTANA |
|
SCHOOLMONTANA is the cover term for the persistence technique
to deploy a DNT implant to Juniper M-Series Routers. A malicious BIOS
modification. |
see also: SCHOOLMONTANA, STUCCOMONTANA, VALIDATOR |
SLICKERVICAR |
|
A tool known to be used somewhere in the process of uploading
malicious HD firmware |
Known to be used with IRATEMONK |
SNEAKERNET |
|
Not a codename, a term for the network communication
protocol involving someone physically carrying storage media between
machines. |
|
SOMBERKNAVE |
$50,000.00 |
software based malware, intended to bridge airgaps by using
an unused 802.11 wireless interface. For Windows XP. Allows other malware
to call home In particular, the VALIDATOR and OLYMPUS trojans. |
see also: VALIDATOR |
SOUFFLETROUGH |
$0.00 |
A malicious BIOS Modification that maintains BANANAGLEE infection
on Juniper SSG 320M, SSG 350M, SSG 520, SSG 550, SSG 520M, SSG 550M. |
See also: FEEDTROUGH, GOURMETTROUGH, BANANAGLEE, ZESTYLEAK |
SPARROW II |
$6,000.00 |
A microcomputer specialized for UAV operations. Includes Integrated
WLAN, and Mini PCI slots supporting . IBM PowerPC 405GR, 64MB SDRAM, 16MB
Flash. Designed for survey of wireless networks (Wifi/GSM, etc, depending
on expansion cards). |
See also: TRINITY, MAESTRO II, JUNIORMINT |
SPECULATION |
|
RF communication protocol, used by HOWLERMONKEY devices, Including
CM-I, CM-III, FIREWALK. |
|
SSG |
|
|
Spotted on IRATEMONK, WISTFULTOLL diagrams |
STEELFLAUTA |
|
A SIGAD used for TAO, and thus QUANTUM, FOXACID, amd the like. |
see also, QUANTUM, FOXACID. |
STRAITBAZARRE |
|
|
see also: STRAITBIZARRE |
STRAITBIZARRE (SB) |
|
Software made By Digital Network Technologies (DNT) for controlling
and receiving data from implants. Also involved somewhere in
the process of uploading malicious HD firmware (works with a tool called
SLICKERVICAR to accomplish this) |
Known to be used for COTTONMOUTH-I, COTTONMOUTH-II, COTTONMOUTH-III,
DROPOUTJEEP, IRATEMONK, TOTEGHOSTLY 2.0 |
STRIKEZONE |
|
Context: HOWLERMONKEY is a COTS- based transceiver designed
to be compatible with CONJECTURE/SPECULATION networks and STRIKEZONE devices
running a HOWLERMONKEY personality. |
see also: HOWLERMONKEY |
STRONGMITE |
|
somewhere on the ROC side of operations.... |
Spotted on IRONCHEF diagram |
STUCCOMONTANA |
|
SCHOOLMONTANA is the cover term for the persistence technique
to deploy a DNT implant to Juniper T-Series Routers. A malicious BIOS
modification. |
see also: SCHOOLMONTANA, SIERRAMONTANA, VALIDATOR |
STUXNET |
|
A jointly US/Isreali written piece of malware intended to infect,
and physically destroy Iranian nuclear Centrifuges. (which it did) Also spilled
on to non-targeted SCADA systems, causing collateral damage. |
|
SURLYSPAWN |
$30.00 |
A keyboard or mouse bug implemented as an RF retro-reflector
embedded in the cabling. This brings it into the ANGRYNEIGHBOR family of
bugs. |
see also: ANGRYNEIGHBOR, VAGRANT, DROPMIRE, SURLYSPAWN, CTX4000,
PHOTOANGLO, RAGEMASTER |
SURPLUSHANGAR |
|
|
|
SUTURESAILOR |
|
a particular device that includes a HOWLERMONKEY component |
see also: HOWLERMONKEY |
SWAP |
$0.00 |
A combination of a malicious BIOS modification and a malicious
Hard Disk firmware modification (in the host protected area) used to maintain
software based malware on the victim computer. Appears to work on a variety
of systems running Windows, Linux, FreeBSD or Solaris. The file system may
be FAT32, NTFS, EXT2, EXT3, or UFS 1.0. |
see also: ARKSTREAM, TWISTEDKILT, TUNINGFORK |
TAO |
|
Tailored Access Operations. NSA's hacking and bugging unit. |
|
Target Profiler |
|
A tool that lists which targets are vulnerable to exploits,
and which. |
see: QUANTUMNATION, QUANTUMTHEORY |
TAWDRYYARD |
$30.00 |
An ANGRYNEIGHBOR RF retro-reflector whose purpose is to serve
as a beacon, so the RF wave generator (CTX4000 or PHOTOANGLO) can locate
RAGEMASTER video cable bugs, and home in on them. |
see also: ANGRYNEIGHBOR, VAGRANT, DROPMIRE, SURLYSPAWN, CTX4000,
PHOTOANGLO, RAGEMASTER |
TLN |
|
Twisty Lobby Number. (not really well explained in doc) |
|
TOTECHASER |
|
Software-based malware for Thuraya 2520 satellite-cellular handsets
running Windows CE. Designed to exfiltrate GPS and GSM geolocation data,
as well as the call log and contact list, and other data via covert SMS messages.
SMS messages are also the means by which the attacker controls the phone.
Implementation requires modifying the phone itself, not yet deployed as of
Oct 2008. |
see also: TOTEGHOSTLY |
TOTEGHOSTLY 2.0 |
$0.00 |
Malware for Windows Mobile -based handsets. Written using DNT's
CHIMNEYPOOL framework, and controlled via STRAITBIZARRE. Used to infiltrate
and exfiltrate files, SMS, contact lists, geolocation via SMS or GPRS data
connection. From or to the victim device The attacker has the ability to
control the camera and microphone, and also send other commands to the device.
The encrypted protocol it uses to communicate is referred to as FRIEZERAMP. |
see also: STRAITBIZARRE, CHIMNEYPOOL, FREEFLOW, TURBULENCE,
GENIE, FRIEZERAMP, TOTECHASER |
TRINITY |
$6,250.00 |
A microcomputer, designed to be part of a bug. Specs: 100Mhz
ARM 9 Microcontroller, 4MB flash, 96MB SDRAM. Smaller than a penny. Known
to be a component of CM-I, CM-III, FIREWALK |
see also: MAESTRO II, JUNIORMINT |
TUMULT |
|
associated with TURBULANCE. Somehow involved with QUANTUMTHEORY.
Not precicely clear. |
see also: TURBULANCE, QUANTUM |
TUNING FORK |
|
|
spotted on DIETYBOUNCE, IRATEMONK, and SWAP diagrams |
TURBINE |
|
System used for infecting computers. Deep Packet
Injection |
Spotted on COTTONMOUTH-I, and CM-II diagrams, ref in Appelbaum's
talk |
TURBOPANDA |
|
cover term for joint CIA/NSA project to exploit Huawei network
equipment |
|
TURBOPANDA Insertion Tool (PIT) |
|
command and control system for exploited Huawei firewalls |
|
TURBULANCE |
|
A system integrating passive collection, active hacking, and
active hacking defense |
see also:
http://en.wikipedia.org/wiki/Turbulence_%28NSA%29 |
TURMOIL |
|
NSA's passive SIGINT collection system. Deep packet
inspection |
|
TUTELAGE |
|
NSA's own defense system against hacking. |
|
TWISTEDKILT |
|
a hard drive firmware updating program used to install malicious
firmware of a victim Hard drive. |
see also: SWAP |
TYPHON HX |
$175,000
(4 month rental) |
GSM base station router. Used to collect call logs from targeted
phones. Administrated with a laptop via SMS, but is otherwise a standalone
unit. There is no apparent ability to network these together, though other
units, running the same software can do so (CYCLONE Hx9). |
See also: CYCLONE Hx9, CANDYGRAM, DRTBOX, NEBULA |
UAV |
|
Unmanned aerial vehicle. A drone. |
|
UNITEDRAKE |
|
A program similar to STRAITBIZARRE, used for uploading malicious
HDD firmware, works with SLICKERVICAR. Known components include a GUI, a
database, and a server, and a manned listening post. It includes a trojan
of the same name. Digital Network Technologies (DNT), a private company,
actively maintains the listening posts for UNITEDRAKE, as well as design
and deploy malware. |
Spotted on IRATEMONK diagram |
VAGRANT |
|
Collection of computer Screens. The monitor cables are rigged
with an RF retro reflector, (RAGEMASTER). VAGRANT collection therefor requires
a continuous RF generator such as CTX4000 or PHOTOANGLO, and a system to
process and display the returned video signal such as NIGHTWATCH, GOTHAM,
LS-2 (with an external monitor), or VIEWPLATE. Known to be deployed in the
field , as of September 2010 at the following embassies: Brazil's UN Mission
in NY (POKOMOKE), France's UN Mission in NY (BLACKFOOT), India's Embassy
and annex in DC, and India's UN Mission in New York. India's embassies were
slated to be detasked, at the time of the document. Context of documents
seems to suggest, but does not definitively prove that the coverterm VAGRANT
only applies to the signal itself. |
See also: CTX4000, DROPMIRE, RAGEMASTER, PHOTOANGLO |
VALIDATOR |
|
A software based malware item designed to run on certain Juniper
routers (J, M, and T Series) running the JUNOS operating system. It must
be maintained by means of a malicious BIOS modification. A typical use case
involves the exfiltration of data from the victimized system. A separate
document describes VALIDATOR as a backdoor used against Windows systems (win
98-2003). In this instance, it will identify the system, and if it is truly
a target, invite a more sophisticated trojan in, such as UNITEDRAKE or OLYMPUS.
This trojan has been used to de-anonymize tor users. A third version of VALIDATOR
works for Apple iOS devices. The QUANTUMNATION states that the success rate
against iOS devices is 100%. |
See SCHOOLMONTANA, SIERRAMONTANA, STUCCOMONTANA |
VIEWPLATE |
|
Replacement for the NIGHTWATCH system. |
See NIGHTWATCH, PHOTOANGLO |
WAGONBED |
|
a malicious hardware device that provides covert 2-way RF
communications on the I2C channel of HP Proliant 380DL G5 servers. WAGONBED
2 can be mated with a Motorola G20 GSM module to form CROSSBEAM. |
See also: CROSSBEAM, IRONCHEF, FLUXBABBIT, GODSURGE |
WATERWITCH |
|
Handheld device for homing in on target handsets, used in
conjunction with TYPHON or similar systems to provide more precise location
information. |
see also: TYPHON |
WHITETAMALE |
|
Operation against the Mexican Public Security Secretariat |
|
WISTFULTOLL |
$0.00 |
A plugin for UNITEDRAKE and STRAITBIZARRE that extracts WMI
and registry information from the victim machine. Also available as a stand-alone
executable. Can be installed either remotely, or by USB thumb drive. In the
latter case, exfiltrated data will be stored on that same thumb drive. Works
on Windows 2000, XP, and 2003 |
See also: IRATEMONK, STRAITBIZARRE, SEAGULLFARO, UNITEDRAKE,
RETURNSPRING |
YELLOWPIN |
|
a particular device that includes a HOWLERMONKEY component |
see also: HOWLERMONKEY |
ZESTYLEAK |
|
a software exploit made by CES for Juniper Netscreen ns5xt,
ns50, ns200, ns500, ISG 1000 firewalls |
See also FEEDTROUGH |