Subject: List of NSA/GCHQ codenames affiliated with hacking and bugging.
I have compiled a list of codenames used by the NSA/GCHQ that are affiliated with hacking and bugging. The recent series of Der Spiegel articles has resulted in a dramatic expansion of what is known about them.
I have also included my original spreadsheet, for the use of others who have been maintaining similar lists.
Send any comments or corrections to my twitter handle: @paulmd199, and I will seek to integrate them into a future expanded
version, which will also integrate codenames from other areas, in order to form a more complete picture.
Software included on SPARROW II mini computers. Also seen in another context on QFIRE slide as part of a “TAO covert
network.” See also: STRAITBIZARRE, QUANTUM, SPARROW II
BSR
Base Station Router, used for intercepting GSM cell phone signals. Ships with laptop and accessories, networkable with other units
via 802.11. Supports CANDYGRAM and LANDSHARK capabilities.
BULLDOZER
PCI bus malicious hardware. Installed via “interdiction”.
Byzantine Anchor (BA)
“BA, a subset of Byzantine Hades, refers to a group of associated computer network intrusions with an apparent nexus to China.”
Source: Cablegate
Byzantine Candor (BC)
Refers to a certain class of hacking by Chinese actors. Byzantine Candor is a subset of Byzantine Hades relating to intrusion,
including by means of social engineering involving delivering malicious payloads by email. Source: Cablegate
Byzantine Hades (BH)
“a cover term for a series of related computer network intrusions with a believed nexus to China, has affected U.S. and foreign
governments as well as cleared defense contractors since at least 2003” Believed to be Chinese state-sponsored (the PLA in particular), though the evidence is tenuous (ca 2009). In general, victims of Chinese-affiliated hacking are legitimate businesses,
including defense contractors. They have been successful in exfiltrating large volumes of confidential emails and other sensitive
documents. Source: Cablegate
CANDYGRAM $40,000.00 Mimics GSM cell tower. Also included in the package are a Windows XP laptop, and cell phone, that
communicate with the unit via SMS messages. Capable of targeting 200 phone numbers simultaneously. See also: DRTBOX,
Stingray, CANDYGRAM, NEBULA, CYCLONE, TYPHON
CDR Diode
Spotted on IRATEMONK, WISTFULTOLL diagrams (Note: Must replay Appelbaum's talk about these). See also: IRATEMONK,
GCHQ cover term, somehow associated with FLYING PIG, which is a tool used for exploitation. It is probable that this term is also related to exploitation in some way. see also: FLYING PIG, HUSH PUPPY, Byzantine Candor, Byzantine Hades, Byzantine Anchor.
LEGION RUBY
GCHQ cover term, somehow associated with FLYING PIG, which is a tool used for exploitation. It is probable that this term is also
related to exploitation in some way. see also: FLYING PIG, HUSH PUPPY, Byzantine Candor, Byzantine Hades, Byzantine Anchor.
LFS-2
A processing system for VAGRANT signals returned by the PHOTOANGLO system. Requires an external monitor to display the
signal. see also: PHOTOANGLO, NIGHTWATCH
LHR
Long Haul Relay
LIFESAVER
Imaging of the Hard Drive
LOUDAUTO $30.00 An audio bug for a room. Implemented as an RF retro-reflector (ANGRYNEIGHBOR family). It therefore requires
a unit such as CTX4000, to communicate back to the base. See also: ANGRYNEIGHBOR, VAGRANT, CTX4000, PHOTOANGLO,
DROPMIRE.
LP
Listening Post
MAESTRO II $3,000 - $4,000 A generic, programmable miniature computer. For use in concealed bugs. Specs: 66 MHz ARM 7
microcontroller, 4 MB Flash, 8 MB SDRAM, and an “XC2V500 500k gates” FPGA. Roughly the same size as a dime. See also:
JUNIORMINT, TRINITY, SPARROW II
MAGNETIC
Sensor Collection of Magnetic Emanations. Tempest style attack.
MCM
Multi Chip Module
MIDDLEMAN
TAO covert network. i.e. a network that secretly connects airgapped computers to the internet.
MINERALIZE
Collection from LAN Implant
MJOLNIR
An internal Tor test network ca 2006, with software tools for the same. Mjolnir was the “Hammer of Thor”; possible pun: “hammer of tor”.
A style of hacking involving a man-in-the-middle attack, in which a malicious server (dubbed FOXACID) attempts to outrun a
legitimate server (Yahoo and LinkedIn are favorites), spoof their pages and insert a trojan into the unsuspecting user. Both NSA and
GCHQ use this term. See also: FOXACID, QUANTUM COOKIE, QUANTUM BOT, QUANTUM THEORY.
QUANTUMBOT
controls IRC bots
QUANTUMCOOKIE
Forces browsers to toss their cookies (divulge them). See also: FOXACID, QUANTUM COOKIE, QUANTUM BOT, QUANTUM THEORY.
QUANTUMCOPPER
corrupts file uploads and downloads. (malware injection on the fly?). According to Appelbaum, this is also used like the “great
firewall of China”.
QUANTUMNATION
A system to deploy “stage 0” malware such as SEASONEDMOTH. Stage 0 items are programmed to self-destruct within 30 days.
See also: QUANTUMTHEORY
QUANTUMSKY
resets connections (which ones?)
QUANTUMTHEORY
A GCHQ toolkit for QUANTUM products, that expands the range of “spoofable” services. Injects a “stage 1” malware, such as VALIDATOR or COMMONDEER. See also: QUANTUMNATION
QUICKANT QFD
GCHQ Tor analytics/knowledgebase
RADON
Bi-Directional host-tap that can inject Ethernet packets onto the same target. Allows Bi-directional exploitation of Denied
networks using standard on-net tools. Perhaps the ethernet equivalent of DEWSWEEPER (?)
RAGEMASTER $30.00 A bugged video cable. Implemented as an RF retro-reflector. Used for VAGRANT collection. See also:
Optional Digital Signal Processing (DSP) Module for CROSSBEAM. See also: CROSSBEAM
RONIN
Database of Tor events
SCHOOLMONTANA
“SCHOOLMONTANA is the cover term for the persistence technique to deploy a DNT implant to Juniper J-Series Routers.” A malicious BIOS modification. See also: SIERRAMONTANA, STUCCOMONTANA, VALIDATOR
SDR
Software Defined Radio
SEAGULLFARO
Spotted on IRATEMONK, WISTFULTOLL diagrams
SEASONEDMOTH (SMOTH)
A class of malware that is programmed to automatically die within 30 days (unless instructed to extend its life). See also:
VALIDATOR, COMMONDEER
SERUM
Spotted on IRATEMONK diagram
SHARPFOCUS (SF2)
SHORTSHEET
CNE (hacking) technique used against Tor users
SIERRAMONTANA
“SCHOOLMONTANA is the cover term for the persistence technique to deploy a DNT implant to Juniper M-Series Routers.” A
malicious BIOS modification. see also: SCHOOLMONTANA, STUCCOMONTANA, VALIDATOR
SLICKERVICAR
A tool known to be used somewhere in the process of uploading malicious HD firmware. Known to be used with IRATEMONK
SPARROW II $6,000.00 A microcomputer specialized for UAV operations. Includes Integrated WLAN, and Mini PCI slots supporting .
IBM PowerPC 405GR, 64MB SDRAM, 16MB Flash. Designed for survey of wireless networks (Wifi/GSM, etc, depending on
expansion cards). See also: TRINITY, MAESTRO II, JUNIORMINT
SPECULATION
RF communication protocol, used by HOWLERMONKEY devices, including CM-I, CM-III, FIREWALK.
SSG
Spotted on IRATEMONK, WISTFULTOLL diagrams
STEELFLAUTA
A SIGAD used for TAO, and thus QUANTUM, FOXACID, and the like. See also: QUANTUM, FOXACID.
STRAITBAZARRE
see also: STRAITBIZARRE
STRAITBIZARRE (SB)
Software made by Digital Network Technologies (DNT) for controlling and receiving data from “implants”. Also involved somewhere in the process of uploading malicious HD firmware (works with a tool called SLICKERVICAR to accomplish this). Known
to be used for COTTONMOUTH-I, COTTONMOUTH-II, COTTONMOUTH-III, DROPOUTJEEP, IRATEMONK, TOTEGHOSTLY 2.0
STRIKEZONE
Context: “HOWLERMONKEY is a COTS-based transceiver designed to be compatible with CONJECTURE/SPECULATION networks
and STRIKEZONE devices running a HOWLERMONKEY personality.” See also: HOWLERMONKEY
STRONGMITE
somewhere on the ROC side of operations.... Spotted on IRONCHEF diagram
STUCCOMONTANA
“SCHOOLMONTANA is the cover term for the persistence technique to deploy a DNT implant to Juniper T-Series Routers.” A
malicious BIOS modification. see also: SCHOOLMONTANA, SIERRAMONTANA, VALIDATOR
STUXNET
A jointly US/Israeli written piece of malware intended to infect, and physically destroy, Iranian nuclear centrifuges (which it did).
Also spilled on to non-targeted SCADA systems, causing “collateral damage”.
SURLYSPAWN $30.00 A keyboard or mouse bug implemented as an RF retro-reflector embedded in the cabling. This brings it into
the ANGRYNEIGHBOR family of bugs. see also: ANGRYNEIGHBOR, VAGRANT, DROPMIRE, SURLYSPAWN, CTX4000, PHOTOANGLO,
A hard drive firmware updating program used to install malicious firmware on a victim hard drive. See also: SWAP
TYPHON HX $175,000 (4 month rental) GSM base station router. Used to collect call logs from targeted phones. Administered
with a laptop via SMS, but is otherwise a standalone unit. There is no apparent ability to network these together, though other
units, running the same software can do so (CYCLONE Hx9). See also: CYCLONE Hx9, CANDYGRAM, DRTBOX, NEBULA
UAV
Unmanned aerial vehicle. A drone.
UNITEDRAKE
A program similar to STRAITBIZARRE, used for uploading malicious HDD firmware; works with SLICKERVICAR. Known components
include a GUI, a database, a server, and a manned listening post. It includes a trojan of the same name. Digital Network
Technologies (DNT), a private company, actively maintains the listening posts for UNITEDRAKE, as well as designing and deploying
malware. Spotted on IRATEMONK diagram
VAGRANT
Collection of computer screens. The monitor cables are rigged with an RF retro-reflector (RAGEMASTER). VAGRANT collection
therefore requires a continuous RF generator such as CTX4000 or PHOTOANGLO, and a system to process and display the returned
video signal such as NIGHTWATCH, GOTHAM, LFS-2 (with an external monitor), or VIEWPLATE. Known to be deployed in the field,
as of September 2010, at the following embassies: Brazil's UN Mission in NY (POKOMOKE), France's UN Mission in NY
(BLACKFOOT), India's Embassy and annex in DC, and India's UN Mission in New York. India's embassies were slated to be detasked
at the time of the document. Context of documents seems to suggest, but does not definitively prove, that the cover term
VAGRANT only applies to the signal itself. See also: CTX4000, DROPMIRE, RAGEMASTER, PHOTOANGLO
VALIDATOR
A software based malware item designed to run on certain Juniper routers (J, M, and T Series) running the JUNOS operating
system. It must be maintained by means of a malicious BIOS modification. A typical use case involves the exfiltration of data from
the victimized system. A separate document describes VALIDATOR as a backdoor used against Windows systems (win 98-2003). In this instance, it will identify the system, and if it is truly a target, invite a more sophisticated trojan in, such as UNITEDRAKE or
OLYMPUS. This trojan has been used to de-anonymize Tor users. A third version of VALIDATOR works for Apple iOS devices. The
QUANTUMNATION states that the success rate against iOS devices is 100%. See SCHOOLMONTANA, SIERRAMONTANA,
STUCCOMONTANA
VIEWPLATE
Replacement for the NIGHTWATCH system. See NIGHTWATCH, PHOTOANGLO
WAGONBED
A malicious hardware device that provides covert 2-way RF communications on the I2C channel of HP Proliant 380DL G5 servers.
WAGONBED 2 can be mated with a Motorola G20 GSM module to form CROSSBEAM. See also: CROSSBEAM, IRONCHEF,