December 3, 2013

NSA's global interception network

(Updated: August 29, 2017)

On November 23, the Dutch newspaper NRC Handelsblad published a new slide from the Snowden documents. The slide is from a Top Secret NSA management presentation from 2012 and shows the agency's worldwide information collection capabilities.

As the slide is titled "Driver 1: Worldwide SIGINT/Defense Cryptologic Platform" there must be more slides with "Drivers", but unfortunately these were not published.

This article will take a close look at the map and tries to provide an explanation of the various interception locations of what is NSA's new ECHELON network for the internet age:

Click the map for a bigger version - it opens in a new tab or window,
so you can keep the map stand-by while reading this article

The slide shows five types of data collection, called "Classes of Accesses". These correspond to the organizational channels through which NSA gathers it's intelligence:
- 3rd PARTY/LIAISON - Intelligence sharing with foreign agencies
- REGIONAL - SCS units, a joint venture between NSA and CIA
- CNE - NSA's Tailored Access Operations (TAO) division
- LARGE CABLE - NSA's Special Source Operations (SSO) division
- FORNSAT - NSA's Global Access Operations (GAO) division

Besides the collection capabilities shown in this map, NSA also collects data through a range of tactical collection systems that support military operations, as well as through drones, planes and satellites (called Overhead Collection). Ground stations for spy satellites are at Menwith Hill in the UK and in Pine Gap in Australia.

3rd PARTY/LIAISON (Intelligence sharing)

As the first class of access, the slide lists the so-called 3rd Party liaisons with partner agencies in other countries with which NSA has formal agreements for the exchange of raw data and end product reports.

The legend designates 3rd Party Liaisons with a green dot, but there are no green dots on the map, which seems strange. One possible explanation could be that the different colored dots appear one by one after clicking the original powerpoint presentation, but according to a tweet of one of the NRC journalists, there were no green dots on the original map.

Another possible explanation is that 3rd Party stands for countries, whereas all other dots represent specific facilities. This however could have been solved by simply listing the nations just like the Regional and Fornsat lists at the top of the map.

With that not being the case, the most likely reason seems to be that NSA considers the names of these 3rd Party nations to be too sensitive to be mentioned in a TOP SECRET//COMINT document. Probably they may only be in documents classified within the Exceptionally Controlled Information (ECI) control system, just like the names of the telecommunication companies cooperating with NSA (the exact locations and even the codenames of the cable tapping facilities are also not mentioned in the map's legend).

This makes that it's still a big secret which 30 countries are NSA's 3rd party partners. Based upon the Snowden-documents, the German magazine Der Spiegel only published the names of these six European countries:
- Germany
- France
- Austria
- Denmark
- Belgium
- Poland
Some other sources also named the following countries as 3rd party partners:
- Norway
- Italy
- Greece
- Turkey
- Israel
- South-Africa
  - Thailand
- Malaysia
- Singapore
- Japan
- South-Korea
- Taiwan
NRC Handelsblad reported that The Netherlands is a 3rd party partner too, but presented no evidence for that. According to an article (pdf) by Dutch scolars it's not very likely that Dutch agencies are a formal 3rd party partner of NSA, as they have different political and cultural views. Nonetheless, the Netherlands has always been a loyal partner in military operations and so there is regular information sharing on that level.

An NSA slide published in May 2014 in Glenn Greenwald's book No Place To Hide revealed the names of all 33 Third Party countries for the very first time:

Slide from an NSA presentation titled 'Foreign Partner Review'
from 2013, showing the 2nd and 3rd Party partners

On October 30, 2013 the Spanish paper El Mundo published an undated document showing cooperation with various countries on four different levels. The first group is called "Tier A" which is "Comprehensive Cooperation" with the UK, Australia, Canada and New Zealand (the Five Eyes). The second group is "Tier B" and is about "Focused Cooperation" with some 20 countries. The third group of "Limited cooperation" consists of countries such as France, Israel, India and Pakistan. Finally, the fourth group is about "Exceptional Cooperation" with countries that the US considers to be hostile to its interests.

The general interpretation of this document is that is shows countries with which NSA is cooperating for Computer Network Operations (CNO), with the Tier B countries probably being a subset of the Third Party nations.

The list has no date, but it does have a declassification date (20291123), which minus 25 years (the standard classification period) would mean the document is from 2004. That opens up the possibility that Tier B might actually show that in 2004 there were just 20 Third Party countries, a number which then might have raised to 30 by 2012.
A strange thing about the list is that it's only classified as CONFIDENTIAL, where the text document itself is SECRET//COMINT.

REGIONAL (Special Collection Service)

Under "Regional" the map shows over 80 locations of the joint NSA-CIA Special Collection Service (SCS) units. These units are covertly based in US embassies and consulates all around the world and are charged with eavesdropping on high-level targets in difficult-to-reach places, such a foreign embassies, communications centers, and foreign government installations.

The names of 88 locations are listed at the top of the map, but 46 of them are blacked out. According to NRC Handelsblad, Glenn Greenwald asked them to do so, because of "protection of the source and the agreement we have with him: it's not really newsworthy". But Snowden apparently also insisted on this in order to protect his legal interests and therefore he provided Greenwald a "clear list" about categories of information that should not be published.

Earlier, a map showing SCS locations worldwide was published by the German magazine Der Spiegel. Initially an unredacted map was put online by accident, but before it was replaced, it was already copied onto several websites. This map showed 74 staffed SCS locations, 14 unmanned remote controlled locations and 8 other locations as of August 2010. Except for the SCS locations in Europe, the names of all other cities were blurred by Der Spiegel:

If we compare the European cities in this map from 2010 with those in the NRC map from 2012, we see that the latter doesn't show the following places: Baiku, Croughton, Kiev, Madrid, Moscow, and Tbilisi.

This could mean these SCS activities were terminated in the meantime, but also that their names were simply blacked out, which is definitely the case for Moscow and Madrid (having a dot on the map but not being mentioned in the legend) and seems likely for the technical SCS support facility at the US Air Force base in Croughton (or might this be "RESC" if it stands for something like Regional Exploitation Support Center?).
The latter option was confirmed in a slide showing a map of all SCS locations as of January 1, 2002, which was published by the Italian paper L'Espresso on December 6:

Also interesting is that the legend of the 2012 map reveals SCS locations in the US:
- Langley, Virginia, where the CIA headquarters is
- Reston, Virginia, where there's a small CIA facility too
These two locations are most likely not for eavesdropping, but rather serve as technical, training or support facilities. The headquarters of the Special Collection Service (SCS) itself is in Beltsville, Maryland.

CNE (Computer Network Exploitation)

The yellow dots on the map give some indication of where NSA has placed over 50.000 implants in computer networks as part of it's Computer Network Exploitation (CNE) operations. These operations are conducted by NSA's highly specialized and secretive Tailored Access Operations (TAO) division.

In 2004 NSA was managing a small network of only 100 to 150 implants. But over the next six to eight years, (TAO) recruited new hackers and developed new malware tools, the number of implants soared to tens of thousands. Based on the secret budget of the American intelligence agencies, the Washington Post reported that NSA installed an estimated 20,000 computer implants as early as 2008.

Other reports indicate that meanwhile the agency has already deployed between 85,000 and 100,000 of its implants against computers and networks across the world, with plans to keep on scaling up those numbers.

Compared to these numbers of implants, there's only a very small number of yellow dots on the map, so they probably provide only an indication of the regions where NSA placed most of them. As such we see India, China, Mexico, the northern part of South-America, north-east Africa, eastern Europe, the European part of Russia and the Middle-East.

It was probably TAO, maybe in collaboration with Israeli intelligence services, that developed the Stuxnet computer worm, which was discovered in 2010 and was supposedly created to attack Iranian nuclear facilities.

From the Snowden-leaks we know that Tailored Access Operations uses a wide variety of sophisticated hacking tools to gain access to foreign computer networks. For example, they operate a network of secret internet servers, codenamed FOXACID, which is used to attract the traffic of targets, in order to install spying software on their computers.

Under codenames like ERRONEOUSINGENUITY and EGOTISTICALGIRAFFE, TAO is also trying to get access to the TOR network, which enables full anonymity while using the internet.

Slide from a TAO presentation about exploiting the TOR network

LARGE CABLE (Access to the Internet Backbone)

The big blue dots represent 20 major "covert, clandestine, or cooperative large accesses" to "high speed optical cable" links which form the internet backbone. It's this way that the Special Source Operations (SSO) division collects the largest share of NSA's intelligence. Maybe therefore the blue dots are the biggest ones.

The map itself shows just 16 blue dots, but as the legend says "20 Access Programs" it's possible that there are 20 programs and only 16 actual intercept locations, or that not all locations are marked on the map (which is also the case for the FORNSAT locations).

The 16 Cable Access locations marked on the map seem to be in:
- Indonesia
- South Korea
- Guam
- Caroline Islands?
- Hawaii
- 4 locations at the US West coast
- 2 locations at the US East coast
- Cornwall, UK
- France (Marseille?)
- Djibouti
- Oman
- Afghanistan?

In most of these countries there's an American military base, which probably makes it easier to get covert and clandestine access to internet backbone cables. But as we know from earlier reports, NSA and GCHQ also have secret cooperation arrangements with major American, British and foreign telecommunication and internet providers, in order to get access to internet traffic.

One supposed cable tapping location that's missing on the map is the Ayios Nikolaos station, which is part of the British Sovereign Base Area of Dhekelia on Cyprus. This station was identified by the Italian paper L'Espresso as a major cable intercept facility run by GCHQ.

The main NSA programs for intercepting internet cables are:
- Through corporate partners inside the US:
- BLARNEY (collection under FISA authority, since 1978)
- FAIRVIEW (cooperation with AT&T, since 1985)
- STORMBREW (cooperation with Verizon, since 2001)
- Through corporate partners outside the US:
- OAKSTAR (cooperation with 7 telecoms, since 2004):
- ORANGECRUSH (through PRIMECANE partner)
- YACHTSHOP (through BLUEANCHOR partner)
Most of these OAKSTAR sub-programs are "foreign access points", so maybe they, or some of them are represented by the blue dots on the map.

Besides cable access through corporate partners, the SSO division also taps internet traffic in two other ways, which are shown in the presentation slide below:
- Through unilateral operations:
- RAMPART-M (undersea cables, since 1986)
- RAMPART-T (land-based cables, with CIA, since 1991)
- RAMPART-I/X (Iraq/Afghanistan, since 2001)
- DANCINGOASIS (since 2011)
- MYSTIC (since 2009), including:
- DUSKPALLET (GSM metadata from Kenya)
- EVENINGEASEL (GSM metadata from Mexico)
- VENATOR (GSM metadata from the Phillippines)
- SOMALGET (audio content buffer), including:
- BASECOAT (Bahamas)
- SCALAWAG (Afghanistan)
- OILYRAG (Afghanistan)
- LOLLYGAG (Afghanistan)
- ACIDWASH (Afghanistan)
- Through foreign partners:
- WINDSTOP (2nd Party), including:
- Two undisclosed programs
- RAMPART-A (3rd Party), with at least 5 sites:

If we add up all these Corporate, Unilateral and Foreign cable access programs, we get a total of around 20 programs, which equals the number of 20 Major Accesses mentioned in the legend of the map.

A slide from a 2010 presentation of the Special Source Operations (SSO)
division about access to "high-capacity telecommunication systems"

Slides from more recent years reveal the names of the programs that were redacted in the slide above, as well as additional programs that subsequently became operational:

Slide about NSA's cable tapping programs from 2011 and 2013
(click to enlarge)

FORNSAT (Foreign Satellite interception)

Finally, the orange dots on the map represent locations where there are stations for intercepting the signals of foreign communication satellites. The orange dots are the second biggest ones, so maybe this indicates that FORNSAT collection provides the second largest share of intelligence.

The legend in the bottom right corner says there are "12 + 40 Regional" FORNSAT stations, but on the map there are only 6 dots and the list in the upper right corner lists only 10 codenames. The six locations on the map can be identified as:
- INDRA - Khon Kuen (Thailand)
- ? - (Philippines)
- LADYLOVE - Misawa (Japan)
- TIMBERLINE - Sugar Grove (US)
- CARBOY - Bude, on the map combined with:
- MOONPENNY - Menwith Hill (Great Britain)
- ? - Skibsbylejren (Denmark)

Five FORNSAT stations have their codename listed, but are, for reasons unknown, not marked on the map:
- STELLAR - Geraldton (Australia)
- IRONSAND - Waihopai (New Zealand)
- JACKKNIFE - Yakima (US)
- SOUNDER - Ayios Nikolaos (Cyprus)
- SNICK - near Seeb (Oman)

The locations in the map published by NRC Handelsblad can be compared to those on a map shown by Brazilian media, which is about Primary FORNSAT Collection:

In this map, which is said to be from 2002, we see the following satellite intercept stations:
US Sites:
- TIMBERLINE, Sugar Grove (US)
- CORALINE, Sabena Seca (Puerto Rico)
- SCS, Brasilia (Brazil)
- MOONPENNY, Harrogate (Great Britain)
- GARLICK, Bad Aibling (Germany)
- LADYLOVE, Misawa (Japan)
- LEMONWOOD, Thailand
- SCS, New Delhi (India)
  2nd Party Sites:
- CARBOY, Bude (Great Britain)
- SOUNDER, Ayios Nikolaos (Cyprus)
- SNICK, near Seeb (Oman)
- SCAPEL, Nairobi (Kenya)
- STELLAR, Geraldton (Australia)
- SHOAL BAY, Darwin (Australia)
- IRONSAND, New Zealand

If we compare both maps, we see some notable differences. First of all, four stations from 2002 are not on the 2012 map, nor in its legend:
- CORALINE - Sabena Seca (Puerto Rico)
- GARLICK - Bad Aibling (Germany)
- SCAPEL - Nairobi (Kenya)
- SHOAL BAY - Darwin (Australia)

The station in Sabena Seca was closed down and the same has probably happened to the one in Nairobi.

NSA's large satellite intercept station Bad Aibling was closed in 2004, but most of the facilities, including nine of the large satellite dishes hidden under white radomes, were handed over to the German foreign intelligence agency BND. In return, BND had to share the results from the satellite collection with the NSA. For this cooperation, the Joint SIGINT Activity (JSA, 2004-2012) was set up, located in the nearby Mangfall Barracks.

The Australian intercept facility near Darwin, Shoal Bay Receiving Station, is not in the 2012 map, but as we can see in this picture, it seems to be still operational. The same applies to the big satellite station Pine Gap. Therefore we should be careful in treating information in presentation slides and maps like this as perfectly accurate.

Regional FORNSAT stations

The map from 2002 also shows two SCS locations: one in Brasilia and one in New Delhi. Apparently those Special Collection Service units also had a satellite intercept capability. This is most likely also the explanation for the number of "40 regional" FORNSAT stations mentioned in the legend of the 2012 map - which means that meanwhile half of all SCS units worldwide also conduct some kind of foreign satellite interception.

This could also explain the device shown in a slide published earlier by Der Spiegel: an SCS antenna system codenamed EINSTEIN and its corresponding control device codenamed CASTANET. Der Spiegel said this device may be used to intercept cell phone signals, but as a dish antenna, it actually looks more like a receiver for satellite signals (see the comments down below):

Unidentified stations

The map from 2012 as published by NRC Handelsblad also has orange dots for a FORNSAT station at the Philippines and in Scandinavia. These locations were not in the map of 10 years earlier, so it seems that these are new intercept stations build somewhere between 2002 and 2012. The Scandinavian station is probably the SIGINT facility in Skibsbylejren in Denmark, which was build in 2002 (there's also a smaller and older Danish satellite station in Aflandshage).

Unfortunately we don't have their codenames, because in the list in the upper right corner, there's no codename which was not already in the 2002 map. But as this list has only 10 names, and some don't fit on one line, it's possible that two names (coincidentally those of the new stations?!) dissappeared because of bad rendering.

The INDRA station

A final difference between the FORNSAT stations shown in the maps of 2002 and 2012 is the station in Thailand, which was codenamed LEMONWOOD in 2002. The location near the city of Khon Kaen was identified as being an intercept facility since 1979, but with a different codename: INDRA.

This facility fell into disrepair in the 1990s and seems to have been closed somewhere before 2002. In the years following 9/11, the old station apparantly has been reactivated and expanded to an important satellite intercept mission, and appeared again under its old codename INDRA in the 2012 map. Why this place (or another one?) was called LEMONWOOD in 2002 remains a mystery.

A recent Google Earth image of the INDRA
facility near Khon Kaen, Thailand

World map reconstruction

Analysing the NSA world map published by NRC Handelsblad has shown that some interception facilites and channels are missing in the map and/or the legend: most notable the 3rd party countries and some satellite stations. In order to see all additions and corrections at a glance, we modified the NSA original map, which results in this reconstruction:

Reconstruction of the NSA global interception network map
(click for a bigger version)

Links and Sources
- Hoe onderschept de NSA ons dataverkeer?
- NSA infected 50,000 computer networks with malicious software
- The embassy spy centre network (updated)
- ECHELON Satellite stations
- N.S.A. Report Outlined Goals for More Power


Ian Farquhar said...

It's hard to tell on the lowres image, but my guess is that EINSTEIN/CASTANET is a directional intercept device for ground-based comms (think TEMPEST-style attacks). I doubt it's for satellite use.

The interior of CASTANET especially looks fascinating. One would expect it to be a SDR, but there may be a lot more in there too. Possibly some front-end decryption/cryptanalysis capability? The low resolution and JPEG artifacts make it extremely difficult to make out.

The other possibility I would advance is that it has fault induction capabilities, ie. the ability to direct a burst of EM radiation to induce crypto faults. This could explain what may be high-powered RF stuff in the box.

Patrick Hammer said...

Einstein/Castanet hardware has nothing to do with satellite signal interception – although in theory there is no reason why it could not be configured for such use.

Einstein/Castanet is an SCS developed product which has been around for quite a while in one form or another. It is typically used in local/close-up intercept situations where serepticous penetration of a target location is not been possible. (e.g. secure office, cipher room, diplomatic premise etc etc ….).

Specific to its ability is very very precise and accurate dish positioning (fractions of a degree) and control of polarisation. Phase angle can also be exploited in certain situations. It is able to function as both a receiver as well as transmitter – the transmitter been used to transmit modulation which when “received” by a target is it’s self then re-modulated and reflected back to the dish. It is from this reflected & re-modulated carrier that target data/intelligence is extracted ……. and that, sadly, is pretty much all I can share with you regards its function and capability.

P/K said...

Thank you very much for these additions! In this way, things get clearer step by step.

Anonymous said...

Lots of photo's from a user on, Echelon and lots of other communication related facilities.

Jim Lee said...

See NSA facilities on my map, click Surveillance in the layer list

global network said...

Its always good to learn tips like you share for blog posting. As I just started posting comments for blog and facing problem of lots of rejections. I think your suggestion would be helpful for us.