January 26, 2015

How GCHQ prepares for interception of phone calls from satellite links

(Updated: January 6, 2017)

Most of the Snowden-revelations are about spying on the internet, but NSA and GCHQ are also conducting the more traditional collection of telephone communications that go through satellite links.

What needs to be done before phone calls can be collected, can be learned from two highly detailed technical reports from the GCHQ listening station near Bude in the UK.

These reports were published on August 31 last year by the German magazine Der Spiegel and the website The Intercept as part of a story about how Turkey is both a partner and a target for US intelligence.

Here we will analyse what's in these reports, which give an interesting impression of the techniques used to transmit telephone communications over satellite links.



Satellite dishes at the GCHQ intercept station near Bude, Cornwall, UK


Officially, such technical reports are called "informal reports", as opposed to the "serialized reports" that contain finished intelligence information for end users outside the SIGINT community.

Until now, only two of such technical reports have been disclosed, but according to an article by Der Spiegel from December 20, 2013, they are from "a bundle of documents filled with international telephone numbers and corresponding annotations" from Sigint Development (SD), which is a unit that identifies and develops new targets.

The technical reports are about test runs for new, previously unmonitored communication paths intended to "highlight the possible intelligence value" and whether certain satellite links could be "of potential interest for tasking". The reports give no indication about whether the listed numbers were eventually tasked for collection and neither about the intensity and length of any such surveillance.


Der Spiegel says these documents show that GCHQ "at least intermittently, kept tabs on entire country-to-country satellite communication links, like Germany-Georgia and Germany-Turkey, for example, of certain providers", which sounds rather indiscriminate.

However, the fact that GCHQ analysts are sampling these satellite links on whether they contain target's phone numbers, shows they are looking for the most productive links to be eventually intercepted. During the parliamentary investigation in Germany, officials from BND explained a similar way of selecting specific channels of specific satellites.




Technical report nr. 35

The first technical report is number 35 from October 15, 2008. It is about four satellite links between the United Kingdom and Iraq, which were given the following case notations, starting with G2, which is NSA's identifier for the Intelsat 902 communications satellite:
- G2BCR (UK - Iraq)
- G2BBU (UK - Iraq)
- G2BCS (Iraq - UK)
- G2BBV (Iraq - UK)

The physical gateways (the satellite ground stations) for these satellite links are in the UK and in Iraq, with the UK station providing logical gateways to the Rest-of-the-World (ROW), mainly Turkey, Syria, Saudi Arabia, UAE and Egypt.





Multiplexing and compression

By analysing the C7 channel (see below), it was confirmed that the two links from the UK to Iraq were load-sharing traffic between the Rest-of-the-World and Iraq, as was the case for the link originating in Iraq.

For an efficient transmission, the links are equipped with the DTX-600 Compression Gateway device, made by Dialogic. This is a high-capacity, multi-service, multi-rate voice and data compression system, which is able to simultaneously compress toll quality voice, fax, Voice Band Data (VBD), native data (for example, V.35), and signaling information:




This kind of voice compression equipment is installed at either end of long-distance links, like from communications satellites or submarine fiber-optic cables. Telecommunication companies try to pack as much capacity into as little physical space as possible, making it also more difficult for intelligence engineers to unpack it.


Signaling System No. 7

Most of the information in the report is derived from the so-called C7 channel. C7 is the British term for the Signaling System No. 7 as specified by ITU-T recommendations. In the US it is referred to as SS7 or CCSS7 (for Common Channel Signalling System 7).

SS7 is a set of protocols for setting up and routing telephone calls. In the SS6 and SS7 versions of this protocol, this signalling information is "out-of-band", which means it is carried in a separate signaling channel, in order to keep it apart from the end-user's audio path.

In other words, SS7 contains the metadata for telephone conversations, like the calling and the called phone numbers and a range of switching instructions. This makes the SS7 or C7 channel the first stop for intelligence agencies.


Analysis of the link

In order to see whether these four satellite links could contain traffic that is useful for foreign intelligence purposes, the analyst took some phone numbers from Iraq (country code 964), Iran (98), Syria (963) and the UK (44) and looked whether these appeared in the data of the C7 channel.

All four links had hits, both for the called and the calling number. These numbers were redacted by The Intercept, except for the terms "Non Op Kurdish Extremism" and [Kurdish] "Leadership". The report continues with a more detailed analysis of the links. As an example we look at the one between the UK and Iraq, which has the case notation G2BCR and was paired with G2BCS:

On this link, the C7 channel runs between end points that are designated with the Originating Point Code (OPC) 2-153-1 in the UK, and the Destination Point Code (DPC) 4-036-4 in Iraq. The switching device at the originating end is a Nokia DX220 ABS and at the destination end a Unid Exch.

The DTX-600 contains 11 active trunks for digital voice data that are compressed into packets of 10 milliseconds duration by using the audio data compression algorithm g.729. There is also one WC1A channel.

After decompression by a tool named SWORDFISH it came out that the location of the C7 channel is the "3rd Trunk BS19". Protocols used on this link were Cisco, IPv4, ICMP, TCP, UDP, GRE, ESP and PPTP. Similar analysis was done for the other three satellite links.



Intelsat communications satellite from the 900-series,
nine of which were launched in June 2001.


The report then has a small list of Technical Details, saying that the traffic goes via the Intelsat 902 communications satellite, but the exact frequencies of the four links are redacted, just like the Symbol Rate and the FEC Rate. FEC probably stands for Forward Error Correction, to mitigate for packet losses.

There is also a FEC RASIN number: TPC2D78R005. RASIN stands for RAdio-SIgnal Notation, which is a comprehensive, originally 10-volume NSA manual that lists the physical parameters of every known signal, all known communication links and how they are collected. It seems strange that this internal RASIN code is visible, while the FEC rate, which is common technology, is redacted.


Conclusion

The conclusion on whether these satellite links can be tasked on the collection system is: "Due to limited patching there is currently no spare tasking availability on Lopers". LOPERS is one of the main systems used by NSA for collecting telephone communications. According to Der Spiegel, some other reports concluded about tasking: "Not currently due to the data rate of the carriers."

Finally, this technical report gives the (redacted) contact details at OPA-BUDE, with OPA being the abbreviation of a yet unknown unit at the GCHQ Bude listening station in Cornwall. The last section of the report is fully blacked out by The Intercept, but the next report will show what is apparently covered there.



Technical report nr. 44

The second technical report is from December 1, 2008 and is about a satellite link between Jordan and Belgium. It has the case notation 8BBAC, with 8B being the identifier of a yet unknown communications satellite. The frequency of the link is redacted. The physical gateways are in Jordan and Belgium, with the Belgian station also providing a logical gateway to the Rest-of-the-World (ROW).





The link is an E1 carrier, which means it runs 2048 Megabit/second and has 32 timeslots (channels), which are numbered TS0 to TS31 (another widely used carrier is E3, which has an overall capacity of 34.368 Megabit/second and has 512 timeslots). Each timeslot can carry one phone call, so one E1 link can transmit up to 30 calls simultaneously. The remaining two timeslots are used for the signaling information.

The analyst found that in this case timeslots 30 and 31 were used to relay the C7 signaling information and that compression was achieved by the DTX-360B Digital Circuit Multiplication Equipment (DCME). Using this technique, one Intelsat communications satellite can relay up to 112.500 voice circuits (telephone calls) simultaneously.

The report also says that the "RLE to this link is believed to be 8BBNH. Currently in view at Sounder". RLE stands for Return Link End, which in this case would be the link back from Belgium to Jordan. SOUNDER is the covername for the GCHQ listening station at Ayios Nikolaos in Cyprus, which is apparently able to intercept the Intelsat downlink to Jordan.



The GCHQ intercept station Ayios Nikolaos (SIGAD: UKM-257) in Cyprus


Analysis of the link's metadata

The technical report says that on timeslot 30, the C7 channel runs between end points that are designated with the Originating Point Code (OPC) 4-032-5 at FAST Link GSM (now Zain) in Jordan, and the Destination Point Code (DPC) 2-014-7 at F Belgacom in Brussels, Belgium.

It's interesting to see Belgacom here, as from 2009, GCHQ got access to the cell phone roaming branch of this company by using the highly sophisticated Regin spyware suite.

From OPC 4-032-5 in Jordan, there were also transit calls via DPC 2-012-2 to some fourty countries all over the world. In addition to this, there were also transit calls to Mauritius, Finland, Bulgaria, Switzerland, Sweden, Syria and Iran via DPC 2-012-1.

On timeslot 31, the C7 channel runs between the end points 4-032-0 at FAST Link in Jordan, and 2-013-1 at F Belgacom in Brussels, Belgium. For this timeslot there were also two links with transit calls, via DPC 2-012-2 and DPC 2-012-1.

For these transit calls, the report also mentions an eight digit Circuit Identification Code (CIC). This code is used to connect the metadata in the C7 channel to the trunk and the timeslot which carry the voice part of the call. In this way, each of the 30 channels of an E1 link has a CIC associated with.

GCHQ has to know the CIC, in order to pick the right voice part from one of the content channels, after having found the target's phone number in the signaling channel.



Interface of an NSA tool with a page titled "SS7 Summary" which lists and visualizes
the number of OPC/DPC pairs accessible by various NSA fiber-optic cable
interception programs, identified by their SIGAD number.
(Screenshot from an NSA presentation
published in December 2013 - Click to enlarge)


Mapping the link

The analyst used the DEPTHGAUGE tool to map the 8BBAC satellite link. He reports that the resultant map was not fully conclusive, but that it supported the previously listed mapping. What follows is a list which seems to relate Circuit Identification Codes (CIC) to the specific TimeSlots (TS). Not all of them had yet been mapped.

The 8BBAC link was sampled for telephony data (DNR) for approximately 94 hours during the period from November 26 to December 1, 2008, by using a tool or system codenamed DRUMKIT.

Phone numbers listed in CORINTH, which could be GCHQ's telephony tasking database, were found 607 times in timeslot 30. This included both tasked and de-tasked numbers, which means numbers that were under surveillance as well as numbers for which the surveillance had been terminated. 26 numbers that were tasked at the time of the analysis had 86 hits.

In timeslot 31, there were 349 hits, 40 of which were from 14 phone numbers that were under surveillance. These hits could be viewed in DRUMROLL under the filenames 8BBAC0030 for timeslot 30 and 8BBAC0031 for timeslot 31.


DRUMROLL hits

The report lists all the hits of tasked, and a selection of the non-tasked phone numbers that were found in timeslot 30 and timeslot 31. These lists are completely blacked out, except for the terms "Turkish MFA" (= Ministry of Foreign Affairs) and "Kurdish Leadership".

According to The Intercept's reporting, NSA was regularly providing its Turkish partners with the mobile phone location data of PKK leaders, but was at the same time spying on the Turkish government.

DRUMROLL was first seen in snippets from a GCHQ document published by Der Spiegel in December 2013. It gave the hits for a satellite link with case notation 1ABCT. According to the Spiegel article, this was a communication path between Belgium and Africa.

For each of the entries there are codes or numbers under TNDEntry, TNDOffice, TNDtask and TNDzip. It is not known what TND stands for, but it could be something like Target Number Database.

Among the hits are European Union Commissioner Joaquin Almunia, the French oil and gas company Total E & P, the French transport company Thales Freight and Logistics and the UN Institute for Disarmament Research. As such lists can show both tasked and de-tasked numbers, it's not clear whether these ones were still under surveillance; the N under TNDtask could stand for "Not Active":




The technical report nr. 44 from 2008 may have similar information in the lists that were redacted.

That report then continues with a small list of Technical Details of satellite link 8BBAC, with the Symbol Rate and the FEC Rate not being redacted, like in the first report. The conclusion of the report is that "this link can be tasked on the system". According to Der Spiegel this was the answer in many of the other reports too.

Finally, also readable unlike in the first report, is the standard disclaimer that is under every document from GCHQ. It says that this "information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK informataion legislation".

Apparently this time the editors from The Intercept forgot to redact the GCHQ's internal (non-secure) phone number and e-mail address for such disclosure requests, which normally appear blacked out in all GHCQ documents that have been disclosed.



Classification

All three technical reports we have seen are classified SECRET STRAP 1 SPOKE. The British marking STRAP 1 means that the dissemination of the document is restricted by measures from a three-level control system codenamed STRAP. Within that system, STRAP 1 is the lowest level.

More interesting is the NSA marking SPOKE, which also denotes a control system to limit access to the document, but is rarely seen. Other British documents marked STRAP 1 often have COMINT as their American equivalent, which is the general marking used for all information related to communications intelligence that hasn't to be more strictly controlled.

SPOKE is one of the codewords that NSA used in the past, but which were presumably abandoned in 1999. But from documents published as part of the Snowden-leaks we know that from these codewords at least SPOKE and UMBRA are still used.

Given what's in the known documents that have the SPOKE classification, it seems to cover technical information about targets, like their phone numbers and the communication links in which these can be found. The higher UMBRA marking is then probably used for the actual content, when this is collected outside the US under EO 12333 authority.

Updates:

On March 12, 2015, the Intelligence and Security Committee (ISC) of the British Parliament published an extensive report about interception activities of the UK intelligence agencies, which says that GCHQ only collects data from a small number of fiber-optic cable channels ('bearers'), which are likely to contain traffic that is of intelligence value.

On December 8, 2016 the French newspaper Le Monde published another set of technical reports in which, among many others, some targets from Israel, Jordan and African countries were mentioned.


Links and Sources
- Wikipedia: ISDN User Part
- ZDNet.com: Invasive phone tracking: New SS7 research blows the lid off mobile security

2 comments:

Seo Sea said...

I am writing to wish you all the very best in your new venture, and to say what a pleasure it has been to work with you. ICA Cloud were sked to sort out the telephone and IT systems in our Hemel Hempstead, Luton and Stevenage offices. We were very happy with the diligence and understanding shown by the crew at ICA and have been happy with their support ever since. Options are VOIP, Telephone, Cloud, Online, PBX and Hosted.

Arjun Kumar said...

Great Job... Thanks for this post. ICA Cloud were sked to deal with the phone and IT frameworks in our Hemel Hempstead, Luton and Stevenage workplaces. We were exceptionally content with the ingenuity and comprehension appeared by the team at ICA and have been content with their backing from that point forward.