May 28, 2015

New details about the joint NSA-BND operation Eikonal

(Updated: January 24, 2016)

This weblog first reported about the joint NSA-BND operation Eikonal on October 15, 2014, but meanwhile interesting new details became available from the hearings of the German parliamentary inquiry, and from recent disclosures by a politician from Austria.

Under operation Eikonal, the NSA cooperated with the German foreign intelligence service BND for access to transit cables from Deutsche Telekom in Frankfurt. Here follows an overview of what is known about this operation so far. New information may be added as it comes available.




> See for the latest: Unnoticed leak answers and raises questions about operation Eikonal



 

Initial reporting

Operation Eikonal was revealed by the regional German paper Süddeutsche Zeitung and the regional broadcasters NDR and WDR on October 4, 2014. They reported that between 2004 and 2008, the German foreign intelligence service BND had tapped into the Frankfurt internet exchange DE-CIX and shared the intercepted data with the NSA.

For this operation, NSA provided sophisticated interception equipment, which the Germans didn't had but were eager to use. Interception of telephone traffic started in 2004, internet data were captured since 2005. Reportedly, NSA was especially interested in communications from Russia.

To prevent communications of German citizens being passed on to NSA, BND installed a special program (called DAFIS) to filter these out. But according to the reporting, this filter didn't work properly from the beginning. An initial test in 2003 showed the BND that 5% of the data of German citizens could not be filtered out, which was considered a violation of the constitution.

Süddeutsche Zeitung reported that it was Deutsche Telekom AG (DTAG) that provided BND the access to the Frankfurt internet exchange, and in return was paid 6000,- euro a month. But as some people noticed, Deutsche Telekom was not connected to DE-CIX when operation Eikonal took place, so something didn't add up.

As we will see, this was right, and the actual cable tap was not at DE-CIX, but took place at Deutsche Telekom. Nonetheless, many press reports still link Eikonal to the DE-CIX internet exchange.



Operations center room in the former BND headquarters in Pullach
(Photo: Martin Schlüter - Click to enlarge)


Eikonal as part of RAMPART-A

As was first reported by this weblog on October 15, 2014, operation Eikonal was part of the NSA umbrella program RAMPART-A, under which the Americans cooperate with 3rd Party countries who "provide access to cables and host U.S. equipment".

Details about the RAMPART-A program itself had already been revealed by the Danish newspaper Information in collaboration with The Intercept on June 19, 2014. The program reportedly involved at least five countries, but so far only Germany and, most likely, Denmark have been identified.

On October 20, Information published about a document from NSA's Special Source Operations (SSO) division, which confirms that an operation codenamed "EIKANOL" was part of RAMPART-A and says it was decommissioned in June 2008.

The slide below shows that under RAMPART-A a partner country taps an international cable at an access point (A) and then forwards the data to a joint processing center (B). Equipment provided by the NSA processes the data and analysts from the host country can then analyse the intercepted data (C), while they are also forwarded to NSA sites in the US (D, E):




 

Parliamentary hearings

Because of the confusion about the role of Deutsche Telekom in operation Eikonal, the NSA investigation commission of the German parliament (NSAUA) decided to also investigate whether this company assisted BND in tapping the Frankfurt internet exchange.

During hearings of BND officials it became clear that operation Eikonal was not about tapping into the Frankfurt internet exchange DE-CIX, but about one or more cables from Deutsche Telekom. This was first confirmed by German media on December 4, 2014.


Hearing of November 6, 2014 (Live-blog)

According to witness T.B., who was heard on on November 6, 2014, it was just during the test period that the filter system was only able to filter out 95% of German communications. When the system went live, this percentage rose to 99% with a second stage that could filter out even more than 99%. When necessary, a final check was conducted by hand.


Hearing of November 13, 2014 (Live-blog - Official transcript)

During this hearing, the witness W.K. said that Eikonal was a one of a kind operation, there was targeted collection from traffic that transited Germany from one foreign country to another.

This was focussed on Afghanistan and anti-terrorism. Selected data were collected and forwarded to NSA. The internal codename for Eikonal was Granat, but that name wasn't shared with NSA. There was even a third codename.

For Germany, Eikonal was useful because it provided foreign intelligence for protecting German troops and countering terrorism. The NSA provided better technical equipment that BND didn't had. In return, BND provided NSA with data collected from transit traffic using search profiles about Afghanistan and anti-terrorism. BND was asked to cooperate because NSA isn't able to do everything themselves.

Eikonal provided only several hundred useful phone calls, e-mail and fax messages a year, which was a huge disappointment for NSA. This, combined with the fact that it proved to be impossible to 100% guarantee that no German data were collected and forwarded, led BND to terminate the program.

For Eikonal, the cable traffic was filtered by using selectors provided by both NSA and BND. Although not all selectors can be attributed to a particular country and there may have been up to several hundred thousand selectors, witness W.K. said that BND was still able to check whether every single one was appropriate: only selectors that could be checked were used.



Hearing of December 4, 2014 (Live-blog - Official transcript)

During this hearing, BND-employee S.L., who was the project manager of operation Eikonal at BND headquarters, testified. He told that BND had rented two highly secured rooms of ca. 4 x 6 meters in the basement of a Deutsche Telekom switching center in the Frankfurt suburb Nied.

These rooms were only accessible for BND personnel and contained the front-end of the interception system, existing of 19 inch racks, with telecommunications equipment like multiplexers, processors and servers. These devices were remotely controlled from the headquarters in Pullach.*

Based upon analysis of public information about telecommunication networks, BND choose specific cables that would most likely contain traffic that seemed useful for the goals of the operation. It became clear that for redundancy purposes, cables only used 50% of their capacity. For example, 2 cables of 10 Gbit/s carried only 5 Gbit/s of traffic, so in case of a disruption, one cable could take over the traffic of the other one.



The switching center of Deutsche Telekom in Frankfurt-Nied
where some cables were tapped under operation Eikonal
(Screenshot: ZDF Frontal21 - Click to enlarge)


After a specific coax or fiber-optic cable had been selected, technicians of Deutsche Telekom installed a splitter and a copy of the traffic was forwarded to one of the secure rooms, where it was fed into a (de-)multiplexer or a router so the signal could be processed. After they got rid of the peer-to-peer and websurfing traffic, the remaining communications data, like e-mail, were filtered by selectors from BND and NSA.

The selected data were sent back to BND headquarters in Pullach over a leased commercial line, of which the capacity was increased after the internet collection became fully operational. From Pullach to the JSA in Bad Aibling there was a 2 Mbit/s line.

Timeframe

Eikonal started with access to a telephone cable (Leitungsvermittelt). Project manager S.L. told that the first cable was connected (aufgeschaltet) in December 2004, but that it's signal was too weak. Therefore, in January 2005, an amplifier was installed.

In February, March and April additional cables were connected, so telephony collection started in the spring of 2005. By the end of 2006, Deutsche Telekom announced that its business model for dedicated transit cables would be terminated, so in January 2007 the telephone collection ended.*

BND also wanted access to internet traffic (Paketvermittelt), for which the first cable became available by the end of 2005, but because the backlink was missing, collection was technically not possible. This was solved in 2006, and in the spring of 2006 a second cable was added, and they tested the front-end system and subsequently the filter systems until mid-2007 (Probebetrieb).

During this stage, data were only forwarded to the joint NSA-BND unit JSA after a manual check. Fully automated forwarding only happened from late 2007 until operation Eikonal was terminated in June 2008 (Wirkbetrieb).*

Legal issues

The collection of telephone communications from transit cables was done under the general authority of the BND Act, with details specified in the "Transit Agreement" between BND and Deutsche Telekom, which for the latter was signed by Bernd Köbele.

For the collection of internet data it was impossible to fully separate foreign and domestic traffic, so it couldn't be ruled out that German communications were in there too. Therefore, BND requested an order from the G10-commission, which, like the FISA Court in the US, has to approve data collection when their own citizens could be involved.

A G10-order describes the communication channel (Germany to/from a specific foreign country) that BND is allowed access to, the threat profile and it also authorizes the search terms that may be used for filtering the traffic.*

Such an order allows the collection of G10-data (communications with one end German), which were processed within BND's separate G10 Collection program. As a bycatch, this G10-interception also yielded fully foreign traffic (Routine-Verkehre), which was used for operation Eikonal:




Some employees from Deutsche Telekom and from BND had doubts about the legality of this solution, which seemed to use a G10-order as a cover for getting access to fully foreign internet traffic.

Eventually, the federal Chancellery, apparently upon request of the BND, issued a letter saying that the operation was legal. This convinced the Telekom management and the operation went on. It didn't become clear under what authority this letter was issued.

After BND had learned how to collect internet traffic from fiber-optic cable, it applied for G10-orders to intercept (one end German) communications from 25 foreign and domestic internet service providers in 2008. This time these cables were being tapped at the DE-CIX internet exchange, which is also in Frankfurt.

Results

The collection under operation Eikonal resulted in only a few hundred intelligence reports (German: Meldungen) a year, each consisting of one intercepted e-mail, fax message or phone call. These were burned onto a CD to hand them over to NSA personnel at the JSA.*

According to S.L., metadata (containing up to 91 fields) were "cleaned" so only technical metadata (Sachdaten) were forwarded to the JSA, where they were used for statistical and analytical purposes.

Personal metadata (personenbezogene Daten), like e-mail and IP addresses were not shared. Technical metadata are for example used to identify the telecommunication providers, transmission links and the various protocols.


Hearing of December 18, 2014 (Live-blog - Official transcript)

During this hearing, a talkative general Reinhardt Breitfelder, head of the SIGINT division from 2003-2006, confirmed many of the details from the earlier hearings of his subordinates. He also gave impressions of the dilemmas in dealing with the NSA and what to do with the equipment they provide.


Hearing of January 15, 2015 (Live-blog - Official transcript)

In this hearing, the commission questioned two employees from Deutsche Telekom (Harald Helfrich and Wolfgang Alster), but they provided very little new information, except for that Deutsche Telekom personnel only knows between which cities a cable runs, but they don't know what kind of traffic it contains - they are not allowed to look inside.


Hearing of October 1, 2015 (Live-blog)

Joachim Mewes from the Chancellary testified that somewhere in 2005, BND invited him and the G-10 Commission to visit the tapping site in Frankfurt, apparently as to show that no filtering took place there, but that everything from the cable went to BND headquarters and was split up over there. This however contradicts other testimonies, saying that filtering was conducted close to the access point.



A room where hearings of the parliamentary committee take place
(photo: DPA)

 

Disclosures from Austria

On May 15, 2015, Peter Pilz, member of the Austrian parliament for the Green party, disclosed an e-mail from an employee of the Deutsche Telekom unit for lawful intercept assistance (Regionalstelle für staatliche SonderAuflagen, ReSa), who notified someone from BND that apparently a particular fiber-optic cable had been connected to the interception equipment. The e-mail describes this cable as follows:

Transit STM1 (FFM 21 - Luxembourg 757/1), containing 4 links of 2 Mbit/s:

Channel 2: Luxembourg/VG - Wien/000 750/3
Channel 6: Luxembourg/CLUX - Moscow/CROS 750/1
Channel 14: Ankara/CTÜR - Luxembourg/CLUX 750/1
Channel 50: Luxembourg/VG - Prague/000 750/1

STM1 stands for Synchronous Transport Module level-1, which designates a transmission bit rate of 155,52 Mbit/second. A similar multiplexing method is Wavelength-Division Multiplexing (WDM) commonly used in submarine fiber-optic cables. The latter having a much larger capacity, generally STM-64 or 9,5 Gbit/second.

The number 757 is a so-called Leitungsschlüsselzahl (LSZ), which denotes a certain type of cable. In this case it stands for a channelized STM-1 base link (2 Mbit in 155 Mbit), which seem to be used for internal connections.

According to the meanwhile updated LSZ List, the number 750 stands for a "DSV2 Digitalsignal-Verbindung 2 Mbit/s", which is a digital signal path.

The cable mentioned in the e-mail therefore only has a small capacity, which seems to indicate that NSA and/or BND selected it carefully.

FFM 21 stands for "Frankfurt am Main 21", which according to Deutsche Telekom's network map is the name of the Point-of-Presence (PoP) located at its facility in the Frankfurt suburb Nied - the location where that Eikonal tapping took place.

This means we have a physical cable running between Luxembourg and the Deutsche Telekom PoP in Frankfurt, but containing channels to cities which are much further, so they have to connect to channels within other physical cables that run from Frankfurt to Moscow, Prague, Vienna and Ankara, respectively:



As the e-mail is from February 3, 2005, it must relate to telephone collection, because for Eikonal, the first cable containing internet traffic only became available by the end of that year.


The Transit agreement

On May 18, the Austrian tabloid paper Kronen Zeitung published the full "Transit Agreement" (pdf) between BND and Deutsche Telekom, in which the latter agreed to provide access to transit cables, and in return will be paid 6.500,- euro a month for the expenses. The agreement came into retrospective effect as of February 2004.

This disclosure got little attention, but is rather remarkable, as such agreements are closely guarded secrets. The Transit agreement existed in only two copies: one for BND and one for Deutsche Telekom.

It is not known how Pilz came into possession of these documents, but it seems the source must be somewhere inside the German parliamentary investigation commission. They are the only persons outside BND and Deutsche Telekom who, for the purpose of their inquiry, got access to the agreement and the other documents.

Leaking these documents to Pilz seems not a very smart move, as it will further minimize the chance that the commission will ever get access to the list of suspicious NSA selectors.


Country lists

On May 19, Pilz held a press conference (mp3) in Berlin, together with the chairman of the Green party in Luxembourg and a representative of the German Green party. Here, Pilz presented a statement (pdf), which includes the aforementioned e-mail, 10 questions to the German government, and two tables with cable links to or from Austria and Luxembourg:



Lists of links that apparently were on a priority list of NSA.
LSZ = Leitungsschlüsselzahl (cable type indentifier);
Endstelle = Endpoint; Österreich = Austria.
(Source: Peter Pilz - Click to enlarge)



According to Pilz, the full list contains 256 cable links. 94 of them connect EU member states, 40 run between EU members and other European countries like Switzerland, Russia, Serbia, Bosnia-Herzegovina, Ukraine, Belarus and Turkey. 122 links connect European countries with nations all over the world, with Saudi Arabia, Japan, Dubai and China being mentioned most.

The country which most links (71) run to or from is the Netherlands. The list for that country was disclosed by Peter Pilz during a press conference in Brussels on May 28, 2015. The US, the UK and Canada are not on the list, although there were apparently 156 links from/to Britain too.

Updates:

On June 25, 2015, the Dutch telecommunications provider KPN announced the results of its inquiry into the alleged tapping of its cables. It was very difficult to identify the channels in the list because meanwhile KPN's whole network had been restructured. Eventually it became clear the connections (being channels within cables and KPN only being responsible for the first half until Frankfurt) had been rented out under telephony wholesale contracts, so it was impossible to trace individual customers or users.

On October 2, 2015, the Slovenian television magazine POP TV revealed that also links to/from Slovenia, Croatia, Serbia and Bosnia and Herzogovina were on the NSA's "yellow list" obtained by Peter Pilz.

On January 16, 2016, Finnish media reported that the list also contained 6 transit links to/from Finland.
 
Additional details

On June 5, 2015, Peter Pilz held a press conference in Paris, where he presented a statement (.docx) containing a list of 51 transit links to or from France. Interestingly, this list now also includes some additional technical identifiers for these links, which were apparently left out in the earlier ones:



First part of the list with links related to France
(Source: Peter Pilz - Click to enlarge)


On June 29, 2015, Peter Pilz presented a similar detailed list (.pdf) of 28 transit links to and from Poland.

According to the updated LSZ List, the new codes in these lists stand for:

- 703: VC3 Virtual Container connection with 48,960 MBit/s
- 710: (not yet known)
- 712: VC12 Virtual Container connection with 2,240 MBit/s
- 720: (not yet known)
- 730: (not yet known)

VC3 and VC12 are from the Synchronous Digital Hierarchy (SDH) protocol to transfer multiple digital bit streams synchronously over optical fiber. This has the option for virtual containers for the actual payload data. VC3 is for mapping 34/45 Mbit/s (E3/DS3) signals; VC4 for 140 Mbit/s (E4); VC12 for 2 Mbit/s (E1).

The new identifiers in this list stand for: O-nr.: Ordnungsnummer; GRUSSZ: Grundstücksschlüsselzahl; FACHSZ: Fachschlüsselzahl.

No information about these identifiers was found yet, but by analysing the data in the list, it seems that the FACHSZ codes are related to a telecom provider. France Telecom for example appears with FACHSZ codes CFT, VPAS, VCP3, VB5 or 0.

The GRUSSZ number identifies a particular city, with the first two or three digits corresponding with the international telephone country codes. The last two digits seem to follow a different scheme, as we can see that a capital always ends with "10":
Paris = 33010
Lyon = 33190
Reims = 33680
  Brussels = 32010
Prague = 42010
Oslo = 47010
  Warsaw = 48010
Poznan = 48020
Moscow = 70010
It's possible that these are just internal codes used by Deutsche Telekom, as internationally, connections between telephone networks are identified by Point Codes (PC). From the Snowden-revelations we know that these codes are also used by NSA and GCHQ to designate the cable links they intercept.



NSA or BND wish lists?

Initially, Peter Pilz claimed these links were samples from a priority list of the NSA, but on May 27, he said in Switzerland, that the list was from BND, and was given to NSA, who marked in yellow the links they wanted to have fully monitored.

The German parliamentary hearings were also not very clear about these lists. On December 4, project manager S.L. confirmed that NSA had a wish list for circuit-switched transit links, but in the hearing from January 15 it was said that there was a "wish list of BND" containing some 270 links. And on March 5, former SIGINT director Urmann said he couldn't remember that NSA requested specific communication links.

Maybe the solution is provided by the Dutch website De Correspondent, which reports that there is a much larger list (probably prepared by BND) of some 1000 transit links, of which ca. 250 were marked in yellow (probably those prioritized by NSA).


Whose cables?

Media reports say that these cables belong to the providers from various European countries, but that seems questionable. As we saw in the aforementioned e-mail, it seems most likely that the lists show channels within fiber-optic cables, and that the physical cables all run between the Deutsche Telekom switching facility in Frankfurt and the cities we see in the lists.

In theory, these cables could be owned or operated by those providers mentioned in the lists, but then they would rather connect at a peering point like the DE-CIX internet exchange, where providers exchange traffic with eachother.

In this case, it seems more likely that the physical cables are part of Deutsche Telekom's Tier 1 network, which is a worldwide backbone that connects the networks of lower-level internet providers.



Simplified structure of the Internet, showing how Tier 1, Tier 2 and Tier 3 providers
transit data traffic in a hierarchial way and how Tier 2 providers exchange
traffic directly through peering at an Internet eXchange Point (IXP)
(diagram: Wikimedia Commons - click to enlarge)


Questions

It is not clear how many of the over 250 links on the list were actually intercepted. We only know that for sure for the STM-1 cable with the four channels described in the aforementioned e-mail from Deutsche Telekom to BND.

Strange is the fact that during the parliamentary hearings, most BND witnesses spoke about "a cable in Frankfurt", which sounds like one single physical cable, whereas the disclosures by Peter Pilz clearly show that multiple channels must have been intercepted.

Update:
During the commission hearing of January 29, 2015, BND technical engineer A.S. said that under operation Eikonal, telephone traffic came in with a data rate of 622 Mbit/s. This equals a standard STM-4 cable, which contains 252 channels of 2 Mbit/s. This number comes close to the channels on the "wish list", but it seems not possible that those were all in just one physical cable.

Another question is whether it is possible to only filter the traffic from specific channels, or that one has to have access to the whole cable.

It should be noted that not the entire communications traffic on these links was collected and stored, but that it was filtered for specific selectors, like phone numbers and e-mail addresses. Only the traffic for which there was a match was picked out and processed for analysis.


Possible targets

Based upon these documents, Peter Pilz filed a complaint (pdf) against 3 employees of Deutsche Telekom and one employee of BND for spying on Austria, although at the same time he said he was convinced the NSA was most interested not in Austrian targets, but in the offices of the UN, OPEC and OSCE in Vienna.

Apparently he didn't consider the fact that Eikonal was part of the RAMPART-A umbrella program, which is aimed at targets in Russia, the Middle East and North Africa. Many cities mentioned in the disclosed lists seem to point to Russia as target, and project manager S.L. testified that Eikonal was mainly used for targets related to Afghanistan, which fits the fact that there are for example 13 links to Saudi Arabia.

Green party members from various countries claimed that this cable tapping was used for economic or industrial espionage, but so far, there is no specific indication, let alone evidence for that claim.



Links and sources
- LeMonde.fr: Deutsche Telekom a espionné la France pour le compte de la NSA
- Tagesschau.de: Europa verlangt Aufklärung von Berlin
- DeCorrespondent.nl: Er is geen enkel bewijs dat de Nederlandse kabels zijn afgetapt
- Volkskrant.nl: 71 KPN-internetverbindingen afgetapt door geheime diensten
- NRC.nl: Duitse BND tapte tientallen internetverbindingen KPN af
- DerStandard.at: BND-NSA-Affäre: Laut Pilz auch Spionage in Belgien und Niederlanden
- Golem.de: Telekom und BND Angezeigt: Es leakt sich was zusammen
- Zeit.de: Daten abfischen mit Lizenz aus dem Kanzleramt

No comments:

In Dutch: Meer over het wetsvoorstel voor de Tijdelijke wet cyberoperaties