Some older articles on this weblog that are of current interest:

March 25, 2019

The phones of former FBI Director Robert Mueller

(Updated: March 30, 2019)

Last Friday, March 22, special counsel Robert S. Mueller ended his investigation on possible Russian influence in the 2016 United States presidential elections.

Before he was appointed special counsel in May 2017, Mueller served 12 years as director of the FBI, from September 2001 to September 2013.

Here we take a look at the telecommunications equipment used by Robert Mueller when he was leading the FBI, based upon some rare photos of his office.

The office of former FBI director Robert S. Mueller, June 4, 2010.
(photo: Melina Mara/The Washington Post/Getty Images)

The FBI Director's office

The office of the Director of the FBI is on the seventh floor of the FBI headquarters, the brutalistic J. Edgar Hoover Building in Washington D.C. Pictures of this room are very rare, but in 2010, The Washington Post provided some views of Robert Mueller in his office, which appeared to be rather small and with remarkably old-fashioned furniture.

Next to the director's office is a small executive conference room, also with 19th century furniture and a sign that looks as if it's from a Western movie, saying "Director of the Federal Bureau of Investigation". On the wall there's large world map, where for a domestic security service like the FBI one would rather expect a map of the United States:

The conference room next to the director's office, June 4, 2010.
(photo: Melina Mara/The Washington Post/Getty Images - click to enlarge)

Telephone systems

In the photos we can see that in the office of FBI director Mueller there were four phones, which belong to three different telephone systems, two for secure and one for non-secure calls:

IST phone

The first phone from the left is a big white Integrated Services Telephone (IST), which was designed by Electrospace Systems Inc. (ESI) and manufactured by Raytheon. This is a so called "red phone", which means that it's connected to the Defense Red Switch Network (DRSN). This is the main secure telephone network for military command and control communications and connects all mayor US command centers and many other military facilities.

Although this IST phone looks very futuristic, it has already been replaced by the newer IST-2, which was introduced in 2003. The new IST-2 was also on the president's desk in the Oval Office, before it was replaced by a Cisco IP phone for the new Executive Voice over Secure IP-network, which provides a highly secured link between the President and his senior cabinet members.

It's interesting to see that there's no such new IP telephone in the office of the director of the FBI, which means that he has no direct line to the president - according to the fact that FBI falls under the Department of Justice and the director of the FBI reports to the Attorney General.

STE phone

Next to the IST there's a big black telephone called Secure Terminal Equipment (STE). It's made by the American defense contractor L-3 Communications (since 2016: L3 Technologies) and is capable of encrypting phone calls up to the level of Top Secret/SCI. There's also an STE phone at the small drawer chest in the director's conference room.

STE phones can be used to make encrypted calls to anyone with a similar or compatible device and there are an estimated 400.000 STE users. STE is the successor of the almost legendary STU-III secure phone system from the late 1980s.

These STE phones can be used for secure communications with everyone working for the US government, the military, its contractors, and also foreign partners who can not be reached through a more select secure telephone network, like the aforementioned DRSN.

Nortel M5216

Finally, there were two Nortel M5216 Meridian telephones in former director Mueller's office: one with two additional 22 button key expansion modules on the desk, and one without these modules on the standing desk alongside the wall. These phones were used for any non-secure calls inside and outside the FBI headquarters.

The M5216 telephone sets were manufactured by the former Canadian company Northern Telecom or Nortel and look rather outdated as they are probably from the mid-1990s. The Nortel telephone system itself is even older: it goes back to the SL-1 PBX from 1975, which was gradually enhanced and renamed Meridian-1 in the late 1980s.

The system provides advanced voice and data features for applications ranging from 60 to 16.000 lines and also has Centrex capability. It became the first fully digital PBX on the global market and it was one of the most widely used business telephone systems, with an estimated number of 43 million installed users worldwide.

Computer networks

Besides the four telephone sets, there's also a computer in the office of former FBI director Mueller, which can be seen right behind the ubiquitous Aeron office chair. A KVM-switch allows him to use a single set of Keyboard, Video and Mouse to access multiple FBI networks on different classification levels, like:

- Law Enforcement Online (LEO), which is a web-based system for sharing information among the law enforcement community that is running over the internet, classified For Official Use Only.

- Federal Bureau of Investigation Network (FBINet), which is the FBI's intranet and can only be accessed through an FBI computer.

- FBI Secret Network, which can be accessed from any US government computer that is connected to the Intelligence Community's INTELINK-S network that is running on the Defense Department's SIPRNet infrastructure, classified up to Secret.

- Sensitive Compartmented Information Operational Network (SCION), which is the FBI's designation of the Intelligence Community's INTELINK-TS network that is running on the Defense Department's JWICS infrastructure, classified up to Top Secret/SCI.

Former FBI director Mueller working in his office, June 4, 2010.
(photo: Melina Mara/The Washington Post/Getty Images - click to enlarge)

Links and sources
- The Washington Post: Federal government cancels costly, decade-long search for a new FBI headquarters (2017)
- Office of the Director of National Intelligence: IATCG Intelligence Guide (2011)

See also:
- The phones of US Director of National Intelligence James Clapper
- NSA director Alexander's phones
- US State Department red phones
- Commander Petraeus' phones

November 28, 2018

A new secure phone for outside the White House

Last Thursday, Americans celebrated Thanksgiving and traditionally the president addressed members of the military services that are deployed abroad. For Donald Trump this was the second time during his presidency.

The video footage and photos of that address also showed something that is one of the topics of this weblog: a new telephone used for top level telecommunications of the president of the United States:

President Trump speaks to members of the military over the phone
from his Mar-a-Lago resort in Palm Beach. November 22, 2018.
(photo: Mandel Ngan/AFP/Getty Images - click to enlarge)

The telephone set that president Trump used for his conference call can be recognized as a Cisco IP Phone 8841, but with some distinctive modifications.

Top Secret

The first one is that is has a bright yellow bezel around the high-resolution color display, while standard phones have a black or a silver one. As yellow is the color code for information classified Top Secret/Sensitive Comparmented Information (TS/SCI), the bezel shows that this phone can be used for calls at the highest level.

This phone is part of the Executive Voice over Secure IP-network, which connects the US president with all major decision makers, like the secretaries of State, Defense and Homeland Security as well as the Director of National Intelligence. The phones themselves have no encryption capability - they are connected to a central network encryptor, probably from General Dynamics' TACLANE familiy.

Fiber network

The second modification is that the device can be directly connected to a local fiber optic network, instead of the usual connection to a copper cable telephone system through an RJ-14 plug. Because signals traveling over copper cables cause electromagnetic emanations ("TEMPEST"), they are easier to intercept than when there's a fiber optic network.

The new phone was modified by CIS Secure Computing, Inc., which is a small company that provides additional security functions for commercial-of-the-shelf communications equipment. On its website it advertises the Cisco 8841 Fiber Enabled VoIP Phone and in the photo below the company's logo can be recognized on the back side of the device:

President Trump with the new Cisco IP phone seen from the back side. November 22, 2018.
(photo: AP/Susan Walsh - click to enlarge)

It's not known when exactly this new telephone was installed, but it must have been somewhere after Trump's first Thanksgiving address last year. Then we still saw the old phone for highly secure calls. This was a common Cisco 7975 Unified IP phone, which was also modified by CIS Secure Computing, providing it with TEMPEST protection and two 1 Gigabit SC Fiber ports.

Left: the old Cisco 7975 IP Phones in 2017; right: the new Cisco IP Phone 8841 in 2018
(click to enlarge)

White House

In the Oval Office, the old Cisco 7975 for the classified network had already been replaced by a Cisco IP Phone from the new 8800-series by September 2017. However, this phone has no additional security functions (like a fiber optic connection or on-hook disconnection of the handset) nor the yellow bezel.

The Cisco 7975 IP phones for secure calls were introduced in 2007 as part of a general upgrade of the White House communications systems under president George W. Bush. Meanwhile this type of Cisco telephones is about 15 years old, so the replacement may not come as a surprise.

It seems that with the modified Cisco IP Phone 8841 all the old phone sets for secure and non-secure calls, used both inside and outside the White House, have now been replaced by new devices from Cisco's 8800-series.

October 9, 2018

The GRU close access operation against the OPCW in perspective

(Updated: December 2, 2018)

Last Thursday, October 4, the Dutch Ministry of Defence held a press conference about how its Military Intelligence and Security Service MIVD had disrupted a spying operation by the Russian military intelligence agency GRU last April.

Four Russian operatives were caught red-handed when they tried to hack into the Wi-Fi network of the headquarters of the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague. Meanwhile, the US Department of Justice (DoJ) published a formal indictment against seven GRU officers, including the four from the Netherlands.

Here, the failed GRU operation will be compared to close access operations of the NSA, which learns us more about the methods for hacking wireless networks. There are also some answers to frequent questions about the disruption by the MIVD.

Press conference with from left to right: MIVD director Onno Eichelsheim, Defence
minister Ank Bijleveld, British ambassador Peter Wilson
(photo: Bart Maat/ANP - click to enlarge)

MIVD presentation

During the press conference, the director of MIVD, major general Onno Eichelsheim, explained the case using a 35-page powerpoint presentation with an unprecedented amount of photos and details of what had been discovered about the Russian operation.

This makes the presentation very similar to the ones from the Snowden-revelations, although they were highly classified and for internal use only, while the MIVD presentation is unclassified (in Dutch: ongerubriceerd) and, although marked as For Official Use Only, made for the general public.

Front slide of the MIVD presentation about the disrupted GRU close access operation
(click to download the full presentation)

Close Access operations

MIVD director Eichelsheim revealed that the GRU officers planned a "close access" operation. Such an operation can range from simply setting up a microphone to listen into what is said in a nearby building, to the highly sophisticated collection of unintentional emanations from computer equipment by exploiting so-called TEMPEST vulnarabilities.

In this case it was an effort to gain access to the internal Wi-Fi network of the OPCW headquarters building by using an interception system hidden in a car at a nearby parking lot. It was described as high-end equipment capable of hacking Wi-Fi connections from a distance, identifying the users and intercepting their login credentials.

This sounds very similar to an IMSI-catcher (also known as a Stingray), a very expensive device that functions like a fake cell tower. It's used by law enforcement and intelligence agencies either to identify the nearby active phone numbers, or to actually intercept the calls of a particular cell phone.

The equipment found in the car of the GRU officers, clarified by a diagram
(source: MIVD - click to enlarge)

WiFi Pineapple

Besides the equipment in the car, the backpack of GRU officer Serebriakov also contained some antennas, a WLAN Booster, a WiFi Signal Booster and a WiFi Pineapple model NANO. These Pineapples, with a cost of just around 100,- US Dollar, can mimic the functions of a Wi-Fi server. They are not only used by law enforcement and penetration testers, but are also popular among criminals who use them to spoof Wi-Fi networks so that victims connect to them rather than the intended legitimate server.

As explained in the DoJ indictment, it's likely that the GRU already tried to get access to the OPCW computer network through remote hacking methods, like spear fishing e-mails. Only after that failed to result in the desired access, the agency apparently decided to sent a team to break in through close access methods. Had they succeeded, then the hacking team back in Moscow would have taken over again to exploit the access through remote means.

NSA equivalent

The GRU officers clearly planned to hack the OPCW network and infect it, a technique that wasn't yet known to the MIVD, according to director Eichelsheim. The latter sounds intruiging, but wasn't explained any further.

For an indication of what that mysterious Russian method might be, we can look at the techniques used by the NSA to hack into WiFi networks, which are also referenced to as 802.11 networks. The Snowden-trove provided several documents about this, some of which were published in August 2016 by the website The Intercept.

The NSA equivalent of the set-up found in the car of the GRU officers seems to be a mobile antenna system running software codenamed BLINDDATE. This software can also be attached to a drone to be positioned within the range ofa wireless network of interest:

The NSA's BLINDDATE Wi-Fi hacking system, depicted in the field in Afghanistan
(click to enlarge)

One of the components of BLINDDATE is a "man-in-the-middle" attack method codenamed BADDECISION, which redirects the target's wireless web traffic to a FOXACID server of the NSA. Such a server is then able to infect the target's computer with various kinds of spying malware. This method even seems to work when the wireless connection is WPA or WPA2 encrypted.

Slide from an 2010 NSA presentation of the BADDECISION Wi-Fi hacking method
(click for the full presentation)

SCS units

Such close access operations for American intelligence are usually conducted by units of the Special Collection Service (SCS). They operate covertly from inside US diplomatic facilites around the world and consist of specialized officers from both CIA (for getting physical or HUMINT access) and NSA (for the SIGINT interception equipment).

Interestingly, the GRU team had a similar composition with Aleksei Morenets and Evgenii Serebriakov as cyber operators and Oleg Sotnikov and Alexey Minin for HUMINT support.

The GRU team arrives at Schiphol Airport on April 10, 2018. From left to right: Serebriakov
(cyber), Minin (HUMINT), Sotnikov (HUMINT), Morenets (cyber), Russian embassy official.
(source: MIVD presentation - click to enlarge)

Traveling team

According to the DoJ indictment, Serebriakov and Morenets are both members of Unit 26165, also known as the GRU 85 Main Special Service Center, traveling to foreign countries to conduct on-site hacking operations. Evidence for that was provided by Serebriakov's laptop, from which the MIVD recovered the earlier Wi-Fi connections.

It appeared that they had also been in Rio de Janeiro, Brazil in August 2016 and in Lausanne, Switzerland in September 2016, where they targeted the anti-doping agencies WADA and USADA. In December 2017 the laptop connected to a Wi-Fi network in Kuala Lumpur, Malaysia, which related to the Flight MH17 investigation. After the OPCW in The Hague, their next assignment should have been the Spiez chemical laboratory in Switzerland.

Note that Serebriakov and Morenets traveled to targets related to some of the most controversial issues of Russian politics, which indicates their importance for GRU operations.

Embassy facilities

The fact that the four men were flown in, indicates that the GRU doesn't have such a team permanently stationed inside the Russian embassy in The Hague - just like there's also no SCS unit within the American embassy, according to a 2010 slide from the NSA.

The SCS units became notorious after it was revealed that one of them had been assigned to eavesdrop on German chancellor Angela Merkel and subsequently SCS "spying sheds" were discovered on the rooftops of a number of US embassy buildings.

The Russian embassy in The Hague, which is not very far from both the prime minister's residence as well as from the OPCW building, doesn't have visible spying structures on its roof.

The Russian embassy in The Hague. About 1/3 of the diplomatic personnel can
be considered working for Russian intelligence agencies.
(photo: - click to enlarge)


On November 30, 2018, the Dutch newspaper NRC came with a long piece about espionage by military officials from the Russian embassy in The Hague, a facility which includes six historic villas, a school, a tennis court and a range of satellite dishes, on a fenced area of ​​almost one hectare.

NRC journalists were able to identify several GRU employees working under diplomatic cover who were involved in various kinds of espionage activities. Most notable was Anton Naoemkin, who's official job at the embassy was Head of Protocol. He appeared to be the man who accompanied the GRU team at Schiphol airport as can be seen in one of the photos released in the MIVD presentation.

Naoemkin brought them to the embassy, where they were awaited by Konstantin Bachtin, who was also involved in the hacking attack, but who may also compromised the operation by constantly calling with Moscow - which may have been intercepted. NRC also mentioned that one month after the failed close access operation, the GRU conducted fishing mail attacks against the OPCW.


Referencing the "alibi" for the two Russians accused of poisoning Sergei Skripal, MIVD director Eichelsheim noted that the four GRU officers were clearly not on a holiday: they carried spying equipment, multiple cell and smartphones as well as 20.000,- US Dollar and the same amount of Euros in cash.

Also things like how Morenets tried to destroy a smartphone, several traces leading back to the GRU headquarters and the list of earlier Wi-Fi connections still stored on the laptop make the operation look sloppy and unprofessional. Actually it shows that the GRU didn't consider these kind of close access operations to be very risky, and the risk of being caught in the Netherlands not very high.

Plausible deniability

The presumed sloppiness is therefore no reason to lay back, but rather to be more alert. In hostile countries or high risk places, intelligence officers would make sure not to use and carry things that could to identify them or their mission so they can plausibly deny any accusations.

The cover story that the Russian foreign ministry came up with in this case is that there was nothing secret about trip of the four technical experts, as it was allegedly their job to test the cyber security of Russian diplomatic missions.

Prevention instead of monitoring

There were also some questions about how the Dutch services operated. Someone wondered for example why the MIVD didn't monitor the Russian hacking attempt for a short period of time in order to learn what kind of targets they were looking for - a common practice in cyber security.

During the press conference, MIVD director Eichelsheim said that the Russian equipment did not provide information about why the OPCW was targeted. We can assume that field operatives have no "need to know" for the actual purpose of the operation, which may also be classified differently. Maybe it was also already known that this particular GRU method is just used to get a general access to a network, instead of to particular users or files.

Another reason could be that the MIVD simply wanted to prevent any kind of attack on the network of an international organization like the OPCW - Dutch secret services can be quite strict when it comes to their legal tasks. This might have been different when the target had been a Dutch government agency, in which case it may be allowed to monitor a network intrusion for intelligence and prevention purposes.

Expelled instead of arrested

Another frequent question is why the Dutch authorities didn't arrest the GRU officers given the fact that they were caught red-handed. Instead, the four men had been immediately "escorted to a plane to Moscow" - not even formally expelled as some press reports suggest.

Here the most likely reason is that it's the usual practice in espionage to expel spies, especially when they operate under diplomatic cover. This not only prevents that a court case would attract public attention to intelligence failures and successes, but also that we can expect our own intelligence officials to be sent home instead of thrown in jail.

New strategy

A final question is why the MIVD came with such a unusually detailed presentation about a recent operation, given how extremely secretive the Dutch intelligence services are. But internationally there were precedents:

Last July, the US Department of Justice issued an indictment in which 12 Russian intelligence officials (mostly from the GRU) were identified and accused of hacking the Democratic National Committee (DNC) and the Clinton presidential campaign and subsequently releasing the stolen files using platforms like DC Leaks, Wikileaks and Guccifer 2.0.

In September, the British government also identified two GRU officers ("Alexander Petrov" and "Ruslan Boshirov") as the suspects in the case of the poisoning of former GRU officer and double agent Sergei Skripal in Salisbury in March 2018.

And just before the press conference in the Netherlands, the UK National Cyber Security Centre (NCSC) came with a statement in which the GRU was accused of "indiscriminate and reckless cyber attacks" including disrupting the Kyiv metro, Odessa airport, Russia’s central bank and two Russian media outlets, hacking a small UK-based TV station and cyber attacks on Ukrainian financial, energy and government sectors.

This makes clear that "naming and shaming" Russian intelligence officials is a new deterrance strategy of the Western allies in the hybrid cyber and information war that Russia inflamed a few years ago.

Links and sources
- Hoe de Russen (waarschijnlijk) probeerden de OPCW te hacken
- Heads rolling at the GRU? Blundering Russian intelligence
- The Rise of Russia's GRU Military Intelligence Service
- How Russian Spies Infiltrated Hotel Wi-Fi to Hack Victims
- A Tale of Two GRU Indictments
- Waarom de MIVD de Russische spionnen niet liet vastzetten

September 17, 2018

Trump's telephones in the Treaty Room

Under the presidency of Donald Trump, the White House became much less transparant than under previous administrations: most information has been stripped off the White House website and hardly any photos from behind the scenes are published. Therefore we see very little of how the White House rooms and West Wing offices are currently used.

But a new photo, released by the president's social media director a few days ago, now shows a glimpse of the so-called Treaty Room, in which president Trump and vice-president Pence received an update call on the emergency preparedness concerning the impact of Hurricane Florence:

Vice-president Pence and president Trump in the Treaty Room, September 15, 2018
(White House photo - click to enlarge)

The Treaty Room

The Treaty Room is on the second floor of the main building of the White House, the residential mansion, which includes both the ceremonial rooms and the private quarters of the president. The room is named after the peace treaty between the United States and Spain, which was signed here on August 12, 1898, ending the Spanish-American War. The signing is depicted in the large painting by Theobald Chartran.

Previous presidents used the Treaty Room as their private study where they could work during evening hours, as it is on the same floor as their private rooms. The picture below shows president Obama working behind a large table, which president Trump turned into the position it had under George W. Bush, along the wall on the west side. Given how empty the table and the credenza are, it seems that Trump doesn't use the room frequently.

President Obama in his private study in the Treaty Room of the White House. We see two black
Avaya/Lucent 8410 phones, a computer screen and an HP laser printer. March 2009.
(Callie Shell/Aurora Photos - click to enlarge)

Telephone equipment

In the recent photo with vice-president Pence en president Trump we see that on the large table in the Treaty Room there are the following three telephone sets:
- A Cisco 8851 IP phone (with a box on the back) for non-secure calls
- A Cisco 8851 IP phone for secure calls
- An IST-2 red phone

The two Cisco phones are the same ones as on the president's desk in the Oval Office, where they gradually replaced the older Cisco telephones.

Behind the two Ciscos there's a large gray telephone that can be recognized as an Integrated Services Telephone version 2 or IST-2, a device that was designed by Raytheon and subsequently manufactured by Telecore, Inc.

This IST is a so called "red phone", which means that it's connected to the Defense Red Switch Network (DRSN). This is the main secure telephone network for military command and control communications and connects all mayor US command centers and many other military facilities.

A special feature of the IST-2 is that one can make both secure and non-secure calls through this one single device. The phone itself has no encryption capability: any secure calls are encrypted in bulk before leaving the secure building, enclave or compound.

As part of a military telephone network, the IST-2 also has the distinctive 4 red buttons which are used to select the four levels of a system called Multilevel Precedence and Preemption (MLPP). This allows to make phone calls that get precedence over ones with a lower priority.

It's not really clear why there's an IST-2 in the Treaty Room and (at least visibly) not in the Oval Office. The two Cisco IP phones should be sufficient for any secure or non-secure phone calls, but it is possible that for connecting to military commanders it is still easier to use the IST-2 with its many direct line buttons.