NSA Foreign Satellite (FORNSAT) Exploitation
Transcript
Welcome to the Spy Collection, Digital Edition where we’re looking at spy artefacts that only exist in digital format. This is Anastasios and today we’ll look at a slide deck from the United States National Security Agency. An agency that among others has one of the largest Signals Intelligence, or
SIGINT, organisations in the world. The slides we are going to see came from Edward Snowden’s archive. Specifically, they were publicly released for the first time in March 2018 by The Intercept in this article. One of the most stereotypical visualisations of SIGINT organisations is photographs of large dishes or domes which hide similar antennas.
Those domes typically have a dual purpose, one is to protect the antennas and the other is to conceal their technology and orientation. This is a classic SIGINT capability. They are basically used to receive whatever satellites of interest broadcast, and then pass that data to processing centres.
That could be a country’s own spy satellites sending back data, or any foreign satellite, commercial or government-operated, that they want to spy on. This is also why multiple antennas are needed and in multiple geographical regions, to be able to capture many transmissions from various satellites regardless of their orbit. When that slide deck was leaked, this was part of
NSA’s GAO, or Global Access Operations division under the Data Acquisition of the Signals Intelligence Directorate. GAO had the Radio Frequency Office and in there is where we find the Foreign Satellites or FORNSAT. And this is where we start.
As usual, we have reconstructed the slide deck and here is this version of the NSA’s “Managing the Challenge”. So, the revelations of that slide deck started quite early with this. What you see here is a small collection of commercial companies that offer satellite communication services. Actually, you might
have heard of some of them like Iridium phones or Inmarsat, Intelsat, etc. All of them offer subscription services for anyone to buy phones or radios that operate via their satellite networks. Typical users of those are the maritime sector, search and rescue teams working in disasters or remote locations, hikers, and others operating in remote locations.
Of course, it’s not unheard of that criminals, military personnel, as well as intelligence agencies use them too in case all other means fail. Especially considering that this slide deck is from 2013 or so, it is reasonable to see why the NSA would be interested in spying on those communications.
That makes them the SATCOM targets. But how was this done? Using the Foreign Satellite Communication Exploitation Model. This model involved a few different stages. The first was the FSS, or Fixed Satellite Services. As the title implies, those were things like antennas, known satellite communications networks like Intelsat and the former Soviet Union’s
satellites, other private satellite networks, as well as a project that the FIVE EYES were running between 2007 and at least until 2013, the SV. SV or SHAREDVISION was a FIVE EYES project to expand their satellite collection by adding more antennas and utilising more sites around the globe for better coverage on all satellite broadcasts of interest.
As mentioned, some of those commercial providers also offered mobile satellite services, so that was the second target. The MSS, or Mobile Satellite Services. So, assuming all that infrastructure is in place and is collecting
broadcasts of interest, then comes the S&S. The Search & Survey. The screenshots that you see under the “GET IT” column were from a FIVE EYES exploitation system codenamed as DQ, or DARKQUEST. This was part of the SHAREDVISION that we already talked about and what it was doing was inspecting the received data and making automated analysis on the type of data.
For example, it could identify that this was a phone call, that was a VPN connection, this is a message, etc. In the SIGINT world, this kind of tooling is referred to as an automated survey system. With this information at hand, the S&S
model moves to the second stage, the “KNOW IT”. Here the slide shows us that the collected satellite communications are processed in the EKB, this likely stands for Exploitation Knowledge Base, and it has a dual purpose. One is to add the newly acquired information, and the second is to correlate it with any existing information. And finally, all that information
was available to the FIVE EYES SIGINT analysts via a tool known as GLOBALVIEW. You can see some screenshots of it here. And that was how FORNSAT exploitation was executed by the NSA and the rest of the FIVE EYES in 2013. However, the presentation goes one step further, giving us some real-world success stories of it. Actionable SIGINT. In the world of spies,
actionable intelligence means an intelligence product, like a report, that the recipients can use to take an action against a target. For example, details that can lead to the capture or assassination of an individual, what exactly a foreign politician has in his agenda for an upcoming meeting, where will a person of interest be and when, etc.
And the first example was Mullah Dadullah Lang who was a Taliban military commander and in 2007 was killed in Afghanistan. As we read in this official NATO press release: As reported earlier today by the Government of Afghanistan, Mullah Dadullah Lang left his sanctuary into Southern Afghanistan where he was killed in a US-led Coalition operation supported by ISAF.
Well, now we know that what led to his assassination was foreign satellite exploitation. Meaning, he or some of his associates, used a satellite phone to communicate and that was picked up by the NSA who made an intelligence package and passed it to the coalition forces.
The next case study was Harun Fazul. An Al-Qaeda leader from East Africa, operating mainly in Kenya, who later became an Al-Shabaab commander in Somalia too. He was killed in Mogadishu, Somalia on June 7th, 2011
while driving with another terrorist in a car with large amounts of cash in US dollars, electronic devices, and fake passports. They were stopped at a Somali military checkpoint in Sarkuusta and tried to escape. The soldiers killed both of them. Based on this and the leaked NSA slide, we can
assume that the NSA had detected Harun Fazul’s movements via foreign satellite exploitation, passed the intelligence to the relevant U.S. forces in Somalia and worked with the Somali military to stop that car at that checkpoint. Next, Abdelmalek Droukdel was an Algerian leader of Al Qaeda in Morocco and later became the leader of the Al-Qaeda in the Islamic Maghreb, or AQIM.
He was also arrested and actually in 2020 he was killed in a French special operations mission in Mali, Africa. And here we have Nader Shah who was arrested. The JFK airport terrorist from 2007.
That was a plot to blow up a system of jet fuel supply tanks and pipelines that feed fuel to the JFK International Airport in New York. The plot involved 5 people and in the photo shown here is Kareem Ibrahim who was sentenced to life in prison. Suicide bombers were arrested via foreign satellite exploitation, and at last, the UK Airport Terrorist which
almost certainly refers to the two individuals behind the Glasgow Airport attack in June 2007 that were also arrested. In this case, a jeep loaded with propane canisters was driven at the glass doors of the Glasgow Airport terminal and set ablaze. And what the NSA exploited for
most of those cases was the commercially available Inmarsat constellation of satellites. This is known, even to this day, as I-4 and it provides Internet and telephony connections anywhere on Earth, except the polar regions. Back when this slide deck was written, the official I-4 satellites’ description was: Geosynchronous constellation providing mobile
communications at sea, on land and in the air. BGAN stands for Broadband Global Area Network and is a global satellite network with telephony owned by Inmarsat using portable terminals. FleetBroadband is a maritime satellite internet, telephony, SMS and ISDN network for ocean-going vessels using portable domed terminal antennas. SwiftBroadband is an internet communications network that provides an ‘always-on’ data connection for aircraft globally.
And ISatPhone is Inmarsat’s handheld satellite phone. So, those were the products that the company was offering at that point. Actually, most of them exist to this day too. But how did the NSA take
advantage of this company’s satellite services? Via a program codenamed SEADIVER. As we’re reading: SEADIVER is a system that collects, processes, and forwards voice, fax and data traffic transmitted over the INMARSAT-III satellite systems from Foreign Satellite and SCS/TRYST collection facilities. SCS stands for Special Collection Service and
it was a covert joint operation between the NSA and CIA to utilise US embassies around the world to collect signals intelligence. Basically, CIA has a presence in most, if not all US embassies, so the NSA made a secret agreement with CIA to install SIGINT equipment in those embassies to collect communications. In a similar manner, TRYST was a codename for
British GCHQ spies operating clandestinely in UK’s foreign embassies. Just like the SCS case, TRYST was a joint covert operation to install covert SIGINT equipment to collect communications in those embassies. So, the NSA could use their own and their allies’ SIGINT stations as well as
embassies to install this spying equipment to receive satellite communications, and it was called the SEADIVER. Next was a program codenamed ZODIACARRAY which is described as: the system that targets Broadband Global Area Network (BGAN), a digital service providing rates of up to 492 kbps.
It is IP based activity to include voice. It is transmitted over the INMARSAT-IV satellite systems. So, ZODIACARRAY was used to spy on the BGAN product on Inmarsat and the last one was, CANYONDUST. It says: It is a ground based INMARSAT mobile terminal geolocation system that computes
geo-locations on all INMARSAT M, mini-M, M4, B, and C terminals, within its coverage region. The geo-locations are performed on the registration, access request, response bursts, or SCPC. The coverage region is defined as an area that is serviced by at least two INMARSAT satellites.
This is a very interesting capability since the NSA was able to use CANYONDUST to identify the exact location of the terminal that was used to communicate with the INMARSAT satellites. We can assume that while doing the operations mentioned, like access request, response bursts, or Single Channel Per Carrier satellite links, the data included the coordinates of the terminal
or something similar for the mentioned models, thus allowing the NSA to know exactly where they are physically located during the communication. And that was this small slide deck on how the NSA was exploiting commercial satellite communications products for signals intelligence. We went through the Foreign Satellite Communication Exploitation Model, the Search &
Survey methodology, and even briefly described several previously unknown SIGINT programs like the SHAREDVISION of the FIVE EYES, DARKQUEST, GLOBALVIEW, CANYONDUST and others. We even saw how US and UK embassies were clandestinely utilised to install covert SIGINT equipment for satellite exploitation, and finally, how even a private company, like Inmarsat in this case, has to put security first since minor issues could expose
even the exact location of their customers. The next time you come across a satellite product, an embassy with some concealed antennas, or even while browsing the internet on a cruise ship or an airplane, keep in mind that someone could be listening... Nothing is as it seems