NSA Codenames
Date: Wed, 1 Jan 2014 16:03:04 -0800 (PST)
From: xxxxxx[at]efn.org
To: cryptome
Subject: List of NSA/GCHQ codenames affiliated with hacking and bugging.
I have compiled a list of codenames used by the NSA/GCHQ that are affiliated with hacking and bugging. The recent series of Der Spiegel articles has resulted in a dramatic expansion of what is known about them.
I have also included my original spreadsheet, for the use of others who have been maintaining similar lists.
Send any comments or corrections to my twitter handle: @paulmd199, and I will seek to integrate them into a future expanded version, which will also integrate codenames from other areas, in order to form a more complete picture.
Original spreadsheet converted to HTML below: http://cryptome.org/2014/01/nsa-codenames.ods
| Codename | Price/ea | Description | Note |
|---|---|---|---|
| “Non Cooperative Wireless access point” | | Just what it sounds like. The owner of the wireless device doesn't know the NSA is using it. In short, it's been “pwned”. | |
| ALTEREGO QFD | | A “Question Filled Dataset” | |
| ANGRYNEIGHBOR | | A family of bugs implemented as RF retro-reflectors. These communicate with the use of an external radar wave generator such as CTX4000 or PHOTOANGLO. The signals are then processed by a system such as VIEWPLATE (for the VAGRANT video signal). Known implementations: LOUDAUTO (ambient audio), DROPMIRE (printer/fax), RAGEMASTER (video), SURLYSPAWN (keyboard/mouse). | See also: VAGRANT, DROPMIRE, CTX4000, PHOTOANGLO |
| ANTO LP PROTOSS GUI | | Spotted on IRONCHEF diagram | |
| ARKSTREAM | | Malicious BIOS flashing program, known to be associated with DIETYBOUNCE, SWAP | |
| ARTEMIS | | See ENTOURAGE | |
| BACONRIDGE | | Codename for a 4200 sq. ft. facility in Texas housing TAO, employing some 270 employees. Includes a datacenter with 200 racks covering 9,450 sq. ft. | |
| BANANAGLEE | | A software exploit made by Digital Network Technologies (DNT) for Juniper Netscreen ns5xt, ns50, ns200, ns500, ISG 1000, ssg140, ssg5, ssg20, SSG 320M, SSG 350M, SSG 520, SSG 550, SSG 520M, SSG 550M firewalls. Also works on Cisco PIX 500 series and ASA 5505, 5510, 5520, 5540, and 5550 series firewalls. Used for exfiltrating data from target networks. | See also: FEEDTROUGH, GOURMETTROUGH, JETPLOW |
| BLACKHEART | | Collection from an FBI implant | |
| BLACKPEARL | | Mentioned in context of the Petrobras story | |
| BLINDDATE | | Software included on SPARROW II mini computers. Also seen in another context on a QFIRE slide as part of a “TAO covert network.” | See also: STRAITBIZARRE, QUANTUM, SPARROW II |
| BSR | | Base Station Router, used for intercepting GSM cell phone signals. Ships with laptop and accessories; networkable with other units via 802.11. Supports CANDYGRAM and LANDSHARK capabilities. | |
| BULLDOZER | | PCI bus malicious hardware | Installed via “interdiction” |
| Byzantine Anchor (BA) | | “BA, a subset of Byzantine Hades, refers to a group of associated computer network intrusions with an apparent nexus to China.” | Source: Cablegate |
| Byzantine Candor (BC) | | Refers to a certain class of hacking by Chinese actors. Byzantine Candor is a subset of Byzantine Hades relating to intrusion, including by means of social engineering involving delivering malicious payloads by email. | Source: Cablegate |
| Byzantine Hades (BH) | | “a cover term for a series of related computer network intrusions with a believed nexus to China, has affected U.S. and foreign governments as well as cleared defense contractors since at least 2003.” Believed to be Chinese state-sponsored (the PLA in particular), though the evidence is tenuous (ca. 2009). In general, victims of Chinese-affiliated hacking are legitimate businesses, including defense contractors. They have been successful in exfiltrating large volumes of confidential emails and other sensitive documents. | Source: Cablegate |
| CANDYGRAM | $40,000.00 | Mimics a GSM cell tower. Also included in the package are a Windows XP laptop and a cell phone that communicate with the unit via SMS messages. Capable of targeting 200 phone numbers simultaneously. | See also: DRTBOX, Stingray, NEBULA, CYCLONE, TYPHON |
| CDR Diode | | Spotted on IRATEMONK, WISTFULTOLL diagrams (Note: must replay Appelbaum's talk about these) | See also: IRATEMONK, STRAITBIZARRE, SEAGULLFARO, UNITEDRAKE, WISTFULTOLL |
| CHIMNEYPOOL | | Software-based malware toolkit (“framework”), likely written in C/C++ (according to resumes posted online) | Known products written with it: COTTONMOUTH-I, COTTONMOUTH-II, COTTONMOUTH-III, DROPOUTJEEP |
| COMMONDEER | | Software-based malware used by the NSA. | See also: SEASONEDMOTH, VALIDATOR |
| CONJECTURE | | An RF communication protocol used by HOWLERMONKEY devices. | See also: HOWLERMONKEY |
| CONOP | | Not a codename: Concept of Operations | |
| COTS | | Commercial Off The Shelf. When a description of a bug says it is COTS-based, it means that the components are commercially available, giving the NSA deniability as to their true source. (Unless you just happen to be looking at the NSA's leaked product catalog.) | |
| COTTONMOUTH-I (CM-I) | $20,300.00 | USB cable with covert RF transmitter/receiver and malware payload | GENIE compatible; communicates with STRAITBIZARRE and other COTTONMOUTH devices; reprogrammable; probably related to DEWSWEEPER (possibly a subclass of the same) |
| COTTONMOUTH-II (CM-II) | $4,000.00 | A dual-stacked USB port (the kind that is soldered directly onto a motherboard), providing a covert “long haul” relay across airgapped systems. Like CM-I and many other systems, it is written with the CHIMNEYPOOL framework and communicates via STRAITBIZARRE. Unlike CM-I and CM-III, it does not incorporate HOWLERMONKEY or TRINITY. | See also: CM-I, CM-III, STRAITBIZARRE, CHIMNEYPOOL. Perhaps a subclass of DEWSWEEPER. |
| COTTONMOUTH-III (CM-III) | $24,960.00 | A dual-stacked USB port/RJ45 Ethernet jack combo (the kind that is soldered directly onto a motherboard), providing a covert RF relay across airgapped systems. Like CM-I and many other systems, it is written with the CHIMNEYPOOL framework and communicates via STRAITBIZARRE. It can communicate with other CM devices using the SPECULATION protocol. It also integrates TRINITY and the HOWLERMONKEY RF transceiver. | See also: CM-I, CM-II, TRINITY, HOWLERMONKEY, SPECULATION, CHIMNEYPOOL, STRAITBIZARRE. Perhaps a subclass of DEWSWEEPER. |
| CROSSBEAM | $4,000.00 | “the CROSSBEAM module consists of a standard ANT architecture embedded computer, a specialized phone component, a customized voice controller suite and an optional DSP (ROCKYKNOB) if using Data Over Voice to transmit data”. Communicates over GSM. Compatible with the CHIMNEYPOOL framework. Appears to be a WAGONBED controller board mated with a Motorola G20 GSM module. | See also: WAGONBED, CHIMNEYPOOL, ROCKYKNOB. |
| CRUMPET Covert Network (CCN) | | Sample drawing included printers, servers, and computers, all allegedly airgapped (but not actually, due to covertly installed hardware). | Spotted on IRONCHEF diagram |
| CRYPTO ENABLED | | Collection derived from AO's efforts to enable Crypto | |
| CTX4000 | | A radar wave generator; can produce up to 1 kW output with the use of external amplifiers. Designed for DROPMIRE and VAGRANT. Obsolete, replaced by PHOTOANGLO. | See also: DROPMIRE, VAGRANT, PHOTOANGLO |
| CUSTOMS | | Customs opportunities (not LIFESAVER) | |
| CW | | Continuous Wave, such as the ones generated by CTX4000 or PHOTOANGLO. | |
| CYCLONE Hx9 | $70,000 (2 month rental) | EGSM base station router, used for collecting GSM cell phone signals. Ships with laptop and accessories for command and control; uses the same GUI as the TYPHON. Controllable via 802.11 WiFi. | See also: TYPHON, CANDYGRAM, DRTBOX, NEBULA |
| DANDERSPRIT | | See DANDERSPRITZ | |
| DANDERSPRITZ | | Described as an “intermediate redirector node.” Another tool made by Digital Network Technologies (DNT). Spoofs IP and MAC address. | |
| DARKTHUNDER | | A SIGAD used for TAO, and thus QUANTUM, FOXACID, and the like. | See also: QUANTUM, FOXACID. |
| DEWSWEEPER | | USB (Universal Serial Bus) hardware host tap that provides a covert link over USB into a target network. Operates with an RF relay subsystem to provide a wireless bridge into the target network. | |
| DIETYBOUNCE | $0.00 | BIOS exploit for Dell PowerEdge 1850/2850/1950/2950 running BIOS versions A02, A05, A06, 1.1.0, 1.2.0 or 1.3.7 | Can be installed by a non-technical user with a USB thumb drive |
| DOCKETDICTATE | | | |
| DOGCOLLAR QFD | | A “Question Filled Dataset” | |
| DROPMIRE | | Passive collection of emanations using an antenna. A Tempest-style attack. | See also: VAGRANT, CTX4000, PHOTOANGLO |
| DROPMIRE | | Laser printer collection, purely proximal access (**NOT** implanted). A Tempest-style attack. | See also: VAGRANT, CTX4000, PHOTOANGLO |
| DROPOUTJEEP | | Apple iPhone malware. Infiltrates and exfiltrates SMS, files, contact lists, voicemail, geolocation, camera capture. Once installed, DROPOUTJEEP can be controlled via SMS messages or a GPRS data connection. | Installed either through physical access or remotely (a “future” plan, back in 2008) |
| DRTBOX | | Mimics a cell tower. Spotted in BOUNDLESSINFORMANT slides. See http://electrospaces.blogspot.com/2013/11/drtbox-and-drt-surveillance-systems.html for more details. | See also: CANDYGRAM, CYCLONE Hx9, TYPHON, EBSR, NEBULA |
| EBSR | $40,000.00 | Low power GSM base station router | See also: TYPHON, CANDYGRAM, DRTBOX, CYCLONE Hx9, NEBULA |
| EGOTISTICALGIRAFFE (EGGI) | | Malware; a successful Firefox exploit (attempted against Tor users) | |
| EGOTISTICALGOAT (EGGO) | | Firefox exploit against 10.0 – 16.0.2 | Exploits a type confusion vulnerability in E4X |
| ENTOURAGE | $70,000.00 | Application for the HOLLOWPOINT platform, including band-specific antennas and a laptop for command and control. Controllable via gigabit Ethernet. Future plans (circa 2008) included WiFi, WiMAX and LTE. | |
| EPICFAIL | | Attacks against dumb Tor users (?) | |
| ERRONEOUSINGENUITY (ERIN) | | Firefox exploit against 13.0 – 16.0.2 | |
| FA | | CNE (hacking) technique used against Tor users | |
| FAIRVIEW | | A corporate-run SIGAD, part of the NSA's “upstream” collection program, that permits “cyber” access. Thus it is probable that it is used in QUANTUM collection. | See also: QUANTUM, FOXACID. |
| FEEDTROUGH | | Malware for Juniper Networks' firewalls | |
| FEEDTROUGH | | A malicious BIOS modification that implants and/or maintains the BANANAGLEE and/or ZESTYLEAK Juniper Netscreen firewall exploits | Deployed on many target platforms |
| FERRETCANNON | | A system that injects malware, associated with FOXACID. | See also: QUANTUM, FOXACID. |
| FET | | Field Effect Transmitter | |
| FINKDIFFERENT (FIDI) | | A Firefox exploit, successful against 10 ESR, but failed against tbb-firefox | |
| FIREWALK | $10,740.00 | “FIREWALK is a bidirectional network implant, capable of passively collecting Gigabit Ethernet traffic and injecting Ethernet packets onto the same target network.” Integrates TRINITY and HOWLERMONKEY. Provides a direct or indirect covert RF link to the Remote Operations Center via a VPN. The version in the catalog requires soldering to a motherboard. | See also: HOWLERMONKEY, DANDERSPRITZ, TRINITY. Note: the unit physically appears nearly identical to CM-III. Perhaps a subclass of RADON. |
| FLUXBABBIT | $500.00 | A hardware-based bug for Dell PowerEdge 1950 and 2950 servers using Xeon 5100 and 5300 processors. Installation requires intercepting the server while it is en route to its destination, disassembling it and installing the hardware. | |
| FLYING PIG | | GCHQ SSL/TLS exploitation knowledgebase and tool | Used for MITM attacks against Petrobras et al. |
| FOXACID | | A malicious server that injects malware by means of spoofed legitimate-looking pages and performs MITM attacks | |
| FOXSEARCH | | Perhaps a database of all targets to be exploited with FOXACID | |
| FREEFLOW | | Context: “DROPOUTJEEP [and TOTEGHOSTLY 2.0] is compliant with the FREEFLOW project, therefore it is supported in the TURBULENCE architecture.” | |
| FREEZEPOST | | | |
| FRIEZERAMP | | A communications protocol that certain infected devices use to communicate with the NSA. It involves HTTPSlink2. | See also: TOTEGHOSTLY 2.0 |
| FUNNELOUT | | Mentioned in context of Tor exploitation | |
| GALAXY | | | |
| GECKO II | | IRONCHEF example included a hardware implant (MRRF or GSM), IRONCHEF persistence backdoor, “Software implant UNITEDRAKE Node” | Spotted on IRONCHEF diagram |
| GENESIS | $15,000.00 | A spectrum analyzer tool for covertly collecting and locating signals. A modified Motorola handset. Information downloaded to a laptop via Ethernet port. | |
| GENIE | | Multi-stage operation (jumping the airgap etc.); refers to certain classes of hardware that provide a wireless covert network in an allegedly airgapped environment. | See also: CM-I, CM-II, CM-III, HOWLERMONKEY, TOTEGHOSTLY 2.0 |
| GEOFUSION | | Related to the Petrobras story | |
| GINSU | $0.00 | Maintains KONGUR infection, should it be removed | Target systems: Windows 9x, 2000, Vista, XP, 2003 |
| GODSURGE | $500.00 | The software set for FLUXBABBIT, preconfigured at the factory but reconfigurable remotely. For Dell PowerEdge 1950, 2950 servers running Xeon 5100 and 5300 processor families. | See FLUXBABBIT, WAGONBED |
| GOPHERSET | $0.00 | Malware for GSM Phase 2+ SIM cards that use the SIM Toolkit (STK). Exfiltrates phonebook, SMS, and call logs via SMS to a predefined phone number. Installed either via a USB SIM card reader or remotely (over-the-air provisioning). | See also: MONKEYCALENDAR |
| GOURMETTROUGH | $0.00 | Maintains BANANAGLEE infection on Juniper Netscreen nsg5t, ns50, ns25, isg1000, ssg140, ssg5, ssg20 firewalls | See also: FEEDTROUGH |
| GREAT EXPECTATIONS | | NSA version of QUICKANT | |
| HALLUXWATER | | ROM-based exploit for Huawei Eudemon 200, 500, and 1000 series firewalls. Survives bootrom upgrades and OS upgrades. The NSA operator has the ability to execute arbitrary code on the infected system. | |
| HAMMERMILL | | See: HAMMERMILL Insertion Tool (HIT) | |
| HAMMERMILL Insertion Tool (HIT) | | Command and control system, designed by DNT for exploited Huawei routers | |
| HC12 | | An earlier micro-computer design the NSA used in bugs. | See also: JUNIORMINT, MAESTRO II, TRINITY |
| HEADWATER | | Software-based persistent backdoor for certain Huawei routers. Controlled via the HAMMERMILL Insertion Tool (HIT). | |
| HIGHLANDS | | Collection from implants | |
| HOLLOWPOINT | | GSM/UMTS/CDMA2000/FRS signal platform. Operates in the 10 MHz to 4 GHz range. Includes receiver and antenna. Can both transmit and receive. | See also: ENTOURAGE, NEBULA, GALAXY |
| HOWLERMONKEY (HM) | $750 - $1,000 | Covert short- to medium-range RF transceiver. Designed to be integrated with a larger device. Communicates over the SPECULATION and CONJECTURE protocols. Known products that include HOWLERMONKEY are: CM-I, CM-II, FIREWALK, SUTURESAILOR, and YELLOWPIN. | See: CM-I, CM-III, FIREWALK, YELLOWPIN, COTS, SPECULATION, CONJECTURE, STRIKEZONE. |
| HOWLERMONKRY | | See HOWLERMONKEY | |
| HUSH PUPPY | | GCHQ tool, related to exploitation | Related to the Petrobras story |
| IRATEMONK | $0.00 | Firmware-based malware for certain WD, Seagate, Maxtor and Samsung hard drives. Supports FAT, NTFS, EXT3, and UFS file systems. | |
| IRONCHEF | $0.00 | Malware used to maintain and, if necessary, reinstall the software component of systems implanted with the WAGONBED hardware trojan. | |
| ISLANDTRANSPORT | | “Enterprise Message Service” | |
| JETPLOW | $0.00 | Firmware-based malware for maintaining BANANAGLEE, a software-based malware, on Cisco PIX 500 series and ASA 5505, 5510, 5520, 5540, and 5550 series firewalls. | Widely deployed |
| JUNIORMINT | | A generic, programmable miniature computer for use in concealed bugs. Specs: 400 MHz ARM 9 microcontroller, 32 MB Flash, 64 MB SDRAM, 128 MB DDR2 and an “XC4VLX25 10752 Slice” FPGA. | See also: MAESTRO II, TRINITY, SPARROW II |
| KONGUR | | Malware payload, known to be deployed via KONGUR | |
| LANDSHARK | | See: EBSR | |
| LEGION JADE | | GCHQ cover term, somehow associated with FLYING PIG, which is a tool used for exploitation. It is probable that this term is also related to exploitation in some way. | See also: FLYING PIG, HUSH PUPPY, Byzantine Candor, Byzantine Hades, Byzantine Anchor. |
| LEGION RUBY | | GCHQ cover term, somehow associated with FLYING PIG, which is a tool used for exploitation. It is probable that this term is also related to exploitation in some way. | See also: FLYING PIG, HUSH PUPPY, Byzantine Candor, Byzantine Hades, Byzantine Anchor. |
| LFS-2 | | A processing system for VAGRANT signals returned by the PHOTOANGLO system. Requires an external monitor to display the signal. | See also: PHOTOANGLO, NIGHTWATCH |
| LHR | | Long Haul Relay | |
| LIFESAVER | | Imaging of the hard drive | |
| LOUDAUTO | $30.00 | An audio bug for a room. Implemented as an RF retro-reflector (ANGRYNEIGHBOR family). It therefore requires a unit such as CTX4000 to communicate back to the base. | See also: ANGRYNEIGHBOR, VAGRANT, CTX4000, PHOTOANGLO, DROPMIRE. |
| LP | | Listening Post | |
| MAESTRO II | $3,000 - $4,000 | A generic, programmable miniature computer for use in concealed bugs. Specs: 66 MHz ARM 7 microcontroller, 4 MB Flash, 8 MB SDRAM and an “XC2V500 500k gates” FPGA. Roughly the same size as a dime. | See also: JUNIORMINT, TRINITY, SPARROW II |
| MAGNETIC | | Sensor collection of magnetic emanations | Tempest-style attack |
| MCM | | Multi Chip Module | |
| MIDDLEMAN | | TAO covert network, i.e. a network that secretly connects airgapped computers to the internet. | |
| MINERALIZE | | Collection from LAN implant | |
| MJOLNIR | | An internal Tor test network ca. 2006, with software tools for the same | Mjolnir was the “Hammer of Thor”; possible pun – “hammer of Tor” |
| MOCCASIN | | A version of COTTONMOUTH permanently attached to a USB keyboard | |
| MONKEYCALENDAR | $0.00 | Malware for GSM Phase 2+ SIM cards that use the SIM Toolkit (STK). Exfiltrates geolocation data to a preset phone number via SMS. | See also: GOPHERSET |
| MULLENIZE | | “User agent staining”; malware | Mentioned in context of Tor unmasking |
| MUTANT BROTH | | GCHQ tool for identifying targets from data returned by QUANTUM products | |
| NEBULA | | A base station router for intercepting mobile telephone calls and data transmissions. Uses the TYPHON GUI. Networkable and controllable via 802.3 and 802.11. | See also: TYPHON, CYCLONE, DRTBOX, CANDYGRAM, EBSR |
| NEWTONS CRADLE | | GCHQ-run Tor nodes | |
| NIGHTSTAND (NS) | | Mobile hacking platform including laptop, case, and antennas. Targets Windows 2000 and XP running Internet Explorer 5-6. Attacks occur over WiFi and are alleged to be undetectable to the user. Capable of targeting several systems simultaneously. With the use of amplifiers, attacks can happen from up to 8 miles away. | |
| NIGHTWATCH | | Specialized system for processing, reconstructing and displaying video signals collected by VAGRANT and returned to a CTX4000 or PHOTOANGLO system. Obsoleted, replaced by VIEWPLATE. | See also: VAGRANT, ANGRYNEIGHBOR, CTX4000, PHOTOANGLO. |
| OCEAN | | Optical Collection System for Raster-Based Computer Screens | Either Tempest-style, or done by means of bugged cabling (?) |
| OCONUS | | Not a codename: “Outside CONtinental US” | |
https://cryptome.org/2014/01/nsa-codenames.htm
https://drive.google.com/file/d/0B2KHT-udZ8MUNHBNUnFhTmJCVnc/view