CSEC's LANDMARK tool for CNE operations - Lux Ex Umbra 20140817

CSEC's LANDMARK tool for CNE operations - Lux Ex Umbra 20140817

The recent c't Magazin article about Five Eyes methods of detecting computer devices vulnerable to exploitation (Julian Kirsch, Christian Grothoff, Monika Ermert, Jacob Appelbaum, Laura Poitras & Henrik Moltke, "NSA/GCHQ: The HACIENDA Program for Internet Colonization," c't Magazin, 15 August 2014) contains several slides from a CSEC presentation, apparently from 2010 or perhaps 2011, concerning a tool or program called LANDMARK:

As the first two slides indicate, LANDMARK is a tradecraft method or program used to identify "Operational Relay Boxes" (ORBs), computers that can be commandeered for use as "covert infrastructure" in Computer Network Exploitation (CNE) operations. ORBs are used to "provide an additional layer of non-attribution" (i.e., to make it more difficult to identify the perpetrator) for hacking operations to penetrate ("exploit") other computer networks, probably normally in a third country, and steal ("exfiltrate") data.

ORBs are sought in "as many non 5-Eyes countries as possible".

Other slides indicate that LANDMARK operations are at least partially automated and incorporated into CSEC's OLYMPIA "network knowledge engine" (further discussed here).

The slides also indicate that LANDMARK operations draw, at least sometimes, on information collected by GCHQ's HACIENDA tool, which searches for and compiles data on the vulnerabilities of computer devices, covering in many cases the computer infrastructure of entire countries. (See more on HACIENDA in the c't article.)

The description on the slide above notes that a February 2010 LANDMARK operation "encompasse[d] the whole of LONGRUN", possibly meaning that an entire country's infrastructure was examined. Twenty-four CSEC "network exploitation analysts" managed to identify more than 3000 potential ORBs in just a few hours.

This slide appears to show some of the HACIENDA data used in the February 2010 operation (the data is mainly from 2009, but it includes some items as recent as February 2010). You will probably need to go to this PDF version of the documents if you want to read the fine print for yourself. Interestingly, the computer screen capture, from CSEC's OLYMPIA tool, indicates that all the data shown pertained to Kenya. Is Kenya LONGRUN?

The slide notes that "network analysis" was "still manual" at this time.

By contrast, this slide suggests that, by the date of the presentation, "network analysis tradecraft to identify vulnerable devices" had become more automated within the OLYMPIA tool.

The final slide, which appears to refer to a more recent case involving a GSM provider that NSA's Tailored Access Operations directorate wanted to access, reports that an automated search for vulnerable devices using OLYMPIA took less than five minutes to perform.

The full set of slides that were published by c't Magazin, including excerpts from NSA and GCHQ documents as well as those from the CSEC document, is available here.

Update 25 August 2014:

Colin Freeze, "The Landmark file: Inside Canadian cyber-security agency’s 'target the world' strategy," Globe and Mail, 25 August 2014. Note the very interesting and previously unpublished comments by former CSEC Chief John Adams:

“We’ve got some bright young kids,” retired spymaster John Adams once told The Globe in an interview. “Virtually everything – 90 per cent of what they do – is CNO [Computer Network Operations] now. It opens it up to where they can literally go out and target the world.”

Update 27 August 2014

Patrick McGuire, "Canada’s Cyberspy Agency, CSEC, Hijacks Computers Worldwide to Build Their Spynet," Vice, 26 August 2014

Leave a Reply

Your email address will not be published. Required fields are marked *