
EONBLUE: CSE’s Cyber Threat Detection Platform; Access Internet Core Infrastructure with 200 Sensors Across Globe

In Archive, Canada, CSEC, Internet, NSA Files, Surveillance on February 25, 2015 at 10:34 PM

02/11/2015

Matthew Braga/Motherboard:

You might not think Canada’s digital spies are on par with those in the US and UK—but rest assured, America’s northern neighbour is just as capable of perpetuating mass surveillance on a global scale. Case in point: at over 200 locations around the world, spies from Canada’s cyberintelligence agency have been monitoring huge volumes of global internet traffic travelling across the internet’s core.

From these locations, the Communications Security Establishment (CSE) can track who is accessing websites and files of interest. Its analysts can also log email addresses, phone numbers and even the content of unencrypted communications—and retain encrypted communication for later study, too—as well as intercept passwords and login details for later access to remote servers and websites.

But perhaps more importantly, tapping into global internet traffic is a means for CSE to monitor, and also exploit, an ever-growing list of digital threats, such as vulnerabilities in networks and computers and the spread of malware as well as botnets and the computers under their control. In the process, analysts can keep tabs on both friendly and foreign governments conducting covert cyber attacks and infiltration of their own.

Such vast access to the backbone of the internet is achieved through a program called EONBLUE. According to documents leaked by whistleblower Edward Snowden and published by Der Spiegel last month, the program is designed to “track known threats,” “discover unknown threats,” and provide “defence at the core of the Internet.”

[Slide image: cse-eonblue-1]

And while it may be tempting to dismiss this as yet another in a long line of revelations of mass surveillance, it is one of the clearest examples yet that Canada plays no small part in its Five Eyes partnership with intelligence agencies from Australia, New Zealand, the UK, and the US.

The meaning of threats, in this case, is two-fold: cyber attacks on network infrastructure and data, certainly, but also the online activities of terrorists believed to be plotting attacks against the physical world. The EONBLUE program is part of CSE’s Global Network Detection operations, which specialize in collecting signals intelligence from the movement of traffic online.

While the locations of EONBLUE sites are not disclosed in the documents, one slide makes reference to the internet’s “core” and describes EONBLUE’s ability to “scale to backbone internet speeds”—implying possible access to telecom operators, data centers, undersea cables and other infrastructure providers worldwide.

Such access would mean that much, if not all, of the data travelling through a location tapped by CSE could be subject to surveillance. Though the agency maintains it cannot legally track Canadians at home or abroad, it is hard to fathom how such data could be exempt.

As of November 2010, when the document was dated, EONBLUE had already been under development for over eight years. However, it isn’t clear from the slides for how long EONBLUE has been used, or whether it is still in use today.

According to network security researchers consulted by Motherboard, EONBLUE is likely a global-scale implementation of a technology known as Deep Packet Inspection (DPI).

[Slide image: cse-eonblue-2]

Such technology works by observing small portions of internet traffic known as packets, and matching the information describing each packet against a library of signatures—including known applications, protocols, network activity, and more. Internet service providers have been known to use DPI technology to identify subscribers using peer-to-peer filesharing protocols such as BitTorrent on their networks, for example. But such devices, generally speaking, can do much, much more.

Depending on how the system is configured, DPI hardware can: log the IP addresses of all users connecting to a website or webpage; log all activity from a certain IP, or blocks of IPs; identify applications being used on the network; look for cookies, email addresses, phone numbers, and other identifiers; identify encrypted traffic, and also the type of encryption used; identify the type of protocol a connection is using (for example, FTP or HTTP); locate the port that network traffic is connecting to or from; and, perhaps most concerning of all, modify certain types of traffic in real time, in such a way that neither the sender nor the receiver would know any such tampering took place.

In other words, such a device can be instructed to lay bare your activities online.
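As an added example (not code from the article, from CSE, or from EONBLUE), the following Python sketch does on a single constructed packet what the two paragraphs above describe: it parses the IPv4 and TCP headers to recover addresses and ports, identifies the protocol by matching the payload against a small signature library rather than trusting the port number, records whether the session content is encrypted, and pulls out the requested Host and any e-mail addresses that are visible only because the payload is cleartext. The signature library, the packet builder and all sample traffic are constructed for this example.

```python
import re
import struct

# Signature library (constructed for this example): protocol name, whether the
# session content is encrypted, and a matcher run over the first payload bytes.
SIGNATURES = [
    ("HTTP", False, lambda p: re.match(rb"(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n", p) is not None),
    ("TLS", True, lambda p: len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01),
    ("SSH", True, lambda p: p.startswith(b"SSH-2.0-")),
    ("BitTorrent", False, lambda p: p.startswith(b"\x13BitTorrent protocol")),
]
EMAIL_RE = re.compile(rb"[\w.+-]+@[\w-]+\.[\w.-]+")

def parse_ipv4_tcp(pkt: bytes):
    """Parse a raw IPv4+TCP packet (no link layer) into addresses, ports and payload."""
    ihl = (pkt[0] & 0x0F) * 4                       # IPv4 header length in bytes
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    doff = (pkt[ihl + 12] >> 4) * 4                  # TCP data offset in bytes
    return src, dst, sport, dport, pkt[ihl + doff:]

def classify(pkt: bytes) -> dict:
    """DPI step: identify the protocol by payload signature (not by port number),
    note whether the content is encrypted, and pull identifiers out of cleartext."""
    src, dst, sport, dport, payload = parse_ipv4_tcp(pkt)
    proto, encrypted = "unknown", False
    for name, enc, match in SIGNATURES:
        if match(payload):
            proto, encrypted = name, enc
            break
    host = None
    if proto == "HTTP":                              # which website was requested
        m = re.search(rb"\r\nHost: ([^\r\n]+)", payload)
        host = m.group(1).decode() if m else None
    # Identifiers such as e-mail addresses are recoverable only from cleartext payloads.
    emails = [] if encrypted else [e.decode() for e in EMAIL_RE.findall(payload)]
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto, "encrypted": encrypted, "host": host, "emails": emails}

def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample packet: minimal 20-byte IPv4 header plus 20-byte TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return ip + tcp + payload
```

A TLS ClientHello sent to a non-standard port is still classified as TLS, which is the point of signature matching over port numbers; the same mismatch (an unexpected protocol on a well-known port) is what a defender's sensor would alert on.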

It’s not clear what, exactly, EONBLUE is configured to monitor, but descriptions of other Canadian intelligence operations that rely on the program do offer some indication. For example, one document says that, thanks to EONBLUE, Canadian intelligence analysts identified a new type of malware, codenamed SNOWGLOBE, that they suspected was the work of French intelligence.

Because EONBLUE monitors network traffic, CSE was able to watch someone log into one of the remote computers, or listening posts, with which SNOWGLOBE communicated, and retrace the malware operator’s steps. This enabled Canadian intelligence to log in to the listening post themselves, and see the data SNOWGLOBE had transmitted from the computers it had infected.

Another document outlining a roadmap for EONBLUE development references a Canadian version of the infamous US intelligence database XKEYSCORE. At the NSA, XKEYSCORE allowed analysts to query such information as the content of emails, browsing history, telephone numbers and online chats between Facebook users that, until July 2013, were not encrypted by default.

[Slide image: cse-eonblue-3]

While it’s not clear how CSE’s XKEYSCORE functioned in practice, it’s clear Canadian spies were at least planning to develop a powerful database on par with that of its partner agencies in the US and UK—but using data that had been flagged by EONBLUE.

While the documents make it clear that EONBLUE relies on access to the internet’s core infrastructure—the physical cables and connection points across which most data in a geographic region travels—it’s not clear where, exactly, that access occurs.

“It’s difficult to understand how they’re doing this without violating the sovereignty and likely the criminal laws of at least some countries, allied countries even, abroad,” said Tamir Israel, a staff lawyer at the Canadian Internet Policy & Public Interest Clinic (CIPPIC).

One slide suggests that EONBLUE sits on top of existing collection programs such as SPECIALSOURCE, sometimes referred to as Special Source Operations (SSO)—a term that has been used in other documents to indicate direct access to fibre-optic cables and ISPs.

[Slide image: cse-eonblue-4]

In other words, CSE’s partner agencies—or another division within CSE itself—are likely responsible for gaining physical access to internet infrastructure, and then making that data available to programs such as EONBLUE.

Curiously, one slide within the document hints at the existence of an Australian extension of EONBLUE operated by the Australian Signals Directorate. Another refers to a Canadian special source. Whether that data source is located in Canada, or is a Canadian operator of infrastructure abroad, remains unclear.

According to documents jointly published by The Intercept and CBC, a CSE program codenamed LEVITATION tracked users downloading certain files from popular filesharing networks worldwide to identify extremists, while another program codenamed PONY EXPRESS sifts through millions of emails sent from Canadians to government agencies in a bid to detect potential cyber threats.

While there is no explicit link between the programs in any of the documents that have been publicly released, CSE could have instructed EONBLUE to flag the IP addresses of every user who attempted to access a bomb-making guide, for example, and send that information to a database for later analysis by LEVITATION.

The data analyzed by PONY EXPRESS can be obtained using deep packet inspection technology. DPI hardware can also flag all internet traffic destined for a particular IP address, or range of IP addresses, such as those belonging to the Government of Canada. It’s possible that CSE’s EONBLUE program—which is believed to be based on DPI technology—could be the first step in flagging email traffic for further analysis by PONY EXPRESS.

It’s hard to overstate the importance of what’s happening here. There are more eyes than we realize watching our data as it travels around the world. And it’s programs such as EONBLUE that prove the Canadian government is playing a much larger role in monitoring the internet than most might think—with a prowess that rivals both NSA and GCHQ.
