NSA AURORAGOLD

8/10/2019 NSA AURORAGOLD

1/63

(U//FOUO) AURORAGOLD

(S//SI//REL) Project Overview: The mission of the AURORAGOLD (AG) project is to maintaindata about international GSM/UMTS networks for the Wireless Portfolio Program Office(WPMO), the Target Technology Trends Center (T3C/SSG4), and their customers. Analysis of thisdata supports:

a) An understanding of the current state,b) Trending, or time-series analysis, from the past through to the future, andc) Forecasting of the evolution of global GSM/UMTS-based networks.

This analysis and developmental activity is currently focusing only on GSM/UMTS infrastructure,

SECRET//COMINT//REL TO USA AUS CAN GBR NZL

voice-data convergence, UMTS technology migration, and UMTS technology deployments.Coincident beneficiaries of this mission are, among others, other NSA SIGDEV elements, protocolexploitation elements, and Five-Eyes Partner SIGDEV organizations.

(C//REL) Alignment: Supports NSAs and SIDs imperative to Know the Future.

(C//REL) Sponsors: WPMO/S3W

(C//REL) Customers: WPMO/S3W; T3C/SSG4; Various S3 collections organizations;numerous IC organizations

(C//REL) Architecture and Infrastructure: Custom-built application based on OZONEframework, using GOLDENCARRIAGE corporate servers for all application and datastorage



2/63


(S//SI//REL) Corpus:Will contain: Unclassified: Complete replica of Informa Telecoms and Medias World Cellular Information Service(WCIS) queryable database to eventually compare data against that collected from SIGINT Classified: SIGINT-collected IR.21 (International Roaming agreements) documents from around theworld, parsed of their information, analyzed, and giving users the ability to trend this informationover time (time-series analysis). In addition, e-mail selectors from within IR.21s and from SIGINT


,

(C//REL) Content: Portion of the WCIS data available via NSANet GUI; remainder to be completed within 2-3 months Currently, Phase 1 contains a small database of worldwide wireless networks being comparedagainst IR.21s from SIGINT to establish our baseline

(C//REL) Capabilities:

Soon, complete WCIS repository to be copied to NSANet for querying by all NSA and 2PPartners Later, agile querying through entire IR.21 and WCIS databases, with capability to perform time-

series analysis via visualization application



3/63

(U//FOUO) AURORAGOLD RepositoryCONFIDENTIAL//REL TO USA AUS CAN GBR NZL

Networks & Suppliers

Handsets & Devices

Network Features

Network Coverage

License

License Spectrum

CONFIDENTIAL//REL TO USA AUS CAN GBR NZL


4/63

(U//FOUO) AURORAGOLDCONFIDENTIAL//REL TO USA AUS CAN GBR NZL

(C//REL) Demonstration Script (Only capability currently available is basic querying against small portion of WCIS database) Go to Click on any of the brown boxes Select your search criteria Select your query result criteria Click Submit

View the results

CONFIDENTIAL//REL TO USA AUS CAN GBR NZL


5/63


Workin Grou

SECRET//SI//REL TO FVEY

(S//SI//REL) Shaping understanding of the global GSM/UMTS/LTE landscape

SIGDEV Conference 6 June 2012

Derived From: NSA/CSSM 1 52Dated: 20070108

Declassify On: 20370501

This briefing is classified:TOP SECRET//SI//REL TO FVEY



6/63

Agenda

(U//FOUO) What is AURORAGOLD? (U) Why come to us? (U) Our value proposition

(U)



(S//SI//REL) First-hand insight into industry changes (U//FOUO) Targeting efforts (U) Notable successes (U) Future plans (U) Discussion!



7/63

What is AURORAGOLD?

(S//SI//REL) Database of Mobile Network Operators

MNOs networks and

(S//SI//REL) Targetdevelopment effort against

MNOs roamin hubs and

(U//FOUO)


(U) Team of analysts, developers, and wireless SMEs working on:

PWIDs from collectedGSM/UMTS/LTE roamingdocuments (IR.21s)

working groups


(U) Fusion of open source, commercial datawith SIGINT to answer wireless needs


8/63

Why come to us?

(S//SI//REL) Extensive, global IR.21 data vetted bySSG4 analysts:

701 networks of estimated 985 (as of 15 May 2012) First-hand SIGINT information direct from MNOs

(U)


ost compre ens ve set o . -re ateemail selectors and keyword-based tasking:

1201 actively managed email selectors (as of 15 May 2012) (U//FOUO) Foundation for worldwide mobile wireless

network trending and forecasting Includes visibility into changing industry standards and practices



9/63

How can we help you?(U)


(S//SI//REL) Example: AFRICOM IKD-OPS requires information concerningthe SMS Gateway domains for:Libyana mobile (libyana.ly) and AlMadar Al Jadid (almadar.ly). We


e eve ese are e on y wo mo eproviders in Libya but if you haveinformation to the contrary please letus know.

3 March 2011


10/63

Weve done the research

(S//SI//REL) Quickly identified collected IR.21s (U//FOUO) Pushed information out to

customer through product reporting

(U)



DOCN 000028528ZNY ZNY MMIVXZKZK ZKZK RR SOL DEPDTG R 162037Z MAR 11FM FM DIRNSACL S T O P S E C R E T UMBRA US/UK/CAN/AUS/NZ EYES ONLY QQQQXXMM XXMMENP01FOO11075

SERI SERIAL: 3/OO/506998-11

T GS TAGS: LIC CCOM CLOG COEF CORG CPER CTEC CTPH LI

SU J SUBJ: Libya/Telecommunications: Two Libyan Mobile Phone CompaniesProvide Updated Network Information, June and December 2010(S//SI//REL TO USA, FVEY)


11/63

SIGINT Value Al Madar IR.21(S//SI//REL)

TOP SECRET//SI//REL TO FVEY


Extracted from 3/OO/506998-11


12/63

SIGINT Value Al Madar IR.21(S//SI//REL)





13/63

IR.21s in AURORAGOLD(S//SI//REL)





14/63

We monitor the industry

(S//SI//REL) Visibility into changing standardsand practices for:

Roaming

(S//SI//REL)


Billing Interoperability

GSM Association (GSMA), a Swiss associationthat drives the GSM/UMTS/LTE space



15/63

Roaming Agreement EXchange (RAEX)

(U) Next-generation roaming exchange process (U) Well-defined XML schemas instead of

semi-structured data in multiple formats

(S//SI//REL)


U Emai i e y gives way to SSL sessions witcentral server(s)


(S//SI//REL) SIGINT Access SIGINT Value Automated Analytics

Old IR.21s Easy Great Nearly impossible

RAEX IR.21s Difficult Even greater! Easy!


16/63

Targeting Efforts

(S//SI//REL) MNO roaming coordinators, hubs,GSMA working groups, ROAMSYS

(S//SI//REL) ~100% of MNOs in WPMOs Top 20

(U//FOUO)



Category Contains

4002 IR21 senders/receivers

3918 GSMA and SIGDEV

Tag Contains

AGIR21 IR21 senders/receivers

AG_USER Individual (usually sender)

AG_ALIAS Alias (usually receiver)

MCC/MNC [###][###] IR21 s/r for given network

AGRAEX RAEX working groups

roaming hub Roaming hub contacts


17/63

Email Address Selectors(S//SI//REL)




18/63

Notable Successes

(TS//SI//REL) Characterization of IR.21 collection from 67high-priority networks (DSD)

(TS//SI//REL) Most recent IR.21s from Egypt (S2E) (S//SI//REL) Assessment of IR.21 collection related to a

(U)


possible new Chinese network (S2B) (S//REL) Sole source of IR.21 collection, ingest, and

processing for RONIN; >200% improvement (NAC) (S//SI//REL) Working toward enterprise sharing of

licensed, commercial data Today: WiMAX data with JUBILEECORONA (S3516)

(TS//SI//REL) Reporting on GSMA standards and practicesTOP SECRET//SI//REL TO FVEY


19/63

Future Plans

(S//SI//REL) RAEX IR.21 collection and ingestproviding more query possibilities including:

LTE information

Technolo ies E ui ment

(U)


Frequencies (S//SI//REL) AURORAGOLD user interface enabling

SIGINT production chain access for querying and

trending (S//SI//REL) NKB partnership



20/63

Discussion

(S//SI//REL) What are your ideas, suggestions,and analytic needs with respect to:

roaming and network information discovery and

(U)


GSMAs standards setting activities?

(S//SI//REL) What are we missing? Are there

data elements we should seek out to helpmeet your needs?



21/63

Work with us!

(U//FOUO) To contact the AURORAGOLD teamwith an RFI, please use GLOBAL TIPPER

(U)

UNCLA SSIFIED//FOR OFFICIAL USE ONLY

(U//FOUO) WikiInfo: wi AURORAGOLD (U//FOUO) Email:



22/63


(U) BACKUP SLIDES(U//FOUO) AURORAGOLD



23/63

AG/GSMA Reporting

Serial Topic

3/OO/506998-11 (S//SI//REL) Libyan MNO information

3/OO/556211-11 (S//SI//REL) Launch of RAEX; ROAMSYS and GSMA

3/OO/515656-12 (S//SI//REL) GSMA standards releases/changes for 2012

(S//SI//REL)


.2/OO/502330-12 (S//SI//REL) GSMA database of Type Allocation Codes (TACs)



24/63

GSMA Working Groups(S//SI//REL)



(U) Known as of 10 May 2012


25/63

IR.21 Data Extraction(S//SI//REL)

(U) Content

Field AG R

MCC/MNC x x

Operator name x x

(U) Metadata/SRI

Field AG R

SIGAD x x

Case notation x x


pera or coun ry x xEmail addresses x

Access point information x

Autonomous system number x

DNS names & IPs x

Inter PLMN backbone IPs xGPRS Roaming Exchange (GRX) x

x xPINWALE Date Time Group x x

PINWALE category & keywords x

Email From & date x

Source & destination IP x

Filename xPDDG x



26/63

Metrics: Network Discovery(S//SI//REL)


600

700

800

(S//SI//REL) GSM/UMTS/LTE Networks Discovered in SIGINT


0

100

200

300

400

500

New Networks

Confirmed Networks


27/63

Metrics: Network Discovery(S//SI//REL)


(S//SI//REL) 701 confirmed 985 estimated

(S//SI//REL) GSM/UMTS/LTE NetworkCoverage


(as of 15 May 2012)


28/63


29/63

Metrics: Tasking(S//SI//REL)

1000

1200

1400

1600

(S//SI//REL) Strong Selector Targeting


2011-11 2011-12 2012-01 2012-02 2012-03 2012-04

Net change in tasking 363 1 782 206 2 -143

Total tasked 363 364 1146 1352 1354 1211

Extracted from IR.21s 564 1040 527 517 785 711

-400

-200

0

200

400

600

800



30/63

RAEX Adoption in SIGINT(S//SI//REL)


(S//SI//REL) What we've seen so far... (TS//SI//REL) What we expect...

(S//SI//REL) 36/699 networks(Apr 2012; AURORAGOLD)


5% 21%

(TS//SI//REL) 202/985 networks(19 Apr 2012; 3/OO/515656-12)


31/63

TOP SECRET//COMINT//REL TO USA, FVEY

(S//REL TO USA, FVEY ) IR.21 A Technology


SDC2010

SSG4/T3C Technical Director

Derived From: NSA/CSSM 1-52Dated: 20070108

Declassify On: 20341201


32/63


Classification

This briefing is classified:


,


33/63


(U//FOUO) Todays Agenda

. (U) Emerging Operating Model for Trends and Forecasting

. (U) Wireless Evolution Paths

. (S//REL TO USA, FVEY) Analytic Framework


. (S//REL TO USA, FVEY) Meet AURORAGOLD

. (U) An Invitation to Join Your Use CasesIncludes Home Work Assignments


34/63


(U//FOUO) Effective Forecasting:Geopolitical Regions and Targets

Regions &Targets

TechnologyTrends

Discovery

What geographies are of national interest to ourcustomers?What organizations and individuals must wetarget to answer our customers questions?How does those targets communicate?

How is technology evolving?How are technology andtelecoms evolving in regions of interest?How do we expect targets touse emerging technologies?What is the SIGINT threat of

How should discovery informwhat targets/geographies wefocus on next?How do we discover targetadoption of a technology?

Discovery

alsocritical


Vulnerabilities

Capabilities

Delivery

these emerging technologies?

What vulnerabilities are critical tocurrent success (i.e. where are ourrisk areas)?How do we discover vulnerabilities?How do we introduce vulnerabilitieswhere they do not yet exist?

What capabilities do we need to develop to take advantage of technologyvulnerabilities?What techniques to do we deploy to take advantage of those vulnerabilities (e.g.CNE, supply chain, mid-point, etc.)What role does enabling, cooperative access, HUMINT, 2nd parties, etc. play inbuilding those capabilities?

What products/services do weproduce for which customers?What is workforce makeupand how are they distributed?What role do partners play?

SIGINT PLANNING

CYCLE


35/63


(U) Two Types of Investigations

. (S//REL TO USA, FVEY) Horizon ScanningObjective: Initial identification and assessmentAll source researchAnswer the question: Does this technology appear to be a large risk to the SIGINT system? Why or why not?


. (S//REL TO USA, FVEY) Deep DiveObjective: Cause a funding decision(s)All source research; emphasis on geographic uptake trends; targetuptake plans or vignettes.Answer the question: Are SIGINT targets taking up this technology?How fast?Implicitly contrast the above with the cost and time needed toremediate any SIGINT system shortfalls.


36/63


37/63


(U) Roaming Agreements

.(U)

Allow a mobile subscriber to use resources on a visitednetwork Each carriers IR.21 is a technical document that:

Describes the operator itself in various waysLocation, business codes, etc.

Describes access to the IP network of the operator


, , , .Describes:

Radio Access Network: technology(ies) type(s)Frequency(ies)Telephony routing information (MSISDN ranges; E.212)SCCP gateways (Point codes)Mobile Application Part protocol in use

Hardware, software versions of certain network elements

. (S//REL TO USA, FVEY) Hypothesis: We can identify and track a carrierstechnical evolution with IR.21 and other data.


38/63


(U) 3G Wireless StandardsEvolution Overview

IS-856 Rev B(MC, 64QAM)

IS-1006-A(EBCMCS)

1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009

IS-1006(BCMCS)

3GPP2

IS-856 Rev 0(1xEV-DO)

IS-856 Rev A(Optimized UL& VoIP)

Opt.VoIP

UMBRev. 0 (FDD)Rev. A (TDD)

IS-2000(CDMA2000 1x)

Mobility

OFDM

OFDM

IS-856 Rev C(MIMO/SDMA,DO Enhancements )1x-adv (IS-2000)

2010

eHRPDEPC

Primarily FDD w/TDD o tions

2011


Note: Dates shown are standards completion dates (or expected completion dates.) Initial VoIP not as spectrally efficient as Optimized VoIP. Mobility indicates when each particular standard supports mobility inter-operability between the terminal and BTS.

IEEE/WiMAX Forum

Rel-5(HSDPA)

Rel-6(E-DCH,MBMS)

R-99(UMTS)

Rel-7(EnhancedHSDPA)

802.16e

Wave1&2

802.16

(WiMAX)802.16a 802.16d 16e Rev. 2

Rel 1.5

Rel-8(LTEDC HSPA)

3GPP

Mobility

Mobility

Init.VoIP

Opt.VoIP

Init.VoIP

Opt.VoIP

OFDM

802.16m

Rel 2.0

Rel-9(more LTEfeatures)

OFDM

Primarily TDDw/ FDD options

Rel-10(LTE-adv


39/63


(U) And What About 4G?. (U) IMT-adv is an ITU led effort to set requirements for next gen. mobilenetworks

Just as ITUs IMT-2000 defined 3G, ITUs IMT-adv will define 4G



40/63


(U) Framework for Analysis

. (U) 3GPP: Defines technology migration paths.Releases A Clear Technology Roadmap3G begins with Release 99Other releases: 04, 05, 06, 07, 08, 09, . 10, 11 (future)

See: www.3gpp.org/ftp/Information/WORK_PLAN/Description_Releases/

Releases cover:Access: GSM, EDGE, HSPA, LTE, LTE-Advanced, etc.


Core: GSM Core, Enhanced Packet CoreServices: MS, etc.

. (U) GSMA: Defines carrier information exchange requiredto enable roaming

Changes to IR.21 format warn of imminent technology roll-outAn IR.21 is a GSMA-mandated document. IR.21 are exchanged between Wirelessoperators with roaming agreements, to the GSMA, and to certain clearing houseoperations.


41/63


(U) Analytic Process

. (S//REL TO USA, FVEY) Data analysis process is to match information inIR.21, or elsewhere, against Releases in the TechnologyRoadmap

Example: CAMEL Phase 4 (aka CAMEL4) as proxy for Release 5 deployment

. (S//REL TO USA, FVEY) Analytic goals:Establish a date-time for a release de lo ment


Track releases at the per network levelDisplay status at the national, regional, hemispheric or global scaleMeasure speed of adoption at each scaleIdentify early and late adopter tendencies by network

. (S//REL TO USA, FVEY) Deliverables:Adoption trends over timeForecasts derived from trends and framework changesFormal reporting of data and conclusions as a dataset


42/63


(TS//SI//REL TO USA, FVEY) Data Flowand Process Overview

WCIS(UnclassifiedData Source)

Raw Data Sets

Unclassified

AURORAGOLD Repository

ITU OpsBulletin

(UnclassifiedData Source)

VISUALIZATIO

1

4

4a

4g

Querying

FileOutput

AnalyzedData Sets Unclassified

5

Analysis ByException;

Some AnalyticDecisions

ENTITYNORMALIZATION

Exception DecisionInformation

4c

4d

4e

AllUsers


IR.21(Classified

DataSource)

AUTO-MINIMIZATION

SCORPIOFORE;SIGINT Reporting

2

3

7Numbers in red are for reference only

Raw DataSets

Classified

AnalyzedData Sets Classified

4b

4h




ENTITYNORMALIZATION

4f All

AppropriatelyCleared Users

SIGINTProduction

Chain

9

8

21 May 2010

Supplementary Outputs:1. Strong Selector and Tasking Management2. Some selectors back to AGR inputs for tasking3. Information outputs to other systems (i.e. RONIN)4. Other??

10

Other (UnclassifiedData Source)

Other

(ClassifiedData

Source)


43/63


(TS//SI//REL TO USA, FVEY) What Is Done Today

WCIS(UnclassifiedData Source)

Raw Data Sets

Unclassified


ITU OpsBulletin


VISUALIZATIO

1

4

4a

4g

Querying

FileOutput


5



ENTITYNORMALIZATION


4c

4d

4e

AllUsers


IR.21(Classified

DataSource)

AUTO-MINIMIZATION

SCORPIOFORE;SIGINT Reporting

2

3

7Numbers in red are for reference only

Raw DataSets

Classified


4b

4h




ENTITYNORMALIZATION

4f All


SIGINTProduction

Chain

9

8

21 May 2010


10

Other (UnclassifiedData Source)

Other

(ClassifiedData

Source)


44/63


(S//REL TO USA, FVEY) InformationDelivery Vehicles At NSA

.(S//SI//REL TO USA, FVEY)

Mobile IP Information:

. (S//SI//REL TO USA, FVEY) Telephony and Provider information:TAPERLAY


. (S//REL TO USA, FVEY) Worldwide Wireless Market information: T3Cpackaged for WPMO consumption

Drives its portfolio investment planning processAffects ~80% of the portfolio (2009), per customer.

. (U) Various and sundry others


45/63


46/63


(U) Information Now What?

. (S//REL TO USA, FVEY) Make the data useableAvailable in or out of the SIGINT production chainAttach flows to value-adding chains and processesDeliver as a data-set

Recognize other data sets exist and also are part of analytic processes


(federation anybody?)

. (S//REL TO USA, FVEY) Make the data traceableIncludes auto-sourcing of data origin

Time-stamping

. (S//REL TO USA, FVEY) T3C will do technology trending and warning

. (U) Would your analytic processes benefit from this data set?


47/63


(U) Your Invitation to Join

. (U) We are few; we welcome partnership.Can you help?Do you have a better way?Lets pull together!!


. (TS//SI//REL TO USA, FVEY) We are preparing to measure the breadthof our access to IR.21 documents

Goals:Do we cover all 3GPP networks?Tweak accessTweak selectors

Indexer will provide PWID for all identified IR.21, after dedupe.


48/63


(U) What Are Your Use Cases?

. (S//REL TO USA, FVEY) This is your segmentto make thenotetakers job simpler please categorize your use case;describe impact:


A) IP Network B) Call Control Switched VoiceC) Hardware model and software version information

Group Discussion.


49/63

S//SI//REL TO USA FVEY


50/63

S//SI//REL TO USA, FVEY

(U//FOUO)

AURORAGOLD


Target Technology Trends Center/T3Csupport to WPMO

Overall briefing classification: S//SI//REL TO USA, FVEY

S//SI//REL TO USA FVEY


51/63


(C//REL TO USA, FVEY)

Two synergistic efforts:Trending and forecasting of global wireless and cellular networks

A U R O R A G O L D

Data gathering and analytics on GSM/UMTS networks


A u t o - M i n i m i z a t i o n

Automated minimization capability to ensure compliance with NSAreporting policy


52/63

WCIS(UnclassifiedData Source) Raw Data

Sets Unclassified


ITU OpsBulletin


VISUALIZATION

1

4a 4g

Querying

FileOutputs

AURORAGOLD DATA FLOW & PROCESS OVERVIEW(U//FOUO)


5



ENTITYNORMALIZATION


4c

4d

4e

All Users

4

IR.21(Classified

DataSource)

AUTO-MINIMIZATION

SCORPIOFORE;SIGINT

Reporting


2

3

7

Raw DataSets

Classified


4b 4hAnalysis ByException;



ENTITYNORMALIZATION

4f All


SIGINTProduction

Chain

9

8


10


53/63


Sets Unclassified


ITU OpsBulletin


VISUALIZATION

1

4

4a 4g

Querying

FileOutputs


5



ENTITYNORMALIZATION


4c

4d

4e

All Users

AURORAGOLD DATA FLOW & PROCESS OVERVIEW:PHASES 0 AND 1

(U//FOUO)

IR.21(Classified

DataSource)

AUTO-MINIMIZATION

SCORPIOFORE;SIGINT

Reporting2

3

7

Raw DataSets

Classified





ENTITYNORMALIZATION

4f All


SIGINTProduction

Chain

9

8


10S//SI//REL TO USA, FVEY


54/63


Sets Unclassified


ITU OpsBulletin


VISUALIZATION

1

4a 4g

Querying

FileOutputs


5



ENTITYNORMALIZATION


4c

4d

4e

All Users

4

AURORAGOLD DATA FLOW & PROCESS OVERVIEW(U//FOUO)

IR.21(Classified

DataSource)

AUTO-MINIMIZATION

SCORPIOFORE;SIGINT

Reporting2

3

7

Raw DataSets

Classified





ENTITYNORMALIZATION

4f All


SIGINTProduction

Chain

9

8


10S//SI//REL TO USA, FVEY



55/63

,

A U R O R A G O L D

NOW: FUTURE:

GSM technology family fromunclassified data Parsing IR.21 documents from SIGINT

Additional fields Additional sources Entity normalization


Basic auto-sourcing

Advanced auto-sourcing A u t o - M i n i m i z at i o n SCORPIOFORE reporting Visualizations enabling time-seriesanalyses

RISKS : Data sources and ingest Expanding capability to other wireless technologies

(C//SI//REL TO USA, FVEY)


56/63

(TS//SI//REL) Site Makes First-Ever Collect of High-Interest 4G Cellular Signal

FROM: XXXXXX and XXXXXXXRAINFALL (F78)Run Date: 02/23/2010

(TS//SI//REL) A collaborative effort between on-site collectors, engineers, and off-sitecontractors in mid-January 2010 allowed RAINFALL to make what is believed to be the firstcollection, by any known asset, of Time Division-Long Term Evolution (TD-LTE) 4G

(fourth generation) cellular communications. Exploitation of this signal, an all-InternetProtocol successor to 2G and 3G cellular systems, is a very high priority for NSA and theIntelligence Community. The TD-LTE signal will enter the market in 2010 and becomeglobally important by 2012.

(U) For full details, click HERE.

(U//FOUO) Note: A valid PKI certificate with TK clearance is required to access the abovearticle.

DYNAMIC PAGE -- HIGHESTPOSSIBLE CLASSIFICATION IS

TOP SECRET // SI / TK // RELTO USA AUS CAN GBR NZL

DERIVED FROM: NSA/CSSM 1-52, DATED 08 JAN 2007DECLASSIFY ON 20320108


57/63


WORKING A ID (UPDATED 17 M AY 2012)

(U//FOUO) AURORAGOLD is a !a" #$ SSG% a&a' s s *!+!'#,!-s a&* .i-!'!ss SMEs

.#- i& #& (S//SI//REL) Da a as! #$ M# i'! N! .#- O,!-a #-s (MNOs) &! .#- s a&*

PWIDs 3#''!3 !* $-#" GSM/UMTS/LTE -#a"i& *#34"!& s (IR521s)

(S//SI//REL) Ta- ! *!+!'#,"!& !$$#- a ai&s MNOs -#a"i& 64 s a&* GSMAss#3ia i#& (GSMA) .#- i& -#4,s a&*

(U) F4si#& #$ #,!& s#4-3! 'i3!&s!* 3#""!-3ia' *a a .i 6 SIGINT # a&s.!-.i-!'!ss &!!*s5

(S//SI//REL) Sample SIGINT (IR.21) Queries (S//SI//REL) W6a IR521s 6a+! .! s!!& $#- &! .#- s .i 6i& a 3#4& - #- s! #$

3#4& -i!s

(S//SI//REL) W6a IR521s 6a+! .! s!!& $#- &! .#- s "a&a !* a "# i'!&! .#- #,!-a #-


58/63



59/63

(S//SI//REL) Some IR.21 #ields Use$ul "o SIGINT(U) IR.21 #ield (U) %&a" is i"' (U) o is i" used'*o+ile oun"r,

ode (* )/*o+ile Ne" or-

ode (*N )

(U) A *!3i"a' *i i 3#*! .6i36 4&i84!' i*!& i$i!s a"# i'! &! .#- 5 T6! MCC .6i36 i*!& i$i!s 6!3#4& - is 4s!* as 6! $i-s 6-!! *i i s #$ a& 4s!->sIMSI $#''#.!* 6! .# *i i MNC .6i36 i*!& i$i!s

6! &! .#- .i 6i& 6a 3#4& - 5

(U) P-#+i*! 4&i84! i*!& i$i3a i#& #$ &! .#- s #i*!& i$ &! .#- #4&*a-i!s i& !-$a3!s ,-# #3#'ss#$ .a-! 6a-*.a-! ! 35

*o+ileSu+scri+erIn"e ra"edSer ices !i i"alNe" or- Num+er(*SIS!N)

(U) A &4" !- 4&i84!' i*!& i$ i& a s4 s3-i, i#& i& aGSM #- a UMTS "# i'! &! .#- ( 6! !'!,6#&!&4" !- # 6! SIM 3a-* i& a "# i'!/3!''4'a- ,6#&!)5

(U) A''#. i*!& i$i3a i#& #$ -!a' ,6#&! &4" !- *ia'!*

T0!IG codes (U) A &4" !- a''#3a !* 6! GSMA $#- 4s! as,-i"a- i*!& i$i!-s # 6 .i 6i& $i'! 3#& !& s a&* $i'!&a"!s5 A's# 4s!* as a "#-! !&!-i3 !& i i*!& i$i!-i& 6! "# i'! i&*4s -

(U) I*!& i$ 6! &! .#- $#- i''i& ,4-,#s!s a&*6!', i*!& i$ a- ! s

Si nalinonnec"ionon"rol ar"

(S )

(U) A &! .#- 'a !- ,-# #3#' 6a ,-#+i*!s !9 !&*!*-#4 i& $'#. 3#& -#' s! "!& a i#& 3#&&!3 i#&:#-i!& a i#& a&* !--#- 3#--!3 i#& $a3i'i i!s i&Si &a'i& S s !" 7 !'!3#""4&i3a i#&s &! .#- s

(U) P-#+i*!s -#4 i& i&$#-"a i#& .i 6i& 6! P4 'i3La&* M# i'! N! .#- a&* ,-#+i*!s a33!ss #a,,'i3a i#&s s436 as =00:3a'' ,-#3!ssi& a&*3a''i& 3a-* ,-#3!ssi& # i*!& i$ a- ! s a&*# 6!- i&$#-"a i#&

Su+scri+erIden"i",0u"&en"ica"ion

(U) T6is $i!'* i&*i3a !s .6! 6!- #- a4 6!& i3a i#&is ,!-$#-"!* $#- -#a"i& s4 s3-i !-s a 6! s a- #$GSM s!-+i3! a&* 6! ,! #$ A< 3i,6!- a' #-i 6"+!-si#& i& 4s!5

(S//SI//REL) I .#4'* a's# s6#. 6! !"!- !&3! #$&!. 3i,6!- a' #-i 6"s a&* s4,,#- a- ! a&a' sis

-!&*i& a&* 6! *!+!'#,"!& #$ !9,'#i s5

*o+ile

0pplica"ion ar"(*0 )

(U) A SS7 ,-# #3#' .6i36 ,-#+i*!s a& a,,'i3a i#&

'a !- $#- 6! +a-i#4s *!s i& GSM a&* UMTS "# i'!3#-! &! .#- s a&* GPRS 3#-! &! .#- s #3#""4&i3a ! .i 6 !a36 # 6!- i& #-*!- # ,-#+i*!s!-+i3!s # "# i'! ,6#&! 4s!-s5 T6! M# i'!A,,'i3a i#& Pa- is 6! a,,'i3a i#&:'a !- ,-# #3#'4s!* # a33!ss 6! ;#"! L#3a i#& R! is !- Visi #-L#3a i#& R! is !- M# i'! S.i 36i& C!& !-E84i,"!& I*!& i R! is !- A4 6!& i3a i#& C!& -!S6#- "!ssa ! s!-+i3! 3!& !- a&* S!-+i& GPRSS4,,#- N#*! (SGSN)5

(S//SI//REL) P-#+i*!s a 3'!a-!- 4&*!-s a&*i& #$

&! .#- $!a 4-!s .6!& -#a"i& a -!!"!&i&$#-"a i#& is ,4 'is6!*5 C4--!& i&$#-"a i#& a #4s4 s3-i !-s "# i'i "a&a !"!& a&*a,,'i3a i#&s 3a& ! 4s!* $#- a- ! i& a&* a- !*!+!'#,"!& 5

Ne" or-Elemen"

(U) S,!3i$i3 &! .#- 3#",#&!& s 6!i-"a&4$a3 4-!- s#$ .a-! ? 6a-*.a-! +!-si#&s ! 35

(S//SI//REL) T6is s,!3i$i3 i&$#-"a i#& is &!3!ssa-$#- a- ! i& a&* !9,'#i a i#&5 I&3'4*!s 3#-! a&*



In$orma"ion a*i# i& ! $a3! i&$# "a i#&5


60/63

In$orma"ion -a*i# i& !-$a3! i&$#-"a i#&5ac-e" !a"a

Ser icesIn$orma"ion

(U) Pa3 ! Da a S!-+i3!s i*!& i$i!s 6! a$$!3 !* GPRS&! .#- s5 A& A33!ss P#i& Na"! is a's# i&3'4*!* i&

6is i&$#-"a i#&5 APNs 3a& i*!& i$ 6! ,! #$s!-+i3! ,-#+i*!* GPRS &! .#- s ,-#+i*!* #"# i'! 4s!-s5 APNs a's# 6!', i*!& i$ 6! &! .#-a&* #,!-a #-@s ,a3 ! &! .#- i&+#'+!* i& 6! IR521a&* 3#4'* ! 4s!* $#- a- ! i& 5

(S//SI//REL) T6is *a a !'!"!& a's# ,-#+i*!si&$#-"a i#& #& 6! WAP a !.a !i& a33!ss a&*"4' i"!*ia "!ssa i& s!-+i3!s a !.a IPa**-!ss!s .6i36 is 4s!$4' $#- a- ! *!+!'#,"!& 5I&si 6 i& # 6! GPRS T4&&!'i& P-# #3#' +!-si#&s

!i& 4s!* .i 6i& 6! &! .#- s is ,-#+i*!* as .!''5GPRS EDGE a&* ;SPA !36'# i!s a-! 3#+!-!*5



61/63


62/63

Network Tradecraft Advancement Team (NTAT) 3G
https://wiki.gchq/index.php/File:NTAT.jpg


63/63

2nd SCAMP at CSEC process

Worked with CSEC H3 developers to implement IRASCIABLE RABBIT intoOLYMPIADeveloped 41 use casesDeveloped 10 new working aidsIdentified 3 new QFDsResearch conducted on GRX operators over VPN (QFD: IRASCIABLEHARE)Progressed IR21 sharing and analysisExplored other GSMA Association for network intelligence

Progressed signalling over IP analysis (QFD: BOLSHIE POSSUM)MNO EEI target template in developmentIdentified training scenarioConducted real-world training scenarioTied together target analysis to network analysis processUse cases and working aids follow a layered templateResearch conducted on clearing house operators identified keydocumentation and selectors

Explored the usefulness of IR21 processing decided against thisIntegrated TOYGRIPPE analysis into OLYMPIAStreamlined identification of VPNs of interest for crypt analysis

http://
https://wiki.gchq/index.php/File:NTAT.jpg

Documents

NSA AURORAGOLD