MUSCULAR

Arne Hintz — Wed, 22 Jul 2015 11:23:57 +0000

Purpose:

MUSCULAR , Washington Post, “Google Cloud Exploitation” slide.

MUSCULAR is a joint GCHQ and NSA programme that collects data travelling between internal data centres owned by Google and Yahoo. It achieves this by accessing the cables through which the companies’ internal network traffic passes. The programme is used to collect emails, documents, pictures, search queries and other data.

The programme relies on the telecommunications provider Level 3 to offer secret access to a fibre-optic cable at a point where Google and Yahoo traffic passes (NYT01). The access point, known as DS-200B, is located somewhere in the UK (WAH01).

MUSCULAR stores data for a three to five day period, during which GCHQ and NSA decode the proprietary data formats used by each company and extract information they want to keep (WAH02).

Capabilities:

Bulk collection from private networks
Bypassing encryption used on public networks
Decoding proprietary data formats

Data sources:

DS-200B, cable location owned by Level 3
Digital content from two major US companies

Related programmes:

WINDSTOP – NSA umbrella programme for bulk collection in partnership with “trusted second party” countries (UK, Canada, Australia and New Zealand). The programme targets “communications into and out of Europe and the Middle East” (ELE01).

Layers of operation:

Physical layer Tapping of fibre-optic cables.
Link layer, network layer and transport layer: Reconstruction of communication sessions.
Application layer: Extraction of content and metadata.

Background:

MUSCULAR is one of at least four similar “trusted second party programs” which together are known as WINDSTOP within the NSA (ELE01). This programme taps into the private leased fibre-optic cables that are used to connect the companies’ data centres across the globe (WAH02). These corporate internal networks have historically been unencrypted; however, both companies are beginning to encrypt their networks as a result of the MUSCULAR leak.

Company partners (NYT01):

Level 3: Provider of fibre-optic cables for Google

Sources:

Electrospaces (ELE)
1) http://electrospaces.blogspot.co.uk/2014/11/incenser-or-how-nsa-and-gchq-are.html

New York Times (NYT)
1) http://www.nytimes.com/2013/10/31/technology/nsa-is-mining-google-and-yahoo-abroad.html

Washington Post (WAH)
1) http://www.washingtonpost.com/blogs/the-switch/wp/2013/11/04/how-we-know-the-nsa-had-access-to-internal-google-and-yahoo-cloud-data
2) http://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html

TEMPORA

Arne Hintz — Wed, 06 May 2015 09:42:23 +0000

Submarine Cable Map (submarinecablemap.com)

Purpose:

TEMPORA is a GCHQ programme for physically tapping fibre-optic cablesto collect data in bulk. The programme collects content and metadata that travels over fibre-optic cables around the world, including cables entering and exiting the UK (GUA01). The programme taps at least 200 cables at various locations (GUA01).

TEMPORA stores the collected data in a buffer to enable retrospective analysis. Content is stored for three days, and metadata for 30 days (GUA01).

The TEMPORA programme incorporates bulk data from the INCENSER programme (ORG01). Data collected by TEMPORA is shared with the NSA through the WINDSTOP programme, and can be analysed using the XKEYSCORE search interface and a search language called GENESIS (ORG01, EFF01).

Capabilities:

Fibre-optic cable tapping
Temporary storage of content and metadata

Data sources:

Cable taps installed at the following locations (EFF01):
- 16 x 10 gigabit/second cables at the CPC processing center
- 7 x 10 gigabit/second cables at the OPC processing center
- 23 x 10 gigabit/second cables at the RPC1 processing center
The centres above have been associated with the following locations (ESP01):
- Benhall, Cheltenham (GCHQ headquarters)
- Bude station (Cornwall)
- Ayios Nikolaos station (Cyprus)

Related programmes:

POKERFACE – GCHQ programme using MVR (Massive Volume Reduction) for high-speed filtering and selection, including removal of high-volume, low-value traffic such as peer-to-peer downloads. Also searches by ‘trigger’ words, email addresses and phone numbers.

XKEYSCORE – NSA system for searching and analysing Internet data.

INCENSER – GCHQ bulk collection programme that provides access to a cable system codenamed NIGELLA, which is the intersection of two fibre-optic cables connecting the Atlantic with Europe and Asia (ORG01, ELE01).

Layers of operation:

Physical layer: Tapping of fibre-optic cables.
Link layer, network layer and transport layer: Reconstruction of communication sessions.
Application layer: Extraction of content and metadata.

Background:

The GCHQ cable-tapping operation has been built up over five years by attaching intercept probes to transatlantic fibre-optic cables where they land on British shores carrying data between Western Europe, Asia and North America. This was done under secret agreements with commercial companies, described in one document as “intercept partners” (GUA01).

In 2015, GCHQ was censured for conducting bulk collection activities and sharing this information with the NSA (GUA02).