(TS) NSA QUANTUM Tasking Techniques For The R&T Analyst
PO: TAO RTD I Team - Booz Allen Hamilton SDS2
SPIEGEL ONLINE
TOP SECRET//SI//REL USA, AUS, CAN, GBR, NZL
(TS//SI//REL) This presentation does not cover FAA QUANTUM, but if you identify an active selector, compare the SIGAD in Marina to the SIGAD on the GO QUANTUM wiki page to see if FAA QUANTUM is an option.
TOP SECRET//COMINT//REL TO USA, FVEY
What is QUANTUM?

[Diagram, shown on the slides as a series of animation frames. Nodes: Target, Internet Router, Yahoo's Web Server, SSO Site, TAO FOXACID Server, NSA. Only the following numbered captions are recoverable from the frames:]

2. SSO site sees the QUANTUM tasked yahoo selector's packet and forwards it to TAO's FOXACID Server.

6. The target's Yahoo webpage is loaded but in the background the FOXACID URL loads which …

7. If the browser is exploitable and the PSP is safe, FOXACID deploys a Stage 1 implant back to the target.

Target Implanted!
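The frames above show the legitimate Yahoo response and the FOXACID answer both reaching the target for the same request. Seen from the network, that leaves a characteristic trace: two server-to-client TCP segments in one flow that claim the same sequence number but carry different bytes, since an honest retransmission repeats the original payload. This is the detection heuristic publicly documented by Fox-IT in 2015 for QUANTUMINSERT-style injection. The block below is an added example, not code from these slides or from any NSA or GCHQ tool; the Segment record type, the find_injection_candidates function, and the sample addresses and payloads are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    """One server-to-client TCP segment as a sensor would record it
    (hypothetical record type for this example)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int        # TCP sequence number of the first payload byte
    ttl: int        # IP TTL as seen on the wire
    payload: bytes


def first_line(payload: bytes) -> str:
    """Status line of an HTTP payload, for the alert summary."""
    return payload.split(b"\r\n", 1)[0].decode("ascii", errors="replace")


def find_injection_candidates(segments: List[Segment]) -> List[dict]:
    """Flag flows where two segments claim the same sequence number but carry
    different bytes. A real retransmission repeats the original payload, so a
    second, different answer for the same stream position is the trace an
    injected reply leaves when it races the genuine server response."""
    seen: Dict[Tuple[str, int, str, int, int], Segment] = {}
    alerts: List[dict] = []
    for seg in segments:
        key = (seg.src, seg.sport, seg.dst, seg.dport, seg.seq)
        earlier = seen.get(key)
        if earlier is None:
            seen[key] = seg
            continue
        if earlier.payload == seg.payload:
            continue  # ordinary retransmission: identical bytes, nothing to report
        alerts.append({
            "flow": f"{seg.src}:{seg.sport} -> {seg.dst}:{seg.dport}",
            "seq": seg.seq,
            "first_arrival": first_line(earlier.payload),
            "second_arrival": first_line(seg.payload),
            # A packet built on a different host than the real server usually
            # arrives with a different TTL; recorded as supporting evidence only.
            "ttl_differs": earlier.ttl != seg.ttl,
        })
    return alerts


# Constructed sample traffic (documentation-range addresses, invented payloads):
# a spoofed redirect reaches the client first, then the real 200 OK for the same
# sequence number, followed by a genuine retransmission later in the stream.
SAMPLE_SEGMENTS = [
    Segment("198.51.100.10", 80, "192.0.2.7", 51234, 1000, 52,
            b"HTTP/1.1 302 Found\r\nLocation: http://redirect.invalid/\r\n\r\n"),
    Segment("198.51.100.10", 80, "192.0.2.7", 51234, 1000, 57,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>welcome</html>"),
    Segment("198.51.100.10", 80, "192.0.2.7", 51234, 1064, 57, b"<p>more content</p>"),
    Segment("198.51.100.10", 80, "192.0.2.7", 51234, 1064, 57, b"<p>more content</p>"),
]

if __name__ == "__main__":
    for alert in find_injection_candidates(SAMPLE_SEGMENTS):
        print(alert)
```

In practice the segment records would come from a pcap parser or an IDS that exposes per-segment sequence numbers; the function only needs the server-to-client direction of each flow. Partially overlapping sequence ranges with conflicting bytes and a TTL that differs from the rest of the flow are the other two published indicators and can be layered onto the same per-flow bookkeeping.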
QUANTUMTHEORY - GCHQ
If a Partnering Agreement Form (PAF) is set up with GCHQ for the CNO project, then the R&T Analyst can utilize GCHQ QUANTUMTHEORY to include additional capabilities such as:
• ALIBABA
• AL
• BEBO_EMAIL
• DOUBLECLICK
• FACEBOOK_USER
• GOOGLE_PREFID
• GRAIL
• HI5
• HOTMAIL
• LINKEDIN
• MAIL_RU
• MICROSOFT_MUID
• MICROSOFT_ANONA
• RAMBLER
• RADIUS
• SIMBAR
• TWITTER
• YAHOO_B
• YAHOO_L/Y
• YANDEX_EMAIL
• YOUTUBE
• IP Address
More information on: https://wiki.gchqi /QUANTUM BISCUIT
If you cannot get to the link try: http://
ALTEREGO QFD:
[Screenshot; visible column headers include Selector, Alternate Selector, Degree, Intersection]

DOGCOLLAR QFD:
[Screenshot; column headers: Selector, TIP, Enrichment Value, Observations, First Seen On, Last Seen Date]
(TS//SI//REL) If you do not use the GCHQ or NSA QFDs you can use Marina. Run a Marina Selector/Identifier Profile (Federated) search for a 3 month range to look for additional selectors.
(TS//SI//REL) Once the query finishes, look at the Equivalent IDs section. This will show you other selectors that your target is using. This is determined by linking content (logins/email registrations/etc). It is worth verifying that these are indeed selectors associated to your target. NSA QUANTUM works best against <yahoo> and <facebook>. Although, it is worth making note of a <gmail> selector for possible GCHQ QUANTUM support or for your own notes.
(TS//SI//REL) If your search was on a <yahoo> email address, then click on Machine IDs and look for a recent <yahooBcookie>. YahooBcookies are unique to a specific computer and can hold other <yahoo> addresses that are being logged into on that computer as long as the user does not clear browser cookies. If you see multiple <yahooBcookie>, pick the most recent Last Heard date. Also, the higher the Num Heard is, the more likely that selector does not change.
[Marina screenshot of the Machine IDs view; annotation on the slide: New Selector]
(TS//SI//REL) Change the query to search for the last 3 Months and click SUBMIT.
[Screenshot of the Marina Selector Profile Search form; date range options visible include Yesterday, This Week, Last Week, This Month, Last Month]
(TS//SI//REL) Once the query finishes, look at the Equivalent IDs section and make note of any new <yahoo>, <hotmail>, <yahooBcookie>, and <facebook> selectors and do the same process to identify additional selectors.
[Marina screenshot: Equivalent IDs (26 results), listing email selectors]
(TS//SI//REL) Once you have a list of your selector(s), you will want to look at each one separately to check for the likelihood of successfully exploiting your target via NSA QUANTUM. We are checking to see if the target itself is seen at US- and if it is active.
(TS//SI//REL) First we want to run a Marina Active User/Presence (Federated) search on <facebook> for the past 14 days.
(TS//SI//REL) You will either have results or not have results. The key is to look at the SIGAD for the results, and if the SIGAD is capable of doing QUANTUM then you most likely have a vulnerable target! To check for SIGADs that NSA and GCHQ QUANTUM can target, type GO QUANTUM in your browser. If GCHQ QUANTUM is needed, then work with your R&T Analyst to follow the appropriate steps on the wiki to set up a PAF.
(TS//SI//REL) You will want to look at the Marina results and make note of the most frequent SIGAD/IP CIDR for each Active User/Presence (Federated) query:
1) Selector
a) SIGAD
b) Active User IP CIDR - The CIDR will be added to the TLN's Whitelist.
- A TLN's Whitelist is a list containing the IP CIDRs your target uses. The FOXACID server will only continue with exploitation if the external IP Address of the target/redirection is on the Whitelist for the TLN your R&T Analyst requests.
[Screenshot of a tasking status record: Tasked for Survey; Technique: QUANTUMTHEORY; Tasked and Last Attempt dates (2012/2013); a <yahoo> selector]

QUANTUMNATION
QUANTUMNATION uses new TAO CNE tradecraft and automation to drive broad-scale initial access, specifically an SSO cloud-analytic to identify selectors in SSO passive collection that are viable for end-point access, and the use of lightweight CNE implants to obtain initial access and survey data delivered to the TOPI offices via corporate SIGINT repositories. For more information on QUANTUMNATION check the QUANTUMNATION wiki page.
[Screenshot: Vulnerabilities; Vulnerable to Quantum (12 days ago); User Agent: Mozilla/5.0 (iPad; CPU OS 5_0_1 …) AppleWebKit …]
(TS//SI//REL) Once you have a selector, SIGAD, and IP CIDR, you are ready to start the process for a FOXACID TLN and Tag request.
(TS//SI//REL) Depending on the team, either an R&T analyst or the Branch Chief can create a TLN (Twisty Lobby Number). Contact your Branch Chief for information on creating a TLN for each selector you want to target.
(TS//SI//REL) Note: You will need 1 TLN and 1 FOXACID Tag per selector you task with QUANTUM.
Step 8:
(TS//SI//REL) Once you have a TLN, you will need to submit a FOXACID Tag request.
(TS//SI//REL) Go to [ticket URL illegible in this copy] and fill out the appropriate information in the top, and within the body of the ticket update this information accordingly. Here is an example:
CT or Non-CT: Non-CT
Second Party/Partnering: No
Country/Region/Type: [illegible]
RSA Target: No
Type of Op: QUANTUM
WPTT: No
Project Name:
TLN: 12345 (Insert Your TLN)
IP Range: (Insert Your Active User IP CIDR WHITELIST)
MAC Addresses: Unknown
Payload Requested: Val
Start Date: 20130401
POC:
MSQ Support: No
(TS//SI//REL) Once the ticket is completed, you will receive an email with the FOXACID Tag for your TLN.
(TS//SI//REL) Once your selector is tasked for QUANTUM you will see the status changed to complete.
(TS//SI//REL) De-task your QUANTUM request when you hook your target!
If you have any questions or comments about this presentation, please send an email to [address illegible in this copy].