In this episode we go through a slide deck leaked by Edward Snowden to the press in 2013 and publicly disclosed in 2015. It was an NSA presentation at the June 2010 SIGINT Development (SIGDEV) conference covering a Chinese 3PLA cyber espionage actor codenamed BYZANTINE CANDOR. The entire body of Chinese cyber espionage activity was, at the time, codenamed BYZANTINE HADES. The presentation had two parts: the first given by an NTOC (NSA Threat Operations Centre) SIGINT analyst, and the second by a TAO (Tailored Access Operations) hacker who infiltrated 3PLA’s infrastructure.
00:00 – Introduction
00:39 – SIGDEV Conference (June 2010)
01:01 – NSA/CSS Threat Operations Centre (NTOC), V225
01:17 – Opening slide
01:31 – What is BYZANTINE HADES?
02:05 – BYZANTINE HADES Sets
02:17 – BYZANTINE CANDOR
02:28 – BYZANTINE RAPTOR
02:40 – BYZANTINE ANCHOR
02:51 – BISHOP KNIGHT
03:05 – BYZANTINE VIKING
03:13 – MACERICK CHURCH (BISHOP)
03:20 – BYZANTINE TRACE
03:30 – DIESEL RATTLE
03:37 – BYZANTINE FOOTHOLD
03:48 – BYZANTINE PRAIRIE
03:53 – POP ROCKS
04:07 – CARBON PEPTIDE and SEEDSPHERE
05:14 – Analysis: BYZANTINE CANDOR
06:22 – Initial Searches
07:11 – Analysis Tools
07:57 – Enabling Active Collection
08:39 – And Analysis Reveals…
08:59 – BYZANTINE CANDOR Infrastructure
09:20 – Command and Control over Facebook
10:29 – Exfiltrated photos
11:14 – Success Stories
12:09 – Knowledge Gaps
12:37 – Part 2: TAO
12:48 – A TAO Success Story
13:02 – It Begins…
13:17 – What is a Hop-point?
13:59 – Email Masquerades
14:39 – It Continues…
15:01 – ARROWECLIPSE
15:43 – 3PLA
15:49 – What Else Can We Do?
16:22 – Man-in-the-Middle
16:41 – Results
17:17 – Accessing the Machines
17:56 – Results
18:39 – CUTEBOY
19:04 – Conclusion
19:33 – Closing
References
– EFF: BYZANTINE HADES: An Evolution of Collection: https://www.eff.org/files/2015/02/03/20150117-spiegel-byzantine_hades_-_nsa_research_on_targets_of_chinese_network_exploitation_tools.pdf
– Electrospaces: NSA’s organizational designations: https://www.electrospaces.net/2014/01/nsas-organizational-designations.html
– National Defence and the Canadian Armed Forces: The Past, Present and Future of Chinese Cyber Operations: http://www.journal.forces.gc.ca/vol14/no3/page26-eng.asp
– CSEC Cyber Threat Capabilities: https://s3.amazonaws.com/s3.documentcloud.org/documents/1690224/doc-6-cyber-threat-capabilities.pdf
– Spy Collection: Canada CSE Cyber Threat Capabilities presentation: https://www.youtube.com/watch?v=26B-_Uewvqg
– Wikipedia: Titan Rain: https://en.wikipedia.org/wiki/Titan_Rain
– Christopher Parsons: NSA Codenames/Covernames and Suggested Use/Implementation: https://christopher-parsons.com/resources/the-sigint-summaries/nsa-codenames-covernames-and-suggested-use-implementation/