World
Wayne Madsen
October 26, 2013
© Photo: Public domain

Thanks to the documents provided by National Security Agency (NSA) whistleblower Edward Snowden, the activities of a little-known branch of the U.S. intelligence community, the Special Collection Service (SCS), are becoming more well-known. A hybrid organization composed of mostly NSA personnel but also personnel from the Central Intelligence Agency (CIA), the SCS, known as F6 within the NSA, is headquartered in Beltsville, Maryland. SCS headquarters, in an office building bearing the initials «CSSG,» sits adjacent to the State Department’s Diplomatic Telecommunications Service (DTS). A secure underground cable that runs between the two buildings permits SCS to securely communicate with clandestine NSA listening posts established within U.S. embassies around the world. These NSA «out stations,» also known as «Special Collection Elements» and «Special Collection Units» are found in U.S. embassies from Brasilia and Mexico City to New Delhi and Tokyo…

As we now know from the Snowden documents, SCS also has managed to place communications taps within the Internet and cell phone and landline communications infrastructures of a number of nations, especially those in Latin America. Working with SCS has been the Communications Security Establishment Canada (CSEC), NSA’s «Five Eyes» partner agency, to eavesdrop on particular targets, such as the Ministry of Mines and Energy of Brazil. For many years, under an operation named PILGRIM, CSEC had been monitoring Latin American and Caribbean communications networks from out stations located within Canadian embassies and high commissions in the Western Hemisphere. These facilities have had code names such as CORNFLOWER for Mexico City, ARTICHOKE for Caracas, and EGRET for Kingston, Jamaica. 

NSA’s widespread collection of digital data from fiber-optic lines, Internet Service Providers, telecommunications companies’ network switches, and cellular systems in Latin America could not have been possible without the presence of intelligence assets within telecommunications companies and other network service providers. Among the Five Eyes signals intelligence (SIGINT) sharing nations of the United States, Britain, Australia, Canada, and New Zealand, such cooperation from the commercial firms is relatively easy. They cooperate with their nations’ respective SIGINT agencies to either gain favor or avoid retaliation from their governments. In the United States, NSA enjoys the cooperation of Microsoft, AT&T, Yahoo, Google, Facebook, Twitter, Apple, Verizon, and others to carry out massive surveillance conducted by the PRISM metadata collection program. 

Britain’s Government Communications Headquarters (GCHQ) has ensured the cooperation of British Telecom, Vodafone, and Verizon. Canada’s CSEC has working relationships with companies like Rogers Wireless and Bell Aliant while Australia’s Defense Signals Directorate (DSD) can rely on a constant flow of data from companies like Macquarie Telecom and Optus.

It is inconceivable that NSA’s collection of 70 million communications intercepts of French phone calls and text messages in a single month could have been accomplished without having intelligence assets placed within the technical staffs of two of the targeted French telecommunications companies» the Internet Service Provider Wanadoo and the telecommunications firm Alcatel-Lucent. It is also unlikely that French intelligence is unaware of the activities of the NSA and SCS in France. Similarly, it is unlikely that NSA penetration of German telecommunications networks is unknown to German authorities, especially since Germany’s Bundesnachrichtendiesnt (BND), the Federal Intelligence Service, has provided two BND telecommunications interception programs, Veras and Mira-4, and their intercept data in return for BND access to SIGINT intercepts of German communications contained in an NSA database known as XKEYSCORE. NSA and BND also most certainly have agents embedded in German telecommunications companies like Deutsche Telekom.

Classified slides prepared by GCHQ confirms the use of engineering and support staff to penetrate the BELGACOM network in Belgium. One slide on the classified MERION ZETA network penetration project describes GCHQ’s operation: «Internal CNE [Certified Network Engineer] access continues to expand – getting close to access core GRX [General Radio Packet Services (GPRS) Roaming Exchange] routers – currently on hosts with access». Another slide reveals the target of the BELGACOM core router penetration: «targets roaming using smart phones».

In countries where the NSA and its partners lack a formal alliance with the national intelligence authorities, the NSA’s Special Source Operations (SSO) element and the Tailored Access Operations (TAO) unit turn to SCS and its CIA partners to infiltrate agents into the technical staffs of telecommunications providers either by having them recruited as employees, especially as system administrators, hiring on as consultants, or buying off existing employees with cash or other favors or blackmailing them with embarrassing personal information. Personal information that can be used for blackmail is being collected by NSA and its partners from text messages, web searches and website visits, address books and webmail lists, and other targeted communications.

SCS operations are where SIGINT meets HUMINT, or «human intelligence». In some countries like Afghanistan, penetration of the Roshan GSM cell network is facilitated by the large presence of U.S. and allied military and intelligence personnel. In countries like the United Arab Emirates, the penetration of the Thuraya mobile satellite network was facilitated by the fact that the large U.S. defense contractor Boeing installed the network. Boeing is also a major NSA contractor.

This SIGINT/HUMINT interface has been seen with clandestine intercept devices placed on fax machines and computers in various diplomatic missions in New York and Washington, DC. Rather than breaking in diplomatic facilities under the cover of darkness, the method once used by SCS «black bag» operational teams, it is much easier to gain entry to such facilities as telecommunications service personnel or on-call technical support contractors. SCS successfully placed intercept devices in the following code-named targeted facilities: European mission to UN (PERDIDO/APALACHEE), Italian embassy in DC (BRUNEAU/HEMLOCK); French mission to UN (BLACKFOOT), Greek mission to UN (POWELL); French embassy in DC (WABASH/MAGOTHY); Greek embassy in DC (KLONDYKE); Brazilian mission to UN (POCOMOKE); and Brazilian embassy in DC (KATEEL).

The NSA Signals Intelligence Activity Designator «US3273,» codenamed SILVERZEPHYR, is the SCS collection unit located within the U.S. embassy in Brasilia, the capital of Brazil. In addition to conducting surveillance of Brazil’s telecommunications networks, SILVERZEPHYR can also monitor foreign satellite (FORNSAT) transmissions from the embassy and possibly other, clandestine units operating outside of official diplomatic cover, from within Brazilian territory. One such clandestine network access point found in the documents provided by Snowden is code-named STEELKNIGHT. There are some 62 similar SCS units operating from other U.S. embassies and missions around the world, including those in New Delhi, Beijing, Moscow, Nairobi, Cairo, Baghdad, Kabul, Caracas, Bogota, San Jose, Mexico City, and Bangkok. 

It was through the clandestine penetration of Brazil’s networks, using a combination of technical SIGINT and HUMINT means, that NSA was able to listen in on and read the communications of President Dilma Rousseff and her chief advisers and Cabinet ministers, including the Minister of Mines and Energy. The intercept operations against the latter were delegated to CSEC, which codenamed the penetration of the Mines and Energy Ministry, as well as the state oil company PETROBRAS, project OLYMPIA.

NSA’s RAMPART, DISHFIRE, and SCIMITAR operations specifically target the personal communications of heads of government and heads of state like Rousseff, Russian President Vladimir Putin, Chinese President Xi Jinping, Ecuadorian President Rafael Correa, Iranian President Hasan Rouhani, Bolivian President Evo Morales, Turkish Prime Minister Recep Tayyip Erdogan, Indian Prime Minister Manmohan Singh, Kenyan President Uhuru Kenyatta, and Venezuelan President Nicolas Maduro, among others.

NSA’s special SIGINT unit, called the «Mexico Leadership Team» used similar penetration of Mexico’s Telmex and Satmex to be able to conduct surveillance of the private communications of current President Enrique Pena Nieto and his predecessor Felipe Calderon, the operation against the latter code-named FLATLIQUID. NSA’s surveillance of the Mexican Public Security Secretariat was code-named WHITETAMALE and must have used inside collaborators given the fact that some level of Mexican security officials use encrypted communication methods. SCS certainly relied on well-placed insiders to monitor the cellular communications of Mexican cell phone networks in a covert project codenamed EVENINGEASEL.

While there are a number of technical fixes and countermeasures that can stymie NSA and Five Eyes surveillance of government and corporate communications, a simple threat and vulnerability assessment concentrating on personnel and physical security is the first line of defense against the roving ears and eyes of America’s «Big Brother».

The views of individual contributors do not necessarily represent those of the Strategic Culture Foundation.
How NSA Penetrated Latin America Telecommunications Networks

Thanks to the documents provided by National Security Agency (NSA) whistleblower Edward Snowden, the activities of a little-known branch of the U.S. intelligence community, the Special Collection Service (SCS), are becoming more well-known. A hybrid organization composed of mostly NSA personnel but also personnel from the Central Intelligence Agency (CIA), the SCS, known as F6 within the NSA, is headquartered in Beltsville, Maryland. SCS headquarters, in an office building bearing the initials «CSSG,» sits adjacent to the State Department’s Diplomatic Telecommunications Service (DTS). A secure underground cable that runs between the two buildings permits SCS to securely communicate with clandestine NSA listening posts established within U.S. embassies around the world. These NSA «out stations,» also known as «Special Collection Elements» and «Special Collection Units» are found in U.S. embassies from Brasilia and Mexico City to New Delhi and Tokyo…

As we now know from the Snowden documents, SCS also has managed to place communications taps within the Internet and cell phone and landline communications infrastructures of a number of nations, especially those in Latin America. Working with SCS has been the Communications Security Establishment Canada (CSEC), NSA’s «Five Eyes» partner agency, to eavesdrop on particular targets, such as the Ministry of Mines and Energy of Brazil. For many years, under an operation named PILGRIM, CSEC had been monitoring Latin American and Caribbean communications networks from out stations located within Canadian embassies and high commissions in the Western Hemisphere. These facilities have had code names such as CORNFLOWER for Mexico City, ARTICHOKE for Caracas, and EGRET for Kingston, Jamaica. 

NSA’s widespread collection of digital data from fiber-optic lines, Internet Service Providers, telecommunications companies’ network switches, and cellular systems in Latin America could not have been possible without the presence of intelligence assets within telecommunications companies and other network service providers. Among the Five Eyes signals intelligence (SIGINT) sharing nations of the United States, Britain, Australia, Canada, and New Zealand, such cooperation from the commercial firms is relatively easy. They cooperate with their nations’ respective SIGINT agencies to either gain favor or avoid retaliation from their governments. In the United States, NSA enjoys the cooperation of Microsoft, AT&T, Yahoo, Google, Facebook, Twitter, Apple, Verizon, and others to carry out massive surveillance conducted by the PRISM metadata collection program. 

Britain’s Government Communications Headquarters (GCHQ) has ensured the cooperation of British Telecom, Vodafone, and Verizon. Canada’s CSEC has working relationships with companies like Rogers Wireless and Bell Aliant while Australia’s Defense Signals Directorate (DSD) can rely on a constant flow of data from companies like Macquarie Telecom and Optus.

It is inconceivable that NSA’s collection of 70 million communications intercepts of French phone calls and text messages in a single month could have been accomplished without having intelligence assets placed within the technical staffs of two of the targeted French telecommunications companies» the Internet Service Provider Wanadoo and the telecommunications firm Alcatel-Lucent. It is also unlikely that French intelligence is unaware of the activities of the NSA and SCS in France. Similarly, it is unlikely that NSA penetration of German telecommunications networks is unknown to German authorities, especially since Germany’s Bundesnachrichtendiesnt (BND), the Federal Intelligence Service, has provided two BND telecommunications interception programs, Veras and Mira-4, and their intercept data in return for BND access to SIGINT intercepts of German communications contained in an NSA database known as XKEYSCORE. NSA and BND also most certainly have agents embedded in German telecommunications companies like Deutsche Telekom.

Classified slides prepared by GCHQ confirms the use of engineering and support staff to penetrate the BELGACOM network in Belgium. One slide on the classified MERION ZETA network penetration project describes GCHQ’s operation: «Internal CNE [Certified Network Engineer] access continues to expand – getting close to access core GRX [General Radio Packet Services (GPRS) Roaming Exchange] routers – currently on hosts with access». Another slide reveals the target of the BELGACOM core router penetration: «targets roaming using smart phones».

In countries where the NSA and its partners lack a formal alliance with the national intelligence authorities, the NSA’s Special Source Operations (SSO) element and the Tailored Access Operations (TAO) unit turn to SCS and its CIA partners to infiltrate agents into the technical staffs of telecommunications providers either by having them recruited as employees, especially as system administrators, hiring on as consultants, or buying off existing employees with cash or other favors or blackmailing them with embarrassing personal information. Personal information that can be used for blackmail is being collected by NSA and its partners from text messages, web searches and website visits, address books and webmail lists, and other targeted communications.

SCS operations are where SIGINT meets HUMINT, or «human intelligence». In some countries like Afghanistan, penetration of the Roshan GSM cell network is facilitated by the large presence of U.S. and allied military and intelligence personnel. In countries like the United Arab Emirates, the penetration of the Thuraya mobile satellite network was facilitated by the fact that the large U.S. defense contractor Boeing installed the network. Boeing is also a major NSA contractor.

This SIGINT/HUMINT interface has been seen with clandestine intercept devices placed on fax machines and computers in various diplomatic missions in New York and Washington, DC. Rather than breaking in diplomatic facilities under the cover of darkness, the method once used by SCS «black bag» operational teams, it is much easier to gain entry to such facilities as telecommunications service personnel or on-call technical support contractors. SCS successfully placed intercept devices in the following code-named targeted facilities: European mission to UN (PERDIDO/APALACHEE), Italian embassy in DC (BRUNEAU/HEMLOCK); French mission to UN (BLACKFOOT), Greek mission to UN (POWELL); French embassy in DC (WABASH/MAGOTHY); Greek embassy in DC (KLONDYKE); Brazilian mission to UN (POCOMOKE); and Brazilian embassy in DC (KATEEL).

The NSA Signals Intelligence Activity Designator «US3273,» codenamed SILVERZEPHYR, is the SCS collection unit located within the U.S. embassy in Brasilia, the capital of Brazil. In addition to conducting surveillance of Brazil’s telecommunications networks, SILVERZEPHYR can also monitor foreign satellite (FORNSAT) transmissions from the embassy and possibly other, clandestine units operating outside of official diplomatic cover, from within Brazilian territory. One such clandestine network access point found in the documents provided by Snowden is code-named STEELKNIGHT. There are some 62 similar SCS units operating from other U.S. embassies and missions around the world, including those in New Delhi, Beijing, Moscow, Nairobi, Cairo, Baghdad, Kabul, Caracas, Bogota, San Jose, Mexico City, and Bangkok. 

It was through the clandestine penetration of Brazil’s networks, using a combination of technical SIGINT and HUMINT means, that NSA was able to listen in on and read the communications of President Dilma Rousseff and her chief advisers and Cabinet ministers, including the Minister of Mines and Energy. The intercept operations against the latter were delegated to CSEC, which codenamed the penetration of the Mines and Energy Ministry, as well as the state oil company PETROBRAS, project OLYMPIA.

NSA’s RAMPART, DISHFIRE, and SCIMITAR operations specifically target the personal communications of heads of government and heads of state like Rousseff, Russian President Vladimir Putin, Chinese President Xi Jinping, Ecuadorian President Rafael Correa, Iranian President Hasan Rouhani, Bolivian President Evo Morales, Turkish Prime Minister Recep Tayyip Erdogan, Indian Prime Minister Manmohan Singh, Kenyan President Uhuru Kenyatta, and Venezuelan President Nicolas Maduro, among others.

NSA’s special SIGINT unit, called the «Mexico Leadership Team» used similar penetration of Mexico’s Telmex and Satmex to be able to conduct surveillance of the private communications of current President Enrique Pena Nieto and his predecessor Felipe Calderon, the operation against the latter code-named FLATLIQUID. NSA’s surveillance of the Mexican Public Security Secretariat was code-named WHITETAMALE and must have used inside collaborators given the fact that some level of Mexican security officials use encrypted communication methods. SCS certainly relied on well-placed insiders to monitor the cellular communications of Mexican cell phone networks in a covert project codenamed EVENINGEASEL.

While there are a number of technical fixes and countermeasures that can stymie NSA and Five Eyes surveillance of government and corporate communications, a simple threat and vulnerability assessment concentrating on personnel and physical security is the first line of defense against the roving ears and eyes of America’s «Big Brother».