nsa codenames
TRANSCRIPT
8/13/2019 NSA Codenames
http://slidepdf.com/reader/full/nsa-codenames 1/19
m June 1996 to the present
)
liated with hacking and bugging.the NSA/GCHQ that hare affiliated with hacking and bugging. The recent series of Der Spiegel articles has resulted in a dramatic expansion of what is known about them.
for the use of others who have been maintaining similar lists.
tter handle: @paulmd199, and I will seek to integrate them in to a future expanded version. Which will also integrate codenames from other areas, in order to form a more complete
8/13/2019 NSA Codenames
http://slidepdf.com/reader/full/nsa-codenames 2/19
8/13/2019 NSA Codenames
http://slidepdf.com/reader/full/nsa-codenames 3/19
Donate for the Cryptome archive of files from June 1996 to the present
--------------------------------------------------------------------------------
1 January 2014
NSA Codenames
--------------------------------------------------------------------------------
Date: Wed, 1 Jan 2014 16:03:04 -0800 (PST)
From: xxxxxx[at]efn.org
To: cryptome <cryptome[at]earthlink.net>
Subject: List of NSA/GCHQ codemanes affiliated with hacking and bugging.
I have compiled a list of codenames used by the NSA/GCHQ that hare affiliated with hacking and bugging. The recent series of DerSpiegel articles has resulted in a dramatic expansion of what is known about them.
I have also included my original spreadsheet, for the use of others who have been maintaining similar lists.
Send any comments or corrections to my twitter handle: @paulmd199, and I will seek to integrate them in to a future expanded
version. Which will also integrate codenames from other areas, in order to form a more complete picture.
8/13/2019 NSA Codenames
http://slidepdf.com/reader/full/nsa-codenames 4/19
--------------------------------------------------------------------------------
Original spreadsheet converted to HTML below: http://cryptome.org/2014/01/nsa-codenames.ods
Codename Price/ea Description Note
“Non Cooperative Wireless access point”
Just what it sounds like. The owner of the wireless device doesn't know the NSA is using it. In short, it's been “pwned”
ALTEREGO QFD
A “Question filled Dataset”
ANGRYNEIGHBOR
A family of bugs implemented as RF retro reflectors. These communicate with the use of an external radar wave generator such as
CTX4000 or PHOTOANGLO. The signals are then processed by a system such as VIEWPLATE, (for the VAGRANT video signal).
Known implementations: LOUDAUTO(ambient audio). DROPMIRE (printer/fax), RAGEMASTER (video), SURLYSPAWN
(keyboard/mouse). See also: VAGRANT, DROPMIRE, CTX4000, PHOTOANGLO
ANTO LP PROTOSS GUI
Spotted on IRONCHEF diagram
ARKSTREAM
malicious BIOS flashing program, known to be associated with DIETYBOUNCE, SWAP
ARTEMIS
see ENTOURAGE
BACONRIDGE
Codename for a 4200 sq. ft. facility in Texas, holding TAO. Employing some 270 employees. Includes a datacenter qith 200 racks
covering 9,450 sq. ft..
BANANAGLEE
A software exploit made by Digital Network Technologies (DNT) for Juniper Netscreen ns5xt, ns50, ns200, ns500, ISG 1000,
ssg140, ssg5, ssg20, SSG 320M, SSG 350M, SSG 520, SSG 550, SSG 520M, SSG 550M firewalls. Also works on Cisco PIX 500 series
and ASA 5505, 5510, 5520, 5540, and 5550 series firewalls. Used for exfiltrating data from target networks. See also FEEDTROUGH,
GORUMETTROUGH, JETPLOW
BLACKHEART
8/13/2019 NSA Codenames
http://slidepdf.com/reader/full/nsa-codenames 5/19
Collection from an FBI implant
BLACKPEARL
mentioned in context of Petrobras story
BLINDDATE
Software included on SPARROW II mini computers. Also seen in another context on QFIRE slide as part of a “TAO covert
network.”. see also: STRAITBIZARRE, QUANTUM, SPARROW II
BSR
Base Station Router, use for intercepting GSM cell phone signals. Ships with laptop and accessories, networkable with other units
via 802.11. Supports CANDYGRAM and LANDSHARK capabilities.
BULLDOZER
PCI bus malicious hardware Installed via “interdiction”
Byzantine Anchor (BA)
“BA, a subset of Byzantine Hades, refers to a group of associated computer network intrusions with an apparent nexus to China.”
Source: Cablegate
Byzantine Candor (BC)
Refers to a certain class of hacking by Chinese actors. Byzantine Candor is a subset of Byzantine Hades relating to intrusion,
including by means of social engineering involving delivering malicious payloads by email. Source: Cablegate
Byzantine Hades (BH)
“a cover term for a series of related computer network intrusions with a believed nexus to China, has affected U.S . and foreign
governments as well as cleared defense contractors since at least 2003” Believed to be Chinese state-sponsored (the PLA inparticular). Though the evidence is tenuous. (ca 2009). In general, victims of Chinese-affiliated hacking are legitimate businesses,
including defense contractors. They have been successful in exfiltrating large volumes of confidential emails and other sensitive
documents. Source: Cablegate
CANDYGRAM $40,000.00 Mimics GSM cell tower. Also included in the package are a Windows XP laptop, and cell phone, that
communicate with the unit via SMS messages. Capable of targeting 200 phone numbers simultaneously See also: DRTBOX,
Stingray, CANDYGRAM, NEBULA, CYCLONE, TYPHON
CDR Diode
Spotted on IRATEMONK, WISTFULTOLL diagrams (Note: Must replay Appelbaum's talk about these), See also: IRATEMONK,
STRAITBIZARRE, SEAGULLFARO, UNITEDRAKE, WISTFULLTOLL
CHIMNEYPOOL
Software based malware toolkit “Framework”, likely written in C/C (according to resumes posted online) Known products
written with it: COTTONMOUTH-I, COTTONMOUTH-II, COTTONMOUTH-III, DROPOUTJEEP
COMMONDEER
A software based malware, used by the NSA. see also: SEASONEDMOTH, VALIDATOR
CONJECTURE
A RF communication protocol used by HOWLERMONKEY devices. see also: HOWLERMONKEY
CONOP
not a codename: Concept of Operations
8/13/2019 NSA Codenames
http://slidepdf.com/reader/full/nsa-codenames 6/19
COTS
Commercial Off the Shelf. When a description of a bug says it is COTS-based, it means that the components are commercially
available, giving the NSA deniability as to their true source. (Unless you just happen to be looking at the NSA's leaked product
catalog. )
COTTONMOUTH-1 (CM-1) $20,300.00 USB cable w/ convert RF transmitter/receiver & malware payload GENIE Compatible,
communicates with STRAITBIZARRE, other COTTOMNOUTH devices, reprogrammable, probably related to DEWSWEEPER (possibly
a subclass of the same)
COTTONMOUTH-II (CM-II) $4,000.00 A dual-stacked USB port, (the kind that are soldered directly onto a motherboard), providing
a covert “long haul” relay across airgapped systems. Like CM-I, and many other systems, it is written with the CHIMNEYPOOL
framework, and communicates via STRAITBIZARRE. Unlike CM-I and CM-III, it does not incorporate HOWLERMONKEY or TRINITY.
See also: CM-I, CM-III, STRAITBIZARRE, CHIMNEYPOOL. Perhaps a subclass of DEWSWEEPER
COTTONMOUTH-III (CM-III) $24,960.00 A dual-stacked USB port/RJ45 ethernet jack combo, (the kind that are soldered directly
onto a motherboard), providing a covert RF relay across airgapped systems. Like CM-I, and many other systems, it is written with
the CHIMNEYPOOL framework, and communicates via STRAITBIZARRE. It can communicate with other CM devices with the
SPECULATION Protocol. It also integrates TRINITY, and the HOWLERMONKEY RF transceiver. see also: CM-1, CM-II, TRINITY,
HOWLERMONKEY, SPECULATION, CHIMNEYPOOL, STRAITBIZARRE. Perhaps a subclass of DEWSWEEPER.
CROSSBEAM $4,000.00 “the CROSSBEAM module consists of a standard ANT architecture embedded computer, a specialized
phone component, a customized voice controller suite and and optional DSP (ROCKYKNOB) if using Data Over Voice to transmit
data”. Communicates over GSM. Compatible with CHIMNEYPOOL framework. Appears to be a WAGONBED controller board mated
with a Motorola G20 GSM module. See also: WAGONBED, CHIMNEYPOOL, ROCKYKNOB.
CRUMPET Covert network (CCN)
Sample drawing included Printers, servers, and computers. All allegedly airgapped. (But not actually, due to covertly installed
hardware) Spotted on IRONCHEF diagram
CRYPTO ENABLED
Collection derived from AO's efforts to enable Crypto
CTX4000
A radar wave generator, can produce up to 1kW, output, with the use of external amplifies. designed for DROPMIRE, and
VAGRANT. Obsolete, replaced by PHOTOANGLO. see also, DROPMIRE, VAGRANT, PHOTOANGLO
CUSTOMS
Customs opportunities (not LIFESAVER)
CW
Continuous Wave, such as the ones generated by CTX4000, or PHOTOANGLO.
CYCLONE Hx9 $70,000 (2 month rental) EGSM base station router, used for collection GSM cell phone signals. Shops with laptop
and accessories for command and control, uses the same GUI as the TYPHON. Controllable via 802.11 wifi. See also: TYPHON,
CANDYGRAM, DRTBOX, NEBULA
DANDERSPRIT
See DANDERSPRITZ
DANDERSPRITZ
Described as an “intermediate redirector node.” Another tool made by Digital Network Technologies (DNT). Spoofs IP and MAC
address.
8/13/2019 NSA Codenames
http://slidepdf.com/reader/full/nsa-codenames 7/19
DARKTHUNDER
A SIGAD used for TAO, and thus QUANTUM, FOXACID, and the like. see also, QUANTUM, FOXACID.
DEWSWEEPER
USB (Universal Serial Bus) hardware host tap that provides COVERT link over USB link into a target network. Operates w/RF relay
subsystem to provide wireless Bridge into target network.
DIETYBOUNCE $0.00 BIOS exploit for Dell PowerEdge 1850/2850/1950/2950 running BIOS versions A02, A05, A06, 1.1.0, 1.2.0 or
1.3.7 Can be installed by non-technical user with USB thumb drive
DOCKETDICTATE
DOGCOLLAR QFD
A “question filled dataset”
DROPMIRE
passive collection of emanations using an antenna. A Tempest style attack. see also VAGRANT, CTX4000, PHOTOANGLO
DROPMIRE
Laser printer collection, purely proximal access (**NOT** implanted). A tempest style attack. see also VAGRANT, CTX4000,
PHOTOANGLO
DROPOUTJEEP
Apple iPhone malware. Infiltrates and exfiltrates SMS, files, contact lists, voicemail, geolocation, camera capture. Once installed,
DROPUTJEEP can be controlled via SMS messages or GPRS data connection. Installed either through physical access , or remotely
(“future” plan, back in 2008)
DRTBOX
Mimics cell tower, Spotted in BOUNDLESSINFORMANT slides. See see http://electrospaces.blogspot.com/2013/11/drtbox-and-
drt-surveillance-systems.htmlfor more details See also: CANDYGRAM, CYCLONE Hx9, TYPHON, EBSR, NEBULA
EBSR $40,000.00 Low power GSM base station router, see also: TYPHON, CANDYGRAM, DRTBOX, CYCLONE Hx9, NEBULA
EGOTISTICALGIRAFFE (EGGI)
Malware, a successful Firefox exploit (attempted against tor users)
EGOTISTICALGOAT (EGGO)
Firefox exploit against 10.0 -16.0.2 Exploits type confusion vulnerability in E4X
ENTOURAGE $70,000.00 Application for the HOLLOWPOINT platform, including band-specific antennas and a laptop for the
command and control. Controllable via gibabit Ethernet Future plans (circa 2008) included WiFi, WiMAX and LTE.
EPICFAIL
attacks against dumb Tor users (?)
ERRONEOUSINGENUITY (ERIN)
Firefox exploit against 13.0 – 16.0.2
8/13/2019 NSA Codenames
http://slidepdf.com/reader/full/nsa-codenames 8/19
FA
CNE (hacking) technique used against Tor users
FAIRVIEW
a corporate-run SIGAD, part of the NSA's “upstream” collection program, that permits “cyber” access. Thus it is probable that it is
used in QUANTUM collection. see also: QUANTUM, FOXACID.
FEEDTROUGH
malware for Juniper Networks' Firewalls
FEEDTROUGH
A malicious BIOSS modification that Implants and/or maintains BANGALEE and/or ZESTYLEAK Juniper Netscreen firewall exploits
deployed on many target platforms
FERRETCANNON
A system that injects malware, associated with FOXACID. see also, QUANTUM, FOXACID.
FET
Field Effect Transmitter
FINKDIFFERENT (FIDI)
A Firefox exploit, successful against 10 ESR, but failed against tbb-firefox
FIREWALK $10,740.00 “FIREWALK is a bidirectional network implant, capable of passively collecting Gigabit Ethernet traffic and
injecting Ethernet packets onto the same target network.” Integrates TRINITY and HOWLERMONKEY. Provides direct or indirect
covert RF link to Remote Operations Center via a VPN. The version in the catalog requires soldering to a motherboard. see also:
HOWLERMONKEY, DANDERSPRITZ, TRINITY. Note: unit physically appears nearly identical to CM-III. Perhaps a subclass of RADON.
FLUXBABBIT $500.00 a hardware based bug for Dell PowerEdge 1950 and 2950 servers using Xeon 5100 and 5300 processors.
Installation requires intercepting the server, while it is enroute to its destination, disassembling it and installing the hardware.
FLYING PIG
GCHQ SSL/TLS exploitation knowledgebase and tool used for MITM attacks against Petrobras et al
FOXACID
A malicious server that injects malware, by means of spoofed legitimate-looking pages and does MITM attacks
FOXSEARCH
perhaps a database of all targets to be exploited with FOXACID
FREEFLOW
context: “DROPOUTJEEP *and TOTEGHOSTLY 2.0+ is compliant with the FREEFLOW project, therefor it is supported in the
TURBULANCE architecture.
FREEZEPOST
8/13/2019 NSA Codenames
http://slidepdf.com/reader/full/nsa-codenames 9/19
FRIEZERAMP
A communications protocol that certain infected devices use to communicate with the NSA. It involves HTTPSlink2. see also:TOTEGHOSTLY 2.0
FUNNELOUT
mentioned in context of tor exploitation
GALAXY
GECKO II
IRONCHEF example included A hardware implant (MRRF or GSM), IRONCHEF persistence backdoor, “Software implant
UNITEDRAKE Node” Spotted on IRONCHEF diagram
GENESIS $15,000.00 A spectrum analyzer tool, for covertly collecting and locating signals. A modified Motorola handset.
Information downloaded to a laptop via ethernet port.
GENIE
Multi-stage operation; jumping the airgap etc., refers to certain classes of hardware that provide a wireless covert network in an
allegedly airgapped environment. see allso: CM-I, CM-II, CM-III, HOWLERMONKEY, TOTEGHOSTLY 2.0
GEOFUSION
related to Petrobras story
GINSU $0.00 maintains KONGUR infection, should it be removed target systems: Windows 9x, 2000, Vista, XP, 2003
GODSURGE $500.00 The software set for FLUXBABBIT, preconfigured at the factory, but reconfigurable remotely. For Dell
PowerEdge 1950, 2950 servers running Xeon 5100 and 5300 processor families. see FLUXBABBIT, WAGONBED
GOPHERSET $0.00 Malware for GSM Phase 2+ SIM cards that use the SIM Toolkit (STK). Exfiltrates phonebook, SMS, and call logs,
via SMS, to a predefined phone number. Installed either via a USB sim card reader, or remotely (over the air provisioning) See also:
MONKEYCANENDAR
GOURMETTROUGH $0.00 Maintains BANANAGLEE infection on Juniper Netscreen nsg5t, ns50, ns25, isg1000, ssg140, ssg5, ssg20firewalls see also: FEEDTROUGH
GREAT EXPECTATIONS
NSA version of QUICKANT
HALLUXWATER
ROM based exploit for Huawei Eudemon 200, 500, and 1000 series firewalls. survives bootrom upgrades and OS upgrades. NSA
operator has ability to execute arbitrary code on infected system.
HAMMERMILL
8/13/2019 NSA Codenames
http://slidepdf.com/reader/full/nsa-codenames 10/19
See: HAMMERMILL Insertion Tool (HIT)
HAMMERMILL Insertion Tool (HIT)
command and control system, designed by DNT for exploited Huawei routers
HC12
an earlier micro-computer design the NSA used in bugs. see also: JUNIORMINT, MAESTRO II, TRINITY
HEADWATER
software based persistent backdoor for Certain Huawei routers. Controlled via HAMMERMILL Insertion tool (HIT)
HIGHLANDS
Collection from Implants
HOLLOWPOINT
GSM/UTMS/CSMA2000/FRS signal platform. Operates In the 10MHz to 4GHz range. Includes receiver and antenna. Can both
transmit and receive. See also: ENTOURAGE, NEBULA, GALAXY
HOWLERMONKEY (HM) $750-$1,000 Covert short to medium range RF Transceiver. Designed to be integrated with a larger device.
Communicates over SPECULATION and CONJECTURE protocols. Known products that include HOWLERMONKEY are: CM-I, CM-II,
FIREWALK, SUTURESAILOR, and YELLOWPIN. See: CM-I, CM-III, FIREWALK, YELLOWPIN, COTS, SPECULATION, CONJECTURE,
STRIKEZONE.
HOWLERMONKRY
See HOWLERMONKEY
HUSH PUPPY
GCHQ Tool, related to exploitation related to Petrobras story
IRATEMONK $0.00 Firmware based malware for certain WD, Seagate, Maxtor and Samsung hard drives. Supports FAT, NTFS, EXT3,
and UFS file systems.
IRONCHEF $0.00 Malware that is used to maintain and reinstall, if necessary, the software component of systems implanted with
the WAGONBED hardware trojan.
ISLANDTRANSPORT
“Enterprise Message Service”
JETPLOW $0.00 Firmware-based malware for maintaining BANANAGLEE, software-based malware on. Cisco PIX 500 series and ASA
5505, 5510, 5520, 5540, and 5550 series firewalls. Widely Deployed
JUNIORMINT
A generic, programmable miniature computer. For use in concealed bugs. Specs: 400Mhz ARM 9 microcontroller, 32 MB Flash, 64
MB SDRAM, 128MB DDR2 and an “XC4VLX25 10752 Slice” FPGA. see also: MAESTRO II, TRINITY, SPARROW II
KONGUR
malware payload, known to be deployed via KONGUR
8/13/2019 NSA Codenames
http://slidepdf.com/reader/full/nsa-codenames 11/19
LANDSHARK
see: EBSR
LEGION JADE
GCHQ cover term, somehow associated with FLYING PIG, which is a tool used for exploitation. It is probable that this term is alsorelated to exploitation in some way. see also: FLYING PIG, HUSH PUPPY, Byzantine Candor, Byzantine Hades, Byzantine Anchor.
LEGION RUBY
GCHQ cover term, somehow associated with FLYING PIG, which is a tool used for exploitation. It is probable that this term is also
related to exploitation in some way. see also: FLYING PIG, HUSH PUPPY, Byzantine Candor, Byzantine Hades, Byzantine Anchor.
LFS-2
A processing system for VAGRANT signals returned by the PHOTOANGLO system. Requires an external monitor to display the
signal. see also: PHOTOANGLO, NIGHTWATCH
LHR
Long Haul Relay
LIFESAVER
Imaging of the Hard Drive
LOUDAUTO $30.00 An audio bug for a room. Implemented as an RF retro-reflector (ANGRYNEIGHBOR family). It therefor requires
a unit such as CTX4000, to communicate back to the base. See also: ANGRYNEIGHBOR, VARGANT, CTX4000, PHOTOANGLO,
DROPMIRE.
LP
Listening Post
MAESTRO II $3,000 - $4,000 A generic, programmable miniature computer. For use in concealed bugs. Specs: 66Mhz ARM 7
microcontroller, 4 MB Flash, 8 MB SDRAM an “XC2V500 500k gates” FPGA. Roughly the same size as a dime. see also:
JUNIORMINT, TRINITY, SPARROW II
MAGNETIC
Sensor Collection of Magnetic Emanations Tempest style attack
MCM
Multi Chip Module
MIDDLEMAN
TAO covert network. i.e. a network that secretly connects airgapped computers to the internet.
MINERALIZE
Collection from LAN Implant
MJOLNIR
an internal tor test network ca 2006, with software tools for the same Mjolnir was the “Hammer of Thor” possible pun – “hammerof tor”
8/13/2019 NSA Codenames
http://slidepdf.com/reader/full/nsa-codenames 12/19
MOCCASIN
a version of COTTONMOUTH permanently attached to a USB keyboard
MONKEYCALENDAR $0.00 Malware for GSM Phase 2+ SIM cards that use the SIM Toolkit (STK). Exfiltrates geolocation data to a
preset phone number via SMS. See also GOPHERSET
MULLENIZE
'USER agent staining”, malware mentioned in context of tor unmasking
MUTANT BROTH
GCHQ tool for identifying targets from data returned by QUANTUM products
NEBULA
A base station router, for intercepting mobile telephone calls and data transmissions. Uses the TYPHON GUI. Networkable and
controllable via 802.3 and 802.11. see also: TYPHON, CYCLONE, DRTBOX, CANDYGRAM, EBSR
NEWTONS CRADLE
GCHQ-run Tor nodes
NIGHTSTAND (NS)
Mobile hacking platform including laptop, case, and antennas. Targets windows 2000 and XP, running internet explorer 5-6.
Attacks occur over WiFi, and are alleged to be undetectable to the user. Capable of targeting several systems simultaneously. With
the use of amplifiers, attacks can happen from up to 8 miles away.
NIGHTWATCH
Specialized system for processing, reconstructing and displaying video signals collected by VAGRANT. And returned to a CSX4000
or a PHOTOANGLO system. Obsoleted, replaced by VIEWPLATE. SEE VAGRANT, ANGRYNEIGHBOR, CTX4000, PHOTOANGLO.
OCEAN
Optical Collection System for Raster-Based Computer Screens Either tempest style, or done by means of bugged cabling (?)
OCONUS
Not a code name - “Outside CONtinental US”
OLYMPUS
A piece of malware used by the NSA, for the purposes of spying. see also: SOMBERKNAVE, VALIDATOR, UNITEDRAKE
OLYMPUSFIRE
An exploitation system, that uses malware to completely control a target Windows PC. Maintained by a NSA-run Listening Post.
OMNIGAT
Spotted on GINSU diagram
ONIONBREATH
Relates to GCHQ efforts against tor hidden services
8/13/2019 NSA Codenames
http://slidepdf.com/reader/full/nsa-codenames 13/19
OSMJCM-II
Spotted in CM-II diagram
PARCHDUSK (PD)
PBD
Persistent BackDoor
PBX
Public Branch Exchange Switch
PHOTOANGLO $40,000.00 Replaces CTX4000, a continuous radar Wave generator, for the ANGRYNEIGHBOR family of retro-
reflector bugs, including VAGRANT, DROPMIRE, and LOADAUTO. The signals are then sent to a processing system such as
NIGHTWATCH or VIEWPLATE (which process and display the signals from the VAGRANT monitor-cable bug). The LFS-2 is listed as
another type of processing system. A joint NSA/GCHQ project.
PICASSO $2,000.00 GSM handset, carried by a witting operator for bugging conversations and calls within its range. Includes a
panic button for the operator.
PPM
Pulse Position Modulate
PROTOSS
Possibly a bridge between the airgapped system and the Internet Spotted on COTTONMOUTH-I, CM-II, and FIREWALK diagrams.
PSP
Personal Security Product. Also: President's Surveillance Program.
QFD
Question Filled Dataset
QFIRE
System used for infecting computers. Involves both TURMOIL, TURBINE, and additional infrastructure. Co-opted routers,
according to Appelbaum, these may in cases be unwitting home or business routers, that have been “pwned”. The Goal seems to
be to reduce latency, and therefor increase the success rate of QUANTUMINSERT/FOXACID attacks. see also: QUANTUM,
FOXACID.
QIM/JMSQ
Spotted on IRATEMONK, WISTFULTOLL diagrams
QUANTUM
8/13/2019 NSA Codenames
http://slidepdf.com/reader/full/nsa-codenames 14/19
Perhaps a generalize term for certain styles of hacking used by NSA and GCHQ. The most popular is the QUANTUMINSERT. see
also: FOXACID, QUANTUM COOKIE, QUANTUM BOT, QUANTUM THEORY.
QUANTUM INSERT (QI)
A style of hacking, involving a man-in the middle attack, involving a malicious server (dubbed FOXACID) that attempts to outrun a
legitimate server (yahoo and linkedIn are favorites), spoof their pages and insert a trojan into the unsuspecting user. Both NSA and
GCHQ use this term see also: FOXACID, QUANTUM COOKIE, QUANTUM BOT, QUANTUM THEORY.
QUANTUMBOT
controls IRC bots
QUANTUMCOOKIE
forces browsers to toss their cookies (divulge them) see also: FOXACID, QUANTUM COOKIE, QUANTUM BOT, QUANTUM THEORY.
QUANTUMCOPPER
corrupts file uploads and downloads. (malware injection on the fly?). According to Appelbaum, this is also used like the “great
firewall of China”.
QUANTUMNATION
a system to deploy “stage 0” malware such as SEASONEDMOTH. Stage 0 items are programmed to self -destruct within 30 days.
see also: QUANTUMTHEROY
QUANTUMSKY
resets connections (which ones?)
QUANTUMTHEORY
A GCHQ toolkit for QUANTUM products, that expands the range of “spoofable” services. Injects a “stage 1” malware, such asVALIDATOR or COMMONDEER see also: QUANTUMNATION
QUICKANT QFD
GCHQ tor analytics/knowledgebase
RADON
Bi-Directional host-tap that can inject Ethernet packets onto the same target. Allows Bi-directional exploitation of Denied
networks using standard on-net tools. Perhaps the ethernet equivalent of DEWSWEEPER (?)
RAGEMASTER $30.00 A bugged video cable. Implemented as an RF retro-reflector. Used for VAGRANT collection. See also:
VAGRANT, CTX4000, PHOTOANGLO, DROPMIRE, LOADAUTO, NIGHTWATCH, VIEWPLATE.
REMATION II
Joint NSA/GCHQ anti-tor Workshop ca 2012
Retro reflector
a term for a special kind of mirror that always sends a signal directly back on the path it comes from, regardless of the angle.
RETURNSPRING
Spotted on IRATEMONK, WISTFULTOLL diagrams
8/13/2019 NSA Codenames
http://slidepdf.com/reader/full/nsa-codenames 15/19
ROC
Remote Operations Center
ROC
Remote Operations Center
ROCKYKNOB
Optional Digital Signal Processing (DSP) Module for CROSSBEAM. See also: CROSSBEAM
RONIN
Database of tor events
SCHOOLMONTANA
“SCHOOLMONTANA is the cover term for the persistence technique to deploy a DNT implant to Juniper J -Series Routers.” Amalicious BIOS modification. see also: SIERRAMONTANA, STUCCOMONTANA, VALIDATOR
SDR
software Defined radio
SEAGULLFARO
Spotted on IRATEMONK, WISTFULTOLL diagrams
SEASONEDMOTH (SMOTH)
A class of malware that is programmed to automatically die with in 30 days. (unless instructed to extend its life) see also:
VALIDATOR, COMMONDEER
SERUM
Spotted on IRATEMONK diagram
SHARPFOCUS (SF2)
SHORTSHEET
CNE (hacking) technique used against Tor users
SIERRAMONTANA
“SCHOOLMONTANA is the cover term for the persistence technique to deploy a DNT implant to Juniper M -Series Routers.” A
malicious BIOS modification. see also: SCHOOLMONTANA, STUCCOMONTANA, VALIDATOR
SLICKERVICAR
A tool known to be used somewhere in the process of uploading malicious HD firmware Known to be used with IRATEMONK
SNEAKERNET
8/13/2019 NSA Codenames
http://slidepdf.com/reader/full/nsa-codenames 16/19
Not a codename, a term for the “network communication protocol” involving someone physically carrying storage media
between machines.
SOMBERKNAVE $50,000.00 software based malware, intended to bridge airgaps by using an unused 802.11 wireless interface. For
Windows XP. Allows other malware to “call home” In particular, the VALIDATOR and OLYMPUS trojans. see also: VALIDATOR
SOUFFLETROUGH $0.00 A malicious BIOS Modification that maintains BANANAGLEE infection on Juniper SSG 320M, SSG 350M,
SSG 520, SSG 550, SSG 520M, SSG 550M. See also: FEEDTROUGH, GOURMETTROUGH, BANANAGLEE, ZESTYLEAK
SPARROW II $6,000.00 A microcomputer specialized for UAV operations. Includes Integrated WLAN, and Mini PCI slots supporting .
IBM PowerPC 405GR, 64MB SDRAM, 16MB Flash. Designed for survey of wireless networks (Wifi/GSM, etc, depending on
expansion cards). See also: TRINITY, MAESTRO II, JUNIORMINT
SPECULATION
RF communication protocol, used by HOWLERMONKEY devices, Including CM-I, CM-III, FIREWALK.
SSG
Spotted on IRATEMONK, WISTFULTOLL diagrams
STEELFLAUTA
A SIGAD used for TAO, and thus QUANTUM, FOXACID, amd the like. see also, QUANTUM, FOXACID.
STRAITBAZARRE
see also: STRAITBIZARRE
STRAITBIZARRE (SB)
Software made By Digital Network Technologies (DNT) for controlling and receiving data from “implants”. Also involvedsomewhere in the process of uploading malicious HD firmware (works with a tool called SLICKERVICAR to accomplish this) Known
to be used for COTTONMOUTH-I, COTTONMOUTH-II, COTTONMOUTH-III, DROPOUTJEEP, IRATEMONK, TOTEGHOSTLY 2.0
STRIKEZONE
Context: “HOWLERMONKEY is a COTS- based transceiver designed to be compatible with CONJECTURE/SPECULATION networks
and STRIKEZONE devices running a HOWLERMONKEY personality. see also: HOWLERMONKEY
STRONGMITE
somewhere on the ROC side of operations.... Spotted on IRONCHEF diagram
STUCCOMONTANA
“SCHOOLMONTANA is the cover term for the persistence technique to deploy a DNT implant to Juniper T -Series Routers.” A
malicious BIOS modification. see also: SCHOOLMONTANA, SIERRAMONTANA, VALIDATOR
STUXNET
A jointly US/Isreali written piece of malware intended to infect, and physically destroy Iranian nuclear Centrifuges. (which it did)
Also spilled on to non-targeted SCADA systems, causing “collateral damage”.
SURLYSPAWN $30.00 A keyboard or mouse bug implemented as an RF retro-reflector embedded in the cabling. This brings it into
the ANGRYNEIGHBOR family of bugs. see also: ANGRYNEIGHBOR, VAGRANT, DROPMIRE, SURLYSPAWN, CTX4000, PHOTOANGLO,
RAGEMASTER
SURPLUSHANGAR
8/13/2019 NSA Codenames
http://slidepdf.com/reader/full/nsa-codenames 17/19
SUTURESAILOR
a particular device that includes a HOWLERMONKEY component see also: HOWLERMONKEY
SWAP $0.00 A combination of a malicious BIOS modification and a malicious Hard Disk firmware modification (in the host
protected area) used to maintain software based malware on the victim computer. Appears to work on a variety of systems
running Windows, Linux, FreeBSD or Solaris. The file system may be FAT32, NTFS, EXT2, EXT3, or UFS 1.0. see also: ARKSTREAM,
TWISTEDKILT, TUNINGFORK
TAO
Tailored Access Operations. NSA's hacking and bugging unit.
Target Profiler
A tool that lists which targets are vulnerable to exploits, and which. see: QUANTUMNATION, QUANTUMTHEORY
TAWDRYYARD $30.00 An ANGRYNEIGHBOR RF retro-reflector whose purpose is to serve as a beacon, so the RF wave generator
(CTX4000 or PHOTOANGLO) can locate RAGEMASTER video cable bugs, and home in on them. see also: ANGRYNEIGHBOR,
VAGRANT, DROPMIRE, SURLYSPAWN, CTX4000, PHOTOANGLO, RAGEMASTER
TLN
Twisty Lobby Number. (not really well explained in doc)
TOTECHASER
Software-based malware for Thuraya 2520 satellite-cellular handsets running Windows CE. Designed to exfiltrate GPS and GSM
geolocation data, as well as the call log and contact list, and other data via covert SMS messages. SMS messages are also the
means by which the attacker controls the phone. Implementation requires modifying the phone itself, not yet deployed as of Oct
2008. see also: TOTEGHOSTLY
TOTEGHOSTLY 2.0 $0.00 Malware for Windows Mobile -based handsets. Written using DNT's CHIMNEYPOOL framework, and
controlled via STRAITBIZARRE. Used to infiltrate and exfiltrate files, SMS, contact lists, geolocation via SMS or GPRS data
connection. From or to the victim device The attacker has the ability to control the camera and microphone, and also send other
commands to the device. The encrypted protocol it uses to communicate is referred to as FRIEZERAMP. see also: STRAITBIZARRE,
CHIMNEYPOOL, FREEFLOW, TURBULENCE, GENIE, FRIEZERAMP, TOTECHASER
TRINITY $6,250.00 A microcomputer, designed to be part of a bug. Specs: 100Mhz ARM 9 Microcontroller, 4MB flash, 96MB
SDRAM. Smaller than a penny. Known to be a component of CM-I, CM-III, FIREWALK see also: MAESTRO II, JUNIORMINT
TUMULT
associated with TURBULANCE. Somehow involved with QUANTUMTHEORY. Not precicely clear. see also: TURBULANCE,
QUANTUM
TUNING FORK
spotted on DIETYBOUNCE, IRATEMONK, and SWAP diagrams
TURBINE
System used for infecting computers. “Deep Packet Injection” Spotted on COTTONMOUTH -I, and CM-II diagrams, ref in
Appelbaum's talk
TURBOPANDA
cover term for joint CIA/NSA project to exploit Huawei network equipment
TURBOPANDA Insertion Tool (PIT)
command and control system for exploited Huawei firewalls
8/13/2019 NSA Codenames
http://slidepdf.com/reader/full/nsa-codenames 18/19
TURBULANCE
A system integrating passive collection, active hacking, and active hacking defense see also:
http://en.wikipedia.org/wiki/Turbulence_%28NSA%29
TURMOIL
NSA's passive SIGINT collection system. “Deep packet inspection”
TUTELAGE
NSA's own defense system against hacking.
TWISTEDKILT
a hard drive firmware updating program used to install malicious firmware of a victim Hard drive. see also: SWAP
TYPHON HX $175,000 (4 month rental) GSM base station router. Used to collect call logs from targeted phones. Administrated
with a laptop via SMS, but is otherwise a standalone unit. There is no apparent ability to network these together, though other
units, running the same software can do so (CYCLONE Hx9). See also: CYCLONE Hx9, CANDYGRAM, DRTBOX, NEBULA
UAV
Unmanned aerial vehicle. A drone.
UNITEDRAKE
A program similar to STRAITBIZARRE, used for uploading malicious HDD firmware, works with SLICKERVICAR. Known components
include a GUI, a database, and a server, and a manned listening post. It includes a trojan of the same name. Digital Network
Technologies (DNT), a private company, actively maintains the listening posts for UNITEDRAKE, as well as design and deploy
malware. Spotted on IRATEMONK diagram
VAGRANT
Collection of computer Screens. The monitor cables are rigged with an RF retro reflector, (RAGEMASTER). VAGRANT collection
therefor requires a continuous RF generator such as CTX4000 or PHOTOANGLO, and a system to process and display the returned
video signal such as NIGHTWATCH, GOTHAM, LS-2 (with an external monitor), or VIEWPLATE. Known to be deployed in the field ,
as of September 2010 at the following embassies: Brazil's UN Mission in NY (POKOMOKE), France's UN Mission in NY
(BLACKFOOT), India's Embassy and annex in DC, and India's UN Mission in New York. India's embassies were slated to be detasked,
at the time of the document. Context of documents seems to suggest, but does not definitively prove that the coverterm
VAGRANT only applies to the signal itself. See also: CTX4000, DROPMIRE, RAGEMASTER, PHOTOANGLO
VALIDATOR
A software based malware item designed to run on certain Juniper routers (J, M, and T Series) running the JUNOS operating
system. It must be maintained by means of a malicious BIOS modification. A typical use case involves the exfiltration of data from
the victimized system. A separate document describes VALIDATOR as a backdoor used against Windows systems (win 98-2003). Inthis instance, it will identify the system, and if it is truly a target, invite a more sophisticated trojan in, such as UNITEDRAKE or
OLYMPUS. This trojan has been used to de-anonymize tor users. A third version of VALIDATOR works for Apple iOS devices. The
QUANTUMNATION states that the success rate against iOS devices is 100%. See SCHOOLMONTANA, SIERRAMONTANA,
STUCCOMONTANA
VIEWPLATE
Replacement for the NIGHTWATCH system. See NIGHTWATCH, PHOTOANGLO
WAGONBED
a malicious hardware device that provides covert 2-way RF communications on the I2C channel of HP Proliant 380DL G5 servers.
WAGONBED 2 can be mated with a Motorola G20 GSM module to form CROSSBEAM. See also: CROSSBEAM, IRONCHEF,
FLUXBABBIT, GODSURGE
WATERWITCH
8/13/2019 NSA Codenames
http://slidepdf.com/reader/full/nsa-codenames 19/19
Handheld device for homing in on target handsets, used in conjunction with TYPHON or similar systems to provide more precise
location information. see also: TYPHON
WHITETAMALE
Operation against the Mexican Public Security Secretariat
WISTFULTOLL $0.00 A plugin for UNITEDRAKE and STRAITBIZARRE that extracts WMI and registry information from the victim
machine. Also available as a stand-alone executable. Can be installed either remotely, or by USB thumb drive. In the latter case,
exfiltrated data will be stored on that same thumb drive. Works on Windows 2000, XP, and 2003 See also: IRATEMONK,
STRAITBIZARRE, SEAGULLFARO, UNITEDRAKE, RETURNSPRING
YELLOWPIN
a particular device that includes a HOWLERMONKEY component see also: HOWLERMONKEY
ZESTYLEAK
a software exploit made by CES for Juniper Netscreen ns5xt, ns50, ns200, ns500, ISG 1000 firewalls See also FEEDTROUGH
--------------------------------------------------------------------------------