December 8, 2016

Wikileaks publishes classified documents from inside German NSA inquiry commission

(UPDATED: May 15, 2017)

On December 1, Wikileaks published 90 gigabytes of classified documents from the German parliamentary commission that investigates NSA spying and the cooperation between NSA and the German foreign intelligence service BND. The documents include 125 files from BND, 33 from the security service BfV and 72 from the information security agency BSI.

It should be noted though that all documents are from the lowest classification level and lots of them are just formal letters, copies of press reports and duplications within e-mail threads. Nonetheless, the files also provide interesting new details, for example about the German classification system, BND's internal structure, the way they handled the Snowden-revelations and the use of XKEYSCORE.

These topics will be updated or topics will be added when new information is found in the documents published by Wikileaks

The German parliamentary investigation commission just before a hearing
(photo: DPA)


Some background information was provided in an article from the newspaper Die Zeit, which says that only documents with the lowest classification level (VS NfD or RESTRICTED) are scanned and made available to the investigation commission on a government server. They are also available at the federal Chancellery.

Documents with a higher classification level are not digitalized and have to be read in a secure room (German: Geheimschutzstelle) in the parliament building. Most of the documents classified Top Secret can only be viewed at the Chancellery or the new Berlin headquarters of BND.

Classified documents provided to the investigation commission
(still from the ARD documentary Schattenwelt BND)

Regarding the source of this leak, IT experts of the German parliament said that they found no indications of a hack. Der Spiegel suggests that the source might be a member of the parliamentary commission for foreign affairs or for the affairs of the European Union, because one document published by Wikileaks (meanwhile removed) was only available to members of those two commissions.


On December 11, 2016, German press reported that according to a high-level security officer, there's a high plausibility that the commission documents published by Wikileaks were stolen during a large hacking attack on the German parliament's internal network late 2014/early 2015.
This attack was discovered in May 2015 and showed patterns similar to APT28 a.k.a. Operation Pawn Storm, the Sofacy Group, or Fancy Bear - a hacker collective which is probably sponsored by the Russian government. The timeframe of this hacking attack could explain why Wikileaks has no commission documents dated after January 2015.

It seems also possible that the secret documents about the joint NSA-BND operation Eikonal, which were published last year by the Austrian member of parliament Peter Pilz, came from this cyber attack on the German parliament servers.

Wikileaks hasn't redacted anything. Almost everything that is redacted is in blue, which is apparently the way BND is redacting its documents. Therefore, the files still contain all the internal organizational designators as well as the e-mail aliasses or addresses of many German government units and employees.

Internal BND e-mail from the EAD branch for the relationships with western countries &
cooperation partners, and the EADD unit for relationships with North America & Oceania
(click to enlarge)


BND classifications

Documents from BND are classified according to the official German classification system, which has four levels, corresponding to those used in many other countries:

color code: blue or black; equivalent: RESTRICTED

color code: blue or black; equivalent: CONFIDENTIAL

- GEHEIM (Geh. / Stufe I)
color code: red; equivalent: SECRET

- STRENG GEHEIM (Str. Geh. / Stufe II)
color code: red; equivalent: TOP SECRET

Besides these common classification levels, it was suspected that there would be at least one higher or more restrictive category to protect highly sensitive information. This has now been confirmed by various letters from the Wikileaks trove, which mention the following two classification markings:


color code: ?; equivalent: TOP SECRET/SCI

The use of these markings is apparently a secret itself, because also members of the parliamentary commission puzzled about their exact meaning and usage. It seems though that these categories are rather similar to the US Classification System, which was explained here earlier.

Examples of the German coversheets for classified information

The German marking ANRECHT apparently means that certain information is classified Secret or Top Secret, but that within that particular level, it's only meant for those people who have a need-to-know (German: Anrecht), apparently especially when it comes to signals intelligence. In the United States this is realized through a range of different dissemination markings.

The marking SCHUTZWORT is also meant to restrict access, but in this case, the originator of a particular document determines a codeword (German: Schutzwort) which he provides only to those people who are allowed access to that document. This is similar to the system of Sensitive Compartmented Information (SCI) used in the US, where meanwhile several formerly secret codewords have been declassified.

A security manual from the German armed forces from 1988 also mentions special classification categories, like for example SCHUTZWORT and KRYPTO, the latter apparently for classified cryptographic information.

Letter from the Chancellery which was classified STRENG GEHEIM-ANRECHT,
which was marked as cancelled (UNGÜLTIG) after the attached
documents at that classification level were removed
(click to enlarge)

Internal markings

From the commission files we also learn that BND uses te following internal markings. When disseminated outside BND, such information was meant to be classified GEHEIM.

- Meldedienstliche Verschlusssache - amtlich geheimgehalten

- Ausgewertete Verschlusssache - amtlich geheimgehalten

- Operative Verschlusssache - amtlich geheimgehalten

- FmA Auswertesache - amtlich geheimgehalten


BND organization

The files published by Wikileaks also contain a set of charts showing the organizational structure of BND between the year 2000 and 2014. There are some changes in the agency's divisions, with a reorganization in 2009, as can be seen in the following charts:

BND organization chart, situation until 2009
(click to enlarge)

BND organization chart, situation since 2009
(click to enlarge)

A more detailed BND organization chart was among the Snowden documents and was published earlier by Der Spiegel.

Internal designators

The BND's divisions, branches and units are designated by codes that consist of letters, written in capitals. In the current situation the main divisions have a two-letter designator which is more or less an abbreviation of their full name. The SIGINT division is for example TA, which stands for Technische Aufklärung.

From the e-mails published by Wikileaks we learn that lower units are designated by adding additional letters or words to the division designator. It seems that these addtional letters can be the first letter of a full name, a more or less random letter, or A for the first unit, B for the second unit, etc.

For example, "PLSA-HH-Recht-SI" is the first branch (A) of PLS, which is the BND president's staff. The term "Recht" indicates that this is apparently a unit for legal issues. A simpler designator is "GLAAY", which is a unit of the division GL (Gesamtlage)

By combining several documents related to XKEYSCORE, the following list of designators for BND's field stations could be reconstructed:
- 3D10: Schöningen or Rheinhausen (satellite interception)
- 3D20: Schöningen or Rheinhausen (satellite interception)
- 3D30: Bad Aibling (satellite interception)
- 3D40: Gablingen (HF radio interception)*
Similar designators are used for BND liaison offices:
- 2D01: London (with contacts to 7 British partner agencies, denoted as GBR01, GBR02, GBRMD, GBRND, GBRSD, GBRPS, and GBRTF)
- 2D02: Paris
- 2D03: Brussels/NATO
- 2D30: Washington
- 2D33: Canberra

Some divisions

The organization charts for BND's structure since 2009 shows that there are four divisions for analysis and production, which is where analysts prepare intelligence reports:
- Two divisions are for topical missions: TE for international terrorism and organized crime, and TW for proliferation of weapon systems and ABC weapons.
- The other two divisions, LA and LB, are responsible for a geographical area. From their logos in the signature block in internal e-mails we learn that LB is responsible for Africa, the Middle East and Afghanistan, while LA has the rest of the world:

Secure communications

A letter from BND from July 2013 says that BND's wide-area networks (WANs) which are classified Secret (Geheim) are secured by SINA encryption devices certified by the BSI. Communications between foreign and domestic BND facilities are transmitted through MPLS (Multiprotocol Label Switching) networks.

The letter also says that BND-unit SICD for eavesdropping techniques domestically checks only whether BND facilites may have been bugged, but found nothing over the past several years. Outside Germany, the embassies and consulates of the German foreign ministry were checked in regular turns.



According to Wikileaks, one of the more interesting documents from their release is one that allegedly proofs that "a BND employee will be tasked to use and write software for XKeyscore." However, the German tech website Golem says that this seems to be based on a text section that only refers to BND employee A.S. who helped install XKEYSCORE at the Berlin headquarters of the domestic security service BfV, which uses this system only for analysing terrorism-related data sets.

More interesting are several other documents about XKEYSCORE. For example In a list of answers prepared for the meeting of the parliamentary oversight commission on November 6, 2013 it is said that XKEYSCORE is used since 2007 in Bad Aibling and that this system is being tested since February 2013 at the satellite intercept stations Schöningen and Rheinhausen. It was planned to use XKEYSCORE on a regular basis at the latter two locations too.

According to another document, BND uses XKEYSCORE for the following purposes:
- Check whether satellite links with internet traffic (only foreign-to-foreign and especially crisis regions, so no links to or from Germany or cables inside Germany) could contain data relevant for BND's mission
- Search for new relevant targets
- Make communications traffic from already known and selected targets readable to transfer them to analysts for preparing reports
XKEYSCORE processes data streams in real time, but for analysis purposes it can also buffer both metadata and content for a certain time, which depends on the available storage space of the buffer. Because XKEYSCORE is used for regular processing purposes, BND deemed it not necessary to inform the federal chancellery or the parliamentary oversight commission (PKGr) about this system specifically.

An internal BND e-mail from November 5, 2013, explains that at Schöningen and Rheinhausen, XKEYSCORE is used for intercepting foreign satellite communications. The specific purpose for the system is determining which satellite links are most useful and subsequently checking whether the traffic contains the communications of people the BND is looking for (so-called survey):

Internal BND e-mail about the use of XKEYSCORE at BND's satellite stations
(source: Wikileaks, pdf-page 248 - click to enlarge)

This is a rather unexpected use of XKEYSCORE, because for NSA and GCHQ the strength of the system lies in its capability to reassemble internet packets, filter them and allow analysts to search buffered content. It is still not fully clear whether BND uses XKEYSCORE also in this way.

In November 2014, W.K. from BND's SIGINT division testified that XKEYSCORE was used for decoding and demodulating IP traffic. Decoding for making things readable happens both online and on stored data, while (demodulating for) selecting the proper satellite links only happens on online data streams.

At Schöningen and Rheinhausen XKEYSCORE was only used for the latter purposes, in the pre-analysis stage. This also came forward from some testimonies before the investigation commission. For example E.B., head of the Schöningen station, said that XKEYSCORE was only used for looking at a few days of satellite traffic to determine which communication links where in it.

An earlier presentation about satellite interception at Menwith Hill Station in the UK shows that NSA and GCHQ have other systems, like DARKQUEST, for surveying satellite links, after which XKEYSCORE is used for processing and analysing the data.

Another file that was sent to the parliamentary commission contains two diagrams about how BND uses the XKEYSCORE system:

In the first diagram we see that what comes in through the satellite antenna first goes to an actual collection system (Erfassungssystem) which has some kind of database attached that says which satellite links have to be selected (Streckenauswahl). The result then goes to XKEYSCORE, which is fed by a database with rules (Regeln), which apparently determine which data to select and forward for further analysis (Weiterverarbeitung):

Another diagram shows the difference between XKEYSCORE and traditional collection processing systems: in the traditional set-up, it seems that first, IP packets from a data stream were reassembled (sessionized) and then went through a filter to select only those of interest (the green one), which were forwarded for further analysis. XKEYSCORE could do all that at once:

IBM servers

The Wikileaks files also contain an internal BND order form from February 25, 2014, used for ordering six servers for field station 3D20: two IBM X3650 M4 and four IBM X3550 M4 servers, with a total cost of 58.000,- euros. A separate text explains that these servers were needed for both PDBD and XKEYSCORE:

- PDBD was the new centralized BND tasking database, which would replace the proprietary tasking databases used at the various field stations.

- XKEYSCORE is described as a system that decodes packet-switched telecommunicatiosn traffic like e-mail, messenger, chat, geolocation information, etc. and is used for analysing telecommuncations traffic. At BND the system was needed because it became increasingly difficult to extract relevant information from the ever growing amount of data. The servers were needed to move XKEYSCORE from test to operational status.

Internal BND order form for several IBM servers to be used for XKEYSCORE and PBDB
(source: Wikileaks, pdf-page 72 - click to enlarge)



A large file from the commission documents is about the reaction on the revelation of PRISM. In August 2013, members of the Bundestag asked so many questions about this NSA program, that one BND employee complained that it was unreasonable to expect that his agency could provide all the answers.

At that time, many details about PRISM weren't clear yet and statements from the US government and from internet companies seemed to contradict eachother. Among the documents that BND forwarded to the parliamentary commission was also one report from July 2013, which summarizes what was known about PRISM at that time.

This report was made by civil servants from unit ÖS I 3 of the Public Safety division of the German Interior Ministry (BMI). After summarizing what was known from the press reports, the report also describes a second tool that is named PRISM - based upon an earlier article on this weblog:

Summary of a second PRISM program as described on this weblog
(source: Wikileaks, pdf-page 104 - click to enlarge)

Shortly after the existance of PRISM was revealed early June 2013, much was unclear, so I did some open source research and found that the US military uses a program named PRISM, which in this case is an acronym for "Planning tool for Resource Integration, Synchronization and Management".

Shortly afterwards, in July 2013, German press published an NSA letter saying that there are actually three different programs with the name PRISM: one that collects data from the big internet companies, one that is used as a military tasking and planning tool, and finally one that is used for internal data sharing in NSA's Information Assurance Directorate (IAD).



On July 29, 2013, the German magazine Der Spiegel published a chart from the NSA tool BOUNDLESSINFORMANT. The chart was related to Germany and it was thought that it showed that NSA had intercepted over 550 million pieces of communications traffic.

But within just a few days, BND contacted Der Spiegel, saying that they collected those data, and shared them with NSA. The SIGADs US-987LA and US-987LB designated collection at the BND satellite station in Bad Aibling and interception of phone calls in Afghanistan, respectively. This was confirmed by NSA and published by Der Spiegel on August 5, 2013.

A document published by Wikileaks explains that in Afghanistan, BND had a satellite interception facility (for downlinks to complement the uplinks intercepted at Bad Aibling) and also intercepted point-to-point microwave links (generally used for (mobile) telephony backbones).

BOUNDLESSINFORMANT screenshot showing metadata related to Germany
as being published by Der Spiegel on July 29, 2013
(click to enlarge)

An e-mail published by Wikileaks shows that meanwhile, M.J. from unit 3D3D of the Bad Aibling station was comparing the numbers from the BOUNDLESSINFORMANT chart with those from his logfiles and Nagios Checks. In the e-mail, from August 12, 2013 to his boss R.U., he concluded that at the beginning of the month there was a relatively clear similarity with the chart from Der Spiegel:

The chart that seems to be prepared by BND employee M.J. to compare
with the one from BOUNDLESSINFORMANT (note the different scale)
(click to enlarge)

It should be noted that BND didn't count the numbers of metadata they provided to NSA, they did so only for content, so the numbers from M.J.'s chart may not be fully accurate. Even more puzzling is a table that was also with the e-mail from M.J. and contains the daily numbers for the metadata during this period:

The chart that seems to be prepared by BND employee M.J. to compare
with the one from BOUNDLESSINFORMANT (note the different scale)
(click to enlarge)

The strange thing here is that on the right side, the table has daily numbers broken down for several processing systems - strange because the chart from Der Spiegel only provided aggregated numbers, and because three codenames weren't seen in the published BOUNDLESSINFORMANT charts: POPTOP, CRON and SNOWHAZE. Did NSA provide these more detailed numbers so BND could compare them?

In a letter from August 13, 2013, BND president Schindler asks NSA director Alexander to confirm that the metadata collected through 987LA and US-987LB came solely from BND. This would help to make the public debate more rational.

During a hearing of the German parliamentary investigation commission on January 19, 2017, former BND president Schindler said that the BOUNDLESSINFORMANT charts that Snowden took, were from training course material. This was said here for the first time and given the problems these charts caused for BND, it's possible that they asked NSA for more details after which this explanation came up.


Cooperation in Afghanistan

In answers to questions from parliament, BND wrote that in Afghanistan, NSA operates a collection network, in which 14 countries participate (the Afghanistan SIGINT Coalition, or AFSC). Partner agencies enter the data they collect into a database (similar or identical to SIGDASYS) managed by NSA and they can request from the database those data that are relevant for their mission task.

Between 2011 and 2013, BND requested and received 216.423 data sets from this syetem. For the Afghanistan "burden sharing", BND was working on some 5000 targets, which resulted in ca. 1 million data sets each day. These were shared with the AFSC group and therefore also with NSA and GCHQ. Most of this is about localisation.

Furthermore, NSA provided BND with several thousand selectors of targets to collect the related data from satellite links from or to Afghanistan and other crisis regions. BND does this through its satellite intercept station in Bad Aibling, which results in ca. 3 million data sets each month. After passing the G-10 filter (to block communications related to Germans), these data are provided to NSA.


Intelligence sharing

In 2012, BND's SIGINT division TA shared 580 intelligence reports (Meldungen) with US agencies, 184 with British services and 553 with multinational groups. A total of 879 reports contained personal data from intercepted communications. In the first half of 2013 there were 200 reports shared with the US, 55 with the UK and 220 with multinational groups. A total of 408 contained personal data.

In return, BND received 7976 reports and information packages about terrorism and the proliferation of weapons of mass destruction in 2012. This total number is made up of ca. 750 reports from NSA, 4538 from CIA, 519 from DIA and 2169 from the US Central Command (CENTCOM).


Cyber security

Some insights about the cooperation between BND and NSA on the field of cyber defense can be read in a report about the visit of NSA director Keith Alexander to Berlin, on June 6 and 7, 2013 (which were the second and third days of the Snowden revelations!).

When it came to cyber issues, Alexander compared the internet to a "fibre ring" operated by internet service providers (ISPs), with "pipes" leading to the networks of industry, finance and government. Any malware, whether for destroying things or stealing data, should be stopped in the "fibre ring" before it reaches the "pipes" - "you need to see it first".

A German government official said that Germany has good cyber specialists, but they work only in a defensive way. When it comes to offensive cyber attacks, Germany is inactive. Also, contacts to industry should be revived. The general opinion was that German industry should protect itself, but small and medium businesses are very naiv and without obligations, companies will not spend money for cyber defense.

The report says that for cyber issues, a small group of "trusted states" could be created, because international regulations like the Budapest Convention seem hardly effective. According to general Alexander, the US is building partnerships, but sharing information depends on trust, which is not always given.

General Alexander also told BND that NSA had 27 teams of 56 persons each, which support the US Combatant Commands and that additional 6000 new cyber specialists will follow. NSA also supports the US Cyber Command with a detachment of 407 cyber experts. According to Alexander, NSA identified about 50 Chinese "intrusion sets" and gained access to Chinese networks to find out who the victims were of these massive and global cyber attacks.

In an answer to questions by member of parliament Oppermann from July 23, 2013, BND says that they support domestic security service BfV and information security agency BSI in recognizing foreign cyber attacks, which is called "SIGINT Support to Cyber Defence" (SSCD). Only BND is able to build technical systems to detect cyber attacks in(!) foreign countries.

The answer also says that "within the SSCD-working group of a international SIGINT coalition, BND exchanges information about the international detection of cyber attacks" - this international SIGINT coalition is most likely the SIGINT Seniors Europe (SSEUR or 14-Eyes) group. And apparently it's this working group that that BND director Schindler referred to when he talked about international cybersecurity cooperation in May 2014.



Finally, a list of some of the most interesting files found so far (would have been useful when Wikileaks provided this kind of index though):

- MAT_A_BND-1-3a_2 (employees of US military and intelligence contractors in Germany)

- MAT_A_BND-1-5 (NSA's bulk metadata collection, PRISM and XKEYSCORE)


- MAT_A_BND-1-11c (pdf-page 315: options how NSA could have intercepted Merkel's cell phone)

- MAT_A_BND-1-11j (pdf-page 145 ff.: cyber security cooperation between NSA and BND; page 155: short history of Bad Aibling Station; page 280: NSA letter about 3 different PRISMs)

- MAT_A_BND-1-11k (letter of BND president Schindler to NSA director Alexander)

- MAT_A_BND-1-13a (pdf-page 61 and 88: initially, BND assumed that PRISM was about collecting metadata; page 99: since 2012, NSA sent BND ca. 450 reports about terrorist threats)

- MAT_A_BND-1-13b (pdf-page 84 and 85: XKEYSCORE diagrams; page 227: targeted interception requires a "sessionizer" similar to XKS; page 277: SSCD working group of the SSEUR)

- MAT_A_BND-1-13c (pdf-page 127: data sharing in Afghanistan)

- MAT_A_BND-1-13h (pdf-page 108 ff.: report about the VERAS metadata system)

- MAT_A_BND-1-2a (pdf-page 19 ff.: Various presentations from the Black Hat 2013 conference)

- MAT_A_BND-3a (very extensive index of topics used by BND)

- MAT_A_BND-3-1a (BND organization charts from 2000-2014)

- MAT_A_BND-8a (contacts with GCHQ, cooperation between BND and NSA, reports about the refugee interview unit, internal G10 manual)

More to follow...

1 comment:

Leak Launch said...

German BND-NSA Inquiry Exhibits Downloads

In Dutch: Meer over het wetsvoorstel voor de Tijdelijke wet cyberoperaties