June 23, 2020

NSA documents and cover names from the book Dark Mirror

On May 20, yet another book about the Snowden-revelations was published: Dark Mirror, Edward Snowden and the American Surveillance State. It's written by Barton Gellman, who was in direct contact with Snowden and reported on the NSA's spying activities for The Washington Post.

Here, you'll find the original documents from Dark Mirror, to complement the existing collections of Snowden documents, as well as a listing of all the NSA cover names, because most of them are not included in the index of the book. A review of Dark Mirror will follow in due course.

(Similarily, the NSA documents and codenames from Glenn Greenwald's book No Place to Hide from 2014 can be found on the website IC Off The Record)


The book contains five (parts of) documents that haven't been published before, as well as six slides from NSA presentations which were released as part of earlier press reports. There are also three photos of Edward Snowden in Dark Mirror which are not reproduced here.

(Collections of all the documents from the Snowden revelations can be found at the website IC Off the Record and in the Snowden Surveillance Archive)

Presentation about the PRISM program:

Front slide of the NSA's PRISM presentation from April 2013.
Published earlier by The Washington Post on June 6, 2013.
(Dark Mirror, p. 109 - click to enlarge)

Part of slide 40 from the NSA's PRISM presentation from April 2013.
Published earlier by The Washington Post on June 29, 2013,
but without the two-row table with the Section 702 FAA certifications.
(Dark Mirror, p. 113 - click to enlarge)

> See for all the PRISM slides that have been released: What is known about NSA's PRISM program

Presentation from the Large Access Exploitation Group:

Detail from a slide from an NSA presentation titled "Is it the End of the
SIGINT World as We Have Come to Know It?" prepared by a member of
the Large-Access Exploitation Group and dated May 10, 2012.
(Dark Mirror, p. 169 - click to enlarge)

Detail from a slide from a briefing titled "Is it the End of the SIGINT
World as We Have Come to Know It?" prepared by a member of the
Large-Access Exploitation Group and dated May 10, 2012.
(Dark Mirror, p. 174 - click to enlarge)

Probably from the same presentation are two slides that were published by The Washington Post on December 4, 2013 and one partial slide published with Greenwald's book No Place to Hide in May 2014.

> More about the MAINWAY system: Section 215 bulk telephone records and the MAINWAY database

Presentations about SSO Collection Optimization:

Meme from the NSA presentation "SSO Collection Optimization"
from January 7, 2013, referring to collection systems that
scooped up more data than they could process
(Dark Mirror, p. 192 - click to enlarge)

Slide from the NSA presentation "SSO Collection Optimization" from 2013
about intercepting Google's cloud, better known as the MUSCULAR program.
Published earlier by The Washington Post on October 30, 2013.
(Dark Mirror, p. 284 - click to enlarge)

Also from presentations about SSO Collection Optimization are:
- seven slides published by The Washington Post on October 14, 2013,
- six slides published by The Washington Post on November 4, 2013.

Slides from other NSA presentations:

Detail from a slide from the NSA presentation from
"FAIRVIEW Data Flow Diagrams" from April 2012.
The full presentation was published by
The Intercept in November 2016.
(Dark Mirror, p. 171 - click to enlarge)

> More about the FAIRVIEW program: FAIRVIEW: Collecting foreign intelligence inside the US

Slide from the NSA presentation "NSA/CSS Mission: PROVIDE AND
Published earlier by The Washington Post on December 23, 2013.
(Dark Mirror, p. 184 - click to enlarge)

Explanation of "traffic shaping" to redirect a target's communications
traffic in such a way that it passes an NSA access point.
Published earlier by The Intercept.
(Dark Mirror, p. 201 - click to enlarge)

Miscellaneous documents:

Example of an e-mail exchange between senior White House, Justice
Department and DNI officials, released upon a FOIA request about
the FIRSTFRUITS media leaks program
(Dark Mirror, p. 226 - click to enlarge)

Confirmation of the flight reservations for Edward Snowden
and Sarah Harrison, June 24, 2013.
(Dark Mirror, p. 307 - click to enlarge)

Cover names

Dark Mirror contains 28 cover names that haven't been published before. However, not all of them are explained in the book, some are just mentioned to reflect the NSA's internal culture and the way these code names are composed.

There are also 63 cover names which were already known from press reports and/or documents from the Snowden trove. This means that for many of them there's additional information available - click the asterisk for sources.

(All these cover names are also included in the extensive listings of NSA Nicknames and Codewords and NSA's TAO Division Codewords on this weblog)

Newly revealed cover names:

BADASS - (unexplained compartment) (p. 206)
BADGIRL - ? (p. 204)
BATCAVE - Digital hideout for NSA hackers who emerge to steal another country's software code (p. 209)
BLACKAXE - Exceptionally Controlled Information (ECI) compartment (p. 70)
BLADERUNNER - ? (p. 209)
CAPTAINCRUNCH - FBI owned and monitored network servers to attract foreign hackers (p. 86)
COOKIEDOUGH - ? (p. 210)
CROWNROYAL - ? (p. 209)
DEPUTYDAWG - ? (p. 209)
DEVILFISH - ECI compartment (p. 70)
DEVILHOUND - ? (p. 207)
EPICFAIL - ? (p. 207)
EXPLETIVEDELETED - Cover name for al-Qaeda's favorite encryption software (p. 212)
EXUBERANTCORPSE - Cover name for al-Qaeda's favorite encryption software (p. 212)
FLYLEAF - ECI compartment (p. 70)
Graph-in-Memory - Database holding maps of contacts in support of contact-chaining (p. 174, 177, 180)
HYSSOP - ECI compartment (p. 70)
KESSELRUN - ECI compartment (p. 70)
KOBAYASHIMARU - NSA contract with General Dynamics to help break into another country's surveillance equipment (p. 210)
LIGHTNINGTHIEF - ECI compartment (p. 70)
MISS MONEYPENNY - Support unit providing cover identities for undercover CNE operations abroad (p. 202)
PANT_SPARTY - Injection of an NSA software tool into a backdoor in the target's defenses (p. 204)
POISONIVY - Remote-access trojan used by Chinese government spies (p. 209)
QUIDDITCH - Exploit used by the Special Collection Service (SCS) (p. 209)
STRAWHORSE - Modification to Apple's software installer Xcode to insert a remote-controlled backdoor into each app it compiled (p. 188, 216-220)
VIXEN - ? (p. 204)
ZOMBIEARMY - ? (p. 207)

Cover names published earlier:

ALTEREDCARBON - An IRATEMONK implant for Seagate drives * (p. 209)
AMBULANT (AMB) - ECI compartment related to the BULLRUN program (p. 70)
BLACKBELT - Access point under the FAIRVIEW program * (p. 207)
BLARNEY - Collection of foreign phone and internet communications within the US under FISA authority (since 1978) * (p. 199)
BLINDDATE - Searching for vulnerable machines on a local Wi-Fi network * * * (p. 203, 206)
BORGERKING - Something related to Linux exploits (p. 210)
BOUNDLESSINFORMANT - NSA's collection visualization tool based on internet and telephone metadata (p. 10, 206)
BYZANTINE HADES (BH) - Chinese computer network exploitation (CNE) against the US * probably renamed to the LEGION-series * (p. 68, 85, 206)
CAPTIVATEDAUDIENCE - Software tool that listens in on conversation by switching on the microphone of a target's mobile handset (p. 208)
CO-TRAVELER - Set of tools for finding unknown associates of intelligence targets by tracking movements based upon cell phone locations * (p. 318)
CRUMPET - Covert network with printer, server and desktop nodes, or ECI compartment (p. 70)
EGOTISTICALGIRAFFE (EGGI) - TOR Browser Bundle (TBB) exploit (p. 80)
EPICSHELTER - Data backup system to recover information from particular NSA sites, designed by Edward Snowden * (p. 59-61, 63, 75)
ERRONEOUSINGENUITY (ERIN) - Tool for exploiting the TOR network (p. 207)
FAIRVIEW - Domestic cable tapping program in cooperation with AT&T (since 1985) * (p. 311)
FALLOUT - Internet metadata ingest processor/database (p. 169/image)
FASCIA - Telephony metadata ingest processor/database * (p. 169)
FASCIA II - Telephony metadata ingest processor and primary source of telephone metadata for target development. It formerly contained internet metadata which are now in MARINA.* (p. 172)
FELONYCROWBAR - System used to configure the UNITEDRAKE framework (p. 207)
FIRSTFRUITS - Counterintelligence database to track unauthorized disclosures to the press, set up in 2001 * * (p. 225, 271-274, 277)
GROK - Key logger that records every character a target types (p. 209)
HAPPYHOUR - Getting access to vulnerable machines on a local Wi-Fi network (p. 203)
Heartbeat - Apparently a data handler system, designed by Edward Snowden * and/or successor of EPICSHELTER, or an index of surveillance systems * (p. 36, 74-78)
IRONAVENGER - NSA hacking operation against an ally and an adversary (2010) * (p. 209)
KRISPYKREME - Implant module related to the UNITEDRAKE framework, as revealed by the Shadow Brokers * (p. 210)
LADYLOVE - The NSA satellite intercept station at Misawa in Japan (since 1982) (p. 204)
LIFESAVER - Technique which images the hard drive of computers * (p. 210)
MAILORDER - FTP-based file transport system used to move data between various collection, processing and selection management systems. Originally developed in 1990, ultimately to be replaced by JDTS * (p. 171)
MAINWAY (MW) - NSA's main contact chaining system for foreign and domestic telephone and internet metadata from multiple sources; performs data quality, preparation and sorting functions, summarizes contacts and stores the resulting one-hop contact chains * (p. 168-176, 178-180)
MAKERSMARK - Major cyber threat category countered by the TUTELAGE system * identified in 2007 * (p. 209)
MARINA - NSA database for internet metadata; maybe succeeded by CLOUDRUNNER in 2013 * (p. 169/image)
MJOLNIR - Tool to break the anonymity of the Tor network * (p. 209)
MUSCULAR - Joint NSA-GCHQ operation to tap the cables linking Google and Yahoo data clouds to the internet * (p. 284, 299-300, 311, 315)
NIGHTSTAND - Delivering malware to a vulnerable machines on a local Wi-Fi network (p. 203, 206)
NIGHTTRAIN - Part of a program to spy on a close US ally during operations alongside the ally against a common foe * (p. 209)
OAKSTAR - Umbrella program for 9 accesses at 7 corporate partners (since 2004)* * (p. 311)
ODDJOB – HTTP command and control implant for installation on compromised Windows hosts, published by the Shadow Brokers (p. 201)
PINWALE - Primary storage, search, and retrieval system for SIGINT text intercepts. Target data is filtered through a Packet Raptor at the collection site and is subsequently processed by a WEALTHYCLUSTER 2, followed by an XKEYSCORE for selection at NSA headquarters.* (p. 176)
PITIEDFOOL - Suite of computer network attack (CNA) tools to attack the Windows operating system, overwrites data to the point it is irrecoverable (p. 206)
POLITERAIN - Offensive computer network attack (CNA) team from the Access Technologies & Operations (ATO) unit of the NSA's hacking division TAO * (p. 220)
PRISM - Collection of internet data from specific foreign targets at major US internet companies (since 2007) (p. 84, 99, 106-113, 117-121, 123-133, 137, 139-148, 226, 285, 300)
QUANTUM - Secret servers placed by NSA at key places on the internet backbone; part of the TURMOIL program * (p. 199)
RAGTIME (RGT) - ECI compartment for call and e-mail content collected under FISA authority * Encompasses both NSA and FBI FISA data since 2002 * (p. 122)
SCISSORS - Data scanning, formatting and distribution system * or processing system that slices up data for sorting (p. 206)
SECONDDATE - Method to influence real-time communications between client and server in order to redirect web-browsers to FOXACID malware servers (p. 203)
SEEDSPHERE - Chinese "intrusion set" against US computer networks, identified in 2007 * (p. 68)
SORTINGHAT - RT10 application * or Traffic control system for information exchanged with GCHQ (p. 209)
STARBURST - Temporary cover term for what would become the STELLARWIND compartment (October 2001) (p. 70, 170)
STELLARWIND (STLW) - Cover term for the President's Surveillance Program (PSP), which encompassed bulk collection of domestic metadata and targeted interception at backbone facilities inside the US in order to track down foreign terrorists and their previously unknown conspirators (2001-2007) (p. 26, 70, 71, 169-170, 175)
TRANSGRESSION - TAO/CES unit providing cryptanalytic support for various missions * (p. 206)
TURMOIL (TML) - Passive SIGINT sensors: filtering and selection (at the packet level) of internet traffic on high-speed satellite, microwave and cable links, part of the TURBULENCE program * * * (p. 299)
TURTLEPOWER - System to process VoIP communications data * and/or automated decryption of enciphered data (p. 209)
UNPACMAN - Processing system on TAONet, part of DEEPFRIEDPIG * (p. 210)
Upstream - Targeted collection of telephone and internet communications of foreign targets at backbone cables and switches inside the US (p. 84)
VOYEUR - Compartment shared with GCHQ for spying on another country's spies as they spy on someone else (4th party collection) * (p. 206)
VULCANDEATHGRIP - Repository for data collected from vPCS shaping under the STEELFLAUTA program * or tool that seizes encryption keys during the handshake of two devices as they establish a secure link (p. 210)
WALKERBLACK - Related to the MAKERSMARK intrusion set * (p. 209)
WESTERNSTAR - Contact-chaining program * (p. 174/image)
WHARPDRIVE - Joint venture between the German BND and another country with access for NSA (2013)* * (p. 210)
WHIPGENIE (WPG) - ECI compartment for details about the STELLARWIND program * (p. 70, 122)
XKEYSCORE (XKS) - Computer system that combines high-speed filtering of data traffic from different sources with techniques for discovering targets who use the internet anonymously * (p. 86-87, 330-331)


Cover names from Edward Snowden's book Permanent Record:

EPICSHELTER - (p. 168-169, 189, 220)
FOXACID - (p. 168)
Heartbeat - (p. 221-222, 256-257)
OPTICNERVE - (p. 256)
PRISM - (p. 223-224, 291)
QUANTUM - (p. 225)
STELLARWIND - (p. 175, 177, 245, 250)
TRAILBLAZER - (p. 250-251)
TURBINE - (p. 225)
TURBULENCE - (p. 225)
TURMOIL - (p. 225)
Upstream - (p. 224)
XKEYSCORE - (p. 276-279, 281, 325)
ZBSMACKTALK/1 - (Fictitious CIA cryptonym) (p. 133-134)

1 comment:

Anonymous said...

hobbit was here 2021

In Dutch: Meer over het wetsvoorstel voor de Tijdelijke wet cyberoperaties