Development: Derived From: NSA/CSSM 1-52 Dated: 20070108 Declassify On: 20360401

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

Development

Derived From: NSA/CSSM 1-52
Dated: 20070108
Declassify On: 20360401


This Briefing is Classified TOP SECRET//COMINT//ORCON//NOFORN

Tailored Access Operations

DERIVED FROM: NSA/CSS Manual 1-52, Dated: 20070108, Declassify On: 20320108

IOEC1000
SECRET//COMINT//REL TO USA, FVEY

TAO Mission
•  Sustain a deep, persistent, and pervasive presence on critical target networks
•  Rapidly penetrate and track the communications of high-value individuals
•  Continually execute CNE; support CNA and CND
–  CNE: Exploit networks for foreign intelligence
–  CNA: Provide access and capabilities to support authorized network attacks
–  CND: Hunt foreign cyber actors on foreign networks
•  Deconflict DoD CNO with IC/Foreign partners
•  Build the techniques, tools and infrastructure required
•  Subvert endpoint devices
–  Servers, workstations, firewalls, routers, handsets, phone switches, SCADA systems, etc.
•  Covertly communicate with implants in target networks
•  Automate CNE operations and maintenance of a large number of accesses
Aggressively Scale CNO Capabilities and Operations


TOP SECRET//COMINT//REL TO USA, FVEY

TAO Organization

TAO
•  Requirements & Targeting Center
–  Manage ops requirements
–  Perform target development
•  Remote Operations Center
–  Conduct On-net ops (exploit, collect, geo-locate)
•  Data Network Technologies
–  Develop operational concepts and software implants to exploit computer networks
•  Telecommunications Network Technologies
–  Develop operational concepts and software implants to exploit phone switches
–  Develop network warfare capabilities
–  Network shaping
•  Access Technologies & Operations
–  Conduct physical access (off-net) operations
–  Conduct expeditionary CNO
–  Develop hardware and firmware implants to access isolated or complex networks
•  Mission Infrastructure Technologies
–  Design, development and delivery of the end-to-end infrastructure that supports GENIE operations


Access Technology & Operations

•  Conducts global off-net operations with HUMINT partners to develop and deploy technology that enables on-net operations targeting high priority target networks and individuals.
•  Works closely with development organizations to create technical and operational solutions using specialized TAO hardware and software tools that are tailored to each mission and opportunity.
•  Brings unique talents to gaining access to intelligence when conventional collection methods prove ineffective.
•  The diverse skill sets that ATO personnel bring to the mission leverage the support of our HUMINT partners, unique access, and sophisticated tools and techniques that provide physical access to networks and communications.
Access & Target Development

•  (S//SI) Develop deep understanding of target communication techniques and practices of target entities with goal of identifying vulnerabilities that can be exploited via physical access.
•  Define and develop physical access strategies, aligned to national requirements and TAO priorities, with emphasis on hard targets and isolated networks.
•  Build and maintain significant relationships within the HUMINT community necessary for achieving access.
•  Drive resulting operations to achieve end-to-end SIGINT successes.
Access Technology & Operations

Field Operations
(TS//SI//REL) The Field Operations Division is responsible for developing and deploying customized SIGINT collection and data exfiltration solutions that enable remote network operations by gaining access to isolated target networks. The Division is also responsible for maintaining access to selected targets, exploring methods of enhancing the value from existing access, efficiently managing sustained operations, and working closely with the FBI and other HUMINT partners to plan and conduct operations.

Expeditionary Access Operations (EAO)
(TS//SI//REL TO USA FVEY) S3283 is the expeditionary arm of TAO which conducts worldwide Human-Enabled Close Access Cyber Operations to satisfy National and Tactical SIGINT access requirements.

Access and Target Development
(S//SI) Develop deep understanding of target communication techniques and practices of target entities with goal of identifying vulnerabilities that can be exploited via physical access. Define and develop physical access strategies, aligned to national requirements and TAO priorities, with emphasis on hard targets and isolated networks. Build and maintain significant relationships within the HUMINT community necessary for achieving access. Drive resulting operations to achieve end-to-end SIGINT successes.

Persistence Division
(U//FOUO) The Persistence Division (S3285) conceives, develops, tests, and integrates sophisticated firmware and software-based capabilities and techniques to directly support three of Tailored Access Operations’ (TAO’s) mission technology focus areas: Persistence - IT/GEO - Computer Network Attack. (TS//SI//REL FVEY) These firmware and software techniques are remotely deployable to target devices via a network connection or by physical interdiction. Regardless of the deployment methodology, these highly developed accesses operate covertly without any indication of their presence and provide TAO with unique and advanced capabilities that directly support NSA and its other Intelligence Community partners with some of their most significant successes.

Telecom Network Technologies

•  Providing logically intrusive methods of manipulating or extracting data from telecommunications networks.


TOP SECRET // COMINT // X1

TNT Mission:
“Define, design, develop, & test, logically intrusive methods of manipulating
& extracting data from telecommunication networks, public infrastructures,
and public broadcasting networks – and supporting enabling efforts, remote
operations, initial deployments, and information operations.”

[Figure: TNT target environment diagram. Labelled elements: Fixed Satellite Systems, PSTN, Satcom Gateways, GSM (MSC, BSC, BTS, Abis), Global Information Network, Packet Data & Voice, GPS, Tactical Comms Links, Pagers, Servers, Cellular Telephones, Internet / Intranets, Switches / Routers, PBX, Modems, FAX]

Targeted Technologies:

•  Telephony:
–  VOIP - Voice Over Internet Protocol
–  ISDN – Integrated Services Digital Network
–  GSM - Global Systems for Mobile Communications
–  GPRS – General Packet Radio Service
–  3G – 3rd Generation Mobile Telephony
–  SMS – Short Messaging Service
–  MMS – Multimedia Messaging Service
–  SDH – Synchronous Digital Hierarchy

•  Facilities & Infrastructure:
–  Data communications standards (ITU & IEEE)

•  Broadcast:
–  ITU standards for digital video communications


CBND Overview
•  Control Platforms Branch
–  Large Scale SCADA Energy Management Systems (EMSs)
–  Vendors
•  Siemens
•  Areva
•  ABB
•  Control Devices Branch
–  Substation SCADA Technologies
–  Technologies
•  Programmable Logic Controllers (PLCs)
•  Intelligent Relays
•  Video Technologies Branch
–  Video Teleconferencing Systems (VTCs)
–  Personal Video Technologies
•  Webcams
•  Internet Chat (Skype, etc)
Project Descriptions
•  OPERATIONAL
–  GSM implants deployed in several target
networks
–  Geolocation tools used with great success
–  Metadata and other voice collection tools
•  DEVELOPMENT
–  GPRS and UMTS
•  STRATEGIC EFFORTS
–  IP exfiltration
–  Enabling passive SIGINT collection
VND Overview
•  Enterprise Telephony
–  Private Branch Exchanges (PBXs)
–  VoiceMail Systems
–  Network Management Systems
–  Technologies
•  SIP, H.323, SCCP
•  Linux & Windows development platforms
•  C, Assembly, Perl/Python
•  Ghidra, IDA Pro, JTAG for reverse engineering
•  Transport Services
–  SDH, SONET Multiplexers
–  ATM Routers
–  Technologies
•  SDH, SONET, ATM
•  Linux & Windows development platforms
•  C, Assembly, Java
•  Ghidra, IDA Pro, JTAG for reverse engineering

Data Network Technologies

•  Providing the software-based capabilities needed to surreptitiously exploit computer networks and the technology needed to covertly pass endpoint access commands and data across public networks to support endpoint operations.


Data Network Technologies

Access Division, S3231
(TS//SI) The Chief, Access Division is responsible to the Chief, Data Network Technologies Office to develop access to targets of interest to NSA. The Access Division focuses on developing remote access techniques and tools, ensuring continued remote access through the deployment of tools via remote or human assets, and assisting with remote access operations under the authority of the Remote Operations Center. The Access Division will act as the front door for DNT-wide efforts. The techniques developed should be scalable, automatable, and robust.

Network Technology Division, S3235
(S//SI//REL) The Chief, Network Technology Division is responsible to the Chief, Data Network Technologies Office for the development of tools and techniques to exploit components on global and private networks supporting endpoint operations.

Computer Technology Division, S3234
(TS//SI) The Chief, Computer Technology Division is responsible to the Chief, Data Networks Technologies Office for collection against target networks. The Computer Technology Division focuses on the development of software implants, automation, and control tools to support endpoint operations.

Cyber Networks Technology Division, S3232
(TS//SI) The Chief, Cyber Networks Technology Division (CNTD) is responsible to the Chief, Data Network Technologies Office to develop and deploy logically intrusive, software-based, end-point access techniques to enable Computer Network Operations (CNO) across multiple target operating systems and platforms. CNTD's purpose is to collect or enable collection of data for Foreign Intelligence and Operational Information and to include support to Information Operations.
TOP SECRET//COMINT//NOFORN

Data Network Technologies


Cyber Network Technologies Division (CNTD)
•  Mission:
–  (TS//SI//NF) Develop and deploy logically intrusive, software-based, end-point access
techniques to enable Computer Network Operations (CNO).
•  Purpose:
–  (TS//SI//NF) Collect or enable collection of data for Foreign Intelligence and Operational
Information, to include support to Information Operations.
•  The Bottom Line
–  (TS//SI//NF) “Provide the War-fighter with a world class capability for computer network
attacks and counter-computer network exploitations”.
–  (TS//SI//NF) Develop mission applications that Deny, Destroy, Degrade, Disrupt, Manipulate,
Mislead, and Collect against enemy targets.
–  (TS//SI//NF) Design and develop techniques that enable stealthy sustained operation of our
mission applications on target.
–  (TS//SI//NF) Accomplish the above points across many target operating systems and
platforms.

CNTD Overview
Acquisitions and Evaluations Branch (AEB)
•  Search for or identify opportunities to purchase tools and their source code
•  Validate, prioritize opportunities with appropriate development organization
•  Acquire tools and their source code, provide in-depth evaluation to accurately assess the tools functionality
•  Productize tools by modifying/developing for OPSEC, tradecraft, integration, testing with other TAO capabilities in order to meet operational requirements.

Methodology

[Figure: AEB methodology flow diagram. Stages: Prioritization (Customer Requirements, Rogue Nations, Systems, Intel Assessments) → Sources (Toolbox Diversity, Industry, Acquisition Services, CNO Community, Research, Academia, Agencies, Partners, NTOC, ANO, TAO) → Evaluation → Productized/Integration, Code Modifications → Testing → Release, ROC Submission]

CNTD Overview
Forensics and Engineering Branch (FEB)
•  Mission:
–  (TS//SI//NF) Evaluate, Reverse Engineer, Exploit, and Repurpose
software for use in CNE, CCNE and CNA operations.
•  Purpose:
–  (TS//SI//NF) Reverse engineer and evaluate software from malware,
nation-state, and commercial sources for the purpose of identifying
tradecraft signatures and vulnerabilities.

Questions???