Contents

Introduction
Chapter 1. Taking Over the Mobile Phone via SMS - Highly Sophisticated Attacks Targeting SIM Card Vulnerabilities
  Incident Review
  Attack Method
  Traceability Analysis
  Extended Analysis
  References
Chapter 2. The Stolen Key - Stealing the Encryption Key of the Mobile Phone SIM Card
  Incident Review
  Attack Method
  Extended Analysis
  References
Chapter 3. Sneaky Intrusion - Zero-Click Attack on iPhone
  Incident Review
  Attack Method
  Extended Analysis
  References
Chapter 4. Pegasus - the Use of Commercial Spyware
  Incident Review of the Pegasus Spyware
  The US Intelligence Agencies Use Spyware (Pegasus)
  Extended Analysis
  References
Chapter 5. Apps That Cannot Be Uninstalled - Collecting Data Through Software Widely Preinstalled by Operators
  Incident Review
  Incident Analysis
  Extended Analysis
  References
Chapter 6. Getting to the Bottom - Obtaining Technical Parameters of Global Mobile Operators
  Incident Review
  Attack Method
  Extended Analysis
  References
Chapter 7. Camouflaged Base Stations - Fake Base Stations Are Widely Used to Monitor Mobile Phones
  Fake Base Stations Are Widely Used by the US Intelligence Agencies and Law Enforcement Agencies
  Fake Base Stations Become Avenues for Surveillance and Cyberattacks
  References
Chapter 8. Hacking the Operator Intranet - Using Regin to Attack Mobile Network
  Incident Review
  Traceability Analysis
  Extended Analysis
  References
Chapter 9. Attacking Internet Terminals Based on Operators - The Attack Ability of Quantum System on Mobile Phones and Internet PCs
  Incident Review
  Traceability Analysis
  Revealing the Secrets of Quantum System
  Extended Analysis
  References
Chapter 10. APP Replacing - Implanted Attacks of IRRITANT HORN
  Incident Review
  Reveal the Secrets of the IRRITANT HORN Project
  Extended Analysis
  References
Chapter 11. The Conspiracy Behind PRISM - Building Super Data Access Interface
  Incident Review of PRISM
  Operation of PRISM
  Deleterious Effect of PRISM
  References
Summary
Appendix 1 Acronyms

Introduction

The number of global mobile smart terminal users is huge. The 2023 Facts and Figures report released by the International Telecommunication Union (ITU) in November 2023 shows that the mobile phone ownership rate among the global population aged 10 and above is 78%, and that mobile broadband of 3G and above covers 95% of the total global population. Smartphones are no longer limited to the traditional communication function of operators, but have become the basic entrance for daily shopping, entertainment, social interaction, study and life services. They are also nodes for mobile offices and even identity tokens for accessing various government and enterprise intranets. But at the same time, mobile smart terminals
such as mobile phones also harbour huge cybersecurity risks. Compared with traditional PCs, they have wider sensing capabilities and are equipped with high-precision sensors, as well as signal collection devices such as cameras and microphones. Through the collection and analysis of the data assets on the device, it is possible to conduct a targeted, accurate portrait analysis of the targeted personnel's work and life trajectory, behavioral habits, psychological characteristics, social relationships and surrounding environment, and even to control the mobile phone through vulnerability exploitation and malware delivery, so as to realize all-round wiretapping and surveillance. A compromised mobile phone is like a walking bug or monitor. No secrets can be kept wherever it goes, and everything is transparent to the attacker's God's-eye perspective. For smart terminal devices such as mobile phones that have been introduced into mobile office environments, once compromised, higher-value data assets related to the target may be leaked. What's worse, they may become a breakthrough and springboard for attackers to invade the intranets of government and enterprise institutions.

Mobile smart terminals such as mobile phones have been coveted
by the US intelligence agencies since their appearance because of the huge value of the data resources they contain. Over the past two decades, a major challenge faced by global critical information infrastructure operators, security vendors and researchers has been how to discover, analyze, and respond to cyberattacks launched by the US intelligence agencies such as the National Security Agency (NSA) and the Central Intelligence Agency (CIA).

Compared with traditional PCs, mobile smart terminals such as mobile phones have more cybersecurity exposure and attack surfaces, including the terminal device level involving hardware, firmware, systems and applications, and the information interaction level involving data interfaces, Wi-Fi, Bluetooth, cellular network, geographical positioning services such as GPS, etc. At the same time, the security of the mobile phone system is related to the complex software and hardware supply chain system, the industrial ecology of APPs, the signal transmission of operators and the data storage and aggregation of large internet platform vendors. These are the links coveted by the US intelligence agencies and the key targets of attack.

This report gathers together a large number of disclosures and analyses from the industry and academia on the network intelligence activities carried out by the US intelligence agencies against mobile smart terminals (see the figure below). It is classified and integrated from the aspects of terminal equipment, communication infrastructure, operators and internet vendors, in order to form an overall understanding of the cyberattack activities and information acquisition behaviors of the United States against mobile terminals, mobile industry chains and supply chains, operators and large internet vendors, so as to establish systematic prevention capabilities that effectively cover the mobile industry chain and application ecology, critical information infrastructure, and government and enterprise network scenarios.

Chapters 1 to 5 focus on attacks by the US on the hardware, firmware, systems and applications of mobile smart terminals. Chapters 6 to 10 focus on attacks by the US on operator infrastructure and internal systems, with the latter two chapters focusing on combination attacks on operators and smart terminals. Chapter 11 re-analyzes the PRISM program, exposing the intelligence activities of the US intelligence agencies to obtain mobile smart terminal data through the super data access interface of internet vendors and perform big data analysis (see the figure below).

The analysis and research results disclosed by all walks of life around the world have jointly revealed that the US wiretapping and secret theft operations against mobile smart terminals around the
world are pervasive, unscrupulous and intensified.

Chapter 1. Taking Over the Mobile Phone via SMS - Highly Sophisticated Attacks Targeting SIM Card Vulnerabilities

The SIM card is the user identification module of the mobile communication system and is used to register user identification data and information. An obvious feature of attacks exploiting SIM card vulnerabilities is that the attacks are not restricted by hardware type. Theoretically, all brands and models of mobile phones, and even IoT devices and wearable devices with SIM cards, regardless of the operating system installed, can be exploited as long as there is a vulnerability in the inserted SIM card. In September 2019, an Irish cybersecurity company exposed an attack exploiting the SIM card vulnerability Simjacker to target mobile phone users in Mexico, Colombia and Peru. It pointed out that the attack is very similar to two NSA SIM card attack equipment exposed by Snowden, MONKEYCALENDAR and GOPHERSET.

Fig. 1-1 List of Cases of NSA Attacks Exploiting Simjacker Vulnerability

Incident Review

On September 11, 2019, AdaptiveMobile Security, a cybersecurity company headquartered in Dublin, Ireland, exposed an attack targeting the Simjacker vulnerability in the S@T Browser of SIM cards [1]. This attack activity sends specially formatted binary SMS messages to mobile phones. If the S@T Browser is present in the SIM card, the message triggers the Simjacker vulnerability and executes malicious instructions for purposes including locating the target and stealing secrets. The Simjacker vulnerability attack is only related to the functional components embedded in the SIM card. In theory, all brands and models of mobile phones fitted with a SIM card containing this vulnerability may be attacked, and even IoT devices and wearable devices with SIM cards. Although AdaptiveMobile Security only detected attacks in Mexico, Colombia and Peru, SIM cards provided by telecom operators in 29 countries around the world at that time contained the vulnerability, involving 1 billion users.

AdaptiveMobile Security pointed out that, on the one hand, the Simjacker attack was very similar to 4 exposed attacks that exploit SIM card vulnerabilities, including two NSA SIM card attack equipment exposed by Snowden; on the other hand, the perpetrator had a very broad range of skills, experience and resources, had access to SS7 (Signaling System 7) networks, and had a specific interest in mobile users in countries such as Mexico. It is believed that the NSA is one of the few attack entities in the world with the above capabilities and characteristics.

Attack Method

The Simjacker Technical Paper [2] released in October 2019 pointed out that the Simjacker attack exploited a security configuration error of the S@T Browser in the SIM cards issued by some operators, namely not verifying the validity of the received message, to perform attacks such as remotely locating the target.

The S@T Browser (SIMalliance Toolbox Browser) is software built into the SIM card. Its original purpose was to enable services such as obtaining user account balances through SIM cards, so it is not widely known. As of 2019, the S@T Browser technology had not been updated for 10 years, but at that time the browser was a legacy technology present by default as a built-in component of many brands of SIM cards.

AdaptiveMobile Security analyzed Simjacker's attack steps:

Step 1: The attacker uses an ordinary mobile phone, GSM modem or A2P SMS service to send SMS-PP (point-to-point) type text messages to the attack target. The targeted application is the S@T Browser in the SIM card.

Step 2: After the attack target receives the SMS-PP type message, the logic on the mobile phone is triggered, and the S@T Browser becomes the execution environment on the SIM card. The SIM card takes over the mobile phone to receive and execute sensitive instructions.

Step 3: Once the attack code retrieves information such as location and specific device information (International Mobile Equipment Identity, IMEI) from the phone, it collates the information and triggers the logic on the phone again to send the combined information to the receiver via a Data Message.

Fig. 1-2 The Technical Process of Simjacker Vulnerability Attack

AdaptiveMobile Security believes that in theory, the commands that the S@T Browser can execute include obtaining the current location of the device, IMEI information, network information, language information, sending SMS, playing audio, starting the browser, etc., so it can even use mobile phones to send false SMS, make phone calls to commit telecom fraud, open malicious websites, etc.

Cathal McDaid, the
chief technology officer of AdaptiveMobile Security, said [3] that one of the special features of the Simjacker vulnerability attack was that the victim was completely unaware of the SMS received with attack messages and of the data messages sent; there was no indication in any SMS inbox or outbox. The second was that the attack may be the first real-life case of malware (specifically spyware) sent within an SMS. Previous malware sent via SMS simply sent a link to the malware, requiring the user to click on the link to download it, rather than carrying the malware itself within a complete message. Third, many of its attacks seem to work independent of handset type, as the vulnerability is dependent on the software on the SIM and not the device. "We have observed devices from nearly every manufacturer being successfully targeted: Apple, ZTE, Motorola, Samsung, Google, Huawei, and even IoT devices with SIM cards."

Traceability Analysis

In December 2013, Der Spiegel disclosed 48 types of the NSA's ANT attack equipment exposed by Snowden [4]. AdaptiveMobile Security pointed out that the Simjacker attack is quite similar to two of the attack equipment targeting SIM cards, MONKEYCALENDAR and GOPHERSET. GOPHERSET uses the SIM Toolkit (STK) application interface to send STK instructions to the designated SIM card to collect the other party's call records, SMS content and contact list, and sends the extracted data to the designated number through the SMS service. MONKEYCALENDAR is a spyware implanted into the SIM cards of GSM users. It is also based on the SIM Toolkit (STK) and is mainly used to obtain the location information of the targeted SIM card.

AdaptiveMobile Security believes that the similarities among the three are: first, the attacks all use STK instructions; second, the attacks have the same purpose and can obtain location information, contact list, SMS content, call logs, etc.; third, they all use SMS to send outbound data.

Fig. 1-3 ANT's Cyberattack Equipment MONKEYCALENDAR Against SIM Cards

Fig. 1-4 ANT's Cyberattack Equipment GOPHERSET Against SIM Cards

Organizations carrying out Simjacker attacks also have broad access to
SS7 networks. AdaptiveMobile Security has discovered that some Simjacker victims suffered simultaneous cyberattacks via SS7, and believes the SS7 attack method is being used as a fallback in cases where Simjacker exploits are unsuccessful. SS7 is a common channel signaling system usually used between switching offices. It is superimposed on the operator's switching network and is an important part of the support network. The "SIM 卡及移動端核彈漏洞密集爆發:近期網絡戰頂級數字武器解析" (Intensified Outbreak of Nuclear Bomb Vulnerabilities in SIM Cards and Mobile Terminals: Analysis of Top Digital Weapons in Recent Cyber Warfare) report [5], released in 2019, pointed out that hackers who can log in to the SS7 network to launch attacks have a high probability of having national backgrounds.

AdaptiveMobile Security only detected actual attacks in Mexico, Colombia and Peru. As early as July 2013, Reuters quoted O Globo, a leading Brazilian newspaper [6], reporting that according to the information exposed by Snowden, some Latin American countries had become the main targets of NSA surveillance, especially Colombia, Venezuela, Brazil and Mexico. The report confirmed that the NSA had a specific interest in mobile users in countries such as Mexico.

AdaptiveMobile Security did not directly identify the organization that carried out the attack because of concerns that disclosing specific traceability methods would undermine its capability to detect and prevent Simjacker attacks on a global scale. However, based on its analysis of the overall situation of the Simjacker attack, its technical characteristics, attack weapons, attack paths, attack targets, etc., the mastermind hidden behind the Simjacker attack, the NSA, has surfaced.

Extended Analysis

Based on the information exposed by Snowden, the Chinese cybersecurity vendor Antiy combed through the material and found that the Advanced Network Technology (ANT) unit, a subsidiary of the NSA,
had as many as 15 kinds of attack equipment for scanning, monitoring and data collection of mobile communication devices, accounting for about one-third of all 48 kinds of exposed equipment [7].

Fig. 1-5 ANT's Cyberattack Equipment Arsenal

The equipment involves both software and hardware. The equipment forms include malware payloads, cell towers, base stations, signal transceivers, mobile phones, etc., which can be used in combination to achieve complex attack objectives.

Tab. 1-1 ANT Cyberattack Equipment Against Mobile Communication Devices
(Columns: Attack Equipment; Targeted Devices and Functions; Software Implantation Method / Hardware Deployment Location)

DROPOUTJEEP
  Targeted devices and functions: DROPOUTJEEP is a software implant for iPhones that can remotely push/pull files from the device. The data that can be collected include: SMS, contact list, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control, and data exfiltration can occur over SMS messaging or a GPRS data connection.
  Implantation method / deployment location: The initial release will focus on installing the implant via close access methods. A remote installation capability will be pursued for a future release.

GOPHERSET
  Targeted devices and functions: GOPHERSET is a software implant for GSM (Global System for Mobile communication) subscriber identity module (SIM) cards. This implant pulls data such as contact list, SMS and call records from a targeted handset and exfiltrates it to a user-defined phone number via short message service (SMS).
  Implantation method / deployment location: It is loaded onto the SIM card using either a Universal Serial Bus (USB) smartcard reader or via over-the-air provisioning.

MONKEYCALENDAR
  Targeted devices and functions: MONKEYCALENDAR is a software implant for GSM SIM cards. This implant pulls geolocation information from a targeted handset and exfiltrates it to a user-defined phone number via SMS.
  Implantation method / deployment location: It is loaded onto the SIM card using either a USB smartcard reader or via over-the-air provisioning.

TOTECHASER
  Targeted devices and functions: TOTECHASER is a Windows CE implant targeting the Thuraya 2520 handset. It pulls GPS and GSM geolocation information, call records, contact list, and other user information from the Thuraya 2520 handset and exfiltrates it to a user-defined phone number via SMS.
  Implantation method / deployment location: The existing version needs to be deployed directly on the Thuraya 2520 handset. A remotely deployable version is under development.

TOTEGHOSTLY 2.0
  Targeted devices and functions: TOTEGHOSTLY 2.0 is a software implant for the Windows Mobile operating system that is based on StraitBizarre (a springboard backdoor that enables quantum injection attacks). Its functionality includes the ability to remotely push/pull files from the device, SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control, and data exfiltration can occur over SMS messaging or a GPRS data connection.
  Implantation method / deployment location: The initial release will focus on installing the implant via close access methods. A remote installation capability will be pursued for a future release.

PICASSO
  Targeted devices and functions: Modified GSM (targeted) handset that collects user data, location information and room audio.
  Implantation method / deployment location: Replace the targeted phone with a modified GSM phone.

CROSSBEAM
  Targeted devices and functions: CROSSBEAM is a reusable CHIMNEYPOOL-compliant GSM communications module capable of collecting and compressing voice data. It can receive GSM voice, record voice data, and transmit the received information via connected modules or 4 different GSM data modes (GPRS, Circuit Switched Data, Data Over Voice and DTMF) back to a secure facility.
  Implantation method / deployment location: GSM communication module, deployed on mobile phones.

CANDYGRAM
  Targeted devices and functions: Mimics the GSM cell tower of a targeted network. Whenever a targeted handset enters the CANDYGRAM base station's area of influence, the system sends out an SMS through the external network to registered watch phones.
  Implantation method / deployment location: GSM cell tower, deployed to the targeted network.

CYCLONE HX9
  Targeted devices and functions: EGSM (900 MHz) macro-class Network-In-a-Box (NIB) system. Uses the existing Typhon GUI and supports the full Typhon feature base and applications.
  Implantation method / deployment location: Macro-class NIB system, deployed to base stations.

EBSR
  Targeted devices and functions: Multi-purpose, Pico class, tri-band active GSM base station with internal 802.11/GPS/handset capability.
  Implantation method / deployment location: GSM base station, deployed to the targeted network.

ENTOURAGE
  Targeted devices and functions: Direction Finding application operating on the HOLLOWPOINT platform. The system is capable of providing line of bearing (LOB) for GSM/UMTS/CDMA2000/FRS signals.
  Implantation method / deployment location: Direction Finding application, deployed on the HOLLOWPOINT platform.

GENESIS
  Targeted devices and functions: Commercial GSM handset that has been modified to include a Software Defined Radio (SDR) and additional system memory. The internal SDR allows a witting user to covertly perform network surveys, record RF spectrum, or perform handset location in hostile environments.
  Implantation method / deployment location: Hand held signal transceiver; carry it with you, no need to deploy.

NEBULA
  Targeted devices and functions: Multi-Protocol macro-class Network-In-a-Box (NIB) system. Leverages the existing Typhon GUI and supports GSM, UMTS, CDMA2000 applications. LTE capability currently under development.
  Implantation method / deployment location: Macro-class NIB system, deployed to base stations.

TYPHON HX
  Targeted devices and functions: Base Station Router supporting GSM bands 850/900/1800/1900 and associated full GSM signaling and call control.
  Implantation method / deployment location: GSM Base Station Router, deployed to the base station gateway.

WATERWITCH
  Targeted devices and functions: Hand held finishing tool used for geolocating targeted handsets in the field.
  Implantation method / deployment location: Hand held finishing tool; carry it with you, no need to deploy.

The Simjacker vulnerability attack is an application case of the US ANT attack equipment. The technology, infrastructure
and methods used prove that the US cyberattack capabilities have made a huge leap. The most prominent point is that the US no longer needs to install implants via close access methods or OTA remote installation (for which the attacker needs to obtain the OTA key of the targeted SIM card). Monitoring can be started simply via SMS, which is more covert. AdaptiveMobile Security believes that the attacker had been using the Simjacker vulnerability to carry out attacks for at least two years and had monitored tens of thousands of users before it was discovered and exposed. The US intelligence agencies, represented by the NSA, have a complete set of standardized mobile attack equipment, are capable of conducting rigorously organized operations, and their operations are highly covert.

References

[1] AdaptiveMobile Security. Simjacker Technical Paper. 2019. https:/
[2] 技術分析報告 (Technical Analysis Report). 2019. https:/
[3] McDaid. Simjacker Next Generation spying via SIM Card Vulnerability. 2019. https:/
[4] Appelbaum, Judith Horchert & Christian Stöcker. Catalog Advertises NSA Toolbox. 2013. https://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
[5] Sim 卡及移動端核彈漏洞密集爆發:近期網絡戰頂級數字武器解析 (Intensified Outbreak of Nuclear Bomb Vulnerabilities in SIM Cards and Mobile Terminals: Analysis of Top Digital Weapons in Recent Cyber Warfare). 2019. https:/
[6] Boadle. NSA spied on most Latin American nations: Brazil paper. 2013. https:/

Chapter 2. The Stolen Key - Stealing the Encryption Key of the Mobile Phone SIM Card

SIM card encryption keys are an important part of mobile communications and one of the foundations for ensuring communication security. The authentication key in the SIM card
encryption key participates in the legality authentication of mobile devices entering the network, and plays an important role in ensuring user communication security. This key is flashed into the SIM card by the SIM card manufacturer during the production process and provided to the network operator. But it is this key, the one that ensures the security of mobile phone communications, that has become the target of the US and British intelligence agencies. From 2010 to 2011, the US and British intelligence agencies carried out the DAPINO GAMMA operation against the Dutch SIM card manufacturer Gemalto to steal mobile phone encryption keys.

Fig. 2-1 List of Cases of DAPINO GAMMA Operation by NSA and GCHQ

Incident Review

On February 20, 2015, The Intercept published an article titled "The Great SIM Heist - How Spies Stole the Keys to the Encryption Castle" [1] based on the NSA documents leaked by Snowden. It disclosed that between 2010 and 2011, the Mobile Handset Exploitation Team (MHET), composed of the NSA and the British Government Communications Headquarters (GCHQ), an important organization of the Five Eyes intelligence system, carried out an operation called DAPINO GAMMA against the SIM card manufacturer Gemalto, aiming to steal the authentication keys used to ensure the security of communications between personal mobile phones and mobile networks. The behavior of the US and Western intelligence agencies in stealing mobile phone SIM card authentication keys and then obtaining mobile phone communication data has been fully exposed.

The Dutch company Gemalto is one of the world's largest SIM card manufacturers. It was acquired by the French military industry company Thales in 2019. Around 2010, its customers included nearly 450 mobile operators in 85 countries around the world, and it produced approximately 2 billion SIM cards every year [1]. Documents leaked by Snowden show that in its key harvesting trial operations in the first quarter of 2010, GCHQ successfully intercepted keys used by wireless network providers in Iran, Afghanistan, Yemen, India, Serbia, Iceland and Tajikistan [2]. In addition, the US and British intelligence agencies cooperated closely during the operation. GCHQ used the NSA's XKEYSCORE system to screen and lock on to targets, and the SIM card keys it obtained were also shared with the NSA.

Attack Method

Locking on to targets using the NSA's XKEYSCORE system: MHET used the NSA's XKEYSCORE system to intercept a large number of emails on the email servers of Gemalto and mobile operators. Through analysis of the email content, key personnel or clues could be found as to who might have access to Gemalto's core network and key generation system.

XKEYSCORE is the NSA's system for retrieving and analyzing global internet data. The XKEYSCORE system intercepts data such as emails, internet calls, internet chat records, and browsing history in real time through servers distributed at 150 sites around the world [3]. Analysts can obtain the content data and metadata of the targeted network activities through various keywords such as name, phone number, IP and browser. With this system, the NSA can have a panoramic view of every move of a specific target on the Internet. XKEYSCORE also has good scalability and can be integrated or interact with the NSA's TURBULENCE cyberattack operating system to automatically analyze network information collected through other channels and trigger task logic; it can also accept data from other project tasks (for example, data from the foreign satellite communications collection project SKIDROWE) and provide analysis and processing functions; XKEYSCORE also provides support for the use and sharing of intelligence by the Five Eyes (FVEY) countries [4].

During the email investigation, MHET found that Gemalto used email or FTP to send SIM card encryption keys to its global operator customers in batches. When it came to transmitting key files, Gemalto only used simple encryption methods that were easy to crack, sometimes even transmitting the key files directly without encrypting them. This extensive transmission method created the conditions for the US and British intelligence agencies to intercept key files.

Intrusion into Gemalto's internal network: in order to steal SIM card encryption keys more conveniently and accurately, MHET also invaded Gemalto's internal network and implanted malware on multiple internal computers. This provided access to Gemalto's intranet and located targets for intercepting keys. Documents leaked by Snowden reveal that MHET successfully implanted several Gemalto machines, mastered its entire network and processed the acquired data [5].

Developing programs to steal keys in batches: based on preliminary reconnaissance, MHET successfully intercepted internet communication data between multiple Gemalto personalization centers and mobile operators and obtained encryption keys. An article on the Intercept website stated that in one two-week period, they accessed
the emails of 130 people associated with wireless network providers or SIM card manufacturing and personalization. This operation produced nearly 8,000 keys matched to specific phones in 10 countries. In another two-week period, by mining just six email addresses, they produced 85,000 keys [1].

In order to further steal the encryption keys transmitted between Gemalto and mobile operators on a larger scale and in larger quantities, the US and British intelligence personnel also specially developed a program to automatically intercept and collect keys. It has also been shown that although the automated method is able to return a representative set of items from bulk data, it often fails to detect all items that would be found manually [6]. Not only that, GCHQ also launched an operation called HIGHLAND FLING in 2011, with goals including: to look at getting into France HQ to get in to core data repositories; to get information of possible IPs that could lead to penetration into one or more personalisation centres; to start process for a new supplier Giesecke and Devrient [7].

Extended Analysis

The SIM card encryption key is an important tool for identity authentication and channel encryption and decryption between mobile phones and mobile networks. Stealing SIM card encryption keys can provide technical support for intelligence agencies to conduct close reconnaissance of mobile phones. If the attacker has the encryption key of the targeted mobile phone, it will be easier for the attacker to achieve an authenticated connection between a fake base station and the targeted mobile phone, especially in 3G and 4G networks with higher security. Having the encryption key will make it easier to crack the communication encryption and restore the plain text of the communication content. As Matthew Green, a cryptography specialist at the Johns Hopkins Information Security Institute, said, with old-fashioned 2G there are other ways to work around mobile phone security without those keys; with the newer 3G, 4G and LTE protocols, however, the algorithms aren't as vulnerable, so getting those keys would be essential [1]. In addition, the US and British intelligence agencies steal the encryption keys of SIM cards that have not yet been activated. This can also establish a SIM card encryption key database to provide support for future signals intelligence (SIGINT).

When it comes to signals intelligence acquisition, the largest system is the US-led ECHELON global signals intelligence collection and analysis system. The system was jointly established by the NSA, GCHQ, the Communications Security Authority of Canada (CSEC), the Australian Signals Directorate (ASD) and the New Zealand Government Communications Security Bureau (GCSB). The system was first established in the 1970s and was initially used during the Cold War to monitor military and diplomatic communications between the Soviet Union and its bloc. After the end of the Cold War, it began intercepting commercial and personal communications around the world. The ECHELON system identifies and extracts valuable information from massive amounts of data by indiscriminately intercepting communication data. This system has established multiple interception facilities around the world and has set up stations in the FVEY countries to perform remote intelligence collection and processing tasks. ECHELON sites analyze and process telephone
calls, faxes, emails and other traffic data around the world by intercepting communications data carried over satellite communications, switched telephone networks and microwave links. In the system, each site automatically retrieves millions of intercepted messages and performs keyword matching. The system's search list not only includes keywords set by the intelligence agency of the country where the site is located, but also includes keywords set for other agencies of the FVEY countries. Whenever it encounters data containing a keyword from a certain intelligence agency, it automatically picks out the message and sends it directly to the relevant intelligence agency [8].

Whether it is the theft of mobile phone SIM card encryption keys or the collection of global signals intelligence data through the ECHELON system, they all reflect the continuous and frenzied collection of global signals intelligence data by Western intelligence agencies led by the United States. Whether they are terminal devices or backbone lines, whether they are high-value targets such as technical experts and government officials or ordinary people, they may all become targets of the US intelligence agencies' intelligence activities.

References

[1] Jeremy Scahill, Josh Begley. The Intercept. THE GREAT SIM HEIST. 2015. https:/
[2] Gross. Spy agencies hacked SIM card makers' encryption. 2015. https:/
[3] Greenwald. The Guardian. XKeyscore: NSA tool collects nearly everything a user does on the internet. 2013. https:/
[4] 12 篇 (12 articles). 網信軍民融合 (Civil-Military Integration in Cyberspace). 2017(12)-2018(11). https:/
[5] Gilbert.
105、International Business Times UK.US and UK spies hack SIM card encryptionto monitor mobile phone conversations.2015.https:/www.ibtimes.co.uk/us-uk-spies-hack-sim-card-encryption-monitor-mobile-phone-conversations-14887596SnowdenArchive.PCS Harvesting at Scale.2015.https:/grid.glendon.yorku.ca/items/s
106、how/2697Snowden Archive.DAPINO GAMME CNE Presence and IPT keys:Our workshops aims.2015.https:/grid.glendon.yorku.ca/items/show/3338Nicky Hager.EXPOSING THE GLOBAL SURVEILLANCE SYSTEM.2018.https:/cryptome.org/echelon.htm20Chapter 3.Sneaky Intrusion-Zero-ClickAttack on iPhoneThe iOS system platform is
107、 a mobile operating system developed by Apple and used formobile devices such as iPhone,iPad and iPod touch.The iOS system platform has built-in someunique functions.For example,iMessage is an instant messaging service developed by Apple.Ithas multiple functions such as sending and receiving text me
108、ssages,images,videos,anddocuments,providing users with a convenient social experience.However,this type of instantmessaging service has become a target by the US intelligence agencies.The US intelligenceagencies use this type of service to send malware or attack payloads to iPhone users in order tos
109、teal mobile phone data.In June 2023,the Russian Federal Security Service(FSB)issued astatement accusing the NSA of carrying out Operation Triangulation against iPhones.Fig.3-1 List of Cases of NSA Operation TriangulationIncident ReviewOn June 1,2023,the cybersecurity company Kaspersky stated that th
110、e iPhones of its senioremployeeshadbeencompromised.KasperskythenreleasedareporttitledOperation21Triangulation:iOS devices targeted with previously unknown malware1.The report revealed amalicious campaign that targeted iPhones and iPad devices with zero-click attacks.The zero-click attack means that
111、the implantation of the targeted mobile device can be completed withoutany interaction from the mobile phone user during the entire attack process.The oldest traces ofinfection happened in 2019.It performs a fingerprinting technique called Canvas Fingerprintingby drawing a yellow triangle on a pink
background with WebGL and calculating its checksum. This triangle is, in fact, why Kaspersky dubbed this whole campaign Operation Triangulation [2]. Subsequently, Kaspersky successively released 6 related reports [3-6].

On the same day, the Russian Federal Security Service (FSB) issued a statement accusing Apple of close cooperation with the NSA and of invading thousands of iPhones through sophisticated malware, targeting mainly foreign diplomats stationed in Russia and post-Soviet countries, including diplomats from NATO member states, Israel, Syria and China, as well as some local Russian users. The FSB stated that Apple provides opportunities and conditions for the US intelligence agencies to carry out intelligence surveillance activities against Russia. The surveillance targets also include US partners in anti-Russian activities and US citizens [7].

Attack Method

Operation Triangulation uses the built-in iMessage messaging service of the iOS system and four zero-day vulnerabilities in the iOS system to achieve zero-click attacks on Apple devices.

Fig. 3-2 Schematic Diagram of the Operation Triangulation Attack Chain [6]

The attacker first sent iMessages containing hidden malicious attachments to the targeted iOS device through the iMessage server. After receiving the message, the device automatically triggered four zero-day vulnerabilities in the system and automatically completed the subsequent implantation of malicious programs. The attacker initially exploited WebKit memory corruption and font parsing vulnerabilities to obtain code execution, then used an integer overflow vulnerability to escalate to kernel privileges, and then used multiple memory vulnerabilities to break through Apple's hardware-level security defenses to execute and implant malicious programs on the device. The entire process is completely hidden and does not require the user to perform any action. The malicious programs quietly and automatically transmit personal information from the phone to a preset remote server, including microphone recordings, photos from instant messages, geolocation, and other device data.

Kaspersky analyzed the main implanted weapon and dubbed it TriangleDB. TriangleDB is deployed after the attackers obtain root privileges on the targeted iOS device by exploiting a kernel vulnerability. It is deployed in memory, meaning that all traces of the implant are lost when the device is rebooted. Therefore, if the victim reboots their device, the attackers have to reinfect it by sending an iMessage with a malicious attachment, thus launching the whole exploitation chain again. In case no reboot occurs, the implant uninstalls itself after 30 days, unless this period is extended by the attackers [4].

The binary validator is the
component responsible for cleaning up traces of the malicious iMessage. Sending this information back to the C2 server helps the attackers judge the value of the device and decide whether to execute the TriangleDB process. If executed normally, TriangleDB loads and calls multiple sub-spy modules from the C2 server, including a microphone recording module, a KeyChain credential acquisition module, an SQLite database theft module, a GPS positioning module, an SMS theft module, etc., enabling the attackers to carry out platform-level data theft. The sent and received messages are encrypted with symmetric (3DES) and asymmetric (RSA) cryptography. All messages are exchanged via the HTTPS protocol in POST requests. It performs a fingerprinting technique called Canvas Fingerprinting by drawing a yellow triangle on a pink background with WebGL and calculating its checksum.

On December 27, 2023, Kaspersky released the report Operation Triangulation: The last (hardware) mystery. The attacker wrote data to a certain physical address and also bypassed hardware-based memory protection by writing data, destination address, and data hash to unknown hardware registers of the chip unused by the firmware. Currently, it is unknown how the attacker learned to use this unknown hardware feature [6]. The report speculates that Apple may be cooperating with the US intelligence agencies.

Extended Analysis

Most mobile malware requires the user to take a click action during the process of infecting the target. Users can prevent this by improving their own security awareness. Zero-click attacks do not require the user to perform any action on the phone, such as clicking a link or opening a file. As long as the mobile phone user receives the relevant content, the malicious program can be automatically implanted into the mobile phone. Most of the targets are unaware that their phones have been implanted with malicious programs, making it difficult to protect personal phones and privacy. Zero-click attacks often exploit unknown or unpatched vulnerabilities in the system, so system developers cannot discover and fix them in time. As Fortinet FortiGuard Labs cybersecurity researcher Aamir Lakhani said, even very alert and aware users cannot avoid those double-whammy zero-day and zero-click attacks [8].

As mobile phone systems become more and more mature, there are fewer and fewer zero-click vulnerabilities that can be discovered and exploited, and the cost of zero-click attacks is becoming higher and higher. Zerodium, which purchases vulnerabilities on the open market, pays up to $2.5M for zero-click vulnerabilities against Android [8]. All of this means that attacks like Operation Triangulation must be carried out against high-value targets and small, specific groups of people. During the Operation Triangulation attack, the attacker verified a large amount of target and device information and deleted some attack traces before implanting TriangleDB. TriangleDB only exists in the phone's memory and has the ability to self-delete.
These once again prove that Operation Triangulation has the characteristics of highly concealed attack methods, highly complex attack processes, and highly targeted attack objectives. Based on these characteristics, it is reasonable to infer that the operation was carefully planned and implemented by organizations with a national background.

Kaspersky released a report on January 16, 2024 [9] stating that investigating such cases can be complicated, costly, or time consuming due to the nature of the iOS ecosystem. As a result, related threats can often go undetected by the general public. The lightweight method for identifying a potential iPhone infection can detect the Pegasus spyware infection and other iOS malware.

Among various mobile phone systems, iOS is considered to have a relatively more reasonable architecture design and a relatively complete security mechanism. However, it is precisely the activities of the US intelligence agencies that seriously affect the trust of global users in iPhones. As the Russian Ministry of Foreign Affairs said on June 1, 2023 [10], "This fact has conclusively proven what Moscow has been speaking about for a long time, namely, that the US intelligence services have been using IT giants for decades to collect internet users' personal data without their knowledge. The United States has placed itself above the law. No state has a right to abuse its technological capabilities in a sensitive sphere such as access to the personal data of smartphone users."

References
1 Igor Kuznetsov et al. Operation Triangulation: iOS devices targeted with previously unknown malware. 2023. https:/
2 Kucherin et al. The outstanding stealth of Operation Triangulation. 2023. https:/
3 Kuznetsov et al. In search of the Triangulation: triangle_check utility. 2023. https:/
4 Kucherin et al. Dissecting TriangleDB, a Triangulation spyware implant. 2023. https:/
5 Bezvershenko et al. How to catch a wild triangle. 2023. https:/
6 Larin et al. Operation Triangulation: The last (hardware) mystery. 2023. https:/
8 Fiscutean. CSO. Zero-click attacks explained, and why they are so dangerous. 2022. https:/
9 Yamout. A lightweight method to detect potential iOS malware. 2024. https:/
10 The Ministry of Foreign Affairs of the Russian Federation. Press release on new facts of global surveillance by the United States. 2023. https://www.mid.ru/cn/foreign_policy/news/1873533/

Chapter 4. Pegasus - the Use of Commercial Spyware

The Pegasus spyware is a well-known product of the Israeli cyber weapons supplier NSO Group. This software can infect the targeted mobile phone through the zero-click method, and is secretly installed on mobile phones (or other mobile smart terminals) running iOS and Android systems to monitor the targeted mobile phone for a long time. Pegasus can obtain detailed data on the mobile phone, including emails, photos, text messages, call records, etc. In addition, it can also obtain the geolocation of the phone and even control the phone's camera and microphone. Since 2018, intelligence agencies such as the CIA and FBI in the United States have
adopted various ways and means to use spyware such as Pegasus to monitor relevant mobile phone users.

Fig. 4-1 List of Cases of CIA, FBI and Other Intelligence Agencies Using Pegasus Spyware

Incident Review of the Pegasus Spyware

On July 18, 2021, 17 internationally renowned media organizations [1] from more than ten countries around the world, including The Washington Post and The Guardian, jointly published a report after several months of investigation into the Israeli spyware Pegasus. The report revealed that multiple heads of state and political figures were monitored by this spyware, including French President Macron, Iraqi President Saleh, South African President Ramaphosa, Pakistani Prime Minister Imran Khan, Egyptian Prime Minister Madbouly, etc., in addition to many royal family members, government officials, business executives, media reporters and other public figures from various countries. After the Pegasus attack was exposed by the media, it caused an uproar in the international community. This incident has given people a deeper understanding of the ultra-high attack capabilities of commercial spyware.

The US Intelligence Agencies Use Spyware (Pegasus)

The powerful attack, penetration and monitoring capabilities of Pegasus have attracted global attention and made it a hot target for governments and intelligence agencies of relevant countries. The United States is very fond of Pegasus. The DEA, the Secret Service and the US Military Africa Command had all held discussions with NSO [2]. Intelligence agencies such as the CIA and FBI have also carried out in-depth cooperation with NSO.

1. Technical Origins of CIA and Pegasus

According to a report by the New York Times in January 2022 [3], as early as 2018, the CIA bought Pegasus to assist the government of Djibouti in counterterrorism operations; the CIA arranged and paid for the purchase on that government's behalf. An investigative report published by the Forbes website in March 2017 [4] showed that the CIA's techniques for getting persistence on a hacked iPhone were similar to those from an Israeli cyber weapons dealer called NSO Group: they both used the same vulnerability, but the implementation differed a bit. It can be seen that the technical relationship between the CIA and NSO is very deep. There may be a deeper partnership between them.

2. In-depth Cooperation Between the FBI and NSO Group

In addition to the CIA, the FBI is also a client of the NSO Group. The Times revealed in January 2022 that the FBI had purchased Pegasus in 2018. Over the next two years, the FBI had tested the spyware at a secret facility in New Jersey [3]. In June 2019, three Israeli computer engineers arrived at a New Jersey building used by the FBI. They demonstrated and tested the functions and performance of Pegasus.

The NSO engineers' demonstration of the functionality of the Pegasus spyware aroused the FBI's keen interest. However, due to Israeli government restrictions, the regular version of the Pegasus software cannot monitor American mobile phone numbers. During a presentation to officials in Washington, the company demonstrated a new system, called Phantom, that could hack any phone number in the United States that the FBI decided to target. Israel had granted a special license to NSO, one that permitted its Phantom system to attack US numbers. The license allowed for only one type of client: the US government agencies.
NSO's US subsidiary declared: "Phantom allows American law enforcement agencies and intelligence agencies to get intelligence by extracting and monitoring crucial data from mobile devices. It is an independent solution that requires no cooperation from AT&T, Verizon, Apple or Google. The system will turn the target's smartphone into an intelligence gold mine" [2].

3. Purchase of NSO Products Through Shadow Companies

According to a report by the New York Times in April 2023 [5], a secret contract was finalized on November 8, 2021 between a company that had acted as a front for the US government and the American affiliate of a notorious Israeli hacking firm. Under the arrangement, the Israeli firm, NSO Group, gave the US government access to one of its most powerful weapons, Landmark, a geolocation tool that could covertly track mobile phones around the world without the phone users' knowledge or consent. If the veiled nature of the deal was unusual, so was the fact that it was signed for the front company by a businessman using a fake name. Only a few days earlier, the White House had placed NSO on a Commerce Department blacklist. This fully demonstrates the duplicity and hypocrisy of the US government in terms of cyber weapons proliferation and citizen privacy monitoring.

4. The US Intelligence Agencies Authorize a Defense Contractor to Acquire the NSO Group

In 2022, a potential deal with L3Harris, the American defense giant, to buy NSO hacking tools and take on the bulk of its workforce was far more advanced than previously known [5]. Despite NSO being on the Commerce Department blacklist, L3Harris executives had discussions with Commerce Department officials about the potential deal, according to internal department records, and there was a draft agreement in place to finalize it before the White House publicly objected and L3Harris dropped its plans. This incident fully demonstrates the US intelligence agencies' intention to control commercial spyware to carry out intelligence activities.

5. Continued Exploitation of Other Israeli Spyware

The US government agencies continue to use spyware with similar functionality to Pegasus. The media revealed that the US Drug Enforcement Administration (DEA) is one of the largest customers of the Israeli company Paragon's Graphite software. Paragon has learned from NSO's experience and established close communication channels with the US government. Paragon also reportedly asked for US guidance on its target customer list, and deliberately sought funding from two US-based venture capital firms, Battery Ventures and Red Dot, in order to have American backing. Paragon hired a US political consultancy to advise it on what it should and shouldn't do to win government orders. Through these measures, Paragon effectively obtained the acquiescence of the US government, and the US government indirectly gained strong control over Paragon [6].

It is worth noting that although the DEA is a law enforcement agency that combats the illegal drug trade, it has inextricable ties with the US intelligence agencies. The DEA often uses its convenient status in combating the drug trade to provide help and cover for intelligence agencies to carry out activities abroad [7]. Although the US government banned the Pegasus software, similar spyware is still used to carry out intelligence activities.

Extended Analysis

On the surface, the United States restricts other countries from using its software by sanctioning the NSO Group, but secretly it purchases spyware through shadow companies and instructs defense contractors to acquire the NSO Group. The FBI cooperated with NSO under the guise of testing to develop the Phantom system that can attack mobile phones in the United States; the FBI also used the Landmark spyware through the contractor Riva Networks to conduct long-term mobile phone monitoring activities in Mexico [8].

Intelligence coordination between the United States and Israel includes: Israeli companies have provided commercial espionage tools for the United States to use; the United States has developed attack weapons for both parties. Famous incidents include Stuxnet and Duqu 2.0 (used against Kaspersky). The US intelligence agencies have further strengthened their surveillance and intelligence acquisition capabilities in the mobile network field by utilizing and controlling commercial spyware.

On April 5, 2022, The Washington Post reported [9] that the FBI signed a record-breaking software service contract of up to $27 million with Babel Street to strengthen its search and tracking capabilities for social media content. The FBI bidding conditions clearly required: the ability to search and translate in at least seven foreign languages; the ability to search within a certain geographical area; the ability to perform correlation analysis and sentiment analysis on the poster; and additional functions such as expression analysis, predictive analysis, and machine detection. The US intelligence agencies use commercial software to maximize their already armed-to-the-teeth network intelligence collection capabilities.

References
1 Takeaways from the Pegasus Project. 2021. https:/
2 Bergman, Mark Mazzetti. The Battle for the World's Most Powerful Cyberweapon. 2022. https:/
3 Mazzetti, Ronen Bergman. F.B.I. Told Israel It Wanted Pegasus Hacking Tool for Investigations. 2022. https:/
4 Brewster. Wikileaks CIA Mega-Leak Implicates US And UK Spies In Deep iPhone Hacks. 2017. https:/
5 Mazzetti, Ronen Bergman. A Front Company and a Fake Identity: How the U.S. Came to Use Spyware It Was Trying to Kill. 2023. https:/
6 Lovejoy. US govt banned NSO's Pegasus, but said to buy rival spyware Paragon Graphite. 2023. https:/
7 Buchanan. The Hacker and The State. 2020. https://gerdab.ir/files/fa/news/1400/6/23/49615_176.pdf
8 Mark Mazzetti. Who Paid for a Mysterious Spy Tool? The F.B.I., an F.B.I. Inquiry Found. 2023. https:/
9 Post. The FBI is Spending Millions on Social Media Tracking Software. 2022. https:/

Chapter 5. Apps That Cannot Be Uninstalled - Collecting Data Through Software Widely Preinstalled by Operators

Android is one of the most important mobile operating systems in the world. In pursuit of better performance, user interface and functions, mobile phone vendors often choose to deeply customize the native Android system. Some vendors pre-install certain applications in Read-Only Memory (ROM), which may become tools for the US intelligence agencies to obtain user data. In 2011, it was disclosed that US operators AT&T, Verizon, Sprint and T-Mobile US had widely pre-installed the Carrier IQ software in mobile phones. The software illegally collected user data, including SMS, keyboard operations, etc. The operators used the Carrier IQ backend product to conduct data queries, and the FBI and NSA obtained user data that far exceeded the scope of legal authorization through intelligence cooperation with operators.

Fig. 5-1 List of Cases in Which the FBI and NSA Collected User Data Through Carrier IQ Software

Incident Review

Carrier IQ, founded in 2005, is an American privately owned mobile software company. Its products consist of embedded software (IQ Agent) on mobile
devices and server-side analytics applications to enable mobile operators to understand in detail a wide range of performance and usage characteristics of mobile services and devices. IQ Agent was first shipped in 2006 on embedded feature phones and has since been implemented on other devices such as USB modems and tablets [1].

On November 12, 2011, American white-hat hacker Trevor Eckhart posted an article on an Android system security testing website [2], disclosing that the Carrier IQ software collected both network-facing information such as core voice and data offerings, as well as non-network-facing information, including device type, available memory and battery life, the type of applications resident on the device, the geographical location of the device, the end user's pressing of keys on the device and the usage history of the device, and sent it back to Carrier IQ's servers for statistical analysis. The backend
products provided by Carrier IQ allowed operators and other users to conduct detailed history queries on any device based on IMEI or IMSI (International Mobile Subscriber Identity), so users' privacy was completely exposed to Carrier IQ and the mobile operators using its services. Typically, Carrier IQ software was deeply pre-installed into ROM. Therefore, in order to completely excise the software, users had to first root the phone and then thoroughly re-flash the phone's ROM, which is difficult for ordinary users to do.

On November 28, 2011, Eckhart posted a video on YouTube showing the Carrier IQ software recording various keystrokes in plain text [3], including plain text capture of secure website passwords, and activities performed when cellular networks were disabled. In November 2011, Antiy released 對Carrier IQ木馬的綜合分析報告 (A Comprehensive Analysis on Carrier IQ) [4], which confirmed that Carrier IQ not only actively captured and read SMS content on users' mobile phones and monitored users' keyboard operations and keystrokes, but even recorded and transmitted the data it obtained.

Incident Analysis

The four major telecom operators in the United States - AT&T, Verizon, Sprint and T-Mobile US - were all customers of Carrier IQ and had pre-installed the software in several types of phones, involving Android, Symbian, BlackBerry, iOS and other platforms. It was reported that 141 million devices were affected [5]. Carrier IQ software was pre-installed in several brands of mobile phones including BlackBerry, HTC and Samsung, while mobile phone vendors claimed that it was US operators that forced them to install the software on their devices.

In December 2011, the FBI refused to disclose Carrier IQ-related documents in response to a Freedom of Information Act (FOIA) request, and was forced to admit that the data collected by Carrier IQ was used in investigative documents compiled for law enforcement purposes [6]. In June 2013, Bloomberg published an article titled The NSA Could Collect Far More Than Your Phone Records [7], which pointed out that after the data collection of Carrier IQ was exposed, many US carriers and device makers excised Carrier IQ from their handsets, but the fact remained that carriers had installed hidden monitoring software on their customers' handsets. It wouldn't be difficult for the NSA to collect and aggregate that data from carriers' networks, just as it's reportedly doing with Web giants like Google.

Extended Analysis

After the data collection by Carrier IQ was exposed, AT&T admitted that it had installed the software on its devices since March 2011 [8]. In December 2015, AT&T acquired Carrier IQ in a low-profile manner and did not disclose details about the acquisition. Major US operators have a long history of cooperation with intelligence agencies. According to the information exposed by Snowden, AT&T had a decades-long partnership with the NSA [9], and the PRISM program showed that the US intelligence agencies deeply mined and obtained data from operators and large internet vendors. On June 5, 2013, The Guardian, a British
newspaper, reported that the NSA had requested Verizon to provide millions of private phone records [10].

Major US operators had obtained a large amount of private user data, far exceeding their traffic optimization needs, through the Carrier IQ software. Based on the deep cooperative relationship between US telecom operators such as AT&T and Verizon and the US intelligence agencies, global mobile users had reason to suspect that the US intelligence agencies, through telecom operators in the country, had widely pre-installed network diagnostic software such as Carrier IQ in users' mobile phones to collect data on mobile users in the United States at an extremely low cost. In fact, they had turned mobile operators into their intelligence resources. Although the Freedom of Information Act, passed by the US Congress in June 2015, requires the US intelligence agencies to cease large-scale collection of phone data within six months and to apply to the Foreign Intelligence Surveillance Court (FISC) for approval before accessing phone data on specific targets from telecom companies, the US intelligence agencies have not complied with this regulation at all. On November 20, 2023, the American magazine Wired published an article titled Secretive White House Surveillance Program Gives Cops Access to Trillions of US Phone Records [11], which pointed out that a surveillance program now known as Data Analytical Services (DAS) had for more than a decade allowed federal, state, and local law enforcement agencies to mine the details of Americans' calls, analyzing the phone records of countless people who are not suspected of any crime, including victims. The DAS program, formerly known as Hemisphere, was run in coordination with the telecom giant AT&T, which captured and conducted analysis of US call records for law enforcement agencies, from local police and sheriff's departments to US customs offices and postal inspectors across the country. The exposure of the DAS program fully proves that the extensive wiretapping activities of the US intelligence agencies are pervasive, and even the rights and interests of Americans cannot be
guaranteed.

References
1 Wikipedia. Carrier IQ. 2024. https://en.wikipedia.org/wiki/Carrier_IQ#cite_note-21
2 Trevor Eckhart. What is Carrier IQ?. 2011. https:/
3 Eckhart. Carrier IQ Part #2. 2011. https:/
4 Labs. A Comprehensive Analysis on Carrier IQ. 2011. https:/
5 Goodin. Carrier IQ VP: App on millions of phones not a privacy risk. 2011. https:/
6 Greenberg. FBI Says Carrier IQ May Be Used In Law Enforcement Proceedings. 2011. https:/
7 Fitchard. The NSA Could Collect Far More Than Your Phone Records. 2013. https:/
8 Molen. Senator Al Franken asks about Carrier IQ, the companies answer: the complete breakdown. 2011. https:/
9 NSA Spying Relies on AT&T's Extreme Willingness to Help. 2015. https://www.propublica.org/article/nsa-spying-relies-on-atts-extreme-willingness-to-help
10 Glenn Greenwald. NSA collecting phone records of millions of Verizon customers daily. 2013. https:/
11 Dell Cameron & Dhruv Mehrotra. Secretive White House Surveillance Program Gives Cops Access to Trillions of US Phone Records. 2023. https:/

Chapter 6. Getting to the Bottom - Obtaining Technical Parameters of Global Mobile Operators

Since the concept of the cellular network was proposed by Bell Laboratories in the 1970s, mobile communication technology has been rapidly iterated and updated. Global mobile operators have different business environments and operating models, so the network standards, infrastructure types, encryption methods, protocols and other technical parameters they adopt are also different. In order to obtain the technical parameters of global mobile operators and exploit vulnerabilities for targeted attacks, the NSA has been implementing operation AuroraGold since at least 2010. The operation used signals intelligence methods to obtain non-public data, namely the international roaming file IR.21 of various mobile operators, integrated it with public data, and formed a global mobile operator technical parameter database, which supported the NSA SIGINT production chain in carrying out secret theft, wiretapping and eavesdropping on mobile phone users.

Fig. 6-1 List of Cases of NSA Operation AuroraGold

Incident Review

On December 4, 2014, The Intercept published relevant documents leaked by Snowden, which disclosed that the NSA had been implementing operation AuroraGold [1] since at least 2010, aiming to obtain global mobile operator technical parameters and effectively predict future technology trends, so as to support the SIGINT production chain. In addition, information gathered by operation AuroraGold was widely shared within the intelligence agencies of the FVEY countries.

As of May 2012, the NSA had obtained the technical information of 701 networks out of an estimated 985 GSM/UMTS networks around the world (approximately 70%) through operation AuroraGold, covering almost all countries, including allies close to the US, such as the UK, Australia, New Zealand, Germany and France.

Attack Method

Since at least 2010, the NSA has pursued the SIGINT planning cycle project to systematize the SIGINT production chain, which consists of six links: discovery, regions & targets, technology trends, vulnerabilities, capabilities, and delivery. Operation AuroraGold is part of the technology trends link.

Fig. 6-2 Schematic Diagram of the NSA SIGINT Planning Cycle

In the subsequent vulnerabilities link, the NSA explicitly proposed to use the technical trend data provided by operation AuroraGold to identify vulnerabilities that could be exploited and to introduce vulnerabilities that did not yet exist in order to exploit them in the capabilities link. Many cybersecurity experts, including Karsten Nohl, German security expert and cryptographer, and Mikko Hypponen, senior researcher at Finland-based F-Secure, have expressed shock at the NSA's deliberate use of operation AuroraGold to introduce new vulnerabilities into the global communication system for espionage purposes. Security experts pointed out [1] that criminal hackers and foreign government adversaries could be among the inadvertent beneficiaries of any security vulnerabilities inserted by the NSA. This controversial tactic could expose ordinary people to hackers and other criminals.

NSA documents show that in March 2011, two weeks before the Western countries intervened in the Libyan civil war, AFRICOM used the data intelligence database of operation AuroraGold to acquire information concerning the SMS gateway domains for the only two mobile providers in Libya, and used the information to invade mobile networks in Libya for SMS monitoring.

Operation AuroraGold integrated public data and non-public data. After data analysis and extraction, it built a data intelligence database containing global mobile operators' technical parameters and mobile technology development trends, and output the data in a visualized way. The public data included a complete replica of the World Cellular Information Service (WCIS) queryable database, the International Telecommunication Union (ITU) operational announcements and other data, while the non-public data were mainly IR.21.

Fig. 6-3 AuroraGold Data Flow & Process Overview

IR.21 is the international roaming document and an important specification document for GSM international roaming operators to produce counterparty data, in order to enable their customers to use international roaming services overseas. The IR.21 document standard format is developed by the Global System for Mobile Communications Association (GSMA). Founded in 1995, the GSMA is an organization in the global mobile communications industry. Its members include nearly 800 mobile operators from 220 countries and regions, as well as more than 230 companies in the broader mobile ecosystem.

The NSA assessment suggested that IR.21 contained the specific information necessary for targeting and exploitation, and that GSM/UMTS mobile phone operator infrastructure, voice and data integration, UMTS technology migration and
214、UMTS technology deployment andother technical details through IR.21 to support subsequent intelligence work.Tab.6-1 NSAAssessment of SIGINT Value of IR.21IR.21 FieldWhat is it?How is it used?Mobile Country Code(MCC)/Mobile Network Code(MNC)A decimal digit code which uniquelyidentifies a mobile netwo
215、rk.The MCCwhich identifies the country is used as thefirst three digits of any users IMSI,followed by the two digit MNC whichidentifies the network within that country.Provideuniqueidentificationofnetworkstoidentifynetworkboundaries,interfaces,protocols,software,hardware,etc.41Mobile SubscriberInteg
216、rated ServicesDigital NetworkNumber(MSISDN)Anumberuniquelyidentifyingasubscription in a GSM or a UMTS mobilenetwork(the telephone number to theSIM card in a mobile/cellular phone).Allow identification of real phonenumber dialed.TADIG CodesA number allocated by the GSMA for useas primary identifiers,
217、both within filecontents and file names.Also used as amoregenericentityidentifierinthemobile industry.Identifythenetworkforbillingpurposes and help identify targets.Signaling ConnectionControl Part(SCCP)A network layer protocol that providesextendedrouting,flowcontrol,segmentation,connection-orienta
218、tion,anderror correction facilities in SignalingSystem 7 telecommunications networks.Provides routing information withinthe Public Land Mobile Network andprovides access to applications suchas 800-call processing and callingcard processing to identify targets andother information.Subscriber Identity
219、AuthenticationThisfieldindicateswhetherornotauthentication is performed for roamingsubscribers at the start of GSM serviceand the type of A5 cipher algorithmversion in use.It would also show the emergence ofnew cipher algorithms and supporttargetanalysis,trendingandthedevelopment of exploits.Mobile
220、ApplicationPart(MAP)ASS7protocolwhichprovidesanapplication layer for the various nodes inGSM and UMTS mobile core networksand GPRS core networks to communicatewith each other in order to provideservices to mobile phone users.TheMobileApplicationPartistheapplication-layer protocol used to accesstheHo
221、meLocationRegister,VisitorLocationRegister,MobileSwitchingCenter,EquipmentIdentityRegister,AuthenticationCenter,Shortmessageservice center and Serving GPRS SupportNode(SGSN).Provides a clearer understanding ofnetworkfeatureswhenroamingagreement information is published.Currentinformationaboutsubscri
222、bers,mobilitymanagementand applications can be used fortargeting and target development.Network ElementInformationSpecificnetworkcomponents,theirmanufacturer,software&hardwareversions,etc.This specific information is necessaryfortargetingandexploitation.Includescoreandradiointerfaceinformation.Packe
223、t Data ServicesInformationPacketDataServicesidentifiestheaffectedGPRSnetworks.AnAccessPoint Name is also included in thisinformation.APNs can identify the typeof service provided by GPRS networksprovided to mobile users.APNs also helpidentify the network and operators packetnetwork involved in the I
224、R.21 and couldbe used for targeting.Thisdataelementalsoprovidesinformation on the WAP gatewaybeingaccessandmultimediamessagingservicesgatewayIPaddresses which is useful for targetdevelopment.Insight into the GPRSTunneling Protocol versions beingused within the networks is providedas well.GPRS,EDGE a
225、nd HSPAtechnologies are covered.In order to obtain the IR.21 of each operator,operation AuroraGold used signal intelligencemethods to monitor and intercept the data interaction between the MNO roaming coordinators andGSMA working groups and other relevant agencies,as well as more than 1200 email mes
226、sages.In addition to obtaining IR.21,operation AuroraGold continues to monitor industryorganizations,such as GSMA and ITU,to obtain information on new technical standards,newglobal mobile communications technologies and their development trends as early as possible to42support other links of the NSA
227、 SIGINT planning cycle.Extended analysisIn the operation AuroraGold,the NSA targeted global mobile operators,and pertinently builtits cyberattack capabilities by acquiring technology trends and other data intelligence.The NSACamberDADA program exposed by Snowden in June 2015 showed the same US intel
228、ligenceactivity strategy.In the CamberDADA program2,the NSA mainly utilized the traffic acquisitioncapabilities used by the US to invade global operators,monitored communications between anti-virus vendors and their users such as Kaspersky,and obtained new virus samples to assist inplanning cyberatt
229、acks that could bypass detection and develop exploitable attack weapons.Thefollow-up targets of the program also include 23 major global cybersecurity vendors from 16countries,including Chinese cybersecurity vendorAntiy.In the operation AuroraGold,the NSA collected operators IR.21 containing informa
230、tion oncommunications encryption,which could be used to crack encryption and eavesdrop onconversations.The Register,a British technology media,published an article analyzing theAuroraGold incident and pointed out that the NSAs Target Technology Trends Center(TTTC)worked within standard bodies like t
231、he GSM Association to get advanced copies of new securityprotocols so that it could work out how to break them ahead of deployment3.In fact,the NSA hasalways coveted the crypto system.In early September 2013,many US and UK media reported thatthe NSA had hidden backdoors in the SP 800-90A standard re
232、leased by the National Institute ofStandards and Technology(NIST)45,confirming rumors that the industry had long worried andsuspected.The NSA has been systematically manipulating the crypto system for a long timeand exploited vulnerabilities in encryption standards to carry out global surveillance,w
233、hichhas undermined global trust in cyber technology and caused great damage to the globalcybersecurity ecosystem.43References1Ryan Gallagher.The Intercept.OPERATION AURORAGOLD:How the NSA HacksCellphone Networks Worldwide.2014.https:/ Thomson.The Register.Snowden files show NSAs AURORAGOLD pwned 70%
of world's mobe networks. 2014. https:/
[3] Perlroth, Jeff Larson, Scott Shane. The New York Times. NSA Able to Foil Basic Safeguards of Privacy on Web. 2013. https:/
[4] Ball, Julian Borger, Glenn Greenwald. The Guardian. Revealed: how US and UK spy agencies defeat internet privacy and security. 2013. https:/

Chapter 7. Camouflaged Base Stations - Fake Base Stations Are Widely Used to Monitor Mobile Phones

The International Mobile Subscriber Identity (IMSI) identifies mobile phone users worldwide. The IMSI is stored on the SIM card and consists of 15 digits, made up of the mobile country code, the mobile network code and the subscriber identification number. When a mobile phone connects to the mobile network, it uses the IMSI to complete authentication and gain legitimate access to the network. An attacker uses a fake base station to force nearby phones to connect to it, obtains each phone's IMSI, simulates the identity authentication, and establishes a relay connection between the real network and the phone, so that the communication data can be stolen. US intelligence and law enforcement agencies have long and extensively used Stingray and other fake base stations to monitor mobile phones.
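As an added illustration that is not part of the original report, the following Python code shows the two points of the paragraph above from the defender's side: it splits an IMSI into MCC, MNC and MSIN, and it scores a sequence of modem events for the behaviour an IMSI catcher exhibits when it forces a phone onto itself (an identity request for the IMSI in the clear, a downgrade from LTE to 2G, a cipher-off or weak-cipher command, a cell never seen before at that location), the same behaviour the Stingray discussion later in this chapter describes. The MCC-to-MNC-length table is a small subset of the real allocations, the event log and the list of known cells are constructed, and the indicator weights and threshold are assumptions; real detection reads baseband diagnostics, which this code does not. Note that, although the NSA table above speaks of a two-digit MNC, MNCs are two or three digits depending on the country, so the MNC length has to be looked up by MCC.

```python
"""Example: IMSI parsing and a heuristic IMSI-catcher check (constructed data)."""
from dataclasses import dataclass

# MNC length depends on the MCC. Constructed subset of the real allocations:
# 310/311 (US) use three-digit MNCs; 234 (UK), 262 (Germany) and 460 (China) use two.
MNC_LENGTH = {"310": 3, "311": 3, "234": 2, "262": 2, "460": 2}

@dataclass(frozen=True)
class Imsi:
    mcc: str   # mobile country code, 3 digits
    mnc: str   # mobile network code, 2 or 3 digits
    msin: str  # mobile subscriber identification number, the remainder

def parse_imsi(imsi: str) -> Imsi:
    """Split a 15-digit IMSI into MCC, MNC and MSIN."""
    if not (imsi.isdigit() and len(imsi) == 15):
        raise ValueError("IMSI must be 15 decimal digits")
    mcc = imsi[:3]
    n = MNC_LENGTH.get(mcc, 2)  # assumption: two digits for MCCs not in the table
    return Imsi(mcc, imsi[3:3 + n], imsi[3 + n:])

# Constructed modem event log for one attach sequence: (rat, cell_id, event, detail).
SAMPLE_EVENTS = [
    ("LTE", "lte-0001", "attach", "ok"),
    ("GSM", "gsm-9999", "rat_change", "LTE->GSM"),
    ("GSM", "gsm-9999", "identity_request", "IMSI"),
    ("GSM", "gsm-9999", "cipher_mode", "A5/0"),
    ("GSM", "gsm-9999", "location_update", "LAC=0xFFFE"),
]
BENIGN_EVENTS = [
    ("LTE", "lte-0001", "attach", "ok"),
    ("LTE", "lte-0001", "cipher_mode", "EEA2"),
]
KNOWN_CELLS = {"lte-0001", "gsm-0042"}  # constructed: cells previously seen at this location

# Assumed indicator weights. An IMSI identity request alone is not conclusive,
# since a real network asks for it on first attach or after TMSI loss.
WEIGHTS = {"downgrade": 2, "imsi_in_clear": 2, "weak_cipher": 3, "unknown_cell": 1}
ALERT_THRESHOLD = 4

def score_events(events, known_cells=KNOWN_CELLS):
    """Return (score, indicators) for one attach sequence."""
    indicators = []
    prev_rat = None
    for rat, cell, event, detail in events:
        if event == "rat_change" and prev_rat in ("LTE", "UMTS") and rat == "GSM":
            indicators.append("downgrade")
        if event == "identity_request" and detail == "IMSI":
            indicators.append("imsi_in_clear")
        if event == "cipher_mode" and detail in ("A5/0", "A5/2"):
            indicators.append("weak_cipher")  # no cipher, or the broken export-grade one
        if cell not in known_cells and "unknown_cell" not in indicators:
            indicators.append("unknown_cell")
        prev_rat = rat
    return sum(WEIGHTS[i] for i in indicators), indicators

def is_suspicious(events) -> bool:
    return score_events(events)[0] >= ALERT_THRESHOLD
```

The scoring is deliberately additive: a single indicator (an unfamiliar cell, or an IMSI request) occurs on legitimate networks, while the combination of a forced downgrade, an IMSI request and A5/0 within one attach sequence is what a catcher produces.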
Fig. 7-1 List of Cases of FBI, NSA, DHS and Other Agencies Using Fake Base Station Devices

Fake Base Stations Are Widely Used by the US Intelligence Agencies and Law Enforcement Agencies

On May 8, 2013, the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) published a brief [1] disclosing that the FBI used an invasive eavesdropping technology and device to collect mobile phone information. The device involved was Stingray, a fake base station manufactured by the US defense contractor Harris Corporation.

Stingray is an IMSI catcher [2] that works as a man-in-the-middle: the real base station believes Stingray is a mobile phone, while the mobile phone believes Stingray is a base station.

Fig. 7-2 Stingray Fake Base Station

Once the connection is established, Stingray can intercept communication content. It not only collects the IMSI and location of mobile phones, but can also capture calls, SMS and web browsing. When the user is on a 3G or later network, Stingray can force the phone to downgrade to 2G, a less secure protocol, and instruct the phone either to use no encryption at all or to use a weak cipher that can be cracked, in order to achieve its surveillance purpose [3]. The Stingray family of devices can be mounted in vehicles, on airplanes, helicopters and unmanned aerial vehicles; hand-carried versions are sold under the trade name KingFish and can be used anywhere.

On July 31, 2020, The Intercept published an article [3] disclosing that US law enforcement agencies use Stingray to locate targeted phones, obtain SMS messages, emails and voice calls, establish the identity and address of the phone's holder, and, through intelligence cooperation with operators, obtain the target's communication relationships. A Stingray device can locate a target to within a meter and lock onto it by measuring the signal strength between the phone and the device.

On November 13, 2014, The Wall Street Journal disclosed [4] that the US Marshals Service had, since 2007, been flying a fake base station known as Dirtbox on small general-aviation aircraft. The device is manufactured by Digital Receiver Technology (DRT), a subsidiary of the US military contractor Boeing, and is used to collect identity and location information from mobile phone users on a large scale [5]. The Dirtbox can scoop data from tens of thousands of mobile phones in a single flight, collecting their identifying information and general location, and can locate a targeted phone to within three meters from the aircraft. Compared with a Stingray on the ground, the airborne Dirtbox collects more data and covers a wide area more conveniently and quickly.

Fig. 7-3 Dirtbox (DRT 2101A) Fake Base Station

As mobile network technology has developed, US intelligence and law enforcement agencies have kept updating and purchasing these devices. Harris Corporation has developed a variety of fake base stations for 3G and 4G networks, and the agencies also purchase fake base stations manufactured by the Canadian company Octasic, whose devices can target eight frequency bands including GSM (2G), CDMA2000 (3G) and LTE (4G) [6].

Fake base stations are widely used by US government departments and the military. The American Civil Liberties Union [7] disclosed that Stingray and other IMSI catchers were used by many government and military agencies, including the US Army, US Navy, US Marine Corps, FBI, US Department of Homeland Security and the US Marshals Service. In a media interview [8], an FBI agent described using Stingray more than 300 times over a decade and indicated that it was used on a daily basis by the US Marshals, the Secret Service and other federal agencies. Data disclosed by the ACLU and US media showed that DHS used Stingray 1,885 times between 2013 and 2017 [9], and at least 466 times between 2017 and 2019 [10]. A report of the US House Oversight Committee showed that the US Department of Justice had 310 fake base stations and DHS had 124. From FY2010 to FY2014 the Department of Justice spent more than $71 million on fake base station technology, and DHS more than $24 million [11].

Fake Base Stations Become Avenues for Surveillance and Cyberattacks

Fake base stations turn mobile phones into surveillance tools. On July 22, 2013, The Washington Post published an article mentioning that as early as 2004 a new NSA technique enabled the agency to find mobile phones even when they were turned off; JSOC troops called this "The Find", and it gave them thousands of new targets in Iraq [12]. On June 6, 2014, CNN published an article titled "How the NSA can turn on your phone remotely" [13], stating that the NSA sends a command to the phone's baseband chip through a fake base station, telling the phone to fake a shutdown and stay on. A phone in this state can either turn on its microphone for ambient eavesdropping or send location information for tracking.

Fake base stations also become avenues for cyberattacks. According to The Intercept [3], the fake base stations used by US intelligence agencies can send phishing messages and can make phones send and receive text messages through a server the military controls instead of the mobile carrier's server, for surveillance purposes. US intelligence agencies could potentially inject malware into targeted phones through fake base stations: if the targeted phone's browser has vulnerabilities, they can inject spyware onto specific phones, or direct the phone's browser to a website from which malware is loaded onto it.

Michael Hayden, the former director of the CIA, admitted that the NSA surveillance program did not play a role in counter-terrorism but allowed intelligence analysts to track people's online behavior [14]. US intelligence and law enforcement agencies abuse fake base stations to conduct large-scale, indiscriminate surveillance of personal mobile phones by any means necessary, which gravely infringes the communication rights and interests of citizens around the world and poses a serious threat to the national security of other countries.

References

[1] Linda Lye. ACLU. Court Ruling Gives FBI Too Much Leeway on Surveillance Technology. 2013. https://www.aclu.org/news/national-security/court-ruling-gives-fbi-too-much-leeway-surveillance
[2] Columns, Michael A. Miller. Long Island Weekly. Time For Cops To Come Clean On Stingray. 2014. https:/
[3] Zetter. The Intercept. How Cops Can Secretly Track Your Phone. 2020. https:/
[4] Barrett. The Wall Street Journal. Americans' Cellphones Targeted in Secret U.S. Spy Program. 2014. http:/
[5] ... and the DRT surveillance systems. 2018. https:/
[6] Cameron, Dhruv Mehrotra. GIZMODO. Cops Turn to Canadian Phone-Tracking Firm After Infamous Stingrays Become Obsolete. 2020. https:/
[7] Stingray phone tracker. https://en.wikipedia.org/wiki/Stingray_phone_tracker
[8] K. Zetter. WIRED. Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight. 2013. http:/
[9] Flores. BuzzFeed News. DHS Has Used A Controversial Cell Phone Tracking Device More Than 1,800 Times. 2017. https:/
[10] Alexia Ramirez. ACLU. ICE Records Confirm that Immigration Enforcement Agencies are Using Invasive Cell Phone Surveillance Devices. 2020. https://www.aclu.org/news/immigrants-rights/ice-records-confirm-that-immigration-enforcement-agencies-are-using-invasive-cell-phone-surveillance-devices
[11] House Committee on Oversight and Government Reform. Publicintelligence. House Oversight Committee Report on Law Enforcement Use of Cell-Site Simulation Technologies. 2016. https:/
[12] D. Priest. The Washington Post. NSA growth fueled by need to target terrorists. 2013. https:/
[13] Jose Pagliery. CNN. How the NSA can turn on your phone remotely. 2014. https:/
[14] 環球網 (Huanqiu.com). 盤點!美國操縱網絡霸權的四大罪狀 (Taking Stock: Four Charges Against US Manipulation of Cyber Hegemony). 2022. https:/

Chapter 8. Hacking the Operator Intranet - Using Regin to Attack Mobile Networks

Regin is a particularly powerful malware platform developed by the NSA and shared with its partners among the Five Eyes (FVEY) countries; it is technically advanced, structurally complex and highly stealthy.
Its functions and deployment can be tailored to different targets for remote monitoring and intelligence gathering. From 2010 to 2013 the NSA and GCHQ used Regin to jointly hack into the internal networks of Belgacom and its subsidiary Belgacom International Carrier Services (BICS), penetrated the GRX router system that provides cross-border roaming services, and carried out targeted man-in-the-middle attacks on roaming smartphones.

Fig. 8-1 List of Cases of NSA and GCHQ Operation Socialist

Incident Review

On September 20 and November 11, 2013, Der Spiegel revealed in two reports that the NSA and GCHQ had jointly carried out Operation Socialist [1] from 2010, hacking into the GRX router system of Belgacom International Carrier Services (BICS) and conducting targeted man-in-the-middle attacks on roaming smartphones. The incident drew worldwide attention because it was the first cyberattack revealed to have been carried out by one EU country against another.

On December 13, 2014, The Intercept reported further on Operation Socialist, saying that Belgacom began to detect network anomalies in the summer of 2012, and only in June 2013 confirmed that its computer systems had been infected with highly sophisticated malware. The malware disguised itself as legitimate Microsoft software in order to steal data quietly. The Regin cyberattack platform was the malware used in Operation Socialist; documents leaked by Snowden indicate that GCHQ and the NSA are the developers and operators of the Regin platform. From 2010 to 2013 GCHQ used the Regin platform to hack into Belgacom. Belgacom is one of the largest roaming service operators in Europe, and many foreign visitors entering Europe connect to the international roaming network it provides. With these revelations Regin entered public view and became a malware family of continuing concern in the cybersecurity field.

In June 2019, Reuters exclusively revealed that Western intelligence agencies had hacked Yandex, Russia's counterpart to Google, in late 2018 [3]: the hackers implanted the rare Regin malware in the Russian search engine to spy on Yandex user accounts. Vikram Thakur, technical director at Symantec Security Response, said: "Regin is the crown jewel of attack frameworks used for espionage. Its architecture, complexity and capability sits in a ballpark of its own" [3]. The incident proved that Regin remained active in the years that followed.

Traceability Analysis

On November 23, 2014, Symantec released an analysis report titled "Regin: Top-tier espionage tool enables stealthy surveillance" [4], which described Regin as an extremely complex piece of software that can be customized with a wide range of different capabilities, deployed depending on the target. It is built on a covert framework designed to sustain long-term intelligence-gathering operations, and goes to extraordinary lengths to disguise itself and its activities on compromised computers, combining many of the most advanced stealth techniques. Symantec reported that the main purpose of Regin is intelligence gathering, and that it has been implicated in data collection operations against government institutions, infrastructure operators, businesses, academics and private individuals. Regin is a multi-stage, modular threat with the flexibility to load capabilities tailored to individual targets when required. This modular method has been seen in other sophisticated malware families such as Flamer and Weevil, while Regin's multi-stage loading architecture resembles that of the Duqu/Stuxnet family. Regin can install a large number of additional payloads, some highly customized for the targeted computer, and Symantec's investigation also found more advanced payload modules designed with specific goals in mind.

On November 24, 2014, the day after Symantec's report, Kaspersky released a more detailed technical analysis titled "The Regin Platform: Nation-State Ownage of GSM Networks" [5]. Kaspersky described Regin as a cyberattack platform which the attackers deploy in victim networks for total remote control at all levels, and noted that "the most interesting aspect we have found so far regarding Regin relates to an infection of a large GSM operator". Kaspersky reported that Regin is the first known attack platform capable of penetrating and monitoring GSM networks in addition to conducting other standard espionage tasks. The attackers behind the platform had compromised computer networks in at least 14 countries. The group's main targets include telecom operators, government institutions, financial institutions, research institutions, multinational political bodies, and individuals involved in advanced mathematical and cryptographic research.

On January 17, 2015, Der Spiegel published, based on material exposed by Snowden, a copy of a Five Eyes malware program code-named QWERTY, designed to invisibly record all keystrokes on an infected Windows computer. Through careful comparison, Kaspersky analysts concluded that QWERTY is identical in functionality to the Regin 50251 plugin [6]. Kaspersky thereby technically established the common origin of Regin and QWERTY, another NSA spying module, and concluded that the QWERTY developers and the Regin developers are the same or are working together.

Extended Analysis

According to Der Spiegel [8], the US and Western intelligence agencies used the Quantum system to deliver the Regin malware in the attack on Belgacom. By redirecting users to a FoxAcid server through fake LinkedIn pages, the computers of several BICS engineers were infected with Regin, which enabled GCHQ to penetrate deep into the internal network of Belgacom and its subsidiary BICS, hack the GRX router system that provides cross-border roaming services, and carry out targeted man-in-the-middle attacks on roaming smartphones. The report noted that the operation could capture the entire internet traffic of a targeted mobile phone, track its location or implant spyware, enabling large-scale surveillance of roaming mobile users.

According to Kaspersky, Regin's ability to penetrate and monitor GSM networks is perhaps the most unusual and interesting aspect of these operations. Today people have become too reliant on mobile phone networks that use older communication protocols, while there is almost no security assurance for end users. Although all GSM networks have built-in mechanisms that allow law enforcement agencies to track suspects, other entities can acquire the same capability and then abuse it to launch other kinds of attacks against mobile users.

In fact, the NSA's attacks on telecom operators are long-standing. Antiy released a report titled 方程式組織CDR解析器樣本分析報告 (Equation Group CDR Parser Sample Analysis Report) [9], which, based on the material disclosed by the Shadow Brokers in 2016, analyzed in detail the Equation Group's tool for extracting and parsing telecom call data (Call Detail Records, CDR). CDR data is generated by telecom equipment such as telephone switches and includes call attributes such as call time, duration, completion status, source number and destination number. The Equation Group's CDR parser matches specified conditions (such as a time range) to collect CDR files, and then parses the collected CDR data according to the contents of an encrypted parameter file (such as location area codes or phone numbers). The Antiy report pointed out that this tool is responsible only for data screening, acquisition and encrypted storage, not for exfiltration. This way of operating is consistent with the modular operation and strict encryption habits that characterize US operations.
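As an added example that is not part of the Antiy report or of the original page, the following Python code models the selection step the paragraph describes: a rule set naming a time window, location area codes and subscriber numbers, applied to CDR records, with the communication relationships of the selected records derived afterwards. The CDR line format, the rule values and the records are all constructed; the real tool's file formats and its parameter-file encryption are not given on this page and are not reproduced. The point for a defender is that such a tool's output is small and targeted, which is what distinguishes it from a bulk CDR export in an operator's access logs.

```python
"""Example: rule-based CDR selection of the kind described above (constructed data)."""
from datetime import datetime

# Constructed CDR lines: start|duration_s|status|caller|callee|lac|cell_id
SAMPLE_CDRS = """\
2016-03-01T08:15:02|120|COMPLETED|32470000001|32470000002|0x1A2B|1001
2016-03-01T09:40:10|0|FAILED|32470000003|32470000001|0x1A2B|1002
2016-03-01T11:05:44|300|COMPLETED|32470000004|32470000005|0x2C3D|2001
2016-03-02T07:59:59|45|COMPLETED|32470000002|32470000006|0x2C3D|2002
2016-03-02T23:00:00|60|COMPLETED|32470000001|32470000007|0x4E5F|3001
"""

FIELDS = ("start", "duration_s", "status", "caller", "callee", "lac", "cell_id")

def parse_cdrs(text: str):
    """Parse pipe-delimited CDR lines into dicts; blank lines are skipped, bad rows rejected."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        rec = dict(zip(FIELDS, parts))
        rec["start"] = datetime.fromisoformat(rec["start"])
        rec["duration_s"] = int(rec["duration_s"])
        records.append(rec)
    return records

# Constructed selection rules, standing in for the tool's encrypted parameter file.
RULES = {
    "start": datetime(2016, 3, 1, 0, 0, 0),
    "end": datetime(2016, 3, 2, 12, 0, 0),   # half-open window [start, end)
    "lacs": {"0x1A2B"},                        # location area codes of interest
    "numbers": {"32470000002"},                # subscriber numbers of interest
}

def matches(rec, rules) -> bool:
    """Select a record inside the time window whose LAC or either party is listed."""
    if not (rules["start"] <= rec["start"] < rules["end"]):
        return False
    return (rec["lac"] in rules["lacs"]
            or rec["caller"] in rules["numbers"]
            or rec["callee"] in rules["numbers"])

def select_cdrs(records, rules):
    return [r for r in records if matches(r, rules)]

def contact_graph(records):
    """Communication relationships: each number mapped to the set of its counterparties."""
    graph = {}
    for r in records:
        graph.setdefault(r["caller"], set()).add(r["callee"])
        graph.setdefault(r["callee"], set()).add(r["caller"])
    return graph
```

Running `select_cdrs(parse_cdrs(SAMPLE_CDRS), RULES)` keeps three of the five constructed records: the two in the listed LAC and the one placed by the listed number, while the record after the window's end is dropped even though its caller appears in the selected set. `contact_graph` over that result is the "communication relationships" the report refers to elsewhere.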
After the intrusion, the attacker can build various conditional rules from parameters for targeted data acquisition, and use separate data decryption and data return tools to complete the intrusion and data theft. As critical nodes where data communication converges, operators have great strategic value in the eyes of US intelligence agencies and have long been their target. According to the material exposed by Snowden, the MAINWAY and NUCLEON components of the STELLARWIND program are specialized in collecting global telecommunications call data and wiretapping: MAINWAY obtains call records through cooperation with operators, while NUCLEON intercepts the content of telephone calls and searches it for keywords to obtain the specified data. By attacking operators, US intelligence agencies carry out all-round, in-depth network intelligence activities in the communications field.

References

[1] Britain's GCHQ Hacked Belgian Telecoms Firm. 2013. https://www.spiegel.de/international/europe/british-spy-agency-gchq-hacked-belgian-telecoms-firm-a-923406.html
[2] Ryan Gallagher. The Inside Story of How British Spies Hacked Belgium's Largest Telco. 2014. https:/
[3] Bing, Jack Stubbs, Joseph Menn. Exclusive: Western intelligence hacked Russia's Google Yandex to spy on accounts. 2019. https:/
[4] Regin: Top-tier espionage tool enables stealthy surveillance. 2014. https:/
[5] The Regin Platform: Nation-State Ownage of GSM Networks. 2014. https:/
[6] Raiu, Igor Kuznetsov. Comparing the Regin module 50251 and the "Qwerty" keylogger. 2015. https:/
[7] Paganini. REGIN AND QWERTY KEYLOGGER ARE LINKED WITH FIVE EYES INTELLIGENCE. 2015. https:/
[8] Der Spiegel. ... Used Fake LinkedIn Pages to Target Engineers. 2013.
[9] Equation Group CDR Parser Sample Analysis Report. 2024. https:/

Chapter 9. Attacking Internet Terminals Based on Operators - The Attack Ability of the Quantum System on Mobile Phones and Internet PCs
All mobile terminals such as mobile phones, and internet terminals of every kind, rely on the operator's systems to reach the network and its applications. US intelligence agencies use the Quantum system to compromise the switching and routing equipment of operators in various countries, turning the global operator infrastructure into a delivery system for attacks on internet users. The attack scope covers smart mobile terminals running Android and iOS as well as internet PCs and server products. The Quantum system, first exposed by Snowden in 2013, was developed and operated by the NSA's Office of Tailored Access Operations (TAO); it is a set of engineering systems and intrusion tools for conducting cyberattacks on high-value targets.

Fig. 9-1 List of Cases of NSA Attacking Internet Terminals Based on Operators

Incident Review

On June 9, 2023, Antiy released a report titled 量子系統擊穿蘋果手機方程式組織攻擊iOS系統的歷史樣本分析 (Quantum System Breaks Down the iPhone: Analysis of Historical Samples of the Equation Group's Attacks on iOS) [1], revealing that the Equation Group, a unit of the NSA, had in earlier years launched network-side attacks on iOS terminals from the Quantum platform, exploiting browser vulnerabilities to deliver a backdoor for further penetration. Shortly before, Kaspersky had released an analysis report titled "Operation Triangulation: iOS devices targeted with previously unknown malware" [2], describing malware that attacked iOS devices through a zero-click approach.

The Quantum attacks on iOS disclosed in Antiy's report and the Operation Triangulation attacks exposed by Kaspersky both originate from the Equation Group, but the attack paths and samples revealed by the two reports are completely different; they are two distinct attack methods. The attack exposed by Kaspersky relied on iMessage vulnerabilities to deliver its samples, whereas the Equation Group's attacks on iOS discovered by Antiy may date from 2013 or earlier, with the samples delivered through the Quantum system.

Traceability Analysis

The iOS attack samples analyzed in Antiy's report are not ordinary iOS app installation packages but a Trojan targeting the underlying iOS system. The main body of the Trojan is delivered disguised as a PE-format file named regquerystr.exe; its true format is an ARM Mach-O executable, which uses vulnerabilities or a sandbox escape to drop and execute the backdoor. The Trojan first checks the kernel version and user privileges, then drops the backdoor mvld, whose main tasks are collecting device information and communicating with remote servers. After running, it writes log files and deletes its own files.

The sample contains 13 command codes, closely resembling the DoubleFantasy family of instructions in the Equation Group's Windows and Solaris Trojans previously exposed by Antiy [3]. In addition, the mvld Trojan internally decrypts the identifier FAID, in which the value ace02468bdf13579 matches the mandatory unique identification code required in NSA operations that had been exposed previously; the same identifier appears in the SecondDate weapon from the Equation arsenal leaked by the Shadow Brokers. All the evidence points to the Trojan coming from the Equation Group, a unit of the US intelligence agency NSA.

Antiy reported that comparing the iOS Trojan with the Equation Group's DoubleFantasy Trojan series gives the following result: they are almost identical in function, behavior, algorithms, information collection and command-and-control sets. The Trojan uses 0x47, the value most commonly used in the Equation Group's encryption algorithm; the format of the collected terminal information is consistent with DoubleFantasy, and the structure of the control instruction codes is basically consistent with DoubleFantasy, which fully establishes the connection between the iOS Trojan and the Equation Group.

Revealing the Secrets of the Quantum System

The Quantum system project, first exposed by Snowden in 2013, was initiated by the NSA and jointly implemented with GCHQ and Sweden's National Defence Radio Establishment (Försvarets radioanstalt, FRA). It is used to develop and operate the engineering systems and intrusion toolsets that carry out cyberattacks in order to intervene in and control network state in cyberspace, and was developed and used by TAO under the NSA.

As Wired reported in April 2015 [4], the hacking technique known as Quantum Insert (called Quantum Injection in this report) had been used by the NSA and its partner GCHQ since 2005 to break into high-value, hard-to-reach systems and implant malware. Quantum Insert works by hijacking the targeted browser when it attempts to access a web page and forcing it to a malicious page instead. The highly successful technique allowed the NSA to implant malware on computers around the world in roughly 300 successful operations in 2010 by hijacking them to malicious web pages.

Quantum Insert requires fast-acting servers relatively near the target's machine that can intercept browser traffic swiftly, so that the malicious web page reaches the targeted machine before the legitimate page arrives. To achieve this, the NSA used servers code-named FoxAcid together with special high-speed servers known as "shooters" placed at key points around the internet. The closer the traffic-sniffing and shooter machines are to the target, the more likely the rogue servers are to win the race to the victim's machine.

The operational fulcrum of the Quantum system is the intrusion and hijacking of critical routers and gateways of the network communication infrastructure, which gives it the capability to analyze and hijack the target's online sessions.
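To make the race concrete, here is an added Python simulation that is not part of the original report or of any NSA or Fox-IT tool. A client sends an HTTP GET over an established TCP connection; a tap on the path that sees the request learns the connection's sequence and acknowledgement numbers; a forged response carrying those numbers is injected and competes with the legitimate server's response. The model is simplified (one in-order segment per response, latency as fixed one-way delays, no retransmission or overlap handling): the client accepts the first segment whose sequence number is the one it expects next and discards a later segment that repeats an already-consumed sequence number. The second function implements the detection idea that the Wired article cited above reported from Fox-IT, namely looking for two segments on the same stream that share a sequence number but carry different payloads. All addresses, timings and packet contents are constructed.

```python
"""Example: the Quantum Insert race and a wire-level check for it (constructed data)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    """A TCP segment as seen by the client's NIC or by a network tap."""
    label: str         # "legit" or "forged", for the reader only; the client cannot see this
    stream: tuple      # (src_ip, src_port, dst_ip, dst_port)
    seq: int           # sequence number of the first payload byte
    ack: int           # acknowledgement number
    payload: bytes
    arrival_ms: float  # arrival time at the client, relative to the request leaving it

# Constructed endpoints and contents; nothing here refers to real hosts.
CLIENT = ("10.0.0.5", 51234)
SERVER = ("203.0.113.10", 80)
REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
LEGIT_BODY = b"HTTP/1.1 200 OK\r\nContent-Length: 16\r\n\r\n<html>real</html>"
FORGED_BODY = b"HTTP/1.1 302 Found\r\nLocation: http://redirect.test/\r\n\r\n"

def race(client_seq, server_seq, server_one_way_ms, sniffer_ms, shooter_ms):
    """Build the two competing responses and return them sorted by arrival time.

    Timing model (assumption): the request reaches the server after
    server_one_way_ms and the real response needs the same time back; the tap
    sees the request after sniffer_ms and the shooter's packet then needs
    shooter_ms to reach the client. Both responses carry the same seq/ack
    numbers because the tap copied them from the request it observed.
    """
    stream = (*SERVER, *CLIENT)               # server -> client direction
    ack = client_seq + len(REQUEST)           # acknowledges the whole request
    legit = Segment("legit", stream, server_seq, ack, LEGIT_BODY, 2 * server_one_way_ms)
    forged = Segment("forged", stream, server_seq, ack, FORGED_BODY, sniffer_ms + shooter_ms)
    return sorted((legit, forged), key=lambda s: s.arrival_ms)

def client_receive(segments, expected_seq):
    """What the client's TCP hands to the browser: in-order data only.

    A segment whose sequence number was already consumed looks like a
    retransmission and is dropped, so whichever response arrives first wins
    and the other is silently ignored.
    """
    delivered = []
    next_seq = expected_seq
    for seg in sorted(segments, key=lambda s: s.arrival_ms):
        if seg.seq == next_seq:
            delivered.append(seg.payload)
            next_seq += len(seg.payload)
    return b"".join(delivered)

def detect_injection(segments):
    """Return the (stream, seq) keys seen with two different payloads.

    A genuine retransmission repeats the same bytes; two segments with the
    same sequence number but different content mean that something other
    than the server answered on that stream.
    """
    first_payload = {}
    alerts = []
    for seg in segments:
        key = (seg.stream, seg.seq)
        if key in first_payload:
            if first_payload[key] != seg.payload and key not in alerts:
                alerts.append(key)
        else:
            first_payload[key] = seg.payload
    return alerts
```

With `race(1000, 5000, server_one_way_ms=40, sniffer_ms=5, shooter_ms=10)` the forged segment arrives at 15 ms against 80 ms for the real one and the browser renders the redirect; with `shooter_ms=100` the legitimate page wins and the injected segment is dropped as a duplicate. In both cases the tap sees two segments with the same sequence number and different bodies, which is what `detect_injection` keys on; a plaintext HTTP session is what makes the substitution possible, since an injected segment cannot produce a valid record inside a TLS session without the session keys.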
316、relying on theXKEYSCORE system,it identifies the relevant IP,code number,link,identity account or otheridentification of the Internet device to determine whether it meets the requirements for the attacktarget and verifies whether the attack has been successfully carried out on the device.If it is th
317、etarget to be attacked,it will further determine whether there are available vulnerabilities,and thenselects the corresponding tools to perform secret intrusion.Antiy drew a spectrum conjecturediagram of the attack capability of the Quantum system in the report,believing that theQuantum attack capab
318、ilities completely cover all major internet terminals in the world,including various types of PCs,servers,mobile smartphone terminal devices and relatedbrowsers1.Fig.9-2 Graphical Analysis ofAttackable Scenarios of the Quantum System Drawn by Antiy60ExtendedAnalysisOn the one hand,the operation capa
319、bilities of the Quantum system come from the largenumber of undisclosed vulnerability resources and the reserve of vulnerability exploitation toolsunder its control.On the other hand,they come from the degree of attack control of the EquationGroup on the global critical network communication devices
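The race described above leaves a trace that network defenders can look for. As the Wired article cited in the references below [4] discusses, a rogue server that answers before the legitimate one produces two TCP segments in the same server-to-client flow that claim the same sequence number but carry different contents, and the injected segment typically arrives with a different remaining TTL because it was sent from a different point on the path. The following Python script is an added illustration of that check; it is not code from this report, from Antiy or from the cited articles. The traffic, the addresses and the Segment record layout are constructed for the example, and the check is written to stay silent on the benign duplicates that ordinary TCP produces (retransmissions and re-segmented retransmissions).

```python
"""Spotting an injection race on the wire: two TCP segments in one server-to-client
flow that claim the same sequence number but carry different bytes.

Added example; the traffic below is constructed, not a real capture.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """Minimal view of a TCP segment: only the fields the check needs (assumed layout)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ttl: int
    payload: bytes


def flow_key(seg: Segment) -> tuple:
    """Direction-aware flow identity, so client->server and server->client never mix."""
    return (seg.src, seg.sport, seg.dst, seg.dport)


def _consistent(a: bytes, b: bytes) -> bool:
    """True when two payloads agree on every byte both of them cover.

    A genuine retransmission repeats the same bytes, and a re-segmented
    retransmission sends a prefix or an extension of them; only a byte-level
    disagreement inside the overlap shows a second party writing into the stream.
    """
    n = min(len(a), len(b))
    return a[:n] == b[:n]


def find_seq_conflicts(segments: list[Segment]) -> list[dict]:
    """Return one finding per (flow, seq) for each payload variant that contradicts
    the variant seen first; benign duplicates produce nothing."""
    variants: dict[tuple, list[Segment]] = defaultdict(list)
    findings = []
    for seg in segments:
        known = variants[(flow_key(seg), seg.seq)]
        if not known:
            known.append(seg)
        elif not any(_consistent(v.payload, seg.payload) for v in known):
            findings.append({
                "flow": flow_key(seg),
                "seq": seg.seq,
                "first": known[0],
                "second": seg,
                # Remaining TTL of the later segment minus the earlier one. A box
                # closer to the victim than the real server leaves a higher TTL.
                "ttl_delta": seg.ttl - known[0].ttl,
            })
            known.append(seg)
    return findings


def describe(finding: dict) -> str:
    """One human-readable line per finding, for an analyst's review queue."""
    a, b = finding["first"], finding["second"]
    return (f"seq {finding['seq']} on {finding['flow']}: {a.payload[:18]!r} (ttl {a.ttl}) "
            f"contradicted by {b.payload[:18]!r} (ttl {b.ttl})")


# Constructed sample traffic (placeholder addresses from the documentation ranges).
SERVER = ("203.0.113.10", 80)
CLIENT = ("198.51.100.25", 51234)
SEQ = 1_000_000
INJECTED = Segment(*SERVER, *CLIENT, SEQ, ttl=58,
                   payload=b"HTTP/1.1 302 Found\r\nLocation: http://injected.invalid/\r\n\r\n")
LEGIT = Segment(*SERVER, *CLIENT, SEQ, ttl=49,
                payload=b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>")
SAMPLE_TRAFFIC = [
    Segment(*CLIENT, *SERVER, 7000, ttl=64,
            payload=b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    INJECTED,   # the race winner arrives first
    LEGIT,      # the real answer, which the client's TCP stack will now discard
    LEGIT,      # plain retransmission: same bytes, not reported
    Segment(*SERVER, *CLIENT, SEQ, ttl=49, payload=LEGIT.payload[:20]),  # re-segmented prefix
]

if __name__ == "__main__":
    for f in find_seq_conflicts(SAMPLE_TRAFFIC):
        print(describe(f))
```

To run this over a real capture, fill Segment records from the TCP layer of each packet and feed them in arrival order. Pure ACKs (empty payloads) and retransmissions never produce a finding, so the check stays quiet on ordinary traffic and fires only when two different byte sequences compete for the same position in a stream; the TTL difference it records is supporting evidence for an analyst, not a verdict on its own.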
For example, to trick targets into accessing the FoxAcid server, the NSA relied on its secret cooperative relationship with US telecommunications companies to deploy Shooter servers at critical locations in the Internet backbone network [5]. It can be seen that the close cooperation between the US intelligence agencies and the owners of telecommunication infrastructure is the key to the success of its cyberattack operations. It is also an important part of the US pre-preparation of the global cyberspace battlefield: by invading and hijacking global operators, it proactively shapes the cyberspace environment for subsequent cyberattack operations.

The Quantum attack mechanism not only causes harm to mobile phones and other internet terminals, but has actually become an important means of the systematic deployment of US cyber military operations. Through the Quantum system, US malicious code can be deployed on switches and routers in the key targeted networks after cross-network intrusion, including network equipment such as firewalls, thereby building an intrusion bridgehead on the intranet. This improves the mobility of cyber forces, enables them to enter and control key terrain when necessary, and ensures that the US military can conduct expeditionary cyberspace operations when necessary without establishing a physical presence in foreign territories for power projection.

In summary, the Quantum delivery system, the vulnerability library for browsers and network clients, and the capability system of the A2PT organization not only provide support and guarantee for US military operations in cyberspace, but put all PCs and mobile devices at risk of being attacked and penetrated by the US intelligence agencies, thus leaving mobile phone users and internet users around the world under the hanging sword of Damocles that is Quantum.

References

1. “量子”系統擊穿蘋果手機——方程式組織攻擊 iOS 系統的歷史樣本分析 (The "Quantum" System Breaks Through Apple Phones: Historical Sample Analysis of the Equation Group's Attacks on iOS). 2023. https:/
2. KUZNETSOV. Operation Triangulation: iOS devices targeted with previously unknown malware. 2023. https:/
3. 攻擊組織高級惡意代碼的全平臺能力解析 (Analysis of the Full-Platform Capabilities of the Attack Group's Advanced Malicious Code). 2016. https:/
4. Zetter. How to Detect Sneaky NSA Quantum Insert Attacks. 2015. https:/
5. Tor: how the NSA targets users' online anonymity. 2013. https:/

Chapter 10. APP Replacing - Implanted Attacks of IRRITANT HORN

In the era of the mobile internet, the rich functions of mobile smart terminals such as mobile phones come from the support of various applications (APPs). The official APP stores of mobile phone vendors and operating system suppliers provide users with safe and convenient download channels. However, this huge trusted resource that can reach users' mobile phones has also become a coveted target for network attackers. Leaked information showed that from 2011 to 2012, the NSA and the national intelligence agencies of other FVEY countries launched the IRRITANT HORN project to tamper with the APPs users downloaded, inserting malware through traffic hijacking in order to hack users' mobile phones.

Fig. 10-1 List of Cases of the NSA and Other Intelligence Agencies' IRRITANT HORN

Incident Review

On May 21, 2015, the Canadian Broadcasting Corporation (CBC), The Intercept and other Western media and related institutions published an article [1] that exposed the implementation of the IRRITANT HORN project by the NSA and the national intelligence agencies of other FVEY countries, pointing out that the NSA planned to hijack the Google App Store to attack smartphones. The leak of the IRRITANT HORN project revealed the shady story of the long-term attack on and monitoring of mobile phone users by the national intelligence agencies of the FVEY countries led by the US.

Top-secret documents leaked by Snowden revealed [2] that the IRRITANT HORN project was jointly launched by the NSA and the national intelligence agencies of other FVEY countries. By hijacking download links from the Google and Samsung APP stores, the intelligence agencies modified the content of the data packets passed between the targeted smartphone and the APP server when users downloaded or updated APPs, and then sent them on to the phone to trick users into installing transformed APPs implanted with malware. The attackers exploited vulnerabilities in mobile phone APPs to closely monitor the targeted mobile phones, collected massive amounts of user information, and carried out intelligence extraction operations.

Previously, documents leaked by Snowden have shown that the national intelligence agencies of the FVEY countries have designed spyware