April 24, 2015

Some equipment that connects NSA with its foreign partners

(Updated: June 29, 2019)

A close look at a unique photo of NSA computer equipment revealed the names of five countries: Tunisia, the Netherlands, Belgium, Germany and Italy. The devices are routers, but it's not certain what exactly they used for. The circumstances indicate that they enable the exchange of data for military operations in which these NSA partner countries participate.



Presentation about Strategic Analystics at the
NSA's European Cryptologic Center (ECC)
(Click for the full presentation in pdf)


On June 14, 2014, the German magazine Der Spiegel published 53 documents pertaining to the NSA's operations in Germany and its cooperation with German agencies. Many of them got little attention, and so they often contain interesting things which are not yet reported.

One of these documents is an undated presentation about Strategic Analystics used at the NSA's European Cryptologic Center (ECC), which is located near the city of Darmstadt in Germany. This presentation contains some unique photos of what seems to be NSA equipment.


Cisco routers

One of the photo's shows a 19-inch rack for computer equipment modules, which contains 13 common Cisco 2811 routers. In the photo we see the front panels of the routers, with each one having a black power cable and a red network cable, which connects to a computer in order to manage the router. The cables for the actual data are on the rear side, where the device has four high-speed WAN interface card (HWIC) slots, two 10/100 Gigabit Ethernet ports, and a slot for an Enhanced Network Module (ENM).



Slide from the presentation about Strategic Analystics
at the NSA's European Cryptologic Center (ECC)
(Click to enlarge)


Classification labels

Twelve routers have an orange and a yellow label, only the bottom one has a red label. These labels indicate the (highest) classification level of the data that are handled by the equipment. The red label is for Secret, the orange one for Top Secret and the yellow one for Sensitive Compartmented Information (SCI), which means the information is in a "control system" with extra protective measures.

All but one of the routers may therefore transfer data up to the level of Top Secret/SCI. This sounds quite impressive, but actually almost everything NSA does is classified at this level, more specifically as Top Secret//Comint (or SI for Special Intelligence) - the marking that can be seen on almost all Snowden documents.


Sometimes, the photos in the presentation are related to what the slide is about, but here that seems not to be the case. The slide is about MapReduce analytics, with MapReduce being a particular method to filter, sort and generate data from very large databases. This is completely different from what routers do, which is transferring data from one computer network to another.



Photo of the equipment rack with 13 Cisco routers
(Click to enlarge)


The white labels

Most interesting in this photo is the text on the white labels, which unfortunately is very difficult to read. But after I brought these photos under attention, a twitter-user noticed that these labels contained new codewords and names of countries. Eventually the following words could be read, with in gray those that are uncertain:

BAYBRIDGE
TUNISIA

PARTSTREAMER
NETHERLANDS

BAYBRIDGE
SEENFLARE

BAYBRIDGE
BELGIUM

BAYBRIDGE
SIDELIGHT

BAYBRIDGE
MALFRACK

BAYBRIDGE
THAWFACTOR TR82/...

... EXPANSION
GERMANY ...

CRO......
MEVE/ORION ..MG/..EF

BAYBRIDGE
...... ..../....

BAYBRIDGE
FAIRLANE

BAYBRIDGE
ITALY ....

........
....... ....


Most of the routers are labeled BAYBRIDGE, either accompanied by another codeword or by the name of a country: Tunisia, Belgium and probably Italy. The Netherlands and Germany are mentioned on routers which appear to be related to other systems, which for the Netherlands is codenamed PARTSTREAMER. Germany is related to some kind of EXPANSION.

All these codewords are seen here for the first time, so it's not known what they stand for and the variations make it even more difficult to guess what these routers are actually used for. Maybe some future disclosures of NSA documents can provide an explanation.

Update:
On August 15, 2018, The Intercept published a batch of internal SIDtoday newsletters, including one from April 12, 2006 which reveals that BAYBRIDGE is a circuit for the exchange of metadata and analytic information from and to the NSA's foreign partner agencies.



Close-up of the white labels for the routers labeled
BAYBRIDGE TUNISIA and PARTSTREAMER NETHERLANDS


Third Party partners

One thing that these five countries have in common, is the fact that they are 3rd Party partners of NSA. This means there's a close cooperation based upon a formal agreement between NSA and the agency responsible for signals intelligence in a given country.

Belgium, The Netherlands, Germany and Italy are long-time trusted allies of the US, but Tunisia only came more close to the US after 9/11. It for example supported the war on terrorism, conducted joint training exercises with the US, and US Navy ships regularly visited the ports of Bizerte, Sfax, Sousse and Tunis.*

Initially, Tunisia then fell under responsibility of the US European Command (EUCOM), but came under the newly created US Africa Command (AFRICOM) in 2008. There are even plans to move the AFRICOM headquarters from Stuttgart, Germany to Tunisia, after this small north-african country moved away from its close relationship with France in recent years.


We probably can come even closer to what the purpose of these routers is, by looking at where they are used. As we have seen, the photo isn't related to what's in the slide, but as the presentation as a whole is about certain efforts at the NSA's European Cryptologic Center (ECC), we can assume the routers were photographed there.
 

The European Cryptologic Center

The ECC is one of several Cryptologic Centers of the NSA. These were established in the mid-1990s to decentralize SIGINT operations and make their systems more redundant. Initially they were called Regional SIGINT Operations Center (RSOC).

Four of these centers are in the United States and named after the state they are in: Georgia (in Augusta), Texas (in San Antonio), Hawaii (in Honolulu) and Colorado (in Denver). There are two known centers outside the US: the European Cryptologic Center (ECC, in Griesheim, Germany) and the Afghanistan Remote Operations Cryptologic Center (AROCC, in Bagram, Afghanistan).



The NSA's European Cryptologic Center (ECC) at the Dagger
Complex in Griesheim near Darmstadt, Germany
(Photo: AP, July 2014 - Click to enlarge)


The European Cryptologic Center (ECC) is located within the US Army's Dagger Complex outside the small town of Griesheim, near the city of Darmstadt in Germany. In 2011, it had some 240 personnel, consisting of military and civilian members of the military services, NSA civilians and contractors.

On behalf of NSA, the center is operated by the US Army Intelligence and Security Command (INSCOM) and as such is part of the NSA's military branch, the Central Security Service (CSS), more specifically of NSA/CSS Europe and Africa (NCEUR/AF).

The ECC conducts the processing, analysis and reporting of signals intelligence in support of both the European Command and the Africa Command - which perfectly fits the countries we saw on the white labels. The ECC is primarily focussed on Counter-Terrorism and supporting military operations in Africa and the Middle East.

Update:
In March 2016, it was announced that a new Joint Intelligence Analysis Centre will be established at RAF Croughton, a US Air Force base near Milton Keynes, which already processes about a third of US military communications in Europe. The new centre will be the US headquarters for European and African military communications, employing up to 1250 staff analysing intelligence from more than 50 countries. It is due to be completed in 2017.


Military operations

According to NSA historian Matthew Aid, NSA's European center already supported American troops operating in Bosnia and Kosovo in the late 1990s. There were direct communication links not only with US military units, but also with all the SIGINT agencies and units of the partner nations operating in the Balkan, like Germany, France, Italy, the Netherlands, and others.

In a similar way the routers we see in the photo from the presentation could then be used for the exchange or transfer of data related to specific military and counter-terrorism operations, each involving different countries. For now, this seems the most likely option, as it could also explain the variations of the codewords.

This seems to be different from SIGDASYS, which is a database system where NSA and some partner agencies can put in and pull out military intelligence information on a more regular basis. Also, SIGDASYS is part of the SIGINT Seniors Europe (SSEUR or 14 Eyes) group, which doesn't include Tunisia.



Links and sources
- Matthew Aid: The European Cryptologic Center at Darmstadt, Germany (2013)
- Presentation about the US Army Intelligence and Security Command (INSCOM) (pdf, 2013)
- NIST: Cisco 2811 and Cisco 2821 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy (pdf, 2005)

April 8, 2015

Torus: the antenna to significantly increase satellite interception

(Updated: November 24, 2015)

At three satellite facilities, in Britain, Cyprus and New Zealand, there's a special antenna that allows NSA's partner agencies a significant increase in their capability to collect satellite communications.

This antenna is called Torus, and while conventional parabolic dish antennas can only view one satellite at a time, one single Torus antenna is able to receive the signals from up to 35 communications satellites.

These rare and expensive Torus antennas are used by some television networks, but a close look at photos of the Five Eyes satellite stations has now revealed the locations where Torus antennas are also used for gathering signals intelligence.



A General Dynamics Satcom Technologies Torus antenna
with the array of receiver heads clearly visible



The Torus antenna is rectangular, instead of circular like the conventional satellite dishes. Its quasi-parabolic shape is actually a section of a geometrical shape called torus, which it gave its name. Where a conventional satellite antenna only has one receiving head, called a Low-Noise Block (LNB) downconverter, a Torus antenna has many of them, placed in an array.



How one Torus antenna (brand name Simulsat) is able
to receive the signals of up to 35 satellites
(Source: Evertz.com - Click to enlarge)


With a focal arc instead of a single focus point, the Torus antenna can pick up the signals from a range of satellites which are in a GeoStationary Orbit (GSO), a fixed position above the equator. This is the case for most of the more than 100 communications satellites. Because a Torus antenna has to be aligned with the position of multiple satellites, it has to be adjusted to a specific position and therefore cannot be turned or spin around like circular satellite dishes.


Satellite collection

The usage of Torus antennas for signals intelligence first became clear from a slide that was part of a 2011 presentation for the annual Five Eyes conference. It was published in May 2014 in Glenn Greenwald's book No Place To Hide.

The slide is titled "New Collection Posture" and contains a diagram showing the various steps in the process of satellite collection. Greenwald saw this as evidence that NSA wants to "Collect it All", although the diagram clearly shows this refers to just one particular stage:



(The full presentation for this slide)


For the first step of this process it's said that "Torus increases physical access" - a clear description of the fact that one such antenna can receive the signals from many satellites. With one satellite having between 24 and 32 transponders to relay a signal, one Torus antenna, under the right circumstances, could in theory receive nearly 1,000 communications channels simultaneously.

This doesn't necessarily means that with Torus antennas, the Five Eyes agencies are now "collecting everything". The new antenna allows them access to much more satellites, but in the next stage (dubbed "Know it All") they look for and pick out the channels that have the best chances for useful information.


More access also means the need for more capacity to process these incoming signals, because they have to be converted, demodulated and demultiplexed before something can be done with them. And for internet communications, also more XKEYSCORE (XKS) servers would be needed for buffering, so analysts can sort out data of interest.

Torus antennas are useful to "increase the haystack", which doesn't mean that the whole haystack is stored - only those tufts that are likely to contain "needles".



Torus interception antennas

Now knowing what to look for, it was quite easy to "spy back" on the satellite intercept stations through the aerial images of Google Maps. By doing so, we can recognize Torus antennas in Britain, Cyprus and New Zealand.


Waihopai, New Zealand

Most information about the use of a Torus antenna for signals intelligence is available for the one at the Waihopai satellite intercept station in New Zealand, which is codenamed IRONSAND.

According to an article that was originally published in The Marlborough Express in July 2007, the Torus at Waihopai was built the month before and was expected to be operational later that year. Then GCSB director Bruce Ferguson said that this new dish would enable satellites to be tracked more efficiently, and with a cost of under 1 million dollars, it was very good value for money, he said.



The Waihopai station in 2012, with the Torus antenna at the far left
(Photo: Gilbert van Reenen/Vital Images - Click to enlarge)


The new Torus antenna joined the existing satellite dishes, the first of which was built in 1989, and the second in 1998. These dishes are covered by domes, which make them look like giant golf balls. According to the GCSB director this was to ward off the weather, but it is generally considered that it is actually to prevent seeing which direction the dishes face.

The Torus didn't get such a covering, maybe because it only has limited ability to manoeuvre on a fixed pad. But had the Torus antenna been covered like the old dishes, we wouldn't have known about this new and increased satellite interception capability.



The GCSB satellite station Waihopai, before (2005) and
after (2008) the Torus antenna was installed


The Torus at Waihopai is also mentioned in a recently disclosed GCSB presentation from April 2010, which says: "TORUS now enabling an increase of COMSAT/FORNSAT collection". This sounds like this antenna became operational not long before, although it was already installed in 2007. Maybe it took a few years before the necessary processing capacity became fully functional.


Bude, United Kingdom

A second Torus antenna used for satellite interception is at GCHQ Bude, in the west of Cornwall, in the United Kingdom. Bude, codenamed CARBOY, is a large station where GCHQ and NSA cooperate in the interception of both satellite and submarine cable communications.

Here, satellite interception started in the late 1960s with two giant dishes with a diameter of 27 meters. Nowadays there are 21 satellite antennas of various sizes that can cover all the main frequency bands and seem generally orientated towards the INTELSAT, Intersputnik and INMARSAT communication satellites.

The Torus antenna at GCHQ Bude must have been installed somewhere between January 2011 and June 2013: on the current Google Maps image, which is from December 30, 2010, the Torus antenna isn't yet present, but in the picture below, which is from June 23, 2013, the distinctively shaped antenna is clearly visible:



Satellite dishes at GCHQ Bude in Cornwall, with the Torus
antenna just right of the big radome in the center
(Photo: Reuters/Kieran Doherty - Click to enlarge)



Ayios Nikolaos, Cyprus

A third Torus antenna is installed at the GCHQ listening station Ayios Nikolaos, which is part of the British Sovereign Base Area (SBA) of Dhekelia in Cyprus, where British signals intelligence has already been present since the late 1940s.

This listening station is codenamed SOUNDER and is part of the Five Eyes satellite interception network that became known as ECHELON. A Google Maps satellite photo shows that there are several large and small satellite dishes, including one that can be recognized as a Torus antenna:



Satellite dishes at GCHQ Ayios Nikolaos in Cyprus with
the one at the left recognizable as a Torus antenna
(Photo: Google Maps - Click to enlarge)


This satellite image is from April 12, 2014, but because for this location no earlier images are available, it's not possible to say in which year this Torus antenna was installed. This makes that for now, the oldest reference to a Torus antenna used for signals intelligence is for Waihopai in New Zealand (2007).

Updates:
As a reader noticed in a comment below, images from Google Earth show that the Torus antenna at Ayios Nikolaos must have been built somewhere between May 2008 and April 2011, according to the images available for those dates.

So for signals intelligence, Torus antennas were subsequently set up in Waihopai (2007), in Ayios Nikolaos (between 2008 and 2011) and in Bude (between 2011 and 2013).

A GCHQ document from July 2010 mentions Torus as one of the then current projects "which provide new capabilities and may reduce support costs".

According to a report (pdf) from the Nautilus Institute about Torus antennas from May 28, 2015, a Torus was also installed at Menwith Hill Station late 2011, this time underneath a slightly 'squashed' radome. Another one was installed in 2012 at the GCHQ satellite station near Seeb in Oman, which is codenamed SNICK. Finally, in 2008, a Torus antenna was set up at the Pine Gap station in Australia, which also got a satellite intercept function in the early 2000s.

No Torus dishes were visible at the other major satellite stations of the Five Eyes countries, like Yakima and Sugar Grove in the US, Menwith Hill in the UK, Misawa in Japan, and Geraldton in Australia. Torus antennas can also not be seen in aerial photos of the satellite intercept facilities in allied countries like The Netherlands, Denmark, Germany, and Austria.



Development

The Torus antenna was developed in 1973 by COMSAT Laboratories in Clarksburg, Maryland, where it operated an experimental installation that communicated with Intelsat satellites.

The original version of the Torus antenna was able to receive the signals of up to 7 satellites simultaneously and costed 1,1 million US dollars. At that time, the price of a conventional dish, that was much larger than those used nowadays, was around 800,000 dollars.


Probably the first experimental Torus antenna of Comsat,
here being disassembled in August 2007
(Photo: Dennis Boiter/Comara.org - Click to enlarge)


In 1979, COMSAT applied for the Federal Communications Commission (FCC) to build three Torus antennas for commercial use: in Etam (West Virginia), Andover (Maine) and Jamesburg (California). Each of them had to communicate simultaneously with three American domestic satellites which were in a geostationary orbit at 4° degrees apart from eachother.

After the presentation of the first commercial Torus antenna in 1981, the system didn't become very popular, apparently because the efficiency of this antenna type was less than the parabolic satellite dishes and also had increased sidelobe levels. General Dynamics was apparently able to reduce these effects by the offset design of its custom made antennas.


Manufacturers

The largest and custom made Torus antennas appear to be manufactured by General Dynamics Satcom Technologies. Smaller, standard Torus antennas are available from General Dynamics' subsidiary Antenna Technology Communications Inc (ATCi), which produces three types under the brand name Simulsat. The width of these dishes is between 8 and 13 meters.

Reportedly there are only about 20 Torus antennas in the world, but it's not clear whether this number is only about the largest ones made by GD Satcom Technologies, or that it also includes that smaller dishes from ATCi. Main customers are the US federal government and television stations that feed their cable networks with a large number of satellite channels.



Simulsat antenna at the Microsoft campus in Silicon Valley


Television networks

An example of a Torus used by television networks is the American sports broadcaster ESPN, which had a 24-meter Torus antenna installed at its headquarters in Bristol, Connecticut, in 2007. DIRECTV has three Torus dishes, including one at its Los Angeles Broadcast Center (LABC), which receives signals from 32 satellites.

It's not known what the price of a Torus antenna is, but it comes probably near 1 million dollars. This can be worth it as one single Torus eliminates the need to install multiple conventional parabolic dishes, that can cost up to several hundred thousand dollars each.
 

Update:
After this article had been published, a number of other Torus-antennas were found by Cryptome, @sigwinch and other people. Most of them are at the dish farms of television networks and commercial satellite companies. Until now, 17 additional Torus antennas can be seen at:

- CIA headquarters (present already in 2000)
- Schriever Air Force Base in Colorado
- An Intelsat ground station near Napa, California (2)
- An Intelsat ground station in Nuevo, California
- An Intelsat ground station near Atlanta, Georgia
- An RRsat America ground station near Hawley, Pennsylvania
- An Intelsat dish farm in Long Beach, California
- An Echostar satellite downlink facility in Chandler, Arizona
- The Intelsat Teleport near Castle Rock, Colorado
- An Echostar Broadcast Center in Cheyenne, Wyoming
- A satellite station near Lake Pochung, New Jersey
- A satellite ground station in Vernon county, New Jersey
- The HBO Communication Center in Hauppage, New York
- The roof of HBO Studio Productions in New York City (2)
- The Inmarsat access station in Nemea, Greece



Links and sources
- Nautilus.org: Expanded Communications Satellite Surveillance and Intelligence Activities Utilising Multi-beam Antenna Systems (pdf)
- Stuff.co.nz: Snowden Files: Inside Waihopai Domes
- Business sheet: General Dynamics SATCOM Technologies Business Overview (pdf)
- Product sheet: General Dynamics 7.0 Meter Torus (pdf)

In Dutch: Meer over het wetsvoorstel voor de Tijdelijke wet cyberoperaties