csec-france-babar

03/21/2014

Le Monde 1/2 (Google Translation):

The victim posture displayed by France since the revelations about the NSA's activities against it is likely to be less credible. The French authorities, who like to alert the public to the dangers that constantly threaten our state secrets or those of our strategic sectors, have been caught red-handed spying in all directions, on friendly countries as well as on those considered dangerous.

The Canadian secret services indeed suspect their French counterparts of being behind a large-scale computer hacking operation, which is said to have started in 2009 and to be still continuing, by means of a spy implant.

The attack is said to target, first of all, half a dozen Iranian institutions linked to that country's nuclear program. According to an internal memo that Le Monde was able to see, it also concerns targets with no direct link to the fight against nuclear proliferation. The Canadian secret services report the presence of the implant in Canada, Spain, Greece, Norway, Côte d'Ivoire and Algeria.

STATE COMPUTER ESPIONAGE IN FRANCE

More surprisingly, this state computer espionage was, according to the Canadians, used against targets in France, which would constitute a serious breach of the rules governing the remit of the French secret services. The only service with the technical expertise to conduct such an operation, the Directorate General of External Security (DGSE), officially acts only outside our borders. Often suspected, including by some members of the Central Directorate of Internal Intelligence (DCRI), of extending its activities into France, the DGSE has always denied it.

The document revealing this case comes from the Communications Security Establishment Canada (CSEC), the country's technical intelligence service. It was extracted from the archives of the American National Security Agency (NSA) by its former consultant Edward Snowden. Dated 2011, it appears to have been designed to present, within CSEC, the details of a hunt successfully conducted against an offensive computer weapon, in this case one that makes it possible to incriminate France. This educational note gives the technical characteristics of the implant and says, more or less precisely, what its targets were before delivering its verdict on its owner.

"We believe, with a moderate degree of certainty," CSEC concludes, "that it is an operation on computer networks supported by a State and implemented by a French intelligence agency." In a world where there is no absolute certainty in the attribution of cyber attacks, and where several possibilities are generally kept open even when suspicions are substantiated, this case, which makes a direct link with a state power, is quite rare. The finding was also shared with the other four members of the very closed circle called the "Five Eyes", which brings together the American, British, Australian, Canadian and New Zealand secret services.

AN IMPLANT WHOSE PROFILE HAS STEADILY BECOME MORE SOPHISTICATED

The hunt began, according to CSEC, in November 2009, when Canadian experts detected the presence of a suspect implant whose profile has become steadily more sophisticated over the years. The French secret services are said to be interested, as a priority, in Iranian targets involved at various levels in Tehran's process of obtaining nuclear technology. Alongside the Ministry of Foreign Affairs of Iran, there are four institutions: the University of Science and Technology of Iran, the Organization of Atomic Energy of Iran, the Iranian Organization for Research for Science Technology (University Imam Hossein, Tehran) and Malek-Ashtar University (Tehran). These institutions are under the strict control of the Iranian security services.

The French intelligence services are far from being the only ones working on Iran. Their Israeli counterparts and their close American allies have long made it a priority and have significant technical means. According to a source in the French intelligence community, confirmed by a diplomat in Paris working on Iran, France was until now better known for drawing its information on this country from elements passed on by Tel Aviv and Washington than from its own collection. "That Paris can act independently, rather than in 'co', shows the progress made between 2006 and 2010 by the French in computer attacks through the investment and hiring made by the technical directorate of the DGSE," says one of these two sources interviewed by Le Monde.

From now on, according to the same expert, France would be able to take part in a form of barter with its allies. "After having collected enough sensitive information, we can then begin to share with our American, British, German and Israeli friends, taking care not to reveal the means that allowed us to find it, because, allies or not, if they understand our techniques they take countermeasures to protect themselves, which forces us to develop new computer tools, and that costs money."

A FRENCH-CANADIAN MEDIA OUTLET WAS ALSO TARGETED

According to CSEC, the spy implant was also spotted in other geographical areas. Under the heading "former French colonies," the Canadian secret services cite the Ivory Coast and Algeria as other targets. Beyond its interest in terms of regional policy, Abidjan was in 2010 at the heart of the presidential race. The confrontation between the Ivorian president Laurent Gbagbo and former Prime Minister Alassane Ouattara, who emerged victorious at the end of the second round in November, plunged the country into four months of civil war. Algiers, for its part, broke off dialogue with Paris in late 2009, while the country remains a major regional player for France, especially on security issues.

To illustrate the variety of targets attributed to the French, CSEC mentions other countries where the spy implant was detected: Spain, Norway and France appear on this list without further detail. It is not known whether these targets are linked to the fight against nuclear proliferation or were targeted for other reasons. Greece, for its part, appears with the note "possible link with the European Financial Association" and, under the "Five Eyes" heading, we learn that a French-Canadian media outlet has also been targeted.

THE YOUNG COMPUTER HACKERS OF THE FORT OF NOISY

While the Canadians cite only the French secret services as possible perpetrators of this operation, they say they do not know the exact name of the intelligence agency that would have orchestrated it. The possibilities are, however, limited. It could be, first and foremost, the technical directorate of the DGSE, located on boulevard Mortier in the 20th arrondissement of Paris, and in particular its young computer scientists and hackers working at Fort Noisy, Romainville (Seine-Saint-Denis).

The army does have a cyber defense unit, and offensive weapons are claimed in the White Paper on Defence of 2013, but the list of targets points more to a civilian service such as the DGSE.

Asked by Le Monde, the DGSE declined to comment "on actual or alleged activities." CSEC, however, was more forthcoming and confirmed to Le Monde that this document did indeed originate from its services, without going into the details of this hunt for spy software.

This is a real hunt waged by the Canadian technical secret services, the Communications Security Establishment Canada (CSEC). It is recounted in the document provided to Le Monde by Edward Snowden, in which they present their findings. Sparing with details, this document nevertheless makes it possible to retrace the investigation that led to the finger being pointed at France.

As in a hunting party, it is tracks that first draw the attention of the Canadian services. The internal memo indeed shows that CSEC collects a certain amount of data on the Internet daily and automatically.

This mass of data is then digested by a program designed to detect anomalies, such as unusual activity or abnormal file transfers. In this huge haystack, the Canadian spies find a needle: portions of computer code from an unidentified, intriguing program.

FOR "FOREIGN INTELLIGENCE COLLECTION"

The bloodhounds name this mysterious object "Snowglobe" (snow globe). From the first pages, the document explains that the experts "feel" that what they have before them is intended for "foreign intelligence collection".

Further on, they state that the nature and location of its targets "do not fit the crime" of the traditional kind. Finally, the memo adds that, by dissecting the program, CSEC engineers concluded that this computer object, once lodged on the target, "collects emails from specific, targeted accounts".

CSEC then focuses on the servers with which the infecting programs communicate. These servers, or "listening posts", seem to play a crucial role, since they remotely control the "Snowglobe" software infecting the computers concerned. Reading the document, we understand that, as a first step, the CSEC investigators manage to locate one of these listening posts.

"PARASITIC" INFECTION, ACCORDING TO THE DOCUMENT

The agency then turns its big ears to the networks to find similar infrastructure. With two monitoring programs, CSEC gets a more precise idea of the setup and operation of these "listening posts". The CSEC presentation explains that these "posts" nest in two types of servers. The first does not require going broke. This contrasts with the second type of infection, "parasitic" in the words of the document, where the "listening post" coexists with other programs that are totally unrelated to it.

On this point, the CSEC analysts seem perplexed. They are unable to tell whether these "posts" are installed on the servers without the knowledge of their owners, through hacking, or whether the attackers proceeded by "special access". In the hushed language of spies, this would mean that a legal order was issued or a partnership signed between the intelligence agency responsible for "Snowglobe" and the owner of a server, the latter being forced to open the doors of his server to host one of these "listening posts". Probably a mixture of both techniques, CSEC concludes.

Once this set of "listening posts" has been spotted, the Canadian experts focus their monitoring on one of them, in the manner of a police stakeout. When the person operating the malware connects to it remotely, the Canadians use a security flaw to slip discreetly into the "listening post" in turn.

"TITI", THE NICKNAME OF A SPY SOFTWARE DEVELOPER

The Canadian services then recount their efforts to find the identity of whoever is behind "Snowglobe." In doing so, they come across several troubling elements: the nickname of a developer of the spy software, "Titi", nestled among the lines of code, is presented as "a French diminutive".

Then come awkward English phrasings in the software interface, and the use of the kilo-octet as a unit of measurement rather than the kilobyte, the unit proper to the English-speaking world.

Finally, in a detail that is undoubtedly the most surprising and might, in some respects, raise a smile, the Canadians pick out the name given to the spy program by its developer: "Babar", named after the famous pachyderm imagined by Jean de Brunhoff. The image of a happy, frolicking elephant even holds pride of place in the middle of the top-secret presentation to illustrate this finding. This, together with the nature and origin of the spy software's targets, ultimately leads the Canadian services to point the finger at one suspect: France.

NO INDICATION OF THE NUMBER OF INFECTED COMPUTERS

All the clues found in the investigation are discussed very cautiously by the Canadians. This caution is warranted. The attribution of a computer attack that conceals its origin is an extremely difficult exercise, even for the best specialists. "At best, it is possible to have an idea of one's opponent, to know whether it has a lot of resources and time," says one expert on the subject. In this case, he says, after having consulted part of the CSEC presentation, "it is a little above what one usually sees".

The assessment is all the more difficult because the CSEC experts give no indication of the number of infected computers, do not say whether the agency was able to identify them all, and do not describe how the spy software goes about intercepting the targets' emails.

The CSEC presentation ends with an admission. The spyware has mutated. According to the Canadian experts, an improved, more "sophisticated" version of "Snowglobe", discovered in mid-2010 and called, this time, "Snowman", was still resisting them at the time this document was written.