

Spy Files 3 - frank_boyd
http://wikileaks.org/spyfiles3p.html

======
TheLegace
From the gist of the incredibly difficult to decipher training manual there
are 4 systems. Overview of network topology is here:
[http://i.imgur.com/gzw6nAT.png](http://i.imgur.com/gzw6nAT.png)

1) ADMF-Client & Infection GUI

These seem to be HP Compaq computers, running Windows 7 Ultimate, FinFlyISP
GUI and an XMPP client (which runs over TLS and is secure). This is a tool for
LEA to use which interfaces with the ADMF backend for managing infections,
selection of infection methods, realtime status info and management of all
components.

2) ADMF - Central Administration Function

This is the backend which all the LEA terminals in 1 connect to. These are HP
DL380 G6 Intel Xeon X5550 @ 2.67GHz servers running hardened Debian (by
Dreamlab best practices). It is a core component of their infrastructure and
communicates in realtime with all their other component systems. It stores the
configuration and initiation of infections. Realtime exchange of info and
states (target coming online, being infected, etc.). Contains RFC XMPP used for
secure encrypted communications.

3) Network Data processing component (iProxy/NDP01/NDP02)

Infections are remotely activated by ADMF in 2 via the GUI. Each NDP is
bridged with a 10GB/s fiber bypass module. In case of hardware/logical failures
this module switches automatically to bypass mode. Thus traffic will never be
interrupted. ATTENTION: this is a highly dynamic bridge, do not change any
configuration manually. NDP has been specially configured for this network;
any changes are tightly coordinated with Dreamlab.

4) Radius Probe(RP01/RP02)

Realtime monitoring of AAA processes which include:

1. Targets coming online

2. Receiving IP addresses

3. Changing IP addresses

4. Going offline

Recording of RADIUS authentication and accounting dialogues. Being always up
to date on the target IP, the RP sends info to ADMF, and the ADMF provisions
the NDP. Running the same hardware/OS as 3. The RPs have a bidirectional
connection with the broadband remote access server (BRAS) [1], which is what
connects an ISP's network to the global internet. BRAS aggregates user sessions
from the access network. This is where ISPs can inject policy management and
QoS. It aggregates connections from locally dispersed DSLAMs in an ISP's area
network.

Communications Visualized

The slide explains that communication of all components always is initiated
towards the ADMF.

[http://i.imgur.com/qOQfVYd.png](http://i.imgur.com/qOQfVYd.png)

Use Cases

1. GUI->ADMF [Infect a target]

2. ADMF->Radius probe [Start monitoring/set a trap on target]

3. Radius->ADMF->NDP/iProxy [Handover of IP]

4. iProxy->NDP [iProxy requests NDP to analyse datastream on IP and
"interesting" traffic]

5. NDP->iProxy [Handover traffic matching request]

6. iProxy [changes traffic and modifies data by adding infection parts]

7. iProxy->NDP [iProxy sends modified traffic data to NDP]

8. NDP Reinject [NDP recalculates checksums/resequences TCP/IP packets and
reinjects traffic into the stream]

9. Target infection done [Data successfully sent to target]

[1]
[http://en.wikipedia.org/wiki/Broadband_Remote_Access_Server](http://en.wikipedia.org/wiki/Broadband_Remote_Access_Server)
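The Radius Probe behaviour summarised in item 4 of the comment above (target comes online, receives an IP, changes IP, goes offline), as an added example that is not part of the comment, the leaked manual or any Gamma/Dreamlab code: a minimal RADIUS Accounting-Request decoder that checks the RFC 2866 Request Authenticator before trusting a packet, plus a session tracker that turns Start/Interim-Update/Stop records for a watched username into those four events. The shared secret, usernames, session IDs, addresses and the packets themselves are constructed for the demo.

```python
import hashlib
import hmac
import ipaddress
import struct

# RFC 2865/2866 packet code and attribute types used by the probe
ACCT_REQUEST = 4
USER_NAME, FRAMED_IP, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 8, 40, 44
START, STOP, INTERIM = 1, 2, 3


def parse_attributes(body):
    """Decode the type/length/value attribute list; last occurrence of a type wins."""
    attrs, off = {}, 0
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length = body[off], body[off + 1]
        if length < 2 or off + length > len(body):
            raise ValueError("bad attribute length")
        attrs[t] = body[off + 2:off + length]
        off += length
    return attrs


def build_acct_request(ident, secret, attrs):
    """Encode an Accounting-Request with the RFC 2866 Request Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def parse_acct_request(pkt, secret):
    """Validate length and Request Authenticator, then return (identifier, attributes)."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCT_REQUEST or length < 20 or length > len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    pkt = pkt[:length]  # octets beyond Length are padding and are ignored
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    if not hmac.compare_digest(pkt[4:20], expected):
        raise ValueError("Request Authenticator mismatch: wrong secret or spoofed packet")
    return ident, parse_attributes(pkt[20:])


class RadiusProbe:
    """Track target sessions from mirrored Accounting-Requests and emit the four RP events."""

    def __init__(self, secret, targets):
        self.secret, self.targets = secret, set(targets)
        self.sessions = {}  # Acct-Session-Id -> current IP (None until Framed-IP-Address seen)

    def feed(self, pkt):
        _, a = parse_acct_request(pkt, self.secret)
        user = a.get(USER_NAME, b"").decode("utf-8", "replace")
        if user not in self.targets or ACCT_STATUS_TYPE not in a:
            return []
        status = int.from_bytes(a[ACCT_STATUS_TYPE], "big")
        sid = a.get(ACCT_SESSION_ID, b"")
        ip = str(ipaddress.IPv4Address(a[FRAMED_IP])) if FRAMED_IP in a else None
        events = []
        if status == START:
            self.sessions[sid] = None
            events.append(("online", user, None))
        if status in (START, INTERIM) and ip is not None:
            old = self.sessions.get(sid)
            if old is None:
                events.append(("ip_assigned", user, ip))
            elif old != ip:
                events.append(("ip_changed", user, ip))
            self.sessions[sid] = ip
        if status == STOP:
            events.append(("offline", user, self.sessions.pop(sid, ip)))
        return events


def demo():
    """Constructed traffic: one watched session, one non-target, one forged packet."""
    secret = b"constructed-shared-secret"
    probe = RadiusProbe(secret, targets=["alice"])
    u32 = lambda n: struct.pack("!I", n)
    ip4 = lambda s: ipaddress.IPv4Address(s).packed
    sid = b"sess-0001"
    pkts = [
        build_acct_request(1, secret, [(USER_NAME, b"alice"), (ACCT_STATUS_TYPE, u32(START)), (ACCT_SESSION_ID, sid)]),
        build_acct_request(2, secret, [(USER_NAME, b"alice"), (ACCT_STATUS_TYPE, u32(INTERIM)), (ACCT_SESSION_ID, sid), (FRAMED_IP, ip4("10.0.0.5"))]),
        build_acct_request(3, secret, [(USER_NAME, b"bob"), (ACCT_STATUS_TYPE, u32(START)), (ACCT_SESSION_ID, b"sess-0002"), (FRAMED_IP, ip4("10.0.0.6"))]),
        build_acct_request(4, secret, [(USER_NAME, b"alice"), (ACCT_STATUS_TYPE, u32(INTERIM)), (ACCT_SESSION_ID, sid), (FRAMED_IP, ip4("10.0.0.9"))]),
        build_acct_request(5, secret, [(USER_NAME, b"alice"), (ACCT_STATUS_TYPE, u32(STOP)), (ACCT_SESSION_ID, sid), (FRAMED_IP, ip4("10.0.0.9"))]),
    ]
    events = [e for p in pkts for e in probe.feed(p)]
    forged = build_acct_request(6, b"wrong-secret", [(USER_NAME, b"alice"), (ACCT_STATUS_TYPE, u32(STOP)), (ACCT_SESSION_ID, sid)])
    try:
        probe.feed(forged)
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return events, forged_rejected


if __name__ == "__main__":
    print(demo())
```

Two practitioner notes. First, the authenticator check matters on both sides: a probe that skips it can be fed spoofed Start/Stop records by anyone who can reach the mirrored port, and conversely an ISP that audits its RADIUS path for a passive tap gets no protocol-level signal, since a probe only listens. Second, the events are keyed on Acct-Session-Id rather than on username, because a BRAS that re-assigns addresses mid-session reports the new address in Interim-Update records, which is the "changing IP addresses" case the comment lists.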
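Use-case step 8 above (NDP recalculates checksums and resequences TCP/IP packets before reinjecting) as an added example, again not the comment's, the manual's or Gamma's code: it splices bytes into one server-to-client TCP segment, recomputes the IPv4 total length, IPv4 header checksum and TCP checksum over the pseudo-header, and then shifts the sequence numbers of every later server-to-client segment and the acknowledgement numbers of the client's replies by the number of injected bytes so neither end sees a gap. Addresses (RFC 5737 ranges), ports, the HTTP payload and the injected marker are constructed; nothing is put on a wire.

```python
import socket
import struct

PROTO_TCP = 6


def ones_complement(data):
    """RFC 1071 Internet checksum; yields 0 over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def split(pkt):
    """Return (ipv4_header, tcp_header, payload); fragments and reassembly are not handled."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != PROTO_TCP:
        raise ValueError("not TCP")
    doff = (pkt[ihl + 12] >> 4) * 4
    return pkt[:ihl], pkt[ihl:ihl + doff], pkt[ihl + doff:]


def fix_checksums(ip_hdr, tcp_hdr, payload):
    """Rebuild the packet: IPv4 total length, IPv4 header checksum, TCP checksum with pseudo-header."""
    ip_hdr, tcp_hdr = bytearray(ip_hdr), bytearray(tcp_hdr)
    struct.pack_into("!H", ip_hdr, 2, len(ip_hdr) + len(tcp_hdr) + len(payload))
    struct.pack_into("!H", ip_hdr, 10, 0)
    struct.pack_into("!H", ip_hdr, 10, ones_complement(bytes(ip_hdr)))
    pseudo = bytes(ip_hdr[12:20]) + struct.pack("!BBH", 0, PROTO_TCP, len(tcp_hdr) + len(payload))
    struct.pack_into("!H", tcp_hdr, 16, 0)
    struct.pack_into("!H", tcp_hdr, 16, ones_complement(pseudo + bytes(tcp_hdr) + payload))
    return bytes(ip_hdr) + bytes(tcp_hdr) + payload


def checksums_ok(pkt):
    """What a receiving host or an IDS can verify: both checksums must come out at zero."""
    ip_hdr, tcp_hdr, payload = split(pkt)
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, PROTO_TCP, len(tcp_hdr) + len(payload))
    return ones_complement(ip_hdr) == 0 and ones_complement(pseudo + tcp_hdr + payload) == 0


def build_packet(src, dst, sport, dport, seq, ack, flags, payload):
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0x1234, 0x4000, 64, PROTO_TCP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return fix_checksums(ip_hdr, tcp_hdr, payload)


class Reinjector:
    """Splice bytes into the server->client stream and keep both directions' numbering consistent."""
    def __init__(self):
        self.delta = 0  # bytes added to the server->client byte stream so far

    def _shift(self, pkt, field_off, amount):
        ip_hdr, tcp_hdr, payload = split(pkt)
        tcp_hdr = bytearray(tcp_hdr)
        value = struct.unpack_from("!I", tcp_hdr, field_off)[0]
        struct.pack_into("!I", tcp_hdr, field_off, (value + amount) & 0xFFFFFFFF)
        return fix_checksums(ip_hdr, bytes(tcp_hdr), payload)

    def downstream(self, pkt, marker=None, extra=b""):
        """Server->client: inject after marker if present, then shift seq by earlier injections."""
        ip_hdr, tcp_hdr, payload = split(pkt)
        idx = payload.find(marker) if marker else -1
        if idx >= 0:
            payload = payload[:idx + len(marker)] + extra + payload[idx + len(marker):]
            pkt = fix_checksums(ip_hdr, tcp_hdr, payload)
        out = self._shift(pkt, 4, self.delta)  # seq lives at TCP offset 4
        if idx >= 0:
            self.delta += len(extra)
        return out

    def upstream(self, pkt):
        """Client->server: the client ACKs injected bytes the real server never sent."""
        return self._shift(pkt, 8, -self.delta)  # ack lives at TCP offset 8


def demo():
    """Constructed two-segment HTTP response plus the client's ACK."""
    server, client = "203.0.113.10", "198.51.100.7"
    html = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>hi"
    tail = b"</body></html>"
    extra = b"<!-- injected -->"  # stands in for whatever an iProxy would add
    seg1 = build_packet(server, client, 80, 40000, 1000, 5000, 0x18, html)
    seg2 = build_packet(server, client, 80, 40000, 1000 + len(html), 5000, 0x18, tail)
    r = Reinjector()
    new1 = r.downstream(seg1, b"<body>", extra)
    new2 = r.downstream(seg2, b"<body>", extra)  # marker absent: only the seq moves
    seen = 1000 + len(html) + len(extra) + len(tail)
    fixed_ack = r.upstream(build_packet(client, server, 40000, 80, 5000, seen, 0x10, b""))
    return {
        "all_valid": all(checksums_ok(p) for p in (new1, new2, fixed_ack)),
        "ip_len_ok": struct.unpack_from("!H", new1, 2)[0] == len(new1),
        "payload1": split(new1)[2],
        "seq2_shift": struct.unpack_from("!I", split(new2)[1], 4)[0] - (1000 + len(html)),
        "ack_shift": seen - struct.unpack_from("!I", split(fixed_ack)[1], 8)[0],
        "extra_len": len(extra),
        "tamper_detected": not checksums_ok(seg1[:-1] + bytes([seg1[-1] ^ 0xFF])),
    }
```

What the toy leaves out is exactly where real deployments get caught: TCP options (SACK blocks and timestamps also have to be rewritten), a Content-Length header that must be adjusted or the client will truncate or hang, IP fragments, and the fact that none of this works once the content is inside TLS, which is why the manual's infection path targets plaintext downloads. The checksums_ok function is also the cheapest detection hook an operator has: an injector that forgets a recompute produces segments the host silently drops, and an IDS watching for seq/ack discontinuities between the two directions of a flow will see the resequencing delta directly.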

~~~
dmix
What exactly is an "infection"?

~~~
swatkat
FinFisher wikipedia page:

[http://en.wikipedia.org/wiki/FinFisher](http://en.wikipedia.org/wiki/FinFisher)

It talks about the "infection" and its "use by repressive regimes" among other
things.

------
conductor
I'm glad this time it is getting more up-votes than the previous submission
[0].

There are many interesting documents here, for example the "Finfisher FINFly
ISP 2.0 Infrastructure Product Training" [1] which is a presentation/guide
from www.gammagroup.com about how to use their software to "infect" the target
and collect information about it.

[0] -
[https://news.ycombinator.com/item?id=6329435](https://news.ycombinator.com/item?id=6329435)

[1] -
[https://wikileaks.org/spyfiles/docs/GAMMA_2010_FinfFINFISP_e...](https://wikileaks.org/spyfiles/docs/GAMMA_2010_FinfFINFISP_en.html)

~~~
gcb1
but still going slow.

btw reading some of those files and seeing the presentations remind me of the
animated tv show Archer...

------
runn1ng
This is why you need actual journalists... this is just heap of data that's
hard to decipher and hard to make sense of.

~~~
1123581321
I find that when dumps of data are released, other journalists go through it
and curate it. So, I see WL as making more good journalism possible because
there are a lot of curators who do not also have the resources to collect
material to curate.

~~~
runn1ng
I didn't mean it as a criticism of wikileaks! What they are doing is great!

It's just, the data itself are useless if you don't find some narrative, some
story in it.

And, frankly, Assange himself admitted it before that just releasing dumps and
hoping for people to find something in it is not the best thing to do.

~~~
1123581321
I understand. I would like if WL developed the resources to curate as well as
release entire data sets.

------
mkup
There's a screenshot on page 49 of
[https://wikileaks.org/spyfiles/docs/GAMMA_2010_FinfFINFISP_e...](https://wikileaks.org/spyfiles/docs/GAMMA_2010_FinfFINFISP_en.html)
(logs of ADMF trojan upload service) which mentions resource
"chrome_installer(3)_129271991323222656.exe" was processed.

Doesn't it mean that ADMF of FinFly somehow interferes with browser auto-update
in order to upload its trojan to the target computer? I know the browser
update file must be somehow cryptographically signed, but the NSA may have access
to the private RSA key used for browser updates, which allows such types of
attacks. Isn't it?

~~~
toyg
I haven't read the docs, but from the wikileaks page describing it, I assume
the malware "wraps" any exe. If it then manages to "unwrap" (on save?) and
disappear before crypto checks happen, then they don't actually need to
attack the crypto.

------
joering2
I don't have time to read all this but I wish. Please anyone: I need names of
organizations and those on the top involved, so I can create my own "no-use
list" and avoid those at any cost.

Thank you.

~~~
samstave
* .mil

* .gov

~~~
mturmon
* .com

------
lawnchair_larry
The discussion here so far seems to be talking about something other than the
general page that this link points to, as if the other commenter had some
context that the current title no longer provides. I see Gamma Group being
discussed specifically.

I'm going to guess that the title was edited again, so we don't have the
intended context. What was the original title?

------
detcader
Making all the text of these docs searchable from a single webpage would be
lovely..

~~~
dbuxton
[https://www.google.co.uk/search?q=site%3Awikileaks.org%2Fspy...](https://www.google.co.uk/search?q=site%3Awikileaks.org%2Fspyfiles%2Fdocs)

------
lobo_tuerto
Why does it say to disable ipv6 along with the likes of no direct root login
allowed in the "System and Bios hardening" section? (page 40)

[https://wikileaks.org/spyfiles/docs/GAMMA_2010_FinfFINFISP_e...](https://wikileaks.org/spyfiles/docs/GAMMA_2010_FinfFINFISP_en.html)

------
shandip
I'm moving from the US, it just keeps on getting worse. Fuck it.

