SIGINT Development Conference
SIGDEV: Discovery in the Cyber Age
TOP SECRET//COMINT//REL TO USA, FVEY//20320108
(U//FOUO) QUANTUMTHEORY
(U//FOUO) name redacted, S32X
(U) Classification of Presentation
■ This presentation is classified:
TOP SECRET // COMINT // REL TO USA, FVEY // 20320108
(U) What is QUANTUMTHEORY
■ (U//FOUO) Nothing to do with "Quantum Computing"
■ (S//SI//REL) Protocol injection technique
  • Passive
  • Active
■ (S//REL) Not Man-in-the-Middle
  • But can be used to gain that position
■ (S//REL) Man-on-the-Side
■ (S//REL) Mostly Low Latency... mostly
[Diagram: QUANTUM architecture overview. Labels: ROC Operator, TRAFFICTHIEF, MHS, TURBINE GUI, Low Side, High Side]
(C) Components of QUANTUM Architecture
■ (S//REL) TURMOIL
  • Passive Sensor
  • (or LPT, LPT-D, what else can you kludge for tipping... cough.. NINJANIC)
■ (S//REL) TURBINE
  • Active Mission Logic of Remote Agents
■ (C//REL) ISLANDTRANSPORT
  • Messaging Fabric
■ (S//REL) SURPLUSHANGER
  • High->Low diodes
■ (S//REL) STRAIGHTBIZARRE or DAREDEVIL
  • Implant / Shooter
(C) Legacy QUANTUMTHEORY techniques
■ (TS//SI//REL) QUANTUMINSERT
  • HTML Redirection
■ (TS//SI//REL) QUANTUMSKY
  • HTML/TCP resets
■ (TS//SI//REL) QUANTUMBOT
  • IRC botnet hijacking
(U) New Hotness
■ (TS//SI//REL) QUANTUMBISCUIT
  • Redirection based on keyword
  • Mostly HTML Cookie Values
■ (TS//SI//REL) QUANTUMDNS
  • DNS Hijacking
  • Caching Nameservers
■ (TS//SI//REL) QUANTUMBOT2
  • Combination of Q-BOT/Q-BISCUIT for web-based command-and-control botnets
■ (TS//SI//REL) QUANTUMCOPPER
  • File download disruption
■ (TS//SI//REL) QUANTUMMUSH
  • Virtual HUFFMUSH / Targeted Spam Exploitation
■ (TS//SI//REL) QUANTUMSPIM
  • Instant Messaging (MSN chat, XMPP)
■ (TS//SI//REL) QUANTUMSQUEEL
  • Injection into MySQL persistent database connections
■ (TS//SI//REL) QUANTUMSQUIRREL
  • Truly covert infrastructure, be any IP in the world,
[Diagram: QUANTUMSQUIRREL flow. Labels: anysite.com C2 malware, DNS query (any NIPRNET IP address), TARGET SPACE, TAO Shooter, Blocked, NIPRNET, TAO C2 mirrors anysite.com C2, Command Sent]
(U//FOUO) QUANTUMDEFENSE
at can you
■ (S//SI//REL) Menwith Hill Station (USJ-759, USJ-759A, ...)
  • Operational: Q-INSERT, Q-SKY, Q-DNS, Q-BISCUIT, Q-BOT
  • Tested: Q-COPPER, Q-SQUIRREL, Q-BOT2
■ (S//SI//REL) Misawa AFB (USF-799...)
  • Operational: Q-INSERT
■ (S//SI//REL) INCENSOR (DS-300) - with help from GCHQ
  • Operational: Q-BOT, Q-BISCUIT, Q-INSERT
  • Tested: Q-SQUEEL, Q-SPIM
■ (TS//SI//REL) NIPRNET Gateways
  • Operational: Q-DNS
■ (S//SI//REL) Coming Soon....
  • SMOKEYSINK
  • SARATOGA
Questions?
contact info redacted