Tuesday, November 13, 2012

The GUNMAN Project

Foreign embassies have always been very attractive intelligence targets. Embassy staff and personnel often handle classified information. One way to obtain such sensitive information is by HUMINT (human intelligence) from embassy personnel. Another, covert, method is SIGINT (signals intelligence) by wiretapping or advanced listening devices, commonly known as bugs.

A most spectacular case of electronic espionage occurred in the 1980s, at the height of the Cold War, when it was discovered that Soviet intelligence had successfully implanted very sophisticated bugs in a large number of electronic typewriters at the U.S. embassy in Moscow.

It all started in August 1983, when a friendly government informed U.S. intelligence that they had found a curious bug, implanted in equipment at their embassy. In response, the U.S. National Security Agency (NSA) sent communications security experts to their ally to examine the bug. Its technology proved to be very sophisticated. The effort required to develop such technology was of such a scale that NSA was convinced that this was not an isolated case.

NSA realised that such bugs were most likely also implanted in U.S. embassy equipment. This triggered a secret operation codenamed GUNMAN. The first part of the operation was to remove all equipment from the U.S. embassy in Moscow and check it for bugs. This comprised all crypto and communications equipment, computers, printers and much more. However, Soviet intelligence was to be kept ignorant of the operation.

The transport of the equipment proved quite a logistical challenge. No less than eleven tons of all kinds of equipment had to be shipped from Russia back to NSA in the United States and replaced by new equipment. All this had to be done in complete secrecy. New techniques and procedures had to be devised to make sure that the new equipment, some ten tons, wasn't tampered with again by the Soviets, and at the same time they had to keep their own embassy personnel ignorant of the real reasons for the exchange of equipment. It took them five months.

All recovered equipment was stacked at Fort Meade. The next part of GUNMAN was to carefully inspect and X-ray each single item. All crypto gear soon proved clean. It took them until July 1984, eleven months after the tip-off, to discover the first bug in a non-crypto device, an IBM Selectric typewriter. It was an extra coil inside a power switch that caught the attention of a technician. X-rays revealed an electronic bug, hidden inside a metal bar. Eventually, they found bugs in sixteen Selectric type II and type III typewriters.

IBM Selectric II Typewriter

NSA technicians started the complex task of reverse-engineering the bugs. They turned out to be much more sophisticated than the specialists could ever have imagined. Metal cams were replaced by a non-ferromagnetic version that contained strong little magnets. These magnets caused magnetic disturbances when keys were depressed on the keyboard. The magnetic changes were picked up by the electronics, analysed and converted into a digital signal. The electronics were completely hidden from view, sealed into a hollow support bar.

The signal was compressed into four-bit frequency selecting words. Up to eight four-bit characters could be stored in a circuit with tiny one-bit core memories. Only when the memory was filled completely (at irregular intervals, due to the typist's tempo) was the data sent in a very short burst transmission to a nearby listening post. The burst frequency range was deliberately selected in the same frequency band as Soviet television stations to hide the burst noise. The implants could be turned off remotely to avoid detection when security technicians would sweep the embassy for bugs.
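The buffer-then-burst behaviour described above can be modelled to show why such an emitter is so rarely on the air, seen from the side of the team sweeping for it. This is an added example, not code from the NSA paper or from this post: the burst duration, the sweep window model and the typing timestamps are constructed assumptions, and only the eight-slot buffer comes from the text.

```python
import random

BUFFER_SLOTS = 8        # from the text: up to eight four-bit characters are stored
BURST_SECONDS = 0.001   # ASSUMPTION: the text only says "very short burst"

def burst_times(key_times, slots=BUFFER_SLOTS):
    """Moments a burst is sent: each time the buffer fills completely."""
    return [t for i, t in enumerate(key_times, start=1) if i % slots == 0]

def pending_keystrokes(key_times, slots=BUFFER_SLOTS):
    """Keystrokes still sitting in the buffer, not yet transmitted."""
    return len(key_times) % slots

def on_air_fraction(key_times, burst_seconds=BURST_SECONDS):
    """Fraction of the typing session during which the implant emits."""
    if len(key_times) < 2:
        return 0.0
    span = key_times[-1] - key_times[0]
    return len(burst_times(key_times)) * burst_seconds / span

def sweep_hits(bursts, sweep_starts, dwell, burst_seconds=BURST_SECONDS):
    """Count sweep windows [s, s + dwell] that overlap at least one burst.

    ASSUMPTION: a sweep only sees the emitter while its receiver is
    dwelling on the right band at the moment a burst is in progress.
    """
    return sum(
        any(b < s + dwell and b + burst_seconds > s for b in bursts)
        for s in sweep_starts
    )

def constructed_typing_session(n_keys=400, seed=1):
    """Constructed sample input: irregular gaps of 0.1 to 0.6 s between keys."""
    rng = random.Random(seed)
    t, times = 0.0, []
    for _ in range(n_keys):
        t += rng.uniform(0.1, 0.6)
        times.append(t)
    return times

if __name__ == "__main__":
    keys = constructed_typing_session()
    bursts = burst_times(keys)
    gaps = [b - a for a, b in zip(bursts, bursts[1:])]
    print(f"{len(bursts)} bursts, gaps {min(gaps):.2f}s to {max(gaps):.2f}s")
    print(f"on-air fraction: {on_air_fraction(keys):.6f}")
```
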

The NSA technicians found several different versions of the bug. Some operated on batteries and others were powered by the AC mains. Some bugs activated a beacon to monitor whether a typewriter was turned on. The technicians were stunned by the technology used and the cleverness of the design to avoid detection by technical teams.

NSA director General Faurer was quoted in 1986: "I think people tend to fall into the trap of being disdainful too often of their adversaries. Recently, we tended to think that in technical matters we were ahead of the Soviet Union, for example in computers, aircraft engines, cars. In recent years, we have encountered surprise after surprise and are more respectful."

That quote says it all. The case had a major impact on all intelligence agencies and many lessons were learned. A damage assessment proved impossible because the whereabouts of the typewriters during all those years were never put on record. They do know that from 1976 to 1984, Soviet intelligence used these bugs to collect sensitive plaintext information, typed on typewriters in the U.S. embassy in Moscow and the U.S. consulate in Leningrad.

Now came the final part of the GUNMAN project: awareness and prevention. New procedures were implemented for secure shipping of equipment, technologies were developed to make equipment tamper proof and new guidelines were written on how to handle classified information. Over a period of seven years, special GUNMAN briefings were given to various government agencies and the intelligence community.

COMSEC (communications security) was renamed into INFOSEC (information security) to emphasise that security is not merely a case of using secure communications equipment but rather the secure handling of critical information on whatever type of secure or insecure equipment that might process plaintext information. The lessons learned in 1984 are still applied in protecting information that is handled inside embassies and other critical buildings all over the world.

However, this story is also relevant to every one of us. Our computers have numerous unknown processes running in the background, and multi-functional printer-scanners and various mobile devices are constantly connected to the Internet. We store and process all kinds of confidential information on these new technologies but hardly realize that they are easily turned into bugs. This doesn't even require the implant of sophisticated hardware any more, as in the GUNMAN case, but only a quick reprogramming of internal software or hidden spyware.

The old school spy equipment has evolved into digital spyware. An evolution quite dangerous when people constantly use these modern media without thinking about the possible consequences. Secrets can leak in most unexpected ways, as the GUNMAN case has shown!

Read NSA's Learning From the Enemy: The GUNMAN Project (pdf) for the full story. The original (redacted) NSA paper is available at this link. More about the IBM Selectric typewriter can be found on Wikipedia. There's an interesting video showing the typing mechanism of the IBM Selectric.
