NSA Codewords

Please see the frequently updated list from @electrospaces.
JD, 04.08.2016


ACCORDIAN – Type 1 Cryptographic algorithm used in a number of crypto products

AGILITY – NSA internet information tool or database

AGILEVIEW – NSA internet information tool or database

AIGHANDLER – Geolocation analysis

ALPHA – SIGINT Exchange Designator for Great Britain

ALTEREGO QFD – A “Question filled Dataset”

ANCHORY – NSA software system which provides web access to textual intelligence documents

ANGRYNEIGHBOR – A family of bugs implemented as RF retro reflectors. These communicate with the use of an external radar wave generator such as CTX4000 or PHOTOANGLO. The signals are then processed by a system such as VIEWPLATE, (for the VAGRANT video signal). Known implementations: LOUDAUTO(ambient audio). DROPMIRE (printer/fax), RAGEMASTER (video), SURLYSPAWN (keyboard/mouse).





ARKSTREAM – malicious BIOS flashing program, known to be associated with DIETYBOUNCE, SWAP

ARTEMIS – Geospatial analysis, see ENTOURAGE

ASSOCIATION – NSA tool or database

AUTOSOURCE – NSA tool or database

AQUACADE – A class of SIGINT spy satellites (formerly RHYOLITE)

BACONRIDGE – Codename for a 4200 sq. ft. facility in Texas, holding TAO. Employing some 270 employees. Includes a datacenter qith 200 racks covering 9,450 sq. ft..

BANANAGLEE – A software exploit made by Digital Network Technologies (DNT) for Juniper Netscreen ns5xt, ns50, ns200, ns500, ISG 1000, ssg140, ssg5, ssg20, SSG 320M, SSG 350M, SSG 520, SSG 550, SSG 520M, SSG 550M firewalls. Also works on Cisco PIX 500 series and ASA 5505, 5510, 5520, 5540, and 5550 series firewalls. Used for exfiltrating data from target networks.

BANYAN – NSA tool or database

BATON – Type 1 Block cipher algorithm, used with many crypto products



BINOCULAR – Former NSA intelligence dissemination tool

BLACKHEART – Collection from an FBI implant

BLACKPEARL – NSA tool or database

BLARNEY – NSA internet and telephony network collection program

BLINDDATE – Software included on SPARROW II mini computers. Also seen in another context on QFIRE slide as part of a “TAO covert network.”.

BOUNDLESSINFORMANT – DNI and DNR data visualization tool

BSR- Base Station Router, use for intercepting GSM cell phone signals. Ships with laptop and accessories, networkable with other units via 802.11. Supports CANDYGRAM and LANDSHARK capabilities.

BULLDOZER – PCI bus malicious hardware

BULLRUN – COI for decryption of network communications

BYEMAN (BYE) – Retired control system for overhead collection systems (1961-2005)

Byzantine Anchor (BA) – “BA, a subset of Byzantine Hades, refers to a group of associated computer network intrusions with an apparent nexus to China.”

Byzantine Candor (BC) – Refers to a certain class of hacking by Chinese actors. Byzantine Candor is a subset of Byzantine Hades relating to intrusion, including by means of social engineering involving delivering malicious payloads by email.

Byzantine Hades (BH) – “a cover term for a series of related computer network intrusions with a believed nexus to China, has affected U.S. and foreign governments as well as cleared defense contractors since at least 2003” Believed to be Chinese state-sponsored (the PLA in particular). Though the evidence is tenuous. (ca 2009). In general, victims of Chinese-affiliated hacking are legitimate businesses, including defense contractors. They have been successful in exfiltrating large volumes of confidential emails and other sensitive documents.

CADENCE – NSA collection tasking tool or database

CANDYGRAM – Mimics GSM cell tower. Also included in the package are a Windows XP laptop, and cell phone, that communicate with the unit via SMS messages. Capable of targeting 200 phone numbers simultaneously

CANYON – Class of COMINT spy satellites (1968-1977)

CANNON LIGHT – Counterintelligence database of the US Army

CDR Diode –

CHESS – Compartment of TALENT KEYHOLE for the U-2 spy plane

CHIMNEYPOOL – Software based malware toolkit “Framework”, likely written in C/C++ (according to resumes posted online)

CORDOBA – Type 2 Cryptographic algorithm used in a number of NSA-developed crypto chips

COMMONDEER – A software based malware, used by the NSA.

CONFIRM – NSA database for personell access

CONJECTURE – A RF communication protocol used by HOWLERMONKEY devices.

CONOP – not a codename: Concept of Operations

CONTRAOCTAVE – NSA tool or database

CONVEYANCE – A voice content ingest processor?

CORONA – A series of photographic surveillance satellites (1959-1972)


COTS – Commercial Off the Shelf. When a description of a bug says it is COTS-based, it means that the components are commercially available, giving the NSA deniability as to their true source. (Unless you just happen to be looking at the NSA’s leaked product catalog. )

COTTONMOUTH-1 (CM-1) – USB cable w/ convert RF transmitter/receiver & malware payload

COTTONMOUTH-II (CM-II) – A dual-stacked USB port, (the kind that are soldered directly onto a motherboard), providing a covert “long haul” relay across airgapped systems. Like CM-I, and many other systems, it is written with the CHIMNEYPOOL framework, and communicates via STRAITBIZARRE. Unlike CM-I and CM-III, it does not incorporate HOWLERMONKEY or TRINITY.

COTTONMOUTH-III (CM-III) – A dual-stacked USB port/RJ45 ethernet jack combo, (the kind that are soldered directly onto a motherboard), providing a covert RF relay across airgapped systems. Like CM-I, and many other systems, it is written with the CHIMNEYPOOL framework, and communicates via STRAITBIZARRE. It can communicate with other CM devices with the SPECULATION Protocol. It also integrates TRINITY, and the HOWLERMONKEY RF transceiver.

COURIERSKILL – NSA Collection mission system

CPE – Content Preparation Environment, Reporting tool

CREST – Database which automatically translates foreign language intercepts in English

CROSSBEAM – “the CROSSBEAM module consists of a standard ANT architecture embedded computer, a specialized phone component, a customized voice controller suite and and optional DSP (ROCKYKNOB) if using Data Over Voice to transmit data”. Communicates over GSM. Compatible with CHIMNEYPOOL framework. Appears to be a WAGONBED controller board mated with a Motorola G20 GSM module.

CRUMPET Covert network (CCN) – Sample drawing included Printers, servers, and computers. All allegedly airgapped. (But not actually, due to covertly installed hardware)

CRYPTO ENABLED – Collection derived from AO’s efforts to enable Crypto

CTX4000 – A radar wave generator, can produce up to 1kW, output, with the use of external amplifies. designed for DROPMIRE, and VAGRANT. Obsolete, replaced by PHOTOANGLO.

CULTWEAVE – Smaller size SIGINT database

CUSTOMS – Customs opportunities (not LIFESAVER)

CW – Continuous Wave, such as the ones generated by CTX4000, or PHOTOANGLO.

CYCLONE Hx9 – EGSM base station router, used for collection GSM cell phone signals. Shops with laptop and accessories for command and control, uses the same GUI as the TYPHON. Controllable via 802.11 wifi.


DANDERSPRITZ – Described as an “intermediate redirector node.” Another tool made by Digital Network Technologies (DNT). Spoofs IP and MAC address.

DARKTHUNDER – A SIGAD used for TAO, and thus QUANTUM, FOXACID, and the like.

DELTA – Compartment for COMINT material from intercepts of Soviet military operations

DEWSWEEPER – USB (Universal Serial Bus) hardware host tap that provides COVERT link over USB link into a target network. Operates w/RF relay subsystem to provide wireless Bridge into target network.

DIETYBOUNCE – BIOS exploit for Dell PowerEdge 1850/2850/1950/2950 running BIOS versions A02, A05, A06, 1.1.0, 1.2.0 or 1.3.7

DIKTER – SIGINT Exchange Designator for Norway

DINAR – Predecessor of the UMBRA compartment for COMINT

DISHFIRE – NSA internet information tool or database


DOGCOLLAR QFD – A “question filled dataset”

DRAGONFLY – Geolocation analysis

DROPMIRE – passive collection of emanations using an antenna. A Tempest style attack.

DROPMIRE – Laser printer collection, purely proximal access (NOT implanted). A tempest style attack.

DROPOUTJEEP – Apple iPhone malware. Infiltrates and exfiltrates SMS, files, contact lists, voicemail, geolocation, camera capture. Once installed, DROPUTJEEP can be controlled via SMS messages or GPRS data connection.

DRTBOX – Mimics cell tower, Spotted in BOUNDLESSINFORMANT slides. See see http://electrospaces.blogspot.com/2013/11/drtbox-and-drt-surveillance-systems.htmlfor more details

DRUID – SIGINT Exchange Designator for third party countries

DYNAMO – SIGINT Exchange Designator for Denmark

EBSR – Low power GSM base station router,

ECHELON – A SIGINT collection network run by Australia, Canada, New Zealand, the United Kingdom, and the United States

ECHO – SIGINT Exchange Designator for Australia

EGOTISTICALGIRAFFE (EGGI) – Malware, a successful Firefox exploit (attempted against tor users)

EGOTISTICALGOAT (EGGO) – Firefox exploit against 10.0 -16.0.2

ENTOURAGE – Application for the HOLLOWPOINT platform, including band-specific antennas and a laptop for the command and control. Controllable via gibabit Ethernet Future plans (circa 2008) included WiFi, WiMAX and LTE.

EPICFAIL – attacks against dumb Tor users (?)

ERRONEOUSINGENUITY (ERIN) – Firefox exploit against 13.0 – 16.0.2

FA – CNE (hacking) technique used against Tor users

FAIRVIEW – NSA internet and telephony network collection program, a corporate-run SIGAD, part of the NSA’s “upstream” collection program, that permits “cyber” access. Thus it is probable that it is used in QUANTUM collection.

FALLOUT – DNI metadata ingest processor



FEEDTROUGH – malware for Juniper Networks’ Firewalls

FEEDTROUGH – A malicious BIOSS modification that Implants and/or maintains BANGALEE and/or ZESTYLEAK Juniper Netscreen firewall exploits

FERRETCANNON – A system that injects malware, associated with FOXACID.

FET – Field Effect Transmitter

FINKDIFFERENT (FIDI) – A Firefox exploit, successful against 10 ESR, but failed against tbb-firefox

FIREFLY – NSA-developed key generation scheme, used for exchanging EKMS public keys

FIREWALK – “a bidirectional network implant, capable of passively collecting Gigabit Ethernet traffic and injecting Ethernet packets onto the same target network.” Integrates TRINITY and HOWLERMONKEY. Provides direct or indirect covert RF link to Remote Operations Center via a VPN. The version in the catalog requires soldering to a motherboard.

FISHBOWL – NSA program for securing commercial smartphones

FLUXBABBIT – a hardware based bug for Dell PowerEdge 1950 and 2950 servers using Xeon 5100 and 5300 processors. Installation requires intercepting the server, while it is enroute to its destination, disassembling it and installing the hardware.

FLYING PIG – GCHQ SSL/TLS exploitation knowledgebase and tool


FOXACID – A malicious server that injects malware, by means of spoofed legitimate-looking pages and does MITM attacks

FOXSEARCH – perhaps a database of all targets to be exploited with FOXACID



FRIEZERAMP – A communications protocol that certain infected devices use to communicate with the NSA. It involves HTTPSlink2.



GAMMA (G) – Compartment for highly sensitive communication intercepts

GAMUT – NSA collection tasking tool or database

GECKO II – IRONCHEF example included A hardware implant (MRRF or GSM), IRONCHEF persistence backdoor, “Software implant UNITEDRAKE Node”

GENESIS – A spectrum analyzer tool, for covertly collecting and locating signals. A modified Motorola handset. Information downloaded to a laptop via ethernet port.

GENIE – Multi-stage operation; jumping the airgap etc., refers to certain classes of hardware that provide a wireless covert network in an allegedly airgapped environment.


GINSU – maintains KONGUR infection, should it be removed

GJALLER – Geospatial analysis

GLOBAL BROKER – NSA tool or database

GODSURGE – The software set for FLUXBABBIT, preconfigured at the factory, but reconfigurable remotely. For Dell PowerEdge 1950, 2950 servers running Xeon 5100 and 5300 processor families.

GOPHERSET – Malware for GSM Phase 2+ SIM cards that use the SIM Toolkit (STK). Exfiltrates phonebook, SMS, and call logs, via SMS, to a predefined phone number. Installed either via a USB sim card reader, or remotely (over the air provisioning)

GOSSAMER – Geospatial analysis

GOURMETTROUGH – Maintains BANANAGLEE infection on Juniper Netscreen nsg5t, ns50, ns25, isg1000, ssg140, ssg5, ssg20 firewalls


GROWLER – Geospatial analysis

HAVE BLUE – Development program of the F-117A Stealth fighter-bomber

HAVE QUICK (HQ) – Frequency-hopping system used to protect military UHF radio traffic

HALLUXWATER – ROM based exploit for Huawei Eudemon 200, 500, and 1000 series firewalls. survives bootrom upgrades and OS upgrades. NSA operator has ability to execute arbitrary code on infected system.


HAMMERMILL Insertion Tool (HIT) – command and control system, designed by DNT for exploited Huawei routers

HC12 – an earlier micro-computer design the NSA used in bugs.

HEADWATER – software based persistent backdoor for Certain Huawei routers. Controlled via HAMMERMILL Insertion tool (HIT)

HERCULES – CIA terrorism database

HIGHLANDS – Collection from Implants

HIGHTIDE – NSA tool or database

HOLLOWPOINT – GSM/UTMS/CSMA2000/FRS signal platform. Operates In the 10MHz to 4GHz range. Includes receiver and antenna. Can both transmit and receive.

HOWLERMONKEY (HM) – Covert short to medium range RF Transceiver. Designed to be integrated with a larger device. Communicates over SPECULATION and CONJECTURE protocols. Known products that include HOWLERMONKEY are: CM-I, CM-II, FIREWALK, SUTURESAILOR, and YELLOWPIN.


HUSH PUPPY – GCHQ Tool, related to exploitation

INDIA – SIGINT Exchange Designator for New Zealand


INTRUDER – Series of ELINT and COMINT spy satellites (since 2009)

IRATEMONK – Firmware based malware for certain WD, Seagate, Maxtor and Samsung hard drives. Supports FAT, NTFS, EXT3, and UFS file systems.

IRONCHEF – Malware that is used to maintain and reinstall, if necessary, the software component of systems implanted with the WAGONBED hardware trojan.

ISHTAR – SIGINT Exchange Designator for Japan

ISLANDTRANSPORT – “Enterprise Message Service”

IVY BELLS – NSA, CIA and Navy operation to place wire taps on Soviet underwater communication cables

JEROBOAM – Another name used for the TRUMPET spy satellites

JETPLOW – Firmware-based malware for maintaining BANANAGLEE, software-based malware on. Cisco PIX 500 series and ASA 5505, 5510, 5520, 5540, and 5550 series firewalls.

JUGGERNAUT – Picks up all signals from mobile networks

JUMPSEAT – Class of SIGINT reconnaissance satellites (1971-1983)

JUNIORMINT – A generic, programmable miniature computer. For use in concealed bugs. Specs: 400Mhz ARM 9 microcontroller, 32 MB Flash, 64 MB SDRAM, 128MB DDR2 and an “XC4VLX25 10752 Slice” FPGA.

KEA – Asymmetric-key Type 2 algorithm used in products like Fortezza, Fortezza Plus

KLONDIKE (KDK) – Control system for sensitive geospatial intelligence

KONGUR – malware payload, known to be deployed via KONGUR

LEGION JADE – GCHQ cover term, somehow associated with FLYING PIG, which is a tool used for exploitation. It is probable that this term is also related to exploitation in some way.

LEGION RUBY – GCHQ cover term, somehow associated with FLYING PIG, which is a tool used for exploitation. It is probable that this term is also related to exploitation in some way.

LFS-2 – A processing system for VAGRANT signals returned by the PHOTOANGLO system. Requires an external monitor to display the signal.

LHR – Long Haul Relay

LIFESAVER – Imaging of the Hard Drive

LOPERS – Software application for Public Switched Telephone Networks

LOUDAUTO – An audio bug for a room. Implemented as an RF retro-reflector (ANGRYNEIGHBOR family). It therefor requires a unit such as CTX4000, to communicate back to the base.

LP – Listening Post

MAESTRO II – A generic, programmable miniature computer. For use in concealed bugs. Specs: 66Mhz ARM 7 microcontroller, 4 MB Flash, 8 MB SDRAM an “XC2V500 500k gates” FPGA. Roughly the same size as a dime.

MAGIC LANTERN – A keystroke logging software developed by the FBI

MAGNETIC – Sensor Collection of Magnetic Emanations

MAGNUM – Series of SIGINT spy satellites (since 1985)


MAIN CORE – Federal database of personal and financial data of suspicious US citizens

MAINWAY – NSA database of bulk phone metadata

MARINA – NSA database of bulk internet metadata

MCM – Multi Chip Module

MENTOR – Class of SIGINT spy satellites (since 1995)

MESSIAH – NSA automated message handling system


METTLESOME – NSA Collection mission system


MIDDLEMAN – TAO covert network. i.e. a network that secretly connects airgapped computers to the internet.

MINARET – A sister project to Project SHAMROCK (1967-1973)

MINERALIZE – Collection from LAN Implant

MJOLNIR – an internal tor test network ca 2006, with software tools for the same

MOCCASIN – a version of COTTONMOUTH permanently attached to a USB keyboard

MONKEYCALENDAR – Malware for GSM Phase 2+ SIM cards that use the SIM Toolkit (STK). Exfiltrates geolocation data to a preset phone number via SMS.

MOONLIGHTPATH – An NSA collection program

MORAY – Retired compartment for the least sensitive COMINT material

MULLENIZE – ‘USER agent staining”, malware

MUTANT BROTH – GCHQ tool for identifying targets from data returned by QUANTUM products

NEBULA – A base station router, for intercepting mobile telephone calls and data transmissions. Uses the TYPHON GUI. Networkable and controllable via 802.3 and 802.11.


NIGHTSTAND (NS) – Mobile hacking platform including laptop, case, and antennas. Targets windows 2000 and XP, running internet explorer 5-6. Attacks occur over WiFi, and are alleged to be undetectable to the user. Capable of targeting several systems simultaneously. With the use of amplifiers, attacks can happen from up to 8 miles away.

NIGHTWATCH – Specialized system for processing, reconstructing and displaying video signals collected by VAGRANT. And returned to a CSX4000 or a PHOTOANGLO system. Obsoleted, replaced by VIEWPLATE.

NUCLEON – Database for contents of phone calls

OAKSTAR – NSA internet and telephony network collection program

OCEAN – Optical Collection System for Raster-Based Computer Screens

OCEANARIUM – Database for SIGINT from NSA and intelligence sharing partners around the world

OCELOT – Probably a NSA program for collection from internet and telephony networks


OCTAVE – NSA tool for telephone network tasking

OCTSKYWARD – NSA tool or database

OLYMPUS – A piece of malware used by the NSA, for the purposes of spying.

OLYMPUSFIRE – An exploitation system, that uses malware to completely control a target Windows PC. Maintained by a NSA-run Listening Post.


ONIONBREATH – Relates to GCHQ efforts against tor hidden services

OSCAR – SIGINT Exchange Designator for the USA


OXCART – The Lockheed A-12 program (better known as SR-71)

PADSTONE – Type 1 Cryptographic algorithm used in products like Cypris, Windster and Indictor


PATHFINDER – SIGINT analysis tool (made by SAIC)

PBD – Persistent BackDoor

PBX – Public Branch Exchange Switch

PHOTOANGLO – Replaces CTX4000, a continuous radar Wave generator, for the ANGRYNEIGHBOR family of retro-reflector bugs, including VAGRANT, DROPMIRE, and LOADAUTO. The signals are then sent to a processing system such as NIGHTWATCH or VIEWPLATE (which process and display the signals from the VAGRANT monitor-cable bug). The LFS-2 is listed as another type of processing system. A joint NSA/GCHQ project.

PICASSO – GSM handset, carried by a witting operator for bugging conversations and calls within its range. Includes a panic button for the operator.

PINWALE – Database for recorded signals intercepts/internet content

PLUS – NSA SIGINT production feedback program

PPM – Pulse Position Modulate

PRISM – NSA collection program for foreign internet data

PROTON – Smaller size SIGINT database

PROTOSS – Possibly a bridge between the airgapped system and the Internet

PSP – Personal Security Product. Also: President’s Surveillance Program.

PURPLE – Codename for a Japanese diplomatic cryptosystem during WWII

PUZZLECUBE – NSA tool or database

QFD – Question Filled Dataset

QFIRE – System used for infecting computers. Involves both TURMOIL, TURBINE, and additional infrastructure. Co-opted routers, according to Appelbaum, these may in cases be unwitting home or business routers, that have been “pwned”. The Goal seems to be to reduce latency, and therefor increase the success rate of QUANTUMINSERT/FOXACID attacks.


QUANTUM – Perhaps a generalize term for certain styles of hacking used by NSA and GCHQ. The most popular is the QUANTUMINSERT.

QUANTUM INSERT (QI) – A style of hacking, involving a man-in the middle attack, involving a malicious server (dubbed FOXACID) that attempts to outrun a legitimate server (yahoo and linkedIn are favorites), spoof their pages and insert a trojan into the unsuspecting user. Both NSA and GCHQ use this term

QUANTUMBOT – controls IRC bots

QUANTUMCOOKIE – forces browsers to toss their cookies (divulge them)

QUANTUMCOPPER – corrupts file uploads and downloads. (malware injection on the fly?). According to Appelbaum, this is also used like the “great firewall of China”.

QUANTUMNATION – a system to deploy “stage 0” malware such as SEASONEDMOTH. Stage 0 items are programmed to self-destruct within 30 days.

QUANTUMSKY – resets connections (which ones?)

QUANTUMTHEORY – A GCHQ toolkit for QUANTUM products, that expands the range of “spoofable” services. Injects a “stage 1” malware, such as VALIDATOR or COMMONDEER

QUICKANT QFD – GCHQ tor analytics/knowledgebase

RADON – Bi-Directional host-tap that can inject Ethernet packets onto the same target. Allows Bi-directional exploitation of Denied networks using standard on-net tools.

RAGEMASTER – A bugged video cable. Implemented as an RF retro-reflector. Used for VAGRANT collection.

RAGTIME (RT) – Codeword for four NSA surveillance programs

REMATION II – Joint NSA/GCHQ anti-tor Workshop ca 2012

RENOIR – NSA telephone network visualization tool

RESERVE (RSV) – Control system for the National Reconnaissance Office (NRO)

Retro reflector – a term for a special kind of mirror that always sends a signal directly back on the path it comes from, regardless of the angle.


RICHTER – SIGINT Exchange Designator for Germany

ROC – Remote Operations Center

ROCKYKNOB – Optional Digital Signal Processing (DSP) Module for CROSSBEAM.

RONIN – Database of tor events

RUFF – Compartment of TALENT KEYHOLE for IMINT satellites

RHYOLITE – Class of SIGINT spy satellites (in 1975 changed to AQUACADE)

SABRE – Retired(?) SIGINT product codeword

SAVILLE – Narrow band voice encryption used for radio and telephone communication

SCHOOLMONTANA – “SCHOOLMONTANA is the cover term for the persistence technique to deploy a DNT implant to Juniper J-Series Routers.” A malicious BIOS modification.


SDR – software Defined radio


SEASONEDMOTH (SMOTH) – A class of malware that is programmed to automatically die with in 30 days. (unless instructed to extend its life)

SEMESTER – NSA SIGINT reporting tool

SENTINEL – NSA database security filter


SETTEE – SIGINT Exchange Designator for South Korea

SHAMROCK – Operation for intercepting telegraphic data going in or out the US (1945-1975)

SHARKFIN – Sweeps up all-source communications intelligence at high speed and volumes


SHELLTRUMPET – NSA metadata processing program

SHORTSHEET – CNE (hacking) technique used against Tor users



SIGSALY – The first secure voice system from World War II

SILKWORTH – A software program used for the ECHELON system

SIRE – A software program used for the ECHELON system

SKIPJACK – Type 2 Block cipher algorithms used in products like Fortezza, and the Clipper Chip

SKYWRITER – NSA internet intelligence reporting tool

SLICKERVICAR – A tool known to be used somewhere in the process of uploading malicious HD firmware

SNEAKERNET – Not a codename, a term for the “network communication protocol” involving someone physically carrying storage media between machines.

SOLIS – SIGINT product databases

SOMBERKNAVE- software based malware, intended to bridge airgaps by using an unused 802.11 wireless interface. For Windows XP. Allows other malware to “call home” In particular, the VALIDATOR and OLYMPUS trojans.

SOUFFLETROUGH – A malicious BIOS Modification that maintains BANANAGLEE infection on Juniper SSG 320M, SSG 350M, SSG 520, SSG 550, SSG 520M, SSG 550M.

SPARROW II – A microcomputer specialized for UAV operations. Includes Integrated WLAN, and Mini PCI slots supporting . IBM PowerPC 405GR, 64MB SDRAM, 16MB Flash. Designed for survey of wireless networks (Wifi/GSM, etc, depending on expansion cards).

SPECULATION – RF communication protocol, used by HOWLERMONKEY devices, Including CM-I, CM-III, FIREWALK.

SPHINX – Counterintelligence database of the Defense Intelligence Agency

SPINNERET – an NSA operational branche?

SPOKE – Retired compartment for less sensitive COMINT material


STEELFLAUTA – A SIGAD used for TAO, and thus QUANTUM, FOXACID, amd the like.

STELLARWIND (STLW) – SCI compartment for the President’s Surveillance Program information

STONE GHOST – DIA classified network for information exchange with UK, Canada and Australia

STORMBREW – NSA internet and telephony network collection program


STRAITBIZARRE (SB) – Software made By Digital Network Technologies (DNT) for controlling and receiving data from “implants”. Also involved somewhere in the process of uploading malicious HD firmware (works with a tool called SLICKERVICAR to accomplish this)

STRIKEZONE – Context: “HOWLERMONKEY is a COTS- based transceiver designed to be compatible with CONJECTURE/SPECULATION networks and STRIKEZONE devices running a HOWLERMONKEY personality.

STRONGMITE – somewhere on the ROC side of operations….


STUMPCURSOR – Foreign computer accessing program of the NSA’s Tailored Access Operations

STUXNET – A jointly US/Isreali written piece of malware intended to infect, and physically destroy Iranian nuclear Centrifuges. (which it did) Also spilled on to non-targeted SCADA systems, causing “collateral damage”.

SURLYSPAWN – A keyboard or mouse bug implemented as an RF retro-reflector embedded in the cabling. This brings it into the ANGRYNEIGHBOR family of bugs.


SUTURESAILOR – a particular device that includes a HOWLERMONKEY component

SWAP – A combination of a malicious BIOS modification and a malicious Hard Disk firmware modification (in the host protected area) used to maintain software based malware on the victim computer. Appears to work on a variety of systems running Windows, Linux, FreeBSD or Solaris. The file system may be FAT32, NTFS, EXT2, EXT3, or UFS 1.0.

TAO – Tailored Access Operations. NSA’s hacking and bugging unit.

TALENT KEYHOLE (TK) – Control system for space-based collection platforms

TALK QUICK – An interim secure voice system created to satisfy urgent requirements imposed by conditions to Southeast Asia. Function was absorbed by AUTOSEVOCOM

TAPERLAY – covername for Global Numbering Data Base (GNDB)?

Target Profiler – A tool that lists which targets are vulnerable to exploits, and which.

TAROTCARD – NSA tool or database

TAWDRYYARD – An ANGRYNEIGHBOR RF retro-reflector whose purpose is to serve as a beacon, so the RF wave generator (CTX4000 or PHOTOANGLO) can locate RAGEMASTER video cable bugs, and home in on them.

TEMPEST – Investigations and studies of compromising electronic emanations

THINTREAD – NSA program for wiretapping and sophisticated analysis of the resulting data

TLN – Twisty Lobby Number. (not really well explained in doc)

TOTECHASER – Software-based malware for Thuraya 2520 satellite-cellular handsets running Windows CE. Designed to exfiltrate GPS and GSM geolocation data, as well as the call log and contact list, and other data via covert SMS messages. SMS messages are also the means by which the attacker controls the phone. Implementation requires modifying the phone itself, not yet deployed as of Oct 2008.

TOTEGHOSTLY 2.0 – Malware for Windows Mobile -based handsets. Written using DNT’s CHIMNEYPOOL framework, and controlled via STRAITBIZARRE. Used to infiltrate and exfiltrate files, SMS, contact lists, geolocation via SMS or GPRS data connection. From or to the victim device The attacker has the ability to control the camera and microphone, and also send other commands to the device. The encrypted protocol it uses to communicate is referred to as FRIEZERAMP.

TRACFIN – NSA Database

TRAFFICTHIEF – Part of the TURBULENCE and the PRISM programs

TRAILBLAZER – NSA Program to analyze data carried on communications networks

TREASUREMAP – NSA internet content visualization tool

TRIBUTARY – NSA provided voice threat warning network

TRINE – Predecessor of the UMBRA compartment for COMINT

TRINITY – A microcomputer, designed to be part of a bug. Specs: 100Mhz ARM 9 Microcontroller, 4MB flash, 96MB SDRAM. Smaller than a penny. Known to be a component of CM-I, CM-III, FIREWALK

TRUMPET – Series of ELINT reconnaissance satellites (1994-2008)TUMULT – associated with TURBULANCE. Somehow involved with QUANTUMTHEORY. Not precicely clear.

TUNINGFORK – NSA tool or database

TURBINE – System used for infecting computers. “Deep Packet Injection”

TURBOPANDA – cover term for joint CIA/NSA project to exploit Huawei network equipment

TURBOPANDA Insertion Tool (PIT) – command and control system for exploited Huawei firewalls

TURBULANCE – NSA Program to detect threats in cyberspace (2005- ), system integrating passive collection, active hacking, and active hacking defenseTURMOIL – NSA’s passive SIGINT collection system. “Deep packet inspection”

TURMOIL – Part of the TURBULENCE program

TUSKATTIRE – DNR (telephony) ingest processor

TUTELAGE – NSA’s own defense system against hacking, Part of the TURBULENCE program

TWISTEDKILT – a hard drive firmware updating program used to install malicious firmware of a victim Hard drive.

TYPHON HX – GSM base station router. Used to collect call logs from targeted phones. Administrated with a laptop via SMS, but is otherwise a standalone unit. There is no apparent ability to network these together, though other units, running the same software can do so (CYCLONE Hx9).

UAV – Unmanned aerial vehicle. A drone. Useful tool.

ULTRA – COMINT from decryption of high-level Nazi ciphers, like the Enigma machine

UMBRA – Retired compartment for the most sensitive COMINT material

UNIFORM – SIGINT Exchange Designator for Canada

UNITEDRAKE – A program similar to STRAITBIZARRE, used for uploading malicious HDD firmware, works with SLICKERVICAR. Known components include a GUI, a database, and a server, and a manned listening post. It includes a trojan of the same name. Digital Network Technologies (DNT), a private company, actively maintains the listening posts for UNITEDRAKE, as well as design and deploy malware.

UTT – Unified Targeting Tool (UTT) is a software program used by NSA to select targets for surveillance.

VAGRANT – Collection of computer Screens. The monitor cables are rigged with an RF retro reflector, (RAGEMASTER). VAGRANT collection therefor requires a continuous RF generator such as CTX4000 or PHOTOANGLO, and a system to process and display the returned video signal such as NIGHTWATCH, GOTHAM, LS-2 (with an external monitor), or VIEWPLATE. Known to be deployed in the field , as of September 2010 at the following embassies: Brazil’s UN Mission in NY (POKOMOKE), France’s UN Mission in NY (BLACKFOOT), India’s Embassy and annex in DC, and India’s UN Mission in New York. India’s embassies were slated to be detasked, at the time of the document. Context of documents seems to suggest, but does not definitively prove that the coverterm VAGRANT only applies to the signal itself.

VALIDATOR – A software based malware item designed to run on certain Juniper routers (J, M, and T Series) running the JUNOS operating system. It must be maintained by means of a malicious BIOS modification. A typical use case involves the exfiltration of data from the victimized system. A separate document describes VALIDATOR as a backdoor used against Windows systems (win 98-2003). In this instance, it will identify the system, and if it is truly a target, invite a more sophisticated trojan in, such as UNITEDRAKE or OLYMPUS. This trojan has been used to de-anonymize tor users. A third version of VALIDATOR works for Apple iOS devices. The QUANTUMNATION states that the success rate against iOS devices is 100%.

VIEWPLATE – Replacement for the NIGHTWATCH system.

VORTEX – Class of SIGINT spy satellites (1978-1989)

WAGONBED – a malicious hardware device that provides covert 2-way RF communications on the I2C channel of HP Proliant 380DL G5 servers. WAGONBED 2 can be mated with a Motorola G20 GSM module to form CROSSBEAM.

WALBURN – High-speed link encryption, used in various encryption products

WATERWITCH – Handheld device for homing in on target handsets, used in conjunction with TYPHON or similar systems to provide more precise location information.

WEALTHYCLUSTER – Program to hunt down tips on terrorists in cyberspace (2002- )

WEBCANDID – NSA tool or database

WEASEL – Type 1 Cryptographic algorithm used in SafeXcel-3340

WHITETAMALE – Operation against the Mexican Public Security Secretariat

WISTFULTOLL – A plugin for UNITEDRAKE and STRAITBIZARRE that extracts WMI and registry information from the victim machine. Also available as a stand-alone executable. Can be installed either remotely, or by USB thumb drive. In the latter case, exfiltrated data will be stored on that same thumb drive. Works on Windows 2000, XP, and 2003

XCONCORD – Program for finding key words in foreign language documents

XKEYSCORE (XKS) – Program for analysing SIGINT traffic

YELLOWPIN – a particular device that includes a HOWLERMONKEY component

ZARF – Compartment of TALENT KEYHOLE for ELINT satellites

ZESTYLEAK – a software exploit made by CES for Juniper Netscreen ns5xt, ns50, ns200, ns500, ISG 1000 firewalls


Findings on Pastebin, LinkedIn profiles, leaked materials and other readings

Work in Progress, Will be updated from time to time



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: