Overview#

APEX is an National Security Agency (NSA) SIGINT program.

VPN Phase 1: IKE Metadata Only (Spin 15)#

• IKE packets are exfiled to TURMOIL APEX.
• APEX reconstructs/reinjects IKE packets to the TURMOIL VPN components.
• TURMOIL VPN extracts metadata from each Key-Exchange and sends to the CES TOYGRIPPE metadata database This database is used by SIGDEV analysts to identify potential targets for further exploitation

VPN Phase 2: #

Targeted IKE Forwarding (Spin 15)-

• TURMOIL VPN looks up IKE packet IP Address in KEYCARD.
• If either IP Address is targeted, the Key-Exchange packets are forwarded to the CES Attack Orchestrator (POISON NUT) for VPN key recovery.

VPN Phase 3: Static Tasking of ESP#

• HAMMERSTEIN receives static tasking to exfil targeted ESP packets.
• APEX reconstructs/reinjects ESP packets to the TURMOIL VPN components.
• TURMOIL VPN requests VPN key from CES and attempts decryption.

VPN Phase 4: Dynamic Targeting of ESP#

• Based on the value returned by KEYCARD, the ESP for a particular VPN may be targeted as well
• TURMOIL sends to HAMMERSTEIN (via TURBINE) the parameters for capturing the ESP for the targeted VPN

APEX Voice over IP Phases#

VoIP Phase 1: Static Tasking of VoIP (Spin 16)#

• HAMMERCHANT monitors VoIP SIP/H.323 signaling and exfiltrates only targeted VoIP RTP sessions to TURMOIL
• APEX reconstructs and bundles the voice packets into a file, attaches appropriate metadata and delivers to PRESSUREWAVE
• This triggers a modified VoIP analytic to prepare the VoIP for corporate delivery.

VoIP Phase 2. VoIP Call Survey#

• HAMMERCHANT monitors VoIP SIP/H.323 signaling and exfiltrates all call signaling metadata to TURMOIL
• APEX inserts call signaling metadata into an ASDF record and publishes it to the TURMOIL AsdfReporter component for target SIGDEV

VoIP Phase 3. Dynamic Targeting of VoIP#

• HAMMERSTEIN captures/exfils all VoIP signaling
• APEX reconstructs/reinjects the signaling to the TURMOIL VoIP components.
• TURMOIL VoIP extracts call metadata and sends to FASCIA; checks KEYCARD for hits.
• If called/calling party is targeted for active exfil, then TURMOIL sends to HAMMERSTEIN (via TURBINE) the parameters to capture the targeted RTPT session

Implementation of Voice over IP Phase 2 and 3 will be driven by mission need. #

• Phase 3 leverages all TURMOIL VoIP signalling protocol processorsa to expand SIP and H.323 (e.g. Skype) without additional development on the implant.

Category#

Government Surveillance

More Information#

There might be more information for this subject on one of the following:

• SIGINT

---

• [#1] - VPN and VOIP Exploitation With HAMMERCHANT and HAMMERSTEIN - based on information obtained 2018-08-03-
• [#2] - https://www.aclu.org/sites/default/files/assets/vpn-and-voip-exploitation-with-hammerchant-and.pdf - based on information obtained 2019-05-18