NSA program FAIRVIEW: Collecting trash. 🗑️

Published on March 20, 2019 by

Fairview is a NSA program designed to collect “phone, internet, and e-mail data mainly of foreign countries’ citizens at major cable landing stations and switching stations inside the United States”. It dates back to 1985 [1]. There are various good articles on the subject [2].

As with every mass surveillance program, the basic law of collection (and search queries) is:

Garbage in, garbage out.

List of North Korean domains captured by FAIRVIEW. Picture Source

Since Intelligence X crawls North Korean domains (see our archive here https://intelx.io/?s=*&b=web.public.kp&pb=1) the above picture caught our attention. There are many of .KP domains that are unknown to us and everyone else.

What does the above picture actually show? It lists the top “20 North Korean domains” based on average bandwidth, as collected on upstream internet points in (!) the US (specifically at least from AT&T). It essentially lists traffic from people within the US to North Korean domains.

It does not take long to realize that most of the listed KP domains are complete garbage. For example, “zfr8.kp” cannot be resolved in DNS and by simply looking at the domain name itself, it would not make much sense. The full .KP TLD zone was accidentally made available for transfer on September 19, 2016; it’s always possible to look up the full list of KP domains here –https://github.com/mandatoryprogrammer/NorthKoreaDNSLeak – without relying on live DNS lookups.

Below are all domains listed from the picture with additional information provided by us. 12 out of 20 domains are invalid/fake: that’s 60% of domains shown in the presentation slide.

NSA listed .kp domains Bandwidth Kbps Intelligence X Info
star-co.net.kp
609Real domain, main NK email provider (no website)
silibank.net.kp131Real domain, used for emails (no website)
star.edu.kp2Real domain, used for emails (no website)
water.ocn.ne.kp< 1Non-existent
star-di.net.kp< 1 Real domain, used for emails, likely only historically
aimlessnessm.kp< 1Non-existent
vok.rep.kp< 1Real domain, Voice of Korea
zfr8.kp< 1Non-existent
xmufi.kp< 1Non-existent
zeido.kp< 1Non-existent
kpnwoa.mts.kp< 1Non-existent
azzoz.kp< 1Non-existent
fuana.kp< 1Non-existent
naenara.com.kp< 1Real domain, Korea Computer Center
rodong.rep.kp< 1Real domain, Rodong Sinmun, daily newspaper
kcna.kp< 1Real domain, Korean Central News Agency
majucm.kp< 1Non-existent
ziij.kp< 1Non-existent
poqoce.kp< 1Non-existent
netmwa.kp< 1Non-existent

How is the NSA intercepting emails sent to North Korea?

NSA intercepts traffic with Fairview via “cooperative effort associated with mid-point collection (cable, switch, router)” [3] slide 5. NSA is also tapping cables according to slide 4. Whatever traffic – whether garbage or not – comes through those access points and gets sniffed by NSA.

The presentation lists “DNI: Port 25” on slide 9 (DNI = “Digital Network Intelligence”). In human-speak this means sniffing port 25, which is used for SMTP (the protocol for sending emails). Since the North Korean SMTP servers do NOT support SSL, they are sent in plain text over the wire.

All of this means that essentially any email sent in the United States to a .KP (North Korea) domain will be intercepted by the NSA.

How are these false positive .KP domains produced and intercepted by NSA?

As mentioned NSA will sniff everything, whether garbage or not. One of the mentioned domains, “water.ocn.ne.kp”, quickly reveals the source of the false positives. It is a combination of spam and typos. There are actual email addresses that exist for the domain “water.ocn.ne.jp” (note the ending .JP for Japan, instead of .KP). The site, http://file.scirp.org/Html/7-1780056_25523.htm, lists the email “myhp.na@water.ocn.ne.jp” and is dated to 2012, matching the year of the presentation.

This particular non-existent “water.ocn.ne.kp” domain likely ended up in the NSA slide because somebody made a typo at the end of the email address, sending it to .KP, rather than .JP. It shows how is easy it is, simply making a typo mistake while sending an email, to end up forever in the NSA collection.

At the same time, it is surprising how little false-positive detection and quality control is done. North Korea is a high-value target and listing 60% non-existent domains (falsely associating them with North Korea) on a slide is an intelligence failure.

North Koreas Actual Domains

Here is a full list of actual .KP domains (source: Intelligence X). We are aware of a few more domains that are not publicly known. We may release them later this year.

DomainTitle
airkoryo.com.kpNational airline: Air Koryo
www.airkoryo.com.kpNational airline: Air Koryo
cooks.org.kpKorean Association of Cooks: North Korean recipes
www.cooks.org.kpKorean Association of Cooks: North Korean recipes
dprkportal.kpDPRK Portal
www.dprkportal.kpDPRK Portal
fia.law.kpFinancial Intelligence Agency
friend.com.kpCommittee for Cultural Relations / Korean Friendship Association
www.friend.com.kpCommittee for Cultural Relations
gnu.rep.kpPyongyang Broadcasting Service, radio station
www.gnu.rep.kpPyongyang Broadcasting Service, radio station
gpsh.edu.kp Grand People’s Study House
www.gpsh.edu.kp Grand People’s Study House
kass.org.kpKorea Association of Social Studies
www.kass.org.kpKorea Association of Social Studies
kcna.kpKorean Central News Agency
www.kcna.kpKorean Central News Agency
kftrade.com.kpForeign Trade of DPR of Korea
www.kftrade.com.kpForeign Trade of DPR of Korea
kiyctc.com.kpKorea International Youth and Childrens Travel Co.
knic.com.kpKorea National Insurance Co.
korean-books.com.kpKorean Books
www.korean-books.com.kpKorean Books
koredufund.org.kpKorea Education Fund
www.koredufund.org.kpKorea Education Fund
korelcfund.org.kpKorea Elderly Care Fund
www.korelcfund.org.kpKorea Elderly Care Fund
korfilm.com.kpKorea Film Corporation: North Korean movies
kut.edu.kpKim Chaek University of Technology
www.kut.edu.kpKim Chaek University of Technology
ma.gov.kpMartime Agency
www.ma.gov.kpMartime Agency
mail.silibank.net.kpInternational email service
manmulsang.com.kpManmulsang Commerce Website
mediaryugyong.com.kpRyugyong Programming Center
mfa.gov.kpMinistry of Foreign Affairs
www.mfa.gov.kpMinistry of Foreign Affairs
mirae.aca.kpMirae
www.mirae.aca.kpMirae
naenara.com.kpKorea Computer Centre
www.naenara.com.kpKorea Computer Centre
pulbora.edu.kpSamhung Intellectual Assets Center
www.pulbora.edu.kpSamhung Intellectual Assets Center
pyongyangtimes.com.kpThe Pyongyang Times
www.pyongyangtimes.com.kpThe Pyongyang Times
rodong.rep.kpRodong Sinmun, daily newspaper
www.rodong.rep.kpRodong Sinmun, daily newspaper
ryongnamsan.edu.kpKim Il Sung University
www.ryongnamsan.edu.kpKim Il Sung University
sdprk.org.kpSports in the DPRK
www.sdprk.org.kpSports in the DPRK
smtp.star-co.net.kpISP-related
smtp.star-di.net.kpISP-related
tourismdprk.gov.kpNational Tourism Administration
www.tourismdprk.gov.kpNational Tourism Administration
vok.rep.kpVoice of Korea
www.vok.rep.kpVoice of Korea
youth.rep.kpInformation on Korean Youth
www.youth.rep.kpInformation on Korean Youth

References

[1]
https://www.propublica.org/article/nsa-spying-relies-on-atts-extreme-willingness-to-help

[2]
https://electrospaces.blogspot.com/2015/08/fairview-collecting-foreign.html
https://electrospaces.blogspot.com/2014/01/slides-about-nsas-upstream-collection.html https://electrospaces.blogspot.com/2014/01/slides-about-nsas-upstream-collection.html

[3]
https://www.documentcloud.org/documents/2274319-fairviews2dbriefings11march2013.html

Related articles

Newsletter 2019-11-27

Published on November 27, 2019 by

November 2019: Academia Program and Inline Filters 🎓 Academia Program We are now offering free access to members of schools and universities. Accounts that register on intelx.io with an email address from a school or university get upgraded automatically. We have published a list of supported domains and add new ones on request. You can


Login Bruteforce attempts against intelx.io

Published on November 21, 2019 by

Minutes ago (evening of November 21, 2019) we just stopped an unsuccessful login bruteforce attack. The attacker’s email address is primeday@protonmail.com and the IPs used in the attack are 163.172.225.39 (a NordVPN IP), 94.36.97.33 and 87.0.205.119. There were 27,601 login attempts from those IPs before stopped by Intelligence X staff. As clearly stated in our


Inline Filters

Published on November 18, 2019 by

We have added inline statistics & filters. After searching, you can filter by data source, file type or date. Click on the summary line to expand the full statistics view and then click on either the data source, file type or the date heatmap.


Search the blog: