NSA program FAIRVIEW: Collecting trash. 🗑️

Published on March 20, 2019 by

Fairview is a NSA program designed to collect “phone, internet, and e-mail data mainly of foreign countries’ citizens at major cable landing stations and switching stations inside the United States”. It dates back to 1985 [1]. There are various good articles on the subject [2].

As with every mass surveillance program, the basic law of collection (and search queries) is:

Garbage in, garbage out.

List of North Korean domains captured by FAIRVIEW. Picture Source

Since Intelligence X crawls North Korean domains (see our archive here https://intelx.io/?s=*&b=web.public.kp&pb=1) the above picture caught our attention. There are many of .KP domains that are unknown to us and everyone else.

What does the above picture actually show? It lists the top “20 North Korean domains” based on average bandwidth, as collected on upstream internet points in (!) the US (specifically at least from AT&T). It essentially lists traffic from people within the US to North Korean domains.

It does not take long to realize that most of the listed KP domains are complete garbage. For example, “zfr8.kp” cannot be resolved in DNS and by simply looking at the domain name itself, it would not make much sense. The full .KP TLD zone was accidentally made available for transfer on September 19, 2016; it’s always possible to look up the full list of KP domains here –https://github.com/mandatoryprogrammer/NorthKoreaDNSLeak – without relying on live DNS lookups.

Below are all domains listed from the picture with additional information provided by us. 12 out of 20 domains are invalid/fake: that’s 60% of domains shown in the presentation slide.

NSA listed .kp domains Bandwidth Kbps Intelligence X Info
star-co.net.kp
609Real domain, main NK email provider (no website)
silibank.net.kp131Real domain, used for emails (no website)
star.edu.kp2Real domain, used for emails (no website)
water.ocn.ne.kp< 1Non-existent
star-di.net.kp< 1 Real domain, used for emails, likely only historically
aimlessnessm.kp< 1Non-existent
vok.rep.kp< 1Real domain, Voice of Korea
zfr8.kp< 1Non-existent
xmufi.kp< 1Non-existent
zeido.kp< 1Non-existent
kpnwoa.mts.kp< 1Non-existent
azzoz.kp< 1Non-existent
fuana.kp< 1Non-existent
naenara.com.kp< 1Real domain, Korea Computer Center
rodong.rep.kp< 1Real domain, Rodong Sinmun, daily newspaper
kcna.kp< 1Real domain, Korean Central News Agency
majucm.kp< 1Non-existent
ziij.kp< 1Non-existent
poqoce.kp< 1Non-existent
netmwa.kp< 1Non-existent

How is the NSA intercepting emails sent to North Korea?

NSA intercepts traffic with Fairview via “cooperative effort associated with mid-point collection (cable, switch, router)” [3] slide 5. NSA is also tapping cables according to slide 4. Whatever traffic – whether garbage or not – comes through those access points and gets sniffed by NSA.

The presentation lists “DNI: Port 25” on slide 9 (DNI = “Digital Network Intelligence”). In human-speak this means sniffing port 25, which is used for SMTP (the protocol for sending emails). Since the North Korean SMTP servers do NOT support SSL, they are sent in plain text over the wire.

All of this means that essentially any email sent in the United States to a .KP (North Korea) domain will be intercepted by the NSA.

How are these false positive .KP domains produced and intercepted by NSA?

As mentioned NSA will sniff everything, whether garbage or not. One of the mentioned domains, “water.ocn.ne.kp”, quickly reveals the source of the false positives. It is a combination of spam and typos. There are actual email addresses that exist for the domain “water.ocn.ne.jp” (note the ending .JP for Japan, instead of .KP). The site, http://file.scirp.org/Html/7-1780056_25523.htm, lists the email “myhp.na@water.ocn.ne.jp” and is dated to 2012, matching the year of the presentation.

This particular non-existent “water.ocn.ne.kp” domain likely ended up in the NSA slide because somebody made a typo at the end of the email address, sending it to .KP, rather than .JP. It shows how is easy it is, simply making a typo mistake while sending an email, to end up forever in the NSA collection.

At the same time, it is surprising how little false-positive detection and quality control is done. North Korea is a high-value target and listing 60% non-existent domains (falsely associating them with North Korea) on a slide is an intelligence failure.

North Koreas Actual Domains

Here is a full list of actual .KP domains (source: Intelligence X). We are aware of a few more domains that are not publicly known. We may release them later this year.

DomainTitle
airkoryo.com.kpNational airline: Air Koryo
www.airkoryo.com.kpNational airline: Air Koryo
cooks.org.kpKorean Association of Cooks: North Korean recipes
www.cooks.org.kpKorean Association of Cooks: North Korean recipes
dprkportal.kpDPRK Portal
www.dprkportal.kpDPRK Portal
fia.law.kpFinancial Intelligence Agency
friend.com.kpCommittee for Cultural Relations / Korean Friendship Association
www.friend.com.kpCommittee for Cultural Relations
gnu.rep.kpPyongyang Broadcasting Service, radio station
www.gnu.rep.kpPyongyang Broadcasting Service, radio station
gpsh.edu.kp Grand People’s Study House
www.gpsh.edu.kp Grand People’s Study House
kass.org.kpKorea Association of Social Studies
www.kass.org.kpKorea Association of Social Studies
kcna.kpKorean Central News Agency
www.kcna.kpKorean Central News Agency
kftrade.com.kpForeign Trade of DPR of Korea
www.kftrade.com.kpForeign Trade of DPR of Korea
kiyctc.com.kpKorea International Youth and Childrens Travel Co.
knic.com.kpKorea National Insurance Co.
korean-books.com.kpKorean Books
www.korean-books.com.kpKorean Books
koredufund.org.kpKorea Education Fund
www.koredufund.org.kpKorea Education Fund
korelcfund.org.kpKorea Elderly Care Fund
www.korelcfund.org.kpKorea Elderly Care Fund
korfilm.com.kpKorea Film Corporation: North Korean movies
kut.edu.kpKim Chaek University of Technology
www.kut.edu.kpKim Chaek University of Technology
ma.gov.kpMartime Agency
www.ma.gov.kpMartime Agency
mail.silibank.net.kpInternational email service
manmulsang.com.kpManmulsang Commerce Website
mediaryugyong.com.kpRyugyong Programming Center
mfa.gov.kpMinistry of Foreign Affairs
www.mfa.gov.kpMinistry of Foreign Affairs
mirae.aca.kpMirae
www.mirae.aca.kpMirae
naenara.com.kpKorea Computer Centre
www.naenara.com.kpKorea Computer Centre
pulbora.edu.kpSamhung Intellectual Assets Center
www.pulbora.edu.kpSamhung Intellectual Assets Center
pyongyangtimes.com.kpThe Pyongyang Times
www.pyongyangtimes.com.kpThe Pyongyang Times
rodong.rep.kpRodong Sinmun, daily newspaper
www.rodong.rep.kpRodong Sinmun, daily newspaper
ryongnamsan.edu.kpKim Il Sung University
www.ryongnamsan.edu.kpKim Il Sung University
sdprk.org.kpSports in the DPRK
www.sdprk.org.kpSports in the DPRK
smtp.star-co.net.kpISP-related
smtp.star-di.net.kpISP-related
tourismdprk.gov.kpNational Tourism Administration
www.tourismdprk.gov.kpNational Tourism Administration
vok.rep.kpVoice of Korea
www.vok.rep.kpVoice of Korea
youth.rep.kpInformation on Korean Youth
www.youth.rep.kpInformation on Korean Youth

References

[1]
https://www.propublica.org/article/nsa-spying-relies-on-atts-extreme-willingness-to-help

[2]
https://electrospaces.blogspot.com/2015/08/fairview-collecting-foreign.html
https://electrospaces.blogspot.com/2014/01/slides-about-nsas-upstream-collection.html https://electrospaces.blogspot.com/2014/01/slides-about-nsas-upstream-collection.html

[3]
https://www.documentcloud.org/documents/2274319-fairviews2dbriefings11march2013.html

Related articles

Redesigned user interface and added statistics

Published on June 3, 2019 by

Update 6/7/2019: We added a full-screen view (click on the new button next to “Back to result”) as well as a new search bar when clicking on a search result. If you don’t see it, make sure to refresh the website (CTRL + F5) as your browser may have cached the old version. Original 6/3/2019:


Social Security Numbers

Published on May 22, 2019 by

We added support for US Social Security Numbers (SSNs)! You can immediately search for them here: https://intelx.io/?s=086-38-5955 Whis this is important Searching at Intelligence X works based on selectors (strong search terms). When you search for something, the system automatically detects suitable selectors and performs a search. Below is the list of supported selectors: Email


A comparison of darknet search engines

Published on May 11, 2019 by

A few days ago a new search engine DarkSearch for Tor launched, adding to the mix of other existing search engines out there like Ahmia, Torch, Not Evil, and Haystack – it’s time for a feature comparison! No search engine can cover 100% of the pages due to the nature of Tor. There is no


Search the blog:

Subscribe for the newsletter: