NSA program FAIRVIEW: Collecting trash. 🗑

Published on March 20, 2019 by

Fairview is a NSA program designed to collect “phone, internet, and e-mail data mainly of foreign countries’ citizens at major cable landing stations and switching stations inside the United States”. It dates back to 1985 [1]. There are various good articles on the subject [2].

As with every mass surveillance program, the basic law of collection (and search queries) is:

Garbage in, garbage out.

List of North Korean domains captured by FAIRVIEW. Picture Source

Since Intelligence X crawls North Korean domains (see our archive here https://intelx.io/?s=*&b=web.public.kp&pb=1) the above picture caught our attention. There are many of .KP domains that are unknown to us and everyone else.

What does the above picture actually show? It lists the top “20 North Korean domains” based on average bandwidth, as collected on upstream internet points in (!) the US (specifically at least from AT&T). It essentially lists traffic from people within the US to North Korean domains.

It does not take long to realize that most of the listed KP domains are complete garbage. For example, “zfr8.kp” cannot be resolved in DNS and by simply looking at the domain name itself, it would not make much sense. The full .KP TLD zone was accidentally made available for transfer on September 19, 2016; it’s always possible to look up the full list of KP domains here –https://github.com/mandatoryprogrammer/NorthKoreaDNSLeak – without relying on live DNS lookups.

Below are all domains listed from the picture with additional information provided by us. 12 out of 20 domains are invalid/fake: that’s 60% of domains shown in the presentation slide.

NSA listed .kp domains Bandwidth Kbps Intelligence X Info
star-co.net.kp
609Real domain, main NK email provider (no website)
silibank.net.kp131Real domain, used for emails (no website)
star.edu.kp2Real domain, used for emails (no website)
water.ocn.ne.kp< 1Non-existent
star-di.net.kp< 1 Real domain, used for emails, likely only historically
aimlessnessm.kp< 1Non-existent
vok.rep.kp< 1Real domain, Voice of Korea
zfr8.kp< 1Non-existent
xmufi.kp< 1Non-existent
zeido.kp< 1Non-existent
kpnwoa.mts.kp< 1Non-existent
azzoz.kp< 1Non-existent
fuana.kp< 1Non-existent
naenara.com.kp< 1Real domain, Korea Computer Center
rodong.rep.kp< 1Real domain, Rodong Sinmun, daily newspaper
kcna.kp< 1Real domain, Korean Central News Agency
majucm.kp< 1Non-existent
ziij.kp< 1Non-existent
poqoce.kp< 1Non-existent
netmwa.kp< 1Non-existent

How is the NSA intercepting emails sent to North Korea?

NSA intercepts traffic with Fairview via “cooperative effort associated with mid-point collection (cable, switch, router)” [3] slide 5. NSA is also tapping cables according to slide 4. Whatever traffic – whether garbage or not – comes through those access points and gets sniffed by NSA.

The presentation lists “DNI: Port 25” on slide 9 (DNI = “Digital Network Intelligence”). In human-speak this means sniffing port 25, which is used for SMTP (the protocol for sending emails). Since the North Korean SMTP servers do NOT support SSL, they are sent in plain text over the wire.

All of this means that essentially any email sent in the United States to a .KP (North Korea) domain will be intercepted by the NSA.

How are these false positive .KP domains produced and intercepted by NSA?

As mentioned NSA will sniff everything, whether garbage or not. One of the mentioned domains, “water.ocn.ne.kp”, quickly reveals the source of the false positives. It is a combination of spam and typos. There are actual email addresses that exist for the domain “water.ocn.ne.jp” (note the ending .JP for Japan, instead of .KP). The site, http://file.scirp.org/Html/7-1780056_25523.htm, lists the email “myhp.na@water.ocn.ne.jp” and is dated to 2012, matching the year of the presentation.

This particular non-existent “water.ocn.ne.kp” domain likely ended up in the NSA slide because somebody made a typo at the end of the email address, sending it to .KP, rather than .JP. It shows how is easy it is, simply making a typo mistake while sending an email, to end up forever in the NSA collection.

At the same time, it is surprising how little false-positive detection and quality control is done. North Korea is a high-value target and listing 60% non-existent domains (falsely associating them with North Korea) on a slide is an intelligence failure.

North Koreas Actual Domains

Here is a full list of actual .KP domains (source: Intelligence X). We are aware of a few more domains that are not publicly known. We may release them later this year.

DomainTitle
airkoryo.com.kpNational airline: Air Koryo
www.airkoryo.com.kpNational airline: Air Koryo
cooks.org.kpKorean Association of Cooks: North Korean recipes
www.cooks.org.kpKorean Association of Cooks: North Korean recipes
dprkportal.kpDPRK Portal
www.dprkportal.kpDPRK Portal
fia.law.kpFinancial Intelligence Agency
friend.com.kpCommittee for Cultural Relations / Korean Friendship Association
www.friend.com.kpCommittee for Cultural Relations
gnu.rep.kpPyongyang Broadcasting Service, radio station
www.gnu.rep.kpPyongyang Broadcasting Service, radio station
gpsh.edu.kp Grand People’s Study House
www.gpsh.edu.kp Grand People’s Study House
kass.org.kpKorea Association of Social Studies
www.kass.org.kpKorea Association of Social Studies
kcna.kpKorean Central News Agency
www.kcna.kpKorean Central News Agency
kftrade.com.kpForeign Trade of DPR of Korea
www.kftrade.com.kpForeign Trade of DPR of Korea
kiyctc.com.kpKorea International Youth and Childrens Travel Co.
knic.com.kpKorea National Insurance Co.
korean-books.com.kpKorean Books
www.korean-books.com.kpKorean Books
koredufund.org.kpKorea Education Fund
www.koredufund.org.kpKorea Education Fund
korelcfund.org.kpKorea Elderly Care Fund
www.korelcfund.org.kpKorea Elderly Care Fund
korfilm.com.kpKorea Film Corporation: North Korean movies
kut.edu.kpKim Chaek University of Technology
www.kut.edu.kpKim Chaek University of Technology
ma.gov.kpMartime Agency
www.ma.gov.kpMartime Agency
mail.silibank.net.kpInternational email service
manmulsang.com.kpManmulsang Commerce Website
mediaryugyong.com.kpRyugyong Programming Center
mfa.gov.kpMinistry of Foreign Affairs
www.mfa.gov.kpMinistry of Foreign Affairs
mirae.aca.kpMirae
www.mirae.aca.kpMirae
naenara.com.kpKorea Computer Centre
www.naenara.com.kpKorea Computer Centre
pulbora.edu.kpSamhung Intellectual Assets Center
www.pulbora.edu.kpSamhung Intellectual Assets Center
pyongyangtimes.com.kpThe Pyongyang Times
www.pyongyangtimes.com.kpThe Pyongyang Times
rodong.rep.kpRodong Sinmun, daily newspaper
www.rodong.rep.kpRodong Sinmun, daily newspaper
ryongnamsan.edu.kpKim Il Sung University
www.ryongnamsan.edu.kpKim Il Sung University
sdprk.org.kpSports in the DPRK
www.sdprk.org.kpSports in the DPRK
smtp.star-co.net.kpISP-related
smtp.star-di.net.kpISP-related
tourismdprk.gov.kpNational Tourism Administration
www.tourismdprk.gov.kpNational Tourism Administration
vok.rep.kpVoice of Korea
www.vok.rep.kpVoice of Korea
youth.rep.kpInformation on Korean Youth
www.youth.rep.kpInformation on Korean Youth

References

[1]
https://www.propublica.org/article/nsa-spying-relies-on-atts-extreme-willingness-to-help

[2]
https://electrospaces.blogspot.com/2015/08/fairview-collecting-foreign.html
https://electrospaces.blogspot.com/2014/01/slides-about-nsas-upstream-collection.html https://electrospaces.blogspot.com/2014/01/slides-about-nsas-upstream-collection.html

[3]
https://www.documentcloud.org/documents/2274319-fairviews2dbriefings11march2013.html

Related articles

Newsletter 2019-10-17

Published on October 17, 2019 by

October 2019: Russia, Grouping Results, and DDoS attack 🇷🇺 Russia Want to investigate the Russian government? We are helping with a new search category, “Government: Russia”. It indexes data from Russian governmental domains, including: gov.ru – Russian Government mil.ru – Ministry of Defence of the Russian Federation kremlin.ru – Official website of the President of


Want to investigate the Russian government? We are helping.

Published on October 5, 2019 by

We just released a new search category “Government: Russia”. It indexes data from Russian governmental domains, including: *.gov.ru – Russian Government *.mil.ru – Ministry of Defence of the Russian Federation kremlin.ru – Official website of the President of Russia fsb.ru – Federal Security Service government.ru – Russian Government supcourt.ru – Supreme Court of Russia cikrf.ru


New Feature: Grouping of Similar Results

Published on October 3, 2019 by

A new features was just added: Grouping of similar results. This new feature is optional and can be in the Advanced menu -> Settings -> “Group Similar Results” checkbox. Try it out by clicking on this link and scroll down: https://intelx.io/?s=test.com&b=darknet.tor&g=1 If there are many search results, this feature can help to declutter the result


Search the blog:

Subscribe for the newsletter: