Malicious Life Podcast: Operation GUNMAN and the World's First Keylogger

November 22, 2020

In 1983, the US got word that an ally's embassy (probably France) was bugged by the Soviets. This report triggered Operation GUNMAN and a complete removal and debugging of *all* electronic devices in the US embassy in the USSR. This secretive operation resulted in a surprising discovery - and made the NSA what it is today - check it out...

About the Guest

Andrew Borene

Managing Director, US Public Sector at Cybereason

Andrew Borene is Managing Director for US Federal and Public Sector at Cybereason. He has experience leading advanced technology, high risk, and rapid growth initiatives for companies such as Symantec, IBM, LexisNexis, Booz Allen Hamilton and Wells Fargo. Most recently, he was turnaround CEO of Cipherloc Corporation. Previously, he was Senior Director of Symantec’s National Security Group (NSG). He has been a Senior Advisor to the Director of the Intelligence Advanced Research Projects Activity (IARPA) as a consultant, and an Associate Deputy General Counsel at the Pentagon. He is a former U.S. Marine officer.

About the Host

Ran Levi

Born in Israel in 1975, Malicious Life Podcast host Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.

In 2007, he created the popular Israeli podcast Making History. He is the author of three books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

About The Malicious Life Podcast

Malicious Life by Cybereason exposes the human and financial powers operating under the surface that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution. Host Ran Levi interviews hackers and industry experts, discussing the hacking culture of the 1970s and 80s, the subsequent rise of viruses in the 1990s and today’s advanced cyber threats.

Malicious Life theme music: ‘Circuits’ by TKMusic, licensed under Creative Commons License. Malicious Life podcast is sponsored and produced by Cybereason.

Op. GUNMAN & The World's First Keylogger Transcript

N.

S.

A.

Few acronyms can evoke so much awe, so much fear. ISIS, maybe, or CCP. Or YMCA. That song haunts my nightmares!

The NSA is worthy of just about every adjective applied to it over the years. But it wasn’t always as big and scary a place as it is today. In fact, it wasn’t always that important. The organization was formally established just six weeks after a bug was uncovered in the U.S. Ambassador’s office in Moscow – a story we described in detail on episode 17 of our show. “The Thing,” as it was affectionately named, was a listening device so sneakily hidden inside a large wooden plaque that it hung in that ambassador’s office, undetected, for nearly seven years.

Hi, and welcome to ML in collaboration with Cybereason. I’m Ran Levi.

The NSA wasn’t created because of The Thing, but these two events coincided in a convenient way. The new “NSA” was tasked with organizing the U.S. government’s cryptologic capabilities, particularly with regards to communications security. That meant, for example, securing communications at embassies abroad.

NEW EMBASSY BUILDING
So when, in the mid-1960s, the U.S. and U.S.S.R. began to make plans for building new embassies in each other’s respective capitals, this new organization was well-positioned to comment. A high-ranking NSA official wrote to the U.S. Ambassador in Moscow. Quote:

“In past Soviet building activity concerning embassies it could be predicted that every attempt would be made to ‘fix’ the materials and the construction. Experience has shown that some of the fixes can only be found by extensive destruction. In the case of the Moscow site every attempt should be made to use U.S. building materials and construction personnel.”

Building a sensitive site in Eastern territory would be perilous. The Soviets were prolific with spying technologies–hiding cameras and microphones in walls and furniture. (It’s something Russia still does well to this day.) They could even do it, as this official noted, in the building materials themselves.

But the NSA simply didn’t hold the sway back then that they do now. In a four-volume series on American cryptology during the Cold War, historian Thomas R. Johnson writes how the State Department–which manages foreign embassies–didn’t heed the advice of their brainy NSA counterparts. They allowed the U.S.S.R. state-owned construction company to prefabricate large parts of the new embassy building offsite, without supervision. And while 600 to 800 Soviet workers built the 10-story tower, only 20 to 30 Americans were assigned to oversee the project. One Yankee for every 30 Commies.

It won’t surprise you what happened next. In 1982, an NSA team went to investigate the building and found a suite of problems. There were locks that didn’t actually lock, and alarms that didn’t sound. The FBI was called in, and they found more of the same. And despite both organizations finding all kinds of security flaws, neither caught the most important bit of all. Three years later, listening devices were discovered built into the building’s prefabricated columns.

The exact thing the NSA warned about two decades earlier.

CATALYST
The bugging of the Moscow embassy was the exact kind of thing to get the new U.S. administration on edge. Ronald Reagan was now President, and he and his people were arguably more sensitive to the Russians than any administration had been before.

So they were ready to pounce when, in 1983, they received an interesting bit of news.

“[Andrew] So, one of the United States’ strong free world democratic allies shared that there was a bug in a device.”

That’s Andrew Borene–someone who’s been in a lot of the rooms where international cyber intelligence happens.

“[Andrew] I started kind of my government and technology career as a US Marine officer working in Signals Intelligence. Then I went to law school and spent some time at the Pentagon at the General Counsel’s Office and have been in and out of a number of high-tech leadership roles in robotics, big data, intelligence analysis, and kind of the… supporting the intelligence community for about 20 years.”

In early 1983, the U.S. got word from an ally–France, according to the Crypto Museum–that they’d found a bug in some of their own embassy’s equipment. That the Soviets were spying on the French was, frankly, not so surprising. What was surprising was the way they were doing it.

The bug itself was the headline. It was highly sophisticated–more so than anything the allies had ever seen from their counterpart. An internal NSA document called “Learning from the Enemy” details what was so remarkable about this device. Quote:

“The bug [. . .] could be rapidly and easily installed by nontechnical personnel; it resisted detection by conventional methods; and it was wireless and remotely controlled. Search by disassembly and visual inspection, when conducted by any but the best-trained technicians, would normally be unproductive.”

After learning about the French bug, the Americans came to two conclusions. First: that developing such a bug must have required an immense amount of time, money, and manpower.

And, second: whatever the Soviets were doing against the French, they would surely be doing twice as badly to the Americans.

WALT DEELEY
So there was no time to waste. The U.S. called on their top cryptology nerd: the head of the NSA, a man named Walter Deeley.

“[Andrew] Walt Deeley, I believe, joined NSA in the 1950s, kind of his… just after the National Security Act in 1947 established a formalized US intelligence enterprise. And so he’s kind of a plank holder of a national SIGINT entity.

Throughout the 1960s, he really rose through the ranks of what was called the SIGINT Operations Director. [. . .] if you think about that, that would be akin to kind of coming into a government agency in the early 2000s as the internet, the advent of the internet, right? So cyber is today what SIGINT was in the 1960s and ‘70s. So he’s kind of a pioneer.”

It’s tough to know too much about NSA people, by virtue of how secretive the organization has always been. But wherever you read about Walt Deeley, the same kinds of adjectives keep popping up: “strong-willed,” “tough,” “results-oriented.” Definitely not a fun boss, but one of the most effective leaders ever to grace the NSA.

“[Andrew] Walt Deeley also, you know, reportedly is responsible for the development of a secure telephone system, which has been called by many people the most important improvement in US government telecommunications security since World War II. So, you know, he’s a legend in a lot of ways.”

Walt Deeley spent essentially his whole career–35 years–at the NSA. But the biggest challenge he ever faced–the one that defined his tenure, the one they write about in Walt Deeley obituaries–was “Project Gunman.”

LOGISTICS
Project Gunman was simple: Deeley’s NSA would have to inspect every machine in the U.S. embassy, for any possible Soviet bugs.

Easier said than done.

“[Andrew] I mean it was really a massive, massive operation.”

Picture printers, computers, teletypes, copiers–anything electronic in the building would have to be removed. But even just figuring out what equipment there was in the building was a logistical nightmare. Quote:

“The first problem that we faced was the lack of a centralized inventory at the embassy. The problem was further complicated because individual departments had software tailored to their specific needs. For instance, we could not simply replace all of the Wang computers. Keeping track of all of the various software was hard enough, but keeping track of all of the variations was a nightmare. With the assistance of a few trusted communication center embassy employees, we were able to obtain diagrams and frequently the original diagram did not always match with the equipment that had been actually delivered.”

Each bit of equipment removed from the building had to be replaced, like-for-like, meaning the NSA had to buy or otherwise procure ten stories’ worth of sometimes highly particular machines. It was an almost comical thing to do–like a thief breaking into a house, stealing all the valuables inside, and then replacing it all with the exact same valuables, exactly as they were arranged before the break-in.

Oh, and the house is a giant city building.

“[Andrew] they had to move reportedly 10 tons of material up and down and throughout that embassy.”

Have you ever moved before? Remember how tiring it was to carry your couch, your fridge and your bed out of the building, into a truck, up and down flights of stairs?

Project Gunman was like that, but for every room in a ten-story building.

SECRECY
In fact it was worse than that. It was like moving houses, if you had to hide that you were doing it from your spouse.

“[Andrew] they had to do this protecting the secrecy that they were even looking for the bugs because they didn’t want to alert Russian intelligence that they thought there might be an issue.”

The U.S.S.R. kept a close watch over the American embassy, for obvious reasons.

“[Andrew] the Russians at the time [. . .] were using photographic reconnaissance patrols, running spies inside the embassy and all kinds of other antics that they were up to.”

What would happen if they saw a bunch of Americans moving 10 tons of machines in and out of the building? Just about anything. Even if they had no idea what it was for, the Soviets still liked to play little games to keep the Americans on their toes. As the Moscow embassy’s Deputy Chief of Communications wrote, quote:

“Every embassy is at the mercy of the host country because it must depend on the host for water, electricity and heat just as any other building in a country is dependent on that country for utilities. It was more difficult in Moscow because we had an adversarial relationship. Sometimes the Soviets played games by shutting off utilities.

[. . .] even in our personal life. I lived in an apartment outside the U.S. compound. I would come home to find my freezer unplugged, shirts missing from my closet, or a dirty glass in the sink that had contained liquor.”

The Soviets didn’t need a reason to mess around with the Americans. But if they found out what was really going on, it wouldn’t be fun and games. According to “Learning from the Enemy,” quote: “The Soviets had a history of poisoning or using other means to injure technicians from other countries who investigated bugs in their respective embassies.” End quote.

To avoid alerting the Soviets to their plan, the NSA decided upon a strict need-to-know policy for all personnel, even Americans. Only those directly involved in the operation, the ambassador himself, the President and his defense advisors, and the heads of the CIA and State Department were to be briefed on the plan. Even embassy employees were given a cover story–that their equipment was being upgraded. The Soviets were told that the equipment was being shipped back home for safety inspection.

DAY OF
After the replacement equipment was flown in, under heavy 24/7 protection, the mission began. Machines were brought up and downstairs via a hoist that went up the side of the building, and in a service elevator that could only fit four people (or a couple people and a couple machines). After one day, the Soviets shut down the elevator for “preventative maintenance.” So everything had to be manually hauled through three-foot-wide hallways and up and down up to ten flights of stairs. One NSA employee brought to Moscow specifically for Project GUNMAN recounted the story, quote:

“I arrived late on a Saturday and began work early on Sunday morning. I had two kinds of tasks, protect the equipment that was held overnight in the attic and help with the unloading and loading of equipment. I brought alarms and sensors that I set up in the attic. I ran the wires down to the Marine guards on the sixth floor. No one interfered with our equipment while we were there.

The logistics of the operation were handled superbly. A shipping clerk was part of the team. He opened the diplomatic pouch, uncrated the equipment and opened the box. We carried the equipment down to its position. While members of the team set up the new piece of equipment, others brought the old one back to the attic where it was repackaged in the box that contained the new equipment. We spent lots of time running up and down the stairs. The teletype machines were really, really heavy. They were also very wide and could barely fit through the stairways.

We started changing equipment in the State Department communication center. We systematically worked our way through the rest of the building. I was at the embassy for ten days. It was a real adventure.”

SEARCH FOR EVIDENCE
Once the equipment arrived at NSA headquarters, the best communications security experts in the country began working around the clock, methodically inspecting every item of equipment received from Moscow in absolutely excruciating detail. Every machine was inspected visually, then x-rayed and compared against known standards for each model.

But after two, long months, nothing suspicious was found. People started to become restless. With the amount of investment it took to get all those hundreds of machines onto U.S. soil, they simply had to come up with something. The NSA’s reputation was on the line. The President was watching. A physicist on the team said of that time, quote:

“The adrenalin was really flowing. About twenty-five of us were involved in the search. We all recognized the importance of our work. NSA’s reputation was on the line, and it was up to us to find something. We felt sure that the Soviets were taking advantage of us.”

Employees were working on weekends and through long nights. Walt Deeley, growing increasingly impatient, fired and replaced the manager of the investigative team, and posted a $5,000 bounty for whoever was first to find something.

But through it all, every computer, printer and copier showed up clean. Did they really fleece an entire embassy all for nothing? As one engineer recalled, they were both motivated to catch the Soviets and running out of options for doing so. Quote:

“We knew who the enemy was and wanted to limit his effect. I frequently worked at night and on the weekends by myself in the trailer examining equipment. After we had looked at all of the crypto gear, we eventually made our way to examining the typewriters.”

That the engineer was even looking at the typewriters was a bad sign. Since they were electric typewriters–“Selectric” typewriters, made by IBM–they did qualify for inspection. But they were pretty low-priority in the grand scheme of things. Of 250 total typewriters in the embassy, only 50 were hurriedly crammed into the last boxes that shipped out from Moscow. One NSA official said, quote: “I had no targeting against typewriters…Had those typewriters not come [in time]…I would have shipped without them without a wink.” End quote.

Nonetheless, the engineers took a look. Quote:

“I took a typewriter apart to look at all of the possible places where a bug could be inserted. I created an image of these areas which enabled me to take fewer but clearer x-rays of the important sections.”

DISCOVERY
On one late evening, after work hours, a young technician named Michael Arneson was examining x-rays from one of these electric typewriters when he noticed a, quote, “ghostly gray” thing in the image. It appeared to be an extra coil on the machine’s power switch. It wasn’t much to go on, but it was something. He recalled, quote: “After looking at so many x-rays day after day for so many hours, I could easily have missed it.” End quote.

To be safe, Arneson went ahead and x-rayed the entire machine, top to bottom. The new x-rays seemed even stranger–the center of the machine was cluttered, in a way that clearly didn’t accord with the other Selectric models. Quote:

“When I saw those x-rays, my response was ‘holy f***’. [. . .] I was very excited, but no one was around to tell the news. My wife was an NSA employee, but I could not even tell her because of the level of classification of the project. I could hardly wait for morning when my colleagues would return.”

Arneson didn’t know much, but he was confident that this was what he and 24 other technicians had been looking for all along. Quote:

“The next morning, [the engineers] argued about whether we had an anomaly or a bugged typewriter. Some typewriters had memory now which could account for additional circuits. What led us to conclude that this typewriter was probably bugged was the location of so many circuits in a metal bar that went along the length of the machine. When our boss arrived, we informed him and called in other experts from R9. Deeley informed the DIRNSA. Now the pace of our work really increased. We had to thoroughly examine all embassy typewriters in the USSR because most likely there were more bugs. We had to educate other U.S. embassy personnel from East Bloc countries on how to search for bugs. We also began the difficult task of reverse engineering the bug to see how it worked.”

HOW IT WORKED
“[Andrew] So in essence, this device was invisibly implanted inside a kind of a structural bar inside the typewriter and then the device would read.”

The IBM Selectric typewriter looks kind of like the bottom half of an old computer–a keyboard, and the base of the monitor, without the actual screen. Above the keyboard, along where the paper goes, is a metal bar which runs the length of the machine. Along the bar, there’s a rotating print head–it looks like a golf ball, with the letters A to Z, upper and lower case, the numbers 1 to 9 and special characters engraved on it.

“[Andrew] So when the user would type a letter, that letter sends an electric signal to the Selectric ball. Selectric ball then does its rotation horizontally and vertically, smacks the letter onto the paper.”

Actually, I myself used these Selectric typewriters – or perhaps a clone very similar to it – when I was a teenager, back in the 80s. I absolutely loved to type the science fiction-y short stories I used to write back then on these ‘cutting edge’ machines, so much more sophisticated than the old purely mechanical typewriters of the 60s and 70s… the rotating and smacking of the Selectric ball had a kind of hypnotic grace to it.

But enough with the nostalgia. The obvious question here is: how in the world do you hack a typewriter? We’re talking about ink and paper!

When news outlets later caught word of the story, they were as confused as you are. Time Magazine speculated on how the bug might have been able to designate specific electromagnetic signatures to each character. An expert interviewed for Discover Magazine guessed that the bug listened for the timing of key presses. Quote:

“The time it takes to accomplish the rotation to each letter is different. A low-tech listening device planted in the room could transmit the sounds of a typing Selectric to a computer. The computer could then easily measure the time intervals between each key stroke and the character being put on the paper, and thus determine which character had been tapped.”

The real explanation was even better than that.

What the device did in real time was read the side-channel electromagnetic emissions from the typewriter that were telling the Selectric ball what to do.

Every digital device–everything from your iPhone to an old IBM Selectric typewriter–radiates electromagnetic and acoustic waves, kind of like how the human body radiates heat. These waves travel in every which direction, and keep traveling out into the aether forever. We rarely think about these kinds of signals, because they’re just not that relevant to how we interact with the devices. For hackers they’re hardly very interesting, either–or, rather, they’re so much harder to capture and manipulate than the digital information we’re used to dealing with that they just end up being ignored.

But what if you could tune into the particular frequency of those waves? Amplify the signals, analyze them for patterns and possibly reverse-engineer the raw input data itself? In the Selectric, it was the bails–little mechanical arms that moved the rotating print head–which produced the waves. Quote:

“[. . .] the movement of the bails determined which character had been typed because each character had a unique binary movement corresponding to the bails. The magnetic energy picked up by the sensors in the bar was converted into a digital electrical signal. The signals were compressed into a four-bit frequency select word. The bug was able to store up to eight four-bit characters. When the buffer was full, a transmitter in the bar sent the information out [. . .] to a nearby listening post. Data were transmitted via radio frequency.”

“[Andrew] so the Russian intelligence organizations could basically intercept what was being typed on these IBM computers by US personnel inside the embassy.”

Even today, the Selectric bug seems pretty high-tech. And it did all this despite being near-microscopic in size–almost invisible to the naked eye. It lasted for years without need for repair, and could be turned on and off from a remote distance.

“[Andrew] So the early devices, I believe were powered by a battery that was implanted and hidden inside a component on the typewriter. Subsequently, later devices were able to kind of siphon off a little bit of the alternating current and run off the wall outlets just like the computer was or the typewriter was rather.”

OUTCOME

“[Andrew] The level of investment, time, and patience to just get that operation built, the strategic vision to put it into the embassy shows that you know really the Russians, 20… like now, 40 years ago were heavily invested into the same type of activity that we would now call Advanced Persistent Threat or APT.”

After the discovery, Walt Deeley’s task force ordered that the remaining 200 Selectric typewriters at the Moscow embassy be shipped home. In total, they found 16 bugged machines.

The damage to U.S. intelligence, as a result of these leaks, was even more difficult to find than the implant itself. No record remained of when the compromised machines were delivered, to which part of the embassy building, and for whose use, because the State Department destroyed those kinds of records, routinely, every two years. The bugs were likely active for well over two years.

We’ll never know just how much they managed to intercept.

FALLOUT
The NSA wasn’t always as big and scary a place as it is today. In fact, it wasn’t always that important.

GUNMAN was one, major step towards legitimizing the NSA, and making it a recognizable name within the wider U.S. government. One engineer from the time of GUNMAN recalled how, quote:

“Before 1984 the community did not believe NSA and its abilities. As a result of the 1984 work on GUNMAN, the stature of NSA in terms of dealing with the embassy security community changed radically. We became the voice to listen to.”

End quote. Following the events of 1984, the NSA’s responsibilities increased. They became, basically, the Marie Kondo of communications security–evaluating and advising other government divisions and agencies on the communications security of their own facilities.

Walt Deeley–the tough-minded, no-nonsense leader of the GUNMAN project–retired from the NSA the year after uncovering the Selectric Bug. He passed away four years later. 25 years after his passing, he was inducted into the NSA’s Cryptologic Hall of Honor.

“[Andrew] in our field of technical security, information security, military security or even national security, we often look for role models, people that were so committed to the mission and to leading change and innovation. And I think Walt Deeley is certainly one I remember as one of those throughout the US national security community.”

The legacy of Project GUNMAN lives on in all kinds of ways. In the power and breadth of the modern NSA–an organization which would be almost unrecognizable to those technicians of the mid-80s. In the way the U.S. approached embassy security for years thereafter. Beginning in the mid-80s, embassy buildings were considered compromised from the outset until such time as they could be thoroughly inspected and sufficiently proven safe. Jack Matlock, Ambassador to the U.S.S.R. from 1987-1991, reportedly refused to use any electric typewriter for his communications, on the basis that the electromagnetic emissions might be picked up by the Soviets. So he wrote everything by hand.

LESSONS FORGOTTEN
But it appears the Russians didn’t learn quite as much from this story as did the Americans.

Three decades after Project GUNMAN, Edward Snowden leaked classified NSA documents to Wikileaks. For Russians, the most scandalous revelation was that their former president, Dmitriy Medvedev, had been bugged during a 2009 trip to the G20 summit in London.

In response to that news, the agency in charge of Kremlin security–the FSO–made a strange purchase: 486,540 roubles-worth of “Triumph Adler”-brand typewriters. They told reporters, quote, “After the scandal with the spread of secret documents by WikiLeaks, the practice of creating paper documents will expand.”

Reverting to paper would, presumably, protect high-ranking government officials from communications leaks. The problem with their logic? Those Triumph Adler typewriters were electric.

I can think of at least one way to hack those machines.