Traffic Analysis for MI5 – If I were Putin, I would, wouldn’t you?

By Philip Ingram MBE

I am going to start this blog with a caveat. That is not good practice, but it is important here, as what I am saying is purely speculative: it is based on nothing more than the supposition of a rambling mind, though I do like to question the things I observe. In addition, I wish to make it clear that I have no evidence that RT is engaged in espionage in any way, nor am I stating that it is; I am merely using its geographical presence for illustrative purposes.

“Covert activity – using false identities – was blended with overt information through Russian media outlets like RT. Too often those in the West focused on one element of this activity – hacking or social media – but failed to see the full spread,” said the BBC Security Correspondent Gordon Corera in his new book Russians Among Us, discussing interference in the 2016 elections.

In 2014 Russia Today launched a dedicated TV channel in the UK, rebranded as RT. Again according to Gordon Corera’s book, “Putin had said the aim of the network had been ‘to try to break the Anglo-Saxon monopoly on the global information streams.’” I will come back to RT later.

One of the key activities during the Second World War that enabled the top-secret team at Bletchley Park to break the Enigma code was what is referred to as Traffic Analysis. Traffic Analysis built up a picture of which communications networks operated where and when, and supported technical analysis of that traffic: operator fingerprinting, frequencies used, network discipline and more.

The US manual TM 32-250 / AFM 100-80, Fundamentals of Traffic Analysis (Radio Telegraph), published on 9 June 1948, defined traffic analysis as “that branch of signal intelligence (SIGINT) analysis which deals with the study of the external characteristics of signal communications and related materials for the purpose of obtaining information concerning the organisation and operation of a communication system.”

The modern equivalent of Traffic Analysis would be the identification of the work and personal mobile phones associated with an organisation. However, one would need a collection capability able to capture the information phones send when they first switch on and connect to a network, and that rarely happens in one place. Or does it?

Matthias Wilson, a former SIGINT analyst with the German military and Germany’s foreign intelligence service, explained: “What happens when a mobile phone first connects to the network? In order to understand this, we have to look at the unique identifiers each phone has. The first would be the serial number of the phone itself, called the IMEI, the International Mobile Equipment Identity. This 15-digit number contains information on the brand and model of the phone and a unique number allocated to one specific device.

Secondly, each mobile phone will have one (or more) SIM cards containing information provisioned by the provider. The SIM has the IMSI, or International Mobile Subscriber Identity, saved on it. In most cases the IMSI will also consist of 15 digits and is linked to one’s phone number. It is used to identify a user within the mobile network. From the IMSI, you can derive the country and provider the card has been issued through.

When a mobile phone is switched on, it immediately searches for a network to connect to. If a preferred network is found, the phone will send a request to the network and basically ask for a connection to this network. This request will contain the IMSI and in some cases the IMEI as well. If the IMSI is registered in the network’s databases, an authentication process takes place between the phone and the network.” The critical data is contained in the initial network login.

He concluded, “Data intercepted from mobile phones logging into a network will provide a rough location, the IMSI that can be linked to a phone number and thus an intelligence target, and in some cases even information on the type of device that is used, through the IMEI. Collecting this initial logon is also crucial to following a target over the course of time, as apart from this first connection, a phone will be identified by the temporary IMSI in all further connections.”
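As an added illustration (not part of the original post, and not Matthias Wilson’s own code), the following Python shows how the two identifiers he describes decompose and why the first attach is the one message that carries a permanent identity. The operator table is a constructed placeholder (only the MCC-to-country assignments are real ITU allocations), the IMSI, IMEI and message log are constructed sample values, and the attach sequence is a simplified model of the procedure, not a radio-protocol implementation.

```python
"""Added example: not from the blog, and not Matthias Wilson's own code.
Decomposes the IMSI and IMEI described above and models, with a constructed
message log, why the first attach is the one message carrying a permanent
identity.  The operator table and all sample numbers are constructed."""

from dataclasses import dataclass

# Constructed lookup keyed by (MCC, MNC).  The MCC-to-country assignments
# (234 UK, 262 Germany, 250 Russia) follow ITU-T E.212; the operator names
# are placeholders, not real allocations.
OPERATORS = {
    ("234", "10"): ("United Kingdom", "operator-A (placeholder)"),
    ("262", "01"): ("Germany", "operator-B (placeholder)"),
    ("250", "01"): ("Russia", "operator-C (placeholder)"),
}


@dataclass
class Imsi:
    mcc: str       # Mobile Country Code, always 3 digits
    mnc: str       # Mobile Network Code, 2 or 3 digits depending on the country
    msin: str      # subscriber number within that operator
    country: str
    operator: str


def parse_imsi(imsi: str) -> Imsi:
    """Split an IMSI into MCC / MNC / MSIN and resolve country and operator.

    The MNC length is not encoded in the IMSI; it depends on the MCC's
    allocation table.  We try the 3-digit form, then the 2-digit form, and
    fall back to 2 digits marked 'unknown' when the pair is not listed."""
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("IMSI must be 6 to 15 digits")
    mcc = imsi[:3]
    for mnc_len in (3, 2):
        mnc = imsi[3:3 + mnc_len]
        if (mcc, mnc) in OPERATORS:
            country, operator = OPERATORS[(mcc, mnc)]
            return Imsi(mcc, mnc, imsi[3 + mnc_len:], country, operator)
    return Imsi(mcc, imsi[3:5], imsi[5:], "unknown", "unknown")


def luhn_sum(digits: str) -> int:
    """Luhn weighted sum: every second digit from the right is doubled,
    with 10..18 folded back to a single digit by subtracting 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def imei_check_digit(body14: str) -> int:
    """The 15th IMEI digit is chosen so the whole number passes Luhn."""
    return (10 - luhn_sum(body14 + "0") % 10) % 10


@dataclass
class Imei:
    tac: str        # Type Allocation Code (8 digits): encodes make and model
    serial: str     # 6-digit serial within that TAC
    check_ok: bool  # Luhn check digit consistent with the first 14 digits


def parse_imei(imei: str) -> Imei:
    """Split a 15-digit IMEI.  Resolving the TAC to a brand and model needs
    the GSMA TAC database, which is deliberately not included here."""
    if not (imei.isdigit() and len(imei) == 15):
        raise ValueError("IMEI must be exactly 15 digits")
    ok = imei_check_digit(imei[:14]) == int(imei[14])
    return Imei(tac=imei[:8], serial=imei[8:14], check_ok=ok)


# Constructed over-the-air log for one phone: (message, identity type, value).
# It identifies itself by IMSI once, at attach, and by a temporary TMSI after.
SAMPLE_LOG = [
    ("ATTACH_REQUEST",  "IMSI", "234101234567890"),
    ("LOCATION_UPDATE", "TMSI", "1a2b3c4d"),
    ("LOCATION_UPDATE", "TMSI", "1a2b3c4d"),
    ("PAGING_RESPONSE", "TMSI", "1a2b3c4d"),
]


def permanent_identities(log) -> list:
    """Identities an observer could tie to a subscriber: only those sent as
    IMSI.  An observer who starts listening after the attach (pass log[1:])
    sees nothing but TMSIs, which do not resolve to anyone on their own."""
    return sorted({value for _, kind, value in log if kind == "IMSI"})


if __name__ == "__main__":
    print(parse_imsi("234101234567890"))
    print(parse_imei("490154203237518"))
    print("seen from the start:", permanent_identities(SAMPLE_LOG))
    print("missed the attach:  ", permanent_identities(SAMPLE_LOG[1:]))
```

Running the module prints the decomposed sample IMSI (MCC 234, MNC 10, country United Kingdom), the sample IMEI with its TAC and a passing check digit, and then the contrast the passage is making: the full log yields one permanent identity, while the same log without its first entry yields none. For a security team, the model makes concrete that the moment of switch-on is the exposure, not the traffic that follows it.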

OK, so the theory is there, what is next? This comes down to Location, Location, Location.

RT’s London studios, opened in 2014, occupy a couple of floors of the 118-metre-high Millbank Tower, the tallest tower block in the area. Its roof is the natural place for mobile phone antennas from many networks, providing good coverage for this part of London. RT has a direct feed over a high-capacity satellite link to its main studios in Moscow, with the uplink dishes also on the roof.

They have a legitimate reason to be on the roof of the building, with specialist engineers and their own equipment, configured in any way they need.

When anyone goes into the MI5 or MI6 building, they are not allowed through reception without their mobile phones being taken off them and locked away; in most cases people will switch them off before locking them away or putting them in special Faraday bags, cutting their signal off from the networks.

When people leave the building again, they naturally switch their phones on, and the phones register with the nearest and strongest network. I have noticed this on the many occasions I have walked past both MI5 and MI6 HQs and observed people leaving. In proximity to those buildings, that network is likely to be served via the antennas on the roof of Millbank Tower, where RT has sophisticated data uplink capabilities, transmitting its TV data from Russian state-controlled assets back to Moscow.

Over time, simple pattern-of-life analysis combined with Traffic Analysis would enable a picture to be built up of the movements of every phone that registered, if those phones could be identified. Whose phones register through these masts most regularly? Who is switching on and off more than normal?

Matthias Wilson continued, “Given the close proximity to the target, I could do this with my own passive collection device and a small stub antenna.” “There are so many more opportunities,” he added, “as Bluetooth tracking and collection would be easy as well.” Another SIGINT specialist, who asked not to be named, said, “You’d probably forget about the cellular side of things and tap into the backlink,” referring to the signal from the antenna going back to the network.

As I said at the start of this blog, this is pure speculation based on observation from the ground and a vivid but partially informed imagination, and I am sure the security teams in MI5 and MI6 will have examined this particular threat scenario carefully. However, if I were Putin, I would, wouldn’t you?


This blog was written by Philip Ingram MBE, a former senior military intelligence officer, with overt help from Matthias Wilson and covert advice from a number of others, for which he is very grateful. Philip is available for comment if necessary.