UK spy agency GCHQ paid NZ firm Endace to power Internet fiber-optic taps

The 2013 Snowden documents revealed UK intelligence agency GCHQ to be tapping into the undersea cables that carry Internet traffic, covertly gathering vast amounts of digital comms data under a surveillance program code-named Tempora, apparently with the help of commercial partners.

Now leaked documents obtained by The Intercept confirm GCHQ paid New Zealand-based Endace to create data capture systems to enable it to tap high speed Internet traffic.

Endace's website touts its ability to offer "100% accurate network recording, any speed, any network", going on to note:

When organizations buy our products they buy the confidence that all of the network traffic will be captured, analyzed, stored or sent to wherever it needs to go. For network forensics and diagnostics knowing you've got every packet captured, indexed, and written to disk is a huge advantage. It allows the teams responsible for maintaining and protecting the network to work fast and effectively when the chips are down.

It also notes the company does business with:

  • 3 of the top 5 telcos in the USA
  • 5 of the top 10 global telcos
  • Top US, European and APAC government and defence departments
  • 5 of the top 10 commercial banks in the USA
  • 2 of the 3 largest exchanges in the world
  • 4 of the top 5 diversified financials globally
  • 4 of the top 10 Fortune 500 organizations.

Endace's name has previously been linked to state surveillance via a 2011 WikiLeaks dump of brochures and marketing materials from the companies seeking to sell services to spy agencies.

But the new cache of documents details specific purchases and product requirements, such as a 245,000 charge in a statement of work dated February 2010 to accelerate feature enhancements to certain of its data capture and monitoring products which it says have been identified in discussions with GCHQ.

The document adds that the majority of these enhancements are of a bespoke nature and would not otherwise have formed part of its planned commercial roadmap for the unit.

The cache of internal documents includes emails, customer lists, project updates, product overviews, contracts and financial reports. TVNZ has also reported on the documents, which were leaked to The Intercept via the open source whistleblower submission site, SecureDrop.

They underline how GCHQ was pushing to ramp up its surveillance capabilities. The Intercept notes that as of 2009 the agency was tapping into 87 different 10Gbps capacity cables but by March 2011 it wanted to beef that up to 415 cables.

While an earlier July 2010 document, setting out its vision for 2013, describes its ambition to "grow our Internet access to 800 10Gs".

In one contract with GCHQ, Endace is revealed to have been bound to the UK's Official Secrets Act, thereby enforcing non-disclosure of its contract with the spy agency.

The leaked documents also reveal Endace used New Zealand government research funding to develop certain surveillance products for GCHQ.

Endace was founded in New Zealand back in 2001, spun out of an academic research project. The company was acquired by California-based Emulex in 2015 but earlier this year a management-led buyout spun it back out, as a private company.

In a statement at the time CEO Stuart Wilson said: "Operating as an independent company again allows us to continue to deliver innovative solutions to our customers under the Endace brand they've known and trusted for more than 15 years."

So you want to data-mine a popular chat app

In another of the leaked documents, a 2013 proof of concept overview for a product called Kraken (which the company described as aimed at solving the deep storage problem faced by network analytics users), Endace gives several sample customer user stories, including a scenario in which a "Friendly Government Agency (FGA)" has the encryption keys for a well-known chat program and wants to unencrypt all packets set on the network in the last 24 hours to look for a particular text string.


Elsewhere in the documents the company switches between referring to FGA and GCHQ, heavily implying FGA is its internal code-name for GCHQ.

And while it's not clear how true-to-life that particular customer user story is, with its apparently jokey reference to Domino's Pizza as the preferred food of terrorists, the general thrust of the capability request is presumably exactly what GCHQ was after at that point, which was in turn driving Endace's product development decisions.

Another data capture product being developed by Endace with GCHQ's requirements in mind, code-named Medusa, was designed to enable data traveling at up to 100Gbps to be intercepted.

The first version of the tech was apparently delivered to the spy agency in November 2011, after which they requested some additional capabilities including a feature described as "Separate MAC insertion by IP type", perhaps seeking the ability to target individuals via the hardware addresses of their devices.

In addition to selling tech to enable GCHQ to tap fibre optic cables at high speed and massive scale, the documents reveal Endace selling surveillance-enabling technology to a raft of other government agencies and bodies, including in the U.S. and Canada, Israel, Denmark, Spain, Morocco, India and Australia.

In the Moroccan instance, The Intercept notes the particular security agency in question, the DGST, has been implicated in torture.

Endace is also revealed to have a large number of telecoms customers, including AT&T, AOL*, Verizon**, Sprint, Cogent Communications, Telstra, Belgacom, Swisscom, Deutsche Telekom, Telena Italy, Vastech South Africa, and France Telecom, and also finance giants on its customer lists, such as Morgan Stanley, Reuters and Bank of America.

The Intercept flags another document which details that another strand of its business is providing a lawful intercept product, in this case to US telco Sprint, likely as part of a legal requirement that telcos have an intercept capability for equipment on their networks in order that they can provide extracted data to law enforcement and security agencies on request.

That said, Endace does also sell network monitoring equipment to companies wanting to check and maintain their own networks, including to help investigate data breaches and network security incidents. One such customer there is HealthShare NZ.

On the finance side, its website also notes providing financial companies with monitoring technology to help high-frequency traders to monitor, measure, and analyze critical network environments.

*TechCrunch's parent company

**The parent company of TechCrunch's parent company
