How to catch a spy that is using a numbers station – The KGB Experience
numbers-stations.com
I expected to see something along the lines of vans with directional antennas driving around Moscow listening for spurious emissions from local oscillators of superheterodyne receivers 465 kHz away from the number station frequency, as in Operation RAFTER.
Interesting, seems I've some googling to do!
Any radio that uses a mixer is also a transmitter.
Only if it's poorly designed (leaks local oscillator frequency back into antenna) and not shielded.
Modern receivers use quadrature sampling detectors rather than traditional superheterodyne. In that setup any leakage would be on the same frequency and harder to detect.
It is as good as impossible to run an oscillator based receiver that is also connected to an antenna that does not radiate. That's nothing to do with poor design, it's just physics. Zero coupling does not exist in practice. By design the mixer stage sits pretty close to the initial amplifier and it will result in some of the oscillator energy making it back to the antenna circuitry. FWIW I built a ton of transmitters and radio gear in my teens, it is pretty easy to take a theoretical stance here and declare that anything that leaks is not designed properly but that's about as 'true Scotsman' as you could get.
Note also with a highly directional high gain receiver that tiny bit of radiating energy is very detectable. It's just going to feed into background noise for most receivers so no one cares. But it will be detectable by a motivated hunter with the right equipment.
A directional antenna has to be much larger than wavelength. Won't fit in a van if we're talking about HF (with wavelengths measured in tens of meters).
Not[0] really[1]. Loop antennas (active or passive) have good gain perpendicular to the loop. It would be easy to mount on the inside of a wood paneled moving van with some nice receiving equipment. You park the van so the side faces the target's apartment and voilà, you can listen to the mixer of their superhet radio. If you're searching for receivers, a couple of vans driving around could triangulate any detected signals. Just getting the right apartment building would be enough for the KGB to turn the place over.
[0] http://www.kr1st.com/swlloop.htm
[1] https://www.fmuser.org/fm-receiver/receiver-antenna/DE31MS-l...
You can make a small (relative to wavelength) loop antenna that has a sharp minimum, but it will be very inefficient. You want your directional antenna to have a sharp maximum (high gain) so that it can increase signal to noise ratio.
Initial amplifier does not let much energy flow backwards.
More importantly, there's a lot of background noise on HF bands that will mask that weak signal.
'not much' == 'some'.
If you've never built a radio and tried to shield this unintended export, then I can totally see how you might think this is just a matter of careful design and more shielding, but it really is a lot harder than that and you will simply never reach zero, to the point where even an ordinary spectrum analyzer hooked up to the input of your radio will not show the oscillator frequency as a nice fat peak.
There is a big difference between spectrum analyzer hooked up directly to the input of the radio and an antenna in a van several blocks away, with reflections and noise thrown in.
Have you actually done any of this? If so, great. If not, I have and it would appear to me that your experiments at shielding have been more successful than mine. And there was a good premium on being able to create a mixer based receiver that did not leak at all because discovery could have led to fairly large financial impact for the owner of the device (not quite at the we'll ship you to Siberia or shoot you level, but impressive enough to make sure we weren't leaking if we could help it).
I learned a lot during that project, especially how hard it is to make an oscillator that does not radiate. So, it got to the point where I could reliably detect the receiver from about 100 meters away; fortunately the counterparty never started out from the assumption that it would be in that particular location to begin with. Trawling for a signal is a lot harder than verifying that it is there. But if you know the modulation and the frequency the receiver uses for its mixing stage, this is a very hard problem to solve in such a way that there is absolutely no power radiated out of the reception antenna. Any kind of magnetic or capacitive coupler is bi-directional. Maybe with today's hardware capabilities it would be possible to pull the whole thing into the digital domain at a very early stage, and that way I can see a few options to make it 100% clean, but in the analog domain I do not see a bullet-proof way of achieving this.
> if you know the modulation and the frequency the receiver uses
Number stations on short waves all use AM, so you know the modulation. But you don't need to know it; superhet works the same way with any modulation. You need to know the number station frequency, the receiver's intermediate frequency, and guess whether it's above or below.
> in such a way that there is absolutely no power radiated out of the reception antenna.
I'm not saying there is absolutely no power radiated out of the reception antenna, only that there is not enough power to reliably detect and localize, given the noise and interference from other sources.
If you want absolutely no power radiated out of the reception antenna, you can still do it. Feed some local oscillator frequency, inverted, into the antenna to cancel the remaining leak. But as far as I know, nobody bothers since some leakage is not a problem.
> Any kind of magnetic or capacitive coupler is bi-directional.
True, but in many designs there's also at least one transistor stage in the preamp, and that is not bi-di. There is some stray capacitance between collector and base, but not much.
> Maybe with today's hardware capabilities it would be possible to pull the whole thing into the digital domain at a very early stage
It is possible, but unnecessary. The last radio I built has a quadrature sampling detector with an FST3253 and a handful of op-amps. Most SDRs also do I/Q sampling with two slow ADCs, much simpler than a single high-speed ADC.
As invented by Peter Wright of Spycatcher fame
If you have not read it yet, I highly recommend this book!
Peter started as a radio engineer, so the first part of the book is slightly technical. The last chapters are more psychological, also very interesting.
To me the most remarkable thing about this story is that the KGB was apparently stymied for an extended period by the fact that Filatov had a "difficult" lock of "foreign origin" on his apartment door, to the extent that they had to steal and copy a key carried by his wife using an elaborate setup. It seems odd that an agency known for its skilled spycraft apparently was unable to pick a door lock.
I'd guess the problem is if you spend a long time trying to pick a lock in an apartment building, it looks pretty suspicious.
Well if you watch videos like Lockpicking Lawyer they make it seem like a skilled person can open a typical door in a few seconds. Though he's probably pretty experienced compared to even the average locksmith or spy.
If you learn a lock you can open it quickly when pressed, but most pick-resistant locks are quite troublesome to open. If you can't bump the lock or use a pick gun and the area is not secluded it may not be reasonable to pick the lock.
And I think that's the issue. It was a foreign lock they weren't familiar with so didn't have one to practice on. It was apparently easier to copy the key.
>> When Filatov was at work, the operative workers infiltrated his apartment and installed technical surveillance resources for video surveillance and photography.
1977. Video equipment was VERY different then, especially on that side of the iron curtain. It would have had moving parts, motors, probably requiring a degree of soundproofing. I want to see pictures of where/how they hid this stuff because it wasn't easy.
There was a joke in the Soviet Union:
- How do you know the KGB is surveilling you? - A new wardrobe has just appeared in your apartment.
In parts of China, some Uighur households are assigned a live-in spy, an agent openly living with the family to monitor and report on the household's activities.
https://www.independent.co.uk/news/world/asia/china-uighurs-...
"China sends state spies to live in Uighur Muslim homes and attend private family weddings and funerals"
I did a quick google and here's a link: https://www.theguardian.com/world/gallery/2018/aug/01/cold-w...
Perhaps it is lost in translation, but video isn't film. So video surveillance probably means they placed a video camera (probably based on a video tube) and ran cables.
Lol. Kids. Video is certainly not film, but once upon a time was regularly recorded onto magnetic tape running over reels (google "VCR" or "VHS"). Still photography also used moving parts. Things like shutters would make audible clicks when exposing the photographic film, which then had to be moved out of position mechanically. That "click" noise on your iPhone camera is actually designed to mimic this ancient camera technology.
The tape deck would’ve been a separate unit and could be kept anywhere you could run a cable to.
It’s clear that the poster you’re condescending to understands this.
>> The tape deck would’ve been a separate unit
In an ideal situation. In a real-world situation that means running wires through walls, not something done easily in this situation. Hiding a camera in a bookcase is easy. Secretly running wires from that bookcase to a recorder in the next room is not.
They literally kicked his upstairs neighbours out and moved in there themselves. Once you've done that, dropping wiring down from your floor to his ceiling becomes trivial (at least for certain types of building construction).
CCTV has been around since the 40s.
The KGB moved the target's upstairs neighbours and took over that apartment, so probably they made holes to peep through.
Talk about power though, imagine getting a knock on your door and being told "you're moving apartments, and don't ask why or who we are.".
The way you catch the spy is apparently by monitoring sent mail and comparing handwriting. Very little of this is specific to numbers stations.
But still a fascinating account, well worth reading.
Exactly my thoughts. It's like articles about serious "hacks", when the critical steps turn out to be social engineering: definitely interesting, but not what the title suggests.
Spycraft is social engineering. It always comes down to bribing someone with money/passport/sex. It's all quite banal.
(Bribe with) money, (to serve an) ideology, (application of) coercion or (as an outlet for) ego - “MICE”.
You're forgetting a couple motivations:
Money, Ideology, Conscience/Coercion, Ego, Revenge and Sex
(The last two are less relevant in hacking/tech but more relevant in straight espionage.)
I agree, but https://news.ycombinator.com/item?id=24520757 is about at least seven dozen people from three of the five eyes on one side, and someone who was infamous for "hacking" Tony Blair and Uscentcom on the other, yet nothing in any of the articles suggests anything much more technical than social engineering[1].
(Indeed, the story as written does have Hollywood MacGuffin floppy disk written all over it, in that I'd find it implausible that, even in a war zone, no one kept anything on-prem, or at least backups? At least performing a "kill -9" via Hellfire missile does upstage Stanford gangstas https://www.youtube.com/watch?v=Fow7iUaKrq4 .)
[1] Compare https://www.haaretz.com/israel-news/.premium.MAGAZINE-why-wh... and remember that the case of TFA starts in 1974 with social engineering via "Nadia." I'm pretty sure the Arthashastra mentions social engineering via thirst trap, and https://en.wikipedia.org/wiki/Xi_Shi has a similar story. Then there's https://www.theatlantic.com/magazine/archive/2001/12/all-you... 's account of deradicalisation via honey trap.
Q. How did Adam and Eve anticipate the twenty-first century?
A. They failed to read Apple's Terms & Conditions and got in trouble for misunderstanding the Privacy Policy.
The Article doesn't mention Tony Blair at all?
Interesting story: back when I worked for Poptel, which was the ISP the Labour Party used back then.
I had to look up something on our internal system, and was distracted and just hit return when searching, and pulled up Tony's account details.
When we had uploaded all our data from the internal system, someone thought it would be fun to make Tony the first entry in the database.
Of course hacking us would have pissed off our ops guys in Manchester, who were members of the UK arm of alt.2600.
Sorry, got that from related surfing: https://en.wikipedia.org/wiki/Junaid_Hussain
(Compared to Sweden[1], the PLO[2], or even a Japanese 財閥[3], either ISIS took a cavalier approach to hooking up their "Cyber Caliphate" or he was not as important as the article, and British tabs, made out.)
[1] https://en.wikipedia.org/wiki/House_of_Bernadotte#History_of...
"On 21 August 1810, the Riksdag elected Jean Baptiste Jules Bernadotte, a Marshal of France, as heir presumptive to the Swedish throne."
[2] https://www.theatlantic.com/magazine/archive/2001/12/all-you...
[3] https://www.kalzumeus.com/2014/11/07/doing-business-in-japan...
Thank you, I tried to skim and couldn't find the numbers station bits. This helps me know I needn't read the article.
Hello everyone. This is a translated excerpt from a declassified KGB operations manual that offers an example of how their counter-intelligence division caught a spy using a numbers station for one-way communication.
> To compensate this issue a new optic surveillance system “Negus” with 300-400 meter range that was capable of detecting, when objects entered the house, what he did in the stairway and some of the main areas of his apartment.
Seems like the "Negus" device is a photo-camera with a large magnifying attachment, sturdy base, stereo viewfinder, and knobs for focus. I found a description and some pictures here: http://ussrphoto.com/Wiki/default.asp?WikiCatID=46&ParentID=...
I've sometimes wondered why the Hershey Fonts have such a nice set of cyrillic vectors. Maybe making things like https://i1.wp.com/www.numbers-stations.com/wp-content/upload... is something one would prefer to do on an in-house plotter, rather than sending it out to an ordinary print shop?
https://en.wikipedia.org/wiki/Hershey_fonts
Edit: the bus stop has been replaced, and the kerbside tree is gone: https://www.google.com/maps/place/Druzhby+St/@55.7139414,37....
(it was conveniently located between an "embassy row" and a nice park with scenic overlook)
https://www.google.com/maps/@55.709541,37.5422738,3a,75y,90t...
and the dead drop location from: https://www.numbers-stations.com/articles/trigon-numbers-sta...
https://www.google.com/maps/@55.7272732,37.5479753,3a,75y,15...
(unfortunately nowhere near close enough to see if the sign is still there)
What stands out for me after reading this is the number of civilian lives disrupted to carry out this operation. Whether mass surveillance or moving neighbors, the system successfully rooted out a single mole but paid little mind to the impact that doing so had on the rest of society. Short-sighted strategic excellence can conceal long term self-sabotage and risk.
You can see it on a smaller scale when 2 cops both in their cars are blocking half the road discussing whatever the fuck they discuss. I think government in general has very little regard for mere mortals.
> To intercept the agency letters sent by Filatov or to detect if he has made new places to hide or send documents, an event called “Ruby” was carried out in his work cabinet, his living place and his mailbox by using a special chemical agent.
Do you have any idea what they are talking about here? I'm imagining dispersing some invisible chemical (or isotope maybe?) in his house and then looking for increases in concentrations in areas where he might have been.
"Spy Dust" https://io9.gizmodo.com/how-the-soviet-union-tracked-people-...
In SpyCatcher, Peter Wright describes contemplating a similar system to catch spies removing sensitive documents from MI5. From the book:
"I was asked if there was any technical way we could prove Vassall was removing documents from the Admiralty. I had been experimenting for some time with Frank Morgan on a scheme to mark classified documents using minute quantities of radioactive material. The idea was to place a Geiger counter at the entrance of the building where the suspected spy was operating so that we could detect if any marked documents were being removed. We tried this with Vassall, but it was not a success. There were too many exits in the Admiralty for us to be sure we were covering the one which Vassall used, and the Geiger counter readings were often distorted by luminous wristwatches and the like. Eventually the scheme was scrapped when fears about the risks of exposing people to radiation were raised by the management"
Peter Wright also described a radioactive agent for discovering secret writing, which may be similar to how the secret writing that tipped them off was detected on the letters to the embassy to begin with:
"The techniques of secret writing are the same the world over. First the spy writes his cover letter. Then he writes the secret message on top, using a special sheet of carbon paper treated with a colorless chemical. Tiny particles of the chemical are transferred to the letter, which can then be developed by the recipient. Most developing agents make the chemical traces grow, so that the message becomes legible, and unless the correct agent is known, the message remains undetectable. But Morgan created a universal developing agent, using radioactivity, which transformed the possibilities of detection."
> Eventually the scheme was scrapped when fears about the risks of exposing people to radiation were raised by the management
Makes you wonder if the person removing the documents was management.
So, basically the answer is "expensively monitor all outgoing international mail and hope for someone stupid enough to sign his spy letters".
The answer is that in 2020, when the median page weighs 2 MB and makes 70 requests over a dozen TCP connections, everything is a potential numbers station.
I had been joking about www.duckdascism.gov in https://news.ycombinator.com/item?id=24458630 but https://news.ycombinator.com/item?id=24526075 has people who've used that channel. (for the record, ~64kbps is more than most people had over dialup in the early days of the web)
Internet connections are fundamentally different in that they are traceable. You've identified the "station", you can immediately see who's "listening".
Unless you co-opt a page everyone "listens" to, such as facebook or something.
"The core principle of Tor, "onion routing", was developed in the mid-1990s by United States Naval Research Laboratory employees, mathematician Paul Syverson, and computer scientists Michael G. Reed and David Goldschlag, with the purpose of protecting U.S. intelligence communications online. Onion routing was further developed by DARPA in 1997." - wiki on Tor
Monitoring all sensitive employees for Tor usage is rather easy (or at least much easier than tracking down superhet radiation).
No need to co-opt. You just post a cat image on twitter.
In 1970s USSR there wasn't much outgoing international mail, so the monitoring wasn't really that expensive.
They weren't just quickly inspecting it, they found invisible ink on it.
Outgoing international mail sent by a nonlocal tourist might have been a quick triage signal for the local postmaster?
These days, of course, our communications pass through various boxes that can automate inspections, so no need to involve wetware.
Keyword search in 1960s US: https://en.wikipedia.org/wiki/IBM_7950_Harvest#Usage
Nothing makes a "tourist" letter any more likely to be spy-related than any other letter going out of the eastern bloc, say a pen-friend letter to Sweden.
They probably were inspecting all outgoing mail.
And as well for all the satellite states.
Morals of the story:
1. Do not try to sneak stuff past the Russians in invisible ink.
2. If you are a spy and your friendly neighbours suddenly have to move, consider taking an unscheduled vacation in GTFO.
The way I see it: don't spy. You will get caught and the third party won't even reward you if you make it alive.
After release he demanded compensation from the US embassy, but was denied as a non-citizen.
Agreed, it seems the only reason to do it would be as a service to your nation or political ideals.
Nice one.
Today we're seeing number stations move off of ham radio and onto protocols like MQTT.
Additionally a lot of "weather stations" around the world are simply number stations. They vary the numbers reported, and wherever they diverge from whatever is determined in advance as the "canonical" source is how information is communicated. This paragraph and the above are just my personal observations please note.
Lastly good examples of weather stations in general (not actual spying things please note) can be found here [1] and here [2].
> Today we're seeing number stations move off of ham radio and onto protocols like MQTT.
Wouldn't an MQTT station be lacking one of the major advantages of a radio number station, that it is very difficult to know who is listening to the broadcast?
Weather reports (or obituaries in newspapers etc.) are not number stations, though they can be used as covert channels.
I would have expected steganography in YouTube videos to be the numbers stations of today?
You seem unaware of the difference between unicast IP and broadcast radio. Watching youtube is just as anonymous as a phone call, not very hard to map to a person. Youtube has a log of every IP accessing their servers and what they do, augmented by cookies and google accounts. A radio station does not know who is listening.
You don’t seem to understand my point. With good steganography you don’t know a message is being transmitted in the first place. It doesn’t matter which IP address accesses a video because you don’t know which video contains a message. Given the number of videos uploaded to YouTube, checking them all for embedded messages from a sophisticated state actor would seem to be quite a significant challenge. Even more difficult if you’re in Latvia, the agent is Russian, and the video is hosted in the USA...
This approach offers a way of transmitting much more data, on demand, with very little risk of detection of either the existence of the communication channel itself, or of the recipient.
The recipient could casually watch on wifi in a food court, using a modified app, while eating lunch. They would obviously need to exercise good secops, presumably as part of their trade... it seems quite a reasonable approach to me, but I’m no expert, it was just a thought.
Conversely, unlike a numbers station theoretically only the intended recipients know which videos should contain messages.
So the counterespionage personnel may be able to track who has watched one specific video, but only if they know which video to track.
The internet can be switched off, and the websites are potentially controlled by your enemy.