The Russian Man (RU6)

From HFUnderground

(Difference between revisions)
Jump to: navigation, search
Line 95: Line 95:
Most of the visible quirks can be attributed to operations from the Smolensk site - which include regular G06 schedules and all G06, E06 and M14 schedules sending fake messages. Unlike with other sites, they are operated in a partially manual way: they use a different warmup procedure and start transmissions a few minutes off the schedule; and M14 transmissions use MCW modulation instead of ICW. Transmissions from Smolensk are also particularly prone to errors, and regularly leak Windows XP shutdown sounds at the end of the last broadcast of the day, and sometimes other Windows XP system sounds as well. Occasionally, they will transmit using voice samples in the wrong language.
Most of the visible quirks can be attributed to operations from the Smolensk site - which include regular G06 schedules and all G06, E06 and M14 schedules sending fake messages. Unlike with other sites, they are operated in a partially manual way: they use a different warmup procedure and start transmissions a few minutes off the schedule; and M14 transmissions use MCW modulation instead of ICW. Transmissions from Smolensk are also particularly prone to errors, and regularly leak Windows XP shutdown sounds at the end of the last broadcast of the day, and sometimes other Windows XP system sounds as well. Occasionally, they will transmit using voice samples in the wrong language.
-
 
Line 101: Line 100:
(Text from Priyom.org)
(Text from Priyom.org)
 +
 +
 +
== External links ==
 +
 +
[[Category:People]]

Revision as of 14:26, 25 July 2019

Priyom.png

Although this operator is not identified, it is believed to be a Russian intelligence agency with big resources, who can support development and operation of many modes and schedules transmitting from several sites, including operations based in Moscow, the Russian Far East, and Cuba.

Voice stations of this operator support a wide choice of language:

English (E06, E17)

German (G06)

Russian (S06)

Spanish (V06)

French (V23)

The last two ones, although inactive, are still maintained, possibly kept available for being brought back into operation. V06 was heard in test transmissions as late as 2016. V23 received new, male voice samples as early as 2010, and was heard in test transmissions in 2016 and 2017.

It also supports several speeds for its morse station M14, high-speed versions of which are sometimes referred to as M24.

Finally, it runs widespread regularly scheduled operations of several high-speed, advanced digital modes supporting redundant integrity features and versatile modular encapsulation layers, among which at least F01 and F06 are identified and understood.

The 5-figure-group messages carried by the digital modes share the same metadata header as the presumed Russian diplomatic transmissions known under M42, formerly operated by FAPSI. Links or infrastructure sharing between these agencies seem possible.


Contents

Format

Analog stations (voice and morse) follow the same identical format.

The 00000 outro is a characteristic format feature unique to this operator. It is present in the analog format, and also most deliberately in the digital F01, which uses a dedicated padding character but still includes one 00000 outro group. It is also present in F06, which uses 0-digit padding but always includes at least a whole five-0 group as outro, and counts four 00000 5-figure groups in null messages. Postambles repeating metadata already given in the preamble are another feature which, among currently active stations only this time, is particular to this operator. The analog format has a preamble and a postamble that are identical and contain a number unique to the message transmitted, followed by the group count. Digital formats similarly feature a 5-group metadata header and a postamble repeating the serial number of the message transmitted, followed by the group count.

This operator exhibits a variant following a special format, known as E06a and S06b for analog stations, and also observed in F01 and F06 transmissions.


Scheduling and operating habits

The analog stations follow the common habit of sending a repeat transmission on a different frequency one hour after the initial transmission. Digital stations follow the common habit of sending two repeat transmissions on different frequencies, spaced by 10 minutes, after the initial transmission.

Transmissions that send traffic, i.e. not a null message, are repeated on the next day at the same times on the same frequencies. This is a characteristic scheduling feature unique to this operator.

Digital stations share the operational characteristic of repeating the message contents in an automated loop for approximately 7 minutes. This is in contrast to some Russian diplomatic transmissions (M42) that share format similarities with this numbers station operator, but however do not exhibit this automated looping behavior.

Analog stations share the obscure operational habit of maintaining schedules that only send obviously fake messages. These fake messages sometimes contain obviously non-random numbers, or sometimes repeat some same old identical contents that has been seen on these schedules for years. Sometimes the same known fake message is even reused across the different stations.


Grouped transmissions

During some tests of this operator, the different voice stations appear successively on the same frequency during the same transmission, sending similar test contents. Similarly, digital stations share test frequencies. On December 5th, 2017, transmissions took place on the test frequency 8140 kHz: two test messages of S06 ID 975 were repeated several times throughout the day, and among them, one F01 null message was also transmitted. S06 voice was transmitted in J3E mode without a carrier, but when it wasn't transmitting, a carrier regularly appeared, alternating between centered on 8140 kHz, and shifted down 250 Hz ready to transmit F01. Every weekday, a group of stations transmit over the Pacific area, each transmission at the top of a successive hour. This peculiar Pacific weekdays network groups together stations F01, F06, S06 and M14. Shared schedules

E06 ID 832 occasionally appears as an analog replacement on the schedule of F06 ID 50046, and transmits in place of it, exhibiting the non-OTP message features specific to this schedule. Conversely, E06 ID 537 was replaced by F01 transmissions at least once.

Two sporadic transmission schedules have also seemingly seen similar replacements: F06 ID 90017 by S06 ID 348, and F01 1945z by E06 ID 734. M14 ID 381 and F06 ID 20021 shared the same weekly schedule, using the same times and frequencies: M14 would send on weeks 1 and 3, and F06 would send on weeks 2 and 4. This schedule was very active with both stations sending messages, although no correlation could be established between the traffic patterns and message contents of the two stations. However at some point, both stations of this schedule simultaneously stopped sending any traffic, and then sent only null messages during months on; then in September 2015, both stations simultaneously stopped transmitting at all, effectively ending this shared schedule. Operation errors

On June 1st, 2016, during a scheduled broadcast of F06 ID 90073, an F01 null message was mistakenly transmitted on the first two slots, before correctly sending an F06 null message on the third slot.

In his Radio Intrigue report #63, Don Schimmel relates an incident where an M14 null message was mistakenly transmitted instead of an M42 transmission. However this is not entirely conclusive, as M42 also includes presumed diplomatic transmissions that are linked to this operator but are not believed to be directly included in its numbers station activities; and the particular details of the M42 transmission in this incident are not identified.

On July 20th, 2017, a regular scheduled transmission of G06 ID 329 sent a null message using the E06 voice instead. Conversely, on April 18th, 2019, a regular scheduled fake message E06 transmission was sent using the G06 voice. (Both transmissions ended with a leaked Windows XP shutdown sound.) On October 17th, 2014, an S06 transmission simultaneously sending on a different frequency was leaked through the audio of a regular G06 transmission.

On March 13th, 2018, a sporadic E06 ID 729 transmission simultaneously sending on a different frequency was leaked through the audio of a scheduled S06 ID 480 transmission.


Activity breakdown

Much of this operator's activity goes through its advanced digital modes, F06 and F01; especially considering the significant share of analog schedules that are in fact only dedicated to the fake message operations.

The activity of this operator is mostly based in western Russia, with Moscow and Smolensk as main sites; digital transmissions are foremost based in Moscow, while Smolensk operates many of the analog schedules. It also operates sites with lower activity in Orenburg, Chita, and also in Havana, Cuba. Until 2019 it also ran a daily transmission network featuring all modes, from an unidentified site in the Russian Far East over the Pacific area.


Encryption modes

The prime option for encryption would be one-time pads, and it seems reasonable to think that it would be used on most schedules. However, some of the schedules of digital stations F01 and F06 share a set of features that point to something incompatible with one-time pads.

In affected schedules, the encrypted part of the messages starts with a triple timestamp header, which is encrypted with a key that gets reused year long, message after message within the schedule, and produces visibly similar and even identical groups across different messages. For example, the 4th, 8th and 12th groups will almost always remain constant. This is the clearest sign that at least this part of the messages does not use one-time pads.

According to information sourced by Numbers & Oddities, one of the metadata header fields is a one-time pad parameter that would point to a resource unique to a given recipient. In affected schedules, a recurring well-known bogus value (36987), or other anagrammed bogus-looking values, sometimes appear in this field.

In the protocol of the F01 mode, the metadata header, which contains the one-time pad parameter, holds an optional place, and can be featured or not depending on the schedule. Although data is lacking to conclusively confirm this, it can be theorized that this optional header is always absent in affected schedules, because the one-time pad parameter value it carries is bogus and unnecessary. In affected schedules, messages always have even group counts. Test frequencies

This operator has several known frequencies on which it runs test, training, drill transmissions... Analog formats use 7353, 8140, 9073, 9300, 9463, 10270, 10755, 13530, and 19460 kHz, and use a number of known test IDs: 801 (7353, 9300, 9463 kHz) and 975 (8140, 10755 kHz). Digital formats use 6780, 7992, 8140, 9300, and 13530 kHz.


Operation quirks

Most of the visible quirks can be attributed to operations from the Smolensk site - which include regular G06 schedules and all G06, E06 and M14 schedules sending fake messages. Unlike with other sites, they are operated in a partially manual way: they use a different warmup procedure and start transmissions a few minutes off the schedule; and M14 transmissions use MCW modulation instead of ICW. Transmissions from Smolensk are also particularly prone to errors, and regularly leak Windows XP shutdown sounds at the end of the last broadcast of the day, and sometimes other Windows XP system sounds as well. Occasionally, they will transmit using voice samples in the wrong language.


Sources

(Text from Priyom.org)


External links



This site is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com. Some links may be affiliate links. We may get paid if you buy something or take an action after clicking one of these.