Then
Fwd from maddog: "Imitative Communications Deception"
From: John Buquoi
Date: Thu, 22 Oct 1998
Following is a self-explanatory post from maddog Mike Doran. Again, I hope that anyone appreciating the content will take the time to personally thank Mike for the exceptional work he's doing in unearthing all these historical gems of interest. His email is email@example.com
Mike Doran wrote:
How bout this one sports fans?
Lessons Learned Nov 64 - Sept 67
UNITED STATES MILITARY ASSISTANCE COMMAND, VIETNAM
APO San Francisco 96222
MAC J343 15 September 1967
SUBJECT: Counterinsurgency Lessons Learned No. 64:
Imitative Communications Deception
TO: SEE DISTRIBUTION
1. (CMHA) INTRODUCTION:
a. Imitative Communications Deception (ICD) is the deliberate intrusion on an enemy's communications channels for the purpose of introducing information, in a manner imitating his own communications, in order to deceive or to confuse him. Analysis of captured documents, interrogation reports and the increasing number of reported ICD attempts indicate that the VC/NVA are becoming more adept at exploiting allied communications. One of the consequences of this increased proficiency in Signal Intelligence has been the deliberate intrusion into friendly force's communications to introduce or to gain information intended to produce situations of tactical advantage to the VC/NVA.
b. This issue of Lessons Learned will set forth documented examples of VC/NVA attempts at Imitative Communications Deception against allied communications in Vietnam.
2. (CMHA) BACKGROUND:
a. VC/NVA interest in all facets of Signal Intelligence is not new but has increased with their capability to acquire, maintain and utilize communications equipment from all sources. Success in the field of Signal Intelligence has fostered an evergrowing intelligence network in RVN.
b. Prior to 1964, VC/NVA intercept capability was centered no lower than Main Force Regiment and Military Region Level where personnel were assigned to monitor RVNAF radio communications. The initial effort was so successful that personnel were recruited and trained especially for this purpose. In 1965, the Military Intelligence Section of the Central Office of South Vietnam (COSVN) established a countrywide network of technical reconnaissance units to monitor allied communications for intelligence gathering purposes as well as to conduct ICD and jamming to benefit the Viet Cong. Illustrative of the enemy's communications intercept activities was the work of the D47 Battalion after its reorganization in February 1967. This Technical Reconnaissance Battalion (D47) was comprised of subordinate elements thought to have been companies. These elements were designated C1, C2, C4, C5 and C6. Most of the allied information has been collected on the C1 element. The mission of the element included the intercept of 30 nets in the III Corps Tactical Zone and two positions copying press communications. The C1 element claimed to have intercepted 7,745 of the 7,793 messages passed in their area during September 1966 and claimed to have had 100 percent success in exploiting the intercepted messages. After reorganization, the battalion is believed to have been deactivated and the Technical Reconnaissance Units placed under the Intelligence Section, Military Staff, Liberation Army Headquarters.
c. Equipment. The signal equipment used by the VC/NVA for intercept ICD activities varies widely. Much of the equipment is of U.S. manufacture that has been captured, stolen or illegally purchased, such as the PRC10, PRC25, PRC6, GRC9, SCR300, SCR694, VRC3 and B1004 radios. Chinese radios such as the 71B and 102E are also utilized in addition to the portable commercial radios such as Sony, Phillips, Sanyo and Zenith which are modified to produce the desired frequency.
d. ICD has been performed on US/RVNAF communications frequently. The exact number of successful attempts is unknown. Some of the attempts were quite crude while others displayed a high degree of intelligence sophistication among the VC/NVA. All attempts could have been negated by adherence to sound communications security practices.
3. (CMHA) VC/NVA ICD ATTEMPTS TO GAIN INFORMATION:
a. A radio operator, station call LITTLE JOE ALFA, received a voice transmission in English from station LIMELIGHT requesting a communications check and asked what time the helicopters were departing in the morning. LITTLE JOE ALFA replied "0730". After checking his schedule the LITTLE JOE ALFA operator found he was in error on the time and called LIMELIGHT to correct the error. The LIMELIGHT operator reported that the LIMELIGHT transmitter had not been used during the night and that he had made no such request. Two days later the bogus LIMELIGHT station again requested operational information. On this occasion LITTLE JOE ALFA requested authentication and the bogus station was unable to comply.
b. Two attempts to gain information using telephone taps were made at Camp Holloway, Pleiku in January 1967 as follows:
- The caller speaking in excellent English with a slight Spanish accent called all the bunkers and stated, "Hot food is being prepared for the men in the guard bunkers. How many men are there in each bunker and how many bunkers are there?" One of the bunkers started to answer when a guard at another bunker broke in stating, "don't answer! If that's Vega (the commander of the relief) he should know how many men and bunkers." The caller broke off transmission. A check was made with SP4 Vega and found that he had not made the call. The people in the bunkers, however, felt the caller's voice sounded exactly like Vega's and that the caller must have been very adept at imitation.
- At bunker number one in the POL yard a telephone caller, speaking in fluent English, reported that food was coming down shortly, wanted to know which bunker this was and how many men were in it. The guard at bunker one answered him. The guard became suspicious, however, when the caller asked how many men were in the other bunkers and the caller hung up. The guard called the commander of the relief to verify the previous call and was told that no such call had been made. A check of the telephone line leading to bunker number one revealed that someone had tapped the line.
c. Two additional deception attempts were made by telephone at Camp Holloway when a caller impersonated a SFC assigned to post headquarters. The caller identified himself on both occasions and spoke in a clear normal conversation tense and speed. He attempted to have the Sergeant of the Guard post one man on top of each bunker in the defense perimeter and to have the perimeter lights turned off. The text of the message did not appear to be prepared speech for when asked several questions, his response was reasonable and undisturbed indicating a thorough command of the language. The attempted ruse did not work, however, because in each case the Officer of the Day was notified. The SFC concerned was in the mess hall at the time of each call and stated that he did not place the calls.
d. A US Navy ship on Market Time received a radio message over Fleet Common from a station identifying itself as an aircraft with a possible fire mission at coordinates 975228 (no letters given). The only audible portion of the station's call sign were the digits 098. The station transmitted again asking (in English with oriental accent) "Are you a Market Time patrol ship?" The transmission was not understood and the station repeated the question. The ship replied "Roger wait out". The ship attempted to contact 098 five times to ask for authentication but 098 failed to respond.
4. (CMHA) VC/NVA ICD ATTEMPTS TO GAIN TACTICAL ADVANTAGE:
a. On 5 January 1964, an attempt to lure an airlift element into a trap was made by using a properly designated call sign to guide the helicopter into a landing zone. The call signs had been obtained from intercepted U.S. communications and the use of the call signs in English was fluent to the extent that the attempted deception was not detected until the helicopter approached the landing zone and was fired upon. The helicopter evacuated safely receiving twenty-five hits from automatic weapons. No authentication procedures were used at any time.
b. On 7 January 1964 ground troops in Long An operations in the vicinity of Tan An requested the pickup of ARVN personnel and stated in plain language that the landing zone would be marked with green smoke. A helicopter started into the landing zone but aborted when T28s made a napalm strike on it. A voice speaking fluent English immediately reported that the napalm had struck a friendly position. The helicopter started its approach a second time and received automatic weapons fire just prior to touchdown. The friendly troop position requesting the pickup was marked with green smoke but was 2000 meters south of the zone in which the helicopter was hit. No operation codes were used and the VC took advantage of the unencrypted voice request for the troop pickup and marked their ambush site with green smoke.
c. In January 1965, a Vietnamese Air Force pilot in an L19 reported that a VC broke into his frequency, used his call sign and carried on a lengthy conversation with the pilot. The VC stated that he was going to shoot down the plane with a .50 caliber machine gun and later requested an air strike on the village of Go Cong.
d. During operation White Wing in Binh Dinh Province in February 1966 the VC used standard English phrases in an attempt to get friendly troops to cease fire. Two examples are:
- A VC platoon was caught in a crossfire, two VC called in English, "Hold your fire, we are friendly," and "Don't shoot."
- As artillery fire was adjusted on a VC battalion, mortar platoon personnel heard a radio transmission; "Cease fire, you are hitting friendly troops".
e. On 11 December 1966, an ARVN patrol received a message on their radio to move to the vicinity of coordinates YS440632. The caller used proper call signs that allegedly originated from the district headquarters. Authentication was not requested, but the patrol leader became suspicious and sent a runner back to the compound to confirm the order. No such order was issued and the ruse was believed to have been an attempt to lure the patrol into an ambush.
f. On 8 January 1967 the command post bunker switchboard at Camp Holloway received a request for illumination at concentration 35. A static patrol was operating in the vicinity of this target and the illumination was provided. Shortly after illuminating the area another like request was received for HE at concentration 1, which on the alternate defense plan was the same as concentration 35. This request was made in such a way that authentication or followup action could not be initiated. The patrol was contacted immediately for verification of the request and it was determined that the patrol was within the perimeters of concentrations 1 and 35 and had not requested HE.
g. While in contact with enemy forces in the vicinity of Di Linh in February 1967, the VC, through ICD, attempted to direct artillery fire on friendly forces. A team advisor using the team's call sign requested artillery support from the Sector Advisor who acknowledged the transmission. Shortly thereafter the Sector Advisor received another call supposedly from the same advisory team requesting that the artillery fires be shifted to another set of grid coordinates. The team member, originally requesting the artillery support, was wounded and was unable to use his radio. The team's senior advisor overheard the bogus report, checked the new grid location and determined that his position was the new target. The team senior advisor reported the bogus transmission and requested continued fire on the original target. No authentication or operational codes were used in this case.
h. On 26 March 1967, a convoy requested an airstrike on a suspected VC location in the Ninh Thuan Sector, II Corps area. A station in the air/ground net broke in, identified itself as the district chief in the location of the requested air strike, and stated that there were friendly troops in the area. The airstrike was cancelled and the convoy was ambushed. An operations code was not used in requesting the airstrike nor was there any authentication requested of the district chief. Later information showed that the district chief had not made the transmission.
5. (CMHA) SUMMARY OF SALIENT LESSONS LEARNED:
a. The VC/NVA is an apt and eager pupil in the art of ICD. He spends many hours of study of particular people's voices, and is becoming proficient in the use of the English language. He is trained, organized, and equipped for his mission.
b. The VC/NVA can and do intercept allied communications. By using captured allied documents and equipment he can mount an extensive ICD effort against allied low level tactical communications. The enemy is able to enter allied communications with ease to gain information, to create a situation favorable to themselves or simply to harass.
c. The VC/NVA capability to conduct successful ICD is inversely proportional to the degree of perfection of allied communications security. Defensive measures against ICD which must be followed are:
- Strict adherence to the rules for authentication contained in ACP 122 (C). Authentication, by far, is the single most effective measure against ICD.
- Frequent and proper use of low level operational codes.
- High state of operator training to include alertness in recognizing irregularities in signal procedures.
- Preoperation COMSEC planning and maximum use of available COMSEC equipment.
- Maintenance of circuit discipline.
- Realization by all personnel of the vulnerability of communications to interception.
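The authentication check the lessons above single out, worked through as an added example that is not part of the original post or of the 1967 document: two stations share a net secret, the receiving operator challenges before releasing any operational information, and only a station holding the secret can reply correctly. A keyed HMAC stands in for the ACP 122 authentication tables the document cites (their format is not given on this page); the station names, the key, the challenge length and the helper functions are all constructed for this illustration. The bogus station mirrors the LIMELIGHT incident: correct call sign, no net key, no valid reply.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed shared net secret (example value, not a real key). In the 1967
# procedure the equivalent is the authentication table issued to every
# legitimate station on the net.
NET_KEY = b"constructed-example-net-key-not-a-real-one"


def authenticator(key: bytes, challenge: str) -> str:
    """Reply a station must give to a challenge.

    Stand-in for a table lookup: a keyed HMAC of the challenge, truncated to
    four hex characters so it can be read over voice like a table authenticator.
    """
    mac = hmac.new(key, challenge.encode("ascii"), hashlib.sha256).hexdigest()
    return mac[:4].upper()


def new_challenge() -> str:
    """Fresh random challenge for every request, so a reply overheard on an
    earlier exchange is useless to an intruder who replays it."""
    return secrets.token_hex(2).upper()


class Station:
    """A net station. key is None when the station never received the net
    secret, which is the position of an intruder who has only copied call signs."""

    def __init__(self, call_sign: str, key: Optional[bytes]):
        self.call_sign = call_sign
        self.key = key

    def answer(self, challenge: str) -> Optional[str]:
        if self.key is None:
            return None  # cannot comply, like the bogus LIMELIGHT station
        return authenticator(self.key, challenge)


def handle_request(net_key: bytes, caller: Station, request: str,
                   challenge: Optional[str] = None) -> Tuple[bool, str]:
    """Operator procedure: challenge first, release operational information only
    on a correct reply. Returns (authenticated, log line for the net log)."""
    challenge = challenge or new_challenge()
    reply = caller.answer(challenge)
    expected = authenticator(net_key, challenge)
    if reply is not None and hmac.compare_digest(reply, expected):
        return True, f"{caller.call_sign} authenticated on {challenge}; answering: {request}"
    # A failed challenge is itself reportable: in the document the operator
    # confirmed with the real station and reported the bogus transmission.
    return False, f"{caller.call_sign} failed authentication on {challenge}; withheld: {request}"


if __name__ == "__main__":
    genuine = Station("LIMELIGHT", NET_KEY)
    bogus = Station("LIMELIGHT", None)  # same call sign, never issued the net key
    for station in (genuine, bogus):
        ok, line = handle_request(NET_KEY, station, "time of helicopter departure")
        print(("PASS " if ok else "FAIL ") + line)
```

The point the document makes about authentication is visible in the two outcomes: the operator's own information (the net key) decides the exchange, not the caller's fluency or call sign. Issuing a fresh challenge per request is what keeps an earlier, overheard reply from being reused, which is why the procedure calls for authenticating each time operational information is requested rather than once per session.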
Now
Dick Henson wrote:
Many of you have not had any connection with SIGSEC/COMSEC monitoring in a long time. There have been many, many changes over the years, not the least of which being a decision that Army would no longer have a monitoring capability and the MOS was dissolved. At least part of that decision has been reversed and there is now training ongoing. A number of years ago an entity called the Joint COMSEC Monitoring Activity (JCMA) was created under NSA's umbrella. The plan was to have each of the services provide people. NSA would provide the equipment, training, etc. There are those on this net that are much more familiar with how this has played out than I because they worked there.
The following is a very rough outline of what is being considered for inclusion in training for the COMSEC monitor of the future. Many of these bullets need to be further reduced to the specific skills & knowledges that apply. Heaven knows what these fellows and gals will be called. I'm sure it won't be COMSECers or SIGSECers, but I'm equally sure BF will somehow become attached to what they do. As I looked at this, it took me back to Devens in '65 where I learned morse, voice (land line, HF, VHF, UHF, SHF), RATT, multichannel, microwave, etc. I see a lot of similarity here.
COLLECTION OF DOD TELECOMMUNICATIONS AND AUTOMATED INFORMATION SYSTEMS:
- In the RF spectrum (SATCOM, INMARSAT, MSE, LPE/LPD, videoteleconferencing, etc.).
- Analog & digital telephones (cable, fiber, cellular, microwave, satellite, etc).
- Data information systems (e-mail, computer-to-computer, fax, tactical internet, etc)
- NON-COM systems (radar, beacons, GPS, etc)
- Telecommunications secured by US codes & cryptographic devices
- Radio propagation, transmission media, modulation, types of communications (analog, digital, hybrid), global command and control, satellite, HF, ATC systems, DISN, etc.
- Conduct computer penetration testing; exploit operating systems; exploit data.
- Perform data manipulation, corruption & denial of service
- computer fundamentals (hardware, software, storage devices, etc); networking; computer threats, vulnerabilities and countermeasures.
- characteristics of external & internal data; produce gists of recorded comms; transcript procedures;
- some of the knowledges needed under analysis include parametric data, FLIPS, ATO's SPINS, time conversion, plotting maps (UTM, GEOREF, geographic, azimuth & range); geography, use of operational databases, commercial databases, gov't databases, web browsers, ability to locate publications, etc
- ID vulnerabilities, susceptibilities, determine threat, determine countermeasures.
- apply classifications; security protections; destruction of classified; preparation of reports (spot, daysum, periodic, comprehensive, etc).
- Prepare & present oral briefings
- interdiction, close air support,space lift, air lift, info warfare, info superiority, surveillance & reconnaissance, special operations, force protection, logistics, combat support, unified commands, major commands, FOAs,
- computer operations (DOS, UNIX, WINDOWS (2000, NT, etc), word processors, database programs, graphics programs, spreadsheet programs, telecoms software)
- Intel organizations, information operations concepts, intel preparation of the battlefield, emission security, physical security
- ID legal monitoring activities, restricted or illegal activities.
- Procedures to seek waivers
- Provisions of applicable federal guidance, laws (e.g., Title 18 USC)
In God We Trust, All Others We Monitor!!
From: Robert Housman
Subject: Re: COMSEC MONITORING FUTURE
I just got back from Fort Huachuca after three weeks and two days of the Information Systems Security Monitoring (ISSM) Course. They had a couple of GS-0080s, myself (GS-0132), an Intel Analyst (96B), and two SIGINTers from LIWA. The course awards ASI 2G for military personnel (And supposedly DA will track them by the ASI). Commands do their own monitoring now. FORSCOM is sending mostly civilians (0080/0132) to the course.
I have submitted a UFR for equipment to do the monitoring, and it basically consists of telephone and cellular phone monitoring systems which plug into the computer, and radio receiving equipment which consists of a circuit card which you plug into a slot in the computers, and which displays monitored frequencies on the screen. Monitoring computers is just a software thing. As far as penetrations, LIWA is the only one doing that as of right now (Except for the other side!!), but that will change as soon as I get my hands on some good software and get a "Mother, may I" from the command. This stuff is a far cry from sitting with a GTA or GISH though.