CSE's Toolbox

    Here's a sampling of techniques Canada's cyber spies can deploy, according to top-secret documents obtained by CBC News.

  • cne

    Implant

    OPSEC Monitoring

    Once cyber spies have implanted malware on computer networks or devices to gather intelligence, they still have to monitor them. This "operations security," or OPSEC, monitoring is done to make sure targets remain unaware of the implanted malware and its activities.
  • cne

    Disruption

    Disable Adversary Infrastructure

    This cyberwarfare technique aims to prevent enemies from using certain devices, online systems or servers by disabling them. For example, spies could temporarily shut down computer systems by infecting them with malicious software. CNE stands for “computer network exploitation,” and covers a broad field of cyber spies hacking into computer systems to gather intelligence.
  • cne

    Disruption

    Control Adversary Infrastructure

    This is another “computer network exploitation” technique. Here, cyber spies seek to control a system. Once they secure control, the spies might disrupt their enemies by triggering errors in the system or even preventing the enemies from accessing their own computer systems.
  • cne

    Insertion

    (Quantum)

    This type of computer network exploitation appears to use QUANTUM malware. As The Intercept has revealed, QUANTUM malware can be used to infect a computer and copy data from its hard drive, block targets from accessing certain websites and disrupt file downloads.
  • cna

    Destroy

    Adversary Infrastructure

    As the description suggests, this tool involves destruction. Essentially, cyber spies hack into a computer system to damage it or render it useless. CNA stands for “computer network attack.” The most famous example of this highly aggressive cyberwarfare tactic is the Stuxnet virus, a computer worm used by the U.S. and Israel to damage Iranian nuclear facilities.
  • deception

    Honeypot

    Deploy in GoC/Track in SIGINT

    Honeypots are used as a type of bait to lure an attacker or enemy into them. CSE likely uses them to detect or deflect malicious emails or traffic on Government of Canada (GoC) networks and in its foreign signals intelligence (SIGINT) work. Once the malware is captured in the honeypot, CSE analysts can watch the malware to see how it functions or glean information about where it came from.
  • deception

    False Flag Operations

    Create unrest

    A classic psychological warfare tool, false flags refer to countries conducting an attack but making it look as though another country or group did it. The goal might be to cause tension between the victim and the falsely accused attacker, or for the true attacker to benefit in some way.
  • deception

    Effects

    Alter adversary perception

    Effects techniques seek to feed enemies wrong information or distort their understanding of something. The goal is to demoralize or disrupt the enemy. Documents by CSE’s British counterpart, GCHQ, suggest that agency used effects to spread propaganda on social media websites and disrupt websites or online forums.
  • dynamic defence

    Traffic Redirection

    (inbound i.e. quarantine traffic)

    Traffic redirection involves re-routing dangerous emails or online traffic to another domain or server. Basically, malicious traffic gets diverted to a space where it can’t do harm.
  • dynamic defence

    Traffic Alteration

    (outbound i.e. insert malware)

    This suggests that CSE may be injecting malicious software into outgoing traffic in order to infect targeted computer systems and gather intelligence.
  • commercial / industry / relationships

    Influence Technology

    (provide signature to AV)

    IT security analysts use so-called “signatures” to identify malicious software. CSE may be providing these identifiers to anti-virus companies so they can build them into their commercial products. Alternatively, the spy agency might be telling anti-virus companies about the signatures and asking them not to detect certain kinds of malware, such as those produced by CSE or its allies. It's unclear.
  • See the full list of CSE's 32 capabilities in a 2011 presentation by one of its analysts.

Sources: National security expert Christian Leuprecht, The Intercept's Ryan Gallagher and Chris Parsons with the Munk School of Global Affairs.