{
	"id": "93150ccd-53ca-4d1d-9d1a-efeebbfd5ef1",
	"created_at": "2026-04-06T00:16:36.497344Z",
	"updated_at": "2026-04-10T03:23:38.839929Z",
	"deleted_at": null,
	"sha1_hash": "1e8d3280d4b276ff6df89f67e7cf77efcb77282f",
	"title": "INCENSER, or how NSA and GCHQ are tapping internet cables",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1215468,
	"plain_text": "INCENSER, or how NSA and GCHQ are tapping internet cables\r\nArchived: 2026-04-05 23:15:32 UTC\r\n(Last edited: January 9, 2018)\r\nRecently disclosed documents show that the NSA's fourth-largest cable tapping program, codenamed INCENSER,\r\npulls its data from just one single source: a submarine fiber optic cable linking Asia with Europe.\r\nUntil now, it was only known that INCENSER was a sub-program of WINDSTOP and that it collected some 14\r\nbillion pieces of internet data a month. The latest revelations now say that these data were collected with the help\r\nof the British company Cable \u0026 Wireless (codenamed GERONTIC, now part of Vodafone) at a location in\r\nCornwall in the UK, codenamed NIGELLA.\r\nFor the first time, this gives us a view on the whole interception chain, from the parent program all the way down\r\nto the physical interception facility. Here we will piece together what is known about these different stages and\r\nprograms from recent and earlier publications.\r\n- NIGELLA - GERONTIC - INCENSER - WINDSTOP -\r\nThe cables tapped at NIGELLA by GERONTIC under the INCENSER and WINDSTOP programs\r\n(Map: ARD.de - Text: Electrospaces.net - Click to enlarge)\r\nNIGELLA\r\nLast week's joint reporting by the British broadcaster Channel 4, the German regional broadcasters WDR and\r\nNDR and the German newspaper Süddeutsche Zeitung, identified NIGELLA as an interception facility at the\r\nintersection of Cable \u0026 Wireless and Reliance cables at Skewjack Farm.\r\nhttps://www.electrospaces.net/2014/11/incenser-or-how-nsa-and-gchq-are.html\r\nPage 1 of 11\n\nThere, just north-west of Polgigga Cottage in Cornwall, is a large building that was constructed in 2001 for FLAG\r\nTelecom UK Ltd for 5.3 million pounds. 
It serves as a terminus for the two ends of a submarine optical cable: one\r\nfrom across the Atlantic which lands at the beach of nearby Sennen, and one that crosses the Channel to Brittany\r\nin France:\r\n- FLAG Atlantic 1 (FA1)\r\nConnecting the east coast of North America to the United Kingdom and France (6.000 kilometers)\r\nThe FLAG Atlantic 1 cable to America consists of 6 fibre pairs, each capable of carrying 40 (eventually up to 52)\r\nseparate light wavelengths, and each wavelength can carry 10 Gigabit/s of traffic. This gives a potential capacity\r\nof 2.4 terabit/s per cable. However, in 2009, only 640 gigabit/s were actually used, which apparently went up to\r\n921 gigabit/s in 2011.\r\nThe FLAG terminus station in Skewjack Farm, Cornwall\r\n(still from 'The Secrets of Cornwall')\r\nThe cable was initially owned by FLAG Telecom, where FLAG stands for Fiber-optic Link Around the Globe.\r\nThis company was renamed Reliance Globalcom when it became a fully owned subsidiary of the Indian\r\ncompany Reliance Communications (RCOM). In March 2014, Reliance Globalcom was renamed again, this time to\r\nGlobal Cloud Xchange (GCX).\r\nMore important is another, much longer submarine cable, which was also owned by this company, and which has\r\nits landing point on the shore of Porthcurno, a few miles south-west of Skewjack Farm:\r\n- FLAG Europe-Asia (FEA)\r\nConnecting the United Kingdom to Japan through the Mediterranean, with landing points in Egypt, the Saudi\r\nPeninsula, India, Malaysia, Thailand, Hong Kong, China, Taiwan, South Korea and Japan (28.000 kilometers)\r\nThis cable has 2 fibre pairs, each capable of carrying up to 40 separate light wavelengths, and each wavelength\r\ncan again carry 10 gigabit/s of traffic. 
This gives a potential capacity of 800 gigabit/s, but in 2009 only 70\r\ngigabit/s were used, which went up to 130 gigabit/s in 2011 - still an unimaginable 130.000.000.000 bits per\r\nsecond.\r\nThe backhaul connection between the FLAG Atlantic 1 (FA1) and the FLAG Europe-Asia (FEA) is provided by a\r\nlocal area network of Cable \u0026 Wireless, which also connects both submarine cables to its terrestrial internet\r\nbackbone network.\r\nAccording to the newly disclosed GCHQ Cable Master List from 2009, the interception of the FA1 and the FEA\r\ncables takes place at the intersection with this backhaul connection:\r\nThis list also shows that the interception of these two cables is accompanied by a Computer Network Exploitation\r\n(CNE) or hacking operation codenamed PFENNING ALPHA.\r\nBecause the owner of the cables (Reliance Globalcom, now Global Cloud Xchange) is not a cooperating partner of\r\nGCHQ, the agency hacked into the owner's network to obtain additional \"router monitoring webpages\" and \"performance\r\nstatistics for GTE [Global Telecoms Exploitation]\".\r\nInterception equipment\r\nHow the actual interception takes place can be learned from an article in The Guardian from June 2013, which\r\nprovides some details about the highly sophisticated computer equipment at cable tapping points.\r\nFirst, the data stream is filtered through what is known as MVR (Massive Volume Reduction), which immediately\r\nrejects high-volume, low-value traffic, such as peer-to-peer downloads. This reduces the volume by about 30%.\r\nSelectors\r\nThe next step is to pull out packets of information that contain selectors like phone numbers and e-mail, IP and\r\nMAC addresses of interest. In 2011, some 40,000 of these were chosen by GCHQ and 31,000 by the NSA,\r\naccording to The Guardian. 
This filtering is most likely done by devices from Boeing-subsidiary Narus, which can\r\nanalyse high-volume internet traffic in real-time.\r\nA single NarusInsight machine can monitor traffic up to 10 Gigabit/second, which means there have to be up to a\r\ndozen of them to filter the relevant traffic from the FA1 and FEA submarine cables. Most of the information\r\nextracted in this way is internet content, such as the substance of e-mail messages.\r\nFull sessions\r\nBesides the filtering by using specific selectors, the data are also sessionized, which means all types of IP traffic,\r\nlike VoIP, e-mail, web mail and instant messages are reconstructed. This is something the Narus devices are also\r\ncapable of.\r\nThese \"full take\" sessions are stored as a rolling buffer on XKEYSCORE servers: content data for only three to\r\nfive days, and metadata for up to 30 days. But \"at some sites, the amount of data we receive per day (20+\r\nterabytes) can only be stored for as little as 24 hours\" according to an NSA document from 2008.\r\nThe aim is to extract the best 7,5% of the traffic that flows past the access, which is then \"backhauled\" from the\r\ntapping point to GCHQ Bude through two 10 gigabit/s channels (the \"egress\" capacity). This might be a dedicated\r\ncable, or a secure VPN path over the regular Cable \u0026 Wireless backbone that connects Bude with the south-west\r\nof Cornwall:\r\nThe Cable \u0026 Wireless internet backbone (yellow) in Cornwall\r\nand the connections to submarine fiber-optic cables (red)\r\n(Map from before 2006)\r\nGERONTIC (Cable \u0026 Wireless)\r\nThe secret GCHQ documents about these cable tapping operations only refer to the cooperating\r\ntelecommunications provider with the cover name GERONTIC. The real name is protected by STRAP 2\r\ndissemination restrictions. 
Nonetheless, German media already revealed last year that GERONTIC is Cable \u0026 Wireless.\r\nIn July 2012, Cable \u0026 Wireless Worldwide was taken over by Vodafone for 1.04 billion pounds, but according to\r\nthe GCHQ documents, the covername GERONTIC was continued, and was seen active until at least April 2013.\r\nAccording to the press reports, GCHQ had access to 63 undersea internet cables, 29 of them with the help of\r\nGERONTIC. This accounted for about 70% of the total amount of internet data that GCHQ had access to in 2009.\r\nCable \u0026 Wireless was involved in these 29 cables, either because it had Direct Cable Ownership (DCO), an\r\nIndefeasible Right of Use (IRU) or Leased Capacity (LC). Besides that, the GCHQ Cable Master List from 2009\r\nalso lists GERONTIC as a landing partner for the following nine cables:\r\n- FLAG Atlantic 1 (FA1)\r\n- FLAG Europe-Asia (FEA)\r\n- Apollo North\r\n- Apollo South\r\n- Solas\r\n- UK-Netherlands 14\r\n- UK-France 3\r\n- Europe India Gateway (EIG)\r\n- GLO-1\r\nDisclosed excerpts from internal GCHQ wiki pages show that Cable \u0026 Wireless held regular meetings with\r\nGCHQ from 2008 until at least 2010, in order to improve the access possibilities, like selecting which cables and\r\nwavelengths would provide the best opportunities for catching the communications GCHQ wanted.\r\nGCHQ also paid Cable \u0026 Wireless tens of millions of pounds for the expenses. For example, in February 2009, 6\r\nmillion pounds were paid, and a 2010 budget references a 20.3 million pound payment to the company. By\r\ncomparison, NSA paid all its cooperating telecommunications companies a total of 278 million dollars in 2013.\r\nThe intensive cooperation between Cable \u0026 Wireless and GCHQ may not come as a surprise for those knowing a\r\nbit more of British intelligence history. 
The company already worked with predecessors of GCHQ during World\r\nWar I: all international telegrams were handed over so they could be copied before being sent on their way, a\r\npractice that continued for over 50 years.*\r\nINCENSER (DS-300)\r\nAmong the documents about the GCHQ cable tapping is also a small part of an internal glossary. It contains an\r\nentry about INCENSER, which says that this is a special source collection system at Bude. This is further\r\nspecified as the GERONTIC delivery from the NIGELLA access, which can be viewed in XKEYSCORE (XKS):\r\nThis entry was also shown in the German television magazine Monitor, although not fully, but without the\r\nredactions, so from this source we know the few extra words that were redacted for some reason.\r\nThe entry also says that INCENSER traffic is labeled TICKETWINDOW with the SIGINT Activity Designator\r\n(Sigad) DS-300. From another source we know that TICKETWINDOW is a system that makes cable tapping\r\ncollection available to 2nd Party partners. The exact meaning of Sigads starting with DS is still not clear, but\r\nprobably also denotes 2nd Party collection.\r\nTEMPORA\r\nIn Bude, GCHQ has its Regional Processing Center (RPC), which in 2012 had a so-called \"Deep Dive\" processing\r\ncapability for 23 channels of 10 gigabit/second each under the TEMPORA program.\r\nTEMPORA comprises different components, like the actual access points to fiber-optic cables, a Massive Volume\r\nReduction (MVR) capability, a sanitisation program codenamed POKERFACE, and the XKEYSCORE system. As\r\nwe have seen, most of the hardware components are located at the interception point, in this case the facility in\r\nSkewjack (NIGELLA).\r\nAnalysing\r\nThese collection systems can be remotely instructed (\"tasked\") from Bude, or maybe even also from NSA\r\nheadquarters. 
In part, that involves entering the \"strong selectors\" like phone numbers and internet addresses.\r\nIn part, it means using the additional capabilities of XKEYSCORE.\r\nBecause the latter system buffers full take sessions, analysts can also perform queries using \"soft selectors\", like\r\nkeywords, against the body texts of e-mail and chat messages, digital documents and spreadsheets in English,\r\nArabic and Chinese. XKEYSCORE also allows analysts to look for the usage of encryption, the use of a VPN or\r\nthe TOR network, and a number of other things that could lead to a target.\r\nThis is particularly useful to trace a target's internet activities that are performed anonymously, and therefore cannot\r\nbe found by just looking for the known e-mail addresses of a target. When such content has been found, the\r\nanalyst might be able to find new intelligence or new strong selectors, which can then be used for starting a\r\ntraditional search.\r\n \r\nHacking operations\r\nAccording to a 2010 NSA presentation that was published by The Intercept in December 2014, the INCENSER\r\naccess is also capable of supporting the QUANTUMBOT (IRC botnet hijacking), QUANTUMBISQUIT (for\r\ntargets who are behind large proxies), and QUANTUMINSERT (HTML web page redirection) hacking\r\ntechniques.\r\nTwo other components of the QUANTUMTHEORY computer network exploitation framework,\r\nQUANTUMSQUEEL (for injection of MySQL databases) and QUANTUMSPIM (for instant messaging), had\r\nbeen tested, but weren't yet operational:\r\nThis means that at the INCENSER collection site NIGELLA, there are also TURMOIL sensors which detect when\r\na targeted user’s packets are among the traffic that flows past. 
TURMOIL tips off the central automated command \u0026\r\ncontrol system codenamed TURBINE, which then launches one or more QUANTUM attacks, as directed by\r\nNSA's hacking division Tailored Access Operations (TAO). An explanation of this method is on the weblog of\r\nRobert Sesek and the website of Wired.\r\nPossible targets\r\nThe disclosed GCHQ documents contain no specific targets or goals for the INCENSER program, which provided\r\nChannel 4 the opportunity to claim that this Cable \u0026 Wireless/Vodafone access allows \"Britain's spies to gather\r\nthe private communications of millions of internet users worldwide\". Vodafone, which also has a large share of the\r\ntelecommunications market in Germany, was even linked to the eavesdropping on chancellor Merkel.\r\nBoth claims are rather sensationalistic. Merkel's phone was probably tapped by other means, and both GCHQ and\r\nNSA aren't interested in the private communications of ordinary internet users. On the contrary, by tapping into a\r\nsubmarine cable that connects to Asia and the Middle East, INCENSER looks rather focused on high-priority\r\ntargets in the latter region.\r\nUpdate: The redacted source trigraphs of the case notations in the internal GCHQ glossary, which start\r\nwith IR and YM, seem to point to Iran (Iraq is IQ) and Yemen as target countries of the INCENSER\r\nprogram.\r\nReporting\r\nDespite INCENSER being NSA's fourth-largest cable tapping program in terms of the volume that is\r\ncollected, the intelligence reports analysts are able to write based upon this only made it to the 11th position of\r\ncontributors to the President's Daily Brief - according to a slide from a 2010 presentation about Special Source\r\nCollection, published by The Washington Post in October last year:\r\nWINDSTOP (2nd Party)\r\nData collected under the INCENSER program are not only used by GCHQ, but also by NSA, 
which groups such\r\n2nd Party sources under the codename WINDSTOP. As such, INCENSER was first mentioned in a slide that was\r\npublished by the Washington Post in October 2013 for a story about the MUSCULAR program:\r\nAccording to NSA's Foreign Partner Access budget for 2013, which was published by Information and The\r\nIntercept last June, WINDSTOP involves all 2nd Party countries (primarily Britain, but also Canada, Australia and\r\nNew Zealand) and focusses on access to (mainly internet) \"communications into and out of Europe and the Middle\r\nEast\" through an integrated and overarching collection system.\r\nMUSCULAR is a program under which cables linking big data centers of Google and Yahoo are tapped. The\r\nintercept facility is also located somewhere in the United Kingdom and the data are processed by GCHQ and NSA\r\nin a Joint Processing Centre (JPC) using the Stage 2 version of XKEYSCORE.\r\nA new slide from this presentation about WINDSTOP was published by Süddeutsche Zeitung on November 25,\r\nwhich reveals that a third program is codenamed TRANSIENT THURIBLE. About this program The Guardian\r\nreported once in June 2013, saying that it is an XKeyscore Deep Dive capability managed by GCHQ, with\r\nmetadata flowing into NSA repositories since August 2012.\r\nIn November 2013, the Washington Post published a screenshot from BOUNDLESSINFORMANT with numbers\r\nabout data collection under the WINDSTOP program. Between December 10, 2012 and January 8, 2013, more\r\nthan 14 billion metadata records were collected:\r\nThe bar chart in the top part shows the numbers by date, with DNR (telephony) in green and DNI (internet) in\r\nblue. 
The section in the center of the lower part shows these data were collected by the following programs:\r\n- DS-300 (INCENSER): 14100 million records\r\n- DS-200B (MUSCULAR): 181 million records\r\nXKEYSCORE, which is used to index and search the data collected under the INCENSER program, can be seen\r\nin the bottom right section of the chart.\r\nWith just over 14 billion pieces of internet data a month, INCENSER is the NSA's fourth-largest cable tapping\r\nprogram, accounting for 9 % of the total amount collected by Special Source Operations (SSO), the division\r\nresponsible for collecting data from internet cables. According to another BOUNDLESSINFORMANT chart, the\r\nNSA's Top 5 of cable tapping programs is:\r\nSSO worldwide total: 160.168.000.000 (100%)\r\nDANCINGOASIS: 57.788.148.908 (36%)\r\nSPINNERET (part of RAMPART-A): 23.003.996.216 (14%)\r\nMOONLIGHTPATH (part of RAMPART-A): 15.237.950.124 (9%)\r\nINCENSER (part of WINDSTOP): 14.100.359.119 (9%)\r\nAZUREPHOENIX (part of RAMPART-A): 13.255.960.192 (8%)\r\n...\r\nOther programs: 38.000.000.000 (24%)\r\nIt's remarkable that just one single cable access (NIGELLA in Cornwall) provides almost one tenth of everything\r\nNSA collects from internet cables. 
This also means that besides a large number of small cable accesses, NSA\r\nseems to rely on just a few important cables for about 2/3 of its collection from this type of source.\r\nLinks and Sources\r\n- Documentary about the cable landing stations: The Secrets of Cornwall\r\n- Golem.de: Die Abhörkette der Geheimdienste\r\n- The recently disclosed documents about GCHQ cable tapping:\r\n   - NetzPolitik.org: Cable Master List: Wir spiegeln die Snowden-Dokumente über angezapfte Glasfasern, auch\r\nvon Vodafone\r\n   - Sueddeutsche.de: Snowden-Leaks: How Vodafone-Subsidiary Cable \u0026 Wireless Aided GCHQ’s Spying Efforts\r\n- ArsTechnica.com: New Snowden docs: GCHQ’s ties to telco gave spies global surveillance reach\r\n- Sueddeutsche.de: Vodafone-Firma soll GCHQ und NSA beim Spähen geholfen haben\r\n- WDR.de: Neue Snowden-Dokumente enthüllen Ausmaß der Zusammenarbeit von Geheimdiensten und\r\nTelekommunikationsunternehmen\r\n- TheRegister.co.uk: REVEALED: GCHQ's BEYOND TOP SECRET Middle Eastern INTERNET SPY BASE\r\n- Weblog about UK Submarine Cable Landings \u0026 Cable Stations\r\n- Article about Explaining submarine system terminology – Part 1\r\nThanks also to Henrik Moltke, who did most of the research for the German press reports\r\nMore reactions on Hacker News and Schneier's Blog\r\nSource: https://www.electrospaces.net/2014/11/incenser-or-how-nsa-and-gchq-are.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.electrospaces.net/2014/11/incenser-or-how-nsa-and-gchq-are.html"
	],
	"report_names": [
		"incenser-or-how-nsa-and-gchq-are.html"
	],
	"threat_actors": [
		{
			"id": "5d2bd376-fcdc-4c6a-bc2c-17ebbb5b81a4",
			"created_at": "2022-10-25T16:07:23.667223Z",
			"updated_at": "2026-04-10T02:00:04.705778Z",
			"deleted_at": null,
			"main_name": "GCHQ",
			"aliases": [
				"Government Communications Headquarters",
				"Operation Socialist"
			],
			"source_name": "ETDA:GCHQ",
			"tools": [
				"Prax",
				"Regin",
				"WarriorPride"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434596,
	"ts_updated_at": 1775791418,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1e8d3280d4b276ff6df89f67e7cf77efcb77282f.pdf",
		"text": "https://archive.orkl.eu/1e8d3280d4b276ff6df89f67e7cf77efcb77282f.txt",
		"img": "https://archive.orkl.eu/1e8d3280d4b276ff6df89f67e7cf77efcb77282f.jpg"
	}
}