BIRDWATCH program: Treasure and tragedy with Eleron-3

Published on: 2022-09-09 06:43:36 +0000 UTC
Last modified: 2022-09-13 00:00:00 +0000 UTC

Background

Subreption’s research and development team has, for the past few months, been dedicating manpower and resources to investigating and analyzing military and paramilitary drone platforms operating in Asia and Europe. Our background is primarily vulnerability research and reverse engineering, enabling us to understand these platforms for both offensive and defensive purposes, including but not limited to detection, forensic data acquisition and active countermeasures.

Eleron 3: adventures in signal classification and decoding

Origins

From May 2022 onwards, Subreption and volunteers provided access to a prototype for detecting and decoding Eleron 3 signals to a specific group in Ukraine. This group later on disseminated the prototype without due credit.

Following an investigation of those involved, their employment, motivations, affiliations and registration information for companies (in some cases, registered as “NGOs” and as such benefiting from tax deductions similar to non-profit organizations), as well as credible reports from multiple sources, it was determined that the prototype and code for Eleron 3 detection and decoding were circulated beyond the boundaries of the altruistic collaboration that originally led to their development and completion.

Unfortunately, seeing how this situation deprives the general public of wide access to the tool while benefiting a select few (both Ukrainian and foreign businesses and individuals with personal interests), and how the ethical, legal and moral principles of our collaboration had been violated, a decision was reached to disclose (in the coming days and weeks) all information related to this specific system, in order to negate the unethical exploitation of the work involved.

In the public interest

As such, we have decided to pursue publication and disclosure of materials under a non-commercial dual licensing scheme, leveraging the SUDL and AGPL licenses to ensure that the general public can still benefit from the completed work, but barring businesses from pursuing their financial agendas and interests at our expense (or that of true volunteers, who deserve the credit and appreciation for all their altruistic efforts). We have also fenced with loaded claims and insinuations that “releasing the work” would “aid the enemy”: to that, all we can say is that our work is beyond politics and financial agendas, and that those among you pursuing the conflict in Ukraine for profit are “aiding the enemy” perfectly fine on your own.

The truth that resonates from all this is that a group of volunteers and a world-class vulnerability research team have worked for six months for free, dedicating time and treasure while others pursue commercial ventures. While we might pursue financing of our efforts to keep the project alive, we are above all else dedicated to the original principles of our collaboration. The very nature of a free market implies that someone, somewhere, might be doing your job better and even choosing to do it for free, regardless of how this might frustrate those who confuse antitrust and corrupt practices with classical liberalism economics.

This should serve as a warning to those who need it that, regardless of how rare it might be nowadays, some people do keep their word and follow through on their promises. We promised to help with the expectation of providing a positive impact, and we also promised to react and respond swiftly to any violations of our principles of operation. Today, we honor both promises.

Planned disclosures

As the situation evolves, a technical report will soon follow, along with commentary on how different circumstances played a part in leading to this decision.

We are also kindly requesting that any business entity with access to the prototype eliminate any and all derivatives or related capabilities developed directly or indirectly through access to said prototype, and that those who circulated it adequately credit past, present and future contributions and immediately cease any further circulation of misattributed third-party work. We reserve the right to expose or explicitly address violators publicly.

We will distribute functional copies to third parties that can enter non-disclosure, non-compete agreements limiting use under the terms of the SUDL. Any members of the Armed Forces in Ukraine are eligible, as long as proper accountability and background verification can be done through volunteers and officials. Members of organizations with prior or present employment with SIGINT or counter-drone vendors, or any commercial, for-profit or practical “for profit” entities, are not eligible. Transfer of the technology and research to third parties involved in commercial exploitation might lead to legal action and/or the complete disclosure of all research.

We will only consider private sector organizations under extremely exceptional circumstances, as our experience with the private sector in this particular area so far has been unsatisfactory, and the program is transitioning towards a permanently non-commercial nature limiting disclosure to non-profit and state-related entities.

The GPG encrypted prototype, pending release of the password, can be found at:

To all those nameless people volunteering somewhere, thank you for all you’ve done. Especially the resident DSP wizard :-)

the Subreption team and volunteers.

Disclosures

The following disclosures have already been made to the public related to this announcement:

  • September 13th 2022: el3dec (GitHub)
  • September 9th 2022: original announcement (this page).

el3dec

Released on September 13th 2022, el3dec (GitHub) is a high-performance C++ reference implementation for Eleron 3 payload decoding, currently limited in its public release to telemetry (passive) C2 information beacons. An example asynchronous network server is provided that can produce JSON output for raw hex-encoded input fed directly from a signal classifier and frame decoder, as well as unit testing for the library itself. The library can operate in fault-tolerant or fault-intolerant modes, performing validation of the untrusted input data and maximizing the amount of information extracted.

The build system is fully GNU/Linux and Windows compatible via the CMake toolkit.

Conflicts of interest

All research related to military drone platforms until September 2022 has been provided free of charge, as part of the BIRDWATCH program, to select partners involved in conflicts where such platforms are currently operating.

Subreption is providing pro bono consulting and research to multiple institutions in Europe and Asia, as well as volunteer organizations, in the context of information security (defensive and offensive).

Updates

Any updates and amendments to this press release will be listed in this section.

Contact

Press and media can reach us at regarding this announcement or any other inquiries.

Feel welcome to use PGP if you have sensitive information or special confidentiality needs.
