priyom.org

Russian 6

Operating agency Unknown

Enigma family IA
Country Russia

Russian (icon)

Operational detail pages
Active stations E06, G06, S06, M14, F01, F06
Inactive stations E17, E20, V06, V23

Although this operator is not identified, it is believed to be a Russian intelligence agency with big resources, who can support development and operation of many modes and schedules transmitting from several sites, including operations based in Moscow, the Russian Far East, and Cuba.

Voice stations of this operator support a wide choice of language:

The last two ones, although inactive, are still maintained, possibly kept available for being brought back into operation. V06 was heard in test transmissions as late as 2016. V23 received new, male voice samples as early as 2010, and was heard in test transmissions in 2016 and 2017.

It also supports several speeds for its morse station M14, high-speed versions of which are sometimes referred to as M24.

Finally, it runs widespread regularly scheduled operations of several high-speed, advanced digital modes supporting redundant integrity features and versatile modular encapsulation layers, among which at least F01 and F06 are identified and understood.

The 5-figure-group messages carried by the digital modes share the same metadata header as the presumed Russian diplomatic transmissions known under M42, formerly operated by FAPSI. Links or infrastructure sharing between these agencies seem possible.

Binding characteristics

There are numerous characteristics and pieces of evidence that bind together these stations as run by a same single operator.

Format

  • Analog stations (voice and morse) follow the same identical format.
  • The 00000 outro is a characteristic format feature unique to this operator. It is present in the analog format, and also most deliberately in the digital F01, which uses a dedicated padding character but still includes one 00000 outro group. It is also present in F06, which uses 0-digit padding but always includes at least a whole five-0 group as outro, and counts four 00000 5-figure groups in null messages.
  • Postambles repeating metadata already given in the preamble are another feature which, among currently active stations only this time, is particular to this operator. The analog format has a preamble and a postamble that are identical and contain a number unique to the message transmitted, followed by the group count. Digital formats similarly feature a 5-group metadata header and a postamble repeating the serial number of the message transmitted, followed by the group count.
  • This operator exhibits a variant following a special format, known as E06a and S06b for analog stations, and also observed in F06 transmissions.

Scheduling and operating habits

  • The analog stations follow the common habit of sending a repeat transmission on a different frequency one hour after the initial transmission. Digital stations follow the common habit of sending two repeat transmissions on different frequencies, spaced by 10 minutes, after the initial transmission.
  • Transmissions that send traffic, i.e. not a null message, are repeated on the next day at the same times on the same frequencies. This is a characteristic scheduling feature unique to this operator.
  • Digital stations share the operational characteristic of repeating the message contents in an automated loop for approximately 7 minutes. This is in contrast to some Russian diplomatic transmissions (M42) that share format similarities with this numbers station operator, but however do not exhibit this automated looping behavior.
  • Analog stations share the obscure operational habit of maintaining schedules that only send obviously fake messages. These fake messages sometimes contain obviously non-random numbers, or sometimes repeat some same old identical contents that has been seen on these schedules for years. Sometimes the same known fake message is even reused across the different stations.

Grouped transmissions

  • During some tests of this operator, the different voice stations appear successively on the same frequency during the same transmission, sending similar test contents.
  • Similarly, digital stations share test frequencies.
  • Every weekday, a group of stations transmit over the Pacific area, each transmission at the top of a successive hour. This peculiar network groups together stations F01, F06, S06 and M14.

Shared schedules

  • E06 ID 832 occasionally appears as an analog replacement on the schedule of F06 ID 50046, and transmits in place of it, exhibiting the non-OTP message features specific to this schedule.
  • M14 ID 381 and F06 ID 20021 shared the same weekly schedule, using the same times and frequencies: M14 would send on weeks 1 and 3, and F06 would send on weeks 2 and 4. This schedule was very active with both stations sending messages, although no correlation could be established between the traffic patterns and message contents of the two stations. However at some point, both stations of this schedule simultaneously stopped sending any traffic, and then sent only null messages during months on; then in September 2015, both stations simultaneously stopped transmitting at all, effectively ending this shared schedule.

Operation errors

  • On June 1st, 2016, during a scheduled broadcast of F06 ID 90073, an F01 null message was mistakenly transmitted on the first two slots, before correctly sending an F06 null message on the third slot.
  • In his Radio Intrigue report #63, Don Schimmel relates an incident where an M14 null message was mistakenly transmitted instead of an M42 transmission. However this is not entirely conclusive, as M42 also includes presumed diplomatic transmissions that are linked to this operator but are not believed to be directly included in its numbers station activities; and the particular details of the M42 transmission in this incident are not identified.
  • On October 17th, 2014, an S06 transmission simultaneously sending on a different frequency was leaked through the audio of a regular G06 transmission. G06 operations are known to be particularly error-prone.
  • On July 20th, 2017, a regular scheduled transmission of G06 ID 329 sent a null message using the E06 voice instead. The transmission then ended with a leaked Windows XP shutdown sound.

Activity breakdown

Most of this operator's activity goes through its advanced digital modes, F01 and F06; especially considering the significant share of analog schedules that are in fact only dedicated to the fake message operations. At least one of these M14 schedules used to send only null messages, but was converted to fake messages.

Breakdown of Russian 6 schedule statistics

The activity of this operator is mostly based from Moscow (fake message schedules are all based in Moscow). It has a small and balanced presence in the Pacific area from the Russian Far East. Two active F01 schedules are based in Cuba, aimed at different parts of the Americas.

Encryption modes

The prime option for encryption would be one-time pads, and it seems reasonable to think that it would be used on most schedules. However, some of the schedules of digital stations F01 and F06 share a set of features that point to something incompatible with one-time pads.

  • In affected schedules, the encrypted part of the messages starts with a triple timestamp header, which is encrypted with a key that gets reused year long, message after message within the schedule, and produces visibly similar and even identical groups across different messages. For example, the 4th, 8th and 12th groups will almost always remain constant. This is the clearest sign that at least this part of the messages does not use one-time pads.
  • According to information sourced by Numbers & Oddities, one of the metadata header fields is a one-time pad parameter that would point to a resource unique to a given recipient. In affected schedules, a recurring well-known bogus value (36987), or other anagrammed bogus-looking values, sometimes appear in this field.
  • In the protocol of the F01 mode, the metadata header, which contains the one-time pad parameter, holds an optional place, and can be featured or not depending on the schedule. Although data is lacking to conclusively confirm this, it can be theorized that this optional header is always absent in affected schedules, because the one-time pad parameter value it carries is bogus and unnecessary.
  • In affected schedules, messages always have even group counts.

Test frequencies

This operator has several known frequencies on which it runs test, training, drill transmissions... Analog formats use 7353, 8140, 9073, 9300, 9463, 10270, 10755, 11073, 13530 and 19460 kHz, and use a number of known test IDs: 352 (11073 kHz), 801 (7353, 9300, 9463 kHz) and 975 (10755 kHz). Digital formats use 6780, 7992 and 9300 kHz.

Operation quirks

Unlike regular E06 and S06 schedules, G06 schedules - and also the E06 schedule sending fake messages - are operated in a partially manual way, using a different warmup procedure and starting transmissions a few minutes off the schedule. These transmissions are particularly prone to errors. G06 regularly leaks Windows XP shutdown sounds at the end of the last broadcast of the day, and sometimes other Windows XP system sounds as well.

Your browser is out-of-date!

Update your browser to view this website correctly. Update my browser now

×