Numbers & oddities: Column 8

editor: Ary Boender

Lobeliastraat 33B
3202 HR Spijkenisse
the Netherlands

[Back to list]


Hi folks, an error has crept into my EAM sample in last month's column. I included a 'one' in the sample message but after reading the whole story I'm sure you all know by now that there are NO 'ones' in EAM's. This month's special edition of N&O is about spy stations. Not the normal, average spy stations (YL with 5F groups) but the digital ones. C37A and 6XM8 were the cause of many discussions amongst dxers during the past few years. Several dxers -amongst them also WUNners- have been following these stations for years and one of them sent me the following very interesting manuscript:

Today I'd like to introduce you to a rather mysterious group of stations, that seem to have no connection but are all centred around one of the Israeli intelligence services (MOSSAD, LAKAM, AMAN or SHABACK).

Probably most of these stations are known to you already, but there seems to be a lot of uncertainty as to who is behind them, so it may be worthwhile taking a closer look at them.

The following calls appear to be involved in this multinational operation, although there are probably a few more which we haven't found out about yet: C37A, 6XM8, CJL, WJI, TFB, RSB1 (QRT?), CIF9, PTI2, CAM, M4W, RK2, KWO (QRT?)



'C37A' and '6XM8'

These two stations are the most active in the net. They have a daily sked, 7 days a week, which normally starts at 04:30 UTC and continues nonstop until 19:45 UTC (Mo.-Fr.) or until 15:30 UTC (Sat.& Sun.). Modes used are ARQ-E with 288 Bd and normal Baudot telegraphy with 100 Bd, which is used for operational procedures only. Traffic in ARQ-E is always encrypted, using a very effective combination of encryption and data compression.

'C37A' is located in Israel, not very far from Tel Aviv. This was checked out by locals in the outskirts of Tel Aviv (sig. rep. was 59+20dB and no fading on the signal during lousy conditions) and also confirmed with the help of professional grade DF-equipment.

'6XM8', the other end of the link, is located in Germany, probably not more than 100 Km from the city of Bonn. Although we have no proof, all the data gathered so far, hints at a station run by the German intelligence service (BND).

It is still unknown where exactly the station is located. Monitors in the Bonn area, living very close to the German MFA-building and the Israeli embassy, gave the station a rather weak ground wave signal. This more or less rules out involvement by either of the two installations, which both have huge HF antennae on the roof. However various attempts were conducted to DF the station and each time Bonn appeared to be the source of the signal. The most likely transmitter site is the region northwest of Bonn, bordering with Belgium. This region is packed with military and other dubious installations, and the ideal place for such a low profile operation. We think the site may be located near the town of Monschau, in a place called Hoefen. The BND is known to have a very large monitoring installation in Hoefen.

Although it would appear strange to use a monitoring station for transmission purposes, the BND seems to do just that (eg.the now closed DEA47 in Husum), using the name "Bundesstelle für Fernmeldestatistik" as a cover.

The '6XM8' transmitter site seems to be used by the BND number stations (eg. "Kilo Whiskey"), as well as a couple of other ARQ-E outlets, running at 288, 192 and 96 Baud, always encrypted. Operational messages are sent in CW.

These German stations can be heard on the following frequencies:
13903 ARQ-E-96, 14950 ARQ-E-288, 15641 ARQ-E-288, 16327 ARQ-E-96, 16350 ARQ-E-288, 18768 ARQ-E-288, 18772 ARQ-E-288, 20950 ARQ-E-192

These links seem to be directed to other partner intelligence services of the German BND.

The messages sent by 'C37A' to Germany consist of encrypted English text or 5 LGs which are also encrypted using the online compression/encryption algorithm.

You can tell 'C37A' and '6XM8' apart by looking at the shift. The Israeli side uses 330-340 Hz on both ARQ-E and Baudot, whereas the German side uses a narrow 190 Hz. The Israelis transmit at 100.87 Bd and the Germans use exactly 100 Bd Baudot.

Here is the current 'C37A'/'6XM8' frequency list:

Frequency Channel nr. Callsign Mode
7569.50 (??) C37A ARQ-E-288/ITA-2 100.87
9208.00 (53) 6XM8 ARQ-E-288/ITA-2 100
10348.00 (54) 6XM8 ARQ-E-288/ITA-2 100
10749.50 (??) C37A ARQ-E-288/ITA-2 100.87
11434.50 (??) C37A ARQ-E-288/ITA-2 100.87
12224.50 (??) C37A ARQ-E-288/ITA-2 100.87
12276.00 (56) 6XM8 ARQ-E-288/ITA-2 100
13073.50 (25) C37A ARQ-E-288/ITA-2 100.87
13419.00 (57) 6XM8 ARQ-E-288/ITA-2 100
14379.50 alternate during QRM C37A ARQ-E-288/ITA-2 100.87
14386.50 alternate during QRM C37A ARQ-E-288/ITA-2 100.87
14390.50 (??) C37A ARQ-E-288/ITA-2 100.87
14398.00 alternate during QRM C37A ARQ-E-288/ITA-2 100.87
15688.00 (59) 6XM8 ARQ-E-288/ITA-2 100
16312.50 (28) C37A ARQ-E-288/ITA-2 100.87
16457.00 (60) 6XM8 ARQ-E-288/ITA-2 100
17387.00 (61) 6XM8 ARQ-E-288/ITA-2 100
17422.50 (??) C37A ARQ-E-288/ITA-2 100.87
17427.50 (??) C37A ARQ-E-288/ITA-2 100.87
17437.50 (??) C37A ARQ-E-288/ITA-2 100.87
18547.50 (??) C37A ARQ-E-288/ITA-2 100.87
18557.50 (??) C37A ARQ-E-288/ITA-2 100.87
18275.00 (62) 6XM8 ARQ-E-288/ITA-2 100
20465.50 (??) C37A ARQ-E-288/ITA-2 100.87

The following traffic from 'C37A' to '6XM8' shows that decisions are made on the Israeli side of the link: 12:55 UTC 12.May.95 13072.50 kHz. (C37A was having serious problems with encryption device/no synch. possible)

it is ok with me
no hard feelings
we will try again and if it wont work
i will a ask prommuission to qrx
ok///zar
ok ok ok
(--- THEN TO ARQ-E-288 BUT NO SYNCH WITH '6XM8'---)
(--- BACK TO BAUDOT---)
ok ok ok,
ok ok
but pls pls as as as
i have to get aprovel
ok ok ok, pls as
tks tks tks
as 5 m

(--- PAUSING FOR A COUPLE OF MINUTES ---)
good news
we can close now
it was a pleasure working with you
ok ok
many thanks and regards
xxkk
i dont understand 88

(--- PAUSING FOR ABOUT 2 MINUTES ---)
ok
to you too
gb gb gb gb gb gb

(--- S. OFF ---)

The Israelis have problems with their equipment very often. In August the link was down for several weeks due to technical problems with the encryption device. They were back to normal on 23/08/1995.

'CJL' and 'WJI'

'CJL' is a station which is listed in many publications as the Cypriotic MFA in Nicosia. The location may be right, however the user is again one of the Israeli intelligence services.

'WJI', the other end of the link is a station located in Italy, probably somewhere in the north-eastern part of the country. This was indicated by rough DF-analysis and propagation characteristics. The user is probably one of the Italian intelligence services. There are normally 3 skeds per day, with limited weekend activity. From Monday to Friday you can hear both stations at 07:00, 11:30 and 15:00 UTC Saturday normally has 1 or 2 skeds only.

The regular frequencies in use are 16339.50 kHz ('CJL') and 17526 kHz ('WJI'). Modes used are ARQ-E-96 with a 4 character rep. cycle and 100 Baud Baudot for the call-up procedure.

The following technical problems, operator errors, operator chatter, technical data and transmission characteristics gave away the real users of 'CJL' and 'WJI', thus definitely ruling out the MFA Nicosia theory:

The traffic sent on this link consists of 5 LGs, using the NATO encryption system called AROFLEX. Here is a sample of a message transmitted by 'CJL' to 'WJI'. You will notice that the first and the last group of the message are identical, and that groups 2/3/4/5/6 are identical as well.

cjl
ryryryryryryryryryryryryryryryryryryryryryryry
i ga ga

nr05
170047z july 95'
bt
bsdwf arjun arjun arjun arjun arjun ylfvo loedb nqscm xmlcv
zldpk msppd rkqco ofksf ypecd ftzqc swopq mdkeq qsrox novey
(..........rest deleted ...........)
page 2
olywv ctneo zzwqh zzcxa smyxs eioex goojh updvu fuhmw vpbkr
(..........rest deleted ...........)
kjnax wunmr zybqw ngahc tovnl rioub tjaia xakbf dljap qtlqn
jqlef bsdwf
bt
gr312
nnnn

Here is a sample message from 'WJI' to 'CJL' (note the Italian date-time-group and the similarity to the message-format used by Italian diplo-stations !) :

nr. 06
o 110825z giu 95
gr364
bt
nwwvy ldonf ldonf ldonf ldonf ldonf dwuiw qofth vtyit mejok

(..........rest deleted ...........)
page 2
glrcz arxzq zprzi epovd scsig hvnou bmulm nteix ansxx dkonh

(..........rest deleted ...........)
bgnlh psygp bzene kwpmz hmelb tkquo toahk vnmjq zbbzf fvnud
evnmw unkad mmnhb nwwvy
bt
,6921
nnnn

Here are the frequencies we have so far for the link 'CJL'/'WJI':

Frequency Channel nr. Callsign Mode
14447.00 (44) WJI ARQ-E-96/ITA-2 100
14780.50 CJL ARQ-E-96/ITA-2 100.87
15721.50 CJL ARQ-E-96/ITA-2 100.87
16217.00 WJI ARQ-E-96/ITA-2 100
16339.50 CJL ARQ-E-96/ITA-2 100.87
17526.00 WJI ARQ-E-96/ITA-2 100

'M4W' / 'RK2'

'M4W' is the "Israeli" side of the link. It is probably identical with station 'CJL' because:

DF-analysis on the station pinpointed it to the eastern part of the Mediterranean area, somewhere in the area of Northern Israel or Lebanon.

'M4W' uses Baudot telegraphy with 75 Baud, 1 stopbit per char. and the standard "Israeli shift" of 330-340 Hz.

Here is a typical example of 'M4W' traffic:

m4w  m4w  m4w  ryryryryryryryryryryryryryryryryryryryryryryryry
m4w  m4w  m4w  ryryryryryryryryryryryryryryryryryryryryryryryry
m4w  m4w  m4w  ryryryryryryryr
ok ok qsa 4 qsa 4
i qru too qru qru
pls qso qso qso
ok ok ok tks tmxqs    have a nice day
bybybyby by by by


'RK2' is located in or very near Moscow. It is probably an outlet also used for SOUD ("Brotherhood") transmissions. The station uses the standard eastern block 500 Hz shift and Baudot with 75 Baud and 1.5 stopbit. As in the SOUD-transmissions, the RY test-tapes are sent shifted as 4646......

Here is an example of an 'RK2' transmission:

rk2 rk2 rk2  464646464646464646464646464646464646464646464646464646
rk2 rk2 rk2  464646464646464646464646464646464646464646464646464646
rk2 rk2 rk2  464646464646464646464646464646464646464646464646464646

hr qsa fb  qsa 4 
only ur wrk qrg 16128  pls next qso wrk qrg 16129  okej ?
k ok  ga pls
i qru qru
int qtc
gb  gb qru  gb sk   qso
qso  will wrk  
ok tks gb sk sk
sk  sk


'M4W' and 'RK2' have a daily sked at 08:30 UTC, six days per week on 16129 and 16247 kHz. Messages are encrypted using 5 figure groups. As we haven't been able to catch the beginning of a message yet, we don't know what type of message headers are used. There is hardly any traffic on this link, the last message from the Israeli side to the Russian side was monitored in February 1995, yet still they have a daily sked. After a few minutes of operational chatter, the link is normally closed.

Frequency Callsign Mode
16129,00 M4W F1B-75
16247,00 RK2 F1B-75
19559,00 M4W F1B-75

The question remains why an Israeli intelligence service would have a daily sked with its Russian counterpart. One of our fellow WUNers suggested a joint Russian-Israeli effort to help control Russian organized crime among the Russian immigrants entering Israel - an explanantion which seems to make sense.

'RSB1', 'TFB', 'CAM', 'CIF9' and 'PTI2'

These are a bunch of stations using a 3 channel FEC-A-192 VFT system. 'RSB1' was very active but seems to have disappeared. 'CAM' and possibly 'TFB' seem to be identical with 'CJL'. 'CAM' has been heard on 16339.5 kHz at 07:52 in the morning and many times on 19243 kHz with crosstalk from the "MOSSAD-lady". Both 'CAM and 'TFB' have been heard running the same 100.87 Baud Baudot system used by 'CJL' and certain operator characteristics are very similar to the ones seen on the 'CJL' circuit.

Traffic seen on these VFT-circuits consists of 5 LGs and a little chatter. The sign off is the typical "Israeli way" with "ar va ar va".

It is yet unclear unclear who and where the other end of the link is, but it may be another multinational operation, as operator chatter is always in English.

Here are a few text samples from the VFT-stations :

de
rsb1 rsb1  rsb1 
ryryryryryryryryryryryryryryryryryryryryryryryryryryryry
1234567890 1234567890 1234567890 1234567890
qtc qtc
+ + +  ccccccccccccccccccccccccccccccccccc
277     221620       178 gr
sahst nufms ~llgv witrc pbtug lovon rpwus yuaes diuwp jirqh
wlrkm yzmyp mebsb taodb lywvv pyhpz vnfht rwitc twcfz vyzhu
(..............rest deleted................)
dlwzt bemzi xadok wtslb lnnhm~wjhex tpwoi euauw trgxz wdurp
ijqdb ybxeu edqvc kjvnn ntuza bqrey xyuky vubhd

ar++


de
cam  cam  cam
ryryryryryryryryryryryryryryryryryryryryryryryryryryry
qru qru qru
ar        ar        ar        ar    
ar va  ar va


de
cam  cam  cam
ryryryryryryryryryryryryryryryryryryryryryryryry
qtc  qtc

494     091535       598 gr
lhvno oyxut rksyp dgfet jodcc yexao enxgt gydpk iydbv boses
ihrrj yeuon rzhwg omjqw wyngv nmoqc mtxkb mldai rzjsy xqwiw
(.....rest deleted.....)
page 2
(.....rest deleted.....)
bsaml nzmet bmbth ogrfb puhgf qhzre cfoxo nziop

nnnn


de
cif9  cif9  cif9
ryryryryryryryryryryryryryryryryryryryryryryryry
1234567890  1234567890  1234567890  1234567890
qru qru


ryryryryryryryryryryryryryryryryryryryryryryryryryryryryryryry
tfb   tfb    tfb   tfb    tfb   tfb    tfb   tfb    tfb   tfb
ryryryryryryryryryryryryryryryryryryryryryryryryryryryryryryry
tfb   tfb    tfb   tfb    tfb   tfb    tfb   tfb    tfb   tfb
ok ok ok ok
tks tks
zbz 4 qsa 4 qsa 4 zbz 4
i qru qru qru int qtc qtc qtc qtc


The stations can be heard on the following frequencies:

Frequency Callsign
12179.80 TFB daily sked at 13:00 UTC
12544.80 RSB 1 (QRT ?)
13404.00 ???
14594.00 ???
15852.30 PTI 2
16099.80 ???
16286.20 RSB 1 (QRT ?)
16339.50 CAM operator error !
19227.10 CIF 9 daily sked at 09:00 UTC
19243.00 CAM daily sked at 08:00 UTC
19406.20 ???
19911.00 PTI 2

'KWO'

This station was a daily guest on 18568.5 kHz and was last heard about 1 1/2 years ago. The mode used was ARQ-E-96 with a rep. cycle of 8 characters. I never managed to locate the other end of the link. The link was normally established at 12:00 UTC, although 'KWO' was often on the air about 30 min. earlier with idle signals. From the operational messages seen on 'KWO' transmissions I would suggest that this was the Israeli side of the link.

Here is a typical 'KWO' sample :

ryryryryryryryryryryryryryryryryryryryryryryryryry
the quick brown fox jumps over the lazy dog .
de kwo
ryryryryryryryryryryryryryryryryryryryryryryryryry
the quick brown fox jumps over the lazy dog .
de kwo
ryryryryryryryryryryryryryryryryry r r r r
r r r r
r r r r r r r r r r
i qsa 3 zbz3
i qru qru qru
int qtc qtc
okokokokok tks pls rpt rpt
tks tks by dear
by by by by ar va


I hope we have managed to draw your attention to this very interesting group of stations. If anybody can provide additional information on these or other similar stations, please feel free to post it to Ary. We are especially interested in any similar activity heard outside of Europe.

Thanks for your efforts OM. Good stuff ! Well, that's all for now folks, it's time to sign off. Please send me your findings, loggings and news. I am looking for people who can tell me more about the navigation signals between 1600-3000 kHz. I'd like to cover them in a future edition of the newsletter. Write me for more info. Bye ! -Ary-


---