analyzing the HF network traffic on 5120 KHz (OS BiH)

 

First of all I want to thank IZ6BYY Alain from Martinsicuro (Italy) who allowed me to use his KiwiSDR receiver without time limits: I very appreciated. 
I monitored this Bosnian HF network (I logged them first time on 2016) for more than two weeks: transmissions occur almost exclusively in the morning, not on weekends, and start around at 0730 UTC, likely following a certain schedule. The traffic consists of standards-based email exchange:

– 141A 2G ALE for link establishment
– Up to 2400 bps modem (Serial 110A, 39-tone 110A App.B)
– STANAG 5066 & CFTP client used for reliable over-the-air data delivery
– Standard SMTP email protocols into the wired network

All stations are members of the same ALE network and use the 3-way handshake for link management. In a few cases, a link closure similar to that used in STANAG-4538 is adopted, i.e. the link is terminated by the called station and not by the calling one.
The analysis of the 5066 PDUs after the removal of 110A overhead, figure 1, show the use of HBFTP compressed files (Harris Basic File Transfer Protocol) which, as for 5066 Annex F, is used along with CFTP for transfers from one SMTP server to another. 

Fig. 1 - STANAG-5066 PDUs showing the use of CFTP and HBFTP protocols

After HBFTPn.gz files have been extracted and unzipped, the email headers finally emerge and allow a bit of "intelligence" (figure 2):

Fig. 2 - email headers

 

wmtuser@OMEGA.ok, wmtuser@CIKLON.ok
The email addresses reveal that the messaging system software, and most likely the connected radios, are provided by Harris Corporation: indeed "wmtuser" is the email address default name that is prompted by Harris RF-67x0W Wireless Gateway. The ".ok" e-mail domain name stands for Operativna Komanda or Operational Command,
 

received: from osbihbutmir, received from kstbrvspvo
The server name "osbihbutmir" must be split as OS BiH Butmir where OS BiH (Oružane Snage Bosne i Hercegovine) stands for Armed Forces of Bosnia and Herzegovina, and Butmir is a neighborhood in Ilidža municipality site of the AF Operational Command HQ. Similarly, the name "kstbrvspvo" could be formed by the acronyms KSTBR and VSPVO, where KSTBR may stand for Communications Systems and Technologies Brigade (Komunikacioni Systems i Tehnologije BRigada).
I also noted the server name "jovana" which may have been chosen to honour the memory of Jovana Divjak, a Bosnian army general who died on April 8th, 2021: but that's just a my guess.

X-Mailer
The underlaying PCs run a Microsoft OS, likely Windows 2000 Professional or Windows XP Professional; Outlook 11 is used to draft and send the emails by OMEGA while other nodes seem to use Outlook Express.

X-HSMTP
(likely Harris SMTP, Simple Mail Transfer Protocol) The routing rows show that the recipient node is at 1-hop distance (DP and NP values).

By processing the bitstreams is then possible to derive the the 5066 addresses of the nodes and associate them to the related stations names and 141A ALE addresses  (in brackets):

 

000.000.000.001 OMEGA (OMA)
000.000.000.006 ASTRA (ASA)
000.000.000.007 CIKLON (CIN)
000.000.000.011 GRANIT (GRT)
000.000.000.016 LI(?)A (LIA)
000.000.000.017 LI(?)1 (LI1)
000.000.000.029 ORKAN (ORN)

 

It must be noted that:

1) the 5066 address range 0.0.0.0 — 0.255.255.255 does not have a Regional Assignee, rather the actual block allocation for Bosnia-Herzegovina is 6.6.y.z ( STANAG-5066 Annex N);

2) during the monitoring period I have not heard any other station or ALE address other than those listed. 

 

We also might compare the current station names with the old ones in use in year 2016, assuming that the 5066 addresses of the stations have not changed; notice that at that time the 141A ALE addresses were assigned  by using some popular automotive brands (HFMREZA is the Bosnian translation for HF Nerwork):

000.000.000.001 GAMAHFMREZA (GAMA)
000.000.000.003 FIATHFMREZA (FIAT)
000.000.000.005 FORDHFMREZA (FORD)
000.000.000.007 OPELHFMREZA (OPEL)        
000.000.000.009 SKODAHFMREZA (SKODA)   
000.000.000.011 VOLVOHFMREZA (VOLVO)        

Searching in the UDXF logs, this network appears for the first time in 2014: even in that case the ALE addresses were formed by the union of the first two and the last letter of the station names (TAO = TAngO), the latters consisting of the letters of the Greek alphabet: ALA (=ALFA), BRO (=BRAVO), DEA (=DELTA), GOF (=GOLF), EKO (=ECHO), OMA (=OMEGA), OSR (=OSCAR),TAO (=TANGO), ZUU (=ZULU).

The particular 5066 address (.001), the site (the AF Operational Command HQ), the traffic (OMEGA almost always initiates the ALE sessions) and the software too (Outlook 11 rather than Outlook express), led to think of OMEGA (OMA) as the net-control station as it was for the station GAMA. In addition to the change of station names and addresses, the most relevant change compared to 2016 is the paradigm used for emails: PEM - Privacy Enhanced Mail is now used for secure that traffic (figure 3).

Fig. 3

 

In some cases the contents of the emails are in clear-text, as for example the list of telegrams received/sent by the DK brigade (DK brTP) along with the greetings (*** Greetings from the team DK brTP OS BiH **** ) and the name of the operator of the "Workstation DK 6.pbr"; due to privacy, I have masked his surname:

 

Fig. 4

As said above, in some links the messages are also exchanged using the 39-Tone (110A App.B/FED-1052B) as HF waveform: this evidence proves the use of (at least) two radio networks where all or a subset of the nodes are members of both nets; at this regard, it's to be noted that Harris RF-6750 WG does not allow the use of multiple waveforms/protocols in a same radio-network. Likely, the HF email domain ".OK" coincides with only one radio network.
(yep I know, it's not good and it's definitely not discreet! anyway - to better illustrate my hypothesis - I had recourse to a old copy of the 6750 WG to simulate the software setup that I imagine and which in my opinion comes closest to the configuration which they use)

Fig. 5 - two distinct radio-networks with different waveforms/protocols

Another interesting point is that some bitstreams carried by the 39-tone and 188-110 modems have initial 41-bit length similar patterns (figure 6) that - in my opinion - reveal the use of encryption, therefore in those cases 5066 PDUs are not readable. I tried some analysis of the patterns and maybe they could be "partial" strings of the sequence generated by the polynomial x^42+x^41+x+1. 

Fig. 6 - 41-bit patterns in Serial 110A and 39-tone bitstreams

As far as the encryption device is concerned, my guess is that some links use Datotek encryption which is used in Harris RF-5022 and RF-5800 based radio stations. In that regard, I did some research in the web and found that as early as 2009 they were just using Harris RF-5022 transceivers during their participation as a PfP country in the "NATO Combined Endeavor" 2009 exercise (1). If my guess is correct, the 41-bit sequences could be a kind of "distinctive sign" of the Datotek encryption.

Fig. 7 - Datotek encryption may be used in RF-5022 based radio stations

https://disk.yandex.com/d/B0wHSW1Tfhz2Eg

(1) Bosnia and Herzegovina joined the Partnership for Peace (PfP) programme in 2006.At the beginning of 2021, Bosnia and Herzegovina established the Commission for Cooperation with NATO in order to facilitate the development of their Reform Programme for 2021-2022 and other matters on their path to accession.  
http://mod.gov.ba/Zdruzeni_napor/?id=21449