The DSB Oddity audio source identified

Status
Not open for further replies.

Token

Member
Premium Subscriber
Joined
Jun 18, 2010
Messages
2,255
Location
Mojave Desert, California, USA
A signal I have been calling the 9024 DSB Oddity, or just the DSB Oddity, has been regularly active for several months now. I did a video of it on my YouTube channel on 03 April, 2020 (
).


This signal has been on air most weekday nights since at least as far back as February, 2020. At times it has been on two frequencies simultaneously, other times it has been only found on one frequency. The four known frequencies it uses often are 5708 kHz, 9008 kHz, 9022 kHz, and 9024 kHz, there may be others that have not yet been reported. The signal has been seen on every week day, but not on Saturday or Sunday (UTC days). Typically it is on the air between about 0130 and 0630, but the start and stop times are variable.


The signal is a repeating loop of audio, the audio segment is 20 seconds long. It is transmitted in DSB (the same content in USB and LSB, with no carrier). The audio is unclear, but obviously it is more than one voice. The voices may be in Russian.


There have been discussions on the possible use or purpose of this signal on various forums. The general feeling is that it is very possible it may be a jammer, or possibly jammer training. The signal does not seem to be attacking any specific signal, in fact it is often on a frequency with no other signal present.


Repeated TDOA, RFDF, and propagation modeling calculations place the source in Far Eastern Russia, specifically around the Khabarovsk, Russia, area.


ulx2, a user on the HFUndergorund.com forums, identified the sound as being the same as a recording on a Russian jamming focused web site. A voice jammer that the Russians used in the 1970's and 80's to jam broadcast stations. The "Speech-like signal" on this page RADIOJAMMING


This DSB transmission is not the same kind of jammer used in the past, or rather the fact it sounds the same does not mean it is the same. Because the audio of the DSB signal is the sound clip from the web site. Not just the same kind of signal, but the same 20 second clip. I think it is quite possible the source of the DSB signal is actually using the actual sound clip off the web site. It is identical in length and every feature, just a little more muddy sounding.


I did a new video of the signal, showing the signal on 2 frequencies at one time, and comparing the web site audio to the received audio.


T!
 

Token

Member
Premium Subscriber
Joined
Jun 18, 2010
Messages
2,255
Location
Mojave Desert, California, USA
My first thought when I first heard this was speech inversion plus something else. However, it turns out there is probably no encryption techniques applied at all. And also, I knew I had heard this before, I just could not place where and when.

As I show in the video, the source of the audio being sent is that jammer web site. Not just the same kind of signal that web site is talking about, but they actually appear to be transmitting the audio sample taken from the web site. The audio sample from the web site is a random 20 second segment of an hour log jamming program the Russians used to run, and the timing and features of the transmitted 9024 kHz DSB signal match that 20 second sample exactly, with just a little more distortion added. They are the same sound clips.

As I understand it, the original Russian jammer was built by recording two announcer audio programs, one male and one female, on one track and adding a little distortion. This insured that the jammer was covering voice frequencies with wide variations, and any technique that countered the jammer would also make the covered target unlistenable.

T!
 

RFI-EMI-GUY

Member
Joined
Dec 22, 2013
Messages
5,291
How bizarre. Why? What else is happening in the region that the signals originate from?
 

a417

!#
Joined
Mar 14, 2004
Messages
2,850
HF Trolling?
The fact that Token has basically confirmed it's the same file leads me to think that someone had some vodka and said "you know what would be hilarious, comrade? If we got this audio file from the internet and broadcast it to mess with everyone's heads...":LOL:
 

Token

Member
Premium Subscriber
Joined
Jun 18, 2010
Messages
2,255
Location
Mojave Desert, California, USA
How bizarre. Why? What else is happening in the region that the signals originate from?
If the source is indeed the Khabarovsk, Russia, area, and based on multiple independent indicators I think that is very likely, there is a significant Russian military presence there, including a dedicated Electronic Warfare unit. Khabarovsk is the headquarters of the Eastern Military District and home of the 17th Independent Electronic Warfare Brigade. The 106th Communications Brigade is only a short distance away in Dalnerechensk.

There are several dedicated training divisions and detachments in the area also.

Possibly of interest is the fact that apparently the Pacific or Asiatic versions of the numbers station V07 and M12 are also transmitted from the same general area. In fact, maybe a lot closer than the same general area, it could be the same facility or group. Asiatic V07 and M12 are both known to tune their transmitters up with a specific habit. 20 to 40 minutes before the scheduled time of the first transmission for either of these signals the transmitter typically comes online and is tuned up for several seconds on the first frequency (both of these signals transmit on 3 frequencies per set of messages). Habitually the transmitter operators use audio from a local Russian language commercial broadcast station in this tuning process, you can hear the radio station audio in the tuneup. Also, during the V07 numbers station transmission there is quite often audio cross talk present from the same commercial station, leading to questions of the possibility that the commercial station and the numbers station may share facilities or at least location.

But why mention these numbers stiatons?

At least one time this DSB signal may have, possibly, done the same thing. One day, several minutes before the 9024 kHz signal appeared a carrier came up on frequency, the carrier carried audio from what sounded like a Russian language commercial broadcast station, and the amplitude of the signal ramped up as the transmitter was adjusted. The signal maxed out and a few seconds later went off air. A few minutes after that the DSB Oddity started up. I use a lot of qualifiers in these statements because the signal was on the weak side, and it was not possible for me to be 100% sure of the language or content of the audio on tune up.

HF Trolling?

The fact that Token has basically confirmed it's the same file leads me to think that someone had some vodka and said "you know what would be hilarious, comrade? If we got this audio file from the internet and broadcast it to mess with everyone's heads...":LOL:
If it was purely trolling I would have to say that is some dedicated trolling. This signal has been seen active most weekdays since some time in February. It consistently operates in the same time windows almost every weekday.

I tend to think it might be a combination of military training / testing and trolling. If I were a training NCO and I needed to have a class of operators / technicians work the equipment every day for a while, I could see grabbing a chunk of audio like this for the purpose. From an OPSEC standpoint it does not give away real waveforms I would use in conflict, but it is suitably obscure enough to mess with people. Maybe.

T!
 

RFI-EMI-GUY

Member
Joined
Dec 22, 2013
Messages
5,291
Maybe there is some subtle intelligence buried in that mayhem. As with steganography, some portion of the noise containing bits of data. Nobody would normally tune this sort of station in, they would move on, unlike a numbers station.. it would be a faster data rate than those 5 letter groups,
 

Token

Member
Premium Subscriber
Joined
Jun 18, 2010
Messages
2,255
Location
Mojave Desert, California, USA
Maybe there is some subtle intelligence buried in that mayhem. As with steganography, some portion of the noise containing bits of data. Nobody would normally tune this sort of station in, they would move on, unlike a numbers station.. it would be a faster data rate than those 5 letter groups,
There is really no reason to go to that effort, what is the gain? Who are you hiding it from?

If you want to send secure data, then send secure data. There are many Russian digital formats to be found on HF, secure formats.

The purpose of a voice or Morse numbers stations as a secure one way voice link are not the same as a digital signal. A voice or Morse station is 100% secure and can be received and decoded by a human with no hardware more imposing than portable shortwave radio and a pad of paper. A digital signal, whatever the format, can carry much more data, much quicker, but requires hardware to decode.

What purpose would trying to hide data in this kind of signal serve? Sure, hobbyist may not realize there was data present, but professionals would strip the signal down to determine if there were any changing data, at all, in each cycle. Like steganography, the fact there is data present is only hidden from a casual inspection. The data content may be much harder to pull, but the fact there was changing data should be pretty detectable.

T!
 

RFI-EMI-GUY

Member
Joined
Dec 22, 2013
Messages
5,291
There is really no reason to go to that effort, what is the gain? Who are you hiding it from?

If you want to send secure data, then send secure data. There are many Russian digital formats to be found on HF, secure formats.

The purpose of a voice or Morse numbers stations as a secure one way voice link are not the same as a digital signal. A voice or Morse station is 100% secure and can be received and decoded by a human with no hardware more imposing than portable shortwave radio and a pad of paper. A digital signal, whatever the format, can carry much more data, much quicker, but requires hardware to decode.

What purpose would trying to hide data in this kind of signal serve? Sure, hobbyist may not realize there was data present, but professionals would strip the signal down to determine if there were any changing data, at all, in each cycle. Like steganography, the fact there is data present is only hidden from a casual inspection. The data content may be much harder to pull, but the fact there was changing data should be pretty detectable.

T!
The purpose would be to thwart signal analysis. Numbers stations are likely recorded 100%. Why if the agents use a one time pad? Because an agent might slip up. Maybe his OTP was already copied by counterintelligence breaking in. Or maybe he was caught with the goods. But if the transmissions are conducted on an unusual channel, using a hereto unknown modulation, the channel is a bit more secure. Maybe the numbers stations are simply a ruse to distract complacent signal intelligence agencies.dont bother with that garbled noise, it's just a jammer . Or is it?
 
Last edited:

RFI-EMI-GUY

Member
Joined
Dec 22, 2013
Messages
5,291
Let's say I want to embed data in this DSB signal you have discovered. I start with a clean recording of this nonsense as a reference. I insert it into an ISB exciter after running it independently through a phase modulator on one ISB channel. At the other end I compare the phase between each sideband and extract a binary result. It may be a subtle 20 bps, but it is much faster than a numbers station and a OTP. The code book changes daily, like a OTP. It is faster, more usable data, more stealthy. How do I decode it? A laptop with a soundcard plugged into a SW receiver. Keep in mind that with modern computational power and long term storage, everything interceoted will some day become useful. Hiding in plain sight is just as important.
 

Token

Member
Premium Subscriber
Joined
Jun 18, 2010
Messages
2,255
Location
Mojave Desert, California, USA
The purpose would be to thwart signal analysis. Numbers stations are likely recorded 100%. Why if the agents use a one time pad? Because an agent might slip up. Maybe his OTP was already copied by counterintelligence breaking in. Or maybe he was caught with the goods. But if the transmissions are conducted on an unusual channel, using a hereto unknown modulation, the channel is a bit more secure. Maybe the numbers stations are simply a ruse to distract complacent signal intelligence agencies.dont bother with that garbled noise, it's just a jammer . Or is it?
I believe that is a flawed starting point. You think numbers stations are 100% recorded, and so moving the data to another type of transmission reduces the probability it will be scrutinized. I think, no, I am almost certain, that the entire HF spectrum is 100% recorded, not just specific signals. I do so myself at times. And I think unknown, unusual, one of a kind signals would be under greater scrutiny.

All it takes is storage and an ability to sift the data.

An example.

There is a network of ditters that I call the Pips Network. A short duration pulse that cycles across the HF spectrum every few seconds. What is the purpose and source I do not know, I suspect it is some kind of ionospheric testing tool, but have never confirmed the source. The point is it hits many frequencies in a short period, most often a 6 second cycle, hitting all the frequencies it is going to (from as few as 4 up to 128 frequencies across the HF spectrum) in 6 seconds and then starting over. Listening on any one frequency it just sounds like a short "pip" every 6 seconds (or whatever the current cycle time is, I have seen from 3 to 40 seconds used.).

I have found the easiest way to address it, to find what frequencies it is using for a given set, is, when I note it active, to record the entire HF spectrum as an IQ recording, and then search the recording. In truth, I typically only record the spectrum that has propagation. So if it is 0500 local time and I have no signals at all above say 13000 kHz I will record 0 - 16000 kHz, or maybe 2000 - 14500 kHz because I have never found this signal below 2000 kHz. But I can, and have, recorded the entire HF spectrum, 0 - 32000 kHz (yeah, HF is only 3000 - 30000 kHz, I know, but 32 MHz is the step size I have that can get it all), or any other chunk of spectrum, 32 MHz wide, when required. 32 MHz is the widest my equipment at home will do IQ recordings, but at work I can do 800 MHz of width.

I then search the recording for this signal or whatever signal I am looking for. For the Pips Network, since it has some distinctive features and I know them, I have written some scripts to help automate portions of this task. For example, depending on its parameters it always uses a specific frequency step, so I can search only on those steps for unknown freqs, I can channelize my search for those steps.

With the WinRadio G35DDC and at 16 bit depth it takes about 14 TB for me to record 24 hours of 0 - 32000 kHz spectrum (9.7 GB / min). If I wanted to, on my local radio storage servers, I could keep roughly 1 week of the entire HF spectrum, from 0 - 32000 kHz, that is right at 100 TB of data.

If I can do that, as a casual hobbyist, OK, maybe more than casual, but still a hobbyist, you don't think professional / governmental agencies can't record every chunk of HF spectrum every day, all day?

And then automate the sorting of information. Write software to categorize transmissions, it already exist, Rohde and Schwarz, Keysight, PROCITEC, etc, already commercially sell software with this ability, but I am willing to bet a 3 letter agency might have their own. After the signals are all categorized more software features can compare them against known databases of signals. Flag any unknown or unrecognized combinations for deeper review. Automate the prioritization of the review cycle. Kick out the remaining unknown signals for human, or deeper software, review.

Done correctly humans would only be keyed to signals that had never been seen before or ones they had flagged as of particular interest. Identified signals could be routed to specific groups for monitoring / analysis.

Let's say I want to embed data in this DSB signal you have discovered. I start with a clean recording of this nonsense as a reference. I insert it into an ISB exciter after running it independently through a phase modulator on one ISB channel. At the other end I compare the phase between each sideband and extract a binary result. It may be a subtle 20 bps, but it is much faster than a numbers station and a OTP. The code book changes daily, like a OTP. It is faster, more usable data, more stealthy. How do I decode it? A laptop with a soundcard plugged into a SW receiver. Keep in mind that with modern computational power and long term storage, everything interceoted will some day become useful. Hiding in plain sight is just as important.
As I have pointed out above, I think trying to obscure the signal that way might actually make it more likely to be investigated, not less likely. If your simple SW radio plugged into a laptop running some software can demodulate it, then those differences in SB channel data can be detected.

So outside potential obscurity, until it is noticed and then easy recognition, what do you gain?

Going to an existing style of encrypted HF modem does the same thing but with much higher data throughput. Another Russian AT3104D data stream showing up on HF is just a regular thing, or a new Russian T600 frequency and time, the same for the Chinese 4+4 or 30 tone PSK modems, new ones are popping up for short durations all the time. With the right encryption you can know they transmitted, but never know the content. And they can be recorded by the recipient, and if you have the code key decrypted, with that same laptop and SW radio.

And, not to focus on them, some known numbers stations have already done it. Chinese V16 and V22 are not seen these days, but the last few known transmission schedules of those stations was replaced by an encrypted digital modem. That modem is still seen periodically today, but is it carrying their traffic or not? Various known Russian digital transmission have taken the place of some past voice / Morse numbers stations. The Cuban V02a (voice) and M08a (Morse) numbers stations were replaced by SK01 and then later HM01, digital data.

Security through obscurity is a real thing, no doubt, but to be obscure you need to not stand out. And this one of a kind DSB signal stands out if you are actually looking for anomalies. And hiding in plain sight is a real thing also, but to work it needs to be something in plain sight, something people are used to seeing.

To do what you have described I would pick a signal already on the air, not introduce a new signal. Preferably something with many copies across the spectrum, something people and software are used to seeing, and only one of them containing these changes.

But that is just my take on it. And of course, I can't say you are wrong, I can only say that I think it less likely.

T!
 
Last edited:

RFI-EMI-GUY

Member
Joined
Dec 22, 2013
Messages
5,291
It brings us back to ...Why?
And somebody is going to a lot of trouble transmitting it if it's real purpose has nothing to do with jamming. See how easy it is to discount it?
 

Token

Member
Premium Subscriber
Joined
Jun 18, 2010
Messages
2,255
Location
Mojave Desert, California, USA
It brings us back to ...Why?

And somebody is going to a lot of trouble transmitting it if it's real purpose has nothing to do with jamming. See how easy it is to discount it?
For indications of possible why, lets look at habits. I am making the assumption the signal is indeed from the Kharabovsk region.

The signal is on almost every week day, their local time. It has not been observed operating on weekends, their local time.

The times it is operational has been variable, observed on as early as 0130z and off as late as 0630z. More typically something like 0200z to 0500z, with operations as short as 1.5 hours to as long as 5 hours. The on time might be looser than that, it could be on earlier but if I don't have propagation earlier I could be missing it. But it is typically of good strength when it goes off. Kharabovsk is GMT +10, so the operational times are anything from 1130 local time (or before) to as late as, but typically earlier than, 1630 local time. On average it is typically off between 1500 and 1600 (local) daily. Basically seen after lunch to end of business or working day, local time for the source.

In the local region there are at least 4 major Electronic Warfare commands or centers, the 17th IEWBg, the 471st and 475th IEWCnt, and the 541st IEWBat. There are also several training commands.

Both training and testing of systems often requires transmitting a real signal. Training for some kinds of systems can take months. And people can get used to doing certain maintenance activities at certain times of the day.

When I was in school at Corry Station (now called the Information Warfare Training Center, but it has had other names over the years, when I was there it was called the Naval Technical Training Center, the core functions have remained similar since about 1960) we did both off air and open air training, both reception of signals and spectrum denial.

The students had sets of activities, and those typically spanned weeks to a couple of months. A local in the area, if they knew what signals to look for, could have told every time a new class reached a certain point in training, as each class ended up doing the same things for several years running. Several times a year, for several weeks each time, the same kind of on-air signals would have been observed.

But the maintainers were even more predictable. Every afternoon, after the students left, the maintainers would put the gear through the same set of tests to make sure it was ready for the next days class activities. For OPSEC reasons they were careful not to use "real" signals. One of the signals was one of the maintainers dogs barking. You could almost set your watch by the regularity of some bogus, but repeating, signals that would be on the air.

Now, am I saying that is what is happening with this signal? Of course not, that would be too coincidental. I just mention this as an example of how weird, repeating, signals can be relatively benign or easily explained if you know one key detail. Especially around military installations. But lacking that key detail they can be a real mystery.

This particular signal could be something unique and mysterious, or it might just be someone learning or testing a transmitter. Until something else happens we may not ever know. But I tend to think more simple in nature is more probable. And if they were doing some kind of new hidden data link It end to think they would have picked a signal a bit more common, one that would be seen, recognized for what it was (on the surface) and dismissed. Maybe hide it in one of the many Russian Navy propagation beacons, or an existing style of repetitive transmission. Why draw attention to something you are trying to hide by using a signal that is so obviously odd and out of the norm.

T!
 
Status
Not open for further replies.
Top