The radio traffic the Russian Fish intercepted was codenamed “Bandwurm” by the Germans. Karrenberg defined it as “a Russian Baudot letter ‘strip’…not to be confused with Russian 5 letter traffic also carried on Baudot lines.” Karrenberg stated to TICOM that the system contained two elements: a Baudot teleprinter producing 32 characters made up of the Russian alphabet along with a figure and a letter shift, and a cipher attachment consisting of 5 small wheels driven by one large wheel, creating a cipher with a period of 43. Despite this knowledge, the Germans made no effort to reconstruct the wheel patterns. The cipher attachment had two settings: a ‘large’ setting that gave a simple one-letter substitution for the key, i.e. the wheels of the cipher device did not move, and a ‘small’ setting that engaged the gears of the cipher device, producing an endless stream of non-repeating key. The Russian teleprinter operators used the large setting to establish contact and test the mechanism. This was probably done to simplify the process of setting up the circuit; the operators only had to refer to a table of the ‘letter of the day’ to establish contact. This letter, sent in the clear, was repeated three times to ensure that the receiver had his machine set up correctly.
The Bandwurm traffic was first intercepted in 1940 in Warsaw, but it wasn’t studied until 1943 when the FA (Forschungsamt) made a break into the traffic by exploiting a particular anomaly; at every pause, it transmitted a compromise of seven characters of apparently pure key before shutting off. This of course produced a major crib for the cryptanalyst. The deciphered text yielded a plain (non-enciphered) five-digit code.
Later Dr Otto Buggisch, who worked for both GdNA and OKW/Chi during the war, related to TICOM what he knew of the matter: “(I) …heard in 1943 that the FA had claimed some success on a Russian teletype machine and had reconstructed the machine. It was a machine with a very long cycle being not prime but the product of several smaller cycles like the SZ 42.” …He heard this from Doering “who was then doing his research on the T 52 but liaison with the FA was bad anyway …. the next thing Buggisch heard was that the traffic found by the FA had stopped. He remembered, "only that the cycle of one of the wheels was 37; the others he thought varied widely, from 30 to 80.” Buggisch was again questioned about this teletype machine success of the FA, and answered in written homework that the FA had analyzed a Russian cipher teleprinter system in 1943, and recognized that it must have been based on a machine having certain similarities with the German SZ 40. After a short time, the Russians altered the system and the FA gave up its effort.
On 18 September 1943, a very rare meeting between the FA, the Nazi party’s signal intelligence agency, and the Army cryptanalytic service was held at the FA headquarters in Berlin. The purpose of the meeting was to pass on technical information from Dr. Martin Pützel, the head of mathematical research at the FA, to his counterpart in the Army, Dr. Pietsch. Pützel reported that for some time the FA had been intercepting this Russian Baudot traffic and had made some progress on its decipherment. Traffic analysis indicated that these circuits ran between Moscow and the high staffs at their Army fronts and communicated on one or two channels.
Buggisch also added that: “The Mathematics section of In 7/VI … worked on it and at the end of 1943, there was a "Kompromiss," (compromise) and a depth of 8 messages with the same setting was created. The section was able to recover 1400 letters of pure key, and to determine that the traffic was derived from a 5-figure code. The Germans postulated a machine like the German T 43, but were not able to prove any theories they had.”
Sometime after September 1943, the Army took the project over from the FA and developed multiplex receivers to intercept the Russian traffic. This mission was assigned to GdNA’s Group VI, and in December of 1944 Karrenberg became solely responsible for the traffic and worked on it until the end of the war.
Once the encipherment was broken, the messages were found to be in a variety of code systems. For operational orders from the General Staff to the Army Fronts, 5 letter and 5 figure codes called “Blocknots”, based upon one-time pads, were used. There were a number of links, usually 8, from Moscow HQ to the Army Fronts in the field. Less important material was encoded using 3 and 4 figure codes, many of them broken and read by the Germans. Soviet Army traffic was usually on the two channel teletype system. Commercial traffic was sent on 9-channel and 6-channel circuits, such as Moscow-Baku and Rostov-Moscow, but was sent in the clear.
Experience with the traffic, specifically close study of preambles, initial contacts, and operator chat, provided many clues into the cipher. Preambles of messages were always enciphered, but their stereotypical format and content gave cryptanalysts a clear insight into the beginnings of the cipher text. Contact traffic of the operators, in the ‘large’ setting, often gave the setting away. When the key was not revealed in the set-up chat, the Germans could often rely on depths, that is, repeated messages, where the same plaintext is transmitted more than once at different positions in the key stream, giving cryptanalysts a means of comparison. Depths were due to bad reception, sometimes requiring repeating the message three or four times. Depths were also caused when the reciprocal station got out of phase with the sending station and the key sequences did not synchronize. Karrenberg commented: “When traffic is running smoothly, and on a day when a lot of material is transmitted, one can count on key-identity being given away by repeats.”
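The following is an added illustration, not taken from the original page or from TICOM material, of why a depth combined with a stereotyped preamble exposes key. It assumes the cipher attachment combined key and text by modulo-2 addition of 5-unit characters, as on the SZ 40 the text compares it to; the alphabet, preamble, messages and key generator are constructed stand-ins.

```python
import random

# Constructed 32-symbol alphabet standing in for the 5-unit teleprinter code.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ .,-/+"
PREAMBLE = "MOSKVA-FRONT/"  # constructed stereotyped opening
HEADER_A = PREAMBLE + "SERIAL ONE. GROUPS FORTY."  # constructed, fully guessable

def to_units(text):
    return [ALPHABET.index(ch) for ch in text]

def to_text(units):
    return "".join(ALPHABET[u] for u in units)

def keystream(setting, length):
    # Stand-in generator (assumption): the same setting yields the same key.
    rng = random.Random(setting)
    return [rng.randrange(32) for _ in range(length)]

def encipher(text, setting):
    # Assumed combining rule: modulo-2 addition (XOR) of 5-bit units.
    return [p ^ k for p, k in zip(to_units(text), keystream(setting, len(text)))]

def find_depths(intercepts, n=len(PREAMBLE)):
    # Same preamble under the same key gives identical opening cipher units.
    groups = {}
    for name, units in intercepts.items():
        groups.setdefault(tuple(units[:n]), []).append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def key_from_crib(units, crib):
    # Cipher XOR known plaintext = pure key at the crib positions.
    return [c ^ p for c, p in zip(units, to_units(crib))]

def read_with_key(units, key):
    # Recovered key reads any other message in the same depth.
    return to_text(c ^ k for c, k in zip(units, key))

# Constructed traffic: A and B share one setting, C uses another.
INTERCEPTS = {
    "A": encipher(HEADER_A, 1943),
    "B": encipher(PREAMBLE + "SUPPLY TRAIN DELAYED", 1943),
    "C": encipher(PREAMBLE + "NOTHING TO REPORT", 7),
}

def demo():
    depths = find_depths(INTERCEPTS)
    key = key_from_crib(INTERCEPTS["A"], HEADER_A)
    return depths, read_with_key(INTERCEPTS["B"], key)

if __name__ == "__main__":
    print(demo())
```
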
The traffic analysis study by Magilavy and Uzielli at Steeple Claydon showed that the bulk of the traffic was two-channel military, with commercial traffic passed in the clear on 6 and 9 channels. The message preambles and endings, such as originating station, serial numbers, group count, dates, address, routing, priority and indicators, were mapped out. In addition, some internal police (SMERSH) traffic was identified in the two-channel system. The frequencies used varied between 8 and 11 MHz and were changed at irregular intervals, which were easily tracked from the simple code used in the operator chat. The Russians lacked security discipline when tuning, and operator chat often revealed the identity of the net. The call signs of all Soviet ground stations were made up of three letter characters, or a combination of three letters and figures.
Much information about this traffic, including details on exactly how the encryption was broken and specifics about the underlying codes, is still classified by the NSA, as demonstrated by the frequent redactions in TICOM documents I-153 and I-169.