GCHQ Summaries

In 2013, journalists began revealing secrets associated with members of the Five Eyes (FVEY) intelligence alliance. These secrets were disclosed by Edward Snowden, a US intelligence contractor. The journalists who reported on the documents did so after carefully assessing their content and removing information that was identified as unduly injurious to national security interests or that threatened to reveal individuals’ identities. During my tenure at the Citizen Lab I provided expert advice to journalists about the newsworthiness of different documents and, also, content that should be redacted as its release was not in the public interest. In some cases documents that were incredibly interesting were never published on the basis that doing so would be injurious to national security, notwithstanding the potential newsworthiness of the documents in question.

Since 2013 I have worked with the Snowden documents for a variety of research projects. As part of these projects I have tried to decipher the meaning of the covernames that litter the documents (e.g., CASCADE, MEMORYHOLE, SPEARGUN, or PUZZLECUBE), as well as trying to objectively summarise what is contained in the documents themselves without providing commentary on the appropriateness, ethics, or lawfulness of the activities in question.

In all cases the materials which are summarised on my website have been published, in open-source, by professional news organizations or other publishers. None of the material that I summarise or host is new and none of it has been leaked or provided to me by government or non-government bodies. No current or former intelligence officer has provided me with details about any of the covernames or underlying documents. This said, researchers associated with the Citizen Lab and other academic institutions have, in the past, contributed to some of the materials published on this website.

As a caveat, all descriptions of what the covernames mean or refer to, and of what is contained in individual documents leaked by Edward Snowden, are provided on a best-effort basis. Entries will be updated periodically as time is available to analyse further documents or materials.

Summaries are organized by the year in which the underlying documents were made public, as opposed to the year they may have been authored internal to the agency.

This page was last updated January 17, 2023.

  1. 2018
    1. GCHQ CNE Presentation
  2. 2017
    1. The Tale of Two Sources
    2. TWO FACE
    3. SDSG Integrated Analytics Workshop (14 Oct 2011)
    4. XKEYSCORE Helper Notes
    5. Review of VisWeek 2008
  3. 2016
    1. GHOSTHUNTER Tasking Process
    2. APPARITION/GHOSTHUNTER Tasking Info
    3. DGO and DOC Special
    4. MILKWHITE Enrichment Service (MES) Programme
    5. The National Technical Assistance Centre
    6. PRESTON Architecture (Version 3.0)
    7. PRESTON Business Processes (Version 1.0)
    8. Mobile Apps — Checkpoint meeting Archives
    9. Communications Capability Development Programme
    10. What’s the worst that could happen?
    11. HIMR Data Mining Research Problem Book
  4. 2015
    1. Assessment of Intelligence Opportunity – Juniper
    2. GCHQ Analytic Cloud Challenges
    3. ROCK RIDGE – Next Generation Events
    4. Content or Metadata
    5. Cyber Defence Operations Legal and Policy
    6. Supporting Internet Operations
    7. QFDs and BLACKHOLE: Technology behind GCHQ/INOC
    8. Report on Architectural Risk 2012 – Summary
    9. Event (SIGINT)
    10. Events Analysis – SALAMANCA, HAUSTORIUM, THUGGEE, IMMINGLE
    11. Data Stored in BLACK HOLE
    12. Events Product Centre
    13. BLACKHOLE
    14. Access: The Vision
    15. Black Hole Analytics
    16. Blazing Saddles
    17. Broadcast/Internet Radio Exploitation and Analysis
    18. Laws on Interception Oversight: Implications for JCE
    19. OP HIGHLAND FLING – Event Log
    20. PullThrough Steering Group Meeting #16
    21. STA: Authority To Target An Individual/Organization With A Sensitive Nationality Or In A Sensitive Location
    22. Social Anthropoid
    23. Target Detection Identifiers
    24. Next Generation Events
    25. HRA Auditing
    26. Next Generation Events (NGE) — BLACK HOLE ConOp
    27. Legalities – GCHQ Databases // Legalities – NSA Databases
    28. “ICTR Cloud Efforts” developing “canonical” SIGINT analytics, finding hard targets and exploratory data analysis at scale
    29. Cyprus Snippet
    30. COMSAT SNIPPET
    31. Operational Legalities
    32. Software Reverse Engineering
    33. TECA Product Centre
    34. Reverse Engineering
    35. NDIST 5-a-day
    36. GCHQ Stakeholders
    37. Legal Authorisation Flowchart: TARGETING
    38. Legal Authorisation Flowchart: COLLECTION
    39. GCHQ’s developing Cyber Defence Mission
    40. ISA-94: Application For Renewal Of Warrant GPW/1160 In Respect Of Activities Which Involve The Modification Of Commercial Software
    41. Intrusion Analysis/JeAC
    42. ACNO Skill 12: Malware Analysis & Reverse Engineering
    43. JTAC Attack Methodology Team
    44. Comet News (March 2010)
    45. JTRIG Operational Highlights, August 2009
    46. Behavioural Science Support for JTRIG’s (Joint Threat Research and Intelligence Group’s) Effects and Online HUMINT Operations
    47. Welcome to the Mission Driven Access Workshop
    48. 2Q NAC Business Plan Review
    49. GCSB Access (Snippet)
    50. PCS Harvesting At Scale
    51. CNE access to core mobile networks
    52. CCNE Successes January 10-March 10 Trial
    53. Where are these keys?
    54. Associated email addresses
    55. Open Source for Cyber Defence/Progress
    56. LOVELY HORSE
    57. Mobile apps doubleheader: BADASS Angry Birds
    58. iPhone target analysis and exploitation with unique device identifiers
    59. CNE End Point Requirements
  5. 2014
    1. BULLRUN
    2. STARGATE CNE Requirements
    3. Network Analysis Centre Belgacom Update Snippet 1
    4. CNE Access to BELGACOM GRX Operator Snippet 1
    5. CNE Access to BELGACOM GRX Operator Snippet 2
    6. CNE Access to BELGACOM GRX Operator Snippet 3
    7. Making Network Sense of the encryption problem (Roundtable)
    8. Automated NOC Detection
    9. Belgacom Connections
    10. Mobile Networks in MyNOC World
    11. ‘HOPSCOTCH’ Snippet
    12. CNE Access to BELGACOM GRX Operator Snippet 4
    13. WOLFRAMITE (snippet)
    14. A5/3 crypt attack proof-of-concept demonstrator (snippet)
    15. 2nd SCAMP at CSEC process
    16. What is HACIENDA?
    17. Finding Orbs
    18. OPA~TAS Covert Mobile Phones Policy
    19. JTRIG tools and techniques
    20. JSA Restrictions – Access Central: Targeting
    21. The Art of Deception: Training For A New Generation Of Online Covert Operations
    22. DISRUPTION Operational Playbook
    23. Mobile Theme Briefing
    24. Psychology: A New Kind of SIGDEV
    25. Capability – iPhone
  6. 2013
    1. BULLRUN CoI–Briefing Sheet
  7. Unknown
    1. Site Updates (OPA-MHS-[REDACTED])
    2. Yemen Microwave (Snippet)

2018

GCHQ CNE Presentation

Summary: This presentation provides a high-level overview of the GCHQ’s Computer Network Exploitation (CNE) operations. CNE is done to access data at rest or to overcome passive collection activities, as well as to enable conventional signals intelligence by way of enabling operations against traffic.

All CNE activities must be UK deniable and, as such, intermediary machines/infrastructure are used to gain access to targets and to return data to GCHQ repositories. CNE operations include: network end points, counter terrorism, single end points, data harvesting, effects, and “CNE Scarborough”. In some cases these operations involve obtaining credentials from CNE or passive collection to access email or other points of interest or, in others, engaging in spear phishing. GCHQ’s CNE operations also involve targeting network infrastructures after gaining access to administrators’ machines or using security weaknesses to gain access to computers or devices.

Effects operations are classified as “[m]aking something happen a [sic] target’s computer” and includes slowing down a device, “[b]ringing down target’s web browser”, or changing users’ passwords. The CNE team is also involved in router operations, under the covername EREPO, which provides in-country collection through the exploitation of routers.

Another aspect of CNE operations involves developing techniques and assets for CNE operations. Teams are divided between Microsoft, UNIX, hardware, and mobile, and are responsible for finding holes and weaknesses in software and using them to subsequently execute code. Part of this involves prototyping and then automating the developed code, often in close collaboration with other UK or second party partners. Deconfliction is recognized as an issue, on the basis that implants may interfere with one another and more activity increases the risk of discovery; deconfliction tends to take place by detasking based on IP addresses, rather than based on targets. Once the primary party responsible for the targeting is selected, it is expected to share the take with other parties who were similarly tasked.

Document Published: February 16, 2018
Document Dated: unknown
Document Length: 22 pages
Associated Article: How U.K. Spies Hacked A European Ally and Got Away With It
Download Document: GCHQ CNE Presentation
Classification: TOP SECRET STRAP 1
Authoring Agency: GCHQ
Codenames: EREPO, HIGHNOTE, MUGSHOT, QUANTUM, STARGATE, WHARFRAT

2017

The Tale of Two Sources

Summary: This document outlines the GCHQ’s rationale for adopting Palantir equipment for information assurance operations. Centrally, the existing systems that the GCHQ was using lacked an effective Target Knowledge Base; while the agency was successful in collecting large volumes of data it lacked effective ways of analyzing the data, and was focused principally on tracking known data bearers. There was no way for analysts to easily trace back the source of an attack.

After conducting a market analysis that included service providers inside and outside of government, including Lockheed Martin and Detica (BAE Systems), the GCHQ decided to examine and test Palantir’s offerings. Centrally, Palantir changed the basic data and knowledge development cycle. Whereas the ‘normal’ analyst workflow involved collecting data, then running analytics on it, and finally divining target knowledge, the Palantir system had each of these aspects share data back and forth so that analysts could call data from anywhere, and run queries against all data, with the goal of enriching the sum of target knowledge. This meant that data could be easily aggregated and presented to analysts in a histogram format.

Palantir itself sits at the ‘end’ of the collection and storage processes already undertaken by the GCHQ. That is, Palantir replaces the methods by which analysts historically queried data, but it did not itself become a primary place into which data was input for information assurance purposes. It operates as the workspace for analysts, and is thus separate from the databases that retain events information (e.g. QFD databases, XKEYSCORE, GORDIAN KNOT, SPAY) or are used for enrichment (e.g. GEOFUSION, INTEGERSPIN, MWX, HACIENDA, FOXTRAIL, MARBLEPOLLS, MOONRAKER).

The document concludes with a list of “unexpected benefits” and “potential downsides” to the agency’s use of the Palantir solution. In this section, the document notes that the Palantir solution is scalable based on the FBI and DSD’s use of it, that the solution is accessible on mobile phones and laptops, and that it is “not really” expensive.

Document Published: February 22, 2017
Document Dated: Post-October 2011
Document Length: 43 pages
Associated Article: How Peter Thiel’s Palantir Helped the NSA Spy on the Whole World
Download Document: The Tale of Two Sources
Classification: TOP SECRET // REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: GCHQ
Codenames: 8BALL, ALPINEBUTTERFLY, BROADOAK, CROUCHINGSQUIRREL, DEADSEA, DISTILLERY, FOXTRAIL, FRACTALJOKER, GEOFUSION, GLOBAL SURGE, GORDIANKNOT, HACIENDA, HALTERHITCH, HIDDENOTTER, HRMap, INTEGERSPIN, MARBLEPOLLS, MOONRAKER, MUGSHOT, MUTANTBROTH, MVR/PPF, MWX, OP DEVICE, OP WAFTER, PACMAN, PENSIVEGIRAFFE, PPF, RAPIDTAPIR, SALTYOTTER, SAMUELPEPYS, SHORTFALL, SORCERER, SPAY, TM, TRYST, XKEYSCORE (XKS)

TWO FACE

Summary: This wiki page principally summarizes the how-to guides that are associated with GCHQ’s Palantir deployments for Cyber Defence Operations (CDO). From the outset there are plans for collaboration between GCHQ and DSD and, subsequently, a listing of data sources that existed at the time of writing and that were planned for possible integration into GCHQ’s Palantir instance. At the time the page was written, access to Palantir was restricted to NDIST, a group within GCHQ.

Document Published: February 22, 2017
Document Dated: Undated
Document Length: 5 pages
Associated Article: How Peter Thiel’s Palantir Helped the NSA Spy on the Whole World
Download Document: TWO FACE
Classification: TOP SECRET STRAP 1 COMINT
Authoring Agency: GCHQ
Codenames: 8BALL, AUTOASSOC, CROUCHINGSQUIRREL, DEADSEA, DISCOVER, FIVEALIVE, FOXTRAIL, FRACTALJOKER, FRACTALWEB, GEOFUSION, GLOBALSURGE, GOOGLEFUSION, GORDIANKNOT, HACIENDA, HALTERHITCH, HRMap, INFINITEMONKEYS, INTEGERSPIN, KARMAPOLICE, MOONRAKER, MUGSHOT, MUTANTBROTH, OBERON, PENSIVEGIRAFFE, RAPIDTAPIR, SAMUELPEPYS, SOCIALANTHROPOID, TWO FACE, XKEYSCORE (XKS)

SDSG Integrated Analytics Workshop (14 Oct 2011)

Summary: This document summarizes how the GCHQ assessed a product from Palantir called ‘Mamba’. The product is designed for big data intake and analytics and was regarded as potentially useful for collaboration with the NSA, and possibly the DSD as well. There were concerns about locking the GCHQ into a commercial product that might not be fully responsive to the agency’s needs, as well as questions about how much training analysts would require to fully benefit from the Palantir product.

Document Published: February 22, 2017
Document Dated: Undated (post Oct 14, 2011)
Document Length: 3 pages
Associated Article: How Peter Thiel’s Palantir Helped the NSA Spy on the Whole World
Download Document: SDSG Integrated Analytics Workshop (14 Oct 2011)
Classification: SECRET
Authoring Agency: GCHQ
Codenames: MAMBA, RUMOURMILL

XKEYSCORE Helper Notes

Summary: This document explains how analysts can use some of the new features in the XKEYSCORE Palantir Helper for GCHQ analysts. Palantir Helper is designed to help analysts query data stored in XKEYSCORE more easily. This assistance includes, in part, the ability to apply histogram grids to data so that only certain information of interest is ported from XKEYSCORE. Some of the fields that are available when conducting this porting include: from/to port; SIGAD; from/to IP address information, down to the city level; application fingerprints; HTTP type used in the communication; browser; ‘bluesmoke_id’; the intrusion sets used; organization; or implant identifier or name. Once data is imported, the analyst uses Palantir Helper to summarize it and surface the information sought.

Document Published: February 22, 2017
Document Dated: Unknown (Post March 25, 2011)
Document Length: 6 pages
Associated Article: How Peter Thiel’s Palantir Helped the NSA Spy on the Whole World
Download Document: XKEYSCORE Helper Notes
Classification: TOP SECRET STRAP I
Authoring Agency: GCHQ
Codenames: XKEYSCORE

Review of VisWeek 2008

Summary: This review summarizes the highlights of VisWeek 2008, a conference the GCHQ sent three employees to—all of them members of ‘B17’. The document highlights papers relevant to the GCHQ, as well as useful techniques and tools that the GCHQ could use for its SIGINT visualisation research. These highlights include some of the visualization lessons that the GCHQ could adopt to improve its internal analysts’ workspace, covernamed MONTEVISTA, and how data can be clustered or visualized to better derive insights from available information. More broadly, the attendees took away generalizable lessons about how to make visualizations more meaningful, the importance of a visualization tool capturing the whole chain of progress from research to developing thoughts to visualizing them, the importance of building both individual and collaborative spaces in analysts’ digital work environments, the need to build flexible tools instead of brittle applications, and more.

The document also notes that the GCHQ members at the conference were impressed by a government tool built by US firm Palantir—so much so that the document links to an internal wiki page for it. The employees were impressed with Palantir’s ability to visualize information, its likely interoperability with the GCHQ’s data stores, and its ability to scale well with federated databases. They were worried, however, about vendor lock-in, referring to the cost of adopting the solution within the GCHQ and then across the rest of government given the risk that the small company would later pivot—thereby preventing the GCHQ’s needs from being met. Concerns about security are also voiced.

Document Published: February 22, 2017
Document Dated: Post 2008
Document Length: 14 pages (NOTE: document is missing 16+ pages)
Associated Article: How Peter Thiel’s Palantir Helped the NSA Spy on the Whole World
Download Document: Review of VisWeek 2008
Classification: STRAP 1 COMINT
Authoring Agency: GCHQ
Codenames: BROADOAK, B17, CEREBRAL, CHARTBREAKER, HAUSTORIUM, KNIME, MAMBA, MONTEVISTA, PIGSEAR, RAPTOR, SALAMANCA

2016

GHOSTHUNTER Tasking Process

Summary: This document explains how the GCHQ can task GHOSTHUNTER, along with some examples of how the GCHQ’s tasking differs from the United States’. GHOSTHUNTER is used to learn and establish patterns of life for known terrorists who use internet cafes to communicate. The whereabouts of targets are established using known Internet Protocol (IP) and Media Access Control (MAC) addresses in conjunction with Comstat/OH accesses and the GHOSTHUNTER system at Menwith Hill Station. Whereas the United States can request coverage of targets anywhere in the world, the GCHQ only mentioned: Iraq, Iran, Pakistan, Afghanistan, Algeria, Philippines, Lebanon, Mali, Kenya, Sudan, and Somalia. When GHOSTHUNTER geolocates a modem, it also geolocates all modems which are on the same signal, close to the targeted area, and active at the time of the initial geolocation.

Document Published: September 6, 2016
Document Dated: September 2009
Document Length: 3 pages
Associated Article: Inside Menwith Hill: The NSA’s British Base at the Heart of U.S. Targeted Killings
Download Document: GHOSTHUNTER Tasking Process
Classification: TOP SECRET//COMINT
Authoring Agency: GCHQ
Codenames: APPARITION, GHOSTHUNTER (GH), MASTERSHAKE, MOONPENNY, SOUNDER

APPARITION/GHOSTHUNTER Tasking Info

Summary: This document explains how analysts can task the APPARITION and GHOSTHUNTER systems to obtain very small aperture terminal (VSAT) geolocation and mapping information pertaining to a target. APPARITION is intended for target development and survey work, whereas GHOSTHUNTER is used for higher priority tasking and support for operations. GHOSTHUNTER is used to provide the geolocation of active modems based on location information, which can include national or city level requests.

Document Published: September 6, 2016
Document Dated: July 2011
Document Length: 3 pages
Associated Article: Inside Menwith Hill: The NSA’s British Base at the Heart of U.S. Targeted Killing
Download Document: APPARITION/GHOSTHUNTER Tasking Info
Classification: TOP SECRET STRAP
Authoring Agency: GCHQ
Codenames: APPARITION (APN), CARBOY, GHOSTHUNTER (GH), JACKNIFE, LADYLOVE, MASTERSHAKE, MOONPENNY, OVERHEAD, SOUNDER

DGO and DOC Special

Summary: This document provides a high-level analysis of how rarely PRESTON-related, warranted data is viewed. Ultimately, of the six months of PRESTON data analyzed, the analysts realized that only 3% of the data had been viewed. This is particularly important on the basis that PRESTON provides “most of the useful collection” for domestic events, such as the London G20. The final slide of this document associates SIGADs with their cover names, and clarifies that PRESTON is the system collecting data at those particular SIGADs.

Document Published: June 7, 2016
Document Dated: Undated (Post April 2009)
Document Length: 6 pages
Associated Article: Facing Data Deluge, Secret U.K. Spying Report Warned Of Intelligence Failure
Download Document: DGO and DOC Special
Classification: TOP SECRET STRAP 1
Authoring Agency: GCHQ
Codenames: ARTEMIS, CATSUP, CONDONE, GEORGELET, GERONTIC, HAUSTORIUM, LABORO, LARKSPUR, NIGH, NORWALK, PECTASE, PRESTON, PRESTON 4, REMEDY, SALAMANCA, XKEYSCORE, ZAMENSIS

MILKWHITE Enrichment Service (MES) Programme

Summary: This short document provides an accounting of the GCHQ’s commitments to supporting the MILKWHITE Enrichment Service (MES), which is designed to help law enforcement and security services discover IP-selectors for their targets. External funding will support the GCHQ’s efforts, including maintaining the “MES-funded access and bulk events storage” and tailored analytics — such as those which determine the number of identifiers which are enriched with additional information and the diversity of such enrichment — that will determine the productivity per request. Agencies that enjoyed access to MILKWHITE included: the Serious Crime Organization Agency (SOCA), HM Revenue & Customs, Metropolitan Police Service (MPS) Counter Terrorism Command (CTC), Police Services of Northern Ireland, and the Scottish Recording Centre. The Secret Intelligence Service (SIS) was to receive access to MES in 2011/12.

Document Published: June 7, 2016
Document Dated: March 9, 2011
Document Length: 2 pages
Associated Article: Facing Data Deluge, Secret U.K. Spying Report Warned Of Intelligence Failure
Download Document: MILKWHITE Enrichment Service (MES) Programme
Classification: Top Secret STRAP1
Authoring Agency: GCHQ
Codenames: MILKWHITE

The National Technical Assistance Centre

Summary: This overview document outlines the core responsibilities and mission of the National Technical Assistance Centre (NTAC). NTAC handles 11,000 targeted interceptions each day and is responsible for collecting 60% of the special source material that GCHQ relies on; that material is associated with: BOUNCER, CANLEY, CATSUP, CONDONE, HOOCH, and ZAMENSIS.

NTAC is currently under the authority of the GCHQ and is responsible for processing the intercepts that are warranted through the security services. Its intelligence customers include intelligence services, police, and tax authorities. Its annual budget is roughly £40 million, derived equally from two sources identified as CTIP and IMP. It was formally inducted into GCHQ Operations on July 1, 2008. It is tasked with maintaining and extending current interception capabilities, improving lawful interception infrastructure, and developing NTAC missions to meet current and future operations. Core challenges it faces are linked to the dynamic technical environment it is situated in: this makes hiring people challenging, ensuring integration important, and renders management of stakeholders complex.

Document Published: June 7, 2016
Document Dated: June 22, 2010
Document Length: 11 pages
Associated Article: Facing Data Deluge, Secret U.K. Spying Report Warned Of Intelligence Failure
Download Document: The National Technical Assistance Centre
Classification: Secret
Authoring Agency: GCHQ
Codenames: BOUNCER, CANLEY, CATSUP, CONDONE, HOOCH, MILKWHITE, ZAMENSIS

PRESTON Architecture (Version 3.0)

Summary: The PRESTON architecture is designed to collect warranted intercepts of UK line access, and covers fixed and mobile communications as well as voice and data. Targets must be covered under RIPA 8(1). As a forward-looking architecture, PRESTON is also meant to capture computer-to-computer communications and lawful intercept streams, while excluding circuit-switched modes of communication.

The document provides a detailed explanation of how the PRESTON architecture is designed to conduct, process, and deliver intercepts to different government customers. The National Technical Assistance Centre (NTAC), which is formally part of the GCHQ but kept separate, is the intermediary responsible for operating intercepts associated with the PRESTON architecture. This division between the GCHQ and NTAC is meant to reduce the GCHQ’s association with Communications Service Providers (e.g. internet service providers).

There are significant differences in the kinds of connections between CSPs and PRESTON-architecture databases. Information from mobile communication service providers (CSPs) is intermediated to establish commonality across the data that such organizations provide to government agencies. Accredited CSPs link directly to the collection system associated with PRESTON, whereas data from unaccredited CSPs passes through a GCHQ security diode to ensure that information is not inappropriately sent to the GCHQ or the CSP. Some of the equipment used in the PRESTON architecture is developed and produced by LogicaCMG.

NTAC provides raw data to the GCHQ, whereas it provides formatted data to other government customers.

The conclusion of this document considers ways that next-generation communications can be intercepted, processed, and provided to customers. It notes how the deprecation of selector systems, such as BLACKNIGHT, poses challenges to PRESTON-derived interception data, and various ways of addressing such impending problems.

Document Published: June 7, 2016
Document Dated: July 5, 2007
Document Length: 47 pages
Associated Article: Facing Data Deluge, Secret U.K. Spying Report Warned Of Intelligence Failure
Download Document: PRESTON Architecture (Version 3.0)
Classification: SECRET STRAP 1 UK EYES
Authoring Agency: GCHQ
Codenames: ARSENIDE, BLACKKNIGHT, BOXSTER, BRIGHTON, B3M, CADENCE, CORINTH, COURIERSKILL, FARNDALE, FASTGROK, FUNFAIR, GENTIAN, GREENHEART, HAUSTORIUM, HOTLINE, KEYCARD, LOCHNVAR, MARMION, MONACO, MONKEYPUZZLE, PILBEAM, PRESTON, SALAMANCA, SAMBOK, SAMDYCE, TACHO, TERRAIN, TRAFFICMASTER, X-KEYSCORE

PRESTON Business Processes (Version 1.0)

Summary: This document explains the process flow for tasking a domestic interception using the PRESTON system. The PRESTON system is operated by the National Technical Assistance Centre (NTAC) and the GCHQ; the former is responsible for establishing the interceptions of RIPA-warranted communications, whereas the latter is responsible for the analysis and processing of the intercepted communications.

A series of workflows are delineated in the document, including the initial setup of an interception, the discontinuation of an interception, the production of intelligence, and use-case analysis. At each stage there are workflow diagrams along with definitions for the different actors involved in each of the steps.

Document Published: June 7, 2016
Document Dated: May 8, 2007
Document Length: 24 pages
Associated Article: Facing Data Deluge, Secret U.K. Spying Report Warned Of Intelligence Failure
Download Document: PRESTON Business Processes (Version 1.0)
Classification: SECRET STRAP 1
Authoring Agency: GCHQ
Codenames: CADWELLPARK, HANGERLANE, MIDDLESEXGREEN, PRESTON, PRESTONOPS, TERRAIN

Mobile Apps — Checkpoint meeting Archives

Summary: This wiki stored brief meeting notes for the group responsible for collecting mobile-related information for the GCHQ, which was also responsible for the TERRAIN system. Many of the notes highlight the importance of demonstrating the business case for the group’s work.

The group focused extensively on two areas. The first was successfully targeting GPRS Exchange (GPX) traffic and the associated GPRS Tunnelling Protocol (GTP). There were routine problems analyzing GTP data; despite there being 900 10G lines accessible to the GCHQ in 2010, only a handful carried GTP. The group sought to overcome these deficiencies by better identifying GTP setups.

The second area the group focused on was mobile applications. A range of mobile applications is listed throughout the document, including: WhatsApp, Yahoo! mail, MMS, BlackBerry, Gmail, Hotmail, Fring, eBuddy, ICQ, Myspace, LinkedIn, Mail.ru, Orkut, and Bebo. The document notes that changes in application design or the adoption of encryption can stymie or stop access to communications carried over the respective application. Of note, in 2010, despite only 10% of traffic being associated with BlackBerry, 80% of what was collected was identified as BlackBerry-based.

Document Published: June 7, 2016
Document Dated: May 1, 2012
Document Length: 20 pages
Associated Article: Facing Data Deluge, Secret U.K. Spying Report Warned Of Intelligence Failure
Download Document: Mobile Apps — Checkpoint meeting Archives
Classification: Top Secret STRAP1 COMINT
Authoring Agency: GCHQ
Codenames: BEGAL, BLACKHOLE, BOSTROM, BROADOAK, ENCHANTRESS, EREPO, EREPOGAMMA, GEOFUSION, GOLDENEYE, GREENHEART, HARDASSOC, HAUSTORIUM, INTEGERSPIN, LOOKINGGLASS, MAGLITE, MARBLEDGECKO, MIDDLESEXGREEN, MILKWHITE, MONKEYPUZZLE, MUTANTBROTH, NINJA, PEBBLEDBED, POKERFACE, PRESTON, SALAMANCA, SILVERLINING, SOCIALANIMAL, SORCERER, SOCIALANTHROPOID (SOC ANTH), STARPROC, TACHO, TAMINGPASTRIES, TERRAIN, TRAFFICMASTER, XKEYSCORE

Communications Capability Development Programme

Summary: Published in 2012 or later, this document provides a high-level explainer on the Communications Capability Development (CCD) programme and the GCHQ’s involvement in it. CCD is a UK programme that is meant to ensure that law enforcement agencies and security services are able to access communications data as their targets shift from telephony- to Internet-based communications. CCD’s (failed) legislative predecessor was the Intercept Modernisation Programme (IMP).

The GCHQ is providing expertise on shifting to a world of IP-based interceptions and has worked to develop the MILKWHITE enrichment service, to help law enforcement and security services identify IP-based selectors for their targets. The document also notes that the GCHQ is a customer of the CCD programme insofar as the agency receives communications data from UK-based companies, but that, unlike other UK domestic security agencies, the GCHQ is not dependent on the CCD’s provisions.

Document Published: June 7, 2016
Document Dated: Undated
Document Length: 3 pages
Associated Article: Facing Data Deluge, Secret U.K. Spying Report Warned Of Intelligence Failure
Download Document: Communications Capability Development Programme
Classification: Top Secret STRAP1 COMINT
Authoring Agency: GCHQ
Codenames: MILKWHITE

What’s the worst that could happen?

Summary: This is a document which contains examples of risks that could arise in the course of operations and, as such, must be taken into consideration when writing submissions for operations, which are submitted to the Secretary of State for approval. The categories of risks include those: to personnel (e.g. risk of false attribution or to collaborators/enabling agents); to technical methods (e.g. compromise of technique or attribution of technique that leads to loss of capability); to political or reputational risk (e.g. impacts of operation being attributed to government, to GCHQ, or the misattribution of a GCHQ operation to an ally, who then blames the UK to avoid deleterious blame); to HUMINT; to relationships (e.g. compromise of a partner’s operation or discovery or attribution of working or sharing relationships); during the operational phase (e.g. compromise of an operation during installation, course of operation, or egress of traffic); those linked to discovery (e.g. forensic discovery of installed software, of egressed traffic, or other IT leakage); and pertaining to legality (e.g. liabilities of enabling commercial partners, the principle of non-intervention in sovereign countries’ affairs, and whether the law of armed conflict applies).

Document Published: February 2, 2016
Document Dated: March 2010 
Document Length: 3 pages
Associated Article: Exclusive: Snowden intelligence docs reveal UK spooks’ malware checklist
Download Document: What’s the worst that could happen?
Classification: TOP SECRET STRAP 1
Authoring Agency: GCHQ
Codenames: None

HIMR Data Mining Research Problem Book

Summary: This book sets down areas for long-term data research starting in October 2011 and continuing for at least three years. The areas examined in the document include: beyond supervised learning, information flow in graphs, streaming exploratory data analysis, and streaming expiring graphs.

The document provides a high-level overview of the different ways in which the GCHQ collects SIGINT and, also, the ways in which collected data is stored, processed, and used in the course of business at the GCHQ. Data is collected from network communications as well as communications satellites, and by way of warranted collection (covernamed PRESTON). Processing of collected information is spread across Cheltenham, Bude, and LECKWITH. Much of the sessionalization of data is done using a platform covernamed TERRAIN, with processing of content typically only happening when there is a good reason to target it. Targeting data is retained in the BROADOAK database, which contains designated selectors for front-end processing. Processed data moves into specific content databases; into query-focused datasets (QFDs), which are designed to answer specific questions; into DISTILLERY, a stream processing platform that enables near real-time processing of data; and into the cloud, a scalable distributed filesystem paired with a MapReduce processing framework.

The GCHQ tends to assume one of four positions in its computer network operations (CNOs): attack, exploit, defend, or counter. It also engages in data mining for discovery purposes; data mining in particular offers the ability to detect anomalies or outliers in bulk data and, using temporal analysis and behavioural pattern matching, to detect hostile network activity from adversarial CNE operations and botnets.

The majority of this document is focused on the four problem-set areas. For each it covers the work to date, why the problems are of interest and how they link to internal (i.e. classified) and external (i.e. academic or public) research programs, and the people within the intelligence community with whom researchers might want to work. The end of the document outlines the human rights justifications for the work done to analyze the bulk-collected datasets, as well as a series of public and classified documents that are cited throughout the book.

Document Published: February 2, 2016
Document Dated: September 20, 2011
Document Length: 96 pages
Associated Article: Exclusive: Snowden intelligence docs reveal UK spooks' malware checklist
Download Document: HIMR Data Mining Research Problem Book
Classification: UK TOP SECRET STRAP 1 COMINT AUS/CAN/NZ/UK/US EYES ONLY
Authoring Agency: GCHQ
Codenames: AURA, AUTOASSOC, BAKERSDOZEN, BIRCH, BLACKHOLE, BROADOAK, BUZZ, CARBONCOPY, CASK, CHARTBREAKER, CHORDAL, COMET, CRAN, CROUCHINGSQUIRREL, DISCOVER, DISTILLERY, FIRSTCONTACT, FIVEALIVE, FLUIDINK, GEOFUSION, GOLDMINE, GRINNINGROACH, HAGERAWEL, HIDDENOTTER, HRMap, INJUNCTION, INSTINCT, KACHINA, LECKWITH, LUCKYSTRIKE, MADFORGE, MAMBA, METEORSHOWER, MOUNTMCKINLEY, MYOFIBRIL, PIRATECAREBEAR, PRESTON, PRIMETIME, PSYCHICSALMON, RADONSHARPEN-B, RAGINGBULLFROG, ROBOTICFISH, SALAMANCA, SALTYOTTER, SEPANG, SILVERLINING, SILVERLIBRARY, SQUEAL, SOLIDINK, SPIKYROCK, SUNSTORM, SWAMP, TERRAIN, TIMIDTOAD, VALHALLA, VOLSUNGA, WHITERAVEN, WOODY

2015

Assessment of Intelligence Opportunity – Juniper

Summary: This document summarizes the capabilities of the GCHQ to exploit routers of Juniper Networks Inc. which are typically running the ScreenOS operating system; there was a less pervasive ability to exploit the company’s routers that were running the JUNOS operating system. After providing an overview of the company and its status against competitors, the document notes the range of Juniper device models that can currently be exploited, and the rationale for targeting Juniper devices. Specifically, the prominence of the company and its roles in providing core internet routing capability along with enterprise and security network equipment means that significant intelligence dividends can be derived from targeting the company’s devices. Not maintaining exploit capability against the company’s routers is seen as potentially undermining collection capability for multiple years, and the document warns that this is a possible future if Juniper continues to focus on improving their security.

Page 5 of the document explicitly notes some of GCHQ’s targets as well as their use of Juniper products. Global IP networks, Pakistan, CT Yemen, and China all use the company’s products. The same is not true of Afghanistan or CT Broker. It is unclear whether CT Saudi Arabia uses Juniper products.

Finally, the document notes that there are both potential opportunities and complications on the basis of Juniper being a US company. Specifically, there may be an opportunity to leverage a corporate relationship should the NSA possess one and, regardless, developing exploits must “begin with close coordination with NSA.”

Document Published: December 23, 2015
Document Dated: February 3, 2011
Document Length: 7 pages
Associated Article: NSA Helped British Spies Find Security Holes In Juniper Firewalls
Download Document: Assessment of Intelligence Opportunity - Juniper
Classification: TOP SECRET STRAP 1
Authoring Agency: GCHQ (by NSA Integree)
Codenames: HEADRESS NU (project)

GCHQ Analytic Cloud Challenges

Summary: This document summarizes some of the challenges facing the GCHQ in analyzing and presenting data to analysts. Query Focused Datasets (QFDs) are principally used to select data from the BLACK HOLE flat database and, subsequently, present answers to analysts (e.g. where has my target been on the Internet). Many of these QFDs are briefly discussed — such as a description of the dataset and the questions that the particular QFD answers — as is the relative size of the databases storing the data. 

While datasets were being visualized at the time of this presentation, such visualizations were still in pilot phases. The goal was to push data to analysts in four situations: when they know the target and the associated queries; when they know the target but not the appropriate queries; when no target is known but the data can be correlated; and when neither a target nor a query is known, so that information can be aggregated.

The GCHQ identified a range of challenges going forward, including the ability to scale its operations affordably, the need to help analysts cope with the large volumes of collected data, the complexity of analytic development, and the agility and maturity of its platforms. A range of options were offered to address these challenges, such as exploring new technology, knowing the value of data, and understanding usage capabilities, while also exploring engineering options that adopted practices used by collaborating agencies such as the NSA.

Document Published: September 25, 2015
Document Dated: May 14, 2012
Document Length: 23 pages
Associated Article: Profiled: From Radio to Porn, British Spies Track Web Users’ Online Identities
Download Document: GCHQ Analytic Cloud Challenges
Classification: UK TOP SECRET STRAP 1
Authoring Agency: GCHQ
Codenames: ACCUMULO, ALPHACENTAURI, AUTOASSOC, BLACKHOLE, CLOUDBASE, CLOUDYCOBRA, EPICFAIL, EVERYASSOC, EVERYCIPHER, EVERYCREATURE, EVERYeAD, EVERYPOLICE, EVOLVEDMUTANTBROTH, FIREENGINE, FIRSTCONTACT, FOGHORN, GOLDENAXE, GREYFOX, GUIDINGLIGHT, HAKIM, HARDASSOC, HARDY, HBASE, HRMap, KARMAPOLICE, LOOKINGGLASS, PUBLICANEMONE, RUMOURMILL, SALAMANCA, SAMUELPEPYS, SILVERFOX, SOCIALANTHROPOID, STERLINGMOTH, TERRAIN, TRIBALCARNEM, VAIL

ROCK RIDGE – Next Generation Events

Summary: The goal of Rock Ridge was to meet the GCHQ’s needs for ingesting more events, increasing the availability of Question Focused Databases (QFDs), and delivering QFDs that supported convergence data. The outcome of this work was to enable QFD sharing with 2nd and 3rd parties and to interface with visualization services in FIRESTORM.

Pages 3 and 4 are explanations of what QFDs are, and what kinds of questions different major QFDs (e.g. MUTANTBROTH, KARMAPOLICE) are designed to provide responses to. 

Convergence QFDs are, centrally, meant to let analysts link events across devices to a common identifier. This can involve linking mobile identifiers to internet identifiers (e.g. email addresses) or where internet applications are accessed from mobile devices. Page 7 has a screenshot of a prototyped version of SAMUELPEPYS, indicating what it looked like when querying what a user is doing online at that moment (in this case, reading the Cryptome website). Page 8 covers in detail what BLACKHOLE is and what it enables, while the final page concludes with “user feedback” which indicates that ROCKRIDGE has been highly successful and works “flawlessly.”

Document Published: September 25, 2015
Document Dated: Unknown (before May 2010)
Document Length: 9 pages
Associated Article: From Radio to Porn, British Spies Track Users' Online Identities
Download Document: ROCK RIDGE - Next Generation Events
Classification: SECRET STRAP 1
Authoring Agency: GCHQ
Codenames: AUTOASSOC, BLACKHOLE, BLAZINGSADDLES, BLUESHIFT, FIRESTORM, GEOFUSION, GOOBZS, HAUSTORIUM, HARBOURPILOT, HRMap, INFINITEMONKEYS, KARMAPOLICE, LOOKINGGLASS, MARBLEDGECKO, MEMORYHOLE, MONOPOLY, MUTANTBROTH, ROCKRIDGE, ROUGHDIAMOND, SALAMANCA, SAMUELPEPYS, SOCIALANIMAL, SUPERDRAKE, SUPPORTINGINO, TERRAIN

Content or Metadata

Summary: This document lists how the GCHQ differentiated between content and metadata for the different types of information its analysts collected and evaluated in the course of their operations. The data types are denoted as: attachments, authentication of communications, content, communications addresses, content-derived data, content headers, traffic data (which includes network management information but not anything inside the body of a communication), and miscellaneous data.

Document Published: September 25, 2015
Document Dated: January 20, 2010 (or later)
Document Length: 3 pages
Associated Article: Profiled: From Radio to Porn, British Spies Track Web Users’ Online Identities
Download Document: Content or Metadata
Classification: UK SECRET STRAP 1 / COMINT AUS/CAN/NZ/UK/US EYES ONLY ORCON
Authoring Agency: GCHQ
Codenames: None

Cyber Defence Operations Legal and Policy

Summary: This document provides legal guidance pertaining to cyber defence operations (CDO). The document is broken up into discussions of cyber defence data, cyber defence targeting, cyber defence tools, some operation-specific guidance, working with partners, protecting sensitive information, and training.

In discussing cyber defence data, the document author(s) outline which legal authorizations are required to access what kinds of operational data (e.g. RIPA s.8(4) for SIGINT data, ISA warrants for CNE operations against computers, RIPA’s LBPR for network monitoring in the UK). Included in this section are data retention periods for the databases that are used for CDO. 

Cyber defence targeting makes up a significant portion of the document. There is an extended discussion of the differences between using Information Assurance (IA) and SIGINT data for targeting purposes. In general, the location of the target plays a significant role in the type of authorization required for the targeting behaviour. This is followed by an outline of the conditions under which attacker infrastructure can be targeted; pages 5 and 6 note that there is guidance for targeting infrastructure in the UK and US, and that the DSD, CSEC, and GCSB were “reviewing their legal/policy positions in relation to targeting attacker infrastructure based in their respective countries” at the time this document was created.

Whereas CDO once authorized the data mining of UK subjects, this practice was abolished following the GCHQ’s adoption of the Combined Policy Authorization (COPA). However, UK networks could continue to be examined for attacks, which could include the ANXIOUS methodology, which entailed “creating an XKS fingerprint for the UK IP addresses of potential victim networks in order to tag Sigint traffic relating to these networks. This traffic may then be searched in conjunction with a signature to look for evidence of known electronic attacks on these companies’ networks.” An extended description of the legal processes for such targeting follows.

When discussing the kinds of Human Rights Act (HRA) justifications that analysts must include in their requests, the document author(s) are clear that analysts must simply include clear and concise reasons for their activities. Lengthy descriptions are not required, and some sensitive matters — such as the details of the infrastructure in question — can be left out as needed. 

The section addressing cyber defence tools is principally focused on the legal requirements analysts must meet in order to access, and use responsibly, the data available to them. There are explanations of which rules (i.e. SIGINT vs IA) apply depending on the data source, as well as of how to access NSA databases (through GATEKEEPER) and how to make communications data requests.

In discussing how to work with partners, there are extensive discussions of what can, and cannot, be shared with external commercial parties. This is followed by a short listing of who the GCHQ can provide information assurance advice to during the London Olympics, and of how network abuse and sharing with second parties are handled.

GCHQ analysts are expected to protect sensitive sources, including commercial parties, by being mindful of sensitivities when discussing successful attacks against those sources’ infrastructure. This is generally true of handling vulnerabilities.

Finally, the document notes that legal training must be undertaken before analysts can access UK-collected and stored data, and that American training is required before gaining access to the NSA’s “raw SIGINT” tools and databases. This training is also needed in order to access information derived from Menwith Hill Station, because the GCHQ’s XKS account gives default access to COMSAT data collected by the NSA at this location. It is noted that the test for this American training is “straightforward” and merely requires passing an open-book, multiple-choice test.

Document Published: September 25, 2015
Document Dated: Unknown (likely post-January 2012)
Document Length: 16 pages
Associated Article: Profiled: From Radio to Porn, British Spies Track Web Users’ Online Identities
Download Document: Cyber Defence Operations Legal and Policy
Classification: TOP SECRET STRAP 1 COMINT
Authoring Agency: GCHQ
Codenames: ANXIOUS (Methodology), ARCADECONCERT, B3M, BLAZINGSADDLES, BROADOAK, CONTENTCLOUD, DICING, DONKEYKONG, GATEKEEPER, GOLDENEYE, GORDIANKNOT, HALTERHITCH, HARUSPEX, IRONHAND, LOOKINGGLASS, MIRAGE, MOONRAKER, MUTANTBROTH, MWX, REPORTAL, SPAY, SQUEAL (Data), TRITON, XKEYSCORE (XKS), ZooL

Supporting Internet Operations

Summary: Created by the Special Source Access team within GCHQ, this document summarizes the current status of the GCHQ’s ability to capture communications transmitted along undersea cables that land in the UK. The GCHQ expected to be able to intercept approximately 1,513-1,583 10G bearers by March 2011 and to egress 415 of them to GCHQ processing systems by the same time. 

Pages 7 and 8 detail the Supporting Internet Operations (SINO) access plans for 2010 as well as where the team stood when the document was produced. Significantly, a pair of new ‘relationships’ were being sought (PINNAGE and LITTLE), and there are extensive descriptions of the number of 10G bearers accessible to the GCHQ at the time.

Document Published: September 25, 2015
Document Dated: Unknown (pre-March 2010)
Document Length: 9 pages
Associated Article: Profiled: From Radio to Porn, British Spies Track Web Users’ Online Identities
Download Document: Supporting Internet Operations
Classification: TOP SECRET STRAP 1
Authoring Agency: GCHQ
Codenames: ARCANO, CIRCUIT, DEBITCARD, GERONTIC, GRASP, HIASCO, KENNINGTON, LITTLE, PINNAGE, PLANE, PROVE, SOSTRUM, VISAGE, WAYGOOD (WG)

QFDs and BLACKHOLE: Technology behind GCHQ/INOC

Summary: This document provides a high-level overview of the BLACK HOLE flat store. From the flat store, information is accessible by Question Focused Databases (QFDs), for data-mart extraction, and also to ‘clouds’. The flat store is not a database and, in 2007, was collecting roughly 10 billion events each day, with the majority of it coming from HTTP, web search, SMTP, CNE and server log traffic. The BLACK HOLE flat store system was described as cheap, costing £1000 per terabyte of storage.

A challenge facing the GCHQ was that analysts had too many specific questions; the result was that analysts could not learn what they needed to know. As a result, the agency recognized that analyst systems needed to be simple and intuitive so that analysts could find their targets and drill into the systems as required.

Document Published: September 25, 2015
Document Dated: March 2009
Document Length: 8 pages
Associated Article: Profiled: From Radio to Porn, British Spies Track Web Users’ Online Identities
Download Document: QFDs and BLACKHOLE: Technology behind GCHQ/INOC
Classification: UK SECRET STRAP2 COMINT ORCON
Authoring Agency: GCHQ
Codenames: AUTOASSOC, BLACKHOLE, GOOB, HRMAP, INFINITEMONKEYS, KARMAPOLICE, LAUGHINGHYENA, MARBLEDGECKO, MEMORYHOLE, MESME, MUTANTBROTH, PSOUP, PSOUPALERT, SAMUELPEPYS, SOCIALANIMAL

Report on Architectural Risk 2012 – Summary

Summary: This document accounts for serious risks raised by the GCHQ’s investment into the delivery of intelligence at the expense of the architecture required to store, secure, and analyze that which is collected. To mitigate these risks, the document recommends a four-fold focus on big data, integrated analytics, security services, and vision and strategy. Integration and leveraging of NSA systems is also regarded as highly important.

Page 4 notes a series of reasons for the risks now facing the architectural systems operated by the GCHQ. Some noteworthy ones include: an increase in the number and type of partners (e.g. Ministry of Defence, industry, third parties), increased Internet connectivity, the scaling up of Computer Network Exploitation (CNE) operations, major technology trends (e.g. mobile broadband and devices, the spread of SSL/VPN/ubiquitous encryption), and the volatility of target networks. In particular, the final slide notes that storage and analysis, as well as security services and networks, are areas of high risk that need to be alleviated in the near future.

Document Published: September 25, 2015
Document Dated: March 12, 2012
Document Length: 6 pages
Associated Article: Profiled: From Radio to Porn, British Spies Track Web Users’ Online Identities
Download Document: Report on Architectural Risk 2012 - Summary
Classification: TOP SECRET STRAP 1
Authoring Agency: GCHQ
Codenames: BLACKHOLE

Event (SIGINT)

Summary: This wiki page provides a description of what events are, their types, what they are derived from, some databases holding them, and the interface control documents (ICDs) that format the events.

Events do not possess a single definition. In some cases an email with multiple recipients might be denoted as a single event, whereas in others each of the distinct communications involved in sending a single message forms a separate event. Alternatively, an event can be a summation of many individual transactions that took place over a long period of time (e.g. instant messaging text chat events in HAUSTORIUM).

Events were historically categorized according to the technology involved (e.g. telephony, computer to computer (C2C), and geo). The GCHQ was developing a new categorization schema that included: communications (comms) events, presence events, and geo reference events. Communications events occur when one party communicates with another, and can include telephone calls, VoIP and SIP, and sending or reading webmail. Presence events are defined by the INTERSTELLAR DUST Interface Control Document (ICD), and include real-world events where there is an active user (e.g. logging into a website), Google Maps and Google Earth events, HTTP GET and POST requests, web search events, and telephony presence events that provide location updates on the person. Social events, which were in draft, did not require an active user and included webmail, chat, and mobile apps. Geo reference events provide information about the global communications network writ large.

Derived events can involve convergence between different event types or correlation between Target Description Identifiers (TDIs) (e.g. between an IMSI and a TDI).

A range of GCHQ and NSA Events databases are listed on pages 3-4, including ones that were superseded. 

Events are forwarded in a format specified in an Interface Control Document; with Query Focused Datasets (QFDs) becoming prominent, ICDs had to focus on the event type rather than on the specific database in which it might reside. The two most important ICDs are INTERSTELLAR DUST (aka IDUST), which covers presence events, and ACTOR ACTION, which is a generic schema meant to accommodate a range of event types. While ACTOR ACTION initially covered presence and communication (social) events, it was to be expanded to a range of additional protocols and applications.

Document Published: September 25, 2015
Document Dated: Unknown
Document Length: 5 pages
Associated Article: Profiled: From Radio to Porn, British Spies Track Web Users’ Online Identities
Download Document: Event (SIGINT)
Classification: SECRET STRAP 1 COMINT
Authoring Agency: GCHQ
Codenames: ACTORACTION, AUTOASSOC, AUTOTDI, ASSOCIATION, BANYAN, EVOLVEDMUTANTBROTH, HARDASSOC, FASCIA, GEOFUSION, HAUSTORIUM, HRMap, INFINITEMONKEYS, INTERSTELLARDUST (IDUST), KARMAPOLICE, MAINWAY, MARBLEDGECKO, MEMORYHOLE, MUTANTBROTH, PILBEAM, SALAMANCA, SAMREF, SAMUELPEPYS, SOCIALANIMAL, SOCIALANTHROPOID, TEEDALE

Events Analysis – SALAMANCA, HAUSTORIUM, THUGGEE, IMMINGLE

Summary: This single slide reveals that a series of databases that did not collect communications content could be queried for persons in the UK without authorization. Searches of the data were logged and audited for necessity and compliance purposes, meaning that “necessity and proportionality still matter”.

Document Published: September 25, 2015
Document Dated: Unknown
Document Length: 1 page
Associated Article: Profiled: From Radio to Porn, British Spies Track Web Users’ Online Identities
Download Document: Events Analysis - SALAMANCA, HAUSTORIUM, THUGGEE, IMMINGLE
Classification: Unknown
Authoring Agency: GCHQ
Codenames: HAUSTORIUM, IMMINGLE, SALAMANCA, THUGGEE 

Data Stored in BLACK HOLE

Summary: This short document begins by noting the wide range of data that is stored in BLACK HOLE, the flat file database the GCHQ uses to hold: webmail, email transfers, chat, internet browsing, website logins, vBulletin web fora, webcams, gaming, social networking, and other events.

At the time of publication there were approximately 200GB of data entering BLACK HOLE each day. The conclusion of the document indicates how long different Question Focused Databases (QFDs) stored data that was extracted from BLACK HOLE.

Document Published: September 25, 2015
Document Dated: Unknown
Document Length: 2 pages
Associated Article: Profiled: From Radio to Porn, British Spies Track Web Users’ Online Identities
Download Document: Data Stored in BLACK HOLE
Classification: TOP SECRET STRAP 1 COMINT
Authoring Agency: GCHQ
Codenames: AUTOASSOC, BLACKHOLE, HRMAP, INFINITEMONKEYS, KARMAPOLICE, MEMORYHOLE, MUTANTBROTH, SOCIALANIMAL

Events Product Centre

Summary: This document provides a summary of some projects associated with the Events Product Centre as of the date of publication. It focuses on a series of programs: IMMINGLE, SALAMANCA, QFDs, and GUIDING LIGHT.

IMMINGLE is used to run queries based on seed identifiers (e.g. phone number, IMSI, IMEI, C2C). Queries can be enriched from a series of databases and analysts can specify the event stores they are interested in. IMMINGLE also offers a range of visualization options. Going forward, FASCIA GPRS flagging, HAUSTORIUM decommissioning, and next generation contact chaining trials were forthcoming; this trial may have held the cover name FIRE STORM.

BRIO/SALAMANCA was storing near real time data for 3 days, while getting extra TERRAIN feeds from Bude Station and Sounder (in Cyprus). There was also 2nd party usage of SALAMANCA and new metadata types added to the TERRAIN-SALAMANCA system.

QFDs (Question Focused Datasets) had over 30 billion events being fed, each day, into an input buffer. They required over 400TB of storage for 6 months of data retention, with total storage over 1 PB. Intake and storage capacity were expected to increase; by Q1 2011 MUTANT BROTH was projected to ingest 20 billion events and require 2.5 PB of storage.

SAMUEL PEPYS was expected to enjoy continued upscaling, both in terms of the bearers of data as well as the users of the system.

SOCIAL ANTHROPOID was expected to replace most existing communications databases. Data in the program includes: all SALAMANCA data (telephony), SOCIAL ANIMAL data, instant messenger, webmail, SIP and H323 VOIP, Yahoo! voice, Blackberry, MMS, SMS (from SALAMANCA and other sources), GTP, and more. SMTP, POP3, and IMAP data was also starting to be received by SOCIAL ANTHROPOID. A sequence of slides demonstrates what it looks like when searching based on C2C, telephony, convergence (GTP tunnels as well as leaky gateways), and OSN. There was also a new data source available for North Africa — part of LUSTRE — and new source fields for CNE, and others. Latency was also reduced, such that events were available 12 hours after being collected as opposed to up to 5 days later. 

GUIDING LIGHT is a new QFD that is meant “[t]o understand the traffic seen on Next Gen Events bearers.” It was receiving data from Bude station, including that from SWORDPLAY. New fields had been added and there were plans to expand targeting data (from BROAD OAK), incorporating functionality from REFORMER, and adding additional feeds and linking to ARTEMIS. 

Document Published: September 25, 2015
Document Dated: October 2010 or later
Document Length: 37 pages
Associated Article: Profiled: From Radio to Porn, British Spies Track Web Users’ Online Identities
Download Document: Events Product Centre
Classification: SECRET STRAP 1
Authoring Agency: GCHQ
Codenames: ARTEMIS, B3M, BLAZINGSADDLES, BRIO, BROADOAK, COLLATERAL, CONTRAOCTAVE, CRYINGFOWL, CULTWEAVE, ESCHAR, FASCIA, FIRESTORM, FREEFORM, GLASSBACK, GUIDINGLIGHT, HARDASSOC, HAUSTORIUM, HEARTBEAT11, HRMap, IMMINGLE, INFINITEMONKEYS, KARMAPOLICE, LUSTRE, MAINWAY, MARBLEDGECKO, MEMORYHOLE, MERLOT, MUTANTBROTH, REFORMER, SALAMANCA, SAMDYCE, SAMUELPEPYS, SHAREOWN, SOCIALANIMAL, SOCIALANTHROPOID (SANTHROPOID), SOUNDER, SWORDPLAY, TERRAIN, THUGGEE

14. BLACKHOLE

Summary: This screenshot details information about BLACKHOLE, namely that it is for exporting bulk, unselected metadata to a repository where high-order analytics can be carried out. A direct connection between BLACKHOLE and an unnamed other location is suggested.

Document Published: September 25, 2015
Document Dated: July 2009
Document Length: 1 page
Associated Article: From Radio to Porn, British Spies Track Web Users’ Online Identities
Download Document: 14. BLACKHOLE
Classification: Unknown
Authoring Agency: GCHQ
Codenames: BLACKHOLE, MAILORDER

Access: The Vision

Summary: This two-page high-level document outlines the 2013 vision of the GCHQ’s capabilities on the first page, and charts the strategy for doing so on the second. It notes the GCHQ’s continuing commitment to the Tordella doctrine — the belief that the NSA and the GCHQ have a partnership and could share tasking and operations while functioning independently of one another — and broad-based goal to expand the GCHQ’s operational capacities. Thus, the ability to both  events and content will be expanded along with capabilities to “perform CNE exfiltration, eAD, deaconry and geo-location,” and collecting environmental information, like cookies. 

The GCHQ strategy to execute its vision takes into account such factors as scale and pace, balance, agility, and legal questions, as well as diversity, integration, and cooperation. Notably, the ‘scale and pace’ section includes sharing challenges with 2nd and 3rd parties while also increasing both “innovative and experimental” work.

Document Published: September 25, 2015
Document Dated: July 2010
Document Length: 2 pages
Associated Article: From Radio to Porn, British Spies Track Web Users’ Online Identities
Download Document: Access: The Vision
Classification: SECRET
Authoring Agency: GCHQ
Codenames: —

Black Hole Analytics

Summary: This document, by the GCHQ’s Government Technical Assistance Centre (GTAC) team, accounts for the existing state of the GCHQ’s Question Focused Databases (QFDs), which use data that is deposited in a flat file system known as BLACK HOLE. A roadmap of next generation events, or the actions that can be taken on the event data that is collected, is presented along with definitions for: presence events (each of which comprises a single atomic element of information, such as that an identifier was online, on an IP address, at a particular time); Target Description Identifiers (TDIs) (where the data possesses a type, such as a Yahoo! cookie, and a value, such as an email address); and Generic Target Detection Identifiers (which expand the TDI concept to telephony, such as by including a GSM location update message).

Analysts are provided with a QFD desktop and a range of different databases are noted, along with the approximate use cases. There are also outlines of how this desktop will be enhanced with forthcoming QFDs in the near future, such as by mapping social networks using telephony information and finding alternative identifiers for a target across phone and Internet systems.

The final slides outline the workflow of the BLACK HOLE system and, also, indicate how BLACK HOLE data can likely be leveraged to help analysts detect real-time changes in data, facilitate joint collaboration between the GCHQ and the NSA, and enable experiments on the data itself.

Document Published: September 25, 2015
Document Dated: September 2009
Document Length: 15 pages
Associated Article: From Radio to Porn, British Spies Track Web Users’ Online Identities
Download Document: Black Hole Analytics
Classification: TOP SECRET STRAP 1
Authoring Agency: GCHQ
Codenames: AUTOASSOC, BLACKHOLE, BLAZINGSADDLES, EVOLVEDMUTANTBROTH, EVOLVEDSOCIALANIMAL, HARDASSOC, HRMap, INFINITEMONKEYS, KARMAPOLICE, MARBLEDGECKO, MEMORYHOLE, MUTANTBROTH, SAMUELPEPYS, SOCIALANIMAL, TELLURIAN

Blazing Saddles

Summary: This document principally outlines a range of Question Focused Databases (QFDs) that compose BLAZING SADDLES. BLAZING SADDLES is the TBD portion of the Next Generation Events project that was encompassed under the Better Analysis Programme. Specifically, BLAZING SADDLES was meant to increase supportability and scale of presence events, such that analysts could use QFDs to extract useful intelligence derived from the flat-file BLACK HOLE database.

A range of operational QFDs are listed in the document, together with a description of what each QFD holds, as well as what questions it answers. These QFDs include: AUTO ASSOC, BLAZING SADDLES, GOLDEN AXE, HRMap, INFINITE MONKEYS, KARMA POLICE, MARBLED GECKO, MEMORY HOLE, MUTANT BROTH, SAMUEL PEPYS, SOCIAL ANIMAL, SOCIAL ANTHROPOID.

Document Published: September 25, 2015
Document Dated: Unknown
Document Length: 4 pages
Associated Article: From Radio to Porn, British Spies Track Web Users’ Online Identities
Download Document: Blazing Saddles
Classification: TOP SECRET STRAP 1 COMINT
Authoring Agency: GCHQ
Codenames: AUTOASSOC, BLACKHOLE, BLAZINGSADDLES, GOLDENAXE, HAUSTORIUM, HRMap, INFINITEMONKEYS, KARMAPOLICE, MARBLEDGECKO, MEMORYHOLE, MUTANTBROTH, SAMUELPEPYS, SOCIALANIMAL, SOCIALANTHROPOID

Broadcast/Internet Radio Exploitation and Analysis

Summary: This document outlines an experiment in which the GCHQ monitored internet radio stations with the intent of determining which stations were most popular, ascertaining how individuals accessed and listened to internet radio, where those listeners were likely geographically located, and which stations were most popular in each country.

As part of the research, GCHQ analysts determined which were the top stations in Pakistan as well as which ones were classified as ‘Islamic’ radio stations (all of which, by virtue of including Islam or Quran in their title, were included as possible radicalization sources). After determining which stations met these latter criteria, analysts determined the countries from which people were listening to the most popular stations and, subsequently, relied on BLAZING SADDLES and KARMA POLICE to understand trends or behaviours and actual identifiers of listeners, respectively.

Given the apparent success of linking specific TDIs to radio stations, it was recommended that future work establish a Question Focused Database (QFD) for analysts to run these queries routinely. Moreover, it was recognized that it would be useful to the GCHQ to be able to listen to radio stations that “were private, or not accessible by the Internet”, as well as that datamining might reveal covert communication channels used by foreign intelligence agencies, terrorist cells, or serious crime targets.

Document Published: September 25, 2015
Document Dated: November 6, 2009
Document Length: 17 pages
Associated Article: From Radio to Porn, British Spies Track Web Users’ Online Identities
Download Document: Broadcast/Internet Radio Exploitation and Analysis
Classification: UK TOP SECRET / COMINT / REL FVEY
Authoring Agency: GCHQ 
Codenames: BLACKHOLE, BLAZINGSADDLES, GEOFUSION, KARMAPOLICE, SAMUELPEPYS

Laws on Interception Oversight: Implications for JCE

Summary: This slide explains some of the oversight mechanisms that apply to GCHQ operations. It breaks down the different oversight checks at each level of government, in the form of the secretaries of state/executive branch, parliamentary committees, and commissioners/judiciary. The document identifies judicial oversight—which includes the Interception of Communications Commissioner and the Intelligence Services Commissioner—as “the main issue” for the GCHQ, and notes that Senior High Court judges are independent and “not openly swayed by personal contact”. It further notes that the UK intelligence services have a “light oversight regime” as compared to American intelligence.

Because the GCHQ operates globally the Human Rights Act is recognized as applying extraterritorially; complaints can be received from anyone in the world. While no evidence is required for a complaint, it does have to be made within two years of the alleged incident.

Document Published: September 25, 2015
Document Dated: Undated
Document Length: 10 pages (including notes)
Associated Article: Profiled: From Radio to Porn, British Spies Track Web Users’ Online Identities
Download Document: Laws on Interception Oversight: Implications for JCE
Classification: No classification
Authoring Agency: GCHQ
Codenames: None

OP HIGHLAND FLING – Event Log

Summary: This document summarizes several days’ worth of operations to try to identify, and subsequently target, Gemalto employees for computer network exploitation. This included employees in France, Poland, and the UK.

Document Published: September 25, 2015
Document Dated: Unknown (Post January 18, 2011)
Document Length: 3 pages
Associated Article: Profiled: From Radio to Porn, British Spies Track Web Users’ Online Identities
Download Document: OP HIGHLAND FLING - Event Log
Classification: TOP SECRET STRAP 1 COMINT
Authoring Agency: GCHQ
Codenames: BROADOAK, DAPINOGAMMA, HIGHLANDFLING, MUTANTBROTH

PullThrough Steering Group Meeting #16

Summary: This meeting document provides some details on a series of prototype programs. SALTY OTTER was focused on improving cross-media timing patterns (e.g. telephone call triggering a chat event). KARMA POLICE aimed to correlate every user visible to passive SIGINT with every website they visit. ORB FINDER would enable the identification of Operational Relay Boxes (ORBs). MOOSE MILK was a data mining algorithm designed to detect suspicious use of UK telephone kiosks. And LIGHTWOOD was aimed at extracting email addresses from any character stream, including those that are not addressable on the public internet (e.g. better@management). 

Document Published: September 25, 2015
Document Dated: February 29, 2008
Document Length: 3 pages
Associated Article: Profiled: From Radio to Porn, British Spies Track Web Users’ Online Identities
Download Document: PullThrough Steering Group Meeting #16
Classification: TOP SECRET STRAP1
Authoring Agency: GCHQ
Codenames: B17, CLASP, KARMAPOLICE, LIGHTWOOD, MERAPEAK, MONTEVISTA, MOOSEMILK, MYOFIBRIL, ORBFINDER, PRIMETIME, SALTYOTTER

STA: Authority To Target An Individual/Organization With A Sensitive Nationality Or In A Sensitive Location

Summary: This is an internal legal form that GCHQ analysts must complete (and receive approval on) before they can target an individual or organization with a sensitive nationality or in a sensitive geographical location. The entire form is part of the Sensitive Targeting Authorization (STA) Reference COP5377. Unless it receives OPP-LEG agreement, the form cannot be used to task requests for addresses in the British Isles, though it can be used for content database searches (i.e. datamining). In the latter case, only one historical search can be conducted, within two working days of the approval, and the Sensitive Targeting Authorization (STA) cannot be renewed. When targets enter sensitive areas the analyst must re-evaluate the authorization and determine if they require additional, or supplementary, authorization.

Analysts are required to note the intelligence rationale for the tasking of overseas targets or datamining of sensitive information. Such rationales must be such that a senior member of the GCHQ could make an informed judgement as to the reasonableness and proportionality of the request. The same is true of any renewal requests.

Document Published: September 25, 2015
Document Dated: Unknown (before June 2007)
Document Length: 4 pages
Associated Article: Profiled: From Radio to Porn, British Spies Track Web Users’ Online Identities
Download Document: STA: Authority To Target An Individual/Organization With A Sensitive Nationality Or In A Sensitive Location
Classification: Not specified (<PROTECTIVE MARKING>)
Authoring Agency: GCHQ
Codenames: None 

Social Anthropoid

Summary: This document provides an overview of how the SOCIAL ANTHROPOID system operates. SOCIAL ANTHROPOID operates as a converged communications database that collates phone, internet, as well as ‘converged’ (i.e. sending emails from a phone, or making voice calls over the internet) communications. It is designed as the replacement for SOCIAL ANIMAL, REFORMER, HAUSTORIUM, and SALAMANCA.

The system addresses scaling and convergence challenges that existed with earlier tools but, at time of writing, still needed to be enriched with information and merged with NSA sources of metadata. The full range of information meant to be accessed by SOCIAL ANTHROPOID includes: SALAMANCA information, SOCIAL ANIMAL information, instant messenger, webmail, SIP and H.323 VoIP and Yahoo! Voice, Blackberry, MMS, SMS, GTP (GPRS session set-ups), SMTP, POP3, and IMAP data.

Slides 6 – 10 outline how to query the database for information, and the kinds of results that can be provided. Slide 12 notes how redirected calls can be found in the database. Slide 15 indicates the data that is provided by ‘leaky’ internet gateways, and slide 16 the kinds of computer-to-computer (C2C) information that can be searched. Geofiltering, selector pair queries, email domain queries, and locator queries are profiled on slides 18 – 21. Slide 23 indicates how the information collated within SOCIAL ANTHROPOID can be visualized for an analyst.

Document Published: September 25, 2015
Document Dated: Undated (post-February 1, 2011)
Document Length: 26 pages
Associated Article: Profiled: From Radio to Porn, British Spies Track Web Users’ Online Identities
Download Document: Social Anthropoid
Classification: SECRET STRAP1
Authoring Agency: GCHQ
Codenames: BLACKHOLE, BROADOAK, HAUSTORIUM, REFORMER, SALAMANCA, SOCIALANIMAL, SOCIALANTHROPOID 

Target Detection Identifiers

Summary: This document provides an overview of what Target Detection Identifiers (TDIs) are and how they are used by the GCHQ. TDIs are “definite indicators of presence, that are unique and persistent for a user/machine.” They are a kind of standardized SIGINT code that comes from a range of locations around the internet, from news websites to social media to online commerce stores. At the time the document was produced there were over 70 distinct TDIs, with 2500 captures per second and up to 200 million per day.

Perhaps most interestingly, pages 13-17 in this document provide screenshots of different internal tools. Specifically, page 13 has a screenshot of AUTO TDI and pages 15-17 screenshots of MUTANT BROTH. 

The TDIs can be used for a range of things, including: collecting file transfer signatures (for proof of life videos), detection by internet profile (for dead letter drops), to collect Yahoo! webcam images, and to collect airline confirmation emails.

Document Published: September 25, 2015
Document Dated: March 2009
Document Length: 18 pages
Associated Article: Profiled: From Radio to Porn, British Spies Track Web Users’ Online Identities 
Download Document: Target Detection Identifiers
Classification: UK SECRET STRAP 2 COMINT ORCON
Authoring Agency: GCHQ
Codenames: AUTOASSOC, AUTOTDI, HRMAP, INFINITEMONKEYS, KARMAPOLICE, MARBLEDGECKO, MEMORYHOLE, MUTANTBROTH, SOCIALANIMAL

Next Generation Events

Summary: This document outlines the current status of the GCHQ’s efforts to retain data and present it to analysts, while integrating its systems with Five Eyes partners. The ‘Next Generation’ aspect is needed because previous ingestion systems such as HAUSTORIUM are reaching their ingest capacity and because it will promote a more standardized way of collecting and sharing metadata. Much of the NGE efforts depend on taking research conducted by the GCHQ’s Information and Communications Technology Research group (ICTR) and placing it before analysts. There are three principal ‘plugs’ that NGE was pursuing at the time of writing.

Plug one focused on internet profiling. Using BLAZING SADDLES as a delivery mechanism, eight Question Focused Datasets (QFDs) are brought to bear so analysts are able to parse large volumes of data. The BLAZING SADDLES bundle of QFDs scales up to 100 x 10G bearers. Some of these QFDs are shared with the NSA and additional QFDs were planned to be added in the following months. In the longer term, the GCHQ planned to expand datamining capabilities, to conduct contact chaining using GCHQ and NSA datasets, to seamlessly navigate between events and content, and to improve visualization.

Plug two was meant to expand ‘TIPC’, by way of increasing the STM rate (i.e. improving the ability to parse data travelling over fibre optics) and enabling event triggering by TDI instead of basing this on particular services (e.g. Gmail, Yahoo!, Maktoob). The goal was to identify material that wasn’t previously selected.

Plug three focused on XKS and TINT experiments that were being undertaken at Bude station. Significantly, these experiments were designed to make better use of data visualization, re-sessionalize all data traffic, tag traffic based on strong selectors/geography/application and contextual fingerprints, extract metadata in bulk, and retain a three-day rolling buffer of ‘interesting’ content. Such content was meant for retrospective analysis and to refine fingerprints/selectors. Part of the goal was to better capture content that would be of use to analysts: at the time, 97% of captured content was never examined. 

The goal was to enable all aspects of the NGE by the London Olympics.

Document Published: September 25, 2015
Document Dated: September 29, 2009
Document Length: 10 pages
Associated Article: Profiled: From Radio to Porn, British Spies Track Web Users’ Online Identities
Download Document: Next Generation Events
Classification: TOP SECRET STRAP 1
Authoring Agency: GCHQ
Codenames: AUTOASSOC, BLAZINGSADDLES, CAFFEINEHIT, EVOLVEDMUTANTBROTH, FUMECUPBOARD, HAUSTORIUM, HARBOURPILOT, HRMAP, INFINITEMONKEYS, KARMAPOLICE, LAUGHINGHYENA, LOOKINGGLASS, MARBLEDGECKO, MEMORYHOLE, MONTEVISTA, MUTANTBROTH, ROCKRIDGE, SALAMANCA, SAMUELPEPYS, SIMMER, SOCIALANIMAL, TINT, TINTPUT, XKS (XKEYSCORE)

HRA Auditing

Summary: This wiki page outlines some of the compliance requirements that analysts must fulfil when using GCHQ-collected data. Rationales for analysts to access the data include national security, economic well-being, or the prevention of serious crime. Moreover, intelligence requirements, Human Rights Act justification(s), and the warrant reference (when appropriate) must be provided. Amendments may be required following inspection by an auditor from the GCHQ’s legal team.

The document also notes the time periods in which audits of BROADOAK, in particular, are to be completed and submitted to the GCHQ’s legal services. There are also expectations for business leads to conduct ‘light touch spot checks’ of BROADOAK audits in order to ensure that audit teams are completing their tasks in a satisfactory manner. Such spot checks, and their results, are to be reported to the GCHQ’s legal services.

Analysts are expected to provide a justification concerning their infringement on a person’s human right to privacy, and such justification must be suitably transparent that a non-analyst understands what occurred and why. In some cases (e.g. targeting a UK person, or a person who is sensitive on grounds of nationality) the analyst will also need to provide the warrant or COPPER information that justifies the capture or analysis of a person’s information.

Document Published: September 25, 2015
Document Dated: Undated
Document Length: 5 pages
Associated Article: From Radio to Porn, British Spies Track Web Users’ Online Identities
Download Document: HRA Auditing
Classification: UK Confidential
Authoring Agency: GCHQ
Codenames: BROADOAK

Next Generation Events (NGE) — BLACK HOLE ConOp

Summary: This document provides an early overview of how the BLACK HOLE flat database is meant to operate within the context of the Question Focused Datasets (QFDs) for operational and Technology Research (TR) purposes. The database was originally created by TR and was being shifted to an operational role, but BLACK HOLE itself was not a queryable database: instead it was a flat store that was the source of data for populating other analytic tools (QFDs). 

The TR division would continue to work on a research-based, non-operational BLACK HOLE in an effort to develop and maintain additional QFDs for analysts. There were also opportunities to access additional information via the MAILORDER data-transfer system to further enrich data. There were also plans to ensure that TR and operational BLACK HOLE datasets were kept in relative lockstep — both in terms of the data they retained and the versioning of the flat database — in an effort to enhance technical sharing between operations and research. Furthermore, there were plans to ensure that TR would no longer be responsible for providing support for operations’ use of BLACK HOLE.

BLACK HOLE had numerous feeds, including TELLURIAN, DEBIT CARD, IP Probes, and (ad hoc) MAILORDER. The retention period was meant to be about six months, though this could potentially be expanded subject to clear need and legal authorization.

Access controls are outlined in some depth, with analysts rarely gaining direct access to BLACK HOLE itself. The access that was provided was read-only. 

The development of new QFDs was conditional on clear need and on ensuring that other QFDs were not modifiable to meet an operational/research need. TR was warned that processing and storage space was ultimately limited and, as such, at some point a ‘priority call’ might be made which would affect which tools were authorized for continuing research.

For operations, the primary goals of BLACK HOLE were to: run queries on selectors or geographical regions, try new bulk analysis ideas and apply existing statistical methods, look for particular patterns and behaviours for target discovery, provide bulk access/extraction for specific logs, and monitor hits against various Target Detection Identifiers (TDIs) to inform the Protocol Prioritization List (PPL) and ensure TDIs remain up to date and relevant.

BLACK HOLE was also authorized for use in crypt and SIGINT development. This entailed using data for processing packets/events to generate enriched events that are fed into QFDs, testing and adding new ‘crypt’ QFDs, accessing encrypted data samples to aid research meant to decrypt the said samples, accessing crypt events to aid in target discovery and development, and monitoring hits against targets to inform the PPL and future crypt research and capability development.

Access to BLACK HOLE would be authorized by managers though, at the time of writing, no person(s) had been identified for the role of BLACK HOLE Manager. 

Document Published: September 25, 2015
Document Dated: August 18, 2009
Document Length: 13 pages
Associated Article: Profiled: From Radio to Porn, British Spies Track Web Users’ Online Identities
Download Document: Next Generation Events (NGE) — BLACK HOLE ConOp
Classification: SECRET STRAP 1
Authoring Agency: GCHQ
Codenames: BLACKCAT, BLACKFIND, BLACKHOLE, BLAZINGSADDLES, CIRCUIT, CHORDAL, DATAFLOWCAB, DEBITCARD, KARMAPOLICE, MAILORDER, MARBLEDGECKO, MUTANTBROTH, SALAMANCA, SMOKINGSADDLES, SOCIALANIMAL, TELLURIAN

Legalities – GCHQ Databases // Legalities – NSA Databases

Summary: This one page snippet provides a breakdown of what legal requirements the GCHQ must meet in order to collect either metadata or content using UK systems — such as PILBEAM, SALAMANCA, or UDAQ — or using NSA systems — such as MARINA, MAINWAY, or DISHFIRE. 

When using GCHQ databases, the GCHQ was authorized to query metadata on UK persons, Second Party persons (i.e. persons in other Five Eyes countries) and others without a warrant or Sensitive Targeting Authorization. It required warrants for querying content from targets in the UK, and Sensitive Targeting Authorizations for all operations in second party countries and other countries involving either UK persons or second party persons. No authorization was required to query content of other persons in non-Five Eyes jurisdictions.

When using NSA databases, the GCHQ was authorized to query metadata on UK persons and others who were located in the UK. It was not permitted to query the databases for second party persons who were in the UK. It was only permitted to query UK persons when they were in other countries or for metadata pertaining to other persons in non-Five Eyes countries. In no situation was it authorized to query metadata pertaining to second party persons or pertaining to second party locations. The GCHQ could only query NSA content databases for UK persons in non-Five Eyes countries following a “1-off” Sensitive Targeting Authorization. 

Document Published: September 25, 2015
Document Dated: October 2007
Document Length: 1 page
Associated Article: Profiled: From Radio to Porn, British Spies Track Web Users’ Online Identities
Download Document: Legalities - GCHQ Databases // Legalities - NSA Databases
Classification: No Markings
Authoring Agency: Presumed GCHQ
Codenames: DISHFIRE, MAINWAY, MARINA, PILBEAM, SALAMANCA, UDAQ

“ICTR Cloud Efforts” developing “canonical” SIGINT analytics, finding hard targets and exploratory data analysis at scale

Summary: This document discusses how bulk analysis of unselected events — that is, events that are not seeded to specific targets — when correlated with known communications habits and patterns of types of targets can reveal unknown targets. The level of analysis takes place at the national level, with events correlated with geolocation information in order to, in part, ascertain where specific events are likely to have taken place. 

This approach helped the GCHQ discover phone groups of interest that otherwise would not have been detected, but the use of this technique depends on analyst knowledge of other patterns of behaviour, some of which might be geographically related. In effect, data mining, understanding of target MOs, the ability to follow up on leads, supporting IT infrastructure, and bulk access to relevant data sets are required for this technique to function.

AWKWARD TURTLE, the GCHQ’s recommender system to detect terror suspects, is discussed to some extent. It relies, in part, on website-to-website correlations that, in turn, are predicated on PageRank research.

Future work was planned to understand whether web browsing sessions can be fingerprinted, such that users could be identified based on browsing habits as opposed to other target discovery identifiers. Moreover, using the HTTP graph associated with AWKWARD TURTLE, the GCHQ planned to evaluate whether they could identify malicious sites, as well as summarize and visualize IP activity. This analysis might integrate with BLOOD HOUND, which was planned to detect electronic attacks that were distributed and automated in nature.

Document Published: September 25, 2015
Document Dated: July 1, 2011
Document Length: 29 pages
Associated Article: From Radio to Porn, British Spies Track Web Users’ Online Identities
Download Document: “ICTR Cloud Efforts” developing “canonical” SIGINT analytics, finding hard targets and exploratory data analysis at scale
Classification: TOP SECRET STRAP 1 5EYES
Authoring Agency: GCHQ
Codenames: AWKWARDTURTLE, BLOODHOUND, CULTWEAVE, EVERYASSOC, EVERYPOLICE, FIVEALIVE, GORDIANKNOT, KARMAPOLICE, PROBABILITYCLOUD, SANDIA, SILVERLINING

Cyprus Snippet

Summary: This snippet discusses the importance of the Cyprus COMSAT collection programs, and the need to better facilitate interaction across the GCHQ’s collection and data processing facilities to realize better efficiencies and avoid double-collection. The snippet also notes the importance of sharing collected data between the GCHQ and the NSA.

The collection of intelligence information is regarded as positive, in part, because it will “guarantee a continued positive relationship” with the US and other Five Eyes nations while potentially opening up interoperability and sharing opportunities. The document notes how the Cyprus Stakeholders’ Conference “will continue to be an important forum for resolving issues and strengthening relationships.”

The conclusion of the document notes the UK and US intelligence facilities that are stationed on Cyprus for COMINT, MASINT, ELINT, SPACOL, and FIS.

Document Published: August 3, 2015
Document Dated: Unknown
Document Length: 2 pages
Associated Article: GCHQ and Me: My Life Unmasking British Eavesdroppers
Download Document: Cyprus Snippet
Classification: TOP SECRET STRAP1
Authoring Agency: GCHQ
Codenames: APPARITION, BASSQUEST, DARKQUEST, ECHELON, FORESIGHT, GLAIVE, IVE, LECKWITH, SHAREDVISION, SHARKQUEST, SOUNDER

COMSAT SNIPPET

Summary: This is a single page from a 57-page document. It describes the GCHQ’s usage of ComSat for surveillance capabilities and the budgetary pressures the agency faces in the future. Such pressures might be alleviated with Torus dishes but, before any decisions are made, the NSA must be consulted because some of the existing ComSat equipment was purchased by the NSA to be serviced by the GCHQ under the ECHELON Agreement. A new procurement decision would need to be made based on strategic purchases instead of on buying the newest technologies, as has happened in the past.

Prior to this document’s production the SHAREDVISION programme, which was part of the Five Eyes ComSat modernization programme, came to a close and had been replaced by the SHAREDQUEST project that was intended to deal with antennas specifically. The goal was to provide direction for front-end collection so as to provide capability to support more missions and counter the emergence of new technologies. 

Document Published: August 3, 2015
Document Dated: July 2, 2010
Document Length: 1 page
Associated Article: My Life Unmasking British Eavesdroppers
Download Document: COMSAT SNIPPET
Classification: SECRET
Authoring Agency: GCHQ
Codenames: CARBOY, CONVERSIONQUEST, ECHELON, SHAREDVISION (SV), SHAREDQUEST, SNICK, SOUNDER

Operational Legalities

Summary: This slide deck provides an overview of the laws that the GCHQ operates under in the course of its activities. The half-day lesson begins with an overview of the legal framework around the agency, and then the laws pertaining to tasking and targeting (as well as those addressing location and nationality). It then shifts to discuss SIGINT Development (SD), second parties, dissemination and disclosure, and safeguards and oversight. The slides do not address data protection laws, the Official Secrets Act, or freedom of information and access legislation. The presenters emphasize that their job is to offer advice and help shape new tools and applications, as well as to develop new policies, in order to enable the GCHQ’s signals intelligence mission.

The targeting section of the slides notes that such activities will focus on a name, communications address, web service authentication data, ID card number or passport number, driving license number, car registration number, or banking/credit card account numbers. BROADOAK is the database designated to hold strategic target knowledge and includes the justification for targeting selectors. When inputting information into BROADOAK, users must include a date, the MIRANDA number that equates to the intelligence requirement, an explanation of the rationale for target development, the Human Rights Act justification for the targeting (e.g. wife of Russian Minister, targeted to provide travel details of target), why the target must be revalidated, and the relevant databases to be queried. Approximately 10% of entries are audited each year, as well as all UK entries in a given year.

When targeting parties, if analysts lack additional information they are to assume that the individual is in their own country, that a mobile phone is in its country of registration, and that an email address with a country digraph is located in that country. When and if a target is believed to be in the UK, targeting can continue for 5 days until the targeting is either turned over to the customer requesting the information or they are targeted under RIPA s.16(3). Sensitive Targeting Authorizations (STAs) are used to record actions in areas where UK and/or British Overseas Territory (BOT) law does not require authorization; authorizations are expected to respect second party sensitivities, and actions are validated by a GCHQ senior so that targeting can be justified. Datamining in the UK can be valid for two days. A single RIPA s.8(4) external warrant (at least one end foreign) is used to cover Bude, Menwith Hill Station, and Cyprus stations, with others for special source accesses. RIPA s.8(1) warrants (target in the UK) compel Communications Service Providers (CSPs) to disclose relevant information to the GCHQ. Furthermore, there was a policy that a target entering a second party country must be detached from all second party collection systems.

SD proportionality revolves around refining the initial terms, defining the length of the task and/or volumes, and limiting dissemination and retention of data. The goal is to move towards sustained targeting as soon as practicable. Content for SD may include voice mail boxes, SMS text, email inside a message, email subject lines, a URL beyond the domain name, an attached routing diagram, and a password (save for those used to authenticate to a communications service). Metadata, in contrast, may include an IP address, email address, Dual Tone Multi-Frequency (tone dialling), a URL up to the domain, location, or authentication to a communications service. Cookies may be either content or metadata.

The slides addressing second parties make clear that other Five Eyes (FVEY) countries treat UK nationals as their own, that the GCHQ may not ask a partner to do something that the GCHQ would need a warrant to do, and that all partners respect each other’s laws and policies. This means that a warrant is required to intercept US persons outside of the United States, persons inside the United States, and that using NSA collection and databases must obey second party laws and policies. 

In discussing dissemination and disclosure, the slides note that SIGINT collected under RIPA cannot be used in court.

The slides addressing safeguards and oversight make clear that intercepted material, and copies of it, must be destroyed as soon as retention is no longer necessary, and must be disseminated as little as required. The slides recognize that mistakes take place, and that they might entail having broken the law, a breach of RIPA safeguards, or nothing to worry about. In addition to the assistance provided by government counsel, there is also oversight of the GCHQ exercised through the Secretary of State as well as the Parliamentary Intelligence and Security Committee. Whereas the former exercises authority over the intelligence and security services and is answerable to Parliament, the latter examines expenditure, administration and policy (not operations) and reports annually to Parliament. Oversight is also provided by judges who review the Secretary of State’s use of powers, possess guaranteed access to the agencies, and provide annual reports to the Prime Minister. The Investigatory Powers Tribunal (IPT) is responsible for investigating complaints against the intelligence and security agencies, as well as law enforcement, and over 40 people in the GCHQ are tasked with providing assistance in response to any complaints.

Document Published: June 22, 2015
Document Dated: After November 2008 but before March 2009
Document Length: 156 pages (including speaking notes)
Associated Article: Spies Hacked Computers Thanks to Sweeping Secret Warrants, Aggressively Stretching U.K. Law
Download Document: Operational Legalities
Classification: SECRET STRAP1
Authoring Agency: GCHQ
Codenames: BROADOAK, B3M, CORINTH, DISHFIRE, FARNDALE(_KESSE), HAUSTORIUM, JEDI, (KESSE) CARBOY, (KESSE) SOUNDER, (KESSE) SCAPEL, MAMBOOKIE, NEOPUDDING, PILBEAM, PRESTON, PRIMORDIAL SOUP, SAMDYCE, THUGGEE, UDAQ

Software Reverse Engineering

Summary: This document provides a high-level summary of why the GCHQ engages in software reverse engineering (SRE) and what its rationales are for doing so. Both malicious and non-malicious code are analyzed, the latter to determine vulnerabilities in operating systems and applications, as well as to evaluate the claims made by security products. Material to reverse engineer comes from HARUSPEX, GORDIANKNOT, commercial organizations, as well as from commercial channels in the case of non-malicious code.

Reverse engineering commercial products requires warranted authorization to engage in work pertaining to SIGINT or Information Assurance purposes. The document notes that because it was difficult for the GCHQ’s ID team to determine which products it may have to reverse engineer, ID team SRE work was authorized en masse on a yearly basis. Yet prior to February 2008, software reverse engineering work was being conducted by the ID team without a warrant, thereby contradicting the internal authorisation procedure. When this error was discovered, warrants were retroactively authorized.

Document Published: June 22, 2015
Document Dated: July 15, 2008
Document Length: 2 pages
Associated Article: Popular Security Software Came Under Relentless NSA and GCHQ Attacks
Download Document: Software Reverse Engineering
Classification: TOP SECRET
Authoring Agency: GCHQ
Codenames: GORDIANKNOT, HARUSPEX

TECA Product Centre

Summary: This is a printout of a GCWiki page for the Technical Enabling Covert Access (TECA) Product Centre. TECA designs specialist technologies to bridge gaps where the GCHQ’s conventional access cannot reach, and works closely with SIS and other agencies whose staff can deploy and operate equipment covertly in the field. The TECA group is divided into teams based on operational outcomes: Access, Crypt, Mobile, and Specialist Facilities. The team maintains a portfolio of products that are typically made available only after consultation with clients, to ensure that all the elements necessary to deliver the requested access are in place. 

Document Published: June 22, 2015
Document Dated: April 28, 2011
Document Length: 4 pages
Associated Article: Spies Hacked Computers Thanks to Sweeping Secret Warrants, Aggressively Stretching U.K. Law
Download Document: TECA Product Centre
Classification: TOP SECRET STRAP 1 COMINT
Authoring Agency: GCHQ
Codenames: HELMAGE, PORRIDGE, STRAIN, SYRINGE, VAGRANT

Reverse Engineering

Summary: This wiki page explains what the Technical Enabling Access Reverse Engineering (TEA-RE) team does within the Technical Enabling Covert Access (TECA) product centre. TEA-RE reverse engineers the hardware and embedded software of cryptography-related products and equipment. It acts as a point of liaison with UK intelligence agencies on topics including the defeat of secure microprocessors (e.g. smart cards). All of the work is handled as Exceptionally Classified Information (ECI) and thus isn’t discussed on GCWiki; details about the lab and work on products are available on CAWiki.

The TEA-RE team offers a five-day course in reverse engineering that is focused on helping people reverse engineer a black box for SIGINT purposes. It has previously conducted live demonstrations and given tours of the TECA lab facilities.

Document Published: June 22, 2015
Document Dated: November 18, 2011
Document Length: 4 pages
Associated Article: Spies Hacked Computers Thanks to Sweeping Secret Warrants, Aggressively Stretching U.K. Law
Download Document: Reverse Engineering
Classification: UK SECRET
Authoring Agency: GCHQ
Codenames: INSIGHT

NDIST 5-a-day

Summary: This two-page document outlines some of the event and enrichment data stores that can be integrated into Palantir’s offering to GCHQ. 

Document Published: June 22, 2015
Document Dated: Undated
Document Length: 2 pages
Associated Article: Popular Security Software Came Under Relentless NSA and GCHQ Attacks
Download Document: NDIST 5-a-day
Classification: TOP SECRET 5EYES
Authoring Agency: GCHQ
Codenames: FRACTALJOKER, HALTERHITCH, PENSIVEGIRAFFE, XKEYSCORE

GCHQ Stakeholders

Summary: This document outlines a number of the GCHQ’s customers: parties in government which receive the GCHQ’s services or which could be affected by the GCHQ’s activities. Alongside the government departments noted, it names the specific persons to whom the GCHQ has assigned leads, along with the GCHQ’s assessments of how to proceed with those persons (e.g. they have issues with the tempo of intelligence being provided, issues with security clearances, or want strategic rather than tactical intelligence). Each assessment includes the GCHQ’s top aim with the customer, key objectives for calendar year 2009, the headline issues for the customer, and the areas in which the GCHQ has an impact on the customer’s operations.

The customers that the GCHQ had during the period included: the Bank of England; the Cabinet Office and Prime Minister’s Office; the Department for Communities and Local Government (DCLG); the Department for Children, Schools and Families (DCSF); the Department of Energy and Climate Change (DECC); the Department for Environment, Food and Rural Affairs (DEFRA); the Department for International Development (DfID); the Export Credits Guarantee Department (ECGD); the Foreign and Commonwealth Office (FCO); the Financial Services Authority (FSA); the Department of Health; the Ministry of Justice; and the Department for Transport. 

Document Published: June 22, 2015
Document Dated: 2008
Document Length: 26 pages
Associated Article: Controversial GCHQ Unit Engaged in Domestic Law Enforcement, Online Propaganda, Psychology Research
Download Document: GCHQ Stakeholders
Classification: RESTRICTED
Authoring Agency: GCHQ 
Codenames: SAXLINGHAM

Summary: This short, two-page document provides a flowchart indicating the legal restrictions that apply to targeting communications wholly within the United Kingdom, communications involving a second party, and targets or locations outside the Five Eyes. It covers whether persons within or entering the United Kingdom can be targeted, what kinds of data can be collected, and for how long. It also covers whether the entity being targeted is in a second party country or is a national of a second party country (i.e. another Five Eyes country). Targeting a second party country or citizen requires a nominated Grade 6 Sensitive Targeting Authorization (STA), and UK assets may only be used if the target is in, or is, a second party.

Document Published: June 22, 2015
Document Dated: August 2011
Document Length: 2 pages
Associated Article: Spies Hacked Computers Thanks to Sweeping Secret Warrants, Aggressively Stretching U.K. Law
Download Document: Legal Authorisation Flowchart: TARGETING
Classification: UK CONFIDENTIAL
Authoring Agency: GCHQ
Codenames: None

Summary: This short, two-page document provides a flowchart indicating the legal requirements that must be met before the GCHQ can collect communications content (collecting only the technical characteristics of communications requires no further authorization). Where communications content is being deliberately collected (i.e. not bulk collection) and one end is in the United States, the GCHQ may only survey for two hours, and may only re-collect on the same bearer once the bearer’s composition is believed to have changed. ‘Bearers’ here refers to individual communications links, typically fibre-optic lines. 

In the case of full or coarse unselected take where one end is in Australia, Canada, New Zealand, or the United States, a nominated Grade 6 Sensitive Targeting Authorization is required. If one end is in the United States, the bearer may be surveyed for up to two hours’ worth of data and may only be returned to after its composition is believed to have changed. This restriction does not apply to the other second party countries. 

Document Published: June 22, 2015
Document Dated: June 2011
Document Length: 2 pages
Associated Article: Spies Hacked Computers Thanks to Sweeping Secret Warrants, Aggressively Stretching U.K. Law
Download Document: Legal Authorisation Flowchart: COLLECTION
Classification: UK CONFIDENTIAL
Authoring Agency: GCHQ
Codenames: NONE

GCHQ’s developing Cyber Defence Mission

Summary: This subset of a larger slide deck notes that the GCHQ’s Network Defence Intelligence & Security Team (NDIST) is tasked with supporting UK partners in building a national-level picture of significant and strategic threats to the UK, and with supporting international second- and third-party partners in developing a national-level picture of the most significant and strategic threats facing them. At the time of the document’s creation, the GCHQ was collecting approximately 100,000,000 malware events daily.

Document Published: June 22, 2015
Document Dated: undated; after 2007
Document Length: 3 pages
Associated Article: Popular Security Software Came Under Relentless NSA and GCHQ Attacks
Download Document: GCHQ’s developing Cyber Defence Mission
Classification: TOP SECRET 5EYES // TOP SECRET STRAP1
Authoring Agency: GCHQ
Codenames: None

ISA-94: Application For Renewal Of Warrant GPW/1160 In Respect Of Activities Which Involve The Modification Of Commercial Software

Summary: This is a warrant renewal pertaining to the GCHQ’s ability to conduct Software Reverse Engineering (SRE) when it is not otherwise authorized to do so under either the law or an alternate authorization held by the agency. SRE is used to support the GCHQ’s Computer Network Exploitation (CNE) and Information Assurance (IA) operations. The warrant is intended to shield the GCHQ from possible legal action by companies whose products it reverse engineers.

A number of past CNE operations that relied on SRE are discussed in the warrant. These include successful efforts to find vulnerabilities in popular web forum software; the development of capability against Cisco routers that was subsequently leveraged to target Internet Exchanges in Pakistan, affording “access to almost any user of the Internet inside Pakistan”; ongoing efforts to prevent Kaspersky anti-virus software from detecting the GCHQ’s malware; and longer-term CNE activities designed to establish the future of CNE. IA activities focus on examining certain products, such as Microsoft’s Mobile Data Manager, as well as malware designed to target different operating systems and pieces of software. 

As part of this warrant, the GCHQ is also permitted to reverse engineer software in order to assist law enforcement and other security agencies via the National Technical Assistance Centre (NTAC). These efforts include reverse engineering encryption software so that encrypted data can ultimately be decrypted. 

Document Published: June 22, 2015
Document Dated: June 13, 2008
Document Length: 5 pages
Associated Article: Popular Security Software Came Under Relentless NSA and GCHQ Attacks
Download Document: ISA-94: Application For Renewal Of Warrant GPW/1160 In Respect Of Activities Which Involve The Modification Of Commercial Software
Classification: TOP SECRET STRAP2 UK EYES ONLY
Authoring Agency: GCHQ
Codenames: None

Intrusion Analysis/JeAC

Summary: This document outlines what the Intrusion Analysis team, which forms part of the Joint Electronic Attack Cell (JeAC), does in the course of its duties. The material used in its analysis of attacks inbound to the UK is derived from signals intelligence, HARUSPEX, tasking of Computer Network Exploitation operations, and open source information. HARUSPEX sensors detect inbound attacks using signature analysis, whereas SIGINT is used to detect attack activity linked to foreign governments or other identified parties of interest. 

Reporting that emerges from JeAC activities is distributed using PROSPERO. The selectors used to detect activity are audited monthly to confirm their validity; the team had approximately 1,500 eA signatures, each annotated with nationality, release, likely false-positive rate, and more. Formal human rights authorization checking was “enforced by the SIGINT system, in that selectors will age off if not re-validated” (2).

Document Published: June 22, 2015
Document Dated: July 23, 2008
Document Length: 2 pages
Associated Article: Spies Hacked Computers Thanks to Sweeping Secret Warrants, Aggressively Stretching U.K. Law
Download Document: Intrusion Analysis/JeAC
Classification: SECRET STRAP 1
Authoring Agency: GCHQ
Codenames: CORINTH, HARUSPEX, PROSPERO

ACNO Skill 12: Malware Analysis & Reverse Engineering

Summary: This document is a job listing for a malware analysis and software reverse engineering (SRE) position. Of most interest are the five skill levels ascribed to persons who might hold the job, ranging from someone who understands only the basic concepts of malware and analysis but lacks operationally ready skills, through someone who has detailed knowledge of internal Five Eyes analysis tools and how they operate and can work independently, to someone considered ‘an expert in the field of malware analysis’ who serves as a point of reference within the intelligence community and externally, speaks at conferences, and delivers specialized training. 

Document Published: June 22, 2015
Document Dated: Not dated
Document Length: 2 pages
Associated Article: Popular Security Software Came Under Relentless NSA and GCHQ Attacks
Download Document: ACNO Skill 12: Malware Analysis & Reverse Engineering
Classification: SECRET
Authoring Agency: GCHQ
Codenames: None

JTAC Attack Methodology Team

Summary: This wiki page is for JTB, a group within the Joint Terrorism Analysis Centre (JTAC) responsible for assessing “Islamist attack methodology”. It is a combined team including officers from the GCHQ and from branches of the UK military; the group can be consulted on counter-terrorism issues relating to the weaponry, tactics, and training of Islamist threat actors. The team can also respond to informal questions and/or direct requesters to specialists who may hold the answer. 

Some of the group’s work, at the time the wiki page was last updated, focused on analyzing the vehicle-borne improvised explosive device and firearms methodology used in the attacks in Norway, exploiting intelligence from the Bin Laden compound, and evaluating the improvised explosive device capabilities of lone terrorists. 

Document Published: May 18, 2015
Document Dated: September 8, 2011
Document Length: 3 pages
Associated Article: What the Snowden Files Say About the Osama Bin Laden Raid
Download Document: JTAC Attack Methodology Team
Classification: TOP SECRET STRAP1 COMINT
Authoring Agency: GCHQ
Codenames: None

Comet News (March 2010)

Summary: This short snippet from one (or perhaps more) documents provides updates to GCHQ staff about recent technology developments, tasking of interest, and future capabilities of the overhead (satellite) constellation. One snippet notes successes in geolocating at least seven Argentinian digital microwave emitters and in TETRA (Terrestrial Trunked Radio) collection. However, the desired content of high-priority military and leadership communications had not “yet” been acquired. 

Document Published: April 2, 2015
Document Dated: March 2010
Document Length: 1 page
Associated Article: Britain Used Spy Team to Shape Latin American Public Opinion on Falklands
Download Document: Comet News (March 2010)
Classification: TOP SECRET//STRAP 1
Authoring Agency: GCHQ
Codenames: TETRA

JTRIG Operational Highlights, August 2009

Summary: This document snippet provides an update concerning OP QUITO, an effects operation supporting the Foreign and Commonwealth Office (FCO) and that Office’s goals relating to Argentina and the Falkland Islands (JTRIG Operational Highlights, August 2009). At the time of writing, the operation, described as a “long-running, large scale, pioneering effects operation,” was planned to launch soon.

Document Published: April 2, 2015
Document Dated: August 2009
Document Length: 1 page
Associated Article: Britain Used Spy Team to Shape Latin American Public Opinion on Falklands
Download Document: JTRIG Operational Highlights, August 2009
Classification: TOP SECRET STRAP 1
Authoring Agency: GCHQ
Codenames: OP QUITO

Behavioural Science Support for JTRIG’s (Joint Threat Research and Intelligence Group’s) Effects and Online HUMINT Operations

Summary: This document provides an overview of the activities being undertaken by the Joint Threat Research and Intelligence Group (JTRIG) within the GCHQ, specifically JTRIG’s effects and online HUMINT operations. These operations involve techniques designed to discredit, disrupt, delay, deny, degrade, and deter targets’ activities, and may include: uploading YouTube videos carrying messaging supportive of the GCHQ’s operational intents; establishing online aliases with Facebook and Twitter accounts, blogs and forum memberships for conducting HUMINT or encouraging discussion of specific issues; sending spoof emails and text messages, providing spoof online resources, and hosting extremist content or communications; and setting up spoof trade sites. 

JTRIG was responsible for a range of activities, some of the more noteworthy being conducting HUMINT to prevent Argentina’s acquisition of the Falkland Islands, hosting extremist websites for SIGINT purposes, and engaging in surveillance of domestic extremist groups. Many of the operations, which include creating false personas and aliases, establishing Facebook groups, and tracking the uptake and spread of different messages, parallel those of other intelligence agencies. JTRIG is also involved in providing access to censored materials in some cases, sending messages to persons to help them access censored materials, interrupting communications between sellers and buyers (e.g. in cybercrime forums, among those trafficking in child pornography, etc.), taking control of websites, denying telephone or computer access, and contacting hosting providers to take down certain materials.

The document provides a strong overview of the different aspects of JTRIG and their areas of operational responsibility. It notes the importance of developing risk profiles for operations, of developing comprehensive briefs so that new operations can be authorized with full awareness of their importance, and of developing a code of conduct/ethics that stands separate from those used by authorities or academic researchers. The document concludes that “JTRIG’s effects and online HUMINT capability can be further enhanced by behavioural science support and improvement of some of JTRIG’s non-technical operational planning and management,” and provides seven recommendations to address this.

Document Published: April 2, 2015
Document Dated: March 10, 2011
Document Length: 42 pages
Associated Article: Britain Used Spy Team to Shape Latin American Public Opinion on Falklands
Download Document: Behavioural Science Support for JTRIG’s (Joint Threat Research and Intelligence Group’s) Effects and Online HUMINT Operations
Classification: TOP SECRET
Authoring Agency: GCHQ
Codenames: None

Welcome to the Mission Driven Access Workshop

Summary: This document contains two slides of what may be a longer slide deck. It states that GCHQ has underperformed on Brazil in the past, which is of special concern because of a perceived swing in attitudes favouring Argentina in the Falklands Islands dispute. It suggests that additional information needs to be collected to assist the Foreign and Commonwealth Office. 

Document Published: April 2, 2015
Document Dated: November 2011
Document Length: 2 pages
Associated Article: Britain Used Spy Team to Shape Latin American Public Opinion on Falklands
Download Document: Welcome to the Mission Driven Access Workshop
Classification: CONFIDENTIAL
Authoring Agency: GCHQ
Codenames: None

2Q NAC Business Plan Review

Summary: This snippet of a document provides some information concerning the Network Analysis Centre’s (NAC) offensive cyber operations. It indicates that work progressed concerning Iran and Argentina, and that work was done concerning Yemen. During the reporting period the Menwith Hill Station NAC supported OP-WHICHED, which targeted an Iranian naval base near the Strait of Hormuz.

Document Published: April 2, 2015
Document Dated: July-September 2011
Document Length: 1 page
Associated Article: Britain Used Spy Team to Shape Latin American Public Opinion on Falklands
Download Document: 2Q NAC Business Plan Review
Classification: TOP SECRET STRAP1 AUS/CAN/NZ/UK/US EYES ONLY
Authoring Agency: GCHQ
Codenames: OP-WHICHED

GCSB Access (Snippet)

Summary: This screenshot indicates that the GCSB has provided another intelligence partner — possibly the GCHQ — with access to both strongly selected and full-take data from IRONSAND. Before gaining access, the partner’s analysts were required to take a legal briefing (followed by a test) and to act only in ways that accord with New Zealand law.

Document Published: March 8, 2015
Document Dated: Unknown
Document Length: 1 page
Associated Article: Snowden revelations / The price of the Five Eyes club: Mass spying on friendly nations
Download Document: GCSB Access (Snippet)
Classification: Unknown
Authoring Agency: Unknown (likely GCHQ)
Codenames: IRONSAND, XKEYSCORE (XKS)

PCS Harvesting At Scale

Summary: This document discusses how the GCHQ automated its collection of individual subscriber keys (‘Ki values’, or ‘Kis’) in order to increase the volume of keys collected by Target Discovery and SIGINT Development (TDSD). A Ki is the secret key provisioned into a subscriber’s SIM and held by the network operator; the GCHQ requires it in order to decrypt GSM traffic between a mobile phone and the cell tower. The document describes the success of tests to automate collection, which increased the number of Kis harvested from computer-to-computer (C2C) communications, and notes that further access to the GCHQ’s bulk collection systems would increase the number of Kis collected automatically.

Kis were found most prolifically on systems associated with hardware and network operators. Targeting mail providers was productive, whereas SIM manufacturers and ‘other/unknown’ were ranked as the least productive sources of Kis. 

Many of the collected Kis are matched against telecom companies providing service in regions of interest to the GCHQ. Some of these regions included: Afghanistan, Iran, Yemen, Serbia, Iceland, Tajikistan, India, Somalia, and Pakistan.

The document concludes that the automated method “can deliver significant results”, and that increased corporate support for such bulk data processing could benefit various GCHQ business areas. Though the automated method was useful, it did not find all of the data that manual inspection found. Automated queries therefore need further refinement to improve production rates and, separately, detection of the IMSIs associated with Kis needs improvement. The methods tested were also restricted in the volume of bulk data they could analyze; increasing that volume would likely increase the amount of data produced. 

Going forward, the document identifies seven areas for future improvement, including research into searching for additional key types (e.g. OTA and UMTS keys) and applying the methodology more generally to other kinds of data mining. 
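
To make concrete why harvested Kis matter, the following is an added example and not code from the document or from GCHQ: it models the GSM challenge-response that the Ki description above refers to, then shows a passive observer who holds a harvested Ki deriving the same session key from the RAND sent in clear. The IMSI/Ki pair is constructed, and the real A3/A8 and A5 algorithms (operator-specific COMP128 variants, MILENAGE, A5/1) are replaced by HMAC-SHA256 and a SHA-256 counter-mode keystream, which is an assumption of the example, not how the SIM actually computes them.

```python
"""GSM-style authentication and the consequence of a harvested Ki (added example)."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample data (not from the document): an IMSI/Ki pair of the
# kind the document describes being harvested from SIM supply chains.
HARVESTED_KIS: Dict[str, bytes] = {
    "234150000000001": bytes.fromhex("0123456789abcdef0123456789abcdef"),
}


def a3_a8(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for the SIM's A3 (authentication) and A8 (key agreement).

    Real operators use COMP128 variants or MILENAGE; HMAC-SHA256 is an
    assumption of this example. Like GSM, it maps a 128-bit RAND to a
    32-bit SRES and a 64-bit session key Kc.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


def keystream(kc: bytes, frame: int, length: int) -> bytes:
    """Stand-in for the A5 stream cipher (assumption: SHA-256 in counter mode, not A5/1)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(kc + frame.to_bytes(4, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Sim:
    """Subscriber side: Ki never leaves the card; only SRES is sent back over the air."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki

    def answer_challenge(self, rand: bytes) -> Tuple[bytes, bytes]:
        return a3_a8(self._ki, rand)


class AuC:
    """Operator's Authentication Centre, which legitimately holds every subscriber's Ki."""

    def __init__(self, subscribers: Dict[str, bytes]) -> None:
        self._kis = dict(subscribers)

    def challenge(self, imsi: str) -> Tuple[bytes, bytes, bytes]:
        rand = os.urandom(16)
        sres, kc = a3_a8(self._kis[imsi], rand)
        return rand, sres, kc


def authenticate(sim: Sim, auc: AuC) -> Optional[Tuple[bytes, bytes]]:
    """Run the challenge-response. Over the air only IMSI, RAND and SRES are visible."""
    rand, expected_sres, kc_network = auc.challenge(sim.imsi)
    sres, kc_sim = sim.answer_challenge(rand)
    if not hmac.compare_digest(sres, expected_sres):
        return None                      # wrong Ki: authentication fails
    assert kc_sim == kc_network          # both sides derived the same session key
    return rand, kc_network


def eavesdrop(harvested: Dict[str, bytes], imsi: str, rand: bytes,
              frame: int, ciphertext: bytes) -> Optional[bytes]:
    """Passive observer: with a harvested Ki and the observed RAND, recover Kc and the plaintext."""
    ki = harvested.get(imsi)
    if ki is None:
        return None                      # no key for this subscriber: traffic stays opaque
    _, kc = a3_a8(ki, rand)
    return xor_bytes(ciphertext, keystream(kc, frame, len(ciphertext)))


def demo() -> bool:
    """A legitimate session, then passive decryption of one frame using the harvested key."""
    imsi = "234150000000001"
    sim = Sim(imsi, HARVESTED_KIS[imsi])
    auc = AuC(HARVESTED_KIS)
    session = authenticate(sim, auc)
    if session is None:
        return False
    rand, kc = session
    frame, plaintext = 42, b"SMS: meet at 0900"
    ciphertext = xor_bytes(plaintext, keystream(kc, frame, len(plaintext)))
    return eavesdrop(HARVESTED_KIS, imsi, rand, frame, ciphertext) == plaintext


if __name__ == "__main__":
    print("passive decryption with harvested Ki succeeded:", demo())
```

The point the example makes is structural rather than algorithmic: because the session key is a deterministic function of Ki and a RAND that is transmitted in clear, nothing about the over-the-air exchange needs to be attacked once Ki is known, and the eavesdropper never has to transmit. Swapping in the real A3/A8 would not change that property.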

Document Published: February 19, 2015
Document Dated: April 27, 2010
Document Length: 24 pages
Associated Article: The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle
Download Document: PCS Harvesting At Scale
Classification: TOP SECRET STRAP1
Authoring Agency: GCHQ
Codenames: JEDI, LLANDARCYPARK, UDAQ

CNE access to core mobile networks

Summary: This slide summarizes the access that the Government Communications Headquarters (GCHQ) Computer Network Exploitation unit has to core mobile networks. Per the slide, the GCHQ can suppress SMS messages from appearing on billing servers, obtain the secret keys needed to gain user and administrator rights over a mobile device and to push updates to SIM cards, and map mobile network infrastructure and collect customer information. The slide also specifically mentions a comprehensive attack against Gemalto, a multinational SIM card, payment card and e-identity producer. 

Document Published: February 19, 2015
Document Dated: n.d.
Document Length: 1 page
Associated Article: The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle
Download Document: CNE access to core mobile networks
Authoring Agency: GCHQ
Classification: SECRET STRAP 1
Codenames: None

CCNE Successes January 10-March 10 Trial

Summary: This document is a single slide from a Government Communications Headquarters (GCHQ) Counter Computer Network Exploitation (CCNE) slide deck. The slide lists technical successes in using automated methods to collect Kis, the secret subscriber keys burned into SIM cards. There were no false positives using the unstated collection methods; the methods let the GCHQ collect Kis from a “wider range of targets” and yielded 300,000 Kis for a Somali cell service provider. In addition to the Kis linked to this provider, the GCHQ acquired the associated international mobile subscriber identities (IMSI), ciphering key identifiers (KiC) and other SIM authentication keys. 

Document Published: February 19, 2015
Document Dated: n.d.
Document Length: 1 page
Associated Article: The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle
Download Document: CCNE Successes January 10-March 10 Trial
Authoring Agency: GCHQ
Classification: TOP SECRET STRAP 1
Codenames: None

Where are these keys?

Summary: This document is a single slide from a Government Communications Headquarters (GCHQ) Counter Computer Network Exploitation (CCNE) slide deck. The slide explains that “keys” relating to mobile communications are stored in SIM cards as well as the core of mobile networks.  

Document Published: February 19, 2015
Document Dated: n.d.
Document Length: 1 page
Associated Article: The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle
Download Document: Where are these keys?
Authoring Agency: GCHQ
Classification: TOP SECRET STRAP 1
Codenames: None

Associated email addresses

Summary: The document is a single slide from a Government Communications Headquarters (GCHQ) Counter Computer Network Exploitation (CCNE) slide deck. The slide lists several redacted email addresses that were either “high scoring” or associated with South African telecommunications traffic. This slide does not clarify why a given email address would be “high scoring”. 

Document Published: February 19, 2015
Document Dated: n.d.
Document Length: 1 page
Associated Article: The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle
Download Document: Associated email addresses
Authoring Agency: GCHQ
Classification: TOP SECRET STRAP 1
Codenames: None

Open Source for Cyber Defence/Progress

Summary: This document is a screenshot of a Government Communications Headquarters (GCHQ) wiki page addressing the use of open source intelligence to advance cyber defence. More specifically, it identifies current and future sources of data for cyber defence action. It notes that structured datasets are available in HAPPY TRIGGER and unstructured datasets in LOVELY HORSE. Further, TWO FACE and ZooL are integrated with open source repositories, and additional sources will “come to XKEYSCORE.” It is unclear what, exactly, this final clause means. 

A range of data sources are listed. Notable sources include POSITIVE PONY (maps IP addresses to company and sector mappings) as well as ContagioMiniDump.com (helps CDO analysts declassify information for reporting). In the future, WHOIS records from regional internet registries may be collected; the author(s) of the wiki page question whether the NSA’s FOXTRAIL, GCHQ’s GeoFusion, or REFRIED CHICKEN (a passively collected database of searchable WHOIS records) could meet this need. Analysts also note it would be helpful to add recent domain registrations and vulnerability notification websites into the open source repository. 

The wiki entry lists GhostNet as a “known ORB server” under the ‘Bulk Infrastructure Data’ heading. GhostNet was a command and control infrastructure, most of whose control servers were located in the People’s Republic of China, that was used to target organizations such as foreign embassies and the Tibetan Government-in-Exile. Research on GhostNet was conducted by a collection of academic institutions, including the Citizen Lab at the Munk School of Global Affairs and Public Policy, University of Toronto. Operational Relay Boxes (ORBs) are hosts used by SIGINT agencies as proxies; they let SIGINT actors take actions that victims cannot positively attribute to the responsible agency. It is unclear from the document whether the GCHQ or other Five Eyes agencies planned to use GhostNet infrastructure as their own ORBs, or whether they classified activity coming from that infrastructure as likely attributable to Chinese signals intelligence groups.

Document Published: February 4, 2015 
Document Dated: Last Updated June 25, 2012 
Document Length: 2 pages 
Associated Article: Western Spy Agencies Secretly Rely On Hackers For Intel And Expertise
Download Document: Open Source for Cyber Defence-Progress
Classification: TOP SECRET STRAP 1 COMINT
Authoring Agency: GCHQ
Codenames: BIRDSEED, BIRDSTRIKE, FOXTRAIL, HAPPYTRIGGER, GEOFUSION, HIDDENSPOTLIGHT, JANET, LOVELYHORSE, MARBLEPOLLS, NETPLATE, OVAL, POSITIVEPONY, REFRIEDCHICKEN, SHORTFALL, TWOFACE, XKEYSCORE, ZooL  

LOVELY HORSE

Summary: This document is a screenshot of a Government Communications Headquarters (GCHQ) wiki page on a project called LOVELY HORSE. LOVELY HORSE was a prototype at the time the page was last modified. It was a “TCP Task Order 144 [TCP TO144] initiative as part of CDO (formerly NDIST) and the Cyber Theme towards developing Open Source capacity.” The project was meant to consolidate unstructured open source information (e.g. blog posts, Twitter feeds, forum materials) relevant to the GCHQ’s signals intelligence mandate and deliver it to analysts as structured data tailored to their individual interests.  

The wiki lists 60 blogs and Twitter accounts monitored in the prototype stage. For the initial prototype, members of the initiative were collaborating to reuse the existing BIRDSTRIKE architecture to capture tweets, and were working with CISA to capture blog content. The Twitter accounts monitored include known hacktivist groups and “academics specialising in the identification and investigation of vulnerabilities and malware.” Beyond separating content from metadata and incorporating a ‘like’ function for analysts, there were open questions about how best to visualize the collected data and give analysts access to it. 
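
The consolidation step the page describes, turning unstructured posts into structured records and delivering them by analyst interest, is shown below as an added example; it is not LOVELY HORSE code and nothing about the real system's design is known beyond the page. The posts, indicator patterns, analyst names and interest profiles are all constructed for the example, and the domain pattern is deliberately restricted to a handful of TLDs to keep false positives out of the sample.

```python
"""Extract indicators from open source posts and route them to analysts (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample posts (not from the document): the kind of unstructured
# text the page describes being collected from blogs and Twitter accounts.
SAMPLE_POSTS = [
    {"source": "twitter", "author": "@vulnresearcher", "ts": "2012-02-01T09:12:00Z",
     "text": "Seeing CVE-2012-0158 RTF lures in the wild, payload talks to "
             "update.example-bad.test and 198.51.100.23. md5 d41d8cd98f00b204e9800998ecf8427e"},
    {"source": "blog", "author": "malware-blog.test", "ts": "2012-02-02T18:40:00Z",
     "text": "Botnet C2 rotated to cdn.example-bad.test; sha256 "
             "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"source": "twitter", "author": "@hacktivist_feed", "ts": "2012-02-03T11:00:00Z",
     "text": "Op announced for Friday, targets TBA. #tango"},
]

INDICATOR_PATTERNS = {
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.I),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
    "md5": re.compile(r"\b[0-9a-f]{32}\b", re.I),   # \b keeps this from matching inside a sha256
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Assumption of the example: a narrow domain pattern limited to a few TLDs.
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:test|com|net|org)\b", re.I),
}

# Hypothetical analyst interest profiles: free-text keywords plus indicator
# kinds the analyst wants every hit of. Names and interests are invented.
ANALYST_INTERESTS = {
    "vuln_analyst": {"keywords": ["cve-2012-0158", "exploit"], "kinds": ["cve"]},
    "botnet_analyst": {"keywords": ["c2", "botnet"], "kinds": ["domain", "ipv4"]},
    "hacktivism_analyst": {"keywords": ["op announced", "#tango"], "kinds": []},
}


def extract_indicators(text: str) -> Dict[str, List[str]]:
    """Return normalised, de-duplicated indicators found in free text, keyed by kind."""
    found: Dict[str, List[str]] = {}
    for kind, pattern in INDICATOR_PATTERNS.items():
        hits = {m.group(0) for m in pattern.finditer(text)}
        if kind == "cve":
            hits = {h.upper() for h in hits}
        elif kind in ("sha256", "md5", "domain"):
            hits = {h.lower() for h in hits}
        if hits:
            found[kind] = sorted(hits)
    return found


def structure_post(post: dict) -> dict:
    """Split a raw post into metadata (source, author, time) and extracted content."""
    record = {key: post[key] for key in ("source", "author", "ts")}
    record["text"] = post["text"]
    record["indicators"] = extract_indicators(post["text"])
    return record


def keyword_hit(keyword: str, text: str) -> bool:
    """Case-insensitive match on token boundaries, so 'c2' does not fire inside a hex hash."""
    pattern = r"(?<![a-z0-9])" + re.escape(keyword) + r"(?![a-z0-9])"
    return re.search(pattern, text, re.I) is not None


def route(records: List[dict], interests: Dict[str, dict]) -> Dict[str, List[int]]:
    """Map each analyst to the indices of the records that match their profile."""
    routed: Dict[str, List[int]] = {name: [] for name in interests}
    for i, rec in enumerate(records):
        for name, profile in interests.items():
            by_keyword = any(keyword_hit(k, rec["text"]) for k in profile["keywords"])
            by_kind = any(kind in rec["indicators"] for kind in profile["kinds"])
            if by_keyword or by_kind:
                routed[name].append(i)
    return routed


def process(posts: List[dict]) -> Tuple[List[dict], Dict[str, List[int]]]:
    records = [structure_post(p) for p in posts]
    return records, route(records, ANALYST_INTERESTS)


if __name__ == "__main__":
    recs, routed = process(SAMPLE_POSTS)
    for name, idxs in routed.items():
        print(name, [recs[i]["indicators"] for i in idxs])
```

Keeping the original text on the record alongside the extracted indicators is deliberate: the page notes the prototype wanted content and metadata separated, but an analyst judging whether a regex hit is real still needs the sentence it came from.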

Document Published: February 4, 2015
Document Dated: February 6, 2012
Document Length: 2 pages
Associated Article: Western Spy Agencies Secretly Rely on Hackers for Intel and Expertise
Download Document: LOVELY HORSE
Authoring Agency: GCHQ
Classification: TOP SECRET STRAP 1 COMINT
Codenames: BIRDSTRIKE, BIRDSEED, HAPPYTRIGGER, JEDI, LEXHOUND (NSA controlled/owned), LOVELYHORSE, MERAPEAK

Mobile apps doubleheader: BADASS Angry Birds

Summary: This presentation was jointly prepared by employees of the GCHQ’s Global Telecommunications Exploitation (GTE) team and the CSE’s GA5A team. The goal of BADASS (BEGAL Automated Development/Deployment and System Survey) was to accelerate the rate at which the GCHQ and CSE could develop, and monitor for, useful Target Description Identifiers (TDIs). Because the method meant that no single person was responsible for propagating TDIs, a ‘backdoor’ corporate TDI repository was created. 

To generate TDIs in bulk, the CSE described how the Establishment was successfully extracting unique identifiers from traffic bound for advertising and tracking companies. TDIs are definite indicators of presence that are unique and persistent; the CSE found ways of extracting such indicators from Mobclix, AdMob, Mydas, and Dataflurry traffic, and by monitoring updates to Android IDs and to Windows Phone 7 user and device IDs. The latter half of the presentation underscores that ‘anonymous’ analytics information can, in combination, be used to re-identify persons. Moreover, much of the collected information comes from the same device and, when the identification information held by a series of parties is aggregated, presents a relatively complete picture of the device (e.g. IMEI, IMSI, MSISDN, unique tracking cookies, etc.). 

Document Published: January 17, 2015
Document Dated: Post April 2011
Document Length: 58 pages
Associated Article: The Digital Arms Race: NSA Preps America for Future Battle
Download Document: Mobile apps doubleheader: BADASS Angry Birds
Classification: UK SECRET STRAP 1 COMINT // S//SI//REL
Authoring Agency: GCHQ, CSE
Codenames: BABELFISH, BADASS, BISHOP, BLACK HOLE, UNIQUELY CHALLENGED

iPhone target analysis and exploitation with unique device identifiers

Summary: This document discusses how the GCHQ, working with the NSA, successfully targeted iPhones for exploitation. The targeting worked by, first, identifying whether compromised end point machines were syncing with iPhones and subsequently identifying the Unique Device Identifier (UDID) associated with the Apple device. Second, the GCHQ queried its metadata databases to determine whether the agency had seen the UDID as part of its collection of Yahoo! Admob traffic. From there analysts ensured that there was a strong correlation between the Admob traffic and the target’s UDID; sometimes this entailed also determining that the correct mail client (i.e. Apple Mail) was also associated with the target’s Yahoo! identifiers. 

Once analysts were certain they had identified a relevant iPhone for exploitation they worked to fire ‘shots’ using QUANTUM. The ‘shots’ were designed to direct the target’s Safari queries to a server which would deliver a WARRIORPRIDE implant. WARRIORPRIDE was used to extract: the target’s address book, SMS, call logs, notes, WLAN logs, bookmarks, map query history, Safari browsing history, and some images. 

In the future, analysts hoped to use the UDID as a real-time means of tracking target phones and as a selector for QUANTUM events when other selectors (e.g. Yahoo! cookie identifiers) are not present.  

Document Published: January 17, 2015
Document Dated: November 12, 2010
Document Length: 11 pages
Associated Article: The Digital Arms Race: NSA Preps America for Future Battle
Download Document: iPhone target analysis and exploitation with unique device identifiers
Classification: TOP SECRET STRAP1
Authoring Agency: GCHQ
Codenames: ABSOLINEEPILSON, AUTOASSOC, BLACKHOLE, BROADOAK, BROKER, CROWNPRINCE, DEBITCARD, HARDASSOC, LOOKINGGLASS, MARINA, MUTANTBROTH, OVERLIT, PRESTON, QUANTUM, SHORTSHEET, SLIDE, SOCIALANTHROPOID, SOLARSHOCK116, WARRIORPRIDE, WHIPSAW, XKS (XKEYSCORE)
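The BADASS and UDID summaries above both turn on the same mechanism: identifiers that are each ‘anonymous’ on their own become a device profile once beacons sent to different parties are joined on any value they share (a cookie common to two ad networks, a UDID seen both in AdMob traffic and in mail-client traffic). The following is an added example written for this page, not code from any GCHQ or CSE document; every beacon and identifier value is a constructed placeholder, and the field names are assumptions about what an ad or analytics SDK might send.

```python
"""Linking 'anonymous' analytics identifiers into per-device clusters.

Added example; not taken from any GCHQ or CSE document. It demonstrates
the point the BADASS and UDID summaries make: identifiers that are each
'anonymous' on their own become a device profile once beacons sent to
different parties are joined on any value they share. All beacons and
identifier values below are constructed placeholders, and the field
names are assumptions about what an ad or analytics SDK might send.
"""
from collections import defaultdict

# Constructed beacons: (observed stream, query string as the SDK sent it).
BEACONS = [
    ("admob",   "udid=UDID-0001&cookie=CK-A&app=game1"),
    ("mobclix", "imei=IMEI-0001&cookie=CK-A&app=game1"),
    ("flurry",  "imei=IMEI-0001&android_id=AID-0001&app=news"),
    ("admob",   "udid=UDID-0002&cookie=CK-B&app=game1"),
    ("mail",    "udid=UDID-0002&account=user2@example.test"),
    ("mobclix", "imei=IMEI-0003&app=game1"),
]

# Fields treated as persistent, device-bound identifiers. 'app' is not one,
# so two beacons for the same app never link on that alone.
ID_FIELDS = {"udid", "imei", "android_id", "cookie", "account"}


def parse_ids(query: str) -> set:
    """Extract 'field:value' identifiers from a query string."""
    ids = set()
    for part in query.split("&"):
        key, _, value = part.partition("=")
        if key in ID_FIELDS and value:
            ids.add(f"{key}:{value}")
    return ids


def link_devices(beacons):
    """Union-find over identifiers: every beacon joins all identifiers it
    carries, so two streams that never share a field still merge when a
    third beacon bridges them. Returns one record per device cluster."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]      # path halving
            x = parent[x]
        return x

    seen_in = defaultdict(set)                  # identifier -> streams
    for stream, query in beacons:
        ids = sorted(parse_ids(query))
        for ident in ids:
            seen_in[ident].add(stream)
            root_a, root_b = find(ids[0]), find(ident)
            if root_a != root_b:
                parent[root_a] = root_b

    clusters = defaultdict(lambda: {"identifiers": set(), "streams": set()})
    for ident in list(parent):
        root = find(ident)
        clusters[root]["identifiers"].add(ident)
        clusters[root]["streams"].update(seen_in[ident])

    return sorted(
        ({"identifiers": sorted(c["identifiers"]), "streams": sorted(c["streams"])}
         for c in clusters.values()),
        key=lambda c: c["identifiers"],
    )


if __name__ == "__main__":
    for cluster in link_devices(BEACONS):
        print(cluster)
```

Run as written, the six beacons collapse to three devices: the first three streams never share a single common field, yet the AdMob and Flurry beacons end up in one cluster because the Mobclix beacon bridges them (cookie on one side, IMEI on the other). That transitive join is exactly why stripping names from any one stream does not make the data anonymous.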

CNE End Point Requirements

Summary: This document outlines a range of refinements and experiments pertaining to CNE endpoint operations that GCHQ was considering when the document was produced. They fall under capabilities development (tools used to target or act on endpoints); convergence development (making data from endpoints accessible to, or usable by, multiple databases or systems); query development (letting analysts retrieve information from endpoints, or from analyst systems that summarize what has already been retrieved); tasking development (so analysts could better direct GCHQ systems to track or acquire particular content or metadata from endpoints); and viewer development (so analysts could visualize endpoints, their networks, or the data collected from them more easily or usefully). Each listed item is given a priority from 1 to 3.

Document Published: January 17, 2015
Document Dated: [Date]
Document Length: 9 pages
Associated Article: The Digital Arms Race: NSA Preps America for Future Battle
Download Document: CNE End Point Requirements
Classification: TOP SECRET STRAP 1 COMINT
Authoring Agency: GCHQ
Codenames: BROADOAK, CARBONROD, CIAQUINCY, DANCINGBEAR, EREPO, EVOLVEDMUTANTBROTH, FLAMECARPET2, FUMECUPBOARD, GLOBALREACH, GLOBALSURGE, GOLDENEYE2, HAUSTORIUM, HIGHNOTE, JACKPOT, LOOKINGGLASS, LUNARHORNET, MARINA, MOONRAKER, MUGSHOT, MUTANTBROTH, OVERHEAD, QUANTUM, QUINCEY (CIA QUINCY), ROADBED, ROCKOPERA, RUFFLE, SLIPSTREAM, STARGATE, STARGATEROADMAP, THUGGEE, TURBINE, UDAQ2, XKEYSCORE

2014

BULLRUN

Summary: This document discusses the BULLRUN capability to “defeat encryption used in specific network communications” (2) and the sensitivities associated with it. In the decade before the document was produced, the NSA had led “an aggressive, multi-pronged effort to break widely used Internet encryption technologies”, with the effect that cryptanalytic capabilities were coming online that made previously unexploitable encrypted content and metadata available for analysis. 

Efforts were in place to protect both the BULLRUN capabilities and the information derived from them. The technical and operational details were classified as Exceptionally Controlled Information (ECI) under the AMBULANT, PAWLEYS, and PICARESQUE compartments; while the fact that such capabilities existed needed to be known across the SIGINT community, the details were restricted to a secure Community of Interest (COI). 

At the time of the document’s writing, BULLRUN was in use by the GCHQ, NSA, and CSE, with plans for DSD (now, ASD) and GCSB to follow. It was not, however, to be shared with UK partners or customers. 

Examples of targeted encryption included those used in: VPNs, IPSEC, TLS/SSL, HTTPS, SSH, PPTP, eChat, and eVoIP. The final slide notes that these groundbreaking capabilities were very fragile and, as such, individuals were not to “ask about or speculate on sources or methods underpinning BULLRUN successes” and indoctrination was “required for access to secure COI” (10).

Document Published: December 28, 2014
Document Dated: Undated
Document Length: 10 pages
Associated Article: Inside the NSA's War on Internet Security
Download Document: BULLRUN
Classification: TOP SECRET STRAP 1
Authoring Agency: GCHQ
Codenames: AMBULANT, BULLRUN, PAWLEYS, PICARESQUE

STARGATE CNE Requirements

Summary: This is a wiki page that was, ultimately, meant to hold information pertaining to STARGATE, a CNE-related project. The captured page contains only the framework for CNE requirements; other pages (not included) covered the User Guide, Bugs & Feedback, Deployments, ‘Surgery’, and Support. STARGATE was linked to other covernamed projects, including VORPAL SWORD and CLOTHO 2, and relied on a series of other architectures used within GCHQ such as ERIDANUS, CHEYENNE MOUNTAIN, CHEYENNE MOUNTAIN2, AQUILA, and BIG BUS. 

Document Published: December 13, 2014
Document Dated: Unknown
Document Length: 2 pages
Associated Article: The Inside Story of How British Spies Hacked Belgium's Largest Telco
Download Document: STARGATE CNE Requirements
Classification: SECRET STRAP1 COMINT
Authoring Agency: GCHQ
Codenames: ANDROMEDA, AQUILA, BIGBUS, CHEYENNEMOUNTAIN, CHEYENNEMOUNTAIN2, CLOTHO2, DAREDEVIL, ERIDANUS, FEDEX, IRONINGBOARD, KITCHENSINK, MAD, MARVALICE, ROYALMANTLE, SORCERER, STARGATE, THICKISHALPHA, TINREVERIE, VORPALSWORD

Network Analysis Centre Belgacom Update Snippet 1

Summary: This snippet indicates that MyNOC successfully developed knowledge about GRX operators that included their customer sets and knowledge of/access to encrypted and unencrypted GRX bearers. This led to successful CNE operations against Belgacom (MERION ZETA) that situated implants deep into the network as well as along the company’s edges.

Document Published: December 13, 2014
Document Dated: Unknown, suggested January - March 2011 in filename
Document Length: 1 page
Associated Article: The Inside Story of How British Spies Hacked Belgium's Largest Telco
Download Document: Network Analysis Centre Belgacom Update Snippet 1
Classification: Unknown
Authoring Agency: GCHQ
Codenames: MERIONZETA

CNE Access to BELGACOM GRX Operator Snippet 1

Summary: This snippet notes that OP SOCIALIST, which was to provide CNE access to Belgacom GRX, was successful and that the Network Analysis Centre continued to provide assistance in mapping the company’s internal network for continued CNE operations. The goal was to facilitate Man-in-the-Middle operations against roaming mobile handsets.

Document Published: December 13, 2014
Document Dated: Unknown, though filename suggests April to June 2011
Document Length: 1 page
Associated Article: The Inside Story of How British Spies Hacked Belgium's Largest Telco
Download Document: CNE Access to BELGACOM GRX Operator Snippet 1
Classification: Unknown
Authoring Agency: GCHQ
Codenames: MERIONZETA, OPSOCIALIST

CNE Access to BELGACOM GRX Operator Snippet 2

Summary: This snippet indicates the Network Analysis Centre continued to provide assistance in mapping out the internal network of BELGACOM and provide assistance to CNE operators as they deploy implants throughout the organization’s network.

Document Published: December 13, 2014
Document Dated: Unknown, though filename suggests July to September 2011
Document Length: 1 page
Associated Article: The Inside Story of How British Spies Hacked Belgium's Largest Telco
Download Document: CNE Access to BELGACOM GRX Operator Snippet 2
Classification: Unknown 
Authoring Agency: GCHQ
Codenames: MERIONZETA, OPSOCIALIST

CNE Access to BELGACOM GRX Operator Snippet 3

Summary: OP SOCIALIST successfully enabled CNE access to Belgacom networks while also identifying VPN exploitation opportunities. The intrusion into Belgacom’s GRX network was required as part of GCHQ’s Mobile Theme. The operation involved: identifying the mobile network operators that connected to Belgacom’s network through VPNs, characterizing each VPN and determining which carried GTP, processing GTP events in order to extract and use target selectors, analysing which points of access to key networks were best, and recommending how to sustain GTP processing. 

GTP (GPRS Tunnelling Protocol) is the IP-based protocol family that carries subscriber data sessions across GSM/GPRS, UMTS and later mobile core networks, and across the GRX links between operators when a subscriber roams. It has three parts: GTP-C (UDP port 2123) carries the control signalling that sets up and tears down a subscriber’s session, GTP-U (UDP port 2152) tunnels the subscriber’s own IP traffic, and GTP’ (UDP/TCP port 3386) carries charging records so that operators can bill based on usage. The control signalling carries subscriber identifiers such as the IMSI in the clear inside the tunnel, which is why the operation’s steps centre on finding and processing GTP.

Document Published: December 13, 2014
Document Dated: Unknown, though file name indicates October to December 2011
Document Length: 1 page
Associated Article: The Inside Story of How British Spies Hacked Belgium's Largest Telco
Download Document: CNE Access to BELGACOM GRX Operator Snippet 3
Classification: Unknown
Authoring Agency: GCHQ
Codenames: MERIONZETA, OPSOCIALIST II, VERACIOUS
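What ‘characterising each VPN and determining which carry GTP’ comes down to at the packet level is shown by the following parser, an added example written for this page and not taken from any GCHQ document. Port numbers and field layouts follow 3GPP TS 29.060; the two sample datagrams are constructed here (the IMSI uses the 001/01 test-network code), and the set of information elements decoded is a deliberately small subset. A defender auditing a GRX or roaming interconnect can use the same logic to confirm which tunnels actually carry subscriber identifiers.

```python
"""Minimal GTPv1 (GPRS Tunnelling Protocol) header and IE parser.

Added example; not taken from any GCHQ document. It shows which fields
(plane, message type, TEID, IMSI) a passive observer of a GRX link, or a
defender auditing that link, can read from GTP traffic. Port numbers and
layouts follow 3GPP TS 29.060; the sample packets are constructed here
and use the 001/01 test-network IMSI.
"""
import struct
from typing import Optional

GTP_PORTS = {2123: "GTP-C", 2152: "GTP-U", 3386: "GTP'"}
MSG_NAMES = {1: "Echo Request", 2: "Echo Response",
             16: "Create PDP Context Request", 17: "Create PDP Context Response",
             18: "Update PDP Context Request", 20: "Delete PDP Context Request",
             255: "G-PDU"}
# Fixed-length (TV) information elements: type -> value length in bytes.
TV_LENGTHS = {1: 1, 2: 8, 3: 6, 14: 1, 16: 4, 17: 4, 20: 1}
IE_NAMES = {1: "Cause", 2: "IMSI", 3: "RAI", 14: "Recovery",
            16: "TEID Data I", 17: "TEID Control Plane", 20: "NSAPI"}


def decode_tbcd(raw: bytes) -> str:
    """Telephony BCD: low nibble first, 0xF is filler."""
    digits = []
    for b in raw:
        for nibble in (b & 0x0F, b >> 4):
            if nibble == 0xF:
                return "".join(digits)
            digits.append(str(nibble))
    return "".join(digits)


def encode_tbcd(digits: str) -> bytes:
    if len(digits) % 2:
        digits += "F"
    return bytes(int(digits[i], 16) | (int(digits[i + 1], 16) << 4)
                 for i in range(0, len(digits), 2))


def parse_ies(body: bytes) -> dict:
    ies, i = {}, 0
    while i < len(body):
        ie_type = body[i]
        if ie_type < 128:                       # TV: fixed length by type
            vlen = TV_LENGTHS.get(ie_type)
            if vlen is None:                    # unknown TV IE: cannot resync
                ies["_unparsed"] = body[i:].hex()
                break
            value, i = body[i + 1:i + 1 + vlen], i + 1 + vlen
        else:                                   # TLV: 2-byte length
            if i + 3 > len(body):
                break
            vlen = struct.unpack("!H", body[i + 1:i + 3])[0]
            value, i = body[i + 3:i + 3 + vlen], i + 3 + vlen
        name = IE_NAMES.get(ie_type, f"IE{ie_type}")
        ies[name] = decode_tbcd(value) if ie_type == 2 else value.hex()
    return ies


def parse_gtp(udp_port: int, payload: bytes) -> Optional[dict]:
    """Return a summary dict for a GTPv1 datagram, or None if it is not one."""
    plane = GTP_PORTS.get(udp_port)
    if plane is None or len(payload) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack("!BBHI", payload[:8])
    if flags >> 5 != 1 or not (flags >> 4) & 1:  # version 1, PT=1 (PT=0 is GTP')
        return None
    info = {"plane": plane, "msg_type": msg_type,
            "msg_name": MSG_NAMES.get(msg_type, "unknown"), "teid": teid}
    offset = 8
    if flags & 0x07:                            # E, S or PN set: 4 optional octets
        if len(payload) < 12:
            return None
        info["seq"] = struct.unpack("!H", payload[8:10])[0]
        offset = 12
    body = payload[offset:8 + length]
    if msg_type == 255:                         # user plane: body is the inner IP packet
        info["inner_ip_version"] = body[0] >> 4 if body else None
    else:
        info["ies"] = parse_ies(body)
    return info


def build_create_pdp_request(imsi: str, seq: int) -> bytes:
    """Constructed sample: Create PDP Context Request carrying only an IMSI IE."""
    ies = bytes([2]) + encode_tbcd(imsi)
    opt = struct.pack("!HBB", seq, 0, 0)       # seq, N-PDU, next ext header
    return struct.pack("!BBHI", 0x32, 16, len(opt) + len(ies), 0) + opt + ies


def build_gpdu(teid: int, inner: bytes) -> bytes:
    """Constructed sample: GTP-U G-PDU wrapping an (abbreviated) IPv4 packet."""
    return struct.pack("!BBHI", 0x30, 255, len(inner), teid) + inner


SAMPLE_GTPC = build_create_pdp_request("001010123456789", seq=1)
SAMPLE_GTPU = build_gpdu(0x12345678, bytes([0x45, 0x00, 0x00, 0x14]) + bytes(16))
```

Calling `parse_gtp(2123, SAMPLE_GTPC)` yields the control-plane message with its sequence number and the decoded IMSI; `parse_gtp(2152, SAMPLE_GTPU)` yields the user-plane tunnel with its TEID and the version of the inner IP packet. The port check is only a first filter: a datagram on an unexpected port is still worth inspecting if its first byte decodes to version 1 with PT set.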

Making Network Sense of the encryption problem (Roundtable)

Summary: At the time of writing, GCHQ collected metadata about encrypted communications taking place online and stored it in BEARDED PIGGY. The roundtable focused on whether the Network Analysis Centre (NAC) could better isolate the traffic that GCHQ wanted decrypted. 

Where a target is already known, the GCHQ might identify their subnet and select against the subnet to determine if there is a way to access unencrypted data. Alternatively, an Autonomous System (AS), which is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators, might be targeted in the hopes of capturing data in an unencrypted state (e.g., prior to being encrypted over a VPN). The benefit of both of these methods is that either data may be obtained in an unencrypted format or, alternatively, that double-ended collection can take place. 

Belgacom is used as an example for targeting a given AS.

Document Published: December 13, 2014
Document Dated: January 1, 2007
Document Length: 11 pages
Associated Article: Operation Socialist: The Inside Story of How British Spies Hacked Belgium’s Largest Telco
Download Document: Making Network Sense of the encryption problem (Roundtable)
Classification: TOP SECRET STRAP 2 // REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: GCHQ
Codenames: BEARDEDPIGGY, IRASCIBLEEMITT, IRASCIBLEHARE, IRASCIBLEMOOSE, IRASCIBLERABBIT

Automated NOC Detection

Summary: Major enterprises manage their networks from Network Operations Centres (NOCs). At a March 2011 meeting in Canada, GCHQ and CSE analysts evaluated whether NOCTURNAL SURGE could be implemented in OLYMPIA, CSE’s network knowledge engine.

Analysts use NOCTURNAL SURGE to find NOCs. The system draws on pre-existing databases to identify access control lists (ACLs): GCHQ draws on the 5-ALIVE database and CSE on the HYPERION databases. The ACLs of interest are those that permit the ports network administrators use to open Telnet or SSH sessions to the systems they administer. Similar port information is recorded for virtual teletype (VTY) lines, the virtual terminal lines through which devices such as routers accept remote command-line logins; the name is inherited from the teletype terminals such lines originally emulated. The source addresses those ACLs and VTY restrictions permit are the candidate locations of a NOC.

After combing through the databases with NOCTURNAL SURGE and identifying NOCs, the NOCs can be targeted for computer network exploitation. Exploitation involves correlating NOC IP addresses with affiliated identifiers from the MUTANT BROTH database, which stores correlations between IP addresses and cookies and other identifying data. The QUANTUM INSERT exploitation system is then used to target administrators once analysts have correlated NOC data with information from MUTANT BROTH.

Document Published: December 13, 2014
Document Dated: Post May 2011
Document Length: 25 pages
Associated Article: Operation Socialist: The Inside Story of How British Spies Hacked Belgium’s Largest Telco
Download Document: Automated NOC Detection
Classification: TOP SECRET STRAP 2
Authoring Agency: GCHQ (lead agency), CSE
Codenames: FIVEALIVE, CHAINGUARD, GLOBALSURGE, HACIENDA, HYPERION, MUTANTBROTH, NOCTURNALSURGE, OPSOCIALIST, PENTAHO, QUANTUM INSERT, SAMUELPEPYS, TERMINALSURGE, TIDALSURGE
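The heuristic the NOCTURNAL SURGE summary describes can be written down as a short configuration parser: the access list bound to a device’s VTY lines, and any ACL entry that permits TCP/22 or TCP/23, name the addresses administrators log in from. The example below is added for this page and is not from any GCHQ or CSE document. The configuration is constructed in Cisco IOS syntax with RFC 1918 and RFC 5737 addresses, and the parser covers only the statements shown (standard and extended named ACLs, `access-class`, `transport input`). Pointed at one’s own configurations it is the least-privilege check that closes this avenue: management sources should be a handful of tightly scoped prefixes, with no VTY line left unrestricted.

```python
"""Inferring management (NOC) source networks from a router configuration.

Added example; not from any GCHQ or CSE document. It implements the heuristic
the NOCTURNAL SURGE summary describes: the access list bound to a device's VTY
lines, and ACL entries that permit TCP/22 or TCP/23, name the addresses from
which administrators log in. The config is constructed in Cisco IOS syntax
with RFC 1918 and RFC 5737 addresses; no real device is described.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
ip access-list standard MGMT-HOSTS
 permit 10.20.0.0 0.0.0.255
 permit host 192.0.2.10
 deny   any
!
ip access-list extended EDGE-IN
 permit tcp 10.20.0.0 0.0.0.255 any eq 22
 permit tcp host 192.0.2.10 any eq telnet
 permit tcp any any eq 443
 deny   ip any any
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
!
line vty 5 15
 transport input telnet ssh
!
"""
MGMT_PORTS = {"22", "23", "ssh", "telnet"}


def wildcard_to_network(addr, wildcard):
    """IOS wildcard masks are inverted netmasks; 0.0.0.0 selects one host."""
    wc = int(ipaddress.IPv4Address(wildcard))
    prefix = 32 - wc.bit_length()
    if (~wc & 0xFFFFFFFF) != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network((addr, prefix), strict=False)


def parse_address(tokens, i):
    """Address spec at tokens[i] -> (network, or None for 'any'; next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    if i + 1 < len(tokens) and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", tokens[i + 1]):
        return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2
    return ipaddress.ip_network(tokens[i]), i + 1


def parse_config(config):
    """Single pass: ({acl: [(action, source or None, tcp dest port or None)]},
    [vty blocks]). Entry order (first match wins on the device) is kept."""
    acls, vtys, block = defaultdict(list), [], None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if not line.startswith(" "):                  # top-level line opens a block
            if t[:2] == ["ip", "access-list"]:
                block = ("acl", t[2], t[3])
            elif t[:2] == ["line", "vty"]:
                vtys.append({"line": line, "access_class": None, "transport": []})
                block = ("vty",)
            else:
                block = None
        elif block == ("vty",):
            if t[0] == "access-class":
                vtys[-1]["access_class"] = t[1]
            elif t[:2] == ["transport", "input"]:
                vtys[-1]["transport"] = t[2:]
        elif block and t[0] in ("permit", "deny"):
            _, kind, name = block
            if kind == "standard":
                src, port = parse_address(t, 1)[0], None
            else:
                src, nxt = parse_address(t, 2)
                _dst, nxt = parse_address(t, nxt)
                port = t[nxt + 1] if t[1] == "tcp" and nxt + 1 < len(t) and t[nxt] == "eq" else None
            acls[name].append((t[0], src, port))
    return dict(acls), vtys


def infer_mgmt_sources(config):
    """Candidate NOC source prefixes, plus findings a hardening review would raise."""
    acls, vtys = parse_config(config)
    sources, findings = set(), []
    for v in vtys:
        if v["access_class"] is None:
            findings.append(f"{v['line']}: no access-class, reachable from any source")
        if "telnet" in v["transport"] or "all" in v["transport"]:
            findings.append(f"{v['line']}: cleartext telnet enabled")
    bound = {v["access_class"] for v in vtys}         # ACLs applied to VTY lines
    for name, entries in acls.items():
        for action, src, port in entries:
            if action != "permit" or not (name in bound or port in MGMT_PORTS):
                continue
            if src is None:
                findings.append(f"ACL {name}: management access permitted from any")
            else:
                sources.add(src)
    return {"sources": sorted(str(s) for s in sources), "findings": findings}
```

`infer_mgmt_sources(SAMPLE_CONFIG)` returns the two management prefixes (10.20.0.0/24 and 192.0.2.10/32, found both through the VTY access-class and through the TCP/22 and Telnet permits in EDGE-IN) and two findings against `line vty 5 15`, which has no access-class and still allows Telnet. The parser deliberately does not evaluate match order, so a `permit` shadowed by an earlier `deny` would still be reported; that is the conservative choice for a reconnaissance-style question.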

Belgacom Connections

Summary: This is an image taken from CARBON ROD that showcases the connections between Belgacom and other networks.

Document Published: December 13, 2014
Document Dated: Unknown
Document Length: 1 page
Associated Article: The Inside Story of How British Spies Hacked Belgium's Largest Telco
Download Document: Belgacom Connections
Classification: None
Authoring Agency: GCHQ
Codenames: CARBONROD

Mobile Networks in MyNOC World

Summary: This document outlines actions undertaken by the GCHQ’s Network Analysis Centre (NAC) and, specifically, the division of NAC that is tasked with running the My Network Operations Centre (aka MyNOC). MyNOC is designed to bring together analysts and specialists from across the GCHQ to facilitate collaboration; the team included fifteen or more personnel. 

This document focuses, in particular, on OP SOCIALIST. This operation involved targeting, and gaining access to, Belgacom’s GRX core routers. That meant identifying key engineers and implanting their devices, so that subsequent CNE operations could be run against the core Belgacom routers. MyNOC used LinkedIn and Slashdot selectors to target those engineers with QUANTUM, an NSA toolset that GCHQ enhanced to allow ‘shots’ on LinkedIn and ‘white listing’ when shooting on a proxy. Doing so helped enable GCHQ to undertake man-in-the-middle operations against targeted roaming smartphones. In addition to the extensive information extracted about Belgacom’s network and operations (e.g. identifying the owners of Target Description Identifiers (TDIs)), MyNOC was also able to identify FTP services, identify laptops, conduct SSL research, and analyze mail servers. 

OP SOCIALIST was, in part, seen as a way of showcasing to other partners in the GCHQ that MyNOC was of value: it brought to bear a focused working group capable of combining skills by improving working relationships between the Network Analysis Centre and Computer Network Exploitation teams. Based on OP SOCIALIST, MyNOC believed that there would be further efforts following the Belgacom work. 

Document Published: December 13, 2014
Document Dated: Post-May 2011
Document Length: 22 pages
Associated Article: Operation Socialist: The Inside Story of How British Spies Hacked Belgium’s Largest Telco
Download Document: Mobile Networks in MyNOC World
Classification: TOP SECRET STRAP 2
Authoring Agency: GCHQ
Codenames: CADDIS, CERBERUS, COPPERHEAD, E-BEAM, EREPO, HIGHNOTE, JEDI, MERIONZETA, MUTANTBROTH, NEXUS, OP INTERACTION, OP SOCIALIST, OP WYLEKEY, PIA, QUANTUM, QI (QUANTUM INSERT), WOODCUTTER
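The documents above say only that QUANTUM ‘shots’ were fired at Belgacom engineers; the injection mechanism itself is publicly documented (a forged server response races the genuine one to the client, as with the Safari redirect in the UDID document above), and so is the check a network defender can run for it. Fox-IT published the heuristic in 2015: two data segments on one TCP connection carrying the same sequence number but different contents. The following is an added example for this page, a from-scratch implementation of that heuristic over constructed packet records using RFC 5737 addresses; it is not GCHQ’s code nor Fox-IT’s, and the time window and payload comparison rule are assumptions to tune.

```python
"""Detecting a QUANTUM INSERT-style TCP injection race in a packet record.

Added example; not from any GCHQ document. A forged server response races
the genuine one, so the client sees two data segments on one connection
with the same sequence number but different contents. Fox-IT described
this duplicate-sequence heuristic in 2015; this is a from-scratch version
over constructed records (RFC 5737 addresses). The window and the payload
comparison rule are assumptions to tune.
"""
from collections import defaultdict
from typing import NamedTuple


class Segment(NamedTuple):
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ttl: int
    payload: bytes


# Constructed server->client segments. Records 3 and 4 are the race: same
# connection and sequence number, different content, different IP TTL.
# Record 5 is a benign retransmission of record 4.
SAMPLE = [
    Segment(0.000, "198.51.100.7", 80, "192.0.2.10", 51234, 1000, 52, b"HTTP/1.1 200 OK\r\n"),
    Segment(0.020, "198.51.100.7", 80, "192.0.2.10", 51234, 1400, 52, b"<html>"),
    Segment(0.100, "198.51.100.7", 80, "192.0.2.10", 51240, 2000, 61, b"HTTP/1.1 302 Found\r\n"),
    Segment(0.110, "198.51.100.7", 80, "192.0.2.10", 51240, 2000, 52, b"HTTP/1.1 200 OK\r\n"),
    Segment(0.130, "198.51.100.7", 80, "192.0.2.10", 51240, 2000, 52, b"HTTP/1.1 200 OK\r\n"),
]


def payloads_conflict(a: bytes, b: bytes) -> bool:
    """True when two data segments at one sequence number disagree. A
    retransmission may be re-segmented, so only the overlapping bytes count."""
    n = min(len(a), len(b))
    return a[:n] != b[:n]


def detect_injection(segments, window=1.0):
    """Flag each (flow, seq) carrying two conflicting payloads within `window`
    seconds. One alert per (flow, seq); identical repeats are ignored."""
    seen, alerted, alerts = defaultdict(list), set(), []
    for seg in sorted(segments, key=lambda s: s.ts):
        if not seg.payload:                      # pure ACKs carry no data
            continue
        key = (seg.src, seg.sport, seg.dst, seg.dport, seg.seq)
        if key not in alerted:
            for earlier in seen[key]:
                if seg.ts - earlier.ts <= window and payloads_conflict(earlier.payload, seg.payload):
                    alerts.append({"flow": key[:4], "seq": seg.seq,
                                   "first": earlier, "second": seg,
                                   "ttl_delta": abs(earlier.ttl - seg.ttl)})
                    alerted.add(key)
                    break
        seen[key].append(seg)
    return alerts


if __name__ == "__main__":
    for a in detect_injection(SAMPLE):
        print(a["flow"], a["seq"], "ttl delta", a["ttl_delta"])
        print("  first :", a["first"].payload)
        print("  second:", a["second"].payload)
```

On the sample the detector raises exactly one alert, for the connection on port 51240, and reports the TTL difference between the two segments as supporting evidence (the injected packet has travelled a different path). The benign retransmission is not reported because it matches the earlier segment byte for byte. The heuristic cannot by itself say which of the two payloads is forged; the first to arrive is the suspect by design of the race, but both are kept for the analyst.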

‘HOPSCOTCH’ Snippet

Summary: This is a small, one paragraph, selection from a larger document. It asserts that ‘sending edges’ from one cloud to another would let the GCHQ summarize contact pairs and thus make analytics easier. It references the HOPSCOTCH Question Focused Database (QFD) but does not expand in any detail on what HOPSCOTCH is or does.

Document Published: December 13, 2014
Document Dated: Unknown
Document Length: 1 page
Associated Article: The Inside Story of How British Spies Hacked Belgium's Largest Telco
Download Document: ‘HOPSCOTCH’ Snippet
Classification: Unknown
Authoring Agency: GCHQ
Codenames: HOPSCOTCH

CNE Access to BELGACOM GRX Operator Snippet 4

Summary: This snippet merely says that the Network Analysis Centre (NAC) was receiving requirements from a Computer Network Exploitation (CNE) EREPO team to steer and support NAC’s operations.

Document Published: December 13, 2014
Document Dated: Unknown, though file name suggests January to March 2012
Document Length: 1 page
Associated Article: The Inside Story of How British Spies Hacked Belgium's Largest Telco
Download Document: CNE Access to BELGACOM GRX Operator Snippet 4
Classification: Unknown
Authoring Agency: GCHQ
Codenames: EREPO

WOLFRAMITE (snippet)

Summary: This excerpt from a GCHQ document sets out outc omes the agency wanted to achieve in 2011/2012. It proposes scaling up the exploitation of handsets and mobile applications to meet GCHQ’s mobile broadband challenge, using (or developing) WOLFRAMITE to provide a capability against mobile encryption, specifically the A5/3 cipher, and leveraging WOLFRAMITE research and development to work with the NSA on an attack against A5/3 over-the-air (OTA) GSM encryption. 

Document Published: December 4, 2014
Document Dated: March 9, 2011
Document Length: 1 page
Associated Article: Operation AURORAGOLD: How the NSA Hacks Cellphone Networks Worldwide 
Download Document: WOLFRAMITE (snippet)
Classification: TOP SECRET STRAP1
Authoring Agency: GCHQ
Codenames: WOLFRAMITE

A5/3 crypt attack proof-of-concept demonstrator (snippet)

Summary: This snippet from a GCHQ document describes changes that had to be made to how GCHQ intercepted and decrypted mobile wireless communications. The processing chain at the time targeted A5/1 and had to be updated to “successfully prosecute” A5/3-encrypted GSM communications. This requirement to target A5/3 was given the covername OPULENTPUP.

Document Published: December 4, 2014
Document Dated: September 18, 2009
Document Length: 1 page
Associated Article: Operation AURORAGOLD: How the NSA Hacks Cellphone Networks Worldwide
Download Document: A5/3 crypt attack proof-of-concept demonstrator (snippet)
Classification: TOP SECRET STRAP1
Authoring Agency: GCHQ
Codenames: OPULENTPUP (OPULANTPUP)

2nd SCAMP at CSEC process

Summary: This single slide from the 2nd Summer Conference on Applied Mathematical Problems (SCAMP), which occurred at the CSE, outlines progress made in partnership with CSE H3 developers to enhance and evaluate existing capabilities focused around signals intelligence. 

According to the document, new systems (IRASCIABLERABBIT and TOYGRIPPE) were integrated with OLYMPIA. Progress was also made towards identifying virtual private networks of interest for cryptanalysis. The document further notes ‘progress’ in sharing and analyzing SIGINT-collected International Roaming documents (i.e. IR.21s). This CSE-specific document is part of a larger collection of documents linked to the AURORAGOLD project. AURORAGOLD collects and maintains information about the properties of mobile telecommunications networks so that analysts can understand the current state of mobile networks worldwide, trends in that state, and the networks’ likely future evolution. Much of this information comes from IR.21 documents; the e-mail selectors and metadata captured alongside those documents are retained as well. 

Document Published: December 4, 2014
Document Dated: Undated
Document Length: 1 page
Associated Article: Operation AURORAGOLD: How the NSA Hacks Cellphone Networks Worldwide
Download Document: 2nd SCAMP at CSEC process
Classification: TOP SECRET // COMINT // REL TO USA, FVEY//20320108 
Authoring Agency: Unknown, likely GCHQ
Codenames: BOLSHIEPOSSUM, IRASCIABLEHARE, IRASCIABLERABBIT, OLYMPIA, TOYGRIPPE

What is HACIENDA?

Summary: This set of slides provides a high-level overview of the HACIENDA program, a network reconnaissance tool developed within GCHQ’s Joint Threat Research Intelligence Group (JTRIG). The tool uses nmap to port-scan entire countries or subnets and then correlates the collected Internet Protocol (IP) information with geolocation data using GEOFUSION. HACIENDA is tasked against specific countries or subnets, and is accessible by contacting individuals at GCHQ, CSEC, NSA, or DSD. All data collected using HACIENDA are stored in JTRIG’s internal database and made available via GLOBALSURGE, the GCHQ Network Analysis Centre’s ‘networks knowledge base prototype’. Information stored in GLOBALSURGE is then shared with partners in Canada, Australia, and the United States using MAILORDER. 

HACIENDA has completed full scans of 27 countries (list of examples redacted) and partial scans of 5 additional countries.

Data collected using HACIENDA are used for computer network exploitation (CNE) as well as for discovery. On the CNE side, the scan results support vulnerability assessment of systems and networks and the detection of systems that might be exploited as operational relay boxes (ORBs). On the discovery side, HACIENDA is used for network analysis and target discovery.

Document Published: August 15, 2014
Document Dated: 2009
Document Length: 8 pages
Associated Article: The HACIENDA Program for Internet Colonization
Download Document: What is HACIENDA?
Classification: UK TOP SECRET STRAP1 | TOP SECRET//COMINT//REL FVEY
Authoring Agency: GCHQ
Codenames: GEOFUSION, GLOBALSURGE, HACIENDA, MAILORDER
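From the scanned network’s side, HACIENDA-style nmap sweeps of whole subnets have a simple signature: one source reaching many hosts on a single port (a horizontal sweep) or many ports on a single host (a vertical scan) within a short window. The detector below is an added example written for this page, not code from any GCHQ document; the flow records are constructed from RFC 5737 address ranges, and the window and thresholds are assumptions that have to be tuned to a real network’s baseline (the monitoring host in the sample is there to show what must not trip it).

```python
"""Spotting HACIENDA-style port sweeps in flow records.

Added example; not from any GCHQ document. HACIENDA is described above as
nmap scanning of whole countries or subnets. From the scanned network's side
that appears as one source reaching many hosts on one port (a horizontal
sweep) or many ports on one host (a vertical scan) within a short window,
which is what this detector counts. Flow records are constructed from
RFC 5737 address ranges; the window and thresholds are assumptions to tune.
"""
from collections import defaultdict, deque
from typing import NamedTuple


class Flow(NamedTuple):
    ts: float
    src: str
    dst: str
    dport: int


def detect_scans(flows, window=60.0, host_threshold=20, port_threshold=15):
    """Sliding-window scan detector. Emits one alert per (source, kind, target)
    the first time a count crosses its threshold inside `window` seconds."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for f in sorted(flows, key=lambda x: x.ts):
        q = recent[f.src]
        q.append(f)
        while f.ts - q[0].ts > window:           # expire flows outside the window
            q.popleft()
        hosts_per_port, ports_per_host = defaultdict(set), defaultdict(set)
        for g in q:
            hosts_per_port[g.dport].add(g.dst)
            ports_per_host[g.dst].add(g.dport)
        for port, hosts in hosts_per_port.items():
            if len(hosts) >= host_threshold and (f.src, "horizontal", port) not in alerted:
                alerted.add((f.src, "horizontal", port))
                alerts.append({"ts": f.ts, "src": f.src, "kind": "horizontal",
                               "port": port, "count": len(hosts)})
        for host, ports in ports_per_host.items():
            if len(ports) >= port_threshold and (f.src, "vertical", host) not in alerted:
                alerted.add((f.src, "vertical", host))
                alerts.append({"ts": f.ts, "src": f.src, "kind": "vertical",
                               "host": host, "count": len(ports)})
    return alerts


def build_sample():
    """Constructed traffic: one horizontal sweep, one vertical scan, and a
    monitoring host whose regular polling must not trip the detector."""
    flows = []
    for i in range(1, 41):                       # TCP/22 across 40 hosts, 2 per second
        flows.append(Flow(i * 0.5, "203.0.113.5", f"192.0.2.{i}", 22))
    ports = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993,
             995, 1723, 3306, 3389, 5900, 8080, 8443, 8888, 9000, 9090, 10000]
    for j, port in enumerate(ports):             # 25 ports on one host in 10 s
        flows.append(Flow(100 + j * 0.4, "203.0.113.9", "192.0.2.50", port))
    for k in range(20):                          # 5 web servers polled every 30 s
        for h in range(1, 6):
            flows.append(Flow(200 + k * 30, "192.0.2.100", f"192.0.2.{h}", 443))
    return flows


SAMPLE_FLOWS = build_sample()

if __name__ == "__main__":
    for a in detect_scans(SAMPLE_FLOWS):
        print(a)
```

With the defaults the sample produces two alerts, one horizontal (TCP/22 across the first 20 hosts of 192.0.2.0/24) and one vertical (15 distinct ports on 192.0.2.50), and none for the monitoring host. Shrinking the window to a few seconds silences both, which is the usual trade-off: a slow scan spread over hours, the kind a nationwide nmap run would look like at any single site, needs a long window and a correspondingly higher threshold.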

Finding Orbs

Summary: This series of slides provides an overview of the kinds of information that GCHQ does, or would, automatically analyze in the course of evaluating the security status of computer networks and of machines connected to the Internet generally. Specifically, MUGSHOT, the covername for this effort, would be used to automate target characterization and monitoring (i.e. to understand, from existing GCHQ data sources, the network characteristics of targets designated for computer network exploitation) and to automate un-targeted characterization (i.e. to understand automatically, from existing GCHQ data sources, everything important about all machines on the Internet). Networks and machines that are recognized as vulnerable, and so could be compromised and used as relay points, are termed ‘operational relay boxes’, or ORBs.

Document Published: August 15, 2014
Document Dated: Undated
Document Length: 4 pages
Associated Article: NSA/GCHQ: The HACIENDA Program for Internet Colonization
Download Document: Finding Orbs
Classification: UK TOP SECRET STRAP 1
Authoring Agency: GCHQ
Codenames: COMBINEHARVESTER, HACIENDA, HIGHNOTE, MUGSHOT

OPA~TAS Covert Mobile Phones Policy

Summary: This document summarizes restrictions on GCHQ officers’ use of mobile phones assigned for travel. In addition to signing for and having to return the devices, officers are to keep Bluetooth disabled and the battery removed within a 50-mile radius of Cheltenham, and are not to recharge the phones at their home or temporary address (e.g. a hotel room). Furthermore, officers are to avoid calling family, friends, or any mobile device within 50 miles of Cheltenham, and these phones are not to be carried together with any other kind of mobile device (e.g. an iPad or smartphone). 

Document Published: August 12, 2014
Document Dated: June 28, 2010
Document Length: 6 pages
Associated Article: NPR Is Laundering CIA Talking Points to Make You Scared of NSA Reporting
Download Document: OPA~TAS Covert Mobile Phones Policy
Classification: SECRET
Authoring Agency: GCHQ
Codenames: PISECGIAS, TRYST

JTRIG tools and techniques

Summary: This is a deprecated GCHQ internal wiki page that, prior to being deprecated, provided a listing of the tools and techniques developed by teams at JTRIG. Some were experimental whereas others were not. Some of the covernames refer to engineering-related activities and others to collection-related activities. Some covernames also refer to effects capabilities, though additional capabilities may exist but not be listed. Other covernames concern workflow management, analysis tools, databases, forensic exploitation, techniques, and shaping and honeypots. While there are brief summaries of what each covername refers to, the wiki does not provide extensive details on each covername’s full scope of capabilities. 

Document Published: July 14, 2014
Document Dated: Last updated July 5, 2012
Document Length: 8 pages
Associated Article: Hacking Online Polls and Other Ways British Spies Seek to Control the Internet
Download Document: JTRIG tools and techniques
Classification: TOP SECRET STRAP1 COMINT
Authoring Agency: GCHQ
Codenames: AIRBAG, AIRWOLF, ALLIUMARCH, ANCESTRY, ANGRYPIRATE, ARSONSAM, ASTRALPROJECTION, AXLEGREASE, BABYLON, BADGER, BEARSCRAPE, BEARTRAP, BERRYTWISTER, BERRY TWISTER+, BIRDSONG, BIRDSTRIKE, BOMBBAY, BOMBAYROLL, BRANDYSNAP, BUGSY, BUMBLEBEEDANCE, BUMPERCAR+, BURLESQUE, BYSTANDER, CANNONBALL, CERBERUS, CHANGELING, CHINESEFIRECRACKER, CLEANSWEEP, CLUMSYBEEKEEPER, CONCRETEDONKEY, CONDUIT, COUNTRYFILE, CRINKLECUT, CRYOSTAT, CYBERCOMMANDCONSOLE, DAILYMOTION, DANCINGBEAR, DEADPOOL, DEERSTALKER, DEVILSHANDSHAKE, DIALd, DIRTYDEVIL, DIRTYRAT, DOGHANDLER, DRAGONSSNOUT, EARTHLING, ELATE, EXCALIBUR, EXPOW, FATYAK, FORESTWARRIOR, FRUITBOWL, FUSEWIRE, GAMBIT, GATEWAY, GEOFUSION, GESTATOR, GLASSBACK, GLITTERBALL, GLOBALSURGE, GODFATHER, GOODFELLA, GURKHASSWORD, HACIENDA, HAVOK, HOMEPORTAL, HUSK, ICE, IMPERIALBARGE, INSPECTOR, JAZZFUSION, JAZZFUSION+, JEDI, JILES, JTRIG RADIANTSPLENDOUR, LANDINGPARTY, LONGSHOT, LUMP, MIDDLEMAN, MINIATUREHERO, MIRAGE, MOBILEHOOVER, MOLTENMAGMA, MOUTH, MUSTANG, NAMEJACKER, NEVIS, NEWPIN, NIGHTCRAWLER, NUBILO, NUTALLERGY, OUTWARD, PHOTONTORPEDO, PISTRIX, PITBULL, PODRACE, POISONARROW, POISONEDDAGGER, PREDATORSFACE, PRIMATE, QUINCY, RANA, REAPER, RESERVOIR, ROLLINGTHUNDER, SCARLETEMPEROR, SCRAPHEAPCHALLENGE, SCREAMINGEAGLE, SEBACIUM, SERPENTSTONGUE, SFT, SHADOWCAT, SHORTFALL, SILENTMOVIE, SILVERBLADE, SILVERFOX, SILVERSPECTOR, SILVERLORD, SKYSCRAPER, SLAMMER, SLIPSTREAM, SNOOPY, SODAWATER, SPACEROCKET, SPICEISLAND, SPRINGBISHOP, STEALTHMOOSE, SUNBLOCK, SWAMPDONKEY, SYLVESTER, TANGLEFOOT, TANNER, TECHNOVIKING, TOPHAT, TORNADOALLEY, TRACERFIRE, TWILIGHTARROW, UNDERPASS, VIEWER, VIKINGPILLAGE, VIPERSTONGUE, WARPATH, WATCHTOWER, WINDFARM, WURLITZER

JSA Restrictions – Access Central: Targeting

Summary: This document outlines restrictions placed on running operations from JSA, a US/German COMSAT site. Broadly, the restrictions are: no targeting of German or Five Eyes nationals or locations, no European economic targeting, no Five Eyes/No Eyes Only targets, and no targets of unknown nationality or location. It also lists a series of top-level domains that cannot be targeted (.as, .at, .au, .ca, .de, .gu, .mp, .nz, .pr, .uk, .us, .vi) and a series of specific German companies or entities. 

Document Published: June 18, 2014
Document Dated: Undated
Document Length: 4 pages
Associated Article: New NSA Revelations: Inside Snowden’s Germany File
Download Document: JSA Restrictions - Access Central: Targeting
Classification: TOP SECRET STRAP1 COMINT
Authoring Agency: GCHQ
Codenames: None

Full-Spectrum Cyber Effects: SIGINT Development as an enabler for GCHQ’s “Effects” mission

Summary: Effects operations represented 5% of the GCHQ’s operations at the time this document was produced and were principally conducted by JTRIG and CNE groups. One aspect, Computer Network Information Operations (CNIO) involved activities such as promoting propaganda, deception, and mass messaging, whereas Computer Network Attack (CNA) involved spoofing and denial of service operations. The activities undertaken by either group ranged from individual, low-impact, targeted activities to those with country-wide impact such as targeting critical infrastructure.

Other activities, such as ROYAL CONCIERGE, collected hotel reservation information so that targets could be redirected to SIGINT-friendly locations (e.g. by cancelling visits to unfriendly ones) or so that human intelligence or close access technical operations could be run against them on arrival. Other efforts focused on making messages go viral and on monitoring social media such as Twitter for Target Description Identifiers (TDIs). This information was useful for determining location as well as the relative importance of given users who communicate en masse with others.

In addition to using a vulnerability assessment process to determine the types of ways that a target could be exploited, the document notes how foreign news agencies are targeted as part of human systems analysis. Specifically, this latter operation-type involves harvesting credentials and engaging in employee analysis to know who is speaking with whom, and why.

For the future, GCHQ recognized the value of working with other Five Eyes agencies on signals development before launching effects operations, as well as engaging in BGP and MPLS operations and evaluating how SIP and VoIP effects could be used for denial of service and psychological operations. 

Document Published: April 4, 2014
Document Dated: Undated
Document Length: 19 pages
Associated Article: The “Cuban Twitter” Scam Is a Drop in the Internet Propaganda Bucket
Download Document: Full-Spectrum Cyber Effects: SIGINT Development as an enabler for GCHQ’s “Effects” mission
Classification: UK TOP SECRET STRAP 1
Authoring Agency: GCHQ
Codenames: BLACKHOLE, GUILTYSPARK, HOTWIRE, ROYALCONCIERGE, SALAMANCA

The Art of Deception: Training For A New Generation Of Online Covert Operations

Summary: This is a slide presentation from GCHQ’s Human Science division, which was engaging in operations meant to collect online human intelligence, conduct influence and information operations, and carry out disruption and computer network attack activities. The division distinguishes between individual, group, and global engagements for each of these operation types, and offers different ways of understanding and looking at the various types of operations.

The focus of the division is to deceive targets of operations by exploiting what targets expect to see in order to bias behaviours. The slides also note the importance of exploiting human psychology as well as how disruption and computer network attacks can be used to advance a range of operations, such as those emphasizing: infiltration, ruse, set piece, false flag, false rescue, disruption, and sting. 

At the time the slide deck was presented there were plans to fully ‘roll out’ the division in 2013. This was to involve training 150+ JTRIG and Ops staff. 

Document Published: February 24, 2014
Document Dated: Undated
Document Length: 50 pages
Associated Article: How Covert Agents Infiltrate the Internet to Manipulate, Deceive, and Destroy Reputations
Download Document: The Art of Deception: Training For A New Generation Of Online Covert Operations
Classification: SECRET//SI//REL TO USA, FVEY
Authoring Agency: GCHQ
Codenames: None

DISRUPTION Operational Playbook

Summary: This document contains slides from two different sources. The first slide, also found in a GCHQ document titled “The Art of Deception”, begins by describing a range of disruption operation types, including infiltrations, ruses, set pieces, false flag and false rescue, disruption, and sting operations. Effects, themselves, involve using online techniques to make something happen in the real or cyber domain, using either information or technical operations. One slide outlines a series of ways to discredit a target, and the final slide suggests that such effects might be discussed as part of a presentation on pushing the boundaries and taking action against hacktivism.  

Document Published: February 24, 2014
Document Dated: Undated
Document Length: 4 pages
Associated Article: How Covert Agents Infiltrate the Internet to Manipulate, Deceive, and Destroy Reputations | Exclusive: Snowden Docs Show British Spies Used Sex and 'Dirty Tricks'
Download Document: DISRUPTION Operational Playbook
Classification: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: GCHQ (likely)
Codenames: None

Mobile Theme Briefing

Summary: This GCHQ briefing presentation outlines the importance of mobile communications devices to the agency and discusses the development of the Mobile Applications Project. The project was created to develop capabilities against mobile applications in general, as well as to facilitate target-centric analysis of voice, text, computer-to-computer, and geolocation data.

Part of the Mobile Applications Project involved GCHQ porting WARRIOR PRIDE, a computer network exploitation program, to the iPhone. GCHQ also developed specialised plugins for iOS.

CSE initiated a similar port of WARRIOR PRIDE to the Android platform and created Android plugins similar to those developed for iOS.

Document Published: January 28, 2014
Document Dated: May 28, 2010
Document Length: 6 pages
Associated Article: Angry Birds and 'leaky' phone apps targeted by NSA and GCHQ for user data
Download Document: Mobile Theme Briefing
Classification: SECRET STRAP 1
Authoring Agency: GCHQ
Codenames: DREAMYSMURF, NOSEYSMURF, PARANOIDSMURF, PORUS, TRACKERSMURF, WARRIORPRIDE

Psychology: A New Kind of SIGDEV

Summary: These slides showcase the value of using passively collected information to maintain, or generate, real-time statistics on website visits, as well as to target activities online. Using this information, influence or attack operations could be conducted on the basis of individual- and population-level attitudes or activities observed online.

Document Published: January 27, 2014
Document Dated: 2012
Document Length: 44 pages
Associated Article: Snowden docs reveal British spies snooped on YouTube and Facebook 
Download Document: Psychology: A New Kind of SIGDEV
Classification: TOP SECRET//SI//REL TO USA, FVEY
Authoring Agency: GCHQ
Codenames: AIRWOLF, ANTICRISISGIRL, DISTILLERY, FIREANT, HOLLOWPOINT, SQUEAKYDOLPHIN

Capability – iPhone

Summary: This is a single slide from a GCHQ slide deck. It lists iPhone-specific WARRIORPRIDE plugins targeted at power management, hot mic, geolocation, kernel stealth, self-protection, and file retrieval. WARRIORPRIDE is a covername for the Five Eyes nations’ smartphone exploitation platform or tools.

Document Published: January 27, 2014
Document Dated: Undated
Document Length: 1 page
Associated Article: Spy Agencies Tap Data Streaming From Phone Apps
Download Document: Capability - iPhone
Classification: SECRET STRAP 1
Authoring Agency: GCHQ
Codenames: DREAMYSMURF, NOSEYSMURF,  PARANOIDSMURF, PORUS, TRACKERSMURF, WARRIORPRIDE

2013

BULLRUN CoI–Briefing Sheet 

Summary: This briefing sheet explains the sensitivity of the BULLRUN capability to gain access to decrypts of encrypted communications, and how both the fact of BULLRUN and the decrypts associated with it must be protected. Decrypts were made possible by the NSA’s efforts to “make major improvements in defeating network security and privacy” using a variety of sources and methods, including: Computer Network Exploitation (CNE), collaboration with other intelligence agencies, investment in high-performance computers, and the development of advanced mathematical techniques (1).

The NSA introduced the BULLRUN Community of Interest (COI) to protect the Five Eyes’ “abilities to defeat the encryption used in network communication technologies”. This meant it was important to restrict knowledge about the “fact of” a capability against a specific technology as well as the resulting decrypts (1). CSE, DSD (now ASD), and GCSB were all expected to introduce BULLRUN COIs of their own.

BULLRUN capabilities pertained to numerous kinds of encryption technologies, including but not limited to: TLS/SSL, HTTPS, SSH, encrypted chat, VPNs, and encrypted VOIP. Both the methods used to achieve exploitation and knowledge of which technologies were exploitable were protected information. Similarly protected was knowledge of any support from organisations internal or external to GCHQ that made the decrypts possible. Access to BULLRUN did not mean that individuals needed to know the details of how the sources and methods used to exploit communications operated. All decrypts from BULLRUN had to be marked with the label “BULLRUN”, and use of the BULLRUN marking was restricted to GCHQ and its SIGINT Second Parties.

There was a gradient of classification associated with BULLRUN information. The fact that GCHQ had “unspecified capabilities against network security technologies”, and that “capability does not necessarily equate to decryption capability”, was classified TOP SECRET STRAP1 COMINT AUSCANZUKUS EYES (3). The fact that GCHQ or its Second Party partners had “some capability against the encryption used in a class or type of network communications technology” was likewise TOP SECRET STRAP1 COMINT AUSCANZUKUS EYES (3). The highest classification, TOP SECRET STRAP2 COMINT BULLRUN AUSCANZUKUS EYES, was reserved for information about capability against a specific encrypted network security technology, the fact that GCHQ or its Second Party partners had exploited specific network communications, and the decrypts obtained from BULLRUN capabilities.

Document Published: September 5, 2013
Document Dated: Undated
Document Length: 4 pages
Associated Article: Revealed: The NSA's Secret Campaign to Crack, Undermine Internet Security
Download Document: BULLRUN CoI--Briefing Sheet 
Classification: TOP SECRET STRAP1 COMINT
Authoring Agency: GCHQ
Codenames: BULLRUN, ENDUE, NOCON

Unknown

Site Updates (OPA-MHS-[REDACTED])

Summary: This document snippet outlines ongoing research at GCHQ into directed GSM tower geolocation. The DYMO prototype discussed would use synthetic geolocation to produce higher-resolution, more accurate results.

Document Published: Unknown
Document Dated: Unknown
Document Length: 1 page
Associated Article: Unknown
Download Document: Site Updates (OPA-MHS-[REDACTED])
Classification: TOP SECRET STRAP 1
Authoring Agency: GCHQ
Codenames: DYMO, RUFIS, WHAMI

Yemen Microwave (Snippet)

Summary: This snippet provides an update concerning GCHQ’s tasking against a microwave tower in Yemen, and notes that the subsequent collection of voice, SMS, and at least one DNR hit contributed “highly” to counter-terrorism work on the target.

Document Published: Unknown
Document Dated: Undated
Document Length: 1 page
Associated Article: Unknown
Download Document: Yemen Microwave (Snippet)
Classification: TOP SECRET//STRAP 1
Authoring Agency: GCHQ
Codenames: None