This page contains a listing of covernames associated with the Government Communications Headquarters (GCHQ). GCHQ is responsible for providing signals intelligence (SIGINT) and information assurance services to the government and armed forces of the United Kingdom.

I have produced similar lists for the Communications Security Establishment (CSE) and Government Communications Security Bureau (GCSB). A list for the National Security Agency (NSA) is forthcoming. You may also want to visit Electrospaces.net, which has also developed lists of covernames for some of the above-mentioned agencies, as well as the National Security Agency (NSA).

All material provided below is derived from publicly available documents, books, and other resources. Descriptions of what the covernames mean or refer to are done on a best-effort basis; if you believe there is additional publicly referenced material derived from GCHQ documents which could supplement descriptions please let me know. Entries will be updated periodically as additional materials become available.


#

8BALL


A

ABSOLINE EPILSON – This covername refers to the target of a CNE end point operation (iPhone target analysis and exploitation with unique device identifiers, 3).

ACUILA

ACCUMULO

ACRIDMINI – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).

AIR BAG – This covername refers to an operational engineering tool created by JTRIG. The covername refers to JTRIG’s laptop capability for field operations (JTRIG tools and techniques, 2).

AIRWOLF – This covername refers to a beta-release collection tool created by JTRIG. The covername refers to YouTube profile, comment, and video collection (JTRIG tools and techniques, 3).

ALLIUM ARCH – This covername refers to an operational engineering tool created by JTRIG. It facilitates the JTRIG UIA via the Tor Network (JTRIG tools and techniques, 2).

ALPHA CENTAURI

ALPINE BUTTERFLY

ACTOR ACTION – This covername refers to an Interface Control Document (ICD) which provides a generic schema that allows for different types of events to be captured. It was initially intended for presence (HARD ASSOC, evolved MUTANT BROTH) and communications (SOCIAL ANTHROPOID) events. However, a range of protocols and applications were being adapted to the AA format, including email, messaging, VoIP, GTP, and general apps (including Google Mobile Maps and Blackberry) (Event (SIGINT), 4-5).

ANCESTRY – This covername refers to a fully operational collection tool created by JTRIG. The covername refers to a tool for discovering the creation date of Yahoo selectors (JTRIG tools and techniques, 3).

ANGRY PIRATE – This covername refers to an effects capability tool created by JTRIG that was ready to fire, though possessed targeting restrictions. The covername refers to a tool that will permanently disable a target’s account on their computer (JTRIG tools and techniques, 5).

ANTICRISIS GIRL – This covername refers to a program that is designed to provide targeted website monitoring using passive collection. It is a customized Piwiki and is integrated into GCHQ’s GTE division’s passive capabilities. The example provided is of Wikileaks, and tracking inbound and outbound link clicks, as well as numbers of visitors (Psychology: A New Kind of SIGDEV, 33-34).

ANXIOUS – This covername refers to a methodology that entails creating an XKS fingerprint for the UK IP addresses of potential victim networks in order to tag SIGINT traffic that relates to these networks. The traffic may then be searched in conjunction with a signature to look for evidence of known electronic attack on targeted companies’ networks (Cyber Defence Operations Legal and Policy, 8).

APPARITION – This covername refers to a system which provides very small aperture terminal (VSAT) geolocation and mapping information. APPARITION is used for target development and survey work, with its information derived from Internet Protocol information as well as Cross Access Regional Development (CARD) Comsat sites. These sites include: LADYLOVE (Misawa), JACKNIFE (west coast USA), MOONPENNY (Menwith Hill Station), and CARBOY (Bude Station) (APPARITION/GHOSTHUNTER Tasking Info, 1).

APERTURESCIENCE – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).

ARCADE CONCEPT – This covername refers to an operation (Cyber Defence Operations Legal and Policy, 11).

ARCANO

ARSENIDE

ARSON SAM – This is an effects capability tool created by JTRIG that was ready to fire, but not against live targets because it was a R&D tool. The covername refers to a tool to test the effect of certain types of PDU SMS messages on phones and networks. It also includes PDU SMS Dumb Fuzzing testing (JTRIG tools and techniques, 5).

ARTEMIS

ASTRAL PROJECTION – This covername refers to an operational engineering tool created by JTRIG. It is associated with using Tor hidden services to establish a remote GSM secure covert internet proxy (JTRIG tools and techniques, 2).

AURA

AUTOASSOC – This covername refers to a Question Focused Database (QFD) (Black Hole Analytics, 6). The metadata-focused database (Next Generation Events, 5) is used to find other identifiers for the target (Black Hole Analytics, 8) by matching bulk and unselected event-based Target Description Identifiers (TDIs) with one another and producing a confidence score of which TDIs have been seen at the same time from the same IP addresses as IP addresses from other TDIs (Blazing Saddles, 2). At one point the database retained data for 6 months and consumed 0.1 TB of disk space (Data Stored in BLACK HOLE, 2). Information in this includes presence events (Event (SIGINT), 4). The intent behind AUTOASSOC is to find out when multiple TDIs belong to the same user or machine (HIMR Data Mining Research Problem Book, 40).

AUTO TDI

AWKWARD TURTLE – This covername refers to a ‘recommender’ system designed to detect possible terror suspects based on their HTTP activity (“ICTR Cloud Efforts”, 14).

AXLE GREASE – This covername refers to an operational engineering tool created by JTRIG. The covername refers to the covert banking link for CPG (JTRIG tools and techniques, 2).


B

B17 – This covername refers to a technique for finding cross-media timing patterns, and which incorporates the CLASP algorithm (PullThrough Steering Group Meeting #16, 1).

B3M – IT Services will not provide new accounts for this database unless the user completes the appropriate mandatory operational legalities training, and records it in iLearn (Cyber Defence Operations Legal and Policy, 15).

BABELFISH

BABYLON – This is an analysis tool created by JTRIG. The covername refers to a tool that bulk queries webmail addresses and verifies whether they can be signed up for. A green tick indicates that the address is currently in use. Verification can currently be done for Hotmail and Yahoo (JTRIG tools and techniques, 7).

BADASS – This acronym refers to BEGAL Automated Deployment And Survey System (Mobile apps doubleheader: BADASS Angry Birds, 3).

BADGER – This is an effects capability tool created by JTRIG that was ready to fire. The covername refers to mass delivery of email messaging to support an Information Operations campaign (JTRIG tools and techniques, 5).

BAKER’S DOZEN – This covername refers to a technique for finding batches in near-sequential phone numbers that displays causal behaviour (HIMR Data Mining Research Problem Book, 27).

BALLONKNOT – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and is incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).

BASSQUEST

BEARDED PIGGY

BEARSCAPE – This is a forensic exploitation capability created by JTRIG. The covername refers to a capability to extract WiFi connection history (MAC and timing) when supplied with a copy of the registry structure or run on the box (JTRIG tools and techniques, 7).

BEARTRAP – This is a fully operational collection tool created by JTRIG. The covername refers to bulk retrieval of public BEBO profiles from member or group ID (JTRIG tools and techniques, 3).

BERRY TWISTER – This is a pilot engineering tool created by JTRIG. The covername refers to a sub-system of FRUITBOWL (JTRIG tools and techniques, 2).

BERRY TWISTER+ – This is a pilot engineering tool created by JTRIG. The covername refers to a sub-system of FRUITBOWL (JTRIG tools and techniques, 2).

BIG BUS

BIRCH – This covername refers to a kind of data clustering (HIMR Data Mining Research Problem Book, 94).

BIRD SEED – This covername refers to a tool designed to use the Twitter API and filter for updates from known malware and security researchers (Open Source for Cyber Defence/Progress, 1).

BIRDSONG – This is a decommissioned collection tool created by JTRIG which was replaced by SYLVESTER. The BIRDSONG covername refers to automated posting of Twitter updates (JTRIG tools and techniques, 3).

BIRDSTRIKE – This covername refers to a tool designed by JTRIG that scrapes Twitter for a handful of IDs and doesn’t repeat; information collected using BIRDSTRIKE requires datamining (Open Source for Cyber Defence/Progress, 1). More generally it involves Twitter monitoring and profile collection (JTRIG tools and techniques, 3).

BISHOP

BLACKCAT – This covername refers to an HTTP interface for BLACK HOLE (Next Generation Events (NGE) — BLACK HOLE ConOp, 6). It is responsible for returning the list of files that are found using BLACKFIND to an analyst or user (Next Generation Events (NGE) — BLACK HOLE ConOp, 11).

BLACKFIND – This covername refers to an interface for BLACK HOLE (Next Generation Events (NGE) — BLACK HOLE ConOp, 6). It involves sending a list of criteria (e.g. data type, date) and returning a list of files that meet the criteria. BLACKCAT is responsible for streaming files to the analyst (Next Generation Events (NGE) — BLACK HOLE ConOp, 11).

BLACK HOLE – This covername refers to the large flat file storage where GCHQ data resides after initial processing, and before being manipulated and correlated and loaded into Question Focused (QFD) database tables (Black Hole Analytics, 6). It contains: webmail, email transfers, chat, internet browsing, website logins, vbulletin web fora, web cams, gaming, social networking, and other events (Data Stored in BLACK HOLE, 1). BLACK HOLE is seen as enabling a range of activities, including: new QFDs to be rapidly prototyped and added to operational QFD suites, trialling new bulk analysis ideas, introducing new data sources to QFDs very quickly, looking for particular patterns and behaviours for target discovery, and access to more data for research purposes that might not be QFD related. BLACK HOLE is part of ROUGH DIAMOND (Demystifying NGE Rock Ridge, 8).

BLACKNIGHT – This covername refers to a method which can be used by TERRAIN for selection (PRESTON Architecture (Version 3.0), 32). BLACKNIGHT selectors can be used to reduce data intake rates to the PRESTON system. It was not supported any longer, as of 2007, and was not expected to support data from high-bandwidth sources.

BLAZING SADDLES – This was a covername for an Internet profiling development project undertaken by Next Generation Events (NGE). The goal was to take internal GCHQ research and apply it to process events at scale. This entails a “significant effort on End-to-End Sigint process” (Next Generation Events, 4).

BLOOD HOUND – Designed to detect electronic attack, such as that which is distributed and automated in nature (“ICTR Cloud Efforts”, 28).

BLUE SHIFT

BOMB BAY – This is an effects capability tool created by JTRIG that was in development. The covername refers to the capability to increase website hit and rankings (JTRIG tools and techniques, 5).

BOMBAYROLL – This is an operational engineering tool created by JTRIG. The covername refers to JTRIG’s legacy UIA standalone capability (JTRIG tools and techniques, 2).

BOSTROM

BOXSTER – This covername refers to a legacy circuit switched and line access solution (PRESTON Architecture (Version 3.0), 5).

BOUNCER – Used by NTAC to collect special source material, which is used by GCHQ (Source: The National Technical Assistance Centre).

BRANDY SNAP – This is an engineering tool created by JTRIG that is in the implementation state. The covername refers to JTRIG’s UIA contingency in Scarborough (JTRIG tools and techniques, 2).

BRIGHTON – Can be used for legacy delivery for TERRAIN system (PRESTON Architecture (Version 3.0), 32).

BRIO – This covername is associated with SALAMANCA. As of October or November 2010 BRIO was storing near real time data for 3 days, while getting extra TERRAIN feeds from Bude Station and Sounder (in Cyprus) (Events Product Centre, 7-8).

BROADOAK – This covername refers to “GCHQ’s targeting database” which provides selectors to front-end processing systems so that those systems can determine whether to process content; example selectors might include telephone numbers, email addresses, IMEIs, or IP ranges. A selector whose communications are currently being targeted is said to be ‘on cover’ (HIMR Data Mining Research Problem Book, 10; iPhone target analysis and exploitation with unique device identifiers, 5). Users must justify and review the retention of information which has been collected, including the justification of each targeting selector (Operational Legalities, 27).

BROKER

BUGSY – This is an early development collection tool created by JTRIG. The covername refers to Google+ collection (circles, profiles, etc) (JTRIG tools and techniques, 3).

BUMBLEBEE DANCE – This is an operational engineering tool created by JTRIG. The covername refers to JTRIG operational virtual machine and Tor architecture (JTRIG tools and techniques, 2).

BUMPERCAR – BUMPERCAR operations are used to disrupt and deny Internet-based terror videos or other material (JTRIG tools and techniques, 5).

BUMPERCAR+ – This is an effects capability tool created by JTRIG that was ready to fire. The covername refers to an automated system developed by JTRIG CITD to support JTRIG BUMPERCAR operations. BUMPERCAR operations are used to disrupt and deny Internet-based terror videos or other material. The technique employs the services provided by upload providers to report offensive materials (JTRIG tools and techniques, 5).

BURLESQUE – This is an effects capability tool created by JTRIG that was ready to fire. The covername refers to the capability to send spoofed SMS text messages (JTRIG tools and techniques, 5).

BYSTANDER – This is a database created by JTRIG. The covername refers to a categorization database that is accessed via web services (JTRIG tools and techniques, 7).


C

CADDIS – This is a SIS desktop (Mobile Networks in My NOC World, 3).

CADENCE – This covername refers to a dictionary management process, whereby selectors such as those in BLACKNIGHT are used by the PRESTON system to select relevant identifiers in a lawful interception.

CAFFEINE HIT – This is a Question Focused Dataset (QFD) that is part of the ROCK RIDGE roll out by the Next Generation Events (NGE) group.

CALDWELL PARK

CANLEY – Used by NTAC to collect special source material, which is used by GCHQ (Source: The National Technical Assistance Centre).

CANNONBALL – This is an effects capability tool created by JTRIG that was ready to fire. The covername refers to the capability to send repeated text messages to a single target (JTRIG tools and techniques, 5).

CARBON ROD

CARBOY – This covername refers to a GCHQ COMSAT access location (COMSAT Snippet) located at Bude Station (APPARITION/GHOSTHUNTER Tasking Info, 1).

CASK – This covername refers to situational awareness for the 2012 Olympics in London (HIMR Data Mining Research Problem Book, 94).

CATSUP – Used by NTAC to collect special source material, which is used by GCHQ (Source: The National Technical Assistance Centre).

CERBERUS – This is an operational engineering tool created by JTRIG. The covername refers to JTRIG’s legacy UIA desktop, which was soon to be replaced with FORESTWARRIOR (JTRIG tools and techniques, 2).

CHAINGUARD

CHANGELING – This is a techniques capability created by JTRIG. The covername refers to the ability to spoof any email address and send email under that identity (JTRIG tools and techniques, 8).

CHART BREAKER – This covername refers to research that initially looked at handling the multiple scores derived from the email communication hypergraph. This scoring was being extended to handle multiple communications mediums as part of FIRSTCONTACT in 2011 (HIMR Data Mining Research Problem Book, 21).

CHEYENNE MOUNTAIN

CHEYENNE MOUNTAIN2

CHINESE FIRECRACKER – This is an effects capability tool created by JTRIG that was ready to fire. The covername refers to overt brute login attempts against online forums (JTRIG tools and techniques, 5).

CHOKEPOINT

CIA QUINCY

CIRCUIT – This covername refers to a UK base located at Seeb, on the northern coast of Oman. The base is referred to as Overseas Processing Centre 1 (OPC-1). The base is used to tap into various undersea cables passing through the Strait of Hormuz into the Persian/Arabian Gulf (Revealed: GCHQ’s beyond top secret Middle Eastern internet spy base, 1).

CLASP – This covername refers to an algorithm that is similar to, yet more general than, the PRIME TIME algorithm that is used to identify cross-media timing chains (PullThrough Steering Group Meeting #16, 1).

CLARINET – This covername refers to a UK base located in the south of Oman, and proximate to Yemen (Revealed: GCHQ’s beyond top secret Middle Eastern internet spy base, 1).

CLEAN SWEEP – This is an effects capability tool created by JTRIG that was ready to fire, though SIGINT sources are required. The covername refers to the ability to masquerade Facebook wall posts for individuals or entire countries (JTRIG tools and techniques, 5).

CLOTHO2

CLOUDBASE

CLOUDY COBRA – This covername is described as a glorified grep driven by a GUI; it finds events that contain user search terms (GCHQ Analytic Cloud Challenges, 10).

CLUMBSY BEEKEEPER – This is an effects capability tool created by JTRIG that was not ready to fire. The covername refers to some work in process to investigate IRC effects (JTRIG tools and techniques, 5).

COLLATERAL

COMBINEHAVESTER

COMET – This covername refers to a recipe for learning and using large ensembles on massive data (HIMR Data Mining Research Problem Book, 85).

CONCRETE DONKEY – This is an effects capability tool created by JTRIG that was in development. The covername refers to the capability to scatter an audio message to a large number of telephones, or repeatedly bomb a target number with the same message (JTRIG tools and techniques, 5).

CONDONE – Used by NTAC to collect special source material, which is used by GCHQ (Source: The National Technical Assistance Centre).

CONDUIT – This is a database created by JTRIG. The covername refers to a database of C2C identifiers for Intelligence Community assets acting online, either under alias or in real name (JTRIG tools and techniques, 7).

CONTRAOCTIVE

CONVERSION QUEST – A COMSAT programme under the umbrella of the SHAREDQUEST COMSAT modernization program (COMSAT Snippet).

COPPERHEAD – This covername refers to a Computer Network Exploitation (CNE) attack box (Mobile Networks in My NOC World, 3).

CORINTH – Used by GCHQ to manage selectors and filters associated with PRESTON.

COUNTRY FILE – This is an operational engineering tool created by JTRIG. The covername refers to a sub-system of JAZZFUSION (JTRIG tools and techniques, 2).

COURIERSKILL

CRAN

CRINKLECUT – This covername refers to a tool developed by ICTR-CISA to enable JTRIG to track images as part of SPACEROCKET (JTRIG tools and techniques, 8).

CROSSEYEDSLOTH – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).

CROUCHING SQUIRREL – This covername refers to a way of detecting botnets (HIMR Data Mining Research Problem Book, 41) by filtering and classifying using behavioural vector analysis (HIMR Data Mining Research Problem Book, 86).

CROWNPRINCE – This covername refers to a technique for identifying Apple UDIDs in HTTP traffic (iPhone target analysis and exploitation with unique device identifiers, 1) and likely includes extracting the identifier from Yahoo! Admob traffic and other sources (iPhone target analysis and exploitation with unique device identifiers).

CRYINGFOWL

CRYOSTAT – This is an analysis tool created by JTRIG. The covername refers to a JTRIG tool that runs against data held in NEWPIN. It then displays this data in a chart to show links between targets (JTRIG tools and techniques, 7).

CULT WEAVE

CYBER COMMAND CONSOLE – This is a workflow management tool created by JTRIG. The covername refers to a centralized suite of tools, statistics, and views for tracking current operations across the Cyber community (JTRIG tools and techniques, 6).


D

DAILYMOTION

DANCINGBEAR – This is a fully operational collection tool created by JTRIG. The covername refers to a tool which obtains the locations of WiFi access points (JTRIG tools and techniques, 3).

DAPINO GAMMA

DAREDEVIL – This covername refers to GCHQ’s scalable, flexible, and portable CNE platform that parallels the Canadian WARRIORPRIDE program. Some plugins are used for machine recon and operational security assessments, as well as for counter computer network operations. Specifically, the plugins enable machine reconnaissance, implant detection, rootkit detection, file identification and retrieval, DNS analysis, and network sniffing and characterization (CSE SIGINT Cyber Discovery: Summary of the current effort, 8).

DARKFIRE – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).

DARKQUEST

DATA FLOW CAB – This covername refers to a system used by researchers within GCHQ to request MAILORDER data feeds for BLACK HOLE.

DEADPOOL – This is a shaping and honeypots capability created by JTRIG. The covername refers to a URL shortening service (JTRIG tools and techniques, 8).

DEADSEA

DEBIT CARD

DEER STALKER – This is an effects capability tool created by JTRIG that was ready to fire. The covername refers to the ability to aid geolocation of satellite phones/GSM phones via a silent call to the phone (JTRIG tools and techniques, 5).

DEVILS HANDSHAKE – This is a fully operational collection tool created by JTRIG. The covername refers to an ECI data technique (JTRIG tools and techniques, 3).

DIALd – This is an operational engineering tool created by JTRIG. The covername refers to an eternal internet redial and monitor daemon (JTRIG tools and techniques, 2).

DICING – This covername refers to an operation (Cyber Defence Operations Legal and Policy, 11).

DIRTY DEVIL – This is an in-design engineering tool created by JTRIG. The covername refers to JTRIG’s research network (JTRIG tools and techniques, 2).

DIRTYRAT

DISCOVER – This covername refers to GCHQ’s document repository (HIMR Data Mining Research Problem Book, 65).

DISTILLERY – This covername refers to a stream processing platform which enables near real-time processing of data (HIMR Data Mining Research Problem Book, 11).

DOG HANDLER – This is an in-design engineering tool created by JTRIG. The covername refers to JTRIG’s development network (JTRIG tools and techniques, 2).

DONKEY KONG

DRAGON’S SNOUT – This is a beta release collection tool created by JTRIG. The covername refers to Paltalk group chat collection (JTRIG tools and techniques, 3).

DREAMY SMURF – This covername is for an iPhone specific plugin that GCHQ uses to manage or analyze power management (Capability – iPhone).

DYMO – This covername refers to a prototype tool for directed GMS tower geolocation that would allow for greater accuracy for high resolution results (Site Updates (OPA-MHS-[REDACTED]), 1).


E

E-BEAM

EARTHLING

ECHELON – A cover name for the program designed to collect and process INTELSAT communications, and under the broader umbrella of the FROSTING program (The Northwest Passage (Volume 2, Issue 1), 1). ECHELON eventually grew to encompass non-Intelsat satellites, and included COMSAT/FORNSAT stations in all of the Five Eyes countries. As part of ECHELON, the NSA purchased COMSAT assets that GCHQ was subsequently responsible for providing service and support for (COMSAT Snippet).

ELATE – This is an analysis tool created by JTRIG. The covername refers to a suite of tools for monitoring target use of the UK site eBay (www.ebay.co.uk). These tools are hosted on an Internet server and can be retried by encrypted email (JTRIG tools and techniques, 7).

ENCHANTERSS

EPIC FAIL – Identifies careless use of TOR networks (GCHQ Analytic Cloud Challenges, 10).

EREPRO – This is a covername for router operations. EREPO provides access to in country collection through the exploitation of routers, and provides crypt material, event tip-offs, and target metadata (GCHQ CNE Presentation, 14).

ERIDANUS

ESCHAR

EVERY ASSOC – Used for Target Description Identifier (TDI) alternative identifier scoring (“ICTR Cloud Efforts”, 7) that engages in user/machine correlations from computer to computer presence (GCHQ Analytic Cloud Challenges, 10).

EVERY CIPHER – Holds user/machine cipher events (GCHQ Analytic Cloud Challenges, 10).

EVERY CREATURE – Holds user/machine search terms (GCHQ Analytic Cloud Challenges, 10).

EVERY eAD – Holds user/machine electronic attack patterns (GCHQ Analytic Cloud Challenges, 10).

EVERY POLICE – Holds user/machine website visits (GCHQ Analytic Cloud Challenges, 10).

EVOLVED MUTANT BROTH – This covername refers to a Question Focused Database (QFD) (Black Hole Analytics, 6). The database is used to create a profile of a target’s online activities alongside telephony (Black Hole Analytics, 9). Specifically, it is used to identify when certain Target Description Identifiers (TDIs) appear in traffic which indicate target usage and their location. Telephony and computer to computer data provide the converged view. This QFD responds to the question of: “Where has my target been? What kind of communications devices has my target been using?” (GCHQ Analytic Cloud Challenges, 5).

EVOLVED SOCIAL ANIMAL – This covername refers to a Question Focused Database (QFD) (Black Hole Analytics, 6). The database is used to create a social network including telephony (Black Hole Analytics, 9).

EXCALIBUR – This is a fully operational collection tool created by JTRIG that worked against the current version of Paltalk in 2012. The covername refers to a tool which acquires a Paltalk UID and/or email address from a screen name (JTRIG tools and techniques, 3).

EXPOW – This is an operational engineering tool created by JTRIG. The covername refers to GCHQ’s UIA capability provided by JTRIG (JTRIG tools and techniques, 2).


F

FASCIA

FAST GROK – This covername refers to a selection engine, similar to BLACKNIGHT, which was developed as part of TERRAIN 9 to replace six other selection engines; FAST GROK was meant to deprecate all others in use for TERRAIN. It works with selector sets, such as TACHO, CORINTH, and TRAFFIC MASTER, as well as a dictionary format.

FATYAK – This is an in-development collection tool created by JTRIG. The covername refers to a tool which collects public data from LinkedIn (JTRIG tools and techniques, 3).

FARNDALE – Holds survey or target development data for analysis (PRESTON Architecture (Version 3.0), 22); TERRAIN is responsible for sending at least some of this data. FARNDALE is a local repository of survey data, to ensure that it does not burden delivery networks or collection systems associated with TERRAIN.

FEDEX

FIRE ANT – This is an open source visualization tool (Psychology: A New Kind of SIGDEV, 42).

FIRE ENGINE – This covername refers to a question-based system that enables federated access to events and reference data sources, and which is accessible using the LOOKING GLASS client platform (GCHQ Analytic Cloud Challenges, 11).

FIRE STORM

FIRST CONTACT – Holds first and second hop contact chains between seeds and targets (GCHQ Analytic Cloud Challenges, 10).

FIVE ALIVE (aka: 5-Alive) – This covername refers to a bulk store of IP flow records, coupled with some simple analytics that summarize and visualize IP activity (“ICTR Cloud Efforts”, 27). This dataset has a record of each IP event seen, consisting of the 5-tuple (time stamp, source IP, source port, destination IP, destination port) plus some information on session length and size (HIMR Data Mining Research Problem Book, 11).

FLAME CARPET 2

FLUID INK – This covername refers to a subset of SOLID INK, but which was seen through GCHQ’s SIGINT collection. It lacked in-country calls as compared to SOLID INK. The INK data set had four fields: timestamp, user-1, user-2, and a number (HIMR Data Mining Research Problem Book, 73-74).

FOGHORN – Is used to find non-targets using target machines (GCHQ Analytic Cloud Challenges, 10).

FORESIGHT

FOREST WARRIOR – This is an in-design engineering tool created by JTRIG. The covername refers to a desktop replacement for CERBERUS (JTRIG tools and techniques, 2).

FOXTRAIL

FRACTAL JOKER – This program presents statistical information to analysts, with the information having been derived from MVR/PPF, GORDION KNOT, XKEYSCORE, SAMUEL PEPYS, and ALPINE BUTTERFLY. In the process it grants a ‘wide’ vision of data by collecting SIGINT and Information Assurance-related data (The Tale of Two Sources, 16). It is designated as a mission management dashboard (NDIST 5-a-day, 1).

FRACTAL WEB

FREEFORM 

FRUIT BOWL – This is a design-stage engineering tool created by JTRIG. The covername refers to the CERBERUS UIA replacement and new tools infrastructure (JTRIG tools and techniques, 2).

FUME CUPBOARD – A native file viewer that is part of the XKS and TINT Bude experiments (Next Generation Events, 10).

FUSEWIRE – This is a fully operational collection tool created by JTRIG. The covername refers to a tool which provides 24/7 monitoring of VBulletin forums for target postings/online activity. It also allows staggered posting to be made (JTRIG tools and techniques, 3).


G

GAMBIT – This is an effects capability tool created by JTRIG that was in development. The covername refers to a deployable pocket-sized proxy server (JTRIG tools and techniques, 5).

GATEWAY – This is an effects capability tool created by JTRIG that was ready to fire. The covername refers to the ability to artificially increase traffic to a website (JTRIG tools and techniques, 5).

GENESIS – A language that is used by analysts to query GCHQ’s TEMPORA, which is a large-scale instantiation of XKEYSCORE (TEMPORA — “The World’s Largest XKEYSCORE” — Is Now Available to Qualified NSA Users, 2).

GENTIAN – This covername refers to a legacy circuit switched and line access solution (PRESTON Architecture (Version 3.0), 5).

GEOFUSION – This covername refers to a system used by the GCHQ to conduct Internet Protocol (IP) Geolocation (What is HACIENDA?, 1).

GERONTIC – The covername for Vodafone Cable (former Cable & Wireless company) (Revealed: GCHQ’s beyond top secret Middle Eastern internet spy base, 1).

GESTATOR – This is an effects capability tool created by JTRIG. The covername refers to the amplification of a given message, normally video, on popular multimedia websites such as YouTube (JTRIG tools and techniques, 5).

GHOSTHUNTER – This covername refers to a system designed to provide very small aperture terminal (VSAT) geolocation and mapping information. Systems for GHOSTHUNTER are located at Menwith Hill Station (MHS) and SOUNDER, and the information is used for high priority tasking and support for operations. GHOSTHUNTER is used to provide the geolocation of modems of interest, and is capable of narrowing modems of interest by geographic region, as well as all modems proximate to a modem of interest (APPARITION/GHOSTHUNTER Tasking Info, 1-2).

GLAIVE – The covername refers to GCHQ’s HF/VHF/UHF collection architecture. GLAIVE systems were deployed to Kuwait in early 2003 to monitor Iraqi communications prior to Operation Iraqi Freedom, and to Balad, Iraq, in December 2003 to collect on local insurgents as well as provide a strategically located SIGINT capability in the Middle East. This latter system was used for COMSEC monitoring (NSA and GCHQ Team Up to Tackle HF).

GLASSBACK – This is a fully operational collection tool created by JTRIG. The covername refers to a technique of getting a target’s IP address by pretending to be a spammer and ringing them. The target does not need to answer (JTRIG tools and techniques, 3).

GLITTERBALL – This is an effects capability tool created by JTRIG that was in development. The covername refers to online gaming capabilities for sensitive operations, with development focusing at the time on Second Life (JTRIG tools and techniques, 5).

GLOBALREACH – This covername refers to a consolidated analytic metadata interface that lets analysts log in once and then search across all of the TAC/TDS datasets for their targets of interest. Datasets available through GLOBALREACH include: ASSOCIATION, BROOMSTICK, CONTRAOCTIVE, DISHFIRE, DISTANTFISH, ENTANGLER, FASCIA, GNDB, LAMPSHADE, MAINWAY, OCTAVE, SPOTBEAM, and YAUGHTSHOP. Tools available through GLOBALREACH include: BANYAN, CONTRAOCTIVE, DISHFIRE, ENTANGLER, GNDB, SPOTBEAM, and YAUGHTSHOP. As of August 2004, GLOBALREACH allowed for searches of telephony metadata but there were plans to bridge telephony and DNI (e.g. email) analysis as of September 2004 (One Login, Many Searches).

GLOBAL SURGE – This covername refers to the Network Analysis Centre’s (NAC) network knowledge base prototype. It includes data which is collected using the HACIENDA program (What is HACIENDA?, 7).

GODFATHER – This is a fully operational collection tool created by JTRIG. The covername refers to a method of publicly collecting data from Facebook (JTRIG tools and techniques, 3).

GOLDEN AXE – This covername refers to an events-based Question Focused Database (QFD) that records IMEI defeats, and the severity score and associated correlations for the IMEI. The database was planned to include IMSI, MSC_GT, and VLR_GT selectors sometime in the future (Blazing Saddles, 4). It is described by GCHQ as being used to generate a list of suspected clone mobile phones using an IMEI grey list (GCHQ Analytic Cloud Challenges, 10).

GOLDEN EYE

GOLDENEYE2

GOLD MINE – This covername refers to a cyber/content cluster that is available to HIMR researchers (HIMR Data Mining Research Problem Book, 61).

GOOB

GOODFELLA – This is an in-development collection tool created by JTRIG that supports RenRen and Xing. The covername refers to a generic framework for public data collection from online social networks (JTRIG tools and techniques, 3).

GORDIAN KNOT – This data type includes unselected Information Assurance (IA) data. It is not clear how long this data is retained: on the one hand, under XKS, it can be stored for 6 months and RIPA for 2 years. When the data is derived purely from GORDIAN KNOT the metadata is retained for 6 months; when it is derived from XKS and Content Cloud, in contrast, it is only stored for 30 days (Cyber Defence Operations Legal and Policy, 3-4). Data collected comes from 6 full-take sources, GSI logs, local input sensors, and SPAY. It is linked with XKS and FRACTALJOKER (The Tale of Two Sources, 19).

GRASP

GREENHEART

GREY FOX – Holds country-level summary of where identifiers are observed (GCHQ Analytic Cloud Challenges, 10).

GRINNING ROACH – This covername refers to a tool for visualizing SIGINT events and is used to produce pattern of life events (HIMR Data Mining Research Problem Book, 38).

GUIDING LIGHT – Possesses MI information types/volume of traffic on the bearer (GCHQ Analytic Cloud Challenges, 10). It was a Question Focused Database (QFD) that was meant “[t]o understand the traffic seen on Next Gen Events bearers.” It was receiving data from Bude station, including that from SWORDPLAY. New fields had been added and there were plans on expanding targeting data (from BROAD OAK), incorporating functionality from REFORMER, and adding additional feeds and linking to ARTEMIS (Events Product Centre, 18-36).

GUILTY SPARK – Associated with template-based targeting methods (Full-Spectrum Cyber Effects: SIGINT Development as an enabler for GCHQ’s “Effects” mission, 16).

GURKHAS SWORD – This is a techniques capability created by JTRIG. The covername refers to beaconed Microsoft Office documents which are intended to elicit a target’s IP address (JTRIG tools and techniques, 8).


H

HACIENDA – This is used for GCHQ’s bulk port scanning (Automated NOC Detection, 19). More specifically, this is a fully operational port scanning tool used by JTRIG to scan an entire country or city. It uses GEOFUSION to identify IP locations. Banners and content are pulled back on certain ports. Content is put into the EARTHLING database, and all other scanned data is sent to GNE and is available through GLOBALSURGE and Fleximart (JTRIG tools and techniques, 3). Data collected using HACIENDA is used for computer network exploitation (CNE) activities as well as discovery activities. CNE activities are designed to conduct vulnerability assessment of systems and networks, as well as to detect systems which might be exploited as operational relay boxes (ORBs). In terms of discovery activities, HACIENDA is used for network analysis as well as target discovery (What is HACIENDA?, 7).

HAGER AWEL – This refers to the Hadoop-based Bude events cluster. It is available to HIMR researchers (HIMR Data Mining Research Problem Book, 61).

HAKIM – This is a research prototype that is designed to function as a considered database with multiple indexes and flexible additions. Specifically, HAKIM facilitates the unification of data, such that associated data is keyed together, as well as quick and flexible addition of new data types and indexes, while being scalable and cost-effective. It could be converged with the HADOOP stack, HBASE/ACCUMULO (GCHQ Analytic Cloud Challenges, 20).

HALTER HITCH – Used to record IP addresses, likely domestic UK ones, that are used in the course of targeting parties attacking domestic infrastructure (Cyber Defence Operations Legal and Policy, 8). Broadly the information retained in HALTER HITCH is internally regarded as signature storage (The Tale of Two Sources, 14), and includes Snort and Squeal signatures (NDIST 5-a-day, 1).

HANGER LANE

HAPPY TRIGGER – This covername refers to a database containing structured datasets. Information in the database includes that from: Alexa.com, user-agency.org, nsurl.nist.gov, maxmind.com, zeustracker.abuse.ch, SpyEyeTracker.abuse.ch, amada.abuse.ch, torstatus.blutmagie.de, EmergingThreats.net, MalwareDomainList.com, ics.sans.edu, and POSITIVE PONY (Open Source for Cyber Defence/Progress, 1-2).

HARBOUR PILOT – This was the covername under NGE for a development effort to standardize, and share, enriched metadata with Five Eyes partners (Next Generation Events, 4).

HARD ASSOC – This covername refers to a Question Focused Database (QFD) (Black Hole Analytics, 6). The database is used to find alternative identifiers across telephony and the internet (Black Hole Analytics, 9). More specifically, it provides strongly correlated selectors for both computer to computer and telephony traffic taken from Target Description Identifiers (TDIs) appearing in the same packet. It is used to answer the question: “Are there any alternative computer to computer or telephony selectors for my target?” (GCHQ Analytic Cloud Challenges, 5).

HARDY – This is a technology candidate for the ‘core’ of GCHQ’s analytic work. It would technically rest upon a HADOOP cluster with map/reduce and interactive query and analytics capabilities that likely uses CLOUDBASE/ACCUMULO and reuses NSA knowledge. HARDY would be used to promote data and summaries from the bulk stores and include categories of known target, known query, and some known target/unknown query. HARDY would be optimized for major use and data sharing, while providing resilience by duplicating important data. The issue, however, is that GCHQ has limited experience with CLOUDBASE/ACCUMULO and the promotion analytics and criteria are not developed (GCHQ Analytic Cloud Challenges).

HARUSPEX – This covername refers to sensors which are used to monitor attacks against UK systems based on known attack signatures. The signatures typically reflect attack vectors, infrastructure or entity identifiers associated with attacks. In some cases UK-to-UK traffic may be collected if the attacker is using UK infrastructure (Intrusion Analysis/JeAC, 1).

HAUSTORIUM – Received Computer-to-Computer events from TERRAIN (PRESTON Architecture (Version 3.0), 22). Scheduled for decommission in October 2010 (Source: Mobile Apps — Checkpoint meeting Archives) and replaced by SOCIAL ANTHROPOID (Event (SIGINT), 2). It was used to retain metadata, and accessing this information does not require authorization when querying individuals in the UK. However, searches were logged and audited to ensure proportionality and necessity (Events Analysis – SALAMANCA, HAUSTORIUM, THUGEE, IMMINGLE).

HAVOK – This is a techniques capability created by JTRIG. The covername refers to real-time website cloning techniques which allow for on-the-fly alterations (JTRIG tools and techniques, 8).

HBASE

HEADERS NU – This project involved targeting the Pakistan government/military secure network.

HEADMOVIES – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).

HELMAGE

HIASCO

HIDDEN OTTER – This covername refers to an ICTR-NE prototype which tried to find temporal chains in communications data, and it was focused on finding things such as backhaul networks, TOR networks, and botnet structures (HIMR Data Mining Research Problem Book, 27).

HIDDEN SPOTLIGHT – This covername refers to a vulnerability database (Open Source for Cyber Defence/Progress, 1).

HIGHLAND FLING – An operation that involved targeting Gemalto employees for Computer Network Exploitation (OP HIGHLAND FLING – Event Log).

HIGH NOTE – This covername refers to a Computer Network Exploitation (CNE) tool suite (Mobile Networks in My NOC World, 3).

HOLLOW POINT

HOME PORTAL – This is a workflow management tool created by JTRIG. The covername refers to the central hub for all JTRIG CERBERUS tools (JTRIG tools and techniques, 6).

HOOCH – Used by NTAC to collect special source material, which is used by GCHQ (Source: The National Technical Assistance Centre).

HOPSCOTCH – This covername refers to a Question Focused Database (QFD) that may be involved in performing analytics on contact pairs (HOPSCOTCH Snippet).

HOTLINE – This covername refers to a location where operational TERRAIN data is processed.

HOTWIRE – This covername refers to BGP/MPLS network effects (Full-Spectrum Cyber Effects: SIGINT Development as an enabler for GCHQ’s “Effects” mission, 18).

HRMap – This covername refers to a Question Focused Database (QFD) that aggregates events which reveal host-referrer relationships, such as how people get to websites including links followed and direct accesses (Blazing Saddles, 2). The metadata-focused database (Next Generation Events, 5), at one point, stored 3 months of data and used 7 TB of disk space. GCHQ estimated it would take 14 TB of disk space to extend the retention period to 6 months (Data Stored in BLACK HOLE, 2). The QFD responds to the questions: “How do people get to my website of interest and where do they go next? What websites have been visited from a given IP?” (GCHQ Analytic Cloud Challenges, 5).

HUSK – This is a shaping and honeypots capability created by JTRIG. The covername refers to a secure one-to-one web-based dead drop messaging platform (JTRIG tools and techniques, 8).


I

ICE – This is a collection tool created by JTRIG. The covername refers to a kind of advanced IP harvesting technique (JTRIG tools and techniques, 3).

IMMINGLE – Used to retain metadata, and accessing this information does not require authorization when querying individuals in the UK. However, searches were logged and audited to ensure proportionality and necessity (Events Analysis – SALAMANCA, HAUSTORIUM, THUGEE, IMMINGLE). More broadly, IMMINGLE is used to run queries based on seed identifiers (e.g. phone number, IMSI, IMEI, C2C). Queries can be enriched from a series of databases and analysts can specify the event stores they are interested in. IMMINGLE also offers a range of visualization options. Going forward, FASCIA GPRS flagging, HAUSTORIUM decommissioning, and next generation contact chaining trials were forthcoming; this trial may have held the cover name FIRE STORM (Events Product Centre, 3-6).

IMPERIAL BARGE – This is an effects capability tool created by JTRIG that was tested. The covername refers to a method for connecting two target phones together in a call (JTRIG tools and techniques, 5).

INCENSOR – This covername refers to a GCHQ Special Source (TEMPORA — “The World’s Largest XKEYSCORE” — Is Now Available to Qualified NSA Users, 2).

INFINITE MONKEYS – This covername refers to a Question Focused Database (QFD) (Black Hole Analytics, 6). This metadata-focused database (Next Generation Events, 5) retains Target Description Identifiers (TDIs) and VBulletin extractions. TDIs have a type (e.g. Yahoo-Y-cookie) and a value (e.g. tom123@yahoo.com) (Black Hole Analytics, 7). The database is used to investigate websites or web forums of interest (Black Hole Analytics, 8). It is an events-based QFD and is used to determine if targets have VBulletin accounts, who uses particular VBulletin forums, or where the members of a forum are based (Blazing Saddles, 2). The database stored data for 6 months at one point, and used 0.02 TB of data (Data Stored in BLACK HOLE, 2).

INJUNCTION – This covername refers to a type of IP data (HIMR Data Mining Research Problem Book, 83).

INSIGHT – This covername refers to an account used to access information on CAWiki, which is where GCHQ’s Technical Enabling Covert Access (TECA) Product Centre publishes information about its activities.

INSPECTOR – This is a fully operational collection tool created by JTRIG. The covername refers to a tool for monitoring domain information and site availability (JTRIG tools and techniques, 3).

INTEGER SPIN – This covername refers to a Question Focused Dataset (QFD) that was previously known as Evolved GEO FUSION (Source: Mobile Apps — Checkpoint meeting Archives).

IRASCIBLE EMITT

IRASCIBLE HARE

IRASCIBLE MOOSE

IRASCIBLE RABBIT

INTERSTELLAR DUST – This covername refers to an Interface Control Document (ICD), and it is capable of covering GTDI (presence events) from: MUTANT BROTH, AUTO ASSOC, MARBLED GECKO, KARMA POLICE, HRMap, MEMORY HOLE, INFINITE MONKEYS, SOCIAL ANIMAL, AUTO TDI, and SAMUEL PEPYS (Event (SIGINT), 4).

IRON HAND – Used to manage the lifecycle of, and store, Communications Data requests (Cyber Defence Operations Legal and Policy, 10).

IRONING BOARD

IVE


J

JACKNIFE – This covername refers to a Cross Access Regional Development (CARD) Comsat site that is used by the APPARITION system. JACKNIFE is located on the west coast of the USA (APPARITION/GHOSTHUNTER Tasking Info, 1). It refers to Yakima Research Station in Washington state.

JACKPOT

JANET

JAZZ FUSION – This is an implementation-stage engineering tool created by JTRIG. The covername refers to a BOMBAYROLL replacement, which will also incorporate new collectors (JTRIG tools and techniques, 2).

JAZZ FUSION+ – This is an in-design engineering tool created by JTRIG. The covername refers to a sub-system of JAZZFUSION (JTRIG tools and techniques, 2).

JEDI – This is an analysis tool created by JTRIG. The covername refers to pods that will be deployed to all members of an Intelligence Production Team. As of July 2012 the challenge was to scale up to over 1,200 users whilst remaining agile, efficient, and responsive to customer needs (JTRIG tools and techniques, 7).

JILES – This is an analysis tool created by JTRIG. The covername refers to a JTRIG bespoke web browser (JTRIG tools and techniques, 7).

JTRIG RADIANT SPLENDOUR – This is classified as an operational engineering tool used by JTRIG, and operates as a data diode connecting the CERBERUS network with GCNET (JTRIG tools and techniques, 2).


K

KARMA POLICE – This covername refers to a Question Focused Database (QFD) (Black Hole Analytics, 6). This metadata-focused database (Next Generation Events, 5) retains Target Description Identifiers (TDIs) and HTTP GET and POST requests. TDIs have a type (e.g. Yahoo-Y-cookie) and a value (e.g. tom123@yahoo.com) (Black Hole Analytics, 7). In other words, it holds information about which TDIs have been seen at approximately the same time, and from the same computer, as visits to websites (GCHQ Analytic Cloud Challenges, 5). The database is used to investigate websites or web forums of interest (Black Hole Analytics, 8) by collecting information about which TDIs have been seen at approximately the same time, and from the same computer, as visits to websites (Blazing Saddles, 2). The database retained 3 months of data at one point, which used 6.8 TB of space. If data retention was extended to 6 months the data usage was estimated at 13.6 TB (Data Stored in BLACK HOLE, 2). The QFD is used to answer the questions: “Which websites your target visits, and when/where those visits occurred? Who visits suspicious websites, and when/where those visits occurred? Which other websites are visited by people who visit a suspicious website? Which IP address and web browser were being used by your target when they visited a website?” (GCHQ Analytic Cloud Challenges, 5).

KENNINGTON

KEYCARD

KITCHEN SINK

KOALAPUNCH – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).


L

LADYLOVE – This covername refers to a Cross Access Regional Development (CARD) Comsat site that is used by the APPARITION system. LADYLOVE is located in Misawa, Japan (APPARITION/GHOSTHUNTER Tasking Info, 1).

LANDINGPARTY – This is a fully operational collection tool created by JTRIG. The covername refers to a tool for auditing dissemination of VIKINGPILLAGE data (JTRIG tools and techniques, 3).

LAUGHING HYENA – This covername refers to a Question Focused Dataset (QFD) that the Next Generation Events (NGE) group used to converge different events (Next Generation Events, 6).

LECKWITH – This is the covername of a COMSAT facility in Oman, which hosts SNICK and CIRCUIT (Expanded Communications Satellite Surveillance and Intelligence Activities utilising Multi-beam Antenna Systems, 18).

LIGHTWOOD – Extracts email addresses from any character stream, including those that appear to be email addresses but are not for open Internet resolution (e.g. better@management). It also has additional email and URL detection capabilities that standard regular expression extraction rules lack (PullThrough Steering Group Meeting #16, 2-3).

LITTLE – A party with whom GCHQ was attempting to develop a ‘relationship’ for access to communications (Supporting Internet Operations, 8).

LLANDARCYPARK

LOCHNVAR – This covername refers to a project designed to migrate circuit-based intercept from existing (circuit-switched) handover to a NHIS 2 handover (PRESTON Architecture (Version 3.0), 24).

LONGSHOT – This is a shaping and honeypots capability created by JTRIG. The covername refers to a file uploading and sharing website (JTRIG tools and techniques, 8).

LOOKING GLASS – This is a client platform that facilitates rich visualization of some Question Focused Databases (QFD) (GCHQ Analytic Cloud Challenges, 11).

LOVELY HORSE – Unstructured datasets associated with open source information for cyber defence. Such datasets include twitter.com (Open Source for Cyber Defence/Progress, 1-2).

LUCKY STRIKE

LUMP – This is a techniques capability created by JTRIG. The covername refers to a system that finds the avatar name of a SecondLife AgentID (JTRIG tools and techniques, 8).

LUNAR HORNET

LUSTRE – This covername refers to a datasource for SOCIAL ANTHROPOID that drew data from North Africa (Events Product Centre, 26).

LUTEUSICARUS – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).


M

MAD

MADFORGE

MAGLITE

MAGNUMOPUS – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).

MAILORDER – This covername refers to the system which is used by GCHQ to transfer data into other Five Eyes agencies’ data repositories (What is HACIENDA?, 7).

MAINLY

MAMBA – This covername refers to a visual analytics tool that was being developed in partnership with Detica in 2011 (HIMR Data Mining Research Problem Book, 38).

MAMBOOKIE

MARBLE POLLS – This covername refers to a database used to enrich events. The database contains vulnerabilities-related data (The Tale of Two Sources, 39).

MARBLED GECKO – This covername refers to a Question Focused Database (QFD) (Black Hole Analytics, 6). The database is used to find out who has been looking at what on Google Earth (Black Hole Analytics, 8) by combining the content of MARBLED GECKO with data contained in MUTANT BROTH (Blazing Saddles, 2-3).

MARINA – See NSA Covernames.

MARMION – This covername refers to a legacy circuit switched and line access solution (PRESTON Architecture (Version 3.0), 5).

MARVEL ICE

MASTERSHAKE

MEMORY HOLE – This covername refers to a Question Focused Database (QFD) (Black Hole Analytics, 6). The content-focused database (Next Generation Events, 5) is used to find out who has been searching the web, and for what (Black Hole Analytics, 8), though it is focused exclusively on Google-based searches. When combined with data in MUTANT BROTH the specific users who ran searches can be identified (Blazing Saddles, 3). The database retained 0.5 months of data at one point, which consumed 0.6 TB of data. GCHQ estimated that extending the retention period to 6 months would cause the database to use 7.2 TB of data (Data Stored in BLACK HOLE, 2).

MERA PEAK

MERION ZETA – The covername for Belgacom.

MERLOT

MESNE

METEOR SHOWER

MIDDLEMAN – This is an analysis tool created by JTRIG. The covername refers to a distributed real-time event aggregation, tip-off, and tasking platform used by JTRIG as a middleware layer (JTRIG tools and techniques, 7).

MIDDLESEX GREEN – Used to task either SSOs or particular 10G lines that GCHQ has access to (Source: Mobile Apps – Checkpoint meeting Archives, 9). Is associated with a collection request form (Source: PRESTON Business Processes 1.0, 8).

MILKWHITE – This covername refers to a target enrichment service, sometimes referred to as the MILKWHITE Enrichment Service (MES), that is designed to help non-GCHQ agencies identify IP selectors for their targets.

MINIATURE HERO – This is a fully operational collection tool created by JTRIG, though there are usage restrictions on its operation. The covername refers to an active Skype capability that provisions real time call records (SkypeOut and SkypetoSkype) and bidirectional instant messaging, as well as contact lists (JTRIG tools and techniques, 4).

MIRAGE – This comprises data that has generally been selected by electronic attack signature. It is stored in XKS and retained for 30 days (Cyber Defence Operations Legal and Policy, 4).

MOBILEHOOVER – This is a forensic exploitation capability created by JTRIG. The covername refers to a tool to extract data from field forensics reports created by Celldek, Cellebrite, XRY, Snoopy, and USIM detective. These reports are transposed into a NEWPIN XML format to be uploaded to NEWPIN (JTRIG tools and techniques, 7).

MOLTEN-MAGMA – This is a shaping and honeypots capability created by JTRIG. The covername refers to a CGI HTTP Proxy with the ability to log all traffic and perform HTTPS man-in-the-middle (JTRIG tools and techniques, 8).

MONACO – This covername refers to a delivery network used by the PRESTON system to send data from leased telecommunication lines to narrowband processing systems.

MONKEY PUZZLE – Involved in ingesting mobile selectors (Source: Mobile Apps — Checkpoint meeting Archives).

MONOPOLY – Retains special source events (Demystifying NGE Rock Ridge, 5).

MONTE VISTA – This covername refers to the “analyst’s notebook” used by some GCHQ analysts, and which lets them visualize information that has been collected (Review of VisWeek 2008).

MOONPENNY – This covername refers to a Cross Access Regional Development (CARD) Comsat site that is used by the APPARITION system. MOONPENNY is located in Menwith Hill Station (APPARITION/GHOSTHUNTER Tasking Info, 1).

MOONRAKER

MOOSE MILK – This covername refers to a data mining algorithm that detects suspicious use of telephone kiosks in the UK (PullThrough Steering Group Meeting #16, 2).

MOUNT MCKINLEY – This covername refers to a Linux compute cluster which is available from VALHALLA. However, it has few user tools available and is thus best for running compiled code, and it is used for operational processing, so researchers have to abide by conventions around HIMR’s use of the cluster (HIMR Data Mining Research Problem Book, 66).

MOUTH – This is a fully operational collection tool created by JTRIG. The covername refers to a tool for collecting and downloading a user’s files from Archive.org (JTRIG tools and techniques, 4).

MUGSHOT – This covername refers to a project to automate the detection of vulnerabilities in networks designated for being targeted using computer network exploitation (CNE) activities, as well as vulnerabilities in all machines which are connected to the Internet (Finding Orbs, 4).

MURPHYSLAW – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).

MUSCULAR – A GCHQ special source (TEMPORA — “The World’s Largest XKEYSCORE” — Is Now Available to Qualified NSA Users, 2).

MUSTANG – This is a fully operational collection tool created by JTRIG. The covername refers to a means of providing covert access to the locations of GSM cell towers (JTRIG tools and techniques, 4).

MUTANT BROTH – This database retains all Target Description Identifiers (TDIs) in bulk (Target Detection Identifiers, 14). TDIs have a type (e.g. Yahoo-Y-cookie) and a value (e.g. tom123@yahoo.com) (Black Hole Analytics, 7). The database is used to create a profile of a target’s activities (Black Hole Analytics, 8) by correlating it with a range of other Question Focused Databases (QFDs) (Blazing Saddles, 1-4). At one point, the database retained 4 months of data, which amounted to 7.7 TB of data. Extending retention to 6 months was estimated to use 11.55 TB of space (Data Stored in BLACK HOLE, 2). Information in this includes presence events (Event (SIGINT), 4). When used to assist in targeting Belgacom for OP SOCIALIST, MUTANT BROTH was used to identify TDIs/selectors coming from previously identified ranges and proxies (Mobile Networks in My NOC World, 14).

MVR

MWX – This covername refers to a database used to enrich events. The database contains malware-related data (The Tale of Two Sources, 39).

MYOFIBRIL


N

NAMEJACKER – This is a workflow management tool created by JTRIG. The covername refers to a web service and administration console for the translation of usernames between networks. This was to be used with gateways and similar technologies (JTRIG tools and techniques, 6).

NEO PUDDING

NET PLATE – Includes multiple data types, which are to be disclosed publicly to GCHQ when the program is in a releasable state (Open Source for Cyber Defence/Progress, 1).

NEVIS – This is a forensic exploitation capability created by JTRIG. The covername refers to a tool developed by NTAC to search disk images for signs of possible encryption products. CMA have further developed this tool to look for signs of steganography (JTRIG tools and techniques, 7).

NEXUS – This is a BSS desktop (Mobile Networks in My NOC World, 3).

NEWPIN – This is a database created by JTRIG. The covername refers to a database of C2C identifiers obtained from a variety of unique sources, and a suite of tools for exploring this data (JTRIG tools and techniques, 7).

NIGHTCRAWLER – This is a shaping and honeypots capability created by JTRIG. The covername refers to a public online group against dodgy websites (JTRIG tools and techniques, 8).

NGE – Stands for ‘Next Generation Events’, which is a multi-stage project that tackled a series of problems, at increasing scale and increasing collaboration (Next Generation Events, 2) and which was intended to ultimately engage in corporate processing and storage system for 10G bearers (HIMR Data Mining Research Problem Book, 10).

NOCTURNAL SURGE – This covername refers to a GCHQ tool that is used to identify Network Operation Centres (Automated NOC Detection).

NOSEY SMURF – This covername is for an iPhone specific plugin that GCHQ uses to activate the mic on the phone (Capability – iPhone).

NUBILO – The covername refers to a method of changing the outcome of online polls (JTRIG tools and techniques, 6).

NUT ALLERGY – This is a pilot engineering tool created by JTRIG. The covername refers to the JTRIG Tor web browser, which entails a sandboxed Internet Explorer replacement and FRUITBOWL subsystem (JTRIG tools and techniques, 2).


O

OBERON

OB DEVICE

OP WAFTER

OP INTERACTION – This covername refers to a Network Analysis Centre (NAC) event focused on developing in-depth knowledge of mobile gateways (Mobile Networks in My NOC World, 7).

OP QUITO – This covername refers to an effects operation to support the Foreign and Commonwealth Office (FCO) and that Office’s goals relating to Argentina and the Falkland Islands (JTRIG Operational Highlights, August 2009).

OP SOCIALIST – This covername refers to a Network Analysis Centre (NAC) event focused on exploitation of a GRX operator (Mobile Networks in My NOC World, 7). A core focus of this was to enable Computer Network Exploitation (CNE) access to Belgacom; after compromising its GRX routers GCHQ intended to undertake Man-in-the-Middle (MITM) operations against targets roaming on smartphones while, also, expanding the NAC’s breadth of knowledge about GRX operators (Mobile Networks in My NOC World, 9). Ultimately, after identifying engineering and support staff and targeting them with QUANTUM INSERT, GCHQ successfully achieved CNE access: this meant the agency could further target Belgacom staff, expand internal CNE access throughout the Belgacom network with the ultimate goal of implanting GRX routers, and better understand Belgacom’s network, credentials assigned to staff, and identification of different staff and their associated roles (Mobile Networks in My NOC World, 20).

OP SOCIALIST II – Undertaken by the Network Analysis Centre alongside Crypt Ops to identify the extent of opportunity provided by OP SOCIALIST (CNE Access to BELGACOM GRX Operator Snippet 3).

OP WYLEKEY – This covername refers to a Network Analysis Centre (NAC) event focused on exploiting international mobile billing clearing houses (Mobile Networks in My NOC World, 7).

ORB FINDER – This program is used to identify potential candidate Operational Relay Boxes (ORBs) for use in CNE active network exploitation activities. Such activities provide a richer picture of end-systems and thus reduce CNE’s operational footprint by focusing attention on candidates that meet particular sets of criteria (PullThrough Steering Group Meeting #16, 2).

OUTWARD – This is an analysis tool created by JTRIG. The covername refers to a collection of DNS lookup, WHOIS lookup, and other network tools (JTRIG tools and techniques, 7).

OVAL – This covername refers to a list for NDR to feed into HIDDEN SPOTLIGHT (Open Source for Cyber Defence/Progress, 1).

OVERLIT


P

PACMAN

PARANOID SMURF – This covername is for an iPhone specific plugin that GCHQ uses to employ self-protection, presumably of the SMURF-malware family (Capability – iPhone).

PEBBLE BED

PENSIVE GIRAFFE – This covername refers to a cyber defence analyst portal that is used by analysts to group and summarize events to increase efficiency and capability (NDIST 5-a-day, 1).

PENTAHO – This is used by GCHQ and CSE alike. CSE uses it for tradecraft modelling (Automated NOC Detection, 9).

PHOTON TORPEDO – This is an operational collection tool created by JTRIG, but that has some usage restrictions. The covername refers to a technique to actively grab the IP address of an MSN messenger user (JTRIG tools and techniques, 4).

PIA

PIGS EAR

PILBEAM – Superseded by HAUSTORIUM (Event (SIGINT), 4).

PINNATE – A party with whom GCHQ was attempting to develop a ‘relationship’ for access to communications (Supporting Internet Operations, 8).

PIRATE CAREBEAR – This covername refers to a tool for visualizing SIGINT events and is used to produce plots for pattern-of-life analysis (HIMR Data Mining Research Problem Book, 38).

PISECGIAS

PISTRIX – This is a shaping and honeypots capability created by JTRIG. The covername refers to an image hosting and sharing website (JTRIG tools and techniques, 8).

PITBULL – This is an effects capability tool created by JTRIG that was in development. The covername refers to the capability for enabling large scale delivery of a tailored message to users of instant messaging services (JTRIG tools and techniques, 5).

PLANE

POD RACE – This is an in-design engineering tool created by JTRIG. The covername refers to JTRIG’s MS update farm (JTRIG tools and techniques, 2).

POISON ARROW – This is a design-stage engineering tool created by JTRIG. The covername refers to safe malware download capacity (JTRIG tools and techniques, 2).

POISONED DAGGER – This is an effects capability tool created by JTRIG. The covername refers to effects against Gigatribe. It was built by ICTR and deployed by JTRIG (JTRIG tools and techniques, 5).

POKERFACE – Used to task either SSOs or particular 10G lines that GCHQ has access to (Source: Mobile Apps – Checkpoint meeting Archives, 8).

PORRIDGE

PORUS – This covername is for an iPhone specific plugin that GCHQ uses to ensure kernel stealth on the device, presumably for the SMURF-malware or exploit family (Capability – iPhone).

POSITIVE PONY – This covername refers to a database that links IP address to companies and sector mappings (Open Source for Cyber Defence/Progress, 1).

PPF – This is likely an acronym which refers to Packet Processing Framework, a software framework which allows a very limited set of matching operations to be run on specialized hardware. As packets hit on these matches they are then passed back to the software layer, where more complicated processing (including sessionalization, done by TERRAIN) can be performed on the selected subset of data (HIMR Data Mining Research Problem Book, 10).

PREDATORS FACE – This is an effects capability tool created by JTRIG. The covername refers to targeted denial of service attacks against web servers (JTRIG tools and techniques, 6).

PRESTON – This covername refers to the process whereby a UK service provider is compelled by warrant signed by the Home Secretary or Foreign Secretary to provide GCHQ with the communications data for a specific line or account for a specified time. It is also referred to as lawful intercept and warranted collection (HIMR Data Mining Research Problem Book, 9).

PRESTON OPS (CALDWELL PARK) – This is the tasking manager for the PRESTON system (PRESTON Business Processes 1.0, 21).

PRIMATE – This is an analysis tool created by JTRIG. The covername refers to a JTRIG tool that aims to provide the capability to identify trends in seized computer media and metadata (JTRIG tools and techniques, 7).

PRIME TIME – This covername refers to an algorithm that is used to look for cross-media timing chains (PullThrough Steering Group Meeting #16, 2). In 2011 it was being developed by Detica for the Streaming Analysis team in ICTR (HIMR Data Mining Research Problem Book, 27).

PRIMODIAL SOUP

PROBABILITY CLOUD – Used for handset geo-association scoring (“ICTR Cloud Efforts”, 7).

PROSPERO – This covername refers to a method of distributing reports (Intrusion Analysis/JeAC, 1).

PROVE

PSOUP

PSYCHIC SALMON – This covername refers to a type of IP data (HIMR Data Mining Research Problem Book, 83).

PUBLIC ANEMONE – Contained geolocation based on web-based map searches (GCHQ Analytic Cloud Challenges, 10).


Q

QUANTUM – QUANTUM is a tool designed by the National Security Agency (NSA). Most information pertaining to this tool is available under the summaries and explanations of NSA covernames. However, GCHQ documents reveal that LinkedIn and Slashdot selectors were used to target QUANTUM for OP SOCIALIST (Mobile Networks in My NOC World, 14). See also: NSA Covernames.

QUANTUM INSERT (QI) – The QUANTUM family of tools were designed by the National Security Agency (NSA). Most information pertaining to this tool is available under the summaries and explanations of NSA covernames. However, GCHQ documents reveal that QI’s capacity was enhanced to allow shots on LinkedIn and to allow ‘white listing’ when shooting on proxies (Mobile Networks in My NOC World, 14). See also: NSA Covernames.

QUINCY – This is a database created by JTRIG. The covername refers to an enterprise level suite of tools for the exploitation of seized media (JTRIG tools and techniques, 7).


R

RADIANT SPLENDOR – This covername refers to a data diode that connects the CERBERUS network with GCNET (JTRIG tools and techniques, 2).

RADONSHARPEN-B – This covername refers to a method used, in tandem with GeoFusion, to combine country labels and confidences from multiple sources to come up with a decision for an IP address’s country (HIMR Data Mining Research Problem Book, 21).

RAGING BULLFROG – This covername refers to a type of IP data (HIMR Data Mining Research Problem Book, 83).

RANA – This is a techniques capability created by JTRIG. The covername refers to a system developed by ICTR-CISA which provides CAPTCHA-solving via a web service on CERBERUS. This is intended for use by BUMPERCAR+ and possibly by SHORTFALL in the future, though anyone was welcome to use it (JTRIG tools and techniques, 8).

RAPID TAPIR

REAPER – This is an operational engineering tool created by JTRIG. The covername refers to the CERBERUS to GCNET import gateway interface system (JTRIG tools and techniques, 2).

REFORMER

REFRIED CHICKEN – A database of passively intercepted WHOIS records, searchable by any word in the record and in existence since February 2011 (Open Source for Cyber Defence/Progress, 1).

REMEDY – This covername refers to the British telecommunications company, BT (Revealed: GCHQ’s beyond top secret Middle Eastern internet spy base, 1).

RESERVOIR – This is a fully operational collection tool created by JTRIG that has some usage restrictions. The covername refers to a Facebook application that allows for the collection of various information (JTRIG tools and techniques, 4).

ROBOTIC FISH – This covername refers to a type of IP data (HIMR Data Mining Research Problem Book, 83).

ROCK OPERA

ROCK RIDGE – This covername refers to Next Generation Events’ (NGE) efforts to integrate Question Focused Datasets (QFDs) into the NGE program, such as SAMUEL PEPYS and CAFFEINE HIT.

ROLLING THUNDER – This is an effects capability tool created by JTRIG. The covername refers to distributed denial of service attacks using P2P. It was built by ICTR and deployed by JTRIG (JTRIG tools and techniques, 6).

ROUGH DIAMOND

ROYAL CONCIERGE – This covername refers to a system that exploits the messages hotels send to customers reminding them about forthcoming reservations and sends notices of ‘hard targets’ messages to analysts (Full-Spectrum Cyber Effects: SIGINT Development as an enabler for GCHQ’s “Effects” mission, 8).

ROYAL MANTLE

RUFFLE – This covername refers to the Israeli SIGINT National Unit (also referred to as Unit 8200) (Cash, Weapons and Surveillance: the U.S. is a Key Party to Every Israeli Attack).

RUFUS – This covername refers to a system which, in tandem with WHAMI Fast Image, is used to target specific areas of interest and produce GSM tower data with high quality metadata unique to the tower. RUFUS is used as part of the DYMO prototype tool (Site Updates (OPA-MHS-[REDACTED]), 1).

RUMOUR MILL – This covername refers to a dashboard available to GCHQ analysts that lets them prioritize new work as it arrives from customers by quickly determining what GCHQ already knows about a given question/request from a customer. Moreover, this tool is meant to enable analysts to monitor existing work to spot when something happens that would change their priorities. Many of the questions are derived from cloud-based analytics that run each day against the current identifier list(s) (GCHQ Analytic Cloud Challenges, 12).


S

SALAMANCA – Holds (legacy) VoIP events in telephony form. Receives such events from TERRAIN (PRESTON Architecture (Version 3.0), 22). It was due to be subsumed into SOCIAL ANTHROPOID (Event (SIGINT), 3). It was used to retain metadata, and accessing this information does not require authorization when querying individuals in the UK. However, searches were logged and audited to ensure proportionality and necessity (Events Analysis – SALAMANCA, HAUSTORIUM, THUGEE, IMMINGLE). Data types collected include: timestamp and callLength along with identifiers, such as dialledNumber, dialledNumberNorm, callerID, and callerIDNorm. Other identifiers may include IMSI, IMEI, MSISDN (HIMR Data Mining Research Problem Book, 69).

SALTY OTTER – The cover name for efforts to use a better algorithm for identifying cross-media timing patterns (e.g. a telephone call triggers a chat event). Specifically, efforts were considering whether to use the B17 technique that incorporated the CLASP algorithm, as opposed to the less general and popular PRIME TIME algorithm (PullThrough Steering Group Meeting #16, 1-2).

SAMBOK – Holds Geo events. Receives such events from TERRAIN (PRESTON Architecture (Version 3.0), 22).

SAMDYCE – Holds SMS content, at least some of which is from TERRAIN (PRESTON Architecture (Version 3.0), 22).

SAMUEL PEPYS – A Question Focused Database (QFD) (Black Hole Analytics, 6) that is designed to correlate near real-time presence alerting (GCHQ Analytic Cloud Challenges, 3). The database is used to find out what has been happening in real time (Black Hole Analytics, 9) by fusing all available traffic (content and events) in one place so that answers can be derived based on all of the available traffic that it contains (Blazing Saddles, 3). This can include HTTP Host URI as well as FTP information (Event (SIGINT), 4).

SANDIA

SAXLINGHAM

SCARLET EMPEROR – This is an effects capability tool created by JTRIG that was ready to fire. The covername refers to targeted denial of service against a target’s phone via call bombing (JTRIG tools and techniques, 6).

SCRAPHEAP CHALLENGE – This is an effects capability tool created by JTRIG that was ready to fire but subject to constraints. The covername refers to perfecting spoofing of emails from Blackberry targets (JTRIG tools and techniques, 6).

SCREAMING EAGLE – This is an analysis tool created by JTRIG. The covername refers to a tool that processes kismet data into geolocation information (JTRIG tools and techniques, 7).

SEBACIUM – This is a collection tool created by JTRIG. The covername refers to an ICTR-developed system that is meant to identify P2P file sharing activity of intelligence value. Logs are accessible via DIRTYRAT (JTRIG tools and techniques, 4).

SEPANG – This covername refers to a Linux compute cluster available to HIMR researchers. It was expected to be decommissioned soon (as of late 2011) and was firewalled from the rest of the GCHQ network and, thus, lacks easy access to data sources described in the HIMR Data Mining Research Problem Book. However, it does have a wide range of user tools installed and is reserved for HIMR’s sole use (HIMR Data Mining Research Problem Book, 66).

SERPANTS TONGUE – This is an effects capability tool created by JTRIG that was in redevelopment. The covername refers to a means of fax message broadcasting to multiple numbers (JTRIG tools and techniques, 6).

SFT – This is a forensic exploitation capability created by JTRIG. The covername refers to the SIGINT Forensics Lab, which was developed within the NSA. It has been adapted by JTRIG as its email extraction and first-pass analysis of seized media solution (JTRIG tools and techniques, 7).

SHADOWCAT – This is a techniques capability created by JTRIG. The covername refers to end-to-end encrypted access to a VPS over SSH using the Tor network (JTRIG tools and techniques, 8).

SHARED VISION (SV) – A COMSAT architecture modernization programme amongst the Five Eyes that came to an end before July 2010. It explicitly did not address antenna modernization (COMSAT SNIPPET).

SHAREDQUEST – A COMSAT programme that followed SHAREDVISION. A part of it was focused on antenna command and control in order to reduce the total cost of ownership of COMSAT assets while supporting and expanding missions and addressing the emergence of new technologies (COMSAT SNIPPET).

SHARKQUEST

SHARON

SHORTFALL – The covername refers to data that is drawn from open source into GCNet (The Tale of Two Sources, 22).

SHORTSHEET – This covername refers to an exploitation server run by the Joint CNE/TECA Mobile Exploitation Team. Targets are redirected to this server after being targeted by QUANTUM tipping; it is likely a GCHQ alternate covername for FOXACID servers (iPhone target analysis and exploitation with unique device identifiers, 6).

SILENT MOVIE – This is an effects capability tool created by JTRIG that was ready to fire. The covername refers to a targeted denial of service against SSH services (JTRIG tools and techniques, 6).

SILVERBLADE – This is an effects capability tool created by JTRIG that was ready to fire. The covername refers to reporting of extremist material on DAILYMOTION (JTRIG tools and techniques, 6).

SILVER FOX – This is an effects capability tool created by JTRIG that was ready to fire. The covername refers to a list provided to industry of live extremist material files found on Free File Upload (FFU) sites (JTRIG tools and techniques, 6).

SILVER LINING

SILVER LIBRARY – This is a library of Hadoop parsers, writables and other utility classes to simplify development of MapReduce analytics in Java (HIMR Data Mining Research Problem Book, 65).

SILVERLORD – This is an effects capability tool created by JTRIG that was ready to fire. The covername refers to the disruption of video-based websites which host extremist content through concerted targeted discovery and content removal (JTRIG tools and techniques, 6).

SILVER SPECTOR – This is an in-development collection tool created by JTRIG. The covername refers to a tool that allows batch Nmap over Tor (JTRIG tools and techniques, 4).

SIMMER

SKYSCRAPER – This is an effects capability tool created by JTRIG that was ready to fire. The covername refers to the production and dissemination of multimedia via the web in the course of information operations (JTRIG tools and techniques, 6).

SLAMMER – This is an analysis tool created by JTRIG. The covername refers to a data index and repository that provides analysts with the ability to query data collected from the internet from various JTRIG sources, such as EARTHING, HACIENDA, web pages saved by analysts, etc (JTRIG tools and techniques, 7).

SLIDE – This covername refers to the exploit GCHQ used in 2010 against iPhones to subsequently implant WARRIORPRIDE. The exploit was likely the open-source PDF vulnerability that GCHQ was using against iOS Safari clients at the time (iPhone target analysis and exploitation with unique device identifiers, 8).

SLIPSTREAM – This is an effects capability tool created by JTRIG that was ready to fire. The covername refers to the ability to inflate page views on websites (JTRIG tools and techniques, 6).

SMOKING SADDLES

SNICK – A GCHQ COMSAT access location (COMSAT SNIPPET) located in Oman at LECKWITH (Seeb) (Expanded Communications Satellite Surveillance and Intelligence Activities utilising Multi-beam Antenna Systems, 18).

SNOOPY – This is a forensic exploitation capability created by JTRIG. The covername refers to a tool to extract mobile phone data from a copy of the phone’s memory (usually supplied as an image extracted through FTK) (JTRIG tools and techniques, 7).

SOCIAL ANIMAL – This covername refers to a Question Focused Database (QFD) (Black Hole Analytics, 6). The metadata-focused database (Next Generation Events, 5) is used to develop a social network (Black Hole Analytics, 8) by determining how users interact with one another, and with pictures, files, and video on the Internet (Blazing Saddles, 3-4). At one point, the database stored data for 1 month and used 1.6 TB of space. GCHQ estimated that extending the retention period to 6 months would lead to the database consuming 9.6 TB of space (Data Stored in BLACK HOLE, 2).

SOCIAL ANTHROPOID – Involved in ingesting social networking site activity (Target Detection Identifiers, 14), including Facebook Events (Source: Mobile Apps — Checkpoint meeting Archives). More broadly, it is a converged communications database that lets analysts understand who their targets have communicated with using telephony and internet-based communications. More specifically, data accessible to SOCIAL ANTHROPOID includes: SALAMANCA information, SOCIAL ANIMAL information, instant messenger, webmail, SIP and H323 VOIP and Yahoo! Voice, Blackberry, MMS, SMS, GTP (GPRS Session set ups), SMTP, POP3, and IMAP data (Social Anthropoid). This Question Focused Database (QFD) is designed to subsume SOCIAL ANIMAL and replaced HAUSTORIUM (Blazing Saddles, 4). The QFD answered the questions: “What communications your target is engaged in? Who has your target been communicating with? What communications have occurred using a particular locator, such as an IP address or cellular tower?” (GCHQ Analytic Cloud Challenges, 5).

SODAWATER – This is a fully operational collection tool created by JTRIG. The covername refers to a tool for regularly downloading Gmail messages and forwarding them onto CERBERUS mailboxes (JTRIG tools and techniques, 4).

SOLARSHOCK119 – See: NSA Covernames

SOLID INK – This covername refers to a telephony dataset containing three weeks of telephony records from 2007, as seen from billing records. There were 2.7 billion events involving 74 million numbers. Data was anonymized for legal reasons. The INK dataset has four fields: timestamp, user-1, user-2, and a number (HIMR Data Mining Research Problem Book, 73-74).

SORCERER

SOSTRUM

SOUNDER – A GCHQ COMSAT access location (COMSAT Snippet) that the NSA provides 50% of the funding for (Cyprus Snippet, 1) and which is located at Ayios Nikolaos in eastern Cyprus (Expanded Communications Satellite Surveillance and Intelligence Activities utilising Multi-beam Antenna Systems, 13).

SPACEROCKET – This is a techniques capability created by JTRIG. The covername refers to a programme covering insertion of media into target networks. CRINKELCUT is a tool developed by ICTR-CISA to enable JTRIG to track images as part of SPACEROCKET (JTRIG tools and techniques, 8).

SPAY – An XKEYSCORE data type that includes Information Assurance (IA) metadata. This data is selected by electronic attack signature and is derived from the GORDIAN KNOT, XKS, and Content Cloud Repositories. SPAY data is retained for 6 months, though under RIPA it is defined as ‘communications data’ and thus could be held for up to 2 years. Under XKS, in contrast, it can only be retained for 6 months (Cyber Defence Operations Legal and Policy, 3). SPAY data may be provided to defence contractors at unclassified locations in response to China’s efforts to ‘hunt’ intelligence secrets (The Tale of Two Sources, 20).

SPICE ISLAND – This is a developmental engineering tool created by JTRIG. It is described as new infrastructure as of 2012; FORESTWARRIOR, FRUITBOWL, JAZZFUSION and other JTRIG systems form part of the SPICE ISLAND infrastructure (JTRIG tools and techniques, X).

SPIKY ROCK

SPING BISHOP – This is a collection tool created by JTRIG. The covername refers to a way of finding private photographs of targets on Facebook (JTRIG tools and techniques, 4).

SQUEAKY DOLPHIN – This program is designed to provide broad real-time monitoring of online activities, such as YouTube video views, URLs ‘Liked’ on Facebook, or Blogger/Blog visits. It relies on passive collection that uses streaming analytics via DISTILLERY to provide a real-time dashboard of activities (Psychology: A New Kind of SIGDEV, 27).

SQUEAL – This is SIGINT data that has been selected by electronic attack signature, and is stored in XKS. Such data is retained for 30 days (Cyber Defence Operations Legal and Policy, 4). Some of this information cannot be shared with other Five Eyes partners (Cyber Defence Operations Legal and Policy, 14).

STARGATE – This is a CNE-related program (STARGATE CNE Requirements).

STARGATE ROADMAP

STARLING MOTH

STEALTH MOOSE – This is an effects capability tool created by JTRIG that was ready to fire, subject to restrictions. The covername refers to a tool that will disrupt a target’s Windows machine. It generates logs of how and when the effect is active (JTRIG tools and techniques, 6).

STRAIN

STREETCAR – This covername refers to a Special Source Operation (SSO) company (Revealed: GCHQ’s beyond top secret Middle Eastern internet spy base, 1).

SUNBLOCK – This is an effects capability tool created by JTRIG that was tested but subject to operational limitations. The covername refers to an ability to deny functionality to send or receive email, or view material online (JTRIG tools and techniques, 6).

SUN STORM – This covername refers to the Cheltenham events cluster; it is the largest such cluster available to HIMR (HIMR Data Mining Research Problem Book, 61).

SUPERDRAKE

SUPPORTING INO

SWAMP – This refers to a two-month long extended workshop, usually on two topics of high importance to HIMR researchers (HIMR Data Mining Research Problem Book, 51).

SWAMP DONKEY – This is an effects capability tool created by JTRIG that was ready to fire, though subject to target restrictions. The covername refers to a tool that will silently locate all predefined types of files and encrypt them on a target’s machine (JTRIG tools and techniques, 6).

SWORDPLAY

SYLVESTER – This is an in-development collection tool created by JTRIG. The covername refers to a framework for automated interaction and alias management on online social networks (JTRIG tools and techniques, 4).

SYRINGE


T

TACHO – Involved in ingesting mobile selectors (Source: Mobile Apps — Checkpoint meeting Archives).

TAMING PASTRIES

TANGLEFOOT – This is an analysis tool created by JTRIG. The covername refers to a bulk search tool which queries a set of online resources. It is used to let analysts quickly check the online presence of a target (JTRIG tools and techniques, 7).

TANNER – This is a collection tool created by JTRIG that has been replaced by HAVOK. The covername refers to a technical program allowing operators to log onto a JTRIG website to grab IP addresses of internet cafes (JTRIG tools and techniques, 4).

TECHNOVIKING – This is an in-design engineering tool created by JTRIG. The covername refers to a sub-system of JAZZFUSION (JTRIG tools and techniques, 2).

TEEDEE – Superseded by PILBEAM (Event (SIGINT), 4).

TERMINALSURGE – This database is used to retain telnet session information collected by GCHQ’s Network Access Centre (Automated NOC Detection, 15).

TERRAIN – Computer-to-Computer processing system used by GCHQ (PRESTON Architecture (Version 3.0), 6). TERRAIN is responsible for processing lawful interception streams by sessionalizing data (HIMR Data Mining Research Problem Book, 10).

TELLURIAN

TEMPORA – GCHQ’s XKEYSCORE “Internet Buffer” which exploits the most valuable Internet links available to GCHQ. TEMPORA provides discovery capability against Middle East, North African, and European targets (amongst others) and serves to “slow down” a large chunk of Internet data for three days. This lets analysts use the GENESIS language to discover data that would otherwise have been missed. Such tradecraft relies on content-based discovery (TEMPORA — “The World’s Largest XKEYSCORE” — Is Now Available to Qualified NSA Users, 2).

TETRA

THICKISH ALPHA

THUGEE – Used to retain metadata, and accessing this information does not require authorization when querying individuals in the UK. However, searches were logged and audited to ensure proportionality and necessity (Events Analysis – SALAMANCA, HAUSTORIUM, THUGEE, IMMINGLE). Data from this database can be used to check the location of targets, such as to determine which legal authorizations are required for targeting the person(s) or identifier(s) in question (Operational Legalities, 46).

TIDAL SURGE – The database scheme for TIDALSURGE has been implemented by CSE as well as DSD. GCHQ’s use of TIDALSURGE is based on AS, whereas CSE’s use is based on country (Automated NOC Detection, 9).

TIMID TOAD – This covername refers to a type of IP data (HIMR Data Mining Research Problem Book, 83).

TIMPANI – This covername refers to a UK base located near the Strait of Hormuz, and which is used to monitor Iraqi communications (Revealed: GCHQ’s beyond top secret Middle Eastern internet spy base, 1).

TIN REVERIE

TINT – Used to trial new ways of collecting and processing content (Next Generation Events, 8).

TINT PUT – Part of the Next Generation Events XKS and TINT Bude experiments (Next Generation Events, 10).

TOP HAT – This is an in-development collection tool created by JTRIG. The covername refers to a version of the MUSTANG and DANCINGBEAR techniques that let JTRIG pull back cell tower and WiFi locations targeted against particular areas (JTRIG tools and techniques, 4).

TORNADO ALLEY – This is an effects capability tool created by JTRIG that was ready to fire, subject to targeting restrictions. The covername refers to a delivery method (i.e. Excel spreadsheet) that could silently extract and run an executable on a target’s machine (JTRIG tools and techniques, 6).

TRACER FIRE – This is an in-development collection tool created by JTRIG. The covername refers to a Microsoft Office document that grabs the target’s machine information, including files and logs, and posts it back to GCHQ (JTRIG tools and techniques, 4).

TRACKER SMURF – This covername is for an iPhone specific plugin that GCHQ uses to conduct high-precision geolocation of the phone (Capability – iPhone).

TRAFFICMASTER

TRIBAL CARNEM – Uses radius logs to identify and collect activity for IP sessions (GCHQ Analytic Cloud Challenges, 10).

TRITON

TRYST – This covername refers to a covert interception station in the UK embassy in the USSR, in the 1960s-1970s (The Secret Sentry: The Untold History of the National Security Agency, 152) and, in NSA documentation, refers to special collection facilities which may include embassies or consular buildings (Managing the Challenge, 4).

TURBINE – This covername refers to an intelligence command and control capability that is designed to manage a large number of covert implants for active SIGINT and active attack that reside on the GENIE cover infrastructure (for endpoint data extraction). It was designed to increase the capability to deploy and manage implants from hundreds of Computer Network Exploitation (CNE) and Computer Network Attack (CNA) implants to potentially millions of implants. TURBINE is an NSA tool. See also: NSA Covernames.

TWILIGHT ARROW – This is an operational engineering tool created by JTRIG. It is used to establish remote GSM secure covert internet proxy using VPN services (JTRIG tools and techniques, X).

TWO FACE – This covername refers to a database containing information pertaining to open source data for cyber defence. Datasets in TWO FACE include: alexa.com, ZeusTracker.abuse.ch, SpyEyeTracker.abuse.ch, amada.abuse.ch, torstatus.blutmagie.de, and EmergingThreats.net (Open Source for Cyber Defence/Progress, 1).


U

UDAQ

UDAQ2

UNDERPASS – This is an effects capability tool created by JTRIG that was in development. The covername refers to a method of changing the outcome of online polls (previously known as NUBILO) (JTRIG tools and techniques, 6).

UNIQUELY CHALLENGED – This covername refers to a situation where “[o]ne person has complete oversight of a technology from analysis to deployment — important for rapidly changing protocols” (Mobile apps doubleheader: BADASS Angry Birds, 3).


V

VAGRANT

VALHALLA – This covername refers to a standard Microsoft Windows environment provisioned to HIMR researchers. The environment provides email, Microsoft Office, web browsing, instant messaging, and a gateway to other systems (HIMR Data Mining Research Problem Book, 66).

VERACIOUS

VAIL – These are web-user interfaces that are installed on GCHQ servers and that are accessible from a partner site. They enable interactive queries of Question Focused Datasets (QFDs) and, thus, allow exposure of GCHQ tradecraft (GCHQ Analytic Cloud Challenges, 13).

VIEWER – This is an operational collection tool created by JTRIG that was awaiting field trial as of July 2012. The covername refers to a program that would hopefully provide advance tipoff of a kidnapper’s IP address for HMG personnel (JTRIG tools and techniques, 4).

VIKING PILLAGE – This is an operational collection tool created by JTRIG. The covername refers to a distributed network for the automatic collection of encrypted/compressed data from remotely hosted JTRIG projects (JTRIG tools and techniques, 4).

VIPERTONGUE – This is an effects capability tool created by JTRIG that was ready to fire, subject to targeting restrictions. The covername refers to a tool that will silently conduct denial of service calls towards a satellite phone or GSM phone (JTRIG tools and techniques, 6).

VISAGE

VORPAL SWORD


W

WARPATH – This is an effects capability tool created by JTRIG that was ready to fire. The covername refers to the mass delivery of SMS messages to support an Information Operations campaign (JTRIG tools and techniques, 6).

WARRIORPRIDE – This covername refers to the CSE-created exploit set designed to initially target mobile devices. CSE and GCHQ worked to port WARRIORPRIDE to the Android platform and completed the activity in the third quarter of 2010 (Mobile Briefing, 6). See also CSE Covernames.

WATCHTOWER – This is an operational engineering tool created by JTRIG. The covername refers to the GCNET to CERBERUS export gateway interface system (JTRIG tools and techniques, 2).

WAXTITAN – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).

WAYGOOD

WHAMI – This covername refers to a system which, in tandem with RUFUS-bis, is used to target specific areas of interest and produce GSM tower data with high quality metadata unique to the tower. RUFUS is used as part of the DYMO prototype tool (Site Updates (OPA-MHS-[REDACTED]), 1).

WHARFRAT

WHIPSAW – This covername refers to a redirect and exploitation server. In 2010, GCHQ intended to use the server to implant WARRIORPRIDE directly on target iPhones, but the WHIPSAW exploit was only available on the ADSL lines which were tasked at the time (iPhone target analysis and exploitation with unique device identifiers, 9).

WHITERAVEN

WILDCOUGAR – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).

WIND FARM – This is an in-design engineering tool created by JTRIG. The covername refers to a research and design offsite facility (JTRIG tools and techniques, 2).

WOODCUTTER

WURLITZER – This is a shaping and honeypots capability created by JTRIG. The covername refers to the ability to distribute a file to multiple file hosting websites (JTRIG tools and techniques, 8).


X

XKEYSCORE (XKS) – XKEYSCORE is a computer-network exploitation system that combines high-speed filtering with SIGDEV. XKEYSCORE performs filtering and selection to enable analysts to quickly find information they need based on what they already know, but it also performs SIGDEV functions such as target development to allow analysts to discover new sources of information (TEMPORA — “The World’s Largest XKEYSCORE” — Is Now Available to Qualified NSA Users, 3). IT Services will not provide new accounts for this database unless the user completes the appropriate mandatory operational legalities training, and records it in iLearn (Cyber Defence Operations Legal and Policy, 15). See also: NSA Covernames.


Z

ZAMENSIS – Used by NTAC to collect special source material, which is used by GCHQ (Source: The National Technical Assistance Centre).

ZooL – This covername refers to a database containing information pertaining to open source data for cyber defence. Datasets in ZooL include: alexa.com, user-agents.org, maxmind.com, ZeusTracker.abuse.ch, SpyEyeTracker.abuse.ch, amada.abuse.ch, torstatus.blutmagie.de, EmergingThreats.net, and ics.sans.edu (Open Source for Cyber Defence/Progress, 1).