GCHQ Covernames/Programs and Suggested Use/Implementation

This page contains a listing of covernames associated with the Government Communications Headquarters (GCHQ). GCHQ is responsible for providing signals intelligence (SIGINT) and information assurance services to the government and armed forces of the United Kingdom.

I have produced similar lists for Communications Security Establishment (CSE), Australian Signals Directorate (ASD), Government Communications Security Bureau (GCSB), and National Security Agency (NSA). You may also want to visit Electrospaces.net, which has also developed lists of covernames for some of the above-mentioned agencies.

In some cases, you may find that covernames are listed across different agencies. This results from how covername lists have often been created, which involved close reading of documents that were associated with different agencies and then listing covernames under the agency which authored the documents. In all cases, I would suggest you search across agency covername lists when researching a given covername.

All material provided below is derived from publicly available documents, books, and other resources. Descriptions of what the covernames mean or refer to are done on a best-effort basis; if you believe there is additional publicly referenced material derived from GCHQ documents which could supplement descriptions, please let me know. Entries will be updated periodically as additional materials become available.

Last updated January 12, 2023.


#

8BALL

A

ABSOLINEEPILSON – This covername refers to the target of a CNE end point operation (iPhone target analysis and exploitation with unique device identifiers, 3).

ACCUMULO

ACRIDMINI – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).

ACTORACTION – This covername refers to an Interface Control Document (ICD) which provides a generic schema that allows for different types of events to be captured. It was initially intended for presence (HARD ASSOC, EVOLVED MUTANT BROTH) and communications (SOCIAL ANTHROPOID) events. However, a range of protocols and applications were being adapted to the AA format, including email, messaging, VoIP, GTP, and general apps (including Google Mobile Maps and Blackberry) (Event (SIGINT), 4-5).

AIRBAG – This covername refers to an operational engineering tool created by JTRIG, to be used as a laptop capability for field operations (JTRIG tools and techniques, 2).

AIRWOLF – This covername refers to a beta-release collection tool created by JTRIG for YouTube profile, comment, and video collection (JTRIG tools and techniques, 3).

ALLIUMARCH – This covername refers to an operational engineering tool created by JTRIG. It facilitates the JTRIG UIA via the Tor Network (JTRIG tools and techniques, 2).

ALPHACENTAURI

ALPINEBUTTERFLY

AMBULANT – This covername refers to an ECI that was used, in part, to protect the technical and operational details associated with BULLRUN (BULLRUN, 6).

ANCESTRY – This covername refers to a fully operational collection tool created by JTRIG for discovering the creation date of Yahoo selectors (JTRIG tools and techniques, 3).

ANDROMEDA

ANGRYPIRATE – This covername refers to an effects capability tool created by JTRIG that, as of July 2012, was ready to fire—though it possessed targeting restrictions. ANGRYPIRATE was to permanently disable a target’s account on their computer (JTRIG tools and techniques, 5).

ANTICRISISGIRL – This covername refers to a program that was designed to provide targeted website monitoring using passive collection. It was a customized Piwik and was integrated into GCHQ’s GTE division’s passive capabilities. The example provided in one document is of Wikileaks, and tracking inbound and outbound link clicks, as well as numbers of visitors (Psychology: A New Kind of SIGDEV, 33-34).

ANXIOUS – This covername refers to a methodology that entailed creating an XKEYSCORE (XKS) fingerprint for the UK IP addresses of potential victim networks in order to tag SIGINT traffic that related to these networks. The traffic could then be searched in conjunction with a signature to look for evidence of known electronic attack on targeted companies’ networks (Cyber Defence Operations Legal and Policy, 8).

APERTURESCIENCE – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).

APPARITION (APN) – This covername refers to a system which provided very small aperture terminal (VSAT) geolocation and mapping information. APPARITION was used for target development and survey work, with its information derived from Internet Protocol information as well as Cross Access Regional Development (CARD) Comsat sites. These sites included: LADYLOVE (Misawa), JACKNIFE (west coast USA), MOONPENNY (Menwith Hill Station), and CARBOY (Bude Station) (APPARITION/GHOSTHUNTER Tasking Info, 1).

AQUILA

ARCADECONCERT – This covername refers to an operation (Cyber Defence Operations Legal and Policy, 11).

ARCANO

ARSENIDE

ARSONSAM – This was an effects capability tool created by JTRIG that was ready to fire, but not against live targets because it was an R&D tool. ARSONSAM was a tool to test the effect of certain types of PDU SMS messages on phones and networks. It also included PDU SMS Dumb Fuzzing testing (JTRIG tools and techniques, 5).

ARTEMIS

ASTRALPROJECTION – This covername refers to an operational engineering tool created by JTRIG. It was associated with using Tor hidden services to establish a remote GSM secure covert internet proxy (JTRIG tools and techniques, 2).

AURA

AUTOASSOC – This covername refers to a Question Focused Dataset (QFD) (Black Hole Analytics, 6). The metadata-focused database (Next Generation Events, 5) was used to find other identifiers for the target (Black Hole Analytics, 8) by matching bulk and unselected event-based Target Description Identifiers (TDIs) with one another and producing a confidence score of which TDIs have been seen at the same time from the same IP addresses as IP addresses from other TDIs (Blazing Saddles, 2). At one point in time, the database retained data for 6 months and consumed 0.1 TB of disk space (Data Stored in BLACK HOLE, 2). Information in AUTOASSOC included presence events (Event (SIGINT), 4). The intent behind AUTOASSOC was to find out when multiple TDIs belong to the same user or machine (HIMR Data Mining Research Problem Book, 40).

AUTOTDI

AWKWARDTURTLE – This covername refers to a ‘recommender’ system designed to detect possible terror suspects based on their HTTP activity (“ICTR Cloud Efforts”, 14).

AXLEGREASE – This covername refers to an operational engineering tool created by JTRIG, and relates specifically to the covert banking link for CPG (JTRIG tools and techniques, 2).

B

B17 – This refers to the GCHQ’s Data Mining Applied Research team (Review of VisWeek 2008, 1). Their proposed projects included a technique for finding cross-media timing patterns, and a technique which incorporates the CLASP algorithm (PullThrough Steering Group Meeting #16, 1).

B3M – IT Services will not provide new accounts for this database unless the user completes the appropriate mandatory operational legalities training, and records it in iLearn (Cyber Defence Operations Legal and Policy, 15).

BABELFISH

BABYLON – This was an analysis tool created by JTRIG, that bulk queries webmail addresses and verifies whether they can be signed up for. A green tick indicates that the address is currently in use. As of July 2012, verification could be done for Hotmail and Yahoo (JTRIG tools and techniques, 7).

BADASS – This acronym refers to BEGAL Automated Deployment And Survey System (Mobile apps doubleheader: BADASS Angry Birds, 3).

BADGER – This is an effects capability tool created by JTRIG that was ready to fire as of July 2012, and refers to mass delivery of email messaging to support an Information Operations campaign (JTRIG tools and techniques, 5).

BAKERSDOZEN (BAKER’S DOZEN) – This covername refers to a technique for finding batches in near-sequential phone numbers that displayed causal behaviour (HIMR Data Mining Research Problem Book, 27).

BALLOONKNOT – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and was incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).

BASSQUEST

BEARDEDPIGGY

BEARSCRAPE – This was a forensic exploitation capability created by JTRIG, and refers to a capability to extract WiFi connection history (MAC and timing) when supplied with a copy of the registry structure or run on the box (JTRIG tools and techniques, 7).

BEARTRAP – This is an operational collection tool created by JTRIG which was fully operational in July 2012. More specifically, BEARTRAP refers to bulk retrieval of public BEBO profiles from member or group ID (JTRIG tools and techniques, 3).

BEGAL – BEGAL is an automated deployment and survey system (Mobile apps doubleheader: BADASS Angry Birds, 3) that uses Target Description Identifiers (TDIs) which are then used as part of UNIQUELYCHALLENGED (Mobile apps doubleheader: BADASS Angry Birds, 16) to apply rules and collect content and metadata of interest (Mobile apps doubleheader: BADASS Angry Birds, 53-57) that pass along 10G links (Mobile apps doubleheader: BADASS Angry Birds, 6 and 16).

BERRYTWISTER (BERRYTWISTER+) – This was a pilot engineering tool created by JTRIG, and refers to a sub-system of FRUITBOWL (JTRIG tools and techniques, 2).

BIGBUS

BIRCH – This covername refers to a kind of data clustering (HIMR Data Mining Research Problem Book, 94).

BIRDSEED – This covername refers to a tool designed to use the Twitter API and filter for updates from known malware and security researchers (Open Source for Cyber Defence/Progress, 1).

BIRDSONG – This was a decommissioned collection tool created by JTRIG which was replaced by SYLVESTER. The BIRDSONG covername refers to automated posting of Twitter updates (JTRIG tools and techniques, 3).

BIRDSTRIKE – This covername refers to a tool designed by JTRIG that scraped Twitter for a handful of IDs (e.g., for a handful of Twitter accounts of known malware and vulnerability researchers) and did not repeat; information collected using BIRDSTRIKE required datamining (Open Source for Cyber Defence/Progress, 1). More generally it involved Twitter monitoring and profile collection (JTRIG tools and techniques, 3).

BISHOP

BLACKCAT – This covername refers to an HTTP interface for BLACK HOLE (Next Generation Events (NGE) — BLACK HOLE ConOp, 6). It was responsible for returning the list of files that were found using BLACKFIND to an analyst or user (Next Generation Events (NGE) — BLACK HOLE ConOp, 11).

BLACKFIND – This covername refers to an interface for BLACK HOLE (Next Generation Events (NGE) — BLACK HOLE ConOp, 6). It involved sending a list of criteria (e.g. data type, date) and returning a list of files that met the criteria. BLACKCAT was responsible for streaming files to the analyst (Next Generation Events (NGE) — BLACK HOLE ConOp, 11).

BLACKHOLE – This covername refers to the large flat file storage repository where GCHQ data resides after initial processing, and before being manipulated and correlated and loaded into Question Focused Dataset (QFD) tables (Black Hole Analytics, 6). It contained: webmail, email transfers, chat, Internet browsing, website logins, vbulletin web fora, webcams, gaming, social networking, and other events (Data Stored in BLACK HOLE, 1). BLACK HOLE was seen as enabling a range of activities, including: new QFDs to be rapidly prototyped and added to operational QFD suites, trialling new bulk analysis ideas, introducing new data sources to QFDs very quickly, looking for particular patterns and behaviours for target discovery, and providing access to more data for research purposes that might not be QFD related. BLACK HOLE was part of ROUGH DIAMOND (Demystifying NGE Rock Ridge, 8).

BLACKNIGHT – This covername refers to a method which could be used by TERRAIN for selection (PRESTON Architecture (Version 3.0), 32). BLACKNIGHT selectors could be used to reduce data intake rates to the PRESTON system. It was not supported any longer, as of 2007, and was not expected to support data from high-bandwidth sources.

BLAZINGSADDLES (BzS) – This was a covername for an Internet profiling development project undertaken by Next Generation Events (NGE). The goal was to take internal GCHQ research and apply it to process events at scale. This entailed a “significant effort on End-to-End Sigint process” (Next Generation Events, 4).

BLOODHOUND – Designed to detect electronic attacks, such as those which were distributed and automated in nature (“ICTR Cloud Efforts”, 28).

BLUESHIFT

BOMBBAY – This was an effects capability tool created by JTRIG that was in development in July 2012, and was to provide the capability to increase website hits and rankings (JTRIG tools and techniques, 5).

BOMBAYROLL – This was an operational engineering tool created by JTRIG, which referred to JTRIG’s legacy UIA standalone capability (JTRIG tools and techniques, 2).

BOSTROM

BOXSTER – This covername refers to a legacy circuit switched and line access solution (PRESTON Architecture (Version 3.0), 5).

BOUNCER – Used by NTAC to collect special source material, which was used by the GCHQ (The National Technical Assistance Centre, 3).

BRANDYSNAP – This was an engineering tool created by JTRIG and referred to JTRIG’s UIA contingency in Scarborough. In July 2012, BRANDYSNAP was in the implementation state (JTRIG tools and techniques, 2).

BRIGHTON – This covername could be used for legacy delivery for the TERRAIN system (PRESTON Architecture (Version 3.0), 32).

BRIO – This covername was associated with SALAMANCA. As of October or November 2010, BRIO was storing near real-time data for 3 days, while getting extra TERRAIN feeds from Bude Station and Sounder (in Cyprus) (Events Product Centre, 7-8).

BROADOAK – This covername refers to “GCHQ’s targeting database” which provided selectors to front-end processing systems so that those systems could determine whether to process content; example selectors might have included telephone numbers, email address, IMEIs, or IP ranges. A selector whose communications were being targeted was said to be ‘on cover’ (HIMR Data Mining Research Problem Book, 10; iPhone target analysis and exploitation with unique device identifiers, 5). Users had to justify and review the retention of information which had been collected, including the justification of each targeting selector (Operational Legalities, 27).

BROKER

BUGSY – This was a collection tool created by JTRIG, in early development in July 2012. More specifically, BUGSY refers to Google+ collection (circles, profiles, etc) (JTRIG tools and techniques, 3).

BULLRUN – This covername refers to a decryption capacity that was used by Five Eyes SIGINT agencies (GCHQ-BULLRUN CoI–Briefing Sheet, 1). The capacity was used to exploit network communications that were encrypted, and included technologies such as: TLS/SSL, HTTPS, SSH, encrypted chat, VPNs, and encrypted VOIP (GCHQ-BULLRUN CoI–Briefing Sheet, 2). BULLRUN decrypts were possible due to the NSA’s efforts to “make major improvements in defeating networks security and privacy” using a variety of sources and methods, including: Computer Network Exploitation (CNE), collaboration with other intelligence agencies, investment in high-performance computers, and the development of advanced mathematical techniques (GCHQ-BULLRUN CoI–Briefing Sheet, 1). Access to BULLRUN did not mean that individuals needed to know the details of how sources and methods used to exploit communications operated (GCHQ-BULLRUN CoI–Briefing Sheet, 2). All decrypts from BULLRUN had to be marked with the label, “BULLRUN” and all BULLRUN marking was restricted to the GCHQ and its SIGINT Second Parties (GCHQ-BULLRUN CoI–Briefing Sheet, 2).

BUMBLEBEEDANCE – This was an operational engineering tool created by JTRIG, which referred to JTRIG operational virtual machine and Tor architecture (JTRIG tools and techniques, 2).

BUMPERCAR – BUMPERCAR operations were used to disrupt and deny Internet-based terror videos or other material (JTRIG tools and techniques, 5).

BUMPERCAR+ – This was an effects capability tool created by JTRIG that was ready to fire in July 2012. The covername refers more specifically to an automated system developed by JTRIG CITD to support JTRIG BUMPERCAR operations. BUMPERCAR operations were used to disrupt and deny Internet-based terror videos or other material. The technique employed the services provided by upload providers to report offensive materials (JTRIG tools and techniques, 5).

BURLESQUE – This was an effects capability tool created by JTRIG that was ready to fire in July 2012. The covername refers specifically to the capability to send spoofed SMS text messages (JTRIG tools and techniques, 5).

BUZZ – This covername refers to an ICTR research cluster (HIMR Data Mining Research Problem Book, 62).

BYSTANDER – This was a database created by JTRIG, and refers to a categorization database that was accessed via web services (JTRIG tools and techniques, 7).

C

CADDIS – This is a SIS desktop (Mobile Networks in My NOC World, 3).

CADENCE – This NSA covername refers to a dictionary management process, whereby selectors such as those in BLACKNIGHT were used by the PRESTON system to select relevant identifiers in a lawful interception (PRESTON Architecture (Version 3.0), 37). See: NSA Covernames.

CAFFEINEHIT – This is a Question Focused Dataset (QFD) that was part of the ROCK RIDGE roll out by the Next Generation Events (NGE) group (Next Generation Events, 6).

CADWELLPARK

CANLEY – Used by NTAC to collect special source material, which was used by the GCHQ (The National Technical Assistance Centre, 3).

CANNONBALL – This was an effects capability tool created by JTRIG that was ready to fire as of July 2012. The covername refers to the capability to send repeated text messages to a single target (JTRIG tools and techniques, 5).

CARBONROD

CARBOY – This covername refers to a GCHQ COMSAT access location (COMSAT Snippet) located at Bude Station (APPARITION/GHOSTHUNTER Tasking Info, 1). This covername is prefaced with “KESSE” in “Operational Legalities” (35).

CASK – This covername refers to situational awareness for the 2012 Olympics in London (HIMR Data Mining Research Problem Book, 94).

CATSUP – Used by NTAC to collect special source material, which was used by the GCHQ (The National Technical Assistance Centre, 3).

CERBERUS – This was an operational engineering tool created by JTRIG. The covername referred to JTRIG’s legacy UIA desktop which was, as of July 2012, soon to be replaced with FORESTWARRIOR (JTRIG tools and techniques, 2).

CHAINGUARD

CHANGELING – This is a techniques capability created by JTRIG. The covername referred to the ability to spoof any email address and send email under that identity (JTRIG tools and techniques, 8).

CHARTBREAKER – This covername refers to research that initially looked at handling the multiple scores derived from the email communication hypergraph. This scoring was being extended to handle multiple communications mediums as part of FIRSTCONTACT in 2011 (HIMR Data Mining Research Problem Book, 21).

CHEYENNEMOUNTAIN

CHEYENNEMOUNTAIN2

CHINESEFIRECRACKER – This was an effects capability tool created by JTRIG that was ready to fire as of July 2012. The covername referred to overt brute login attempts against online forums (JTRIG tools and techniques, 5).

CHOKEPOINT

CHORDAL – This was a COI that protected raw network communication data collected via special source collection (HIMR Data Mining Research Problem Book, 9).

CIA QUINCY

CIRCUIT

CLEANSWEEP – This was an effects capability tool created by JTRIG that was ready to fire as of July 2012, though SIGINT sources were required. The covername referred to the ability to masquerade Facebook wall posts for individuals or entire countries (JTRIG tools and techniques, 5).

CLOTHO2

CLOUDBASE

CLOUDYCOBRA – This covername was described as a glorified grep (Global regular expression print) driven by a GUI; it found events that contained user search terms (GCHQ Analytic Cloud Challenges, 10).

CLUMSYBEEKEEPER – This was an effects capability tool created by JTRIG that was not ready to fire as of July 2012. The covername referred to some work in process to investigate IRC effects (JTRIG tools and techniques, 5).

COLLATERAL

COMBINEHARVESTER

COMET – This covername refers to a recipe for learning and using large ensembles on massive data (HIMR Data Mining Research Problem Book, 85).

CONCRETEDONKEY – This was an effects capability tool created by JTRIG that was in development in July 2012. The covername refers to the capability to scatter an audio message to a large number of telephones, or repeatedly bomb a target number with the same message (JTRIG tools and techniques, 5).

CONDONE – Used by NTAC to collect special source material, which was used by the GCHQ (The National Technical Assistance Centre, 3).

CONDUIT – This is a database created by JTRIG. The covername refers to a database of C2C identifiers for Intelligence Community assets acting online, either under alias or in real name (JTRIG tools and techniques, 7).

CONTENTCLOUD – This covername refers to a GCHQ repository, which was a source for SPAY and GORDIAN KNOT type data (Cyber Defence Operations Legal and Policy, 3-4).

CONTRAOCTAVE

CONVERSIONQUEST – A COMSAT programme under the umbrella of the SHAREDQUEST COMSAT modernization program (COMSAT Snippet).

COPPERHEAD – This covername refers to a Computer Network Exploitation (CNE) attack box (Mobile Networks in My NOC World, 3).

CORINTH – This covername refers to a selector set used as part of the PRESTON lawful interception system (PRESTON Architecture (Version 3.0), 38). Entering information into CORINTH was required to justify targeting (Operational Legalities, 105) and used for auditing purposes (Operational Legalities, 101). CORINTH was replaced by BOT within the BROADOAK program (Operational Legalities, 105).

COUNTRYFILE – This was an operational engineering tool created by JTRIG. The covername refers to a sub-system of JAZZFUSION (JTRIG tools and techniques, 2).

COURIERSKILL

CRAN

CRINKLECUT – This covername refers to a tool developed by ICTR-CISA to enable JTRIG to track images as part of SPACEROCKET (JTRIG tools and techniques, 8).

CROSSEYEDSLOTH – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).

CROUCHINGSQUIRREL – This covername refers to a way of detecting botnets (HIMR Data Mining Research Problem Book, 41) by filtering and classifying using behavioural vector analysis (HIMR Data Mining Research Problem Book, 86).

CROWNPRINCE – This covername refers to a technique for identifying Apple UDIDs in HTTP traffic (iPhone target analysis and exploitation with unique device identifiers, 1) and likely included extracting the identifier from Yahoo! Admob traffic and other sources (iPhone target analysis and exploitation with unique device identifiers).

CRYINGFOWL – This was an enrichment source for IMMINGLE (Events Product Centre, 4).

CRYOSTAT – This was an analysis tool created by JTRIG. Specifically, CRYOSTAT ran against data held in NEWPIN. It then displayed this data in a chart to show links between targets (JTRIG tools and techniques, 7).

CULTWEAVE – This was an event source for IMMINGLE (Events Product Centre, 4).

CYBER COMMAND CONSOLE – This was a workflow management tool created by JTRIG, and refers to a centralized suite of tools, statistics, and views for tracking current operations across the Cyber community (JTRIG tools and techniques, 6).

D

DAILYMOTION

DANCINGBEAR – This was a fully operational collection tool created by JTRIG, and refers to a tool which obtains the locations of WiFi access points (JTRIG tools and techniques, 3).

DAPINOGAMMA

DAREDEVIL – This covername refers to GCHQ’s scalable, flexible, and portable CNE platform that paralleled the Canadian WARRIORPRIDE program. Some plugins were used for machine recon and operational security assessments, as well as for counter computer network operations. Specifically, the plugins enabled machine reconnaissance, implant detection, rootkit detection, file identification and retrieval, DNS analysis, and network sniffing and characterization (CSE SIGINT Cyber Discovery: Summary of the current effort, 8).

DARKFIRE – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).

DARKQUEST

DATAFLOWCAB – This covername refers to a system used by researchers within the GCHQ to request MAILORDER data feeds for BLACK HOLE (Next Generation Events, 8).

DEADPOOL – This was a shaping and honeypots capability created by JTRIG. Specifically, DEADPOOL refers to a URL shortening service (JTRIG tools and techniques, 8).

DEADSEA

DEBITCARD

DEERSTALKER – This was an effects capability tool created by JTRIG that was ready to fire as of July 2012. The covername refers to the ability to aid geolocation of satellite phones/GSM phones via silent calling to the phone (JTRIG tools and techniques, 5).

DEVILSHANDSHAKE – This was a fully operational collection tool created by JTRIG, which specifically refers to an ECI data technique (JTRIG tools and techniques, 3).

DIALd – This was an operational engineering tool created by JTRIG, and refers to an eternal internet redial and monitor daemon (JTRIG tools and techniques, 2).

DICING – This covername refers to an operation (Cyber Defence Operations Legal and Policy, 11).

DIRTYDEVIL – This is an in-design engineering tool created by JTRIG. DIRTYDEVIL refers to JTRIG’s research network (JTRIG tools and techniques, 2).

DIRTYRAT

DISCOVER – This covername refers to the GCHQ’s document repository (HIMR Data Mining Research Problem Book, 65).

DISTILLERY – This covername refers to a stream processing platform which enabled near real-time processing of data (HIMR Data Mining Research Problem Book, 11).

DOGHANDLER – This was an in-design engineering tool created by JTRIG. The covername refers to JTRIG’s development network (JTRIG tools and techniques, 2).

DONKEYKONG

DRAGONSSNOUT – This was a beta release collection tool created by JTRIG. The covername refers to Paltalk group chat collection (JTRIG tools and techniques, 3).

DREAMYSMURF – This covername was for an iPhone specific plugin that the GCHQ used to manage or analyze power management (Capability – iPhone).

DYMO – This covername refers to a prototype tool for directed GSM tower geolocation that was to allow for greater accuracy for high resolution results (Site Updates (OPA-MHS-[REDACTED]), 1).

E

E-BEAM

EARTHLING

ECHELON – An agreement that, in part, involved the NSA purchasing COMSAT assets that the GCHQ was subsequently responsible for providing service and support for (COMSAT Snippet).

ELATE – This was an analysis tool created by JTRIG. The covername refers to a suite of tools for monitoring target use of the UK site eBay (www.ebay.co.uk). These tools were hosted on an Internet server and could be retrieved by encrypted email (JTRIG tools and techniques, 7).

ENCHANTRESS – This covername refers to a system used for content selection (Mobile apps checkpoint meeting archives, 17).

EPICFAIL – Identified careless use of TOR networks (GCHQ Analytic Cloud Challenges, 10).

EREPO – This was a covername for router operations. EREPO provided access to in-country collection through the exploitation of routers, and provided crypt material, event tip-offs, and target metadata (GCHQ CNE Presentation, 14).

EREPOGAMMA

ERIDANUS

ESCHAR

EVERYASSOC – Used for Target Description Identifier (TDI) alternative identifier scoring (“ICTR Cloud Efforts”, 7) that engaged in user/machine correlations from computer to computer presence (GCHQ Analytic Cloud Challenges, 10).

EVERYCIPHER – Held user/machine cipher events (GCHQ Analytic Cloud Challenges, 10).

EVERYCREATURE – Held user/machine search terms (GCHQ Analytic Cloud Challenges, 10).

EVERYeAD – Held user/machine electronic attack patterns (GCHQ Analytic Cloud Challenges, 10).

EVERYPOLICE – Held user/machine website visits (GCHQ Analytic Cloud Challenges, 10).

EVOLVEDMUTANTBROTH – This covername refers to a Question Focused Dataset (QFD) (Black Hole Analytics, 6). The database was used to create a profile of a target’s online activities alongside telephony (Black Hole Analytics, 9). Specifically, it was used to identify when certain Target Description Identifiers (TDIs) appeared in traffic which indicated target usage and location. Telephony and computer-to-computer data provided the converged view. This QFD responded to the question of: “Where has my target been? What kind of communications devices has my target been using?” (GCHQ Analytic Cloud Challenges, 5).

EVOLVEDSOCIALANIMAL – This covername refers to a Question Focused Dataset (QFD) (Black Hole Analytics, 6). The database was used to create a social network including telephony (Black Hole Analytics, 9).

EXCALIBUR – This was a fully operational collection tool created by JTRIG that worked against the current version of Paltalk in 2012. The covername refers to a tool which acquired a Paltalk UID and/or email address from a screen name (JTRIG tools and techniques, 3).

EXPOW – This was an operational engineering tool created by JTRIG. The covername refers to GCHQ’s UIA capability provided by JTRIG (JTRIG tools and techniques, 2).

F

FASCIA – See NSA covernames.

FASTGROK – This covername refers to a selection engine, similar to BLACKNIGHT, which was developed as part of TERRAIN 9 to replace six other selection engines (PRESTON Architecture (Version 3.0), 38); FAST GROK was meant to deprecate all others in use for TERRAIN. It worked with selector sets, such as TACHO, CORINTH, and TRAFFIC MASTER, as well as a dictionary format (PRESTON Architecture (Version 3.0), 38).

FATYAK – This was an in-development collection tool created by JTRIG. The covername refers to a tool which collects public data from LinkedIn (JTRIG tools and techniques, 3).

FARNDALE – Held survey or target development data for analysis (PRESTON Architecture (Version 3.0), 22); TERRAIN was responsible for sending at least some of this data. FARNDALE was a local repository of survey data, to ensure that it does not burden delivery networks or collection systems associated with TERRAIN. “_KESSE” is appended to this covername in “Operational Legalities” (35).

FEDEX

FIREANT – This was an open source visualization tool (Psychology: A New Kind of SIGDEV, 42).

FIREENGINE – This covername refers to a question-based system that enabled federated access to events and reference data sources, and which was accessible using the LOOKING GLASS client platform (GCHQ Analytic Cloud Challenges, 11).

FIRESTORM

FIRSTCONTACT – Held first and second hop contact chains between seeds and targets (GCHQ Analytic Cloud Challenges, 10).

FIVEALIVE (5-Alive) – This covername refers to a bulk store of IP flow records, coupled with some simple analytics that summarized and visualized IP activity (“ICTR Cloud Efforts”, 27). This dataset had a record of each IP event seen, consisting of the 5-tuple (time stamp, source IP, source port, destination IP, destination port) plus some information on session length and size (HIMR Data Mining Research Problem Book, 11).

FLAMECARPET2

FLUIDINK – This covername refers to a subset of SOLID INK, but which was seen through the GCHQ’s SIGINT collection. It lacked in-country calls as compared to SOLID INK. The INK data set had four fields: timestamp, user-1, user-2, and a number (HIMR Data Mining Research Problem Book, 73-74).

FOGHORN – Was used to find non-targets using target machines (GCHQ Analytic Cloud Challenges, 10).

FORESIGHT

FORESTWARRIOR – This was an in-design engineering tool created by JTRIG. The covername refers to a desktop replacement for CERBERUS (JTRIG tools and techniques, 2).

FOXTRAIL

FRACTALJOKER – This program presented statistical information to analysts, with the information having been derived from MVR/PPF, GORDIAN KNOT, XKEYSCORE, SAMUEL PEPYS, and ALPINE BUTTERFLY. In the process it granted a ‘wide’ vision of data by collecting SIGINT and Information Assurance-related data (The Tale of Two Sources, 16). It was designated as a mission management dashboard (NDIST 5-a-day, 1).

FRACTALWEB

FREEFORM

FRUITBOWL – This was a design-stage engineering tool created by JTRIG. The covername refers to the CERBERUS UIA replacement and new tools infrastructure (JTRIG tools and techniques, 2).

FUMECUPBOARD – A native file viewer that was part of the XKS and TINT Bude experiments (Next Generation Events, 10).

FUNFAIR

FUSEWIRE – This was a fully operational collection tool created by JTRIG. The covername refers to a tool which provided 24/7 monitoring of VBulletin forums for target postings/online activity. It also allowed staggered postings to be made (JTRIG tools and techniques, 3).

G

GAMBIT – This was an effects capability tool created by JTRIG that was in development. The covername refers to a deployable pocket-sized proxy server (JTRIG tools and techniques, 5).

GATEWAY – This was an effects capability tool created by JTRIG that was ready to fire as of July 2012. The covername refers to the ability to artificially increase traffic to a website (JTRIG tools and techniques, 5).

GENESIS – A language that was used by analysts to query the GCHQ’s TEMPORA, which was a large-scale instantiation of XKEYSCORE (TEMPORA — “The World’s Largest XKEYSCORE” — Is Now Available to Qualified NSA Users, 2).

GENTIAN – This covername refers to a legacy circuit switched and line access solution (PRESTON Architecture (Version 3.0), 5).

GEOFUSION – This covername refers to a system used by the GCHQ to conduct Internet Protocol (IP) Geolocation (What is HACIENDA?, 1).

GEORGELET

GERONTIC

GESTATOR – This was an effects capability tool created by JTRIG. The covername refers to the amplification of a given message, normally video, on popular multimedia websites such as YouTube (JTRIG tools and techniques, 5).

GHOSTHUNTER (GH) – This covername refers to a system designed to provide very small aperture terminal (VSAT) geolocation and mapping information. Systems for GHOSTHUNTER were located at Menwith Hill Station (MHS) and SOUNDER, and the information was used for high priority tasking and support for operations. GHOSTHUNTER was used to provide the geolocation of modems of interest, and was capable of narrowing modems of interest by geographic region, as well as all modems proximate to a modem of interest (APPARITION/GHOSTHUNTER Tasking Info, 1-2).

GLAIVE – See NSA covernames.

GLASSBACK – This was a fully operational collection tool created by JTRIG. The covername refers to a technique of getting a target’s IP address by pretending to be a spammer and ringing them. The target did not need to answer (JTRIG tools and techniques, 3).

GLITTERBALL – This was an effects capability tool created by JTRIG that was in development. The covername refers to online gaming capabilities for sensitive operations, with development focusing at the time (July 2012) on Second Life (JTRIG tools and techniques, 5).

GLOBALREACH – See NSA covernames.

GLOBALSURGE – This covername refers to the Network Analysis Centre’s (NAC) network knowledge base prototype. It included data which was collected using the HACIENDA program (What is HACIENDA?, 7).

GODFATHER – This was a fully operational collection tool created by JTRIG. The covername refers to a method of publicly collecting data from Facebook (JTRIG tools and techniques, 3).

GOLDENAXE – This covername refers to an events-based Question Focused Dataset (QFD) that recorded IMEI defeats, and the severity score and associated correlations for the IMEI. The database was planned to include IMSI, MSC_GT, and VLR_GT selectors sometime in the future (Blazing Saddles, 4). It was described by the GCHQ as being used to generate a list of suspected clone mobile phones using an IMEI grey list (GCHQ Analytic Cloud Challenges, 10).

GOLDENEYE

GOLDENEYE2

GOLDMINE – This covername refers to a cyber/content cluster that was available to HIMR researchers (HIMR Data Mining Research Problem Book, 61).

GOOB

GOOBZS – This refers to a Query Federator for Question Focused Datasets (QFDs) (ROCK RIDGE – Next Generation Events, 4).

GOODFELLA – This was a collection tool created by JTRIG that was under development in July 2012 and supported RenRen and Xing. The covername refers to a generic framework for public data collection from online social networks (JTRIG tools and techniques, 3).

GOOGLEFUSION

GORDIANKNOT (GK) – This data type included unselected Information Assurance (IA) data. It is not clear how long this data was retained: on the one hand, under XKS, it could be stored for 6 months and under RIPA for 2 years. When the data was derived purely from GORDIAN KNOT the metadata was retained for 6 months; when it was derived from XKS and Content Cloud, in contrast, it was only stored for 30 days (Cyber Defence Operations Legal and Policy, 3-4). Data collected came from 6 full-take sources, GSI logs, local input sensors, and SPAY. It was linked with XKS and FRACTALJOKER (The Tale of Two Sources, 19).

GRASP

GREENHEART

GREYFOX – This covername refers to a dataset which held country-level summaries of where identifiers were observed (GCHQ Analytic Cloud Challenges, 10).

GRINNINGROACH – This covername refers to a tool for visualizing SIGINT events and was used to produce pattern of life events (HIMR Data Mining Research Problem Book, 38).

GUIDINGLIGHT – GUIDINGLIGHT possessed MI information types/volume of traffic on the bearer (GCHQ Analytic Cloud Challenges, 10). It was a Question Focused Dataset (QFD) that was meant “[t]o understand the traffic seen on Next Gen Events bearers.” It was receiving data from Bude station, including from SWORDPLAY. New fields had been added and there were plans to expand targeting data (from BROAD OAK), incorporate functionality from REFORMER, add additional feeds, and link to ARTEMIS (Events Product Centre, 18-36).

GUILTYSPARK – This was associated with template-based targeting methods (Full-Spectrum Cyber Effects: SIGINT Development as an enabler for GCHQ’s “Effects” mission, 16).

GURKHASSWORD – This was a techniques capability created by JTRIG. The covername refers to beaconed Microsoft Office documents which were intended to elicit a target’s IP address (JTRIG tools and techniques, 8).

H

HACIENDA – This tool was used for the GCHQ’s bulk port scanning (Automated NOC Detection, 19). More specifically, HACIENDA was a fully operational port scanning tool used by JTRIG to scan an entire country or city. It used GEOFUSION to identify IP locations. Banners and content were pulled back on certain ports. Content was put into the EARTHLING database, and all other scanned data was sent to GNE and made available through GLOBALSURGE and Fleximart (JTRIG tools and techniques, 3). Data collected using HACIENDA was used for computer network exploitation (CNE) activities as well as discovery activities. CNE activities were designed to conduct vulnerability assessment of systems and networks, as well as to detect systems which might be exploited as operational relay boxes (ORBs). In terms of discovery activities, HACIENDA was used for network analysis as well as target discovery (What is HACIENDA?, 7).

HAGERAWEL – This refers to the Hadoop-based Bude events cluster. It was available to HIMR researchers (HIMR Data Mining Research Problem Book, 61).

HAKIM – This was a research prototype designed to function as a considered database with multiple indexes and flexible additions. Specifically, HAKIM facilitated the unification of data, such that associated data was kept together, as well as quick and flexible additions of new data types and indexes, while being scalable and cost-effective. It could be converged with the HADOOP stack, HBASE/ACCUMULO (GCHQ Analytic Cloud Challenges, 20).

HALTERHITCH – This covername refers to a signature management system and replaced a previously used system (CSE SIGINT Cyber Discovery: Summary of the current effort, 18). Further, HALTERHITCH was used to record IP addresses, likely domestic UK ones, that were used in the course of targeting parties attacking domestic infrastructure (Cyber Defence Operations Legal and Policy, 8). It was also to be used for targeting processes; in 2010, there were plans to open the SIGINT-related HALTERHITCH program to ITS for signature sharing as well as with Five Eyes partners to retrieve signatures (CSE SIGINT Cyber Discovery: Summary of the current effort, 18). Broadly the information retained in HALTERHITCH was internally regarded as signature storage (The Tale of Two Sources, 14), and included Snort and Squeal signatures (NDIST 5-a-day, 1).

HANGERLANE

HAPPYTRIGGER – This covername refers to a database containing structured datasets. Information in the database included that from: Alexa.com, user-agency.org, nsurl.nist.gov, maxmind.com, zeustracker.abuse.ch, SpyEyeTracker.abuse.ch, amada.abuse.ch, torstatus.blutmagie.de, EmergingThreats.net, MalwareDomainList.com, ics.sans.edu, and POSITIVE PONY (Open Source for Cyber Defence/Progress, 1-2).

HARBOURPILOT – This was the covername under NGE for a development effort to standardize, and share, enriched metadata with Five Eyes partners (Next Generation Events, 4).

HARDASSOC – This covername refers to a Question Focused Dataset (QFD) (Black Hole Analytics, 6). The database was used to find alternative identifiers across telephony and the Internet (Black Hole Analytics, 9). More specifically, it provided strongly correlated selectors for both computer-to-computer and telephony traffic taken from Target Description Identifiers (TDIs) appearing in the same packet. It was used to answer the question: “Are there any alternative computer-to-computer or telephony selectors for my target?” (GCHQ Analytic Cloud Challenges, 5).

HARDY – This was a technology candidate for the ‘core’ of GCHQ’s analytic work. It would technically rest upon a HADOOP cluster with map/reduce and interactive query and analytics capabilities that likely used CLOUDBASE/ACCUMULO and reused NSA knowledge. HARDY would be used to promote data and summaries from the bulk stores and include categories of known target, known query, and some known target/unknown query. HARDY would be optimized for major use and data sharing, while providing resilience by duplicating important data. The issue, however, was that GCHQ had limited experience with CLOUDBASE/ACCUMULO and the promotion analytics and criteria were not developed (GCHQ Analytic Cloud Challenges).

HARUSPEX – This covername refers to sensors which were used to monitor attacks against UK systems based on known attack signatures. The signatures typically reflected attack vectors, infrastructure, or entity identifiers associated with attacks. In some cases UK-to-UK traffic could be collected if the attacker was using UK infrastructure (Intrusion Analysis/JeAC, 1).

HAUSTORIUM – Received Computer-to-Computer events from TERRAIN (PRESTON Architecture (Version 3.0), 22). Scheduled for decommission in October 2010 (Source: Mobile Apps — Checkpoint meeting Archives) and replaced by SOCIAL ANTHROPOID (Event (SIGINT), 2). It was used to retain metadata, and accessing this information did not require authorization when querying individuals in the UK. However, searches were logged and audited to ensure proportionality and necessity (Events Analysis – SALAMANCA, HAUSTORIUM, THUGGEE, IMMINGLE).

HAVOK – This was a techniques capability created by JTRIG. The covername refers to real-time website cloning techniques which allow for on-the-fly alterations (JTRIG tools and techniques, 8).

HBASE

HEADERS NU – This project involved targeting the Pakistani government/military secure network.

HEADMOVIES – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).

HEARTBEAT11

HELMAGE

HIASCO

HIDDENOTTER – This covername refers to an ICTR-NE prototype which tried to find temporal chains in communications data, and it was focused on finding things such as backhaul networks, TOR networks, and botnet structures (HIMR Data Mining Research Problem Book, 27).

HIDDENSPOTLIGHT – This covername refers to a vulnerability database (Open Source for Cyber Defence/Progress, 1).

HIGHLANDFLING – An operation that involved targeting Gemalto employees for Computer Network Exploitation (OP HIGHLAND FLING – Event Log).

HIGHNOTE – This covername refers to a Computer Network Exploitation (CNE) tool suite (Mobile Networks in My NOC World, 3).

HOLLOWPOINT

HOMEPORTAL – This was a workflow management tool created by JTRIG. The covername refers to the central hub for all JTRIG CERBERUS tools (JTRIG tools and techniques, 6).

HOOCH – Used by NTAC to collect special source material, which was used by the GCHQ (The National Technical Assistance Centre, 3).

HOPSCOTCH – This covername refers to a Question Focused Dataset (QFD) that may have been involved in performing analytics on contact pairs (HOPSCOTCH Snippet).

HOTLINE – This covername refers to a location where operational TERRAIN data was processed (PRESTON Architecture (Version 3.0), 31).

HOTWIRE – This covername refers to BGP/MPLS network effects (Full-Spectrum Cyber Effects: SIGINT Development as an enabler for GCHQ’s “Effects” mission, 18).

HRMap – This covername refers to a Question Focused Dataset (QFD) that aggregated events which revealed host-referrer relationships, such as how people got to websites – including links followed and direct accesses (Blazing Saddles, 2). The metadata-focused database (Next Generation Events, 5), at one point, stored 3 months of data and used 7 TB of disk space. GCHQ estimated it would take 14 TB of disk space to extend the retention period to 6 months (Data Stored in BLACK HOLE, 2). The HRMap QFD responds to the questions: “How do people get to my website of interest and where do they go next? What websites have been visited from a given IP?” (GCHQ Analytic Cloud Challenges, 5).

HUSK – This was a shaping and honeypots capability created by JTRIG. The covername refers to a secure one-to-one web-based dead drop messaging platform (JTRIG tools and techniques, 8).

HYPERION – See CSE covernames.

I

ICE – This is a collection tool created by JTRIG. The covername refers to a kind of advanced IP harvesting technique (JTRIG tools and techniques, 3).

IMMINGLE – IMMINGLE was used to retain metadata, and accessing this information did not require authorization when querying individuals in the UK. However, searches were logged and audited to ensure proportionality and necessity (Events Analysis – SALAMANCA, HAUSTORIUM, THUGGEE, IMMINGLE). More broadly, IMMINGLE was used to run queries based on seed identifiers (e.g. phone number, IMSI, IMEI, C2C). Queries could be enriched from a series of databases and analysts could specify the event stores they were interested in. IMMINGLE also offered a range of visualization options. Going forward, FASCIA GPRS flagging, HAUSTORIUM decommissioning, and next generation contact chaining trials were forthcoming; this trial may have held the cover name FIRE STORM (Events Product Centre, 3-6).

IMPERIALBARGE – This was an effects capability tool created by JTRIG that was tested. The covername refers to a method for connecting two target phones together in a call (JTRIG tools and techniques, 5).

INCENSOR (INCENSER) – This covername refers to a GCHQ Special Source (TEMPORA — “The World’s Largest XKEYSCORE” — Is Now Available to Qualified NSA Users, 2) that was sometimes used to tip QUANTUMBOT (DEFIANTWARRIOR and the NSA’s Use of Bots, 13). INCENSOR was associated with the SIGAD number DS-300 (GCHQ QUANTUMTHEORY, 10).

INFINITEMONKEYS – This covername refers to a Question Focused Dataset (QFD) (Black Hole Analytics, 6). This metadata-focused database (Next Generation Events, 5) retained Target Description Identifiers (TDIs) and VBulletin extractions. TDIs had a type (e.g. Yahoo-Y-cookie) and a value (e.g. tom123@yahoo.com) (Black Hole Analytics, 7). The database was used to investigate websites or web forums of interest (Black Hole Analytics, 8). INFINITEMONKEYS was an events-based QFD and was used to determine if targets had VBulletin accounts, who used particular VBulletin forums, or where the members of a forum were based (Blazing Saddles, 2). The database stored data for 6 months at one point, and used 0.02 TB of data (Data Stored in BLACK HOLE, 2).

INJUNCTION – This covername refers to a type of IP data (HIMR Data Mining Research Problem Book, 83).

INSIGHT – This covername refers to an account used to access information on CAWiki, which was where GCHQ’s Technical Enabling Covert Access (TECA) Product Centre publishes information of its activities (Reverse Engineering, 2).

INSPECTOR – This was a fully operational collection tool created by JTRIG. The covername refers to a tool for monitoring domain information and site availability (JTRIG tools and techniques, 3).

INSTINCT – This covername refers to a “UK government project to use data mining for counter-terrorism, led out of the Home Office.” INSTINCT organized other activities too, such as “a public competition on ways of fusing data streams.” INSTINCT also sponsored UKVAC (HIMR Data Mining Research Problem Book, 43).

INTEGERSPIN – This covername refers to a Question Focused Dataset (QFD) that was previously known as Evolved GEOFUSION (Source: Mobile Apps — Checkpoint meeting Archives).

INTERACTION (OP INTERACTION) – This covername refers to a Network Analysis Centre (NAC) operation event focused on developing in-depth knowledge of mobile gateways (Mobile Networks in My NOC World, 7).

IRASCIBLEEMITT

IRASCIBLEHARE (IRASCIABLEHARE) – This covername refers to a Question Focused Dataset (QFD) that entailed analyzing or collecting data on GPRS Roam Exchange (GRX) operators who transmitted data over VPNs (2nd SCAMP at CSEC, 1).

IRASCIBLEMOOSE

IRASCIBLERABBIT (IRASCIABLERABBIT)

INTERSTELLARDUST – This covername refers to an Interface Control Document (ICD), and was capable of covering GTDI (presence events) from: MUTANT BROTH, AUTO ASSOC, MARBLED GECKO, KARMA POLICE, HRMap, MEMORY HOLE, INFINITE MONKEYS, SOCIAL ANIMAL, AUTO TDI, and SAMUEL PEPYS (Event (SIGINT), 4).

IRONHAND – Used to manage the lifecycle of, and store, Communications Data requests (Cyber Defence Operations Legal and Policy, 10).

IRONINGBOARD

IVE

J

JACKNIFE – This covername refers to a Cross Access Regional Development (CARD) Comsat site that was used by the APPARITION system. JACKNIFE was located in the west coast of the USA (APPARITION/GHOSTHUNTER Tasking Info, 1).

JACKPOT

JANET

JAZZFUSION – This was an implementation-stage engineering tool created by JTRIG. The covername refers to a BOMBAYROLL replacement, which will also incorporate new collectors (JTRIG tools and techniques, 2).

JAZZFUSION+ – This was an in-design engineering tool created by JTRIG. The covername refers to a sub-system of JAZZFUSION (JTRIG tools and techniques, 2).

JEDI – This was an analysis tool created by JTRIG. The covername refers to pods that will be deployed to all members of an Intelligence Production Team. As of July 2012 the challenge was to scale up to over 1,200 users whilst remaining agile, efficient, and responsive to customer needs (JTRIG tools and techniques, 7).

JILES – This was an analysis tool created by JTRIG. The covername refers to a JTRIG bespoke web browser (JTRIG tools and techniques, 7).

JTRIG RADIANTSPLENDOUR – This was classified as an operational engineering tool used by JTRIG, and operated as a data diode connecting the CERBERUS network with GCNET (JTRIG tools and techniques, 2).

K

KACHINA – This covername refers to a multi-year effort by Sandia National Lab in the US, which includes the Questa project to look at large graph processing for defence analysis (HIMR Data Mining Research Problem Book, 49).

KARMAPOLICE – This covername refers to a Question Focused Dataset (QFD) (Black Hole Analytics, 6). This metadata-focused database (Next Generation Events, 5) retained Target Description Identifiers (TDIs) and HTTP GET and POST requests. TDIs had a type (e.g. Yahoo-Y-cookie) and a value (e.g. tom123@yahoo.com) (Black Hole Analytics, 7). In other words, KARMAPOLICE held information about which TDIs had been seen at approximately the same time, and from the same computer, as visits to websites (GCHQ Analytic Cloud Challenges, 5). The database was used to investigate websites or web forums of interest (Black Hole Analytics, 8) by collecting information about which TDIs had been seen at approximately the same time, and from the same computer, as visits to websites (Blazing Saddles, 2). The database retained 3 months of data at one point, which used 6.8 TB of space. If data retention was extended to 6 months the data usage was estimated at 13.6 TB (Data Stored in BLACK HOLE, 2). The QFD was used to answer the questions: “Which websites your target visits, and when/where those visits occurred? Who visits suspicious websites, and when/where those visits occurred? Which other websites are visited by people who visit a suspicious website? Which IP address and web browser were being used by your target when they visited a website?” (GCHQ Analytic Cloud Challenges, 5).

KENNINGTON

KEYCARD

KITCHENSINK

KNIME

KOALAPUNCH – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).

L

LABORO

LADYLOVE – This covername refers to a Cross Access Regional Development (CARD) Comsat site that was used by the APPARITION system. LADYLOVE was located in Misawa, Japan (APPARITION/GHOSTHUNTER Tasking Info, 1).

LANDINGPARTY – This was a fully operational collection tool created by JTRIG. The covername refers to a tool for auditing dissemination of VIKINGPILLAGE data (JTRIG tools and techniques, 3).

LARKSPUR

LAUGHINGHYENA – This covername refers to a Question Focused Dataset (QFD) that the Next Generation Events (NGE) group used to converge different events (Next Generation Events, 6).

LECKWITH – This refers to a GCHQ processing centre (similar to Bude and Cheltenham), which was also known as OPC-1 (HIMR Data Mining Research Problem Book, 9).

LIGHTWOOD – This extracted email addresses from any character stream, including those that appear to be email addresses but are not for open Internet resolution (e.g. better@management). It also had additional email and URL detection capabilities that standard regular expression extraction rules lack (PullThrough Steering Group Meeting #16, 2-3).

LITTLE – A party with whom GCHQ was attempting to develop a ‘relationship’ for access to communications (Supporting Internet Operations, 8).

LLANDARCYPARK – This refers to a research server that provided ICTR with a bulk data download capability (PCS harvesting at scale, 7).

LOCHNVAR – This covername refers to a project designed to migrate circuit-based intercept from existing (circuit-switched) handover to a NHIS 2 handover (PRESTON Architecture (Version 3.0), 24).

LONGSHOT – This was a shaping and honeypots capability created by JTRIG. The covername refers to a file uploading and sharing website (JTRIG tools and techniques, 8).

LOOKINGGLASS – This was a client platform that facilitated rich visualization of some Question Focused Datasets (QFD) (GCHQ Analytic Cloud Challenges, 11).

LOVELYHORSE – This covername refers to unstructured datasets associated with open source information for cyber defence. Such datasets included twitter.com (Open Source for Cyber Defence/Progress, 1-2).

LUCKYSTRIKE

LUMP – This was a techniques capability created by JTRIG. The covername refers to a system that finds the avatar name of a SecondLife AgentID (JTRIG tools and techniques, 8).

LUNARHORNET

LUSTRE – This covername refers to a datasource for SOCIAL ANTHROPOID that drew data from North Africa (Events Product Centre, 26).

LUTEUSICARUS – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and was incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).

M

MAD

MADFORGE

MAGLITE

MAGNUMOPUS – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and was incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).

MAILORDER – This covername refers to the system which was used by GCHQ to transfer data into other Five Eyes’ agencies data repositories (What is HACIENDA?, 7).

MAINWAY – This was an NSA database used for contact chaining (Events (SIGINT), 3). See NSA covernames.

MAINWAY II – This was an event source for IMMINGLE (Events Product Centre, 4).

MAMBA – This covername refers to a visual analytics tool that was being developed in partnership with Detica in 2011 (HIMR Data Mining Research Problem Book, 38).

MAMBOOKIE

MARBLEPOLLS – This covername refers to a database used to enrich events. The database contained vulnerabilities-related data (The Tale of Two Sources, 39).

MARBLEDGECKO – This covername refers to a Question Focused Dataset (QFD) (Black Hole Analytics, 6). The database was used to find out who had been looking at what on Google Earth (Black Hole Analytics, 8) by combining the content of MARBLED GECKO with data contained in MUTANT BROTH (Blazing Saddles, 2-3).

MARINA – See NSA covernames.

MARMION – This covername refers to a legacy circuit switched and line access solution (PRESTON Architecture (Version 3.0), 5).

MARVALICE

MASTERSHAKE – See NSA covernames.

MEMORYHOLE – This covername refers to a Question Focused Dataset (QFD) (Black Hole Analytics, 6). The content-focused database (Next Generation Events, 5) was used to find out who had been searching the web, and for what (Black Hole Analytics, 8), though was focused exclusively on Google-based searches. When combined with data in MUTANT BROTH the specific users who ran searches could be identified (Blazing Saddles, 3). The database retained 0.5 months of data at one point, which consumed 0.6 TB of data. The GCHQ estimated that extending the retention period to 6 months would cause the database to use 7.2 TB of data (Data Stored in BLACK HOLE, 2).

MERAPEAK

MERIONZETA – The covername for Belgacom (CNE Access to BELGACOM GRX Operator Snippet 2).

MERLOT

MESME

METEORSHOWER

MIDDLEMAN – This was an analysis tool created by JTRIG. The covername refers to a distributed real-time event aggregation, tip-off, and tasking platform used by JTRIG as a middleware layer (JTRIG tools and techniques, 7).

MIDDLESEXGREEN – This is a business process that must be fulfilled prior to receiving authorization to task either SSOs or particular 10G lines that the GCHQ had access to (Source: Mobile Apps – Checkpoint meeting Archives, 9). When considering a warrant for interception in the PRESTON business process, a collection request form known as MIDDLESEXGREEN would be prepared for submission (PRESTON Business Processes 1.0, 8).

MILKWHITE – This covername refers to a target enrichment service, sometimes referred to as the MILKWHITE Enrichment Service (MES), that was designed to help non-GCHQ agencies identify IP selectors for their targets (MILKWHITE Enrichment Service (MES) Programme, 1).

MINIATUREHERO – This was a fully operational collection tool created by JTRIG, though there were usage restrictions on its operation as of July 2012. The covername refers to an active Skype capability that provisioned real-time call records (SkypeOut and Skype-to-Skype) and bidirectional instant messaging, as well as contact lists (JTRIG tools and techniques, 4).

MIRAGE – This comprised data that had generally been selected by electronic attack signature. It was stored in XKS and retained for 30 days (Cyber Defence Operations Legal and Policy, 4).

MOBILEHOOVER – This was a forensic exploitation capability created by JTRIG. The covername refers to a tool to extract data from field forensics reports created by Celldek, Cellebrite, XRY, Snoopy, and USIM detective. These reports were transposed into a NEWPIN XML format to be uploaded to NEWPIN (JTRIG tools and techniques, 7).

MOLTENMAGMA – This was a shaping and honeypots capability created by JTRIG. The covername refers to a CGI HTTP Proxy with the ability to log all traffic and perform HTTPS man-in-the-middle (JTRIG tools and techniques, 8).

MONACO – This covername refers to a delivery network used by the PRESTON system to send data from leased telecommunication lines to narrowband processing systems (PRESTON Architecture (Version 3.0), 25).

MONKEYPUZZLE – Involved in ingesting mobile selectors (Mobile Apps — Checkpoint meeting Archives).

MONOPOLY – Retained special source events (Demystifying NGE Rock Ridge, 5).

MONTEVISTA – This covername refers to the “analyst notebook” used by some GCHQ analysts, and which let them visualize information that had been collected (Review of VisWeek 2008, 4).

MOONPENNY – This covername refers to a Cross Access Regional Development (CARD) Comsat site that was used by the APPARITION system. MOONPENNY was located in Menwith Hill Station (APPARITION/GHOSTHUNTER Tasking Info, 1).

MOONRAKER

MOOSEMILK – This covername refers to a data mining algorithm that detected suspicious use of telephone kiosks in the UK (PullThrough Steering Group Meeting #16, 2).

MOUNTMCKINLEY – This covername refers to a Linux compute cluster which was available from VALHALLA. It had few user tools available, and was thus best suited to running compiled code. It was also used for operational processing, so researchers had to abide by conventions around HIMR’s use of the cluster (HIMR Data Mining Research Problem Book, 66).

MOUTH – This was a collection tool created by JTRIG which was fully operational as of July 2012. The covername refers to a tool for collecting and downloading a user’s files from Archive.org (JTRIG tools and techniques, 4).

MUGSHOT – This covername refers to a project to automate the detection of vulnerabilities in networks which were designated for being targeted using computer network exploitation (CNE) activities, as well as vulnerabilities in all machines which were connected to the Internet (Finding Orbs, 4).

MURPHYSLAW – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and was incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).

MUSCULAR – This refers to a GCHQ special source location where access to Google’s conduits was gained (TEMPORA — “The World’s Largest XKEYSCORE” — Is Now Available to Qualified NSA Users, 2, and Gellman, Dark Mirror, 305). MUSCULAR functioned despite preexisting NSA access to Google through PRISM (Gellman, Dark Mirror, 306). Some data flows from MUSCULAR were diverted through the NSA’s TURMOIL processing system (Gellman, Dark Mirror, 305).

MUSTANG – This was a fully operational collection tool created by JTRIG. The covername refers to a means of providing covert access to the locations of GSM cell towers (JTRIG tools and techniques, 4).

MUTANTBROTH – This database retained all Target Description Identifiers (TDIs) in bulk (Target Detection Identifiers, 14). TDIs had a type (e.g. Yahoo-Y-cookie) and a value (e.g. tom123@yahoo.com) (Black Hole Analytics, 7). The database was used to create a profile of a target’s activities (Black Hole Analytics, 8) by correlating it with a range of other Question Focused Datasets (QFDs) (Blazing Saddles, 1-4). At one point, the database retained 4 months’ worth of data, which amounted to 7.7 TB of data. Extending retention to 6 months was estimated to use 11.55 TB of space (Data Stored in BLACK HOLE, 2). Information in MUTANTBROTH included presence events (Event (SIGINT), 4). When used to assist in targeting Belgacom for OP SOCIALIST, MUTANTBROTH was used to identify TDIs/selectors coming from previously identified ranges and proxies (Mobile Networks in My NOC World, 14).

MWX – This covername refers to a database used to enrich events. The database contains malware-related data (The Tale of Two Sources, 39 & Cyber Defence Operations Legal and Policy, 4).

MYOFIBRIL

N

NAMEJACKER – This was a workflow management tool created by JTRIG. The covername refers to a web service and administration console for the translation of usernames between networks. This was to be used with gateways and similar technologies (JTRIG tools and techniques, 6).

NEOPUDDING

NETPLATE – Included multiple data types, which were to be disclosed publicly to GCHQ when the program reached a releasable state (Open Source for Cyber Defence/Progress, 1).

NEVIS – This was a forensic exploitation capability created by JTRIG. The covername refers to a tool developed by NTAC to search disk images for signs of possible encryption products. CMA had further developed this tool to look for signs of steganography (JTRIG tools and techniques, 7).

NEXUS – This was a BSS desktop (Mobile Networks in My NOC World, 3).

NEWPIN – This was a database created by JTRIG. The covername refers to a database of C2C identifiers obtained from a variety of unique sources, and a suite of tools for exploring this data (JTRIG tools and techniques, 7).

NIGH

NIGHTCRAWLER – This was a shaping and honeypots capability created by JTRIG. The covername refers to a public online group against dodgy websites (JTRIG tools and techniques, 8).

NOCTURNAL SURGE – This covername refers to a GCHQ tool that was used to identify Network Operation Centres (Automated NOC Detection).

NORWALK

NOSEYSMURF – This covername was for an iPhone-specific plugin that GCHQ used to activate the mic on the phone (Capability – iPhone).

NUBILO – The covername refers to a method of changing the outcome of online polls (JTRIG tools and techniques, 6).

NUTALLERGY – This was a pilot engineering tool created by JTRIG. The covername refers to the JTRIG Tor web browser, which entailed a sandboxed Internet Explorer replacement and FRUITBOWL subsystem (JTRIG tools and techniques, 2).

O

OBERON

OB DEVICE

OLYMPIA – See CSE covernames.

OPULENTPUP (OPULANTPUP) – This refers to a project requirement pertaining to GCHQ’s mobile wireless interception capability. This capability had been designed to target A5/1 communications and had to be updated to intercept and decrypt A5/3 GSM wireless communications (A5/3 crypt attack proof-of-concept demonstrator (snippet)).

ORBFINDER – This program was used to identify potential candidate Operational Relay Boxes (ORBs) for use in CNE active network exploitation activities. Such activities provided a richer picture of end-systems and thus reduced CNE’s operational footprint by focusing attention on candidates that met particular sets of criteria (PullThrough Steering Group Meeting #16, 2).

OUTWARD – This was an analysis tool created by JTRIG. The covername refers to a collection of DNS lookup, WHOIS lookup, and other network tools (JTRIG tools and techniques, 7).

OVAL – This covername refers to a list for NDR to feed into HIDDEN SPOTLIGHT (Open Source for Cyber Defence/Progress, 1).

OVERHEAD

OVERLIT

P

PACMAN

PARANOIDSMURF – This covername is for an iPhone-specific plugin that the GCHQ used to employ self-protection, presumably of the SMURF-malware family (Capability – iPhone).

PAWLEYS – This covername refers to an ECI that was used, in part, to protect the technical and operational details associated with BULLRUN (BULLRUN, 6).

PEBBLEDBED

PECTASE

PENSIVEGIRAFFE – This covername refers to a cyber defence analyst portal that was used by analysts to group and summarize events to increase efficiency and capability (NDIST 5-a-day, 1).

PENTAHO – This was used by GCHQ and CSE alike. The CSE used it for tradecraft modelling (Automated NOC Detection, 9). See CSE covernames.

PHOTONTORPEDO – This was an operational collection tool created by JTRIG, but that had some usage restrictions. The covername refers to a technique to actively grab the IP address of an MSN messenger user (JTRIG tools and techniques, 4).

PIA

PICARESQUE – This covername refers to an ECI that was used, in part, to protect the technical and operational details associated with BULLRUN (BULLRUN, 6).

PIGSEAR

PILBEAM – Superseded by HAUSTORIUM (Event (SIGINT), 4).

PINNAGE – A party with whom GCHQ was attempting to develop a ‘relationship’ for access to communications (Supporting Internet Operations, 8).

PIRATECAREBEAR – This covername refers to a tool for visualizing SIGINT events and was used to produce plots for pattern-of-life analysis (HIMR Data Mining Research Problem Book, 38).

PISECGIAS

PISTRIX – This was a shaping and honeypots capability created by JTRIG. The covername refers to an image hosting and sharing website (JTRIG tools and techniques, 8).

PITBULL – This was an effects capability tool created by JTRIG that was in development. The covername refers to the capability for enabling large scale delivery of a tailored message to users of instant messaging services (JTRIG tools and techniques, 5).

PLANE

PODRACE – This was an in-design engineering tool created by JTRIG. The covername refers to JTRIG’s MS update farm (JTRIG tools and techniques, 2).

POISONARROW – This was a design-stage engineering tool created by JTRIG. The covername refers to safe malware download capacity (JTRIG tools and techniques, 2).

POISONEDDAGGER – This is an effects capability tool created by JTRIG. The covername refers to effects against Gigatribe. It was built by ICTR and deployed by JTRIG (JTRIG tools and techniques, 5).

POKERFACE – Used to task either SSOs or particular 10G lines that GCHQ had access to (Source: Mobile Apps – Checkpoint meeting Archives, 8).

PORRIDGE

PORUS – This covername was for an iPhone-specific plugin that GCHQ used to ensure kernel stealth on the device, presumably for the SMURF-malware or exploit family (Capability – iPhone).

POSITIVEPONY – This covername refers to a database that linked IP addresses to companies and sector mappings (Open Source for Cyber Defence/Progress, 1).

PPF

PREDATORSFACE – This was an effects capability tool created by JTRIG. The covername refers to targeted denial of service attacks against web servers (JTRIG tools and techniques, 6).

PRESTON – This covername refers to the process whereby a UK service provider was compelled by warrant, signed by the Home Secretary or Foreign Secretary, to provide the GCHQ with the communications data for a specific line or account for a specified time. It was also referred to as lawful intercept and warranted collection (HIMR Data Mining Research Problem Book, 9). PRESTON collection covered fixed and mobile communications, as well as voice and data, and as of July 2007 the GCHQ was one of 8 UK intelligence and law enforcement agencies who conducted this type of collection (PRESTON Architecture (Version 3.0), 5).

PRESTON4

PRESTONOPS (CALDWELL PARK) – This was the tasking manager for the PRESTON system (PRESTON Business Processes 1.0, 21).

PRIMATE – This was an analysis tool created by JTRIG. The covername refers to a JTRIG tool that aimed to provide the capability to identify trends in seized computer media and metadata (JTRIG tools and techniques, 7).

PRIMETIME – This covername refers to an algorithm that was used to look for cross-media timing chains (PullThrough Steering Group Meeting #16, 2). In 2011 it was being developed by Detica for the Streaming Analysis team in ICTR (HIMR Data Mining Research Problem Book, 27).

PRIMORDIALSOUP

PROBABILITYCLOUD – Used for handset geo-association scoring (“ICTR Cloud Efforts”, 7).

PROSPERO – This covername refers to a method of distributing reports (Intrusion Analysis/JeAC, 1).

PROVE

PSOUP

PSOUPALERT

PSYCHICSALMON – This covername refers to a type of IP data (HIMR Data Mining Research Problem Book, 83).

PUBLICANEMONE – Contained geolocation based on web-based map searches (GCHQ Analytic Cloud Challenges, 10).

Q

QUANTUM – QUANTUM was a tool designed by the NSA. GCHQ documents reveal that LinkedIn and Slashdot selectors were used to target QUANTUM for OP SOCIALIST (Mobile Networks in My NOC World, 14). See NSA covernames.

QUANTUMINSERT (QI) – The QUANTUM family of tools were designed by the NSA. GCHQ documents reveal that QI’s capacity was enhanced to allow shots on LinkedIn and to allow ‘white listing’ when shooting on proxies (Mobile Networks in My NOC World, 14). See NSA Covernames.

QUINCY (QUINCEY) – This was a database created by JTRIG. The covername refers to an enterprise level suite of tools for the exploitation of seized media (JTRIG tools and techniques, 7).

QUITO (OP QUITO) – This covername refers to an effects operation to support the Foreign and Commonwealth Office (FCO) and that Office’s goals relating to Argentina and the Falkland Islands (JTRIG Operational Highlights, August 2009).

R

RADONSHARPEN-B – This covername refers to a method used, in tandem with GeoFusion, to combine country labels and confidences from multiple sources to come up with a decision for an IP address’s country (HIMR Data Mining Research Problem Book, 21).

RAGINGBULLFROG – This covername refers to a type of IP data (HIMR Data Mining Research Problem Book, 83).

RANA – This was a techniques capability created by JTRIG. The covername refers to a system developed by ICTR-CISA which provided CAPTCHA-solving via a web service on CERBERUS. This was intended for use by BUMPERCAR+ and possibly by SHORTFALL in the future, though anyone was welcome to use it (JTRIG tools and techniques, 8).

RAPIDTAPIR

RAPTOR – This covername refers to an analytics platform (not a bulk store) used for data import from customer systems (Review of Visweek, 12). The RAPTOR federator made it possible to set up persistent stored queries against data sources, which could return data as it appeared on underlying systems (Review of Visweek 2008, 11).

REAPER – This was an operational engineering tool created by JTRIG. The covername refers to the CERBERUS to GCNET import gateway interface system (JTRIG tools and techniques, 2).

REFORMER

REFRIEDCHICKEN – A database of passively intercepted WHOIS records, searchable by any word in the record, which came into existence after February 2011 (Open Source for Cyber Defence/Progress, 1).

REMEDY

REPORTAL

RESERVOIR – This was a fully operational collection tool created by JTRIG that had some usage restrictions. The covername refers to a Facebook application that allowed for the collection of varying information (JTRIG tools and techniques, 4).

ROADBED – See NSA covernames.

ROBOTICFISH – This covername refers to a type of IP data (HIMR Data Mining Research Problem Book, 83).

ROCKOPERA

ROCKRIDGE – This covername refers to Next Generation Events’ (NGE) efforts to integrate Question Focused Datasets (QFDs) into the NGE program, such as SAMUEL PEPYS and CAFFEINE HIT (Next Generation Events, 6).

ROLLINGTHUNDER – This was an effects capability tool created by JTRIG. The covername refers to distributed denial of service attacks using P2P. It was built by ICTR and deployed by JTRIG (JTRIG tools and techniques, 6).

ROUGHDIAMOND

ROYALCONCIERGE – This covername refers to a system that exploits the messages hotels send to customers reminding them about forthcoming reservations and sends notices of ‘hard targets’ messages to analysts (Full-Spectrum Cyber Effects: SIGINT Development as an enabler for GCHQ’s “Effects” mission, 8).

ROYALMANTLE

RUFFLE

RUFIS – This covername refers to a system which, in tandem with WHAMI Fast Image, was used to target specific areas of interest and produce GSM tower data with high quality metadata unique to the tower. RUFIS was used as part of the DYMO prototype tool (Site Updates (OPA-MHS-[REDACTED]), 1).

RUMOURMILL – This covername refers to a dashboard available to GCHQ analysts that let them prioritize new work as it arrived from customers by quickly determining what the GCHQ already knew about a given question/request from a customer. Moreover, this tool was meant to enable analysts to monitor existing work, to spot when something happened that would change their priorities. Many of the questions were derived from cloud-based analytics that ran each day against the current identifier list(s) (GCHQ Analytic Cloud Challenges, 12). RUMOURMILL was used during the 2012 Olympics in the context of information sharing with the NSA (NSA – Identifier Lead Triage with ECHOBASE, 12).

S

SALAMANCA – Held (legacy) VoIP events in telephony form. Received such events from TERRAIN (PRESTON Architecture (Version 3.0), 22). It was due to be subsumed into SOCIAL ANTHROPOID (Event (SIGINT), 3). It was used to retain metadata, and accessing this information did not require authorization when querying individuals in the UK. However, searches were logged and audited to ensure proportionality and necessity (Events Analysis – SALAMANCA, HAUSTORIUM, THUGGEE, IMMINGLE). Data types collected included: timestamp and callLength along with identifiers, such as dialledNumber, dialledNumberNorm, callerID, and callerIDNorm. Other identifiers included IMSI, IMEI, MSISDN (HIMR Data Mining Research Problem Book, 69).

SALTYOTTER – The cover name for a prototype of efforts—which, in February 2008 was seeking PullThrough Steering Group (PTSG) approval—to use a better algorithm for identifying cross-media timing patterns (e.g. a telephone call triggers a chat event). Specifically, SALTYOTTER involved the B17 technique that incorporated the CLASP algorithm, as opposed to the less general, but popular PRIME TIME algorithm (PullThrough Steering Group Meet #16, 1-2).

SAMBOK – Held Geo events. Received such events from TERRAIN (PRESTON Architecture (Version 3.0), 22).

SAMDYCE – Held SMS content, at least some of which was from TERRAIN (PRESTON Architecture (Version 3.0), 22). It was also an event source for IMMINGLE (Event Product Centre, 4).

SAMREF

SAMUELPEPYS – A Question Focused Dataset (QFD) (Black Hole Analytics, 6) that was designed to correlate near real-time presence alerting (GCHQ Analytic Cloud Challenges, 3). The database was used to find out what was happening in real time (Black Hole Analytics, 9) by fusing all available traffic (content and events) in one place so that answers could be derived based on all of the available traffic that it contained (Blazing Saddles, 3). This included HTTP Host URI as well as FTP information (Event (SIGINT), 4).

SANDIA

SAXLINGHAM

SCAPEL – This covername is prefaced with “KESSE” in “Operational Legalities” (35).

SCARLETEMPEROR – This was an effects capability tool created by JTRIG that was ready to fire as of July 2012. The covername refers to targeted denial of service against a target’s phone via call bombing (JTRIG tools and techniques, 6).

SCRAPHEAPCHALLENGE – This was an effects capability tool created by JTRIG that was ready to fire as of July 2012 but subject to constraints. The covername refers to perfecting spoofing of emails from Blackberry targets (JTRIG tools and techniques, 6).

SCREAMINGEAGLE – This was an analysis tool created by JTRIG. The covername refers to a tool that processes kismet data into geolocation information (JTRIG tools and techniques, 7).

SEBACIUM – This was a collection tool created by JTRIG. The covername refers to an ICTR-developed system that was meant to identify P2P file sharing activity of intelligence value. Logs were accessible via DIRTYRAT (JTRIG tools and techniques, 4).

SEPANG – This covername refers to a Linux compute cluster available to HIMR researchers. It was expected to be decommissioned soon (as of late 2011) and was firewalled from the rest of the GCHQ network and, thus, lacked easy access to data sources described in the HIMR Data Mining Research Problem Book. However, it did have a wide range of user tools installed and was reserved for HIMR’s sole use (HIMR Data Mining Research Problem Book, 66).

SERPENTSTONGUE – This was an effects capability tool created by JTRIG that was in redevelopment. The covername refers to a means of fax message broadcasting to multiple numbers (JTRIG tools and techniques, 6).

SHADOWCAT – This was a techniques capability created by JTRIG. The covername refers to end-to-end encrypted access to a VPS over SSH using the Tor network (JTRIG tools and techniques, 8).

SHAREDQUEST – A COMSAT programme that followed SHAREDVISION; a part of it was focused on antenna command and control in order to reduce the total cost of ownership of COMSAT assets while supporting and expanding missions and addressing the emergence of new technologies (COMSAT SNIPPET). This covername further encompassed the DARKQUEST and FALLOWHAUNT projects or programs (GCSB Update 21 March 2012, 12-13). See GCSB covernames.

SHAREDVISION (SV) – A COMSAT architecture modernization programme amongst the Five Eyes that came to an end before July 2010. It explicitly did not address antenna modernization (COMSAT SNIPPET).

SHARKQUEST

SHAREOWN

SHORTFALL – The covername refers to data that was drawn from open source into GCNet (The Tale of Two Sources, 22).

SHORTSHEET – This covername refers to an exploitation server run by the Joint CNE/TECA Mobile Exploitation Team. Targets were redirected to this server after being targeted by QUANTUM tipping; it is likely a GCHQ alternate covername for FOXACID servers (iPhone target analysis and exploitation with unique device identifiers, 6).

SILENTMOVIE – This was an effects capability tool created by JTRIG that was ready to fire as of July 2012. The covername refers to a targeted denial of service against SSH services (JTRIG tools and techniques, 6).

SILVERBLADE – This was an effects capability tool created by JTRIG that was ready to fire as of July 2012. The covername refers to reporting of extremist material on DAILYMOTION (JTRIG tools and techniques, 6).

SILVERFOX – This was an effects capability tool created by JTRIG that was ready to fire as of July 2012. The covername refers to a list provided to industry of live extremist material files found on Free File Upload (FFU) sites (JTRIG tools and techniques, 6).

SILVERLINING

SILVERLIBRARY – This was a library of Hadoop parsers, writables and other utility classes to simplify development of MapReduce analytics in Java (HIMR Data Mining Research Problem Book, 65).

SILVERLORD – This was an effects capability tool created by JTRIG that was ready to fire as of July 2012. The covername refers to the disruption of video-based websites which hosted extremist content through concerted targeted discovery and content removal (JTRIG tools and techniques, 6).

SILVERSPECTOR – This was a collection tool created by JTRIG that was in development as of July 2012. The covername refers to a tool that allows batch Nmap over Tor (JTRIG tools and techniques, 4).

SIMMER

SKYSCRAPER – This was an effects capability tool created by JTRIG that was ready to fire as of July 2012. The covername refers to the production and dissemination of multimedia via the web in the course of information operations (JTRIG tools and techniques, 6).

SLAMMER – This was an analysis tool created by JTRIG. The covername refers to a data index and repository that provided analysts with the ability to query data collected from the Internet from various JTRIG sources, such as EARTHING, HACIENDA, web pages saved by analysts, etc. (JTRIG tools and techniques, 7).

SLIDE – This covername refers to the exploit the GCHQ used in 2010 against iPhones to subsequently implant WARRIORPRIDE. The exploit was likely the open-source PDF vulnerability that the GCHQ was using against iOS Safari clients at the time (iPhone target analysis and exploitation with unique device identifiers, 8).

SLIPSTREAM – This was an effects capability tool created by JTRIG that was ready to fire as of July 2012. The covername refers to the ability to inflate pageviews on websites (JTRIG tools and techniques, 6).

SMOKINGSADDLES

SNICK – A GCHQ COMSAT access location (COMSAT SNIPPET).

SNOOPY – This was a forensic exploitation capability created by JTRIG. The covername refers to a tool to extract mobile phone data from a copy of the phone’s memory (usually supplied as an image extracted through FTK) (JTRIG tools and techniques, 7).

SOCIALANIMAL – This covername refers to a Question Focused Dataset (QFD) (Black Hole Analytics, 6). The metadata-focused database (Next Generation Events, 5) was used to develop a social network (Black Hole Analytics, 8) by determining how users interacted with one another, and with pictures, files, and video on the Internet (Blazing Saddles, 3-4). At one point, the database stored data for 1 month and used 1.6 TB of space. The GCHQ estimated that extending the retention period to 6 months would lead to the database consuming 9.6 TB of space (Data Stored in BLACK HOLE, 2).

SOCIALANTHROPOID (SOC ANTH) – Involved in ingesting social networking site activity (Target Detection Identifiers, 14), including Facebook Events (Source: Mobile Apps — Checkpoint meeting Archives). More broadly, it was a converged communications database that let analysts understand who their targets had communicated with using telephony and internet-based communications. More specifically, data accessible to SOCIAL ANTHROPOID included: SALAMANCA information, SOCIAL ANIMAL information, instant messenger, webmail, SIP and H323 VOIP and Yahoo! Voice, Blackberry, MMS, SMS, GTP (GPRS Session set ups), SMTP, POP3, and IMAP data (Social Anthropoid). This Question Focused Dataset (QFD) was designed to subsume SOCIAL ANIMAL, and replaced HAUSTORIUM (Blazing Saddles, 4). The QFD answered the questions: “What communications your target is engaged in? Who has your target been communicating with? What communications have occurred using a particular locator, such as an IP address or cellular tower?” (GCHQ Analytic Cloud Challenges, 5).

SOCIALIST (OP SOCIALIST) – This covername refers to a Network Analysis Centre (NAC) operation focused on exploitation of a GRX operator (Mobile Networks in My NOC World, 7). A core focus of this was to enable Computer Network Exploitation (CNE) access to Belgacom; after compromising its GRX routers, the GCHQ intended to undertake Man-in-the-Middle (MITM) operations against targets roaming on smartphones while also expanding the NAC’s breadth of knowledge about GRX operators (Mobile Networks in My NOC World, 9). Ultimately, after identifying engineering and support staff and targeting them with QUANTUM INSERT, the GCHQ successfully achieved CNE access: this meant the agency could further target Belgacom staff, expand internal CNE access throughout the Belgacom network with the ultimate goal of implanting GRX routers, and better understand Belgacom’s network, credentials assigned to staff, and identification of different staff and their associated roles (Mobile Networks in My NOC World, 20).

SOCIALIST II (OP SOCIALIST II) – An operation undertaken by the Network Analysis Centre alongside Crypt Ops to identify the extent of opportunity provided by OP SOCIALIST (CNE Access to BELGACOM GRX Operator Snippet 3).

SODAWATER – This was a collection tool created by JTRIG, fully operational as of July 2012. The covername refers to a tool for regularly downloading Gmail messages and forwarding them onto CERBERUS mailboxes (JTRIG tools and techniques, 4).

SOLARSHOCK116 – See NSA Covernames.

SOLIDINK – This covername refers to a telephony dataset containing three weeks of telephony records from 2007, as seen from billing records. There were 2.7 billion events involving 74 million numbers. Data was anonymized for legal reasons. The INK dataset had four fields: timestamp, user-1, user-2, and a number (HIMR Data Mining Research Problem Book, 73-74).

SORCERER

SOSTRUM

SOUNDER – A GCHQ COMSAT access location (COMSAT Snippet) that the NSA provided 50% of the funding for (Cyprus Snippet, 1). This covername is prefaced with “KESSE” in “Operational Legalities” (35).

SPACEROCKET – This was a techniques capability created by JTRIG. The covername refers to a programme covering insertion of media into target networks. CRINKELCUT was a tool developed by ICTR-CISA to enable JTRIG to track images as part of SPACEROCKET (JTRIG tools and techniques, 8).

SPAY – An XKEYSCORE data type that included Information Assurance (IA) metadata. This data was selected by electronic attack signature and was derived from the GORDIAN KNOT, XKS, and Content Cloud Repositories. SPAY data was retained for 6 months, though under RIPA it was defined as ‘communications data’ and thus could be held for up to 2 years. Under XKS, in contrast, it could only be retained for 6 months (Cyber Defence Operations Legal and Policy, 3). SPAY data could be provided to defence contractors at unclassified locations in response to China’s efforts to ‘hunt’ intelligence secrets (The Tale of Two Sources, 20).

SPICEISLAND – This was a developmental engineering tool created by JTRIG. It was described as new infrastructure as of 2012; FORESTWARRIOR, FRUITBOWL, JAZZFUSION and other JTRIG systems formed part of the SPICE ISLAND infrastructure (JTRIG tools and techniques, 2).

SPIKYROCK

SPRINGBISHOP – This was a collection tool created by JTRIG. The covername refers to a way of finding private photographs of targets on Facebook (JTRIG tools and techniques, 4).

SQUEAKYDOLPHIN – This program was designed to provide broad real-time monitoring of online activities, such as YouTube video views, URLs ‘Liked’ on Facebook, or Blogger/Blog visits. It relied on passive collection that used streaming analytics via DISTILLERY to provide a real-time dashboard of activities (Psychology: A New Kind of SIGDEV, 27).

SQUEAL – This was SIGINT data that had been selected by electronic attack signature, and was stored in XKS. Such data was retained for 30 days (Cyber Defence Operations Legal and Policy, 4). Some of this information could not be shared to other Five Eyes partners (Cyber Defence Operations Legal and Policy, 14).

STARGATE (SG) – This was an NSA CNE-related program (STARGATE CNE Requirements). See NSA covernames.

STARGATEROADMAP

STARPROC – See NSA covernames.

STEALTHMOOSE – This was an effects capability tool created by JTRIG that was ready to fire as of July 2012, subject to restrictions. The covername refers to a tool that would disrupt a target’s Windows machine. It generated logs of how and when the effect was active (JTRIG tools and techniques, 6).

STERLINGMOTH

STRAIN

SUNBLOCK – This was an effects capability tool created by JTRIG that was tested but subject to operational limitations. The covername refers to an ability to deny functionality to send or receive email, or view material online (JTRIG tools and techniques, 6).

SUNSTORM – This covername refers to the Cheltenham events cluster; it was the largest such cluster available to HIMR (HIMR Data Mining Research Problem Book, 61).

SUPERDRAKE

SUPPORTING INO

SWAMP – This refers to a two-month long extended workshop, usually on two topics of high importance, to HIMR researchers (HIMR Data Mining Research Problem Book, 51).

SWAMPDONKEY – This was an effects capability tool created by JTRIG that was ready to fire as of July 2012, though subject to target restrictions. The covername refers to a tool that would silently locate all predefined types of files and encrypt them on a target’s machine (JTRIG tools and techniques, 6).

SWORDPLAY

SYLVESTER – This was an in-development collection tool created by JTRIG. The covername refers to a framework for automated interaction and alias management on online social networks (JTRIG tools and techniques, 4).

SYRINGE

T

TACHO – Involved in ingesting mobile selectors (Source: Mobile Apps — Checkpoint meeting Archives).

TAMINGPASTRIES

TANGLEFOOT – This was an analysis tool created by JTRIG. The covername refers to a bulk search tool which queried a set of online resources. It was used to let analysts quickly check the online presence of a target (JTRIG tools and techniques, 7).

TANNER – This was a collection tool created by JTRIG that had been replaced by HAVOK. The covername refers to a technical program that allowed operators to log onto a JTRIG website to grab IP addresses of internet cafes (JTRIG tools and techniques, 4).

TECHNOVIKING – This was an in-design engineering tool created by JTRIG. The covername refers to a sub-system of JAZZFUSION (JTRIG tools and techniques, 2).

TEEDALE – Superseded by PILBEAM (Event (SIGINT), 4).

TERMINALSURGE – This database was used to retain telnet session information collected by GCHQ’s Network Access Centre (Automated NOC Detection, 15).

TERRAIN – Computer-to-Computer processing system used by the GCHQ (PRESTON Architecture (Version 3.0), 6). TERRAIN was responsible for processing lawful interception streams by sessionalizing data (HIMR Data Mining Research Problem Book, 10).

TELLURIAN

TEMPORA – GCHQ’s XKEYSCORE “Internet Buffer” which exploited the most valuable Internet links available to the GCHQ. TEMPORA provided discovery capability against Middle East, North African, and European targets (amongst others) and served to “slow down” a large chunk of Internet data for three days. This let analysts use the GENESIS language to discover data that would otherwise have been missed. Such tradecraft relied on content-based discovery (TEMPORA — “The World’s Largest XKEYSCORE” — Is Now Available to Qualified NSA Uses, 2).

TETRA

THICKISHALPHA

THUGGEE – Used to retain metadata; accessing this information does not require authorization when querying individuals in the UK. However, searches were logged and audited to ensure proportionality and necessity (Events Analysis – SALAMANCA, HAUSTORIUM, THUGGEE, IMMINGLE). Data from this database could be used to check the location of targets, such as to determine which legal authorizations were required for targeting the person(s) or identifier(s) in question (Operational Legalities, 46).

TICKETWINDOW

TIDALSURGE – The database scheme for TIDALSURGE had been implemented by the CSE as well as the DSD. The GCHQ’s use of TIDALSURGE was based on AS, whereas the CSE’s use was based on country (Automated NOC Detection, 9).

TIMIDTOAD – This covername refers to a type of IP data (HIMR Data Mining Research Problem Book, 83).

TINREVERIE

TINT – Used to trial new ways of collecting and processing content (Next Generation Events, 8).

TINTPUT – Part of the Next Generation Events XKS and TINT Bude experiments (Next Generation Events, 10).

TOPHAT – This was a collection tool created by JTRIG, in development as of July 2012. The covername refers to a version of the MUSTANG and DANCINGBEAR techniques that let JTRIG pull back cell tower and WiFi locations targeted against particular areas (JTRIG tools and techniques, 4).

TORNADOALLEY – This was an effects capability tool created by JTRIG that was ready to fire as of July 2012, subject to targeting restrictions. The covername refers to a delivery method (i.e. Excel spreadsheet) that could silently extract and run an executable on a target’s machine (JTRIG tools and techniques, 6).

TRACERFIRE – This was a collection tool created by JTRIG, in development as of July 2012. The covername refers to a Microsoft Office document that grabbed the target’s machine information, including files and logs, and posted it back to the GCHQ (JTRIG tools and techniques, 4).

TRACKERSMURF – This covername was for an iPhone-specific plugin that the GCHQ used to conduct high-precision geolocation of the phone (Capability – iPhone).

TRAFFICMASTER

TRIBALCARNEM – Used radius logs to identify and collect activity for IP sessions (GCHQ Analytic Cloud Challenges, 10).

TRITON

TRYST – This covername referred to a covert interception station in the UK embassy in the USSR, in the 1960s-1970s (The Secret Sentry: The Untold History of the National Security Agency, 152). More contemporary documents refer to ‘TRYST Travellers’ (OPA~TAS Covert Mobile Phones Policy, 5), who were subject to significant communications security programs to ensure that their mobile phones remained covert. Measures included ensuring Bluetooth functions were not enabled within 50 miles of Cheltenham and removing the battery from the device when within this proximity, not charging the device within an officer’s home or a temporary residence, exclusively calling GCHQ numbers using pre-assigned out-of-area phone numbers, not calling family members or home phone numbers using the covert phone or any phone number registered within 50 miles of Cheltenham, and not carrying personal mobile technologies (e.g., smartphones, laptops, tablets) when carrying the covert phone (OPA~TAS Covert Mobile Phones Policy, 5-6). Calls between covert phones were permitted so long as both were more than 50 miles away from Cheltenham (OPA~TAS Covert Mobile Phones Policy, 6), and individuals were to stop using a device if they believed it had been compromised and report the situation to staff upon returning to the UK (OPA~TAS Covert Mobile Phones Policy, 6).

TURBINE

TWILIGHTARROW – This was an operational engineering tool created by JTRIG. It was used to establish a remote GSM secure covert internet proxy using VPN services (JTRIG tools and techniques, 2).

TWOFACE – This covername refers to a database containing information pertaining to open source data for cyber defence. Datasets in TWO FACE included: alexa.com, ZeusTracker.abuse.ch, SpyEyeTracker.abuse.ch, amada.abuse.ch, torstatus.blutmagie.de, and EmergingThreats.net (Open Source for Cyber Defence/Progress, 1).

U

UDAQ

UDAQ2

UNDERPASS – This was an effects capability tool created by JTRIG that was in development. The covername refers to a method of changing the outcome of online polls (previously known as NUBILO) (JTRIG tools and techniques, 6).

UNIQUELYCHALLENGED – This covername refers to a situation where “[o]ne person has complete oversight of a technology from analysis to deployment — important for rapidly changing protocols” (Mobile apps doubleheader: BADASS Angry Birds, 3).

V

VAGRANT

VALHALLA – This covername refers to a standard Microsoft Windows environment provisioned to HIMR researchers. The environment provided email, Microsoft Office, web browsing, instant messaging, and a gateway to other systems (HIMR Data Mining Research Problem Book, 66).

VERACIOUS

VAIL – This covername refers to web user interfaces that were installed on GCHQ servers and that were accessible from a partner site. They enabled interactive queries of Question Focused Datasets (QFDs) and, thus, allowed exposure of GCHQ tradecraft (GCHQ Analytic Cloud Challenges, 13).

VIEWER – This was an operational collection tool created by JTRIG that was awaiting field trial as of July 2012. The covername refers to a program that would hopefully provide advance tipoff of a kidnapper’s IP address for HMG personnel (JTRIG tools and techniques, 4).

VIKINGPILLAGE – This was a collection tool created by JTRIG, operational as of July 2012. The covername refers to a distributed network for the automatic collection of encrypted/compressed data from remotely hosted JTRIG projects (JTRIG tools and techniques, 4).

VIPERSTONGUE – This was an effects capability tool created by JTRIG that was ready to fire as of July 2012, subject to targeting restrictions. The covername refers to a tool that will silently conduct denial of service calls towards a satellite phone or GSM phone (JTRIG tools and techniques, 6).

VISAGE

VOLSUNGA – Refers to an interface specification for GEOFUSION (HIMR Data Mining Research Problem Book, 89).

VORPALSWORD

W

WAFTER (OP WAFTER)

WARPATH – This was an effects capability tool created by JTRIG that was ready to fire as of July 2012. The covername refers to the mass delivery of SMS messages to support an Information Operations campaign (JTRIG tools and techniques, 6).

WARRIORPRIDE – This covername refers to the CSE-created exploit set designed to initially target mobile devices. CSE and GCHQ worked to port WARRIORPRIDE to the Android platform and completed the activity in the third quarter of 2010 (Mobile Briefing, 6). See also CSE Covernames.

WATCHTOWER – This was an operational engineering tool created by JTRIG. The covername refers to the GCNET to CERBERUS export gateway interface system (JTRIG tools and techniques, 2).

WAXTITAN – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).

WAYGOOD

WHAMI – This covername refers to a system which, in tandem with RUFIS-bis, was used to target specific areas of interest and produce GSM tower data with high quality metadata unique to the tower. RUFIS was used as part of the DYMO prototype tool (Site Updates (OPA-MHS-[REDACTED]), 1).

WHARFRAT

WHIPSAW – This covername refers to a redirect and exploitation server. In 2010, the GCHQ intended to use the server to implant WARRIORPRIDE directly on target iPhones, but the WHIPSAW exploit was only available on the ADSL lines which were tasked at the time (iPhone target analysis and exploitation with unique device identifiers, 9).

WHITERAVEN

WILDCOUGAR – This covername refers to a project associated with the United Kingdom’s collection of DNI and DNR information, and incorporated into the BOUNDLESSINFORMANT program (BOUNDLESSINFORMANT Countries Data, 9).

WINDFARM – This was an in-design engineering tool created by JTRIG. The covername refers to a research and design offsite facility (JTRIG tools and techniques, 2).

WOLFRAMITE – This covername refers to a GCHQ tool under development in 2011 that was intended to provide a capability against mobile over the air (OTA) GSM (A5/3) encryption (WOLFRAMITE (snippet)).

WOODCUTTER

WOODY – This covername refers to an ICTR research cluster (HIMR Data Mining Research Problem Book, 62).

WURLITZER – This was a shaping and honeypots capability created by JTRIG. The covername refers to the ability to distribute a file to multiple file hosting websites (JTRIG tools and techniques, 8).

WYLEKEY (OP WYLEKEY) – This covername refers to a Network Analysis Centre (NAC) operation focused on exploiting international mobile billing clearing houses (Mobile Networks in My NOC World, 7).

X

XKEYSCORE (XKS) – XKEYSCORE was a computer-network exploitation system that combined high-speed filtering with SIGDEV. XKEYSCORE performed filtering and selection to enable analysts to quickly find information they need based on what they already know, but it also performed SIGDEV functions such as target development to allow analysts to discover new sources of information (TEMPORA — “The World’s Largest XKEYSCORE” — Is Now Available to Qualified NSA Users, 3). IT Services will not provide new accounts for this database unless the user completes the appropriate mandatory operational legalities training, and records it in iLearn (Cyber Defence Operations Legal and Policy, 15). See also NSA Covernames and CSE Covernames.

Z

ZAMENSIS – Used by NTAC to collect special source material, which was used by the GCHQ (The National Technical Assistance Centre, 3).

ZooL – This covername refers to a database containing information pertaining to open source data for cyber defence. Datasets in ZooL included: alexa.com, user-agents.org, maxmind.com, ZeusTracker.abuse.ch, SpyEyeTracker.abuse.ch, amada.abuse.ch, torstatus.blutmagie.de, EmergingThreats.net, and ics.sans.edu (Open Source for Cyber Defence/Progress, 1).