Title: Cyber Integration “The art of the possible”
Release Date: 2014-02-07
Document Date: 2012-01-01
Description: This GCHQ presentation, given to the 2012 SigDev Conference by representatives of the Joint Threat Research and Intelligence Group (JTRIG) and Cyber Defence Operations (CDO), describes how JTRIG attempts to “deny, disrupt, degrade and deceive” its targets. Speaker notes are included: see the NBC News article Snowden Docs: British Spies Used Sex and ‘Dirty […]
Document: NBC NEWS INVESTIGATIONS
The Snowden Files: British Spies Used Sex and 'Dirty Tricks'
Slideshow No. 1
GCHQ, the British signals intelligence agency, prepared the
following slides for a top-secret spy conference in 2012, describing
cyber operations. The slides focus on the efforts of a unit, the Joint
Intelligence Threat Research Group, or JTRIG. According to the
documents, JTRIG conducts "honey traps," sends adversaries
computer viruses, deletes their online presence, and employs
several other tactics. Documents previously published by NBC
News showed JTRIG engaged in cyber attacks on the hacktivist
collective known as Anonymous.
The slides were leaked by former NSA contractor Edward Snowden
and obtained exclusively by NBC News. NBC News is publishing
the documents with minimal redactions to protect individuals. The
presenter's notes for the slideshow are included.
Cyber defence operations
“The art of the possible”
JTRIG / GCHQ
JTRIG - Core Functions
JTRIG has the following core functions:
• Covert Internet Investigations
• Forensic Investigation and Analysis
• Active Covert Internet Operations, (including online Humint and Effects)
• Covert Technical Operations
• Provision of Unattributable Internet Access
• Development of new capability
Explanation of the “base-line” for JTRIG-related work and make-up:
The structure of JTRIG:
- Ops / Technical (Cap Dev) / JBOS.
Mention the “Online Covert Action Accreditation” Programme.
- Commenced September 2011.
- Initially for JTRIG staff.
- A small number of ISD analysts now being accepted on courses.
Main skills covered:
- Information & Influence Operations.
- Online Humint.
- Disruption & CNA.
- Briefing to be provided by
Development of new capability:
- Capabilities being developed to access data from various internet services
- How these data sources may help to mitigate the loss that passive access could suffer to encryption etc
- How to look further at integrating /fusing these data sources into our analytic stores
"Using online techniques to make something happen in the real or cyber world"
Two broad categories:
- Information Ops (influence or disruption)
- Technical disruption
Known in GCHQ as Online Covert Action
The 4 D's: Deny / Disrupt / Degrade / Deceive
Key statement is the initial one.
Explain the categories more.
The one thing to remember for JTRIG is the 4 “D’s”.
Stop Someone From
Bombard their phone with text messages
Bombard their phone with calls
Delete their online presence
Block up their fax machine
SMO examples from Afghanistan.
- Significantly disrupting Taleban Operations.
- Sending targets a text message every 10 seconds or so.
- Calling targets consistently on a regular basis.
Ability to delete a target’s online presence. Very annoying!!
Older type of Effects, but faxes are still used in some areas.
Discredit a target
Set up a honey-trap
Change their photos on social networking sites
Write a blog purporting to be one of their victims
Email/text their colleagues, neighbours, friends etc
Honey-trap; a great option. Very successful when it works.
- Get someone to go somewhere on the internet, or a physical location, to be met by a “friendly face”.
- JTRIG has the ability to “shape” the environment on occasions.
Photo change; you have been warned, “JTRIG is about!!”
Can take “paranoia” to a whole new level.
- Has worked on a number of different Ops.
- One example is on a Serious Crime Op.
- Other examples on Iran work.
- Infiltration work.
- Helps JTRIG acquire credibility with online groups etc.
- Helps with bringing SIGINT/Effects together.
Leak confidential information to companies / the press via blogs etc
Post negative information on appropriate forums
Stop deals / ruin business relationships
Info Ops style work:
- Use of Open Source info and/or releasable Sigint items.
- Attempts to inform the public, where necessary (government protected
- First stages of disruption and/or discrediting companies / organisations
- Stop /divert the flow of funding. Introduce panic etc.
believe a 'secre
• Place 'secret' information on a compromised
• Send 'secret' information across a network visible
• Provide 'secret' information through an online
Work alongside CNE:
- Use of various masquerade type techniques.
- Placement of potential “damning” information, where appropriate.
- Shape the environment, so that Sigint can provide BDA for Operations.
- Use of releasable information, (support from SIA’s etc).
- Use of online aliases to good effect.
- Visibly shaping the online environment.
Send them a virus:
• AMBASSADORS RECEPTION - encrypt itself, delete all emails, encrypt all files, make screen shake, no more log on
Conduct a Denial of Service attack on their computer
- Use of various JTRIG tools, including AMBASSADORS RECEPTION.
- Has been used in a variety of different areas, very effective.
Use of active techniques to collect intelligence required to map out:
- Who does what?
- What institutions etc are being used?
- What companies?
- Who sets up the websites?
- How do they communicate between ministries and / or each other?
- How do they communicate to investors?
- How do they store information?
Some basic questions that are normally associated with scoping potential
In essence Intelligence Analysts use SIGINT to answer the “pattern of life”
But... do they know the “online - pattern of life” for their target set??
Do the analysts know not just what their target is doing, but what is it
How do we measure the impact of "effects"?
"Blitz" style approach:
- Creating as much disruption as possible within a short period of time
More subtle approach:
- Effects use is less likely to be detected, and therefore
- More sustainable over a longer period of time
Two main ways to measure the impact of “Effects” Operations.
• Provide an opportunity for JTRIG analysts to be more actively involved with ISD counterparts
• Enable further upskilling (e.g. C2C etc)
• Provide JTRIG analysts with the opportunity to identify CNA-type options a lot earlier in Operations
• Provide ISD analysts with a greater baseline and understanding of JTRIG work
• An opportunity for analysts to learn new ACNO skills, (e.g. On-line HUMINT etc)
Current lack of JTRIG IT infrastructure on the general
Lack of wider resource investment
Lack of overall training and support resources
Integration process will be resource intensive for CDO