Title: JTRIG Tools and Techniques
Release Date: 2014-07-14
Document Date: 2012-07-01
Description: This page from GCHQ's internal GCWiki describes tools developed by the Joint Threat Research Intelligence Group and their status. The page was last edited in July 2012 and was accessed nearly 20,000 times: see the Intercept article Hacking Online Polls and Other Ways British Spies Seek to Control the Internet, 14 July 2014.
This page was last modified on 5 July 2012, at 13:05. This page has been accessed 19,579 times.
TOP SECRET STRAP1 COMINT
JTRIG tools and techniques
(Redirected from JTRIG CITD - Covert Internet Technical Development)
We don't update this page anymore; it became somewhat of a Chinese menu for effects operations. Information is now available for JTRIG staff at [1].
Understanding this page

Tools and techniques are developed by various teams within JTRIG. We like to let people know when we have something that we think we can use, but we also don't want to oversell our capability.

For this reason, each tool indicates its current status. We may put up experimental tools or ones that are still in development so you know what we are working on, and can approach JTRIG with any new ideas. But experimental tools by their nature will be unreliable; if you raise expectations or make external commitments before speaking to us, you will probably end up looking stupid.

Most of our tools are fully operational, tested and reliable. We will indicate when this is the case; however, there can be reasons why our tools won't work for some operational requirements (e.g. if a tool exploits a provider-specific vulnerability). There may also be legal restrictions.

So please come and speak to JTRIG operational staff early in your operational planning process.
Current Priorities

Capability Development Priorities can be found by following the link below:
■ CapDev Priorities (Discover)
Engineering

| Tool/System | Description | Status | Contacts |
|---|---|---|---|
| Cerberus Statistics Collection | Collects on-going usage information about how many users utilise JTRIG's UIA capability, what sites are the most frequently visited etc. This is in order to provide JTRIG infrastructure and IT Services management information statistics. | OPERATIONAL | JTRIG Software Developers |
| RADIANT SPLENDOUR | A 'Data Diode' connecting the CERBERUS network with GCNET. | OPERATIONAL | JTRIG Software Developers |
| ALLIUM ARCH | JTRIG UIA via the Tor network. | OPERATIONAL | JTRIG Infrastructure Team |
| ASTRAL PROJECTION | Remote GSM secure covert internet proxy using TOR hidden services. | OPERATIONAL | JTRIG Infrastructure Team |
| TWILIGHT ARROW | Remote GSM secure covert internet proxy using VPN services. | OPERATIONAL | JTRIG Infrastructure Team |
| SPICE ISLAND | JTRIG's new infrastructure. FOREST WARRIOR, FRUIT BOWL, JAZZ FUSION and other JTRIG systems will form part of the SPICE ISLAND infrastructure. | DEV | JTRIG Infrastructure Team |
| POISON ARROW | Safe malware download capability. | DESIGN | JTRIG Infrastructure Team |
| FRUIT BOWL | CERBERUS UIA replacement and new tools infrastructure - primary domain for generic user/tools access and TOR, split into 3 sub-systems. | DESIGN | JTRIG Infrastructure Team |
| NUT ALLERGY | JTRIG Tor web browser - sandboxed IE replacement and FRUIT BOWL sub-system. | PILOT | JTRIG Infrastructure Team |
| BERRY TWISTER | A sub-system of FRUIT BOWL. | PILOT | JTRIG Infrastructure Team |
| BERRY TWISTER+ | A sub-system of FRUIT BOWL. | PILOT | JTRIG Infrastructure Team |
| BRANDY SNAP | JTRIG UIA contingency at Scarborough. | IMPLEMENTATION | JTRIG Infrastructure Team |
| WIND FARM | R&D offsite facility. | DESIGN | JTRIG Infrastructure Team |
| CERBERUS | JTRIG's legacy UIA desktop, soon to be replaced with FOREST WARRIOR. | OPERATIONAL | JTRIG Infrastructure Team |
| BOMBAY ROLL | JTRIG's legacy UIA standalone capability. | OPERATIONAL | JTRIG Infrastructure Team |
| JAZZ FUSION | BOMBAY ROLL replacement which will also incorporate new collectors - primary domain for dedicated connections, split into 3 sub-systems. | IMPLEMENTATION | JTRIG Infrastructure Team |
| COUNTRY FILE | A sub-system of JAZZ FUSION. | OPERATIONAL | JTRIG Infrastructure Team |
| TECHNO VIKING | A sub-system of JAZZ FUSION. | DESIGN | JTRIG Infrastructure Team |
| JAZZ FUSION+ | A sub-system of JAZZ FUSION. | DESIGN | JTRIG Infrastructure Team |
| BUMBLEBEE DANCE | JTRIG operational VM/TOR architecture. | OPERATIONAL | JTRIG Infrastructure Team |
| AIR BAG | JTRIG laptop capability for field operations. | OPERATIONAL | JTRIG Infrastructure Team |
| EXPOW | GCHQ's UIA capability provided by JTRIG. | OPERATIONAL | JTRIG Infrastructure Team |
| AXLE GREASE | The covert banking link for CPG. | OPERATIONAL | JTRIG Infrastructure Team |
| POD RACE | JTRIG's MS update farm. | DESIGN | JTRIG Infrastructure Team |
| WATCHTOWER | GCNET -> CERBERUS export gateway interface system. | OPERATIONAL | JTRIG Software Developers |
| REAPER | CERBERUS -> GCNET import gateway interface system. | OPERATIONAL | JTRIG Software Developers |
| DIAL | External internet redial and monitor daemon. | OPERATIONAL | JTRIG Software Developers |
| FOREST WARRIOR | Desktop replacement for CERBERUS. | DESIGN | JTRIG Infrastructure Team |
| DOG HANDLER | JTRIG's development network. | DESIGN | JTRIG Infrastructure Team |
| DIRTY DEVIL | JTRIG's research network. | DESIGN | JTRIG Infrastructure Team |

(Individual contact names are redacted in the source.)
Collection

| Tool | Description | Status |
|---|---|---|
| AIRWOLF | YouTube profile, comment and video collection. | Beta release. |
| ANCESTRY | Tool for discovering the creation date of Yahoo selectors. | Fully operational. |
| BEARTRAP | Bulk retrieval of public BEBO profiles from member or group ID. | Fully operational. |
| BIRDSONG | Automated posting of Twitter updates. | Decommissioned. Replaced by SYLVESTER. |
| BIRDSTRIKE | Twitter monitoring and profile collection. Click here for the User Guide. | Fully operational. |
| BUGSY | Google+ collection (circles, profiles etc.). | In early development. |
| DANCING BEAR | Obtains the locations of WiFi access points. | Fully operational. |
| DEVILS HANDSHAKE | ECI data technique. | Fully operational. |
| DRAGON'S SNOUT | Paltalk group chat collection. | Beta release. |
| EXCALIBUR | Acquires a Paltalk UID and/or email address from a screen name. | Fully operational (against current Paltalk version). |
| FATYAK | Public data collection from LinkedIn. | In development. |
| FUSEWIRE | Provides 24/7 monitoring of vBulletin forums for target postings/online activity. Also allows staggered postings to be made. | Fully operational. |
| GLASSBACK | Technique of getting a target's IP address by pretending to be a spammer and ringing them. Target does not need to answer. | Fully operational. |
| GODFATHER | Public data collection from Facebook. | |
| GOODFELLA | Generic framework for public data collection from online social networks. | In development (supports RenRen and Xing). |
| HACIENDA | A port scanning tool designed to scan an entire country or city. It uses GEOFUSION to identify IP locations. Banners and content are pulled back on certain ports. Content is put into the EARTHLING database, and all other scanned data is sent to GNE and is available through GLOBAL SURGE and Fleximart. | Fully operational. |
| ICE | An advanced IP harvesting technique. | |
| INSPECTOR | Tool for monitoring domain information and site availability. | Fully operational. |
| LANDING PARTY | Tool for auditing dissemination of VIKING PILLAGE data. | Fully operational. |
| MINIATURE HERO | Active Skype capability. Provision of real-time call records (SkypeOut and Skype-to-Skype) and bidirectional instant messaging. Also contact lists. | Fully operational, but note usage restrictions. |
| MOUTH | Tool for downloading a user's files from Archive.org. | Fully operational. |
| MUSTANG | Provides covert access to the locations of GSM cell towers. | Fully operational. |
| PHOTON TORPEDO | A technique to actively grab the IP address of an MSN Messenger user. | Operational, but usage restrictions. |
| RESERVOIR | Facebook application allowing collection of various information. | Fully operational, but note operational restrictions. |
| SEBACIUM | An ICTR-developed system to identify P2P file sharing activity of intelligence value. Logs are accessible via DIRTY RAT. | In development. |
| SILVER SPECTER | Allows batch Nmap scanning over TOR. | Fully operational. |
| SODAWATER | A tool for regularly downloading Gmail messages and forwarding them onto CERBERUS mailboxes. | In development. |
| SPRING BISHOP | Find private photographs of targets on Facebook. | Replaced by HAVOK. |
| SYLVESTER | Framework for automated interaction / alias management on online social networks. | In development. |
| TANNER | A technical programme allowing operators to log on to a JTRIG website to grab IP addresses of internet cafes. | Operational, but awaiting field trial. |
| TRACER FIRE | An Office document that grabs the target's machine info, files, logs, etc. and posts it back to GCHQ. | Operational. |
| VIEWER | A programme that (hopefully) provides advance tip-off of the kidnappers' IP address for HMG personnel. | In development. |
| VIKING PILLAGE | Distributed network for the automatic collection of encrypted/compressed data from remotely hosted JTRIG projects. | |
| TOP HAT | A version of the MUSTANG and DANCING BEAR techniques that allows us to pull back cell tower and WiFi locations targeted against particular areas. | |

Contacts (names redacted in the source): JTRIG Software Developers for most tools; HACIENDA is tasked via NAC HACIENDA Taskers; several rows list a Tech Lead and Expert User. Status cells left empty could not be aligned to a row in the extracted page.
Effects Capability

JTRIG develops the majority of effects capability in GCHQ. A lot of this capability is developed on demand for specific operations and then further developed to provide weaponised capability.

Don't treat this like a catalogue. If you don't see it here, it doesn't mean we can't build it. If you involve the JTRIG operational teams at the start of your operation, you have more of a chance that we will build something for you.

For each of our tools we have indicated the state of the tool. We only advertise tools here that are either ready to fire or very close to being ready (operational requirements would re-prioritise our development). Once again, involve the JTRIG operational teams early.
| Tool | Description | Status | Contacts |
|---|---|---|---|
| ANGRY PIRATE | A tool that will permanently disable a target's account on their computer. | Ready to fire (but see target restrictions). | Tech Lead: [redacted] |
| ARSON SAM | A tool to test the effect of certain types of PDU SMS messages on phones / network. It also includes PDU SMS dumb fuzz testing. | Ready to fire (not against live targets; this is an R&D tool). | Tech Lead: [redacted]; Expert User: [redacted] |
| BUMPERCAR+ | An automated system developed by JTRIG CITD to support JTRIG BUMPERCAR operations. BUMPERCAR operations are used to disrupt and deny internet-based terror videos or other material. The technique employs the services provided by upload providers to report offensive materials. | Ready to fire. | JTRIG Software Developers |
| BOMB BAY | The capability to increase website hits/rankings. | In development. | |
| BADGER | Mass delivery of email messaging to support an Information Operations campaign. | Ready to fire. | JTRIG OSOS |
| BURLESQUE | The capability to send spoofed SMS text messages. | Ready to fire. | JTRIG OSOS |
| CANNONBALL | The capability to send repeated text messages to a single target. | Ready to fire. | JTRIG OSOS |
| CLEAN SWEEP | Masquerade Facebook wall posts for individuals or entire countries. | Ready to fire (SIGINT sources required). | Tech Lead: [redacted]; Expert User: [redacted] |
| CLUMSY BEEKEEPER | Some work in progress to investigate IRC effects. | NOT READY TO FIRE. | |
| CHINESE FIRECRACKER | Overt brute-force login attempts against online forums. | Ready to fire. | |
| CONCRETE DONKEY | The capability to scatter an audio message to a large number of telephones, or repeatedly bomb a target number with the same message. | In development. | |
| DEER STALKER | Ability to aid geolocation of sat phones / GSM phones via a silent call to the phone. | Ready to fire. | |
| GATEWAY | Ability to artificially increase traffic to a website. | Ready to fire. | |
| GAMBIT | Deployable pocket-sized proxy server. | In development. | |
| GESTATOR | Amplification of a given message, normally video, on popular multimedia websites (YouTube). | | |
| GLITTERBALL | Online gaming capabilities for sensitive operations. Currently Second Life. | | |
| IMPERIAL BARGE | For connecting two target phones together in a call. | | |
| PITBULL | Capability, under development, enabling large-scale delivery of a tailored message to users of instant messaging services. | | |
| POISONED DAGGER | Effects against Gigatribe. Built by ICTR, deployed by JTRIG. | | |
| PREDATORS FACE | Targeted denial of service against web servers. | | |
| ROLLING THUNDER | Distributed denial of service using P2P. Built by ICTR, deployed by JTRIG. | | |
| SCARLET EMPEROR | Targeted denial of service against targets' phones via call bombing. | | |
| SCRAPHEAP CHALLENGE | Perfect spoofing of emails from BlackBerry targets. | | |
| SERPENTS TONGUE | For fax message broadcasting to multiple numbers. | | |
| SILENT MOVIE | Targeted denial of service against SSH services. | | |
| SILVERBLADE | Reporting of extremist material on Dailymotion. | | |
| SILVERFOX | List provided to industry of live extremist material files hosted on FFUs. | | |
| SILVERLORD | Disruption of video-based websites hosting extremist content through concerted target discovery and content removal. | | |
| SKYSCRAPER | Production and dissemination of multimedia via the web in the course of information operations. | | |
| SLIPSTREAM | Ability to inflate page views on websites. | | |
| STEALTH MOOSE | A tool that will disrupt a target's Windows machine. Logs how long and when the effect is active. | Ready to fire (but see target restrictions). | Tech Lead: [redacted]; Expert User: [redacted] |
| SUNBLOCK | Ability to deny functionality to send/receive email or view material online. | Tested, but operational limitations. | Tech Lead: Section [redacted] |
| SWAMP DONKEY | A tool that will silently locate all predefined types of file and encrypt them on a target's machine. | Ready to fire (but see target restrictions). | Tech Lead: [redacted] |
| TORNADO ALLEY | A delivery method (Excel spreadsheet) that can silently extract and run an executable on a target's machine. | Ready to fire (but see target restrictions). | Tech Lead: [redacted]; Expert User: [redacted] |
| UNDERPASS | Change outcome of online polls (previously known as NUBILO). | In development. | Tech Lead: Section X; Expert User: [redacted] |
| VIPERS TONGUE | A tool that will silently denial-of-service calls on a satellite phone or a GSM phone. | Ready to fire (but see target restrictions). | |
| WARPATH | Mass delivery of SMS messages to support an Information Operations campaign. | Ready to fire. | |

Status and contact cells left empty could not be aligned to a row in the extracted page. The unaligned statuses for the GESTATOR to POISONED DAGGER rows are "In development", "Tested" and "In development"; for the PREDATORS FACE to SLIPSTREAM rows they are five "Ready to fire" and one "Ready to fire, but see constraints". Unaligned contacts include JTRIG OSOS, JTRIG Software Developers, several redacted Tech Leads and Expert Users, and "Tech Lead: Section X; Expert Users: Language Team".
Work Flow Management

| Tool | Description | Contacts |
|---|---|---|
| HOME PORTAL | A central hub for all JTRIG Cerberus tools. | JTRIG Software Developers |
| CYBER COMMAND CONSOLE | A centralised suite of tools, statistics and viewers for tracking current operations across the Cyber community. | JTRIG Software Developers |
| NAMEJACKER | A web service and admin console for the translation of usernames between networks. For use with gateways and other such technologies. | JTRIG Software Developers |
Analysis Tools

| Tool | Description |
|---|---|
| BABYLON | A tool that bulk queries web mail addresses and verifies whether they can be signed up for. A green tick indicates that the address is currently in use. Verification can currently be done for Hotmail and Yahoo. |
| CRYOSTAT | A JTRIG tool that runs against data held in NEWPIN. It then displays this data in a chart to show links between targets. |
| ELATE | A suite of tools for monitoring target use of the UK auction site eBay (www.ebay.co.uk). These tools are hosted on an internet server, and results are retrieved by encrypted email. |
| PRIMATE | A JTRIG tool that aims to provide the capability to identify trends in seized computer media data and metadata. |
| JEDI | JTRIG will shortly be rolling out a JEDI pod to every desk of every member of an Intelligence Production Team. The challenge is to scale up to over 1,200 users whilst remaining agile, efficient and responsive to customer needs. |
| JILES | A JTRIG bespoke web browser. |
| MIDDLEMAN | A distributed real-time event aggregation, tip-off and tasking platform utilised by JTRIG as a middleware layer. |
| OUTWARD | A collection of DNS lookup, WHOIS lookup and other network tools. |
| TANGLEFOOT | A bulk search tool which queries a set of online resources. This allows analysts to quickly check the online presence of a target. |
| SLAMMER | A data index and repository that provides analysts with the ability to query data collected from the internet from various JTRIG sources, such as EARTHLING, HACIENDA, web pages saved by analysts etc. |

Contacts (names redacted in the source): JTRIG Software Developers for most tools; two rows list a Tech Lead and Expert User.
Databases

| Tool | Description | Contacts |
|---|---|---|
| BYSTANDER | A categorisation database accessed via web service. | JTRIG Software Developers |
| CONDUIT | A database of C2C identifiers for Intelligence Community assets acting online, either under alias or in real name. | JTRIG Software Developers |
| NEWPIN | A database of C2C identifiers obtained from a variety of unique sources, and a suite of tools for exploring this data. | JTRIG Software Developers |
| QUINCY | An enterprise-level suite of tools for the exploitation of seized media. | Tech Lead: [redacted]; Expert User: [redacted] |
Forensic Exploitation

| Tool | Description |
|---|---|
| BEARSCRAPE | Can extract WiFi connection history (MAC and timing) when supplied with a copy of the registry structure or run on the box. |
| [name not extracted] | The Sigint Forensics Laboratory was developed within NSA. It has been adapted by JTRIG as its email extraction and first-pass analysis of seized media solution. |
| Snoopy | A tool to extract mobile phone data from a copy of the phone's memory (usually supplied as an image file extracted through FTK). |
| MobileHoover | A tool to extract data from field forensics reports created by Celldek, Cellebrite, XRY, Snoopy and USIM Detective. These reports are transposed into a Newpin XML format to upload to Newpin. |
| [name not extracted] | A tool developed by NTAC to search disk images for signs of possible encryption products. CMA have further developed this tool to look for signs of steganography. |

Contacts (names redacted in the source): a Tech Lead is listed for some rows.
Techniques

| Tool | Description | Contacts |
|---|---|---|
| CHANGELING | Ability to spoof any email address and send email under that identity. | JTRIG OSOS |
| HAVOK | Real-time website cloning technique allowing on-the-fly alterations. | JTRIG OSOS |
| MIRAGE | | JTRIG OSOS |
| SHADOWCAT | End-to-end encrypted access to a VPS over SSH using the TOR network. | JTRIG OSOS |
| SPACE ROCKET | A programme covering insertion of media into target networks. CRINKLE CUT is a tool developed by ICTR-CISA to enable JTRIG to track images as part of SPACE ROCKET. | Tech Lead: [redacted]; Expert User: [redacted] |
| RANA LUMP | A system developed by ICTR-CISA providing CAPTCHA-solving via a web service on CERBERUS. This is intended for use by BUMPERCAR+ and possibly in future by SHORTFALL, but anyone is welcome to use it. | Tech Lead: [redacted]; Expert User: [redacted] |
| [name not extracted] | A system that finds the avatar name from a Second Life AgentID. | JTRIG Software Developers |
| GURKHAS SWORD | Beaconed Microsoft Office documents to elicit a target's IP address. | JTRIG Software Developers |
Shaping and Honeypots

| Tool | Description | Contacts |
|---|---|---|
| DEADPOOL | URL shortening service. | JTRIG OSOS |
| HUSK | Secure one-to-one web-based dead-drop messaging platform. | JTRIG OSOS |
| LONGSHOT | File-upload and sharing website. | JTRIG OSOS |
| MOLTEN-MAGMA | CGI HTTP proxy with ability to log all traffic and perform HTTPS man-in-the-middle. | JTRIG Software Developers |
| NIGHTCRAWLER | Public online group against dodgy websites. | JTRIG OSOS |
| PISTRIX | Image hosting and sharing website. | JTRIG OSOS |
| WURLITZER | Distribute a file to multiple file hosting websites. | |
Category: JTRIG
Copyright © 2008 [garbled] is held under licence from third parties. This information is exempt under the Freedom of Information Act and may be exempt under other UK information legislation. Refer any FOIA queries to GCHQ.