“Effects capabilities” allow analysts to twist truth subtly or spam relentlessly.
by Sean Gallagher – 2014
What appears to be an internal Wiki page detailing the cyber-weaponry used by the British spy agency GCHQ was published today by Glenn Greenwald of The Intercept. The page, taken from the documents obtained by former NSA contractor Edward Snowden, lists dozens of tools used by GCHQ to target individuals and their computing devices, spread disinformation posing as others, and “shape” opinion and information available online.
The page had been maintained by GCHQ’s Joint Threat Research Intelligence Group (JTRIG) Covert Internet Technical Development team, but it fell out of use by the time Snowden copied it. Greenwald and NBC previously reported on JTRIG’s “dirty tricks” tactics for psychological operations and information warfare, and the new documents provide a hint at how those tactics were executed. GCHQ’s capabilities included tools for manipulating social media, spoofing communications from individuals and groups, and warping the perception of content online through manipulation of polls and web pages’ traffic and search rankings.
Originally intended to inform other organizations within GCHQ (and possibly NSA) of new capabilities being developed by the group, the JTRIG CITD team noted on the page, “We don’t update this page anymore, it became somewhat of a Chinese menu for effects operations.” The page lists 33 “effects capability” tools, as well as a host of other capabilities for collecting information, tracking individuals, attacking computers, and extracting information from seized devices.
As described in a previously revealed GCHQ document, effects tools are defined as “using online techniques to make something happen in the real world.” The capabilities give GCHQ the ability to widely track, manipulate, and interfere with online communications between targets. One, called Miniature Hero, allows for the “provision of real time call records (SkypeOut and SkypetoSkype) and bidirectional instant messaging. Also contact lists.” Other tools allow for widespread automated postings on video sites and social networks, plus the silencing of individuals who qualify as “terrorists” or “extremists” (which, as recently revealed by Jacob Appelbaum, could be construed to include Linux users).
The effects tools fall into a few broad categories, including:
Denial of service and access:
- JTRIG CITD has developed its own equivalent of CryptoLocker—Swamp Donkey, a tool “that will silently locate all predefined types of file [sic] and encrypt them on a target’s machine.”
- Sunblock blocks a target from sending or receiving e-mail and viewing websites.
- Stealth Moose will “disrupt [the] target’s Windows machine.” And for the ultimate in harassment, there’s ANGRY PIRATE, “a tool that will permanently disable a target’s account on their computer.”
Information harassment tools:
- A tool appropriately called Badger allows GCHQ to overwhelm targets with spam e-mails “to support an Information Operations campaign.”
- Concrete Donkey “is the ability to scatter an audio message to a large number of telephones, or repeatedly bomb a target number with the same message.”
- Cannonball is a similar “bombing” tool for SMS messages, and Pitbull targets instant messaging accounts.
- For those who prefer old-school communications, Serpent’s Tongue is a fax-bomb, designed for fax broadcasting to multiple phone numbers.
- Imperial Barge can connect two target phones together in a call arbitrarily, for those times when GCHQ wants to force people to talk to each other.
Information disruption tools:
- BUMPERCAR is a system that uses complaints to YouTube and other sites about “offensive content” to “disrupt and deny Internet-based terror videos and other material.”
- Another tool, Silverlord, is used for “disruption of video-based websites hosting extremist content through concerted target discovery and content removal.”
- Silverblade is used specifically to report terrorist content on the video site Dailymotion.
Misinformation and spoofing tools.
- Underpass is used to “change outcome of online polls.”
- Slipstream and Gateway can be used to manipulate traffic to a website, inflating its page views and raising its search rank to alter perception of its popularity.
- Gestator can be used for “amplification of a given message, normally video, on popular multimedia websites (Youtube).”
- Clean Sweep allows GCHQ to “masquerade Facebook Wall Posts for individuals or entire countries.”
- Burlesque, an SMS robot, can send SMS messages spoofed from a particular user.
- Scrapheap Challenge does “perfect spoofing of e-mails from Blackberry targets.”
- Another tool, called Clumsy Beekeeper, may have been used in GCHQ’s targeting of Anonymous. It is an “IRC effects” tool that was still under development the last time the page was updated.
- Chinese Firecracker is intended to crack passwords to forums and other sites so that analysts can post under someone else’s name.
And then there’s GCHQ’s focus on Second Life. The agency has already developed Lump, a tool for identifying the avatar name of a user based on their Second Life agent ID. That’s useful for targeting an individual based on intercepted traffic to the virtual reality environment. And the JTRIG developer team was also working on Glitterball: “Online Gaming Capabilities for Sensitive Operations. Currently Second Life.”
The capabilities described in the Wiki page aren’t theoretical. GCHQ used a number of them in Afghanistan to disrupt Taliban operations. They were able to send text messages to targeted Taliban leaders every 10 seconds, place calls to them with voice messages regularly, and even “delete a target’s online presence.” JTRIG has also used social media in Iran in an attempt to target and disrupt Iranian nuclear development