A secret British spy unit created to mount cyber attacks on Britain’s enemies has waged war on the hacktivists of Anonymous and LulzSec, according to documents taken from the National Security Agency by Edward Snowden and obtained by NBC News.
The blunt instrument the spy unit used to target hackers, however, also interrupted the web communications of political dissidents who did not engage in any illegal hacking. It may also have shut down websites with no connection to Anonymous.
According to the documents, a division of Government Communications Headquarters (GCHQ), the British counterpart of the NSA, shut down communications among Anonymous hacktivists by launching a distributed denial of service (DDOS) attack, the same technique hackers use to take down bank, retail and government websites, making the British government the first Western government known to have conducted such an attack.
The documents, from a PowerPoint presentation prepared for a 2012 NSA conference called SIGDEV, show that the unit, known as the Joint Threat Research Intelligence Group (JTRIG), boasted of using the DDOS attack, which it dubbed Rolling Thunder, and other techniques to scare away 80 percent of the users of Anonymous internet chat rooms.
The existence of JTRIG has never been previously disclosed publicly.
The presentation on hacktivism, called “Pushing the Boundaries and Action Against Hacktivism,” lists Anonymous, Lulzsec and the Syrian Cyber Army among “Hacktivist Groups.” Under “Hacktivism: Online Covert Action,” the presentation refers to “Effects Operations.” According to other Snowden documents obtained by NBC News, “Effects” campaigns are offensive operations intended to “destroy” and “disrupt” adversaries.
In another document taken from the NSA by Snowden and obtained by NBC News, a JTRIG official said the unit’s mission included computer network attacks, disruption, “Active Covert Internet Operations,” and “Covert Technical Operations.” Among the methods listed in the document were jamming phones, computers and email accounts and masquerading as an enemy in a “false flag” operation. The same document said GCHQ was increasing its emphasis on using cyber tools to attack adversaries.
The documents also show that JTRIG infiltrated Internet Relay Chat (IRC) channels and identified individual hackers who had taken confidential information from websites. In one case JTRIG helped send a hacktivist to prison for stealing data from PayPal, and in another it helped identify hacktivists who attacked government websites.
The presentation gives detailed examples of “humint” (human intelligence) collection from hacktivists known by the online names GZero, Topiary and p0ke, as well as a fourth whose name NBC News has redacted to protect the hacker’s identity. The hacktivists were contacted by GCHQ agents posing as fellow hackers in internet chat rooms. The presentation includes transcripts of instant message conversations between the agents and the hackers in 2011.
“Anyone here have access to a website with at least 10,000+ unique traffic per day?” asks one hacktivist in a transcript taken from a conversation that began in an Operation Payback chat room. An agent responds and claims to have access to a porn website with 27,000 users per day. “Love it,” answers the hacktivist. The hackers ask for access to sites with traffic so they can identify users of the site, secretly take over their computers with malware and then use those computers to mount a DDOS attack against a government or commercial website.
A GCHQ agent then has a second conversation with a hacker known as GZero who claims to “work with” the first hacktivist. GZero sends the agent a series of lines of code that are meant to harvest visitors to the agent’s site and make their computers part of a “botnet” operation that will attack other computers.
The “outcome,” says the presentation, was “charges, arrest, conviction.” GZero is revealed to be a British hacker in his early 20s named Edward Pearson, who was prosecuted and sentenced to 26 months in prison for stealing 8 million identities and information from 200,000 PayPal accounts between Jan. 1, 2010 and Aug. 30, 2011.
In a transcript taken from a second conversation in an Operation Payback chat room, a hacktivist using the name “p0ke” tells another named “Topiary” that he has a list of emails, phone numbers and names of “700 FBI tards.”
An agent then begins a conversation with p0ke, asking him about what sites he’s accessed. The hacktivist responds that he was able to defeat the security on a U.S. government website, and pulled up credit card information that’s attached to congressional and military email addresses.
The agent then asks whether p0ke has looked at a BBC News web article called “Who loves the hacktivists?” and sends him a link to the story.
“Cool huh?” asks the agent, and p0ke responds, “ya.”
When p0ke clicked on the link, however, JTRIG was able to log the IP address of the VPN (virtual private network) exit the hacktivist was using. The VPN was supposed to protect his identity, and an exit address on its own only identifies the provider, not the subscriber, so GCHQ either hacked into the network, asked the VPN for the hacker’s personal information, or asked law enforcement in the host nation to request the information.
A representative of the VPN told NBC News the company had not provided GCHQ with the hacker’s information, but indicated that in past instances it has cooperated with local law enforcement.
In whatever manner the information was retrieved, GCHQ was able to establish p0ke’s real name and address, as shown in the presentation slides. (NBC News has redacted the information).
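The first step described above, a link unique to one recipient served from a site the operator controls, is enough to record the network address of whoever opens it. The following is an added example written for this page, not code from the article or from any GCHQ material: it parses a constructed web server access log in Combined Log Format, finds the request that carried the one-off token, and then checks whether the recorded address falls inside a (constructed) VPN provider’s exit range. The token value, the log lines and the exit range are all made up; the point the check makes is the one the article turns on next, that a VPN exit address identifies the provider rather than the person behind it.

```python
# Added example, not from the NBC News article or any GCHQ document.
# Shows what a unique "canary" link reveals: the address that fetched it.
# All log lines, the token and the VPN exit range below are constructed.
import ipaddress
import re
from datetime import datetime
from typing import Optional

# Constructed access log (Combined Log Format). The ?ref= token was sent
# to exactly one person, so the request carrying it is attributed to them.
# A link opened from an IRC client normally carries no Referer ("-").
ACCESS_LOG = """\
203.0.113.7 - - [15/Jun/2011:21:03:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [15/Jun/2011:21:04:52 +0000] "GET /news/who-loves-the-hacktivists?ref=7f3a9c HTTP/1.1" 200 8831 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.9 - - [15/Jun/2011:21:05:30 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

# Constructed: address blocks a commercial VPN provider uses for its exit nodes.
VPN_EXIT_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# One Combined Log Format line: ip ident user [time] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def find_canary_hit(log_text: str, token: str) -> Optional[dict]:
    """Return details of the first request whose path carries the canary token,
    or None if nobody has fetched the link yet."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of crashing on them
        if token not in m.group("path"):
            continue
        return {
            "ip": m.group("ip"),
            "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "referer": m.group("referer"),
            "user_agent": m.group("ua"),
        }
    return None


def is_vpn_exit(ip: str) -> bool:
    """True if the address sits in a known VPN exit range. In that case the
    log has identified the VPN provider, not the subscriber behind it, and
    the next step has to go through the provider (or the courts)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_EXIT_RANGES)


if __name__ == "__main__":
    hit = find_canary_hit(ACCESS_LOG, "ref=7f3a9c")
    print("canary hit:", hit)
    if hit:
        print("recorded address is a VPN exit:", is_vpn_exit(hit["ip"]))
```

Only the exact token path is attributed, so unrelated visitors to the same site (the other two constructed lines) are ignored; a real deployment would also want the token to be unguessable and single-use, otherwise a forwarded or scanned link attributes the wrong person.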
The hacktivist p0ke was never arrested for accessing the government databases, but Topiary, in fact an 18-year-old from Scotland named Jake Davis who was a member of Anonymous and a spokesman for LulzSec, was arrested in July 2011. Davis was arrested soon after LulzSec mounted hack attacks against Congress, the CIA and British law enforcement.
In the concluding portion of the JTRIG presentation, the presenters sum up the unit’s “Effects on Hacktivism” as part of “Op[eration] Wealth” in the summer of 2011 and apparently emphasize the unit’s success against Anonymous, including the DDOS attack. The listed effects include identifying top targets for law enforcement and “Denial of Service on Key Communications outlets.”
— Anonymous (@YourAnonNews) February 9, 2014
“DDOS and hacking is illegal, please cease and desist,” GCHQ told Anonymous, as GCHQ DDoS’ed and hacked them. http://t.co/4Knf0I69zS
— Trevor Timm (@trevortimm) February 5, 2014
— Anonymous (@YourAnonNews) February 5, 2014
Following latest GCHQ revelations, who are the real criminals? http://t.co/dqHzeizloq
— Jake Davis (@DoubleJake) February 5, 2014
My Government used a DDoS attack against servers I owned, and then convicted me of conducting DDoS attacks. Seriously what the fucking fuck?
— Chris Weatherhead (@CJFWeatherhead) February 5, 2014
This is the UK criminal statute outlawing denial of service attacks. I guess GCHQ will argue they were “authorized”. http://t.co/M6rv0bdAVw
— MarthaGroup (@marthagroup) February 5, 2014
— Christopher Soghoian (@csoghoian) February 5, 2014
— Jacob Appelbaum (@ioerror) February 5, 2014
IRC network calls 4 investigations over GCHQ’s attack on Anonymous. QuakeNet calls GCHQ actions grossly hypocritical http://t.co/zLpuXDH03p
— Anonymous (@YourAnonNews) February 7, 2014