
GCHQ’s War on Anonymous: DDOS Attacks, Covert Actions, Malware Implants, False Flag Operations

In Anonymous, Archive, GCHQ, Hacking, Internet, JTRIG, LulzSec, Malware, NSA, NSA Files, Surveillance on February 5, 2014 at 5:29 PM


Glenn Greenwald/NBC News:

A secret British spy unit created to mount cyber attacks on Britain’s enemies has waged war on the hacktivists of Anonymous and LulzSec, according to documents taken from the National Security Agency by Edward Snowden and obtained by NBC News.

The blunt instrument the spy unit used to target hackers, however, also interrupted the web communications of political dissidents who did not engage in any illegal hacking. It may also have shut down websites with no connection to Anonymous.

According to the documents, a division of Government Communications Headquarters (GCHQ), the British counterpart of the NSA, shut down communications among Anonymous hacktivists by launching a “denial of service” (DDOS) attack – the same technique hackers use to take down bank, retail and government websites – making the British government the first Western government known to have conducted such an attack.

The documents, from a PowerPoint presentation prepared for a 2012 NSA conference called SIGDEV, show that the unit known as the Joint Threat Research Intelligence Group, or JTRIG, boasted of using the DDOS attack – which it dubbed Rolling Thunder – and other techniques to scare away 80 percent of the users of Anonymous internet chat rooms.

The existence of JTRIG has never been previously disclosed publicly.

The presentation on hacktivism, called “Pushing the Boundaries and Action Against Hacktivism,” lists Anonymous, Lulzsec and the Syrian Cyber Army among “Hacktivist Groups.” Under “Hacktivism: Online Covert Action,” the presentation refers to “Effects Operations.” According to other Snowden documents obtained by NBC News, “Effects” campaigns are offensive operations intended to “destroy” and “disrupt” adversaries.

In another document taken from the NSA by Snowden and obtained by NBC News, a JTRIG official said the unit’s mission included computer network attacks, disruption, “Active Covert Internet Operations,” and “Covert Technical Operations.” Among the methods listed in the document were jamming phones, computers and email accounts and masquerading as an enemy in a “false flag” operation. The same document said GCHQ was increasing its emphasis on using cyber tools to attack adversaries.

The documents also show that JTRIG infiltrated chat rooms known as IRCs and identified individual hackers who had taken confidential information from websites. In one case JTRIG helped send a hacktivist to prison for stealing data from PayPal, and in another it helped identify hacktivists who attacked government websites.

The presentation gives detailed examples of “humint” (human intelligence) collection from hacktivists known by the on-line names G-Zero, Topiary and p0ke, as well as a fourth whose name NBC News has redacted to protect the hacker’s identity. The hacktivists were contacted by GCHQ agents posing as fellow hackers in internet chat rooms. The presentation includes transcripts of instant message conversations between the agents and the hackers in 2011.

“Anyone here have access to a website with at least 10,000+ unique traffic per day?” asks one hacktivist in a transcript taken from a conversation that began in an Operation Payback chat room. An agent responds and claims to have access to a porn website with 27,000 users per day. “Love it,” answers the hacktivist. The hackers ask for access to sites with traffic so they can identify users of the site, secretly take over their computers with malware and then use those computers to mount a DDOS attack against a government or commercial website.

A GCHQ agent then has a second conversation with a hacker known as GZero who claims to “work with” the first hacktivist. GZero sends the agent a series of lines of code that are meant to harvest visitors to the agent’s site and make their computers part of a “botnet” operation that will attack other computers.

The “outcome,” says the presentation, was “charges, arrest, conviction.” GZero is revealed to be a British hacker in his early 20s named Edward Pearson, who was prosecuted and sentenced to 26 months in prison for stealing 8 million identities and information from 200,000 PayPal accounts between Jan. 1, 2010 and Aug. 30, 2011.

In a transcript taken from a second conversation in an Operation Payback chat room, a hacktivist using the name “p0ke” tells another named “Topiary” that he has a list of emails, phone numbers and names of “700 FBI tards.”

An agent then begins a conversation with p0ke, asking him about what sites he’s accessed. The hacktivist responds that he was able to defeat the security on a U.S. government website, and pulled up credit card information that’s attached to congressional and military email addresses.

The agent then asks whether p0ke has looked at a BBC News web article called “Who loves the hacktivists?” and sends him a link to the story.

“Cool huh?” asks the agent, and p0ke responds, “ya.”

When p0ke clicked on the link, however, JTRIG was able to pull up the IP address of the VPN (virtual private network) the hacktivist was using. The VPN was supposed to protect his identity, but GCHQ either hacked into the network, asked the VPN for the hacker’s personal information, or asked law enforcement in the host nation to request the information.

A representative of the VPN told NBC News the company had not provided GCHQ with the hacker’s information, but indicated that in past instances it has cooperated with local law enforcement.

In whatever manner the information was retrieved, GCHQ was able to establish p0ke’s real name and address, as shown in the presentation slides. (NBC News has redacted the information).

P0ke was never arrested for accessing the government databases, but Topiary, actually an 18-year-old member of Anonymous and LulzSec spokesman from Scotland named Jake Davis, was arrested in July 2011. Davis was arrested soon after LulzSec mounted hack attacks against Congress, the CIA and British law enforcement.

In the concluding portion of the JTRIG presentation, the presenters sum up the unit’s “Effects on Hacktivism” as part of “Op[eration] Wealth” in the summer of 2011 and apparently emphasize the unit’s success against Anonymous, including the DDOS attack. The listed effects include identifying top targets for law enforcement and “Denial of Service on Key Communications outlets.”

Related Link: Destroy, Deny, Degrade, Disrupt, Deceive: GCHQ “Effects” Operations Revealed
