Exposing GCHQ’s Top Secret “GORDIAN KNOT” Cyber Defense Sensor Program — An Analysis

Dancho Danchev
Oct 28 · 9 min read
Sample Publicly Obtainable Top Secret “GORDIAN KNOT” Presentation Slide

In a previous post on Medium entitled “Assessment of U.S Intelligence Community Cyber Surveillance Programs and Tradecraft — Part One” I offered practical security tips and actual advice for the purpose of setting up the foundations for an upcoming set of posts detailing some of the most prolific U.S Intelligence Community Cyber Surveillance Programs and how you can protect yourself from wide-spread surveillance and eavesdropping attempts including practical advice on how the U.S Intelligence Community can actually make them work better.

In this post I’ll discuss in-depth GCHQ’s “GORDIAN KNOT” Top Secret Sensor for Cyber Defense Program which largely relies on Information Assurance Sensor development network including the “HARUSPEX” Top Secret Program which collects malicious software based on specific signatures targeting U.K-based infrastructure in the context of malicious software and phishing including spam campaigns with the help of data and E-mail attack signatures produced to be utilized by MessageLabs E-mail monitoring infrastructure acting as a Sensor Network successfully protecting U.K based Email infrastructure including several other currently active Top Secret U.S Intelligence Community Programs actively collecting malicious software and collerating data using SIGINT for possible malicious cyber adversary attribution.

Sample Screenshot of MessageLabs Email Attack Signatures Configuration Interface

Program Name: “GORDIAN KNOT” — The program is among the U.S Intelligence Community’s active malware spam and phishing emails collecting Sensor Networks which in combination with the “HARUSPEX” Top Secret Program aims to build the foundations for a successful Technical Collection of malicious software spam and phishing emails for the purpose of using active legal surveillance authorization measures including SIGINT for the purpose of establishing a successful cyber adversary attribution program efforts. How exactly does this work? Keep reading.

Current Status: This is a currently Top Secret U.S Intelligence Community Program aiming to collect malicious software spam and phishing emails for active Cyber Defense including the use of legal surveillance authorization measures for the purpose of using SIGINT for possible cyber adversary and attack attribution.

How it works: The program relies on both proprietary classified and public including commercial sensor networks used by the U.S Intelligence Community for Cyber Defense purposes including possibly cyber adversary attack attribution including the active use of U.K infrastructure implementations of MessageLabs Cloud-Based Security Solutions for the purpose of intercepting and responding to malicious software spam and phishing attack campaigns using active legal surveillance authorization measures including the use of SIGINT for possible cyber adversary attack attribution.

The targeted population? Pretty much everyone using MessageLabs Cloud Based Email Security Solution including various U.K Government bodies through a possible legal authorization to actually eavesdrop and put the E-mail traffic under active surveillance for the purpose of using SIGINT for possible attack attribution further protecting U.K based infrastructure.

Long story short — whenever a malicious attack reaches to any of the monitored users the U.S Intelligence Community and the GCHQ will feed the attack data using a specifically crafted set of E-mail signatures back to their “HARUSPEX” Top Secret program for the purpose of using SIGINT for attribution purposes.

How does the process actually work? It’s fairly simple that once an attack is launched U.K based infrastructure and the attack falls victim into the E-signatures database developed by the GCHQ for the purpose of enhancing Cyber Defense through intercepting and feeding back into related SIGINT-based programs various malware-serving and phishing email campaigns for the purpose of using SIGINT for attribution purposes.

The digitally naughty part: Based on various legal surveillance authorization mechanisms the U.S Intelligence Community and the GCHQ can easily achieved a what can be best described a fully working public and private sector Monitoring Sensor for anticipating to and responding to malicious software phishing and spam campaigns with the U.S Intelligence Community and the GCHQ actively relying on SIGINT for cyber adversary and attack attribution in combination with MessageLabs relevant API-based data synchronization and export functionality which could possibly offer relevant colleration type of malicious data enrichment and processing for the purpose of using SIGINT for cyber adversary and cyber attack attribution purposes.

How you can make it work better: Long story short — taking under consideration that U.K based infrastructure is under the jurisdiction of U.K’s GCHQ in terms of SIGINT and possible Information Assurance and Cyber Defense initiatives — it should be fairly easy to assume that based on a legal authorization surveillance and eavesdropping initiative the GCHQ can basically and practically monitor and respond to basically all the cyber attack incidents affecting U.K based infrastructure while possibly using SIGINT for active and passive cyber attack and cyber adversary attack attribution. Actively relying on public private sector API-based data-warehouse data information and knowledge including hundreds of thousands of active and potentially fraudulent and malicious IoCs (Indicators of Compromise) the GCHQ can be perfectly positioned to take advantage of U.K’s vast Internet infrastructure and actually utilize it as a mainstream U.S Intelligence Community type of Sensor Network for Early Warning Systems including active Cyber Defense purposes.

Sample Screenshot of MessageLabs Email Security Cloud Based Solution Anti-Email Spoofing Mechanism in Action

How you can take measures to protect yourself: In case you’re a major U.K based infrastructure provide or a private organization including a company that basically wants to preserve the confidentiality availability and integrity of its communication — it should be fairly easy to assume that basic “enforced encryption” type of communication both internally and externally should be taken into consideration including possibly the use of DKIM (Domain Keys Identified Email) for the purpose of establishing a decent degree of “security through obscurity” type of mentality including basic OPSEC (Operational Security) in terms of ensuring that basic email impersonation or email spoofing type of campaigns cannot really reach the targeted organization or an individual in question through basic implementation of various MessageLabs “security through obscurity” practices and mechanisms.

How does the attribution actually work? Pretty simple. Based on the publicly obtainable data from the “GORDIAN KNOT” and the “HARUSPEX” Top Secret Cyber Sensor for Cyber Defense Programs the U.S Intelligence Community including the GCHQ is capable of collerating the obtained data from the original malicious software serving including phishing campaign to a particular individual or a set of individuals through the active use of SIGINT which means that the U.S Intelligence Community including the GCHQ can launch offensive including active legal measures in terms of surveillance and eavesdropping authorization for the purpose of establishing the true identity behind a particular malware-serving including phishing campaign including actual legal action next to the active hijacking or a specific set of malicious and fraudulent botnet that managed to targeted U.K based infrastructure.

Same Screenshot of a Publicly Accessible Top Secret U.S Intelligence Community Presentation Slide Discussion Public and Commercial Sensors for Cyber Defense

Among the next logical example would be to go through Lockheed Martin’s publicly accessible OSINT Fusion Project presentation slides which also details similar offensive and defensive SIGINT use for actual cyber adversary attribution through the reliance on public and private Internet-based Cyber Security Events Sensors. The research published within Lockheed Martin’s OSINT Fusion Project presentation slides is pretty similar to what I’ve been doing for over a decade now — namely raising awareness on current and emerging cyber threats through the direct publication of research material on my personal Security Blog using basic Technical Collection methodologies including a personally developed OSINT methodology in terms of attribution and actual discovery of current and emerging cyber threats globally.

Sample Publicly Obtainable Screenshot of a Top Secret U.S Intelligence Community Botnet Hijacking Program Known as QUANTUMTHEORY

Yet another currently active Top Secret U.S Intelligence Community Program whose purpose is to hijack and disrupt various currently active botnets including basic C&C (command and control) infrastructure courtesy of the U.S Intelligence Community is “QUANTUMTHEORY” which basically allows a U.S Intelligence Community offensive and defensive CNO (Computer Network Operation) Operator the ability to hijack and track down any currently active botnet which in combination with other Top Secret U.S Intelligence Community Programs can greatly result in the actual cyber adversary attribution of a specific malicious and fraudulent actor through the use of legally authorized and active basic SIGINT operations.

Sample Screenshot of a Publicly Obtainable Presentation Slide Detailing How the X-KEYSCORE System Could be Used to Track Down Conficker-Based Malware Infections

It should be also worth pointing out that the U.S Intelligence Community is also known to be actively utilizing the X-KEYSCORE system for active and passive SIGINT in terms of cyber attack adversary attribution including the active use of software and digital attack fingerprints and signatures developed exclusively to be used by the U.S Intelligence Community and X-KEYSCORE Top Secret Program users.

Sample Screenshot from a publicly accessible Top Secret Program Known as X-KEYSCORE Actively Looking for BackEnergy DDoS Attack Tool Including the Mujahideen Secrets 2 Encryption Tool

It appears that the same system has been also used to detect possible Mujahideen Secrets 2 type of network-based activity for the purpose of covering possible attribution a release which I originally covered in a research posted in 2007 including another analysis posted in 2008 at my extremely popular Security Blog.

Same Screenshot of a Publicly Obtained Top Secret EONBLUE Presentation Slide Detailing the Use of Sensor Networks for Cyber Defense

Yet another program including a possible Top Secret Program use of SIGINT for cyber attack attribution is the EONBLUE Program which relies on “deep packet inspection” using signatures for detection known and already profiled threats including possible network-based anomalies — an area where I’ve offered extensive technical background throughout the years at my extremely popular Security Blog successfully anticipating and proactively detailing the malicious and fraudulent activities of cybercriminals and nation-state actors.

Sample Publicly Obtainable Presentation Slide Discussing the Top Secret X-KEYSCORE Program Use and Reliance on Malware-Detecting Fingerprints

What the U.S Intelligence Community further attempt to do in an attempt to improve the overall utilization and use of passive and active OSINT for cyber adversary type of attribution including the combination of SIGINT part of some of the Top Secret anti-malware and anti-botnet type of Programs that I’ve discussed — is to rely on public and commercial sources further enhancing the use of OSINT for Cyber Defense including the reliance on SIGINT in terms of cyber adversary attribution.

Do you want to find out more about successful active and passive SIGINT cyber operations courtesy of some of the research that I conducted during the years and published at my extremely popular Security Blog? Keep reading. On the majority of occasions I’ve managed to archive a decent degree of active communication between the actual campaign owners and malicious botnet operations who personally greeted me or used my name and personal blog as a reference within their C&C (command and control) infrastructure including for their actual domain registration purposes next to the active redirection of Facebook’s entire IP space to my personal blog courtesy of the Koobface botnet circa 2009.

Case in point are the following cases where I’ve successfully managed to establish a direct connection between the botnet operations who successfully reached back and left messages referencing me and my research including active typosquatting of my name some of the actual domain registrations including the active redirection of one of the malicious domains involved in the U.S Treasury Department circa 2010 to my personal Blogger profile.

  • hxxp://mikkohypponen-suc.kz — is known to have been registered using my name — Danch Danchev
  • hxxp://seximalinki.ru/images/ddanchev-sock-my-dick.php
  • hxxp://seo.hostia .ru/ddanchev-sock-my-dick.php
  • hxxp://hidancho.mine .nu/login.js

In conclusion it should be clearly noted that the U.S Intelligence Community is perfectly positioned to track down disrupt and undermine a huge portion of today’s modern trend including the active use of SIGINT for cyber attack and cyber adversary attribution. With the currently ongoing commercialization of what was once best known as Technical Collection — today’s modern Threat Intelligence market segment — it shouldn’t be surprising that the U.S Government including the U.S Intelligence Community is actively taking measures to keep track of and potentially undermine various cyber threats online including the active use of botnets and various other nation-state or rogue actors through the reliance on SIGINT for cyber attack and cyber adversary attribution.

Dancho Danchev

Written by

The World’s Leading Expert in the field of Cybercrime Research and Threat Intelligence Gathering — https://ddanchev.blogspot.com

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade