Exposing the U.S. Intelligence Community and GCHQ’s Use of “Dirty Tricks” Online — An Analysis

It is fairly safe to assume that the U.K.’s prominent intelligence agency, the GCHQ, is a master of both offensive and defensive CNE (Computer Network Exploitation) tactics, including the active use of “dirty tricks” online against networks, Internet hosts and connected devices. Relying on an old-school set of espionage techniques successfully migrated to today’s Internet-connected world, on innovative and never-before-seen technical and cyber-espionage know-how, and on SIGINT-style discovery of cyber assets, the GCHQ continues to master the Internet for the purpose of targeting individuals and Communities-of-Notice internationally and exfiltrating their data.

In this post I’ll discuss in depth the inner workings of GCHQ’s Joint Threat Research Intelligence Group (JTRIG) and its use of “dirty tricks” online, including the fact that what the group has managed to achieve is pretty much what I’ve managed to achieve in my Security Lab throughout 2008–2013 for both offensive and defensive Cyber Warfare R&D purposes, actually becoming a partner of the U.S. Intelligence Community in terms of “4th Party Exfiltration”, also known as “outsourcing SIGINT”. I’ll also provide an active discussion of possible protection techniques, of how the programs could actually perform better, and of various “Online Covert Operation” activities and actual cyber and good old-fashioned HUMINT in the context of JTRIG’s activities online.

Sample Screenshot Indicating that I Was Featured as the Primary and Only EU-Based Individual As A Direct Competitor to the U.S. Cyber Threat Intelligence Market Segment Courtesy of Jeffrey Carr’s Taia Global Presentation

Some of the key good old-fashioned “Covert Cyber Operations” activities, including cyber HUMINT tactics and techniques, are:

  • Establishing online aliases/personalities who support the communications or messages in YouTube videos, Facebook groups, forums, blogs etc. — as I’ve already discussed in a previous post exposing the GCHQ’s use of “sockpuppet” type fake and non-existent online aliases and personalities, it is worth pointing out that the entire bogus account creation process can be easily outsourced to publicly accessible DIY (do-it-yourself) content generation tools. One such service, http://thispersondoesnotexist.com, automatically generates “fake person” photos, which can be used to create fake online accounts and thus serve the GCHQ’s and the U.S. Intelligence Community’s objective of creating “sockpuppet” accounts for spreading propaganda and disinformation in current and future campaigns.

Sample Proposed “Fake Person” Honeytoken-Based Human-Layer Honeypot Deception Framework Graph

  • Establishing online aliases/personalities who support other aliases — the so-called “sockpuppet” culture should be clearly considered an automated way to spread propaganda and disinformation and to compromise the OPSEC of a variety of individuals online, including reputable security researchers whose OPSEC and online privacy while doing research can be greatly compromised and whose opinion can be greatly influenced, for instance by “engineering cyber warfare tensions” or by disinformation about “island-hopping” tactics. This is similar to what I’ve been aiming to achieve with my “Fake Person” honeytoken-based, human-layer deception framework.

Sample Proposed “Fake Person” Honeytoken-Based Human-Layer Honeypot Deception Framework MindMap

  • Sending spoof e-mails and text messages from a fake person or mimicking a real person (to discredit, promote distrust, dissuade, deceive, deter, delay or disrupt) — it should be clearly noted that modern spam campaigns, and the malware that comes with them, should be treated as a form of economic terrorism, with only a handful of researchers out there taking the necessary steps to ensure that such widespread campaigns are properly “taken care of” in the bigger context of preventing widespread damage caused by malicious and fraudulent releases online.

Sample Personal Greeting Courtesy of the Koobface Gang Which Personally Thanks Me for Exposing and Attempting to Successfully Shut Down the Actual Koobface 1.0 C&C Infrastructure

Case in point is the Koobface botnet, which I’ve extensively profiled throughout the years; I’ve successfully managed to prompt its operators to respond by redirecting Facebook’s entire IP space to my personal blog and by issuing a “say hi” type of message within the actual command and control infrastructure, personally greeting me for having successfully profiled and taken down a huge portion of the Koobface 1.0 command and control infrastructure.

Sample “Exposing Koobface — The World’s Largest Botnet” Presentation Presented at CyberCamp 2016 Courtesy of Dancho Danchev

  • Providing spoof online resources such as magazines and books that provide inaccurate information (to disrupt, delay, deceive, discredit, promote distrust, dissuade, deter or denigrate/degrade) — some of these tactics can be described as good old-fashioned espionage campaigns that apply basic HUMINT and CYBERINT principles in cyberspace, positioning the campaign as a possible cyber-espionage one, with the orchestrator behind it looking for ways to monetize access to malware-infected hosts or to cause widespread damage internationally. These types of targeted attacks are better attributed to good old-fashioned espionage techniques and tools of the trade which, in the broader context of CYBERINT, can include the “engineering of cyber warfare tensions” and “island hopping” tactics, making it harder for an analyst or Cyber Threat Intelligence team to track down and properly attribute a specific malware-serving, malicious or fraudulent online campaign.
  • Providing online access to uncensored material (to disrupt) — these types of techniques should be considered an important milestone from a hacktivism perspective, most importantly for the purpose of spreading data, information and knowledge, and for recruiting team members and training and educating a new generation of cyber warriors and potentially CYBERINT analysts on their way to properly attributing and tracking down a specific fraudulent and malicious online campaign.
  • Sending instant messages to specific individuals giving them instructions for accessing uncensored websites — unless the campaign is a widespread one, it should be clearly noted that these types of campaigns can be potentially dangerous, in the sense of exposing a specific individual, possibly living under a restrictive regime, to regulated or forbidden content and then launching a privacy-violating “Target Identificator” type of campaign against them, or a targeted client-side exploit-serving campaign, for the purpose of compromising the OPSEC of the individual in question and tracking them down.
  • Setting up spoof trade sites (or sellers) that may take a customer’s money and/or send customers degraded or spoof products (to deny, disrupt, degrade/denigrate, delay, deceive, discredit, dissuade or deter) — these types of techniques can best be described as a possible form of financial and economic terrorism which aims to infiltrate the client’s or target’s supply chain for the purpose of shipping them rogue and possibly modified products, which could greatly undermine their OPSEC and lead to serious privacy and security risks once the orchestrator has managed to infiltrate the supply chain of the client or target in question.
  • Interrupting (i.e., filtering, deleting, creating or modifying) communications between real customers and traders (to deny, disrupt, delay, deceive, dissuade or deter) — these types of campaigns can best be described as basic DDoS (Distributed Denial of Service) attack campaigns, including the active use of TDoS (Telephony Denial of Service) attack campaigns, which aim to disrupt the communication between a seller and a buyer.

Sample Screenshot of the Shenron DDoS Booter Kit in Action Which Represents a Common Attack Technique in Today’s Modern Hacktivism-Driven World

  • Taking over control of online websites (to deny, disrupt, discredit or delay) — these types of tactics directly include website defacements and the use of DDoS (Distributed Denial of Service) attacks against a specific target, for the purpose of stealing and compromising data, denying potential clients and customers access to a specific website, or spreading a message, potentially recruiting and spreading data, information and knowledge to millions of users globally.
  • Denial of telephone and computer service (to deny, delay or disrupt) — it used to be the case that TDoS (Telephony Denial of Service) attacks were a highly restricted and sensitive type of DoS (Denial of Service) attack technique. However, thanks to the rise of commercial, on-demand TDoS services courtesy of Russian and Eastern European cybercriminals, alongside the capabilities currently offered and in use by the GCHQ and the U.S. Intelligence Community, it should be clearly noted that these types of attacks are likely to increase in volume and sophistication. Case in point is BAT911.Worm, which attempts to call 911 from the infected host’s PC if a modem is present, representing one of the first distributed TDoS attack campaigns.
  • Hosting targets’ online communications/websites for collecting SIGINT (to disrupt, delay, deter or deny) — this is something I’ve already pointed out in one of my previous analyses, which provides practical and relevant actionable intelligence on how the NSA utilizes rogue Iran-based VPN service providers to eavesdrop on and put under surveillance some of their users as part of the BOUNDLESS INFORMANT Top Secret Program.
  • Contacting host websites asking them to remove material (to deny, disrupt, delay, dissuade or deter) — it’s fairly safe to assume that what the GCHQ’s Joint Threat Research Intelligence Group (JTRIG) managed to achieve in terms of active online propaganda, including terrorism- and botnet-related shut-down activity online, is pretty much similar to what I’ve managed to achieve in attempting to shut down and take down the Koobface 1.0 command and control infrastructure.

In future posts I’ll continue to detail in depth the inner workings of the GCHQ’s Cyber Surveillance and Intelligence Programs, including various other U.S. Intelligence Community Programs, similar to what I’ve managed to achieve throughout 2008–2013 in my Security Lab by producing actionable threat intelligence at my extremely popular Dancho Danchev’s Blog — Mind Streams of Information Security Knowledge, including the active distribution of classified and potentially sensitive content at my newly launched https://unit-123.org — feel free to go through the actual Project Introduction post.

DNS Threat Researcher - https://www.whoisxmlapi.com
