How the GCHQ Used the Top Secret “ANTICRISIS GIRL” Program to Spy on Users — An Analysis

In most respects, what the GCHQ appears to have achieved with “passive SIGINT”, that is, monitoring traffic without interfering with it, is similar to what I have done over the years in cybercrime research and threat intelligence gathering: passively monitoring newly emerging cyber threats as they appear, and profiling and tracking down the cybercriminals behind them internationally.

Sample Screenshot of the Top Secret GCHQ “ANTICRISIS GIRL” Passive Web, Search Engine and Web Site Traffic Monitoring Program

Passive SIGINT, in this context passively monitoring for cyber threats, watching for trends and anticipating new fraudulent or potentially malicious “event-based” activity and campaigns online, is best described as a proactive response to the growing threat posed by fraudulent and malicious actors whose ultimate goal is to launch, execute and orchestrate a variety of fraudulent and malicious campaigns online.

How exactly does the Top Secret “ANTICRISIS GIRL” passive SIGINT program work? It is reasonable to assume that the basic passive SIGINT approach I used while monitoring, profiling and attempting to track down the Koobface 1.0 C&C infrastructure is close to what “ANTICRISIS GIRL” aims to achieve: embedding basic web analytics tools on a variety of publicly owned and private-sector automatically generated blackhat SEO content farms and other rogue, fraudulent or potentially malicious sites, monitoring the resulting traffic for trends, and eventually intersecting the visitor data with Target Identifiers in order to launch legal surveillance and eavesdropping campaigns against a multitude of targets.

Sample “Exposing Koobface — The World’s Largest Botnet” Video Presentation Discussing In-Depth the Use of OSINT Methodologies, Including “Passive SIGINT”, to Track Down, Monitor and Eventually Shut Down the Koobface Botnet Infrastructure

The passive SIGINT obtained in that case also covers the direct, and potentially malicious, injection of web analytics code and monitoring tools into legitimate web properties, so that their visitors, for instance Wikileaks or The Pirate Bay users, may become subject to legal surveillance and eavesdropping. The same applies to anyone who visits an automatically generated, purpose-built rogue, fraudulent or potentially malicious blackhat SEO themed online “content farm”.
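A practical check for the injection described above is to look at the HTML a web property actually serves and list every resource a visitor’s browser will fetch from a host the site does not own, since an embedded analytics tag or tracking pixel is exactly such a third-party fetch. The scanner below is an added example written for this page, not code from the GCHQ program, from Koobface, or from the author; the page content, the first-party domain `example.org` and the tracker hostnames (`analytics-vendor.example`, `counter-farm.example`, `stats-farm.example`) are constructed for the illustration.

```python
"""Audit served HTML for third-party tracking beacons (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose src/href make the visitor's browser send a request automatically.
BEACON_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


class BeaconScanner(HTMLParser):
    """Collect (where, host, url) for every load that leaves the first-party domains."""

    def __init__(self, first_party):
        super().__init__()
        self.first_party = {h.lower() for h in first_party}
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        attr = BEACON_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self._check(tag, value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline analytics snippets usually build the beacon URL in JavaScript
        # (often appending document.referrer); catch any absolute URL they embed.
        if self._in_script:
            for url in URL_RE.findall(data):
                self._check("inline-script", url)

    def _check(self, where, url):
        host = urlparse(url).hostname  # also handles protocol-relative "//host/..."
        if host is None:               # relative URL: same origin as the page
            return
        host = host.lower()
        if host in self.first_party or any(host.endswith("." + h) for h in self.first_party):
            return
        self.findings.append((where, host, url))


def find_third_party_beacons(html, first_party):
    """Return every third-party load in `html`, given the site's own domains."""
    scanner = BeaconScanner(first_party)
    scanner.feed(html)
    return scanner.findings


# Constructed page: a first-party site with an injected tracker script, an inline
# snippet that leaks the referrer to a counter, and a 1x1 tracking pixel.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="/static/app.js"></script>
<script src="//www.analytics-vendor.example/tracker.js"></script>
<script>
  new Image().src = "https://stats.counter-farm.example/pixel?ref=" + document.referrer;
</script>
</head><body>
<img src="https://cdn.example.org/logo.png">
<img src="http://counter.stats-farm.example/hit.gif?site=42" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for where, host, url in find_third_party_beacons(SAMPLE_PAGE, ["example.org"]):
        print(f"{where:14} {host:32} {url}")
```

Run it against the HTML the server returns to a real visitor (for example the body of a `curl` fetch), not against the template files on disk: a tag injected through a compromised template, a CDN or an in-transit modification only shows up in what is actually served.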

Key topics that might attract the GCHQ’s and the U.S. Intelligence Community’s attention:

  • Rogue and bogus clearance-jobs portals and related resources and materials
  • Rogue and bogus lyrics sites and other traffic acquisition tactics and techniques
  • Publicly accessible statistics for major online properties, including URL shortening services, whose visitors can easily be geolocated and matched against Target Identifiers in order to track down the individuals using those services

Sample Koobface 1.0 Infrastructure Web Site Referrers Obtained from Publicly Accessible Statistics

A case in point is the Koobface 1.0 infrastructure, which at one point redirected visitors coming from Facebook’s IP space to my personal blog. Its operators relied on a publicly accessible web statistics tracker, which made it possible to find out where most of the traffic to the Koobface 1.0 infrastructure was coming from.

Sample Koobface 1.0 Infrastructure Originating Countries Traffic Obtained from Publicly Accessible Statistics
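To make concrete what a publicly reachable statistics tracker hands to anyone who finds it, the example below reconstructs both views from ordinary web server logs: the aggregate referrer and originating-country tables shown in the screenshots, and the per-visitor rows (source IP, country, timestamp, page) behind them that let a Target Identifier be attached to every visitor who arrived from a given site. This is an added example written for this page, not code from the Koobface tracker, from the GCHQ program or from the author; the log lines are constructed, the IP ranges are documentation prefixes, and the prefix-to-country table is a stand-in for the GeoIP database a hosted tracker would use.

```python
"""What a publicly reachable web statistics page gives away (added example)."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed prefix-to-country table standing in for a GeoIP database; the
# ranges are RFC 5737 documentation prefixes, not real geolocation data.
GEO_TABLE = [
    (ip_network("203.0.113.0/24"), "DE"),
    (ip_network("198.51.100.0/24"), "US"),
    (ip_network("192.0.2.0/24"), "BG"),
]


def country_of(ip):
    addr = ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "??"


def parse_line(line):
    """Parse one combined-format line; return None for anything malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    ref = rec["referrer"]
    rec["ref_host"] = "(direct)" if ref == "-" else (urlparse(ref).hostname or "(direct)")
    return rec


def summarize(log_text):
    """The aggregate view a public stats page shows: referrers and countries."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    referrers = Counter(r["ref_host"] for r in recs)
    first_seen = {}
    for r in recs:
        first_seen.setdefault(r["ip"], r)          # one row per distinct visitor IP
    countries = Counter(country_of(ip) for ip in first_seen)
    return {"requests": len(recs), "visitors": len(first_seen),
            "referrers": referrers, "countries": countries}


def visitors_from(log_text, referrer_host):
    """The per-visitor rows behind the aggregate for one referring site:
    (ip, country, first timestamp, page), i.e. what a Target Identifier attaches to."""
    seen = {}
    for r in filter(None, map(parse_line, log_text.splitlines())):
        if r["ref_host"] == referrer_host and r["ip"] not in seen:
            seen[r["ip"]] = (r["ip"], country_of(r["ip"]), r["ts"], r["path"])
    return list(seen.values())


# Constructed log excerpt: a lyrics content farm receiving Facebook, Google and
# direct traffic, plus one malformed line to show it is skipped.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2009:10:01:02 +0000] "GET /lyrics/top-hit.html HTTP/1.1" 200 5120 "http://www.facebook.com/" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2009:10:01:05 +0000] "GET /hit.gif HTTP/1.1" 200 43 "http://www.facebook.com/" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2009:10:02:11 +0000] "GET /clearance-jobs.html HTTP/1.1" 200 6010 "http://www.google.com/search?q=clearance+jobs" "Mozilla/4.0"
192.0.2.44 - - [10/Mar/2009:10:03:40 +0000] "GET /lyrics/top-hit.html HTTP/1.1" 200 5120 "-" "Opera/9.6"
198.51.100.90 - - [10/Mar/2009:10:04:01 +0000] "GET /lyrics/top-hit.html HTTP/1.1" 200 5120 "http://www.facebook.com/home.php" "Mozilla/5.0"
garbage line that does not parse
"""

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    print("referrers:", stats["referrers"].most_common())
    print("countries:", stats["countries"].most_common())
    for row in visitors_from(SAMPLE_LOG, "www.facebook.com"):
        print("facebook visitor:", row)
```

The aggregate tables are what the screenshots above show; the rows returned by `visitors_from` are what a stats page exposes once it lists recent visitors, and they are the reason the author’s advice further down about restricting access to such statistics matters.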

What end users and web site owners should keep in mind is to keep their web analytics private, including the statistics of any URL shortening service they use, by restricting access to publicly obtainable statistics. Such statistics can easily be used for passive SIGINT: Target Identifiers can be applied to the visitors of a particular web site or social media account, and a specific set of users or visitors to a specific web site can then be placed under legal surveillance and eavesdropping, violating their privacy.

DNS Threat Researcher -