JTRIG Tools and Techniques

A transcription of the catalog of exploit tools posted on The Intercept.

JTRIG tools

We don’t update this page anymore; it became somewhat of a Chinese menu for effects operations. Information is now available for JTRIG staff at [1].

Understanding this page

Tools and techniques are developed by various teams within JTRIG. We like to let people know when we have something that we think we can use, but we also don’t want to oversell our capability.

For this reason, each tool indicates its current status. We may put up experimental tools or ones that are still in development so you know what we are working on, and can approach JTRIG with any new ideas. But experimental tools by their nature will be unreliable; if you raise expectations or make external commitments before speaking to us, you will probably end up looking stupid.

Most of our tools are fully operational, tested and reliable. We will indicate when this is the case; however, there can be reasons why our tools won’t work for some operational requirements (e.g. if a tool exploits a provider-specific vulnerability). There may also be legal restrictions.

So please come and speak to JTRIG operational staff early in your operational planning process.

Engineering

| Tool/System | Description | Status | Contacts |
|---|---|---|---|
| Cerberus Statistics Collection | Collects on-going usage information about how many users utilise JTRIG's UIA capability, what sites are the most frequently visited, etc., in order to provide JTRIG infrastructure and IT Services management information statistics. | OPERATIONAL | JTRIG Software Developers |
| JTRIG RADIANT SPLENDOUR | A 'Data Diode' connecting the CERBERUS network with GCNET. | OPERATIONAL | JTRIG Software Developers |
| ALLIUM ARCH | JTRIG UIA via the Tor network. | OPERATIONAL | JTRIG Infrastructure Team |
| ASTRAL PROJECTION | Remote GSM secure covert internet proxy using TOR hidden services. | OPERATIONAL | JTRIG Infrastructure Team |
| TWILIGHT ARROW | Remote GSM secure covert internet proxy using VPN services. | OPERATIONAL | JTRIG Infrastructure Team |
| SPICE ISLAND | JTRIG's new infrastructure. FOREST WARRIOR, FRUIT BOWL, JAZZ FUSION and other JTRIG systems will form part of the SPICE ISLAND infrastructure. | DEV | JTRIG Infrastructure Team |
| POISON ARROW | Safe malware download capability. | DESIGN | JTRIG Infrastructure Team |
| FRUIT BOWL | CERBERUS UIA replacement and new tools infrastructure: primary domain for generic user/tools access and TOR, split into 3 sub-systems. | DESIGN | JTRIG Infrastructure Team |
| NUT ALLERGY | JTRIG Tor web browser: Sandbox IE replacement and FRUIT BOWL sub-system. | PILOT | JTRIG Infrastructure Team |
| BERRY TWISTER | A sub-system of FRUIT BOWL. | PILOT | JTRIG Infrastructure Team |
| BERRY TWISTER+ | A sub-system of FRUIT BOWL. | PILOT | JTRIG Infrastructure Team |
| BRANDY SNAP | JTRIG UIA contingency at Scarborough. | IMPLEMENTATION | JTRIG Infrastructure Team |
| WIND FARM | R&D offsite facility. | DESIGN | JTRIG Infrastructure Team |
| CERBERUS | JTRIG's legacy UIA desktop, soon to be replaced with FOREST WARRIOR. | OPERATIONAL | JTRIG Infrastructure Team |
| BOMBAYROLL | JTRIG's legacy UIA standalone capability. | OPERATIONAL | JTRIG Infrastructure Team |
| JAZZ FUSION | BOMBAY ROLL replacement which will also incorporate new collectors: primary domain for dedicated connections, split into 3 sub-systems. | IMPLEMENTATION | JTRIG Infrastructure Team |
| COUNTRY FILE | A sub-system of JAZZ FUSION. | OPERATIONAL | JTRIG Infrastructure Team |
| TECHNO VIKING | A sub-system of JAZZ FUSION. | DESIGN | JTRIG Infrastructure Team |
| JAZZ FUSION+ | A sub-system of JAZZ FUSION. | DESIGN | JTRIG Infrastructure Team |
| BUMBLEBEE DANCE | JTRIG operational VM/TOR architecture. | OPERATIONAL | JTRIG Infrastructure Team |
| AIR BAG | JTRIG laptop capability for field operations. | OPERATIONAL | JTRIG Infrastructure Team |
| EXPOW | GCHQ's UIA capability provided by JTRIG. | OPERATIONAL | JTRIG Infrastructure Team |
| AXLE GREASE | The covert banking link for CPG. | OPERATIONAL | JTRIG Infrastructure Team |
| POD RACE | JTRIG's MS update farm. | DESIGN | JTRIG Infrastructure Team |
| WATCHTOWER | GCNET -> CERBERUS export gateway interface system. | OPERATIONAL | JTRIG Software Developers |
| REAPER | CERBERUS -> GCNET import gateway interface system. | OPERATIONAL | JTRIG Software Developers |
| DIALd | External Internet redial and monitor daemon. | OPERATIONAL | JTRIG Software Developers |
| FOREST WARRIOR | Desktop replacement for CERBERUS. | DESIGN | JTRIG Infrastructure Team |
| DOG HANDLER | JTRIG's development network. | DESIGN | JTRIG Infrastructure Team |
| DIRTY DEVIL | JTRIG's research network. | DESIGN | JTRIG Infrastructure Team |

Collection

| Tool | Description | Contacts | Status |
|---|---|---|---|
| AIRWOLF | YouTube profile, comment and video collection. | ████████ | Beta release. |
| ANCESTRY | Tool for discovering the creation date of Yahoo selectors. | JTRIG Software Developers | Fully Operational. |
| BEARTRAP | Bulk retrieval of public BEBO profiles from member or group ID. | JTRIG Software Developers | Fully Operational. |
| BIRDSONG | Automated posting of Twitter updates. | JTRIG Software Developers | Decommissioned. Replaced by SYLVESTER. |
| BIRDSTRIKE | Twitter monitoring and profile collection. A User Guide is available. | JTRIG Software Developers | Fully Operational. |
| BUGSY | Google+ collection (circles, profiles etc.). | Tech Leads: █████████████ | In early development. |
| DANCING BEAR | Obtains the locations of WiFi access points. | Tech Lead: ███████; Expert User: █████████████ | Fully Operational. |
| DEVIL'S HANDSHAKE | ECI Data Technique. | Tech Lead: ███████; Expert User: █████████████ | Fully Operational. |
| DRAGON'S SNOUT | Paltalk group chat collection. | Tech Leads: ████████████████████████████████ | Beta release. |
| EXCALIBUR | Acquires a Paltalk UID and/or email address from a Screen Name. | JTRIG Software Developers | Fully Operational (against current Paltalk version). |
| FATYAK | Public data collection from LinkedIn. | Tech Lead: ████████████████ | In Development. |
| FUSEWIRE | Provides 24/7 monitoring of vBulletin forums for target postings/online activity. Also allows staggered postings to be made. | JTRIG Software Developers | |
| GLASSBACK | Technique of getting a target's IP address by pretending to be a spammer and ringing them. Target does not need to answer. | JTRIG Software Developers | Fully Operational. |
| GODFATHER | Public data collection from Facebook. | Tech Lead: ████████████████ | Fully Operational. |
| GOODFELLA | Generic framework for public data collection from Online Social Networks. | Tech Lead: ████████████████ | In Development (supports RenRen and Xing). |
| HACIENDA | A port scanning tool designed to scan an entire country or city. It uses GEOFUSION to identify IP locations. Banners and content are pulled back on certain ports. Content is put into the EARTHLING database, and all other scanned data is sent to GNE and is available through GLOBAL SURGE and Fleximart. | NAC HACIENDA Taskers | Fully Operational. |
| ICE | An advanced IP harvesting technique. | JTRIG Software Developers | |
| INSPECTOR | Tool for monitoring domain information and site availability. | JTRIG Software Developers | Fully Operational. |
| LANDING PARTY | Tool for auditing dissemination of VIKING PILLAGE data. | JTRIG Software Developers | Fully Operational. |
| MINIATURE HERO | Active Skype capability. Provision of real-time call records (SkypeOut and Skype-to-Skype) and bidirectional instant messaging. Also contact lists. | JTRIG Software Developers | Fully operational, but note usage restrictions. |
| MOUTH | Tool for downloading a user's files from Archive.org. | JTRIG Software Developers | Fully Operational. |
| MUSTANG | Provides covert access to the locations of GSM cell towers. | Tech Lead: ███████; Expert User: █████████████ | Fully Operational. |
| PHOTON TORPEDO | A technique to actively grab the IP address of an MSN Messenger user. | Tech Lead: █████████████ | Operational, but usage restrictions. |
| RESERVOIR | Facebook application allowing collection of various information. | JTRIG Software Developers | Fully operational, but note operational restrictions. |
| SEBACIUM | An ICTR-developed system to identify P2P file sharing activity of intelligence value. Logs are accessible via DIRTY RAT. | Tech Lead: ███████; Expert User: █████████████ | |
| SILVER SPECTER | Allows batch Nmap scanning over Tor. | JTRIG Software Developers | In Development. |
| SODAWATER | A tool for regularly downloading Gmail messages and forwarding them on to CERBERUS mailboxes. | JTRIG Software Developers | Fully Operational. |
| SPRING BISHOP | Find private photographs of targets on Facebook. | Tech Lead: ████████████████████████ | |
| SYLVESTER | Framework for automated interaction / alias management on online social networks. | Tech Lead: ████████████████████████ | In Development. |
| TANNER | A technical programme allowing operators to log on to a JTRIG website to grab IP addresses of Internet cafes. | JTRIG OSO | Replaced by HAVOK. |
| TRACER FIRE | An Office document that grabs the target's machine info, files, logs, etc. and posts it back to GCHQ. | █████████████ TRACER FIRE JTRIG | In Development. |
| VIEWER | A programme that (hopefully) provides advance tip-off of the kidnappers' IP address for HMG personnel. | | Operational, but awaiting field trial. |
| VIKING PILLAGE | Distributed network for the automatic collection of encrypted/compressed data from remotely hosted JTRIG projects. | PILLAGE JTRIG Software Developers | Operational. |
| TOP HAT | A version of the MUSTANG and DANCING BEAR techniques that allows us to pull back Cell Tower and WiFi locations targeted against particular areas. | Tech Lead: ████████████████████████ | In Development. |

Effects Capability

JTRIG develop the majority of effects capability in GCHQ. A lot of this capability is developed on demand for specific operations and then further developed to provide weaponised capability.

Don’t treat this like a catalogue. If you don’t see it here, it doesn’t mean we can’t build it. If you involve the JTRIG operational teams at the start of your operation, you have more of a chance that we will build something for you.

For each of our tools we have indicated the state of the tool. We only advertise tools here that are either ready to fire or very close to being ready (operational requirements would re-prioritise our development). Once again, involve the JTRIG operational teams early.

| Tool | Description | Status | Contacts |
|---|---|---|---|
| ANGRY PIRATE | A tool that will permanently disable a target's account on their computer. | Ready to fire (but see target restrictions). | Tech Lead: █████████████; Expert User: ████████ |
| ARSON SAM | A tool to test the effect of certain types of PDU SMS messages on phones / network. It also includes PDU SMS dumb fuzz testing. | Ready to fire (not against live targets; this is an R&D tool). | Tech Lead: █████████████; Expert User: |
| BUMPERCAR+ | An automated system developed by JTRIG CITD to support JTRIG BUMPERCAR operations. BUMPERCAR operations are used to disrupt and deny Internet-based terror videos or other materials. The technique employs the services provided by upload providers to report offensive materials. | Ready to fire. | JTRIG Software Developers |
| BOMB BAY | The capability to increase website hits/rankings. | In Development. | Tech Lead: █████████████ |
| BADGER | Mass delivery of email messaging to support an Information Operations campaign. | Ready to fire. | JTRIG OSO |
| BURLESQUE | The capability to send spoofed SMS text messages. | Ready to fire. | JTRIG OSO |
| CANNONBALL | The capability to send repeated text messages to a single target. | Ready to fire. | JTRIG OSO |
| CLEAN SWEEP | Masquerade Facebook Wall posts for individuals or entire countries. | Ready to fire (SIGINT sources required). | Tech Lead: █████████████; Expert User: |
| CLUMSY BEEKEEPER | Some work in progress to investigate IRC effects. | NOT READY TO FIRE. | Tech Lead: █████████████; Expert User: ████████ |
| CHINESE FIRECRACKER | Overt brute-force login attempts against online forums. | Ready to fire. | FIRECRACKER |
| CONCRETE DONKEY | The capability to scatter an audio message to a large number of telephones, or repeatedly bomb a target number with the same message. | In development. | ████████████ |
| DEER STALKER | Ability to aid geolocation of Sat Phones / GSM Phones via a silent call to the phone. | Ready to fire. | Tech Lead: █████████████; Expert User: ████████████████ |
| GATEWAY | Ability to artificially increase traffic to a website. | Ready to fire. | JTRIG OSO |
| GAMBIT | Deployable pocket-sized proxy server. | In development. | JTRIG OSO |
| GESTATOR | Amplification of a given message, normally video, on popular multimedia websites (YouTube). | | Tech Lead: ?; Expert User: ████████████████ |
| GLITTERBALL | Online Gaming Capabilities for Sensitive Operations. Currently Second Life. | In development. | |
| IMPERIAL BARGE | For connecting two target phones together in a call. | Tested. | Tech Lead: ████████████; Expert User: █████████ |
| PITBULL | Capability, under development, enabling large-scale delivery of a tailored message to users of Instant Messaging services. | In development. | |
| POISONED DAGGER | Effects against Gigatribe. Built by ICTR, deployed by JTRIG. | | Tech Lead: ████████████████ |
| PREDATORS FACE | Targeted Denial of Service against web servers. | | Tech Lead: ████████████████ |
| ROLLING THUNDER | Distributed denial of service using P2P. Built by ICTR, deployed by JTRIG. | | Tech Lead: ████████████████ |
| SCARLET EMPEROR | Targeted denial of service against targets' phones via call bombing. | Ready to fire. | JTRIG Software Developers |
| SCRAPHEAP CHALLENGE | Perfect spoofing of emails from BlackBerry targets. | Ready to fire, but see constraints. | ██████████████████████████ |
| SERPENTS TONGUE | For fax message broadcasting to multiple numbers. | In redevelopment. | Tech Lead: ████████████; Expert User: █████████ |
| SILENT MOVIE | Targeted denial of service against SSH services. | Ready to fire. | Tech Lead: ███████████████████ |
| SILVERBLADE | Reporting of extremist material on DAILYMOTION. | Ready to fire. | Tech Lead: ██████████; Expert User: █████████████ |
| SILVERFOX | List provided to industry of live extremist material files hosted on FFUs. | Ready to fire. | Tech Lead: ██████████; Expert User: █████████████ |
| SILVERLORD | Disruption of video-based websites hosting extremist content through concerted target discovery and content removal. | Ready to fire. | Tech Lead: ██████████; Expert User: █████████████ |
| SKYSCRAPER | Production and dissemination of multimedia via the web in the course of information operations. | Ready to fire. | Tech Lead: Section X; Expert Users: Language Team |
| SLIPSTREAM | Ability to inflate page views on websites. | Ready to fire. | JTRIG OSO |
| STEALTH MOOSE | A tool that will disrupt a target's Windows machine. Logs how long and when the effect is active. | Ready to fire (but see target restrictions). | Tech Lead: ██████████; Expert User: |
| SUNBLOCK | Ability to deny functionality to send/receive email or view material online. | Tested, but operational limitations. | Tech Lead: Section X; Expert User: ████████████████ |
| SWAMP DONKEY | A tool that will silently locate all predefined types of file and encrypt them on a target's machine. | Ready to fire (but see target restrictions). | Tech Lead: █████████████; Expert User: █████████████████ |
| TORNADO ALLEY | A delivery method (Excel spreadsheet) that can silently extract and run an executable on a target's machine. | Ready to fire (but see target restrictions). | Tech Lead: █████████████; Expert User: █████████████████ |
| UNDERPASS | Change outcome of online polls (previously known as NUBILO). | In development. | Tech Lead: Section X; Expert User: ████████████████ |
| VIPERS TONGUE | A tool that will silently deny service to calls on a Satellite Phone or a GSM Phone. | Ready to fire (but see target restrictions). | Tech Lead: Section X; Expert User: ████████████████ |
| WARPATH | Mass delivery of SMS messages to support an Information Operations campaign. | Ready to fire. | JTRIG OSO |

Work Flow Management

| Tool | Description | Contacts |
|---|---|---|
| HOME PORTAL | A central hub for all JTRIG Cerberus tools. | JTRIG Software Developers |
| CYBER COMMAND CONSOLE | A centralised suite of tools, statistics and viewers for tracking current operations across the Cyber community. | JTRIG Software Developers |
| NAMEJACKER | A web service and admin console for the translation of usernames between networks. For use with gateways and other such technologies. | JTRIG Software Developers |

Analysis Tools

| Tool | Description | Contacts |
|---|---|---|
| BABYLON | A tool that bulk queries web mail addresses and verifies whether they can be signed up for. A green tick indicates that the address is currently in use. Verification can currently be done for Hotmail and Yahoo. | JTRIG Software Developers |
| CRYOSTAT | A JTRIG tool that runs against data held in NEWPIN. It then displays this data in a chart to show links between targets. | JTRIG Software Developers |
| ELATE | A suite of tools for monitoring target use of the UK auction site eBay (www.ebay.co.uk). These tools are hosted on an Internet server, and results are retrieved by encrypted email. | JTRIG Software Developers |
| PRIMATE | A JTRIG tool that aims to provide the capability to identify trends in seized computer media data and metadata. | JTRIG Software Developers |
| JEDI | JTRIG will shortly be rolling out a JEDI pod to every desk of every member of an Intelligence Production Team. The challenge is to scale up to over 1,200 users whilst remaining agile, efficient and responsive to customer needs. | Tech Lead: ██████████; Expert User: █████████████ |
| JILES | A JTRIG bespoke web browser. | Tech Lead: ██████████; Expert User: |
| MIDDLEMAN | A distributed real-time event aggregation, tip-off and tasking platform utilised by JTRIG as a middleware layer. | JTRIG Software Developers |
| OUTWARD | A collection of DNS lookup, WHOIS lookup and other network tools. | JTRIG Software Developers |
| TANGLEFOOT | A bulk search tool which queries a set of online resources. This allows analysts to quickly check the online presence of a target. | JTRIG Software Developers |
| SCREAMING EAGLE | A tool that processes Kismet data into geolocation information. | |
| SLAMMER | A data index and repository that provides analysts with the ability to query data collected from the Internet from various JTRIG sources, such as EARTHLING, HACIENDA, web pages saved by analysts, etc. | JTRIG Software Developers |

Databases

| Tool | Description | Contacts |
|---|---|---|
| BYSTANDER | A categorisation database accessed via web service. | JTRIG Software Developers |
| CONDUIT | A database of C2C identifiers for Intelligence Community assets acting online, either under alias or in real name. | JTRIG Software Developers |
| NEWPIN | A database of C2C identifiers obtained from a variety of unique sources, and a suite of tools for exploring this data. | JTRIG Software Developers |
| QUINCY | An enterprise-level suite of tools for the exploitation of seized media. | Tech Lead: ███████; Expert User: ████████████████████ |

Forensic Exploitation

| Tool | Description | Contacts |
|---|---|---|
| BEARSCRAPE | Can extract WiFi connection history (MAC and timing) when supplied with a copy of the registry structure or run on the box. | Tech Lead: ████████; Expert User: |
| SFL | The Sigint Forensics Laboratory was developed within NSA. It has been adapted by JTRIG as its email extraction and first-pass analysis of seized media solution. | Tech Lead: ███████████████████████; Expert User: █████████████ |
| Snoopy | A tool to extract mobile phone data from a copy of the phone's memory (usually supplied as an image file extracted through FTK). | Tech Lead: ████████████ |
| MobileHoover | A tool to extract data from field forensics reports created by Celldek, Cellebrite, XRY, Snoopy and USIM Detective. These reports are transposed into a Newpin XML format to upload to Newpin. | Tech Lead: ███████████████████████ |
| Nevis | A tool developed by NTAC to search disk images for signs of possible encryption products. CMA have further developed this tool to look for signs of steganography. | Tech Lead: ███████████████████████ |

Techniques

| Tool | Description | Contacts |
|---|---|---|
| CHANGELING | Ability to spoof any email address and send email under that identity. | JTRIG OSO |
| HAVOK | Real-time website cloning techniques allowing on-the-fly alterations. | JTRIG OSO |
| MIRAGE | | JTRIG OSO |
| SHADOWCAT | End-to-end encrypted access to a VPS over SSH using the TOR network. | JTRIG OSO |
| SPACE ROCKET | A programme covering insertion of media into target networks. CRINKLE CUT is a tool developed by ICTR-CISA to enable JTRIG to track images as part of SPACE ROCKET. | Tech Lead: ███████████████████████; Expert User: |
| RANA | A system developed by ICTR-CISA providing CAPTCHA-solving via a web service on CERBERUS. This is intended for use by BUMPERCAR+ and possibly in future by SHORTFALL, but anyone is welcome to use it. | Tech Lead: ███████████████████████; Expert User: |
| LUMP | A system that finds the avatar name from a SecondLife AgentID. | JTRIG Software Developers |
| GURKHAS SWORD | Beaconed Microsoft Office documents to elicit a target's IP address. | JTRIG Software Developers |

Shaping and Honeypots

| Tool | Description | Contacts |
|---|---|---|
| DEADPOOL | URL shortening service. | JTRIG OSO |
| HUSK | Secure one-on-one web-based dead-drop messaging platform. | JTRIG OSO |
| LONGSHOT | File-upload and sharing website. | JTRIG OSO |
| MOLTEN-MAGMA | CGI HTTP proxy with ability to log all traffic and perform HTTPS Man-in-the-Middle. | JTRIG OSO |
| NIGHTCRAWLER | Public online group against dodgy websites. | JTRIG OSO |
| PISTRIX | Image hosting and sharing website. | JTRIG OSO |
| WURLITZER | Distribute a file to multiple file hosting websites. | █████████████████ |