JTRIG Tools and Techniques

A transcription of the catalog of exploit tools posted on The Intercept.

JTRIG tools

We don’t update this page anymore; it became somewhat of a
Chinese menu for effects operations. Information is now available for
JTRIG staff at [1]

Understanding this page

Tools and techniques are developed by various teams within JTRIG. We
like to let people know when we have something that we think we can
use, but we also don’t want to oversell our capability.

For this reason, each tool indicates its current status. We may put
up experimental tools or ones that are still in development so you
know what we are working on, and can approach JTRIG with any new
ideas. But experimental tools by their nature will be unreliable; if
you raise expectations or make external commitments before speaking
to us you will probably end up looking stupid.

Most of our tools are fully operational, tested and reliable. We will
indicate when this is the case; however, there can be reasons why our
tools won’t work for some operational requirements (e.g. if it
exploits a provider-specific vulnerability). There may also be legal
restrictions.

So please come and speak to JTRIG operational staff early in your
operational planning process.

Engineering

Cerberus Statistics Collection
  Description: Collects on-going usage information about how many users utilise JTRIG’s UIA capability, what sites are the most frequently visited etc. This is in order to provide JTRIG infrastructure and ITServices management information statistics.
  Status: OPERATIONAL
  Contacts: JTRIG Software Developers

JTRIG RADIANT SPLENDOUR
  Description: A ‘Data Diode’ connecting the CERBERUS network with GCNET.
  Status: OPERATIONAL
  Contacts: JTRIG Software Developers

ALLIUM ARCH
  Description: JTRIG UIA via the Tor network.
  Status: OPERATIONAL
  Contacts: JTRIG Infrastructure Team

ASTRAL PROJECTION
  Description: Remote GSM secure covert internet proxy using TOR hidden services.
  Status: OPERATIONAL
  Contacts: JTRIG Infrastructure Team

TWILIGHT ARROW
  Description: Remote GSM secure covert internet proxy using VPN services.
  Status: OPERATIONAL
  Contacts: JTRIG Infrastructure Team

SPICE ISLAND
  Description: JTRIG’s new Infrastructure. FOREST WARRIOR, FRUIT BOWL, JAZZ FUSION and other JTRIG systems will form part of the SPICE ISLAND infrastructure.
  Status: DEV
  Contacts: JTRIG Infrastructure Team

POISON ARROW
  Description: Safe Malware download capability.
  Status: DESIGN
  Contacts: JTRIG Infrastructure Team

FRUIT BOWL
  Description: CERBERUS UIA Replacement and new tools infrastructure – Primary Domain for Generic User/Tools Access and TOR split into 3 sub-systems.
  Status: DESIGN
  Contacts: JTRIG Infrastructure Team

NUT ALLERGY
  Description: JTRIG Tor web browser – Sandbox IE replacement and FRUIT BOWL sub-system.
  Status: PILOT
  Contacts: JTRIG Infrastructure Team

BERRY TWISTER
  Description: A sub-system of FRUIT BOWL.
  Status: PILOT
  Contacts: JTRIG Infrastructure Team

BERRY TWISTER+
  Description: A sub-system of FRUIT BOWL.
  Status: PILOT
  Contacts: JTRIG Infrastructure Team

BRANDY SNAP
  Description: JTRIG UIA contingency at Scarborough.
  Status: IMPLEMENTATION
  Contacts: JTRIG Infrastructure Team

WIND FARM
  Description: R&D offsite facility.
  Status: DESIGN
  Contacts: JTRIG Infrastructure Team

CERBERUS
  Description: JTRIG’s legacy UIA desktop, soon to be replaced with FOREST WARRIOR.
  Status: OPERATIONAL
  Contacts: JTRIG Infrastructure Team

BOMBAYROLL
  Description: JTRIG’s legacy UIA standalone capability.
  Status: OPERATIONAL
  Contacts: JTRIG Infrastructure Team

JAZZ FUSION
  Description: BOMBAY ROLL Replacement which will also incorporate new collectors – Primary Domain for Dedicated Connections split into 3 sub-systems.
  Status: IMPLEMENTATION
  Contacts: JTRIG Infrastructure Team

COUNTRY FILE
  Description: A sub-system of JAZZ FUSION.
  Status: OPERATIONAL
  Contacts: JTRIG Infrastructure Team

TECHNO VIKING
  Description: A sub-system of JAZZ FUSION.
  Status: DESIGN
  Contacts: JTRIG Infrastructure Team

JAZZ FUSION+
  Description: A sub-system of JAZZ FUSION.
  Status: DESIGN
  Contacts: JTRIG Infrastructure Team

BUMBLEBEE DANCE
  Description: JTRIG Operational VM/TOR architecture.
  Status: OPERATIONAL
  Contacts: JTRIG Infrastructure Team

AIR BAG
  Description: JTRIG Laptop capability for field operations.
  Status: OPERATIONAL
  Contacts: JTRIG Infrastructure Team

EXPOW
  Description: GCHQ’s UIA capability provided by JTRIG.
  Status: OPERATIONAL
  Contacts: JTRIG Infrastructure Team

AXLE GREASE
  Description: The covert banking link for CPG.
  Status: OPERATIONAL
  Contacts: JTRIG Infrastructure Team

POD RACE
  Description: JTRIG’s MS update farm.
  Status: DESIGN
  Contacts: JTRIG Infrastructure Team

WATCHTOWER
  Description: GCNET -> CERBERUS Export Gateway Interface System.
  Status: OPERATIONAL
  Contacts: JTRIG Software Developers

REAPER
  Description: CERBERUS -> GCNET Import Gateway Interface System.
  Status: OPERATIONAL
  Contacts: JTRIG Software Developers

DIALd
  Description: External Internet Redial and Monitor Daemon.
  Status: OPERATIONAL
  Contacts: JTRIG Software Developers

FOREST WARRIOR
  Description: Desktop replacement for CERBERUS.
  Status: DESIGN
  Contacts: JTRIG Infrastructure Team

DOG HANDLER
  Description: JTRIG’s development network.
  Status: DESIGN
  Contacts: JTRIG Infrastructure Team

DIRTY DEVIL
  Description: JTRIG’s research network.
  Status: DESIGN
  Contacts: JTRIG Infrastructure Team


Collection

AIRWOLF
  Description: YouTube profile, comment and video collection.
  Contacts: ████████
  Status: Beta release.

ANCESTRY
  Description: Tool for discovering the creation date of yahoo selectors.
  Contacts: JTRIG Software Developers
  Status: Fully Operational.

BEARTRAP
  Description: Bulk retrieval of public BEBO profiles from member or group ID.
  Contacts: JTRIG Software Developers
  Status: Fully Operational.

BIRDSONG
  Description: Automated posting of Twitter updates.
  Contacts: JTRIG Software Developers
  Status: Decommissioned. Replaced by SYLVESTER.

BIRDSTRIKE
  Description: Twitter monitoring and profile collection. Click here for the User Guide.
  Contacts: JTRIG Software Developers
  Status: Fully Operational.

BUGSY
  Description: Google+ collection (circles, profiles etc.)
  Contacts: Tech Leads: █████████████
  Status: In early development.

DANCING BEAR
  Description: Obtains the locations of WiFi access points.
  Contacts: [Tech Lead: ███████ Expert User: █████████████
  Status: Fully Operational.

DEVIL’S HANDSHAKE
  Description: ECI Data Technique.
  Contacts: [Tech Lead: ███████ Expert User: █████████████
  Status: Fully Operational.

DRAGON’S SNOUT
  Description: Paltalk group chat collection.
  Contacts: Tech Leads: ████████████████████████████████
  Status: Beta release.

EXCALIBUR
  Description: Acquires a Paltalk UID and/or email address from a Screen Name.
  Contacts: JTRIG Software Developers
  Status: Fully Operational (against current Paltalk version).

FATYAK
  Description: Public data collection from LinkedIn.
  Contacts: [Tech Lead: ████████████████
  Status: In Development.

FUSEWIRE
  Description: Provides 24/7 monitoring of vBulletin forums for target postings/online activity. Also allows staggered postings to be made.
  Contacts: JTRIG Software Developers
  Status: (blank)

GLASSBACK
  Description: Technique of getting a target’s IP address by pretending to be a spammer and ringing them. Target does not need to answer.
  Contacts: JTRIG Software Developers
  Status: Fully Operational.

GODFATHER
  Description: Public data collection from Facebook.
  Contacts: [Tech Lead: ████████████████
  Status: Fully Operational.

GOODFELLA
  Description: Generic framework for public data collection from Online Social Networks.
  Contacts: [Tech Lead: ████████████████
  Status: In Development (Supports RenRen and Xing).

HACIENDA
  Description: A port scanning tool designed to scan an entire country or city. It uses GEOFUSION to identify IP locations. Banners and content are pulled back on certain ports. Content is put into the EARTHLING database, and all other scanned data is sent to GNE and is available through GLOBAL SURGE and Fleximart.
  Contacts: NAC HACIENDA Taskers
  Status: Fully Operational.

ICE
  Description: An advanced IP harvesting technique.
  Contacts: JTRIG Software Developers
  Status: (blank)

INSPECTOR
  Description: Tool for monitoring domain information and site availability.
  Contacts: JTRIG Software Developers
  Status: Fully Operational.

LANDING PARTY
  Description: Tool for auditing dissemination of VIKING PILLAGE data.
  Contacts: JTRIG Software Developers
  Status: Fully Operational.

MINIATURE HERO
  Description: Active skype capability. Provision of real time call records (SkypeOut and SkypetoSkype) and bidirectional instant messaging. Also contact lists.
  Contacts: JTRIG Software Developers
  Status: Fully operational, but note usage restrictions.

MOUTH
  Description: Collection tool for downloading a user’s files from Archive.org.
  Contacts: JTRIG Software Developers
  Status: Fully Operational.

MUSTANG
  Description: Provides covert access to the locations of GSM cell towers.
  Contacts: [Tech Lead: ███████ Expert User: █████████████
  Status: Fully Operational.

PHOTON TORPEDO
  Description: A technique to actively grab the IP address of an MSN messenger user.
  Contacts: Tech Lead: █████████████
  Status: Operational, but usage restrictions.

RESERVOIR
  Description: Facebook application allowing collection of various information.
  Contacts: JTRIG Software Developers
  Status: Fully operational, but note operational restrictions.

SEBACIUM
  Description: An ICTR developed system to identify P2P file sharing activity of intelligence value. Logs are accessible via DIRTY RAT.
  Contacts: [Tech Lead: ███████ Expert User: █████████████
  Status: (blank)

SILVER SPECTER
  Description: Allows batch Nmap scanning over Tor.
  Contacts: JTRIG Software Developers
  Status: In Development.

SODAWATER
  Description: A tool for regularly downloading gmail messages and forwarding them onto CERBERUS mailboxes.
  Contacts: JTRIG Software Developers
  Status: Fully Operational.

SPRING BISHOP
  Description: Find private photographs of targets on Facebook.
  Contacts: Tech Lead: ████████████████████████
  Status: (blank)

SYLVESTER
  Description: Framework for automated interaction / alias management on online social networks.
  Contacts: Tech Lead: ████████████████████████
  Status: In Development.

TANNER
  Description: A technical programme allowing operators to log on to a JTRIG website to grab IP addresses of Internet Cafes.
  Contacts: JTRIG OSO
  Status: Replaced by HAVOK.

TRACER FIRE
  Description: An Office Document that grabs the target’s Machine info, files, logs, etc. and posts it back to GCHQ.
  Contacts: █████████████ TRACER FIRE JTRIG
  Status: In Development.

VIEWER
  Description: A programme that (hopefully) provides advance tip-off of the kidnappers’ IP address for HMG personnel.
  Contacts: (blank)
  Status: Operational, but awaiting field trial.

VIKING PILLAGE
  Description: Distributed network for the automatic collection of encrypted/compressed data from remotely hosted JTRIG projects.
  Contacts: PILLAGE JTRIG Software Developers
  Status: Operational.

TOP HAT
  Description: A version of the MUSTANG and DANCING BEAR techniques that allows us to pull back Cell Tower and WiFi locations targeted against particular areas.
  Contacts: [Tech Lead: ████████████████████████
  Status: In Development.


Effects Capability

JTRIG develop the majority of effects capability in GCHQ. A lot of
this capability is developed on demand for specific operations and
then further developed to provide weaponised capability.

Don’t treat this like a catalogue. If you don’t see it
here, it doesn’t mean we can’t build it. If you involve
the JTRIG operational teams at the start of your operation, you have
more of a chance that we will build something for you.

For each of our tools we have indicated the state of the tool. We
only advertise tools here that are either ready to fire or very close
to being ready (operational requirements would re-prioritise our
development). Once again, involve the JTRIG operational teams early.

ANGRY PIRATE
  Description: A tool that will permanently disable a target’s account on their computer.
  Status: Ready to fire (but see target restrictions).
  Contacts: [Tech Lead: █████████████ Expert User: ████████

ARSON SAM
  Description: A tool to test the effect of certain types of PDU SMS messages on phones / network. It also includes PDU SMS Dumb Fuzz testing.
  Status: Ready to fire (Not against live targets, this is an R&D Tool).
  Contacts: [Tech Lead: █████████████ Expert User:]

BUMPERCAR+
  Description: An automated system developed by JTRIG CITD to support JTRIG BUMPERCAR operations. BUMPERCAR operations are used to disrupt and deny Internet-based terror videos or other materials. The technique employs the services provided by upload providers to report offensive materials.
  Status: Ready to fire.
  Contacts: JTRIG Software Developers

BOMB BAY
  Description: The capability to increase website hits/rankings.
  Status: In Development.
  Contacts: [Tech Lead: █████████████

BADGER
  Description: Mass delivery of email messaging to support an Information Operations campaign.
  Status: Ready to fire.
  Contacts: JTRIG OSO

BURLESQUE
  Description: The capability to send spoofed SMS text messages.
  Status: Ready to fire.
  Contacts: JTRIG OSO

CANNONBALL
  Description: The capability to send repeated text messages to a single target.
  Status: Ready to fire.
  Contacts: JTRIG OSO

CLEAN SWEEP
  Description: Masquerade Facebook Wall Posts for individuals or entire countries.
  Status: Ready to fire (SIGINT sources required).
  Contacts: [Tech Lead: █████████████ Expert User:

CLUMSY BEEKEEPER
  Description: Some work in progress to investigate IRC effects.
  Status: NOT READY TO FIRE.
  Contacts: [Tech Lead: █████████████ Expert User: ████████

CHINESE FIRECRACKER
  Description: Overt brute login attempts against online forums.
  Status: Ready to fire.
  Contacts: FIRECRACKER

CONCRETE DONKEY
  Description: The capability to scatter an audio message to a large number of telephones, or repeatedly bomb a target number with the same message.
  Status: In development.
  Contacts: ████████████

DEER STALKER
  Description: Ability to aid geolocation of Sat Phones / GSM Phones via a silent calling to the phone.
  Status: Ready to fire.
  Contacts: [Tech Lead: █████████████ Expert User: ████████████████

GATEWAY
  Description: Ability to artificially increase traffic to a website.
  Status: Ready to fire.
  Contacts: JTRIG OSO

GAMBIT
  Description: Deployable pocket-sized proxy server.
  Status: In development.
  Contacts: JTRIG OSO

GESTATOR
  Description: Amplification of a given message, normally video, on popular multimedia websites (Youtube).
  Status: (blank)
  Contacts: [Tech Lead: ?, Expert User: ████████████████

GLITTERBALL
  Description: Online Gaming Capabilities for Sensitive Operations. Currently Second Life.
  Status: In development.
  Contacts: (blank)

IMPERIAL BARGE
  Description: For connecting two target phones together in a call.
  Status: Tested.
  Contacts: [Tech Lead: ████████████ Expert User: █████████

PITBULL
  Description: Capability, under development, enabling large scale delivery of a tailored message to users of Instant Messaging services.
  Status: In development.
  Contacts: (blank)

POISONED DAGGER
  Description: Effects against Gigatribe. Built by ICTR, deployed by JTRIG.
  Status: (blank)
  Contacts: Tech Lead: ████████████████

PREDATORS FACE
  Description: Targeted Denial Of Service against Web Servers.
  Status: (blank)
  Contacts: Tech Lead: ████████████████

ROLLING THUNDER
  Description: Distributed denial of service using P2P. Built by ICTR, deployed by JTRIG.
  Status: (blank)
  Contacts: Tech Lead: ████████████████

SCARLET EMPEROR
  Description: Targeted denial of service against targets’ phones via call bombing.
  Status: Ready to fire.
  Contacts: JTRIG Software Developers

SCRAPHEAP CHALLENGE
  Description: Perfect spoofing of emails from Blackberry targets.
  Status: Ready to fire, but see constraints.
  Contacts: ██████████████████████████

SERPENTS TONGUE
  Description: For fax message broadcasting to multiple numbers.
  Status: In redevelopment.
  Contacts: [Tech Lead: ████████████ Expert User: █████████

SILENT MOVIE
  Description: Targeted denial of service against SSH services.
  Status: Ready to fire.
  Contacts: Tech Lead: ███████████████████

SILVERBLADE
  Description: Reporting of extremist material on DAILYMOTION.
  Status: Ready to fire.
  Contacts: [Tech Lead: ██████████ Expert User: █████████████

SILVERFOX
  Description: List provided to industry of live extremist material files hosted on FFUs.
  Status: Ready to fire.
  Contacts: [Tech Lead: ██████████ Expert User: █████████████

SILVERLORD
  Description: Disruption of video-based websites hosting extremist content through concerted target discovery and content removal.
  Status: Ready to fire.
  Contacts: [Tech Lead: ██████████ Expert User: █████████████

SKYSCRAPER
  Description: Production and dissemination of multimedia via the web in the course of information operations.
  Status: Ready to fire.
  Contacts: [Tech Lead: Section X; Expert Users: Language Team]

SLIPSTREAM
  Description: Ability to inflate page views on websites.
  Status: Ready to fire.
  Contacts: JTRIG OSO

STEALTH MOOSE
  Description: A tool that will disrupt a target’s Windows machine. Logs of how long and when the effect is active.
  Status: Ready to fire (but see target restrictions).
  Contacts: [Tech Lead: ██████████ Expert User: ]

SUNBLOCK
  Description: Ability to deny functionality to send/receive email or view material online.
  Status: Tested, but operational limitations.
  Contacts: [Tech Lead: Section X; Expert User ████████████████

Swamp donkey
  Description: A tool that will silently locate all predefined types of file and encrypt them on a target’s machine.
  Status: Ready to fire (but see target restrictions).
  Contacts: [Tech Lead: █████████████ Expert User: █████████████████

TORNADO ALLEY
  Description: A delivery method (Excel Spreadsheet) that can silently extract and run an executable on a target’s machine.
  Status: Ready to fire (but see target restrictions).
  Contacts: [Tech Lead: █████████████ Expert User: █████████████████

UNDERPASS
  Description: Change outcome of online polls (previously known as NUBILO).
  Status: In development.
  Contacts: [Tech Lead: Section X; Expert User ████████████████

VIPERS TONGUE
  Description: A tool that will silently deny service to calls on a Satellite Phone or a GSM Phone.
  Status: Ready to fire (but see target restrictions).
  Contacts: [Tech Lead: Section X; Expert User ████████████████

WARPATH
  Description: Mass delivery of SMS messages to support an Information Operations campaign.
  Status: Ready to fire.
  Contacts: JTRIG OSO


Work Flow Management

HOME PORTAL
  Description: A central hub for all JTRIG Cerberus Tools.
  Contacts: JTRIG Software Developers

CYBER COMMAND CONSOLE
  Description: A centralised suite of tools, statistics and viewers for tracking current operations across the Cyber community.
  Contacts: JTRIG Software Developers

NAMEJACKER
  Description: A web service and admin console for the translation of usernames between networks. For use with gateways and other such technologies.
  Contacts: JTRIG Software Developers


Analysis Tools

BABYLON
  Description: A tool that bulk queries web mail addresses and verifies whether they can be signed up for. A green tick indicates that the address is currently in use. Verification can currently be done for Hotmail and Yahoo.
  Contacts: JTRIG Software Developers

CRYOSTAT
  Description: A JTRIG tool that runs against data held in NEWPIN. It then displays this data in a chart to show links between targets.
  Contacts: JTRIG Software Developers

ELATE
  Description: A suite of tools for monitoring target use of the UK auction site eBay (www.ebay.co.uk). These tools are hosted on an Internet server, and results are retrieved by encrypted email.
  Contacts: JTRIG Software Developers

PRIMATE
  Description: A JTRIG tool that aims to provide the capability to identify trends in seized computer media data and metadata.
  Contacts: JTRIG Software Developers

JEDI
  Description: JTRIG will shortly be rolling out a JEDI pod to every desk of every member of an Intelligence Production Team. The challenge is to scale up to over 1,200 users whilst remaining agile, efficient and responsive to customer needs.
  Contacts: [Tech Lead: ██████████ Expert User: █████████████

JILES
  Description: A JTRIG bespoke web browser.
  Contacts: [Tech Lead: ██████████ Expert User: ]

MIDDLEMAN
  Description: A distributed real-time event aggregation, tip-off and tasking platform utilised by JTRIG as a middleware layer.
  Contacts: JTRIG Software Developers

OUTWARD
  Description: A collection of DNS lookup, WHOIS Lookup and other network tools.
  Contacts: JTRIG Software Developers

TANGLEFOOT
  Description: A bulk search tool which queries a set of online resources. This allows analysts to quickly check the online presence of a target.
  Contacts: JTRIG Software Developers

SCREAMING EAGLE
  Description: A tool that processes kismet data into geolocation information.
  Contacts: (blank)

SLAMMER
  Description: A data index and repository that provides analysts with the ability to query data collected from the Internet from various JTRIG sources, such as EARTHLING, HACIENDA, web pages saved by analysts etc.
  Contacts: JTRIG Software Developers


Databases

BYSTANDER
  Description: A categorisation database accessed via web service.
  Contacts: JTRIG Software Developers

CONDUIT
  Description: A database of C2C identifiers for Intelligence Community assets acting online, either under alias or in real name.
  Contacts: JTRIG Software Developers

NEWPIN
  Description: A database of C2C identifiers obtained from a variety of unique sources, and a suite of tools for exploring this data.
  Contacts: JTRIG Software Developers

QUINCY
  Description: An enterprise level suite of tools for the exploitation of seized media.
  Contacts: [Tech Lead: ███████ Expert User: ████████████████████


Forensic Exploitation

BEARSCRAPE
  Description: Can extract WiFi connection history (MAC and timing) when supplied with a copy of the registry structure or run on the box.
  Contacts: [Tech Lead: ████████ Expert User: ]

SFL
  Description: The Sigint Forensics Laboratory was developed within NSA. It has been adapted by JTRIG as its email extraction and first-pass analysis of seized media solution.
  Contacts: [Tech Lead: ███████████████████████ Expert User: █████████████

Snoopy
  Description: A tool to extract mobile phone data from a copy of the phone’s memory (usually supplied as an image file extracted through FTK).
  Contacts: [Tech Lead: ████████████

MobileHoover
  Description: A tool to extract data from field forensics’ reports created by Celldek, Cellebrite, XRY, Snoopy and USIM detective. These reports are transposed into a Newpin XML format to upload to Newpin.
  Contacts: [Tech Lead: ███████████████████████

Nevis
  Description: A tool developed by NTAC to search disk images for signs of possible Encryption products. CMA have further developed this tool to look for signs of Steganography.
  Contacts: [Tech Lead: ███████████████████████


Techniques

CHANGELING
  Description: Ability to spoof any email address and send email under that identity.
  Contacts: JTRIG OSO

HAVOK
  Description: Real-time website cloning techniques allowing on-the-fly alterations.
  Contacts: JTRIG OSO

MIRAGE
  Description: (blank)
  Contacts: JTRIG OSO

SHADOWCAT
  Description: End-to-End encrypted access to a VPS over SSH using the TOR network.
  Contacts: JTRIG OSO

SPACE ROCKET
  Description: A programme covering insertion of media into target networks. CRINKLE CUT is a tool developed by ICTR-CISA to enable JTRIG to track images as part of SPACE ROCKET.
  Contacts: Tech Lead: ███████████████████████ Expert User:

RANA
  Description: A system developed by ICTR-CISA providing CAPTCHA-solving via a web service on CERBERUS. This is intended for use by BUMPERCAR+ and possibly in future by SHORTFALL but anyone is welcome to use it.
  Contacts: Tech Lead: ███████████████████████ Expert User:

LUMP
  Description: A system that finds the avatar name from a SecondLife AgentID.
  Contacts: JTRIG Software Developers

GURKHAS SWORD
  Description: Beaconed Microsoft Office Documents to elicit a target’s IP address.
  Contacts: JTRIG Software Developers


Shaping and Honeypots

DEADPOOL
  Description: URL shortening service.
  Contacts: JTRIG OSO

HUSK
  Description: Secure one-on-one web based dead-drop messaging platform.
  Contacts: JTRIG OSO

LONGSHOT
  Description: File-upload and sharing website.
  Contacts: JTRIG OSO

MOLTEN-MAGMA
  Description: CGI HTTP Proxy with ability to log all traffic and perform HTTPS Man in the Middle.
  Contacts: JTRIG OSO

NIGHTCRAWLER
  Description: Public online group against dodgy websites.
  Contacts: JTRIG OSO

PISTRIX
  Description: Image hosting and sharing website.
  Contacts: JTRIG OSO

WURLITZER
  Description: Distribute a file to multiple file hosting websites.
  Contacts: █████████████████

