JTRIG Tools and Techniques
July 14, 2014
This page was last modified on 5 July 2012, at 13:05. This page has been accessed 19,579 times.
All material is UK
TOP SECRET COMINT
The maximum classification allowed on GCWiki is TOP SECRET COMINT. Click to report inappropriate content.
For GCWiki help contact?Support page
JTRIG tools and techniques
(Redirected from JTRIG CITD - Covert Internet Technical Development)
Overview Contacts
JTRIG Capabilities
JTRIG tools
Contents
1 JTRIG tools
1.1 Understanding this page
1.2 Current Priorities
1.2.1 Engineering
1.2.2 Collection
1.2.3 Effects Capability
1.2.4 Work Flow Management
1.2.5 Analysis Tools
1.2.6 Databases
1.2.7 Forensic Exploitation
1.2.8 Techniques
1.2.9 Shaping and Honeypots
We don't update this page anymore, it became somewhat of a Chinese menu for effects operations. Information is now available for JTRIG staff at
Understanding this page
Tools and techniques are developed by various teams within JTRIG. We like to let people know when we have something that we think we can use, but we also don't want to oversell our capability.
For this reason, each tool indicates its current status. We may put up experimental tools or ones that are still in development so you know what we are working on, and can approach JTRIG with any new ideas. But experimental tools by their nature will be unreliable; if you raise expectations or make external commitments before speaking to us you will probably end up looking stupid.
Most of our tools are fully operational, tested and reliable. We will indicate when this is the case; however there can be reasons why our tools won't work for some operational requirements (e.g. if it exploits a provider specific vulnerability). There may also be legal restrictions.
So please come and speak to JTRIG operational staff early in your operational planning process.
Current Priorities
Capability Development Priorities can be found by following the link below
CapDev Priorities (Discover)
Engineering
Cerberus Statistics Collection
JTRIG RADIANT SPLENDOUR
ALLIUM ARCH
ASTRAL PROJECTION
TWILIGHT ARROW
SPICE ISLAND
POISON ARROW
FRUIT BOWL
NUT ALLERGY
BERRY TWISTER
BERRY
BRANDY SNAP
WIND FARM
CERBERUS
BOMBAYROLL
JAZZ FUSION
COUNTRY FILE
TECHNO VIKING
JAZZ
BUMBLEBEE DANCE
AIR BAG
EXPOW
AXLE GREASE
POD RACE
WATCHTOWER GCNET CERBERUS Export Gateway Interface System
CERBERUS GCNET Import Gateway Interface System
External Internet Redial and Monitor Daemon
REAPER
FOREST WARRIOR
DOG HANDLER
DIRTY DEVIL
Description
Collects on-going usage information about how many users utilise UIA capability, what sites are the most frequently visited etc. This is in order to provide JTRIG infrastructure and ITServices management information statistics.
is a 'Data Diode' connecting the CERBERUS network with GCNET
JTRIG UIA via the Tor network.
Remote GSM secure covert internet proxy using TOR hidden services.
Remote GSM secure covert internet proxy using VPN services.
new Infrastructure. FOREST WARRIOR, FRUIT BOWL, JAZZ FUSION and other JTRIG systems will form part of the SPICE ISLAND infrastructure
Safe Malware download capability.
CERBERUS UIA Replacement and new tools infrastructure Primary Domain for Generic User/Tools Access and TOR split into 3 sub-systems.
JTRIG Tor web browser - Sandbox IE replacement and FRUIT BOWL sub-system
A sub-system of FRUIT BOWL
A sub-system of FRUIT BOWL
JTRIG UIA contingency at Scarborough.
offsite facility.
legacy UIA desktop, soon to be replaced with FOREST WARRIOR.
legacy UIA standalone capability.
BOMBAY ROLL Replacement which will also incorporate new collectors - Primary Domain for Dedicated Connections split into 3 sub-systems.
A sub-system of JAZZ FUSION
A sub-system of JAZZ FUSION
A sub-system of JAZZ FUSION
JTRIG Operational architecture
JTRIG Laptop capability for field operations.
GCHQ's UIA capability provided by JTRIG.
The covert banking link for CPG
MS update farm
Desktop replacement for CERBERUS
development network
research network
Status
OPERATIONAL
OPERATIONAL
OPERATIONAL
OPERATIONAL
OPERATIONAL
DEV
DESIGN
DESIGN
Contacts
JTRIG Software Developers
JTRIG Software Developers
JTRIG Infrastructure Team
JTRIG Infrastructure Team
JTRIG Infrastructure Team
JTRIG Infrastructure Team
JTRIG Infrastructure Team
JTRIG Infrastructure Team
JTRIG Infrastructure Team
JTRIG Infrastructure Team
JTRIG Infrastructure Team
IMPLEMENTATION JTRIG Infrastructure Team
DESIGN
OPERATIONAL
OPERATIONAL
JTRIG Infrastructure Team
JTRIG Infrastructure Team
JTRIG Infrastructure Team
IMPLEMENTATION JTRIG Infrastructure Team
OPERATIONAL
DESIGN
DESIGN
OPERATIONAL
OPERATIONAL
OPERATIONAL
OPERATIONAL
DESIGN
OPERATIONAL
OPERATIONAL
OPERATIONAL
DESIGN
DESIGN
DESIGN
JTRIG Infrastructure Team
JTRIG Infrastructure Team
JTRIG Infrastructure Team
JTRIG Infrastructure Team
JTRIG Infrastructure Team
JTRIG Infrastructure Team
JTRIG Infrastructure Team
JTRIG Infrastructure Team
JTRIG Software Developers
JTRIG Software Developers
JTRIG Software Developers
JTRIG Infrastructure Team
JTRIG Infrastructure Team
JTRIG Infrastructure Team
Collection
Tool
AIRWOLF
ANCESTRY
BEARTRAP
BIRDSONG
BUGSY
DANCING BEAR
DEVILS HANDSHAKE
SNOUT
EXCALIBUR
FAT YAK
FUSEWIRE
GLASSBACK
GODFATHER
GOODFELLA
HACIENDA
ICE
INSPECTOR
LANDING PARTY
Description
YouTube profile, comment and video collection.
Tool for discovering the creation date of Yahoo selectors.
Bulk retrieval of public BEBO profiles from member or group ID.
Automated posting of Twitter updates.
Twitter monitoring and profile collection. Click here for the User Guide.
Google+ collection (circles, profiles etc.)
obtains the locations of WiFi access points.
ECI Data Technique.
Paltalk group chat collection.
acquires a Paltalk UID and/or email address from a Screen Name.
Public data collection from LinkedIn.
Provides 24/7 monitoring of vBulletin forums for target postings/online activity. Also allows staggered postings to be made.
Technique of getting a target's IP address by pretending to be a spammer and ringing them. Target does not need to answer.
Public data collection from Facebook.
Generic framework for public data collection from Online Social Networks.
is a port scanning tool designed to scan an entire country or city. It uses GEOFUSION to identify IP locations. Banners and content are pulled back on certain ports. Content is put into the EARTHLING database, and all other scanned data is sent to ONE and is available through GLOBAL SURGE and Fleximart.
is an advanced IP harvesting technique.
Tool for monitoring domain information and site availability.
Tool for auditing dissemination of VIKING PILLAGE data.
Status
Beta release.
Fully Operational.
Fully Operational.
Decommissioned. Replaced by SYLVESTER.
Fully Operational.
In early development.
Fully Operational.
Fully Operational.
Beta release.
Fully operational (against current Paltalk version)
In development
Fully operational.
Fully operational.
In Development (Supports RenRen and Xing).
Fully operational.
Fully Operational.
Fully Operational.
MINIATURE HERO: Active Skype capability. Provision of real time call records (SkypeOut and SkypetoSkype) and bidirectional instant messaging. Also contact lists.
MOUTH: Tool for collection for downloading a user's files from Archive.org.
MUSTANG: provides covert access to the locations of GSM cell towers.
PHOTON TORPEDO: A technique to actively grab the IP address of an MSN messenger user.
RESERVOIR: Facebook application allowing collection of various information.
SEBACIUM: An ICTR developed system to identify P2P file sharing activity of intelligence value. Logs are accessible via DIRTY RAT.
SILVER SPECTER: Allows batch Nmap scanning over TOR
SODAWATER: A tool for regularly downloading Gmail messages and forwarding them onto mailboxes
SPRING BISHOP: Find private photographs of targets on Facebook.
SYLVESTER: Framework for automated interaction alias management on online social networks.
TANNER: A technical programme allowing operators to log on to a JTRIG website to grab IP addresses of Internet Cafe's.
TRACER FIRE: An Office Document that grabs the targets Machine info, files, logs, etc and posts it back to GCHQ.
VIEWER: A programme that (hopefully) provides advance tip off of the kidnappers IP address for HMG personnel.
VIKING PILLAGE: Distributed network for the automatic collection of data from remotely hosted JTRIG projects.
TOP HAT: A version of the MUSTANG and DANCING BEAR techniques that allows us to pull back Cell Tower and WiFi locations targeted against particular areas.
Status
Fully operational, but note usage restrictions.
Fully Operational.
Fully Operational.
Operational, but usage restrictions.
Fully operational, but note operational restrictions.
In Development
Fully Operational.
In Development.
Replaced by HAVOK.
In Development.
Operational, but awaiting field
Operational
In development.
Effects Capability
JTRIG develop the majority of effects capability in GCHQ. A lot of this capability is developed on demand for specific operations and then further developed to provide weaponised capability.
Don't treat this like a catalogue. If you don't see it here, it doesn't mean we can't build it. If you involve the JTRIG operational teams at the start of your operation, you have more of a chance that we will build something for you.
For each of our tools we have indicated the state of the tool. We only advertise tools here that are either ready to fire or very close to being ready (operational requirements would re-prioritise our development). Once again, involve the JTRIG operational teams early.
Tool
ANGRY PIRATE
ARSON SAM
BOMB BAY
BADGER
BURLESQUE
CANNONBALL
CLEAN SWEEP
CLUMSY BEEKEEPER
CHINESE FIRECRACKER
CONCRETE DONKEY
DEER STALKER
GATEWAY
GAMBIT
GESTATOR
GLITTERBALL
IMPERIAL BARGE
PITBULL
POISONED DAGGER
Description
is a tool that will permanently disable a target's account on their computer.
is a tool to test the effect of certain types of PDU SMS messages on phones network. It also includes PDU SMS Dumb Fuzz testing.
is an automated system developed by JTRIG CITD to support JTRIG BUMPERCAR operations. BUMPERCAR operations are used to disrupt and deny Internet-based terror videos or other material. The technique employs the services provided by upload providers to report offensive materials.
is the capability to increase website hits/rankings.
mass delivery of email messaging to support an Information Operations campaign
is the capability to send spoofed SMS text messages.
is the capability to send repeated text messages to a single target.
Masquerade Facebook Wall Posts for individuals or entire countries
Some work in progress to investigate IRC effects.
Overt brute login attempts against online forums
is the capability to scatter an audio message to a large number of telephones, or repeatedly bomb a target number with the same message.
Ability to aid-geolocation of Sat Phones GSM Phones via a silent calling to the phone.
Ability to artificially increase traffic to a website
Deployable pocket-sized proxy server
amplification of a given message, normally video, on popular multimedia websites (YouTube).
Online Gaming Capabilities for Sensitive Operations. Currently Second Life.
For connecting two target phones together in a call.
Capability, under development, enabling large scale delivery of a tailored message to users of Instant Messaging services.
Effects against Gigatribe. Built by ICTR, deployed by JTRIG.
Status
Ready to fire (but see target restrictions).
Ready to fire (Not against live targets this is a Tool).
Ready to fire.
In Development.
Ready to fire.
Ready to fire.
Ready to fire.
Ready to fire (SIGINT sources required)
NOT READY TO FIRE.
Ready to fire.
In development.
Ready to fire.
Ready to fire.
In-development
In development.
Tested.
In development.
PREDATORS FACE: Targeted Denial Of Service against Web Servers.
ROLLING THUNDER: Distributed denial of service using P2P. Built by ICTR, deployed by JTRIG.
SCARLET EMPEROR: Targeted denial of service against targets phones via call bombing. Status: Ready to fire.
SCRAPHEAP CHALLENGE: Perfect spoofing of emails from Blackberry targets. Status: Ready to fire, see constraints.
SERPENTS TONGUE: for fax message broadcasting to multiple numbers. Status: In redevelopment.
SILENT MOVIE: Targeted denial of service against SSH services. Status: Ready to fire.
SILVERBLADE: Reporting of extremist material on DAILYMOTION. Status: Ready to fire.
SILVERFOX: List provided to industry of live extremist material files hosted on FFUs. Status: Ready to fire.
SILVERLORD: Disruption of video-based websites hosting extremist content through concerted target discovery and content removal. Status: Ready to fire.
Production and dissemination of multimedia via the web in the course of information operations. Status: Ready to fire.
SLIPSTREAM: Ability to inflate page views on websites. Status: Ready to fire.
STEALTH MOOSE: is a tool that will Disrupt target's Windows machine. Logs of how long and when the effect is active. Status: Ready to fire (but see target restrictions).
SUNBLOCK: Ability to deny functionality to send/receive email or view material online. Status: Tested, but operational limitations.
SWAMP DONKEY: is a tool that will silently locate all predefined types of file and them on a targets machine. Status: Ready to fire (but see target restrictions).
TORNADO ALLEY: is a delivery method (Excel Spreadsheet) that can silently extract and run an executable on a target's machine. Status: Ready to fire (but see target restrictions).
UNDERPASS: Change outcome of online polls (previously known as NUBILO). Status: In development.
VIPERS TONGUE: is a tool that will silently Denial of Service calls on a Satellite Phone or a GSM Phone. Status: Ready to fire (but see target restrictions).
WARPATH: Mass delivery of SMS messages to support an Information Operations campaign. Status: Ready to fire.
Work Flow Management
Tool: Description
HOME PORTAL: A central hub for all JTRIG Cerberus tools
CYBER COMMAND CONSOLE: A centralised suite of tools, statistics and viewers for tracking current operations across the Cyber community.
NAMEJACKER: A web service and admin console for the translation of usernames between networks. For use with gateways and other such technologies.
Analysis Tools
Tool: Description
BABYLON: is a tool that bulk queries web mail addresses and verifies whether they can be signed up for. A green tick indicates that the address is currently in use. Verification can currently be done for Hotmail and Yahoo.
CRYOSIAT: is a JTRIG tool that runs against data held in NEWPIN. It then displays this data in a chart to show links between targets.
ELATE: is a suite of tools for monitoring target use of the UK auction site eBay (www.ebay.co.uk). These tools are hosted on an Internet server, and results are retrieved by email.
PRIMATE: is a JTRIG tool that aims to provide the capability to identify trends in seized computer media data and metadata.
JEDI: JTRIG will shortly be rolling out a JEDI pod to every desk of every member of an Intelligence Production Team. The challenge is to scale up to over 1,200 users whilst remaining agile, efficient and responsive to customer needs.
JILES: is bespoke web browser.
MIDDLEMAN: is a distributed real time event aggregation, tip off and tasking platform utilised by JTRIG as a middleware layer.
OUTWARD: is a collection of DNS lookup, WHOIS Lookup and other network tools.
TANGLEFOOT: is a bulk search tool which queries a set of online resources. This allows to quickly check the online presence of a target.
SLAMMER: is a data index and repository that provides with the ability to query data collected from the Internet from various JTRIG sources, such as EARTHLING, HACIENDA, web pages saved by etc.
[edit] Databases
Tool Description Contacts
BYSTANDER is a categorisation database accessed via web service. Software Developers
CONDUIT is a database of C2C identifiers for Intelligence Community assets acting online either under alias or in real name. Software Developers
NEWPIN is a database of C2C identifiers obtained from a variety of unique sources, and a suite of tools for exploring this data. Software Developers
QUINCY is an enterprise level suite of tools for the exploitation of seized media. [Tech Lead: Expert Users:]
[edit] Forensic Exploitation
Tool Description Contacts
BEARSCRAPE can extract WiFi connection history (MAC and timing) when supplied with a copy of the registry structure or run on the box. [Tech Lead: Expert User:]
SFL The Sigint Forensics Laboratory was developed within NSA. It has been adapted by JTRIG as its email extraction and first-pass analysis of seized media solution. [Tech Lead: Expert User:]
Snoopy is a tool to extract mobile phone data from a copy of the phone's memory (usually supplied as an image file extracted through FTK). [Tech Lead:]
MobileHoover is a tool to extract data from field forensics' reports created by Celldek, Cellebrite, XRY, Snoopy and USIM detective. These reports are transposed into a Newpin XML format to upload to Newpin. [Tech Lead:]
News is a tool developed by NTAC to search disk images for signs of possible products. CMA have further developed this tool to look for signs of Steganography. [Tech Lead:]
[edit] Techniques
Tool Description Contacts
CHANGELING Ability to spoof any email address and send email under that identity JTRIG 0'30
HAVOK Real-time website cloning technique allowing on-the-fly alterations 0'30
MIRAGE 0'30
SHADOWCAT End-to-End access to a VPS over SSH using the TOR network JTRIG 0'30
SPACE ROCKET is a programme covering insertion of media into target networks. CRINKLE CUT is a tool developed by ICTR-CISA to enable JTRIG to track images as part of SPACE ROCKET. [Tech Lead:]
RAMA is a system developed by ICTR Clo CAPTCHA via a web service on CERBERUS. This is intended for use by and possibly in future by SHORTFALL but anyone is welcome to use it. [Tech Lead: Expert User:]
LUMP A system that finds the avatar name from a SecondLife AgentID JTRIG Software Developers
GURKHAS SWORD Beaconed Microsoft Office Documents to elicit a target's IP address. JTRIG Software
[edit] Shaping and Honeypots
Tool Description Contacts
DEADPOOL URL shortening service JTRIG 0'30
HUSK Secure one-to-one web based dead-drop messaging platform 0'30
LONGSHOT File-upload and sharing website 0'30
MOLTEN-MAGMA CGI HTTP Proxy with ability to log all traffic and perform Man in the Middle. JTRIG Software Developers
Public online group against dodgy websites 0'30
PISTRIX Image hosting and sharing website JTRIG 030
WURLITZER Distribute a file to multiple file hosting websites.
Category: JTRIG
[Crown Copyright] 2008 or is held under licence from third parties. This information is exempt under the Freedom of Information Act and may be exempt under other UK information legislation. Refer any FOIA queries to GCHQ on?