Skip to main content

Leaked documents from JTRIG (the Joint Threat Research Intelligence Group) show that GCHQ’s operations are not only bigger, more invasive and more manipulative than previously realised, but also that they name their tools and techniques after films, TV shows and even genres of music.

A recent article by Tom Coburg of UndercoverInfo alerted me to the existence of these documents, which confirm a trend seen previously in GCHQ’s mass surveillance of internet radio, where operations were codenamed Blazing Saddles and Karma Police.  One of the leaked documents is a 2011 Top Secret report on how to enhance GCHQ cyber-operations through behavioural science.  It outlines both the broad methods used by JTRIG and other units, before detailing some examples of what they were used for:

JTRIG targets a range of individual, group and state actors across the globe who pose criminal, security and defence threats. JTRIG staff use a range of techniques to, for example, discredit, disrupt, delay, deny, degrade, and deter. The techniques include: uploading YouTube videos containing persuasive messages; establishing online aliases with Facebook and Twitter accounts, blogs and forum memberships for conducting HUMINT or encouraging discussion on specific issues; sending spoof emails and text messages as well as providing spoof online resources; and setting up spoof trade sites.


According to staff, the Iran team currently aims to achieve counter-proliferation by: (1) discrediting the Iranian leadership and it’s nuclear programme; (2) delaying and disrupting access to materials used in the nuclear programme; (3) conducting online HUMINT; and (4) counter-censorship. The Serious Crime team currently aims
to reduce online organised crime by: (1) disrupting the activities of front companies; and (2) discrediting the online presence of such companies and their owners as well as promoting distrust among them and consumers. Two of the Global team’s current aims are regime change in Zimbabwe by discrediting the present regime, and
preventing Argentina from taking over the Falkland Islands by conducting online HUMINT. The CT group’s operations currently aim to counter Islamic radicalisation and monitor Irish Republican dissident groups by: (1) disrupting the dissemination of extremist material over the internet; (2) discrediting extremist sites and individuals/groups; (3) conducting online HUMINT; and (4) hosting extremist sites (to enable collection of SIGINT). The Cyber Coordination and Operations team currently aims to investigate cybercrime and electronic attack by: (1) denying, deterring or dissuading criminals, state actors and hacktivists; (2) providing intelligence for judicial outcomes; and (3) discrediting cybercrime forums and their users. The team also acts as a liaison and support for JTRIG teams in Bude and Scarborough. The Network Defence team currently aims to safeguard critical computer networks against cyberattack by: (1) discrediting cybercriminals and malware providers; (2) disrupting State sponsored malware infrastructure; and (2) conducting online HUMINT. Two of the Cyber Crime team’s current aims are to prevent and reduce online credit card fraud and child exploitation by: (1) disrupting the dissemination of child porn, malware and data gathered by it; (2) discrediting those selling stolen credit card and ID details or child porn online and promoting distrust in them; (3) deterring, disrupting or degrading online consumerism of stolen data or child porn; and (4) increasing the reporting of online crime. The Cyber Crime team’s other current aim is to monitor domestic extremist groups such as the English Defence League by conducting online HUMINT. Finally, some of the SMO group’s current aims are counter-insurgency including counter-improvised explosive device by: (1) denying and disrupting the Taliban message; (2) strategic messaging; (3) delivering tactical in-theatre effects supporting Special Forces; and (4) seized media exploitation.

Another document, which is from some kind of internal wikipedia for GCHQ tools and techniques, lists dozens of entries at various stages of development and deployment.

Almost all of these tools and techniques have stupid names – Radiant Splendour, Dragon’s Snout and Gateway Gambit being among the worst.  But curiously, a number of the codenames have been lifted from popular culture, including Airwolf, Jazz Fusion, Country File, Bugsy, Godfather, Hacienda, Jedi, Deadpool and Scrapheap Challenge.

In particular, Deadpool and Nightcrawler (this is three years before the film of that name) comes from comic books, confirming what I’ve long suspected – that GCHQ is full of nerds.  More importantly, it suggests that being locked inside a giant donut-shaped building carrying out psychological warfare via the internet has a tendency to detach people from reality.  They end up in a fantasy land of comic books and TV shows, believing themselves to be the superheroes who are saving the day.  In reality they’re destabilising foreign governments, running child porn websites and generally spying on everything and anything they can get access to (which is almost everything).


Behavioural Science Support for JTRIG’s (Joint Threat Research and Intelligence Group’s) Effects and Online HUMINT Operations

JTRIG Tools and Techniques