
GCHQ ran DoS attack on chatrooms used by Anonymous and LulzSec

Pierluigi Paganini February 06, 2014

New slides leaked by Snowden and published by NBC News reveal that GCHQ ran a DoS attack on chatrooms used by Anonymous and LulzSec.

The latest revelation from the NBC News investigation into the Snowden case is that the British intelligence agency GCHQ ran denial-of-service attacks against Anonymous and LulzSec. Documents leaked by NSA whistleblower Edward Snowden report the existence of a GCHQ unit known as the Joint Threat Research Intelligence Group (JTRIG) that ran DoS attacks against chatrooms used by hacktivists. It is the first time the secret unit has been mentioned; the existence of JTRIG had never previously been disclosed publicly.

The leaked slides contain a dedicated page that mentions the Rolling Thunder operation run by JTRIG; the document erroneously reports a “DDoS” attack instead of a DoS.

[Image: NBC slides, Rolling Thunder]

The state-sponsored hackers hit Anonymous and LulzSec in an offensive campaign codenamed Rolling Thunder; the attackers used a packet flood technique to take down their adversaries.

“The documents, from a PowerPoint presentation prepared for a 2012 NSA conference called SIGDEV, show that the unit known as the Joint Threat Research Intelligence Group, or JTRIG, boasted of using the DDOS attack – which it dubbed Rolling Thunder — and other techniques to scare away 80 percent of the users of Anonymous internet chat rooms.” NBC reports.

GCHQ spies also infiltrated the chat rooms for intelligence purposes; in this way the British agents identified a hacktivist who had stolen confidential data from PayPal and another member who had participated in attacks against government websites.

Intelligence sources have previously said that in 2011 authorities were alarmed by a wave of cyber attacks on government and corporate websites, so they decided to go on the attack.

“While there must of course be limitations,” “law enforcement and intelligence officials must be able to pursue individuals who are going far beyond speech and into the realm of breaking the law: defacing and stealing private property that happens to be online.” “No one should be targeted for speech or thoughts, but there is no reason law enforcement officials should unilaterally declare law breakers safe in the online environment,” said Michael Leiter, the former head of the U.S. Government’s National Counterterrorism Center and now an NBC News analyst.

The GCHQ offensive operation started in September 2011. In that period both LulzSec and Anonymous were very active, and in December of the same year Anonymous breached the systems of the intelligence firm Stratfor. Hacktivists from the LulzSec collective ran a DDoS attack on the website of the Serious and Organised Crime Agency in June 2011 and on the US Central Intelligence Agency. LulzSec had also hacked the websites of chapters of InfraGard, a non-profit organization linked to the FBI; emails and a database were leaked during the attack. In the same period the hacktivists bombarded the Senate.gov website, stealing internal data, and as part of #OpPayback they hit the PayPal and Mastercard websites, which were guilty of blocking WikiLeaks banking transfers in 2010.

The presentation gives detailed examples of “humint” (human intelligence) on a group of hacktivists known by the pseudonyms G-Zero, Topiary and pOke, who were contacted by undercover GCHQ agents via IRC.

All the chat sessions were recorded; an extract from one of them follows:

“Anyone here have access to a website with at least 10,000+ unique traffic per day?” asks one hacktivist in a transcript taken from a conversation that began in an Operation Payback chat room. An agent responds and claims to have access to a porn website with 27,000 users per day. “Love it,” answers the hacktivist. The hackers ask for access to sites with traffic so they can identify users of the site, secretly take over their computers with malware and then use those computers to mount a DDOS attack against a government or commercial website. 

“In a transcript taken from a second conversation in an Operation Payback chat room, a hacktivist using the name “pOke” tells another named “Topiary” that he has a list of emails, phone numbers and names of “700 FBI tards.”

Edward Pearson is the person identified as GZero, a 25-year-old from York who was convicted and sentenced to 26 months in prison for stealing information from 200,000 PayPal accounts. The investigators also discovered that Pearson and his then girlfriend used stolen credit card details to pay for a hotel stay. All the details of the investigation were reported in the leaked GCHQ presentation.

After the disclosure of the slides, advocates and security experts are questioning the legality of the operation run by GCHQ. Is it legal to hack back an attacker? What happens if the attacker is an intelligence agency and the target is the communication channel of a group of hacktivists like LulzSec and Anonymous?

Pierluigi Paganini
(Security Affairs –  GCHQ, Anonymous, LulzSec)
