Joint Threat Research Intelligence Group

The Joint Threat Research Intelligence Group (JTRIG) is a unit of the Government Communications Headquarters (GCHQ), the British intelligence agency. The existence of JTRIG was revealed as part of the global surveillance disclosures in documents leaked by the former National Security Agency contractor Edward Snowden.

Mission
The scope of the JTRIG's mission includes using "dirty tricks" to "destroy, deny, degrade [and] disrupt" enemies by "discrediting" them, planting misinformation and shutting down their communications. Known as "Effects" operations, the work of JTRIG had become a "major part" of GCHQ's operations by 2010. Slides leaked by Snowden also disclose the deployment of "honey traps" of a sexual nature by British intelligence agents.

Operations


In 2011, the JTRIG conducted a denial-of-service attack (DoS) on the activist network Anonymous. Other JTRIG targets have included the government of Iran and the Taliban in Afghanistan.

Campaigns operated by JTRIG have broadly fallen into two categories; cyber attacks and propaganda efforts. The propaganda efforts (named "Online Covert Action") utilize "mass messaging" and the "pushing [of] stories" via the medium of Twitter, Flickr, Facebook and YouTube. Online "false flag" operations are also used by JTRIG against targets. JTRIG have also changed photographs on social media sites, as well as emailing and texting colleagues and neighbours with "unsavory information" about the targeted individual.

JTRIG developed a URL shortening service called Lurl.me to manipulate and collect intelligence on social media users. The service was used to spread pro-revolution messages in the Middle East during the Arab Spring.

A computer virus named Ambassadors Reception has been used by GCHQ "in a variety of different areas" and has been described in the slides as "very effective." The virus can "encrypt itself, delete all emails, encrypt all files, [and] make [the] screen shake" when sent to adversaries. The virus can also block a user from logging on to their computer. Information obtained by GCHQ is also used in "close access technical operations," in which targets are physically observed by intelligence officers, sometimes in person at hotels. Telephone calls can also be listened to and hotel computers tapped, the documents asking "Can we influence hotel choice? Can we cancel their visits?".

In a "honey trap", an identified target is lured "to go somewhere on the Internet, or a physical location" to be met by "a friendly face", with the aim to discredit them. A "honey trap" is described as "very successful when it works" by the slides. The disclosures also revealed the technique of "credential harvesting", in which journalists could be used to disseminate information and identify non-British journalists who, once manipulated, could give information to the intended target of a secret campaign, perhaps providing access during an interview. It is unknown whether the journalists would be aware that they were being manipulated.

A JTRIG operation saw GCHQ "significantly disrupt" the communications of the Taliban in Afghanistan with a "blizzard" of faxes, phone calls and text messages scheduled to arrive every minute. Specific JTRIG operations also targeted the nuclear programme of Iran with negative information on blogs attacking private companies, to affect business relationships and scupper business deals.

JTRIG also undertook cyber-operations as part of a wider GCHQ mission to prevent the Argentine takeover of the Falkland Islands. The scope of the cyber tactics used in this operation was unclear. The name given to JTRIG's role was Operation Quito.

In June 2015, NSA files published by Glenn Greenwald revealed new details about JTRIG's work at covertly manipulating online communities and internal activities within the United Kingdom. UK agencies that JTRIG says it co-operates with include the Metropolitan police, Security Service (MI5), National Crime Agency (NCA), Border Agency, Revenue and Customs (HMRC), and National Public Order and Intelligence Unit (NPOIU). It is also involved in what it calls "missions" with various other agencies described as "customers", including the Bank of England, and the Department for Children, Schools and Families.

Info-weapons held or being developed by JTRIG can be used to send bulk email, spoof SMS messages, impersonate Facebook posts for individuals or entire countries, artificially increase traffic to a website and change the outcome of online polls.