GCHQ created an application to help its internal hackers more easily track a select group of security professionals and hackers on Twitter in order to better inform its own security analysts, according to new documents leaked by US National Security Agency (NSA) whistleblower Edward Snowden.
The aim was to provide a feed of distilled security information from the best-informed online sources, with staff also invited to propose their own suggestions. The feed was made available direct to GCHQ hackers’ computer desktops and was intended to provide more information so that they did not need to read up on these sources at home or out of hours.
“Analysts are potentially missing out on valuable open source information relating to cyber defence because of an inability to easily keep up to date with specific blogs and Twitter sources. Accessing these resources involves using specific JEDI terminals, or reading up at home,” according to the leaked document.
It continued: “Analysts don’t have the time to spend hours and hours reading through loads of blogs. In addition, we don’t want this repository to be yet another tool that analysts have to access – this information needs to be incorporated into existing workflows.”
Under the code-name “Lovely Horse”, GCHQ built a tool for dredging the Twitter feeds and blogs of the most pertinent hackers and security specialists in order to deliver their information direct to its hackers’ own desktops. The organisation built the tool around the “Birdstrike” infrastructure, which it had built in order to track online information.
Hackers and security specialists “followed” by GCHQ on Twitter included Kevin Mitnick, Lulzsec, F-Secure’s Mikko Hyppönen, The Grugq and Vupen. Blogs followed included xs-sniper.com, Secureworks, Offensive Computing, Mandiant and Securityvulns.com.
The tool, according to reports, was based on software from data analytics company Palantir.