NBC News has published new documents from the National Security Agency trove provided by former NSA contractor Edward Snowden. The latest revelation is that British intelligence agency GCHQ conducted a covert campaign against Anonymous in September of 2011, crippling one operation by the hacktivist group and unmasking several of its members. The slides indicate that the GCHQ infiltrated the Internet relay chat (IRC) for Operation Payback, a collective “op” by hackers affiliated with Anonymous that targeted PayPal, MasterCard, and Visa after they stopped electronic donations to WikiLeaks.

The irony of the efforts is that the GCHQ operative used almost precisely the same sort of techniques and methods that hackers who have often aligned themselves with Anonymous employ. The GCHQ employed a covert informant to conduct the campaign, and the informant used social engineering, denial-of-service attacks, and malware against the targets.

It’s not clear if there’s a connection between the GCHQ’s “CHIS” (covert human intelligence source) and the FBI’s turning of Hector “Sabu” Monsegur in June of 2011. But the timing of the GCHQ’s operation against the Anonymous IRC corresponds to the time frame during which Sabu became a government informant.

Hacking the hackers

The PowerPoint slides show IRC logs between two individuals: “Gzero,” later identified as a now-25-year-old English hacker named Edward Pearson, and “p0ke,” a hacker who ironically may have been a co-author of Anonymous’ guide for IRC anonymity. Pearson was arrested and is serving a two-year prison sentence; p0ke’s identity (which has been redacted from the slides) was exposed, along with his Facebook and e-mail account data. In both cases, the GCHQ’s covert informant used IRC conversations about the targets’ efforts to gain access to identity data to steer the targets into traps that had been laid for them.

A hacker working with Gzero, whose username has been redacted, came onto the #OperationPayback IRC channel looking for a webpage with high traffic. The hacker's intent was to use the page in order to launch a browser exploit package against visitors that would install a SpyEye botnet and other malware on their PCs.

The GCHQ informant said he had administrative access to a porn site that fit the bill, and Gzero later contacted him in private chat to discuss a deal—pointing the informant at the server running the exploit package. WHOIS data for the server was used to identify Gzero, and he was later convicted for stealing over 200,000 PayPal accounts, 2,700 credit card numbers, and the personally identifying information of over eight million British residents.

The informant also jumped into a conversation with p0ke when the hacker bragged to LulzSec’s Topiary (later identified as Jake Davis), “I has list of email:phonenumber:name of 700 FBI tards.” p0ke claimed the data was from a table called “FBI” in a database from a US Department of Agriculture website. The informant then got p0ke into a private chat and posted a Web link that redirected to a BBC story on hacktivism. This link also captured data about p0ke’s virtual private network provider, and the GCHQ was subsequently able to use that to identify p0ke and share his information with law enforcement.

DDoSing the DDoSers

The GCHQ claimed to take Anonymous IRC offline for over a day using a distributed denial-of-service (DDoS) attack against its network, apparently using a SYN flood—bombarding the network’s servers with bogus half-open TCP/IP connections that tie up server resources until legitimate connections can no longer be accepted. (A similar attack was used against Ars last year after we reported on the “swatting” of security reporter Brian Krebs.)

In the summer of 2011—around the time of Sabu’s arrest and conversion to informant—the GCHQ was involved in a coordinated effort with law enforcement to identify “top targets” within Anonymous, perform “Information ops” using the confidential informant, and go after the collective’s infrastructure. The DDoS attack by the GCHQ, called “ROLLING THUNDER” in the agency’s slide deck, was used in a trial run in early September. The attack took the server irc.anonops.li offline, and it may have disrupted any “hivemind” denial-of-service attacks being coordinated through that IRC using Anonymous’ denial-of-service tools.

The details of the “information ops” against Anonymous during the campaign, which was called Operation WEALTH, aren’t clear from the slides. However, the GCHQ apparently used the confidential informant to message individuals active in the IRC with information aimed at ending their involvement with the organization. The GCHQ slide deck reported, “80 percent of those messaged where [sic] not in the IRC channels one month later.”