A secret spy unit linked to the UK Government Communications Headquarters (GCHQ) proactively attacked hackers related to the Anonymous collective, according to leaked NSA documents.
NBC published documents leaked by whistleblower Edward Snowden showing that the group, codenamed the Joint Threat Research Intelligence Group (JTRIG), attempted to shut down and spread information throughout the Anonymous collective.
The document alleged the unit attempted to phish Anonymous members and launched attacks designed to disrupt and infiltrate its networks as part of an operation called Rolling Thunder.
The documents show the spies mounted a sophisticated espionage campaign that let intelligence officers phish a number of Anonymous members to extrapolate key bits of information.
The leaked documents include conversations between intelligence officers and the GZero, Topiary and pOke Anonymous members in 2011.
One log shows a GCHQ spy duped pOke into clicking on a malicious link dressed up to look like a news article about Anonymous. The link used an unspecified method to extract data from the virtual private network (VPN) being used by pOke.
The documents allege pOke was not arrested, but that the information gathered during the phishing attack was used in the arrest of Jake Davis (Topiary) in July 2011.
Davis' arrest was taken as a key victory for law enforcement. Davis, a British citizen, was believed to have acted as a spokesman for many Anonymous cells and is credited as the author of several of the group's statements.
Intelligence officers also attempted to sabotage and hinder Anonymous members' communications, though it is unclear how they did this as the leaked slides refer to both distributed denial of service (DDoS) and denial of service (DoS) attacks. F-Secure analyst Sean Sullivan told V3 that while it is hard to know which was used, evidence suggests that the spies used DoS attacks.
"The Rolling Thunder slide has 'DDoS' at the top, the slide previous to that states ‘Denial of Service on Key Communications outlets’,” he told V3.
“I’m of the opinion that the Rolling Thunder slide is mislabeled – thus, the GCHQ performed a DoS on Anonymous, not a DDoS. There’s a difference in scale, and if the GCHQ had engaged in a DDoS in the summer of 2011 we would have learned about it then, not now.”
A GCHQ spokesman declined V3's request for comment on NBC's report, but reiterated the agency's previous insistence that all its operations are carried out within the letter of the law.
"It is a longstanding policy that we do not comment on intelligence matters. Furthermore, all of GCHQ's work is carried out in accordance with a strict legal and policy framework," read the statement.
Experts within the security community have questioned the GCHQ's argument. Chief operating officer at Corero Network Security Andrew Miller said the secret unit's use of black hat tactics is at the very least morally questionable.
"We have to remember that cyber spooks within GCHQ are equally if not more skilled than many black hat hackers, and the tools and techniques they are going to use to fight cybercrime are surely going to be similar to those of the bad guys," he said.
"Legally, we enter a very grey area here; where members of Lulzsec were arrested and incarcerated for carrying out DDoS attacks, but it seems that JTRIG are taking the same approach with impunity."
The campaign against Anonymous is one of many revelations to stem from the leaked Snowden files.
The files were originally leaked to the press in 2013 and detail several intelligence operations carried out by the UK GCHQ and US National Security Agency (NSA). Documents emerged alleging that the GCHQ and NSA were using mobile applications such as Angry Birds to spy on citizens earlier in January.