While alternative sources, such as a tip-off, might sometimes have alerted ISAF forces to
an imminent attack, no such information was available in this instance. Bulk interception
was the only means through which the UK was alerted to the intended attack.
Case study A8/8
GCHQ
Action/anomaly detection
Cyber-defence
GCHQ used bulk interception to identify malware placed on a nationally important UK
computer network by an overseas-based organised crime gang that controlled a
particularly sophisticated piece of malware.
The malware was initially identified by financial institutions as a potential threat. By
looking for traces of this malware within the bulk data available to GCHQ, analysts were
able to obtain a more accurate understanding of the scale of the attack and the risk
posed to the UK. Further GCHQ analysis of bulk data identified the infrastructure being
used by criminals to deploy and control the malware. GCHQ was able to alert the users
and also to monitor the success of the cyber-defences then put in place by those users.
The information obtained by GCHQ allowed law enforcement officers subsequently to
take action and arrest members of the organised crime gang.
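The analytic steps this paragraph describes, searching communications data for traces of a reported indicator to gauge the scale of infection, pivoting from the infected hosts to find further command-and-control infrastructure, and then checking whether the defences put in place actually stopped the check-ins, can be illustrated over flow metadata. The block below is an added example, not GCHQ's method, data or tooling, and nothing in the Review describes how the agency actually does this. All flow records, host names, timestamps and the "indicator" address are constructed for the example (addresses are from the RFC 5737 documentation ranges); the beacon-regularity heuristic and its thresholds are assumptions chosen for illustration.

```python
"""Indicator pivoting over constructed flow metadata (added example, not GCHQ's tooling)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (time_s, internal_host, remote_ip, remote_port, bytes_out).
# Only metadata is used (who spoke to whom, when, how much), no content.
FLOWS = [
    # ws-01: regular check-ins to the reported address, then to a second address
    (1000, "ws-01", "203.0.113.10", 443, 420), (1600, "ws-01", "203.0.113.10", 443, 418),
    (2200, "ws-01", "203.0.113.10", 443, 421), (2800, "ws-01", "203.0.113.10", 443, 419),
    (1300, "ws-01", "198.51.100.7", 443, 512), (1900, "ws-01", "198.51.100.7", 443, 511),
    (2500, "ws-01", "198.51.100.7", 443, 513), (3100, "ws-01", "198.51.100.7", 443, 512),
    # ws-02: the same pattern, offset by 50 s
    (1050, "ws-02", "203.0.113.10", 443, 420), (1650, "ws-02", "203.0.113.10", 443, 419),
    (2250, "ws-02", "203.0.113.10", 443, 420),
    (1350, "ws-02", "198.51.100.7", 443, 512), (1950, "ws-02", "198.51.100.7", 443, 512),
    (2550, "ws-02", "198.51.100.7", 443, 512), (3150, "ws-02", "198.51.100.7", 443, 513),
    # ws-03: one contact with the reported address, one with an unrelated address
    (1100, "ws-03", "203.0.113.10", 443, 420), (1500, "ws-03", "198.51.100.99", 80, 9000),
    # every host, including the clean server srv-09, talks to an update server
    (1200, "ws-01", "192.0.2.50", 443, 300), (1210, "ws-02", "192.0.2.50", 443, 300),
    (1220, "srv-09", "192.0.2.50", 443, 300), (1230, "ws-03", "192.0.2.50", 443, 300),
    # after the reported address is blocked, only ws-03 still checks in, via the second address
    (100500, "ws-03", "198.51.100.7", 443, 512),
]
KNOWN_C2 = {"203.0.113.10"}    # hypothetical indicator, standing in for the one the banks reported
DEFENCE_DEPLOYED_AT = 100000   # constructed: when the network owner blocked KNOWN_C2


def hosts_contacting(flows, remotes):
    """Step 1 (scale): every internal host that has spoken to a known indicator."""
    return {host for _t, host, ip, _port, _n in flows if ip in remotes}


def is_beaconing(times, max_cv=0.2, min_samples=4):
    """Assumed heuristic: near-constant inter-arrival times suggest automated check-ins."""
    if len(times) < min_samples:
        return False
    ordered = sorted(times)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_cv


def pivot_infrastructure(flows, infected, known, min_hosts=2):
    """Step 2 (infrastructure): remote addresses contacted only by infected hosts,
    by at least min_hosts of them, with beacon-like timing from at least one host."""
    contacts = defaultdict(lambda: defaultdict(list))   # remote_ip -> host -> [times]
    for t, host, ip, _port, _n in flows:
        contacts[ip][host].append(t)
    found = set()
    for ip, per_host in contacts.items():
        if ip in known:
            continue
        hosts = set(per_host)
        if (hosts <= infected and len(hosts) >= min_hosts
                and any(is_beaconing(ts) for ts in per_host.values())):
            found.add(ip)
    return found


def still_beaconing(flows, infected, c2, after):
    """Step 3 (monitor defences): which infected hosts still reach any C2 after the block."""
    return {h: any(t >= after and ip in c2 for t, hh, ip, _p, _n in flows if hh == h)
            for h in infected}


def run_analysis(flows=FLOWS, known=KNOWN_C2, defence_at=DEFENCE_DEPLOYED_AT):
    infected = hosts_contacting(flows, known)
    discovered = pivot_infrastructure(flows, infected, known)
    remaining = still_beaconing(flows, infected, known | discovered, defence_at)
    return {"infected": infected, "discovered": discovered, "still_beaconing": remaining}


if __name__ == "__main__":
    print(run_analysis())
```

The point of the third step is the one the paragraph makes about monitoring the defences: blocking only the reported address leaves the second address, found by the pivot, still reachable from ws-03, so the block alone was not sufficient. The update server is excluded because a clean host also uses it, which is the kind of customer-specific noise an aggregate view is needed to filter.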
It is possible that commercial anti-virus companies might have been able to provide
some defence against the attack, if appropriate software had been installed on the
devices under attack. However, commercial companies would not have been able to
identify the overseas attackers, nor to warn potential victims in advance of an attack.
An industry view is formed on a customer-by-customer basis and does not provide a
picture of the overall threat to the UK.
By analysing secondary data obtained under bulk interception warrants, GCHQ can
identify the overseas-based criminals behind significant malware threats and the key
computer network infrastructure that they are using. GCHQ told the Review team that
there is a high volume of criminal cyber threats in circulation, and that the National Crime
Agency (NCA) needs to identify those who pose the most significant danger to citizens
and the broader UK economy. GCHQ analysis of bulk communications data helps the
NCA to mitigate these threats, informing and enabling disruption activity against them.
GCHQ currently deals with over 200 cyber incidents every month.