Documents
Ghosthunter tasking process
Sep. 6, 2016
TOP SECRET//COMINT
GHOSTHUNTER Tasking Process
(
, Sept 09)
Written to understand how the current GHOSTHUNTER (GH) process works and
how GCHQ should present tasking.
Note: APPARITION has been designed to provide global access for VSAT
geolocation requirements in future and will have its own unique tasking process in
place. Some requests which are assessed by the NAC may be put on the
APPARITION system depending on the location of the modem and which system has
best access.
Background/Current Formal Tasking
There is an Overhead task (362) which drives tasking requirements using
GHOSTHUNTER. It includes both a US and GCHQ CRN. Despite its title of MultiCountry (stems from when a limited number of AOIs were included), the US CRN
requests coverage of targets worldwide (GW). However, note that the GCHQ CRN
only mentions Iraq, Iran, Pakistan, Afghanistan, Algeria, Philippines, Lebanon, Mali,
Kenya, Sudan and Somalia.
The task consists of two priorities:
1. Pri 2/336 (336 is OH speak for a tipper). This priority is usually used for
actionable requests using GH, that is when the decision has been made
between the Network Analysis Centre (NAC) at NSA in liaison with Task Force
commanders in-theatre (usually covert) to apprehend a specific target. This is
likely to be a short suspense request.
2. Pri 3. There are two parts to this priority (both non-actionable):
routine daily VSAT search/survey performed by two OH resources and
scheduled daily by Denver which will provide a lat/long for a VSAT dish
(not GH);
the more dynamic GH tasking used in conjunction with Comsat assets to
provide the timely location of an internet user. Tasking may consist of an
attempt to locate a known target of interest or a VSAT survey type request.
Locational data can be matched with imagery if required.
[Note: Overhead resources are requested on an adhoc basis to achieve geos].
GH tasking used at its non-actionable priority is to learn and establish pattern of life
for known terrorists who use internet cafes to communicate. The whereabouts of
such targets is established using known IP/MAC addresses in conjunction with the
Comsat/OH accesses and the GH system at MHS (main GH hub) which resides in
the New Mission Development Centre at site.
1 of 3
This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under
other UK information legislation. Refer disclosure requests to GCHQ on
TOP SECRET COMINT
TOP SECRET//COMINT
GHOSTHUNTER Tasking Process
(
, Sept 09)
Written to understand how the current GHOSTHUNTER (GH) process works and
how GCHQ should present tasking.
Note: APPARITION has been designed to provide global access for VSAT
geolocation requirements in future and will have its own unique tasking process in
place. Some requests which are assessed by the NAC may be put on the
APPARITION system depending on the location of the modem and which system has
best access.
Background/Current Formal Tasking
There is an Overhead task (362) which drives tasking requirements using
GHOSTHUNTER. It includes both a US and GCHQ CRN. Despite its title of MultiCountry (stems from when a limited number of AOIs were included), the US CRN
requests coverage of targets worldwide (GW). However, note that the GCHQ CRN
only mentions Iraq, Iran, Pakistan, Afghanistan, Algeria, Philippines, Lebanon, Mali,
Kenya, Sudan and Somalia.
The task consists of two priorities:
1. Pri 2/336 (336 is OH speak for a tipper). This priority is usually used for
actionable requests using GH, that is when the decision has been made
between the Network Analysis Centre (NAC) at NSA in liaison with Task Force
commanders in-theatre (usually covert) to apprehend a specific target. This is
likely to be a short suspense request.
2. Pri 3. There are two parts to this priority (both non-actionable):
routine daily VSAT search/survey performed by two OH resources and
scheduled daily by Denver which will provide a lat/long for a VSAT dish
(not GH);
the more dynamic GH tasking used in conjunction with Comsat assets to
provide the timely location of an internet user. Tasking may consist of an
attempt to locate a known target of interest or a VSAT survey type request.
Locational data can be matched with imagery if required.
[Note: Overhead resources are requested on an adhoc basis to achieve geos].
GH tasking used at its non-actionable priority is to learn and establish pattern of life
for known terrorists who use internet cafes to communicate. The whereabouts of
such targets is established using known IP/MAC addresses in conjunction with the
Comsat/OH accesses and the GH system at MHS (main GH hub) which resides in
the New Mission Development Centre at site.
1 of 3
This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under
other UK information legislation. Refer disclosure requests to GCHQ on
TOP SECRET COMINT
TOP SECRET//COMINT
What GHOSTHUNTER can do for you
Basically, it provides geolocation of modems of interest, when active, based on
certain locational data (usually from Mastershake). The more you know about the
location the better, though requests may be made to country level (depending on size)
as well as the more usual city level. In order to forward requests, tasking must
contain as much locational info as possible from Mastershake; liaise with the NAC
directly for further help and verification of targets.
Also, if an IPT is seeing interesting traffic on a satellite modem, GH may be able to
help to establish patterns of activity, again use the NAC to discuss your request.
A bonus to the geolocation of a modem is that GH will also geolocate all modems
which are on the same signal, close to the targeted area and active at the time of the
initial geolocation.
It’s not advised to request geolocation of every modem on a bearer as GH requires at
least some locational data as a starting point.
How tasking is performed
What GH allows at MHS is a 24/7 search for targets of interest. The position is
tasked using an IP/MAC Priority list provided and managed by the NAC, so all
requests must come through NAC channels. Searches are performed using where
possible MP15 (search antenna) or MP14 (NMDC special dish) at site; Moonpenny
sustained collection is not interrupted. If the target cannot be accessed via these
dishes, site may use other GH connected sites such as Sounder.
[[Note to above: coordination of resources is usually done by phone for timeliness,
am told sometimes requests go through Bude (email) but this isn’t slick. Also, unlike
TK sites, no access to Info WorkStation (IWS) chat facility which MHS uses. Sounder
has a callout rota for HVTs (Pri 2 type requests) as they don’t operate 24/7]].
Using the target list, the GH operator at MHS performs a search with a comsat asset
using information on the tasking list (MAC, downlink RF, IP etc); once a target is
noted active, an adhoc OH resource is then requested via Denver to perform the
geolocation. This process can be performed 24/7. Results of this are either emailed
or klieglighted
) as well as input to Mastershake. I’m
told the Mastershake entry is tagged with a GH line for id. For both Pri 2 tippers and
Pri 3 requests, a KL is issued and can be married up with imagery if this has been
requested.
How to task
Initially, it’s been agreed with the NAC that any potential tasking will be forwarded to
them or discussed initially to check before being submitted for tasking. As well as
Mastershake, they check the NAC Knowledge Database (NKD, US Eyes).
2 of 3
This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under
other UK information legislation. Refer disclosure requests to GCHQ on
TOP SECRET COMINT
TOP SECRET//COMINT
What GHOSTHUNTER can do for you
Basically, it provides geolocation of modems of interest, when active, based on
certain locational data (usually from Mastershake). The more you know about the
location the better, though requests may be made to country level (depending on size)
as well as the more usual city level. In order to forward requests, tasking must
contain as much locational info as possible from Mastershake; liaise with the NAC
directly for further help and verification of targets.
Also, if an IPT is seeing interesting traffic on a satellite modem, GH may be able to
help to establish patterns of activity, again use the NAC to discuss your request.
A bonus to the geolocation of a modem is that GH will also geolocate all modems
which are on the same signal, close to the targeted area and active at the time of the
initial geolocation.
It’s not advised to request geolocation of every modem on a bearer as GH requires at
least some locational data as a starting point.
How tasking is performed
What GH allows at MHS is a 24/7 search for targets of interest. The position is
tasked using an IP/MAC Priority list provided and managed by the NAC, so all
requests must come through NAC channels. Searches are performed using where
possible MP15 (search antenna) or MP14 (NMDC special dish) at site; Moonpenny
sustained collection is not interrupted. If the target cannot be accessed via these
dishes, site may use other GH connected sites such as Sounder.
[[Note to above: coordination of resources is usually done by phone for timeliness,
am told sometimes requests go through Bude (email) but this isn’t slick. Also, unlike
TK sites, no access to Info WorkStation (IWS) chat facility which MHS uses. Sounder
has a callout rota for HVTs (Pri 2 type requests) as they don’t operate 24/7]].
Using the target list, the GH operator at MHS performs a search with a comsat asset
using information on the tasking list (MAC, downlink RF, IP etc); once a target is
noted active, an adhoc OH resource is then requested via Denver to perform the
geolocation. This process can be performed 24/7. Results of this are either emailed
or klieglighted
) as well as input to Mastershake. I’m
told the Mastershake entry is tagged with a GH line for id. For both Pri 2 tippers and
Pri 3 requests, a KL is issued and can be married up with imagery if this has been
requested.
How to task
Initially, it’s been agreed with the NAC that any potential tasking will be forwarded to
them or discussed initially to check before being submitted for tasking. As well as
Mastershake, they check the NAC Knowledge Database (NKD, US Eyes).
2 of 3
This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under
other UK information legislation. Refer disclosure requests to GCHQ on
TOP SECRET COMINT
TOP SECRET//COMINT
There are formatted forms to submit tasking requests on email which I hold once we
get the process running.
NAC POCs:
,
.
The NAC is aware that not everyone has TK email and don’t see this as a problem.
Once accepted by the NAC, tasking is forwarded to sites for execution.
Also, tasking can be discussed with MHS before submission (POC:
to check whether it’s a suitable).
Results
Will be input to Mastershake, be aware that all the data is replicated daily into the 2 nd
party Mastershake (ie the one GCHQ accesses) and at the very most will take 24
hours to populate.
In addition to this, klieglights are issued and can be found in the following db:
(
can help with forwarding these.
Imagery may also be requested, again I’d go through
if you need help.
3 of 3
This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under
other UK information legislation. Refer disclosure requests to GCHQ on
TOP SECRET COMINT
TOP SECRET//COMINT
There are formatted forms to submit tasking requests on email which I hold once we
get the process running.
NAC POCs:
,
.
The NAC is aware that not everyone has TK email and don’t see this as a problem.
Once accepted by the NAC, tasking is forwarded to sites for execution.
Also, tasking can be discussed with MHS before submission (POC:
to check whether it’s a suitable).
Results
Will be input to Mastershake, be aware that all the data is replicated daily into the 2 nd
party Mastershake (ie the one GCHQ accesses) and at the very most will take 24
hours to populate.
In addition to this, klieglights are issued and can be found in the following db:
(
can help with forwarding these.
Imagery may also be requested, again I’d go through
if you need help.
3 of 3
This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under
other UK information legislation. Refer disclosure requests to GCHQ on
TOP SECRET COMINT