GCHQ Codewords and Abbreviations

(Updated: December 7, 2023)

Below is a listing of some 500 codewords and nicknames, as well as abbreviations and acronyms used by the British signals intelligence agency Government Communications Headquarters (GCHQ) in past and present. Also included are some related codewords from the British military and other intelligence agencies.

CODEWORDS are single words which are always expressed in capital letters and are used to provide a security cover for reference to a particular protected matter. Codewords can be classified or unclassified and are taken from the United Kingdom Codeword Index, which is maintained by the Defence Crisis Management Centre (DCMC).

NICKNAMES are names made up of two words selected by the originator and used for convenience for reference to any matter where security protection is not required. Nicknames consist of two words, which are chosen at random and must be distinct and which cannot be run together into a single word. This to avoid confusion with codewords.

Similar lists are available on this website for NSA, CSE and BND. See also the lists of abbreviations of SIGINT and COMSEC, and general telephony and internet terms.

See also the summaries of GCHQ covernames compiled by Christopher Parsons.

Please keep in mind that a listing like this will always be work in progress!

Codewords and Nicknames


5-ALIVE - Database for 5-tuple (TCP/IP) metadata *
8BALL - Discovery prototype (for cyber defense operations?) *

ABSOLINE EPILSON - CNE endpoint operation *
ALCATRAZ - Special purpose cryptanalytic machine, built in the late 1940s *
AIRWAVE - Products based on Baseline and Enhanced grades *
ALPHA CENTAURI - Visualisation and analysis tool "for everyone", under development in March 2012 *
ALPINE BUTTERFLY - Storage for Information Assurance (IA) data acquired from GORDIAN KNOT sensors for Cyber Defense Operations (CDO) *
ALVIS (BID 610) - British high-level encryption machine, developed by Plessey (1960s-1980s)*
AMBASSADORS RECEPTION - A computer virus used by GCHQ's JTRIG unit
ANARCHIST - Joint NSA-GCHQ program to intercept video from Israeli drones from an RAF facility on Cyprus * or a conventional collection site at Mt. Troodos on Cyprus *
ANGRY PIRATE - is a tool that will permanently disable a target's account on their computer
ANTICRISIS GIRL - Initiative to monitor websites like Wikileaks *
ANXIOUS - Methodology for creating an XKS fingerprint for UK IP addresses of potential victim networks *
AQUILA - STARGATE CNE architecture component *
ARCADE CONCERT - Cyber defence operation (2011)*
ARCANO - Access point for a Cable & Wireless access to the Apollo South submarine internet cable *
ASPHALT - Software modem, increasing the volume of satellite signals *
AUTO ASSOC - Query Focused Dataset (QFD) with bulk metadata and other identifier correlations * *
AWKWARD TURTLE - Cloud query focused dataset for website correlations *

BADASS - See Abbreviations
BASSQUEST - Signal analysing/processing capability *
BEARDED PIGGY - Database used for discovering Virtual Private Networks (VPNs) *
BEGAL - Something related to smartphone tracking *
BIG BUS - STARGATE CNE architecture component *
BIGOT - List of personnel cleared for access to highly sensitive information or operations
BIRD SEED - System for capturing tweets from known malware/vulnerability researchers *
BIRDSTRIKE - JTRIG architecture for capturing tweets from a handful of twitter acounts of known malware/vulnerability researchers *
BLACKCAT - System that will stream requested dataset from the GNE BLACK HOLE repository back to the analyst *
BLACKFIND - Web interface that enables analysts to request a set of data from the GNE BLACK HOLE repository *
BLACK HOLE - Flat file repository for bulk internet metadata and some content; feeds various Question-Focused Databases, part of ROUGH DIAMOND * *
BLACKNIGHT - Selection system which applies selectors to intercepted data *
BLAZING SADDLES (BzS) - Internet profiling work package under the Next Generation Events (NGE) project; includes the BLACK HOLE metadata store *
BLUE - Complex cypher used by the Japanese government since 1930, broken in 1932
BOLSHIE POSSUM - Question-focussed dataset related to mobile phone exploitation *
BOMB BAY - Capacity to increase website hits/rankings
BOUNCER - NTAC targeted interception special source access *
BOURBON - Joint NSA and GCHQ program for breaking Soviet encryption codes (1946-?)*
Box 500 - A code for MI5
Box 600 - A code for MI6
BOXTER - Legacy circuit switched and line access interception system (in 2007) *
BRAHMS - Portable secure telephone, developed by GCHQ in 1980.
BRENT - Secure telephone capable of securing calls up to the level of Top Secret
BRIDE - Joint US-UK project for decrypting intercepts of messages from the KGB (US codename: VENONA) *
BRIGHTON - Legacy delivery system for collected data (in 2007) *
BRIO - ?*
BROAD OAK - GCHQ tasking or targeting database * *
BROKER - Some type of target *
BULLROARER - Something used for fiber-optic cable "node balancing" *
BUMPERCAR - Operations to disrupt and deny Internet-based terror videos or other materials
BUMPERCAR+ - An automated system developed by JTRIG CITD to support JTRIG BUMPERCAR operations
BURLESQUE - Capacity to send spoofed SMS messages
BURRITO ALPHA - Computer Network Exploitation (CNE) End Point project *

CADDIS - MI6 (Secret Intelligence Service) desktop interface *
CADWELL PARK - PRESTON Operations tasking *
CAFFEINE HIT - Query Focused Dataset *
CANLEY - NTAC targeted interception special source access *
CARBON ROD - Map viewer? *
CARBOY - Satellite intercept station near Bude in the UK
CARPAT - Filtering tool to get surrounding targets from bulk data *
CATEGORY - Non-cable access through Verizon *
CATSUP - NTAC targeted interception special source access (UKC-311A) *
CAVIAR - Encrypted teleprinter traffic from the Soviet Union (1940s) *
CHARTBREAKER - Prototype for a new contact-chaining tool * *
CHEESY NAME - Program to single out vulnarable encryption keys *
CHEYENNE MOUNTAIN - STARGATE CNE architecture component *
CHEYENNE MOUNTAIN2 - STARGATE CNE architecture component *
CHORDAL - Community of Interest (COI) for highly sensitive data *
CIRCUIT - Internet interception monitoring center in Seeb, Oman, also known as Overseas Processing Centre 1 (OPC-1) *
CLARET - Counter-infiltration operations on Borneo, in which SIGINT played an important role (1964-'65) *
CLARINET - Fiber-optic cable intercept facility in the south of Oman *
CLEAN SWEEP - Masquerade Facebook Wall Posts for individuals or entire countries
CLOTHO2 - Component of STARGATE CNE *
CLOUDY COBRA - Metadata dataset for finding events containing user search terms *
COBRA MIST - Large over-the-horizon radar station at Orford Ness in Suffolk (terminated in 1973) *
COLERIDGE - Soviet military machine cypher from the "Poets" series (1940s) *
COLOSSUS - The first general purpose cryptanalytic machine
CONCRETE DONKEY - Capacity to scatter an audio message to a large number of telephones, or repeatedely bomb a target number with the same message
CONDONE - NTAC targeted interception special source access (UKC-311B) *
CONFLICT - Tunnel under Vienna dug by the SIS to wiretap Soviet telephone cables (1948-195?) *
CONTEST - The UK's post-9/11 counterterrorism strategy *
COPPERHEAD - A Computer Network Exploitation (CNE) attack box used by MyNOC *
CORINTH - Management/tasking system for (telephony) selectors and filters **
CRIMSON - Gateway to GCNet for open source information *
CROUCHING SQUIRREL - Discovery prototype (for cyber defense operations?) *
CROWN PRINCE - Technique for identifying Apple UDIDs in HTTP traffic *

DACRON - Cover name for Verizon Business
DAMAGE - Operation involving 8 reconaissance flights in the Mediterranean by Comet spy planes (1974) *
DAPINO GAMMA - Hacking operation in order to acquire SIM card keys from Gemalto *
DAREDEVIL - Scalable, flexible and portable unified CNE platform; equivalent at CSE is WARRIORPRIDE * *
DEAF AID - Portable short-range ELINT reception and analysis kit (developed in the 1950s) *
DEBIT CARD - Processing system for cable accesses *
DEFIANT - Submarine SIGINT collecting mission off the Soviet coast (1955) *
DEMOS-1 - Satellite intercept station at Chum Hom Kok in Hong Kong, since the 1980s *
DEMOS-4 - Program to intercept civil traffic from Chinese communication satellites, as well as telemetry from missile tests, from the listening post at Chum Hom Kok in Hong Kong *
DEPTHGAUGE - Tool for mapping links between telephone switches *
DETROIT CITY - Limited purpose front-end supercomputer, similar to PARIS DAKAR (2008) *
DEVICE - Cyber defense operation *
DICING - Cyber defence operation (2011)*
DISCOVER - Classification and retention matrix of the Cyber Defence Operations (CDO) unit *
DISTILLERY - Data analytic framework, according to an agreement between NSA and IBM,* for example used for (near) real time analysis of data streams for SQUEAKY DOLPHIN
DONNINGTON - Access point for the FLAG and Apollo South submarine internet cables *
DONKEY KONG - Cyber Defense Operations (CDO) tool *
DOLVEN - Operation involving 5 reconaissance flights along the Egyptian and Syrian coast by Comet spy planes (1974) *
DREAMY SMURF - Method to stealthily activate a mobile phone that is turned of
DRUDGE - Cable & Wireless access point for a submarine internet cable (tested in 2008) *
DRUMKIT - Tool for analysing telephony data on satellite links *
DRUMROLL - Tool for viewing hits from analysing telephone numbers on satellite links by DRUMKIT *
DYNAMIC WORLD - Tool for managing analytics and target tracking operations *

Eclipse RCP - Analysis tool suite that represents data in graphs *
EDGEHILL - Program similar to NSA's BULLRUN program
ELAPSE - Non-cable access through Cable & Wireless *
ENCHANTRESS - Content selection system *
ENGULF - Operation that conducted a succesful TEMPEST attack on the Hagelin cypher machines in the Egyptian embassy in London (1956)*
EPIC FAIL - Metadata dataset to identify careless use of TOR networks *
EREPO - Covername for routers operations * * data are processed by the Traditional version of XKeyscore *
ERIDANUS - STARGATE CNE architecture component *
ESCHAR - Interface for 2nd Party usage of SALAMANCA (replaced by SHAREOWN in July 2010) *
EVERY ASSOC - Metadata dataset for user/machine correlations from computer-to-computer presence * *
EVERY CIPHER - Metadata dataset for user/machine cipher events *
EVERY CREATURE - Metadata dataset for user/machine search terms *
EVERY eAD - Metadata dataset for user/machine electronic attack patterns *
EVERY POLICE - Metadata dataset for user/machine website visits *
EXPERIMENT - An Analytics Agility Service (AAS) *

FAINT - Cable & Wireless access point for a submarine internet cable (2008) *
FARNDALE - System for analysing data for survey or target development purposes *
FAST GROK - Selection engine within the TERRAIN system *
FEDEX - Component of STARGATE CNE *
FIRE ANT - Open Source visualisation tool
FIRECREST - Internal network of the Foreign and Commonwealth Office (FCO)
FISH - Messages produced by the Nazi German teleprinter Lorenz SZ-40/42 (codenamed TUNNY) *
FIRE ENGINE - Question-based federated access to events and reference data sources *
FIRST CONTACT - Metadata dataset for 1 and 2 hop contact chains between seeds and targets *
FLUENCY - Joint MI5-MI6 committee to investigate the Soviet penetration of Britain (1964-?)
FLYING PIG - Tool for querying databases for TLS/SSL encrypted traffic
FOGHORN - Metadata dataset for finding non-targets using targets machines *
FORESIGHT - SIGINT survey capability *
FRACTAL JOKER - Mission management dashboard for cyber defense information * *
FUME CUPBOARD - Native file viewer *
FUNFAIR - Processing facility for PRESTON intercepts *

GATEWAY - Ability to artificially increase traffic to a website
GENTIAN - Legacy circuit switched and line access interception system (in 2007) *
GERONTIC - Cover name for Cable & Wireless, since 2012 part of Vodafone
GESTATOR - Amplification of a given message, normally video, on popular multimedia websites like Youtube
GIB(B)US - SeaMeWe-3 or TAT-14S submarine cable to which Cable & Wireless has a "non-cable access" *
GLADDY CHI - Computer Network Exploitation (CNE) End Point project *
GLADDY IOTA - Computer Network Exploitation (CNE) End Point project *
GLAIVE - (Satellite) interception common architecture *
GLASSBACK - Technique of getting a targets IP address by pretending to be a spammer and ringing them; target does not need to answer
GLOBAL SURGE - Prototype network knowledge base of the NAC unit *
GOLD - Joint SIS-CIA operation to wiretap Soviet army landlines through a tunnel under Berlin (1953-1956; UK codename: STOPWATCH)
GOLDEN AXE - Query focused dataset with IMEI numbers from the grey list (suspected clone mobile phones) * *
GOLDENEYE - Some kind of operational system related to LOOKING GLASS * *
GORDIAN KNOT (GK) - Information Assurance (IA) data acquired from sensors for Cyber Defense Operations (CDO) * *
GRASP - Access point for a Cable & Wireless submarine internet cable * (since 2008) *
GREENHEART - LI contract/partner, which includes an emulator *
GREMIO - ? *
GREY - American diplomatic code (early 1940s) *
GREY FOX - Metadata dataset for country level summaries of where identifiers were observed *
GUIDING LIGHT - Question-Focused Dataset developed in August 2010 to provide information about types and volumes of traffic on bearers * *
GUITAR - Fiber-optic cable intercept station in Seeb, Oman *

HACIENDA - JTRIG tool that performs bulk port scans (of entire countries) * *
HAKIM - Research prototype for a consolidated database with multiple indexes and flexible additions (March 2012) *
HALTER HITCH - SNORT and SQUEAL signature management database * *
HANNIBAL - Secure ISDN telephone capable of protecting voice and data up to the level Top Secret
HAPPY TRIGGER - Database for structured open source datasets for cyber defense purposes *
HARBOUR PILOT - Tool voor sharing enriched metadata *
HARD ASSOC - Database with correlations for mobile phone metadata *
HARUSPEX - Cyber defense system to manage detections of malicious code * *
HAUSTORIUM - Database for computer-to-computer communications and social media metadata; replaced by SOCIAL ANTHROPOID *
HAVLOCK - Real-time website cloning techniques allowing on-the-fly alterations
HEADRESS IOTA - Computer Network Exploitation (CNE) End Point project *
HEADRESS KAPPA - Computer Network Exploitation (CNE) End Point project *
HEADRESS NU - Computer Network Exploitation (CNE) End Point project *
HEADRESS OMICRON - Computer Network Exploitation (CNE) End Point project *
HECATE - Special purpose cryptanalytic machine, built in the late 1940s *
HENCE - Processing facility for PRESTON intercepts *
HIASCO - Access point for a British Telecom submarine internet cable *
HIDDEN OTTER - Discovery prototype (for cyber defense operations?) *
HIDDEN SPOTLIGHT - Vulnarability database fed by the OVAL list *
HIFI - Exchange of Russian intercepts with the former Dutch security services BVD *
HIGHLAND FLING - Operation to mine the e-mail accounts of Gemalto employees in France and Poland *
HIGHNOTE - A Computer Network Exploitation (CNE) toolsuite use by MyNOC * *
HOOCH - NTAC targeted interception special source access (UKC-311B) *
HOMING PIGEON - Tool for correlating GSM handsets from airplane passengers to subscribers * *
HOPSCOTCH - GHCQ hacking tool or question-focussed dataset
HOTLINE - GCHQ processing location *
HRMAP - Bulk store of Host Referer (HR) references *
HUSH PUPPY - Knowledge base for encrypted traffic
HUSK - Secure one-on-one web based dead-drop messaging platform

IMMINGLE - Tasking interface which can also access NSA databases like FASCIA and MAINWAY *
INCENSER - Joint NSA-GCHQ program for tapping an internet cable between Europe and Asia with the help of Cable & Wireless; part of the WINDSTOP program
INFINITE MONKEYS - Query Focused Dataset (QFD) with bulk data (usernames, passwords, email addresses, etc) from online forum (vBulletin) users *
INSIGHT - Internal GCHQ access system *
INTEGER SPIN - Query-Focussed Dataset formerly known as Evolved GEO FUSION *
INTEGRAND - Joint NSA-IBM developed "Cyclops" limited purpose supercomputer (2008) *
INTERACTION - Operation of the MyNOC unit for development of in-depth knowledge of mobile gateways *
INTERSTELLAR DUST - Interface Control Document (ICD) specifying the format for metadata stored in QFDs *
IRASCIBLE EMITT - Tool or question-focussed dataset for data from mobile network operators *
IRASCI(A)BLE HARE - Tool or question-focussed dataset related to mobile phone exploitation * *
IRASCIBLE MOOSE - Tool or question-focussed dataset for data from mobile network operators *
IRASCI(A)BLE RABBIT - Tool or question-focussed dataset related to mobile phone exploitation * *
IRIS - ? *
IRONHAND - System for managing the lifecycle of, and to store requests for metadata *
ISCOT - Wartime Comintern traffic in Europe *
IVE - SIGINT survey capability *

JANET - ? *
JEDI - JTRIG terminal that enables access to the public internet from a secure GCHQ workstation

KARMA POLICE (KP) - Query Focused Dataset (QFD) with bulk metadata correlated to websites, showing who visited a certain website over the last 6 months *
KEEPNET - New recording equipment for radio intercept operators, introduced in the late 1980s *
KENNINGTON - Agreement to enable increased access and egress from SOSTRUM, GRASP and VISAGE cable access points
KESSE - Classification codeword that precedes the intercept stations CARBOY, SOUNDER, SCALPEL *
KIRKISTOWN - Non-cable access through Cable & Wireless *
Kite - Software-plugin from Palantir for more complicated database analysis *
KITTIWAKE - GCHQ/DSD listening post at Stanley Fort in Hong Kong (1977-1997)
KNAPWEED - Non-cable access through Verizon *
KNIME - Visualisation tool(?) *

LATUS - Access point for the Cable & Wireless access to the Apollo North and another submarine internet cable *
LAUGHING HYENA - Query Focused Dataset (QFD) for converged metadata
LECKWITH - Overseas Processing Centre (OPC-1), near Seeb in Oman * *
LEGION JADE - See NSA Codenames
LEGION RUBY - See NSA Codenames
LEGSPIN - GHCQ hacking tool
LINNELL - Non-cable access through Cable & Wireless *
LITTLE - Cover name for Level 3
LIVEBAIT - System to compare different signals, used by radio operators and introduced in the late 1980s *
LIVE - ? *
LLANDARCYPARK - GCHQ research server
LOCHNVAR - Project to migrate from the circuit-switched handover to an NHIS 2 handover *
LONGFELLOW - Soviet military machine cypher from the "Poets" series (1940s) *
LOOKING GLASS - User platform for metadata and content fusion & visualisation, * with LUCKY STRIKE as a plug-in *
LORD - Tunnel under Vienna dug by the SIS to wiretap Soviet telephone cables (1948-195?) *
LOVELY HORSE - Database for unstructured open source datasets for cyber defense purposes (like twitter feeds from cyber security researchers) *
LUCKY ESCAPE - A finance/travel tool with restricted access, under development in 2012;* enables analysts to quickly run unselected TDI's (e.g. MSISDN, email, passport) against a multitude of travel and financial datasets *
LUCKY STRIKE (LS) - Collateral "weak identifier" trace database, which in 2012 held over a billion records across 40+ unique datasets;* includes PANTHOM PARROT and a plug-in for LOOKING GLASS *
LUSTRE - Source of data from North Africa e.a., which are available in MUTANT BROTH *

MAD - Component of STARGATE CNE *
MADISON AVENUE - Limited purpose back-end supercomputer *
MAGIC - Joint US-UK cryptanalysis program during World War II
MAGLITE - Some kind of infrastructure system *
MAMBA - An in-house built integrated analytics platform, but less polished and usable than Palantir Government * to visualise the results of contact-chaining algorithms *
MARBLED GECKO - Query Focused Dataset (QFD) with bulk Google Maps/Earth requests (intercept: search engine queries in bulk, which are linked to an IP address) *
MARBLE POLLS - Something related to cyber vulnarabilities *
MARMION - Legacy circuit switched and line access interception system (in 2007) *
MARVEL ICE - Component of STARGATE Computer Network Exploitation *
MASK - Comintern communications (targeted since 1929)*
MEMORY HOLE - Query Focused Dataset (QFD) with bulk web search requests *
MERA PEAK - Front-end tool that performs Google-like searching across repositories *
MERION ZETA - Covername for Belgacom (and/or its GRX network)
MINIATURE HERO - Active skype capability. Provision of real time call records (SkypeOut and SkypetoSkype) and bidirectional instant messaging. Also contact lists.
MIRAGE - Certain data selected by electronic attack signature *
MIRANDA - System for managing intelligence requirements of GCHQ customers *
MoaG - Contact-chaining tool arising from the London bombings work, which was still being used regularly *
MONACO - Delivery networks *
MONDELLO - Access point for the Solas submarine internet cable *
MONKEY PUZZLE (MP) - GCHQ's unified targeting tool *
MONKEYSHOULDER - Proposed joint GCHQ-BND operation to tap a Deutsche Telekom cable in Frankfurt, Germany (cancelled in August 2013)*
MONOPOLY - Special Source events (metadata) *
MONTE VISTA - Analysis tool suite that represents data in graphs * Metadata and content fusion & visualisation effort *
MOONRAKER - Some kind of operational system * or a tasking/target database *
MOUTH - Tool for collection for downloading a user's files from Archive.org
MUGSHOT - Future Computer Network Exploitation technique *
MULLENIZE - GHCQ program for linking machines to IP addresses
MUSCULAR (JPM?) - Joint NSA-GCHQ operation to tap the cables linking Google and Yahoo data clouds to the internet * Part of WINDSTOP
MUTANT BROTH (MB) - Query Focused Dataset (QFD) with bulk metadata and DIs seen in the last 6 months *

NEWTONS CRADLE - TOR nodes accessible by GCHQ
NEXUS - MI5 (Security Service) desktop interface *
NIGELLA - Cover name for a Cable & Wireless access point to the FLAG Europe Asia (FEA) submarine cable in Cornwall *
NINJA - ? *
NIRAD - UK-Regional corpus of 56 hours of mostly Northern Irish accented speech *
NOCTURNAL SURGE - Database for Access Control Lists (ACLs) used for finding identifiers of system administrators *
NOSEY SMURF - An ability to covertly and remotely turn on the microphone of a mobile phone
NUMDAH - Access point for a British Telecom access to the SeaMeWe-3 submarine internet cable *

ODETTE - Intercept vehicle used in the 1990s *
O'MALLEY - Special purpose cryptanalytic machine, built in the late 1940s *
OEDIPUS - Special purpose cryptanalytic machine, working for example for the VENONA program (delivered in 1954) *
ONIONBREATH - Program for detecting hidden services on the TOR network *
OPTIC NERVE - A web interface to display Yahoo webcam images *
OPULENT PUP - Covername for an A5/3 crypto algorithm attack requirement *
OVERLIT - Some type of target *
OVERTASK - British enclave within the NATO mission network ISAF SECRET

PARANOID SMURF - Self-hiding capabilities of mobile phone spyware
PARIS DAKAR - Limited purpose front-end supercomputer, similar to DETROIT CITY (2008) *
PAT - Operation involving series of 12 reconaissance flights along the Baltic and the Polish coast by Comet spy planes (1974) *
PENSIVE GIRAFFE - Cyber defense analyst portal to group and summarise events * *
PFENNING ALPHA - Computer Network Exploitation (CNE) End Point project for access to the FLAG fiber-optic cable *
PHANTOM PARROT (PP) - A GTAC tool for querying mobile phone data, acquired from police forces under ITT Op WILDWAY *
PHOTON TORPEDO - A technique to actively grab the IP address of MSN messenger user
PIGS EAR - Profiling method(?) *
PILBEAM - Database for computer-to-computer metadata; replaced TEEDALE and was replaced by HAUSTORIUM *
PINNAGE - Cover name for Global Crossing
PLANE - Probably cover name of a telecommunications provider where GCHQ has cable access *
POKERFACE - Internet data sanitisation system *
PORUS - Kernel stealth plugin for mobile phones
POSITIVE PONY - "IP address to company and sector mapping" *
PRESCOTT - Non-cable access through Cable & Wireless *
PRESTON - Interception of voice and data authorized by individual RIPA warrants *
PRIME - UK strategic standard for encrypted IP communications, based on IPsec *
PRIME TIME - Telephony analysis timing tool *
PROBABILITY CLOUD - Tool for handset geo-location scoring *
PROVE - Probably cover name of a telecommunications provider where GCHQ has cable access *
PSOUP - Something related to contact-chaining *
PUBLIC ANEMONE - Metadata dataset for geolocation based upon web-based map searches *
PURPLE - High-level cypher machine used by Japan during World War II *

QUANTUM - Future Computer Network Exploitation technique *
QUIBBLE - Cooperation with the former Dutch security service BVD *
QUICK ANT - Tool for TOR data as part of the FLYING PIG program
QUICKIE - Submarine sonar system (1950s) *
QUITO - Operation related to Argentina and the Falkland Islands (2009) *

RADIUS - Broadband events (metadata) *
RAFTER - MI5 operation to remotely detect passive radio receivers used by Soviet illegals (1958)*
RAPID TAPIR - Discovery prototype (for cyber defense operations?) *
RAPTOR - Federated query mechanism that queries legacy/corporate repositories and analytics *
RATTAN - Joint US-UK program for decrypting Soviet radio messages (1944, renamed to BOURBON)*
RED - Lower level cypher used by the Japanese navy since World War I
RED - Particular Enigma cypher used by Nazi Germany *
REFORMER - Related or similar to HAUSTORIUM
REMEDY - Cover name for British Telecom
ROCKEX - British high-level cypher machine (1943-1973)
ROCK RIDGE - Next Generation Events (NGE) related effort *
ROLLING THUNDER (RT) - DDoS attack against hactivists *
ROSECROSS - GCHQ's equivalent of the NSA's HOTZONE voice collection system *
ROUGH DIAMOND - Something BLACK HOLE is part of *
ROYAL CONCIERGE - Program for monitoring hotel reservations to track diplomats
RUFFLE - Codename for the Israeli Sigint National Unit (ISNU) *
RUMOUR MILL - Analytic dashboard for prioritisation and showing "what does GCHQ already know"*
RUM PUNCH - Algorithm on the DISTELLERY framework used operationally at Digby for (near) real-time co-location of GSm handsets *
RUSSETT - Internal GCHQ phone system *

SALAMANCA - Database for telephone metadata, including location data; replaced by SOCIAL ANTHROPOID *
SALTY OTTER - Discovery prototype (for cyber defense operations?) *
SAMUEL PEPYS (SP) - Internet "diarisation tool" fusing all available traffic types so analysts can monitor in real time what happens from a certain IP address *
SANJAK - Submarine SIGINT collecting mission in the Arctic Circle (1955) *
SAMBOK - Storage for "geo events" from PRESTON targeted interception efforts *
SAMDYCE - Storage for SMS content from PRESTON targeted interception efforts *
SATYR - MI5 equivalent of the Soviet listening device (the Great Seal Bug) found in the US embassy in Moscow in 1952 *
SCAPEL - Former satellite intercept station near Nairobi in Kenya
SCEPTRE - Non-cable access through British Telecom *
SCRAPHEAP CHALLENGE - Perfect spoofing of e-mails from Blackberry targets
SHAREDQUEST - 5-Eyes modernization program for the satellite interception architecture (follow-up of SHAREDVISION) *
SHAREDVISION (SV) - 5-Eyes modernization program for the satellite interception architecture (until 2010, followed by SHAREDQUEST) *
SHAREOWN - Interface for 2nd Party usage of SALAMANCA (replaced ESCHAR in July 2010 *
SHARKQUEST - Signal analysing/processing capability *
SHORTFALL - Gateway to GCNet for open source information * *
SHORTSHEET - Exploitation server used in QUANTUM operations *
SILVER - SIS operation to wiretap Soviet army landlines through a tunnel under Vienna (1949-1955)
SILVER FOX - Metadata dataset for country level summaries of where identifiers were observed *
SILVER LINING - Storage for access to bulk metadata like from "GMMaps" * *
SILVER SPECTOR - Allows batch Nmap scanning over TOR
SLED - Special purpose cryptanalytic machine, built in the late 1940s *
SLIDE - Some tool to exploit iPhones *
SNAPDRAGON - A computer-to-computer (C2C) contact-chaining tool that "didn't work as intended" *
SNICK - Satellite intercept station near Seeb in Oman
SOCIAL ANIMAL - Query Focused Dataset (QFD) with bulk metadata about social network activities *
SOCIAL ANTHROPOID - QFD database of converged communication identifiers, like metadata of e-mails, social media interactions, instant messenger chats, cellphone locations, text messages, and VoIP calls (since 2010; replaced SOCIAL ANIMAL, REFORMER/HAUSTORIUM and SALAMANCA and to be enriched with BROAD OAK) * *
SOCIALIST - NAC MyNOC operation to provide access to the Belgacom GRX network (2009-2011)
SOLARSHOCK116 - End point machine in Iran, found in a TAO operation *
SORCERER - Component of STARGATE CNE * *
SORTING FRIENDS (SF) - Telephony contact-chaining tool "developed by a GCHQ integree at NSA" *
SOSTRUM - Probably an access point to a Cable & Wireless submarine fiber-optic cable *
SOUNDER - Satellite intercept station at Ayios Nikolaos on Cyprus
SOUTHWINDS - Collection program for Inmarsat satellite communications, first for its EMEA region, later global coverage *
SPAY - Information Assurance (IA) data acquired from sensors for Cyber Defense Operations (CDO) *
SPRING BISHOP - Database for URL's of a targets Facebook profile *
SQUEAKY DOLPHIN - Program for real-time monitoring of online activity on social media websites
SQUEAL - SIGINT data selected by electronic attack signature *
STARGATE - Computer Network Exploitation (CNE) tool * *
STEEPLEBUSH - 1984 extension to Menwith Hill Station *
STELLABLUE - Covert cable access or cooperating telecommunications partner *
STERLING MOTH - Metadata dataset for IP summarisation using computer-to-computer presence events *
STOCKADE - Joint MI5-GCHQ operation for analysing compromising emanation from French cipher machine cables (1960-1963) *
STOPWATCH - Joint SIS-CIA operation to wiretap Soviet army landlines through a tunnel under Berlin (1953-1956; joint UK-US codename: GOLD)
STORMFORCE - Hardware modem for processing satellite signals *
STRAP - Compartments for sensitive intelligence information, with levels 1, 2 and 3
STREETCAR - Cover name for Interoute
STUNT WORM - Program for exploiting the TOR network
STURGEON - Messages produced by the T-52 Geheimschreiber cypher machine from Nazi Germany *
SUGAR - Tunnel under Vienna dug by the SIS to wiretap Soviet telephone cables (1948-195?) *
SUNBLOCK - Ability to deny functionality to send/receive e-mail or view material online
SUPERDRAKE - A query focused dataset *
SWAMP DONKEY - A tool that will silently locate all predefined types of file and encrypt them on a targets machine
SWORDFISH - Decompression tool
SWORDPLAY - Source of data availablt via Bude RPC *

TACHO - Management/tasking system for certain selectors and filters *
TAMING PASTRIES - Part of the TERRAIN system? *
TAPER - Soviet military cypher machines used at division level (1940s)*
TEEDALE - Database for computer-to-computer metadata; replaced by PILBEAM *
TELLURIAN - Internet packet processing system
TEMPEST - Spying on information systems through leaking emanations, including unintentional radio or electrical signals, sounds, and vibrations
TEMPORA - Computer system for filtering and searching billions of internet data, mainly from the Middle East, North Africa and Europe (operational since 2011). Similar to NSA's XKEYSCORE system.
TERMINAL SURGE - Database for Telnet sessions collected by the NAC unit *
TERRAIN - Processing system that sessionizes data from internet links before sending it to XKEYSCORE * for example at Bude and SOUNDER *
THICKISH ALPHA - Some CNE-related log viewer tool *
THIEVING MAGPIE (TM) - Program for collecting metadata of mobile phones from airplane passengers; data source for HOMING PIGEON *
THUGGEE - Rules? applied to SALAMANCA events *
TIBET - Operation involving 7 reconaissance flights along the Baltic and the Polish coast by Comet spy planes (1974) *
TICKETWINDOW - System that makes Special Source collection available to 2nd Party partners *
TIDAL SURGE - Some kind of database used by the NAC unit *
TIMPANI - Fiber-optic cable intercept facility near the Strait of Hormuz in Oman *
TINT - Experimental research environment for an internet traffic filtering system * (or joint NSA/GCHQ project to develop the Deep Dive XKS capability)
TRACFIN - Database for financial information *
TRACKER SMURF - High-precision geolocation method for mobile phones
TRAFFIC MASTER - Management/tasking system for certain selectors and filters *
TRANSIENT THURIBLE - An XKEYSCORE site with "Deep Dive" capability managed by GCHQ * Part of the WINDSTOP umbrella program *
TRIBAL CARNEM - Metadata dataset using RADIUS logs to identify and collect activity for IP sessions *
TRITON - Some kind of operational system *
TRYST - GCHQ operatives working under cover abroad * like for example at the covert listening post in the British embassy in Moscow *
TUNNY - On-line cypher machine Lorenz SZ-40 used by the High Command of Nazi Germany
TUXEDO - RAF's regional stockpile of nuclear weapons on Cyprus *
TWO FACE - Supposedly the analytic user interface for cyber defense made by Palantir * *

ULTRA - Compartment for Top Secret COMINT information, like decrypted high-level military Nazi messages (until 1946) *
UNDERPASS - Change outcome of online polls (previously known as NUBILO)

VAIL - Web user interface through which 2nd Party analysts can query QFDs on GCHQ servers *
VAMPIRE - Intercept vehicle used in the 1990s *
VENONA - Joint US-UK project for decrypting intercepts of messages from the KGB (British codename: BRIDE)
VISAGE - Probably a submarine cable access point of Cable & Wireless (2008)*
VITREOUS - Cover name for Viatel

WAFTER - Cyber defense operation *
WARFRAT - Tool that is part of "CNE support PTD" *
WARLOCK - Special purpose cryptanalytic machine, built in the late 1940s *
WARPATH - Mass delivery of SMS messages to support an Information Operations campaign
WARPIG - A botnet that can be deployed against target computers *
WARRIORPRIDE (WP) - Scalable, flexible and portable unified CNE platform used throughout the Five Eyes; equivalent at GCHQ is DAREDEVIL * It was for example used to break into iPhones *
WAYGOOD - Cable intercept center similar, or related to CIRCUIT *
WEALTH - Operation against hacktivism in support to law enforcement (2011) *
WHICHED - INOC-led operation looking at an Iranian naval base near the Straits of Hormuz *
WHIPSAW - Redirect and exploitation server *
WIDOWMAKER - British team, based at Menwith Hill, in Denver, and in Alice Springs, that had to discover communications intelligence gaps in support of the global war on terror (2008)*
WILDWAY - ITT operation under which police forces acquire mobile phone data *
WOLFRAMITE - Capability against the A5/3 GSM encryption algorithm *
WYLEKEY - Operation of GCHQs MyNOC unit targeting international mobile billing clearing houses *

ZAMENIS - NTAC targeted interception special source access (UKC-105) *
ZIRCON - British SIGINT satellite intended to be launched in 1988, before being cancelled in 1987.
ZOOL - Database with open source information related to cyber defense(?) *

- See also the codenames of JTRIG tools and techniques


Abbreviations and Acronyms

A - Alpha (classification marking)
AA - Actor Action (an ICD)
AAS - Analytics Agility Service
ACD - ?

B3M - ? (GCHQ's equivalent of NSA's NUCLEON)
BADASS - BEGAL Automated Deployment And Survey System *
B3M - ? (storage for VoIP call data)
BEPD - (Billion Events Per Day?)
BJ - Blue Jacket (file cover for signals intelligence information)
BOT - BROAD OAK Tasking(?)
BP - Bletchley Park
BPD - Bulk Personal Dataset
BSS - British Security Service (MI5)
BzS - BLAZING SADDLES (see Codewords)

C - Chief of the Secret Intelligence Service (SIS or MI6)
CAPS - Certified Assisted Products (approved cryptographic products)
CCD - Communications Capabilities Directorate (of the Home Office)
CCD - Communications Capabilities Development (before 2011: IMP)
CCDF - Cryptologic Common Data Format
CCM - Combined Cipher Machine (1942-1950s)
CCNE - ?
CD - Communications Data (metadata)
CDC - Cyber Development Centre
CDO - Cyber Defence Operations (formerly NDIST)
CE - ? (delivery system for collected data)
CESD - Communications-Electronics Security Department (1965, in 1969 renamed into CESG)
CESG - Communications-Electronics Security Group
CET - Communications and Engagement Team
CHI - Computer Human Interaction
CHOTS - Corporate Headquarters Office Technology System
CISA - ?
CITD - Covert Internet Technical Development (JTRIG unit)
CKX - ? (team working on hacker forums?)
CMDU - Cypher Machine Development Unit
CNE - Computer Network Exploitation
CNIO - Computer Network Information Operations
COPA - Combined Policy Authorisation (replaced STA, TTA and FININT authorisations)
CPC - (Central or Cheltenham?) Processing Centre
CSOC - Cyber Security Operations Centre
CSP - Communication Service Provider
CTC - Counter-Terrorist Check (clearance level)
CX - Prefix for a report from the SIS

DAA - Data Acquisition Authorisation
DCMC - Defence Crisis Management Centre
DCO - Direct Cable Ownership (submarine cables)
DD - Delivery Domain
DFTS - Defence Fixed Telecommunications Service
DGI - Director General of Intelligence (at the Ministry of Defence)
DII - Defence Information Infrastructure
DIS - Defence Intelligence Staff
DIT - Digint Identification Team
DMZ - Demilitarized Zone
DP - Designated Person
DRIP - Data Retention and Investigatory Powers (act)
DV - Developed Vetting (clearance level)
DWR - Director's Workbook Review
DWS - Diplomatic Wireless Service

eAD - (electronic Attack Discovery?)
EAD-GK - (IA data feed in XKS)
EAD-SP - (IA data feed in XKS)
ECB - ? (GCHQ unit?)
ECI - Exceptionally Controlled Information
EI - Equipment Interference (Computer Network Exploitation, or hacking)
EIS - ?
EPR - ?
EWB - Economic Well-Being (lawful purpose for GCHQ SIGINT operations)

FCO - Foreign & Commonwealth Office
FRU - Force Research Unit (1982-2007)

GC&CS - Government Code & Cypher School (predecessor of GCHQ)
GCHQ - Government Communications Headquarters
GCO - Government Communications Officer *
GDR - ? (delivery system for collected data)
GK - GORDIAN KNOT (See codewords listing)
GTAC - GCHQ Target Analysis Center
GTAC - Government Technical Assistance Center (est. 2000, later: NTAC)
GTDI - Generic Target Detection Identifier
GTE - Global Telecommunications Exploitation
GTN - Global Telecommunications Network (BT backbone network?)
GTP - GPRS Tunnelling Protocol

HANDEX - Handset Exploitation
HB - ?
HHFP - ?
HMGCC - His Majesty's Government Communications Centre (at Hanslope Park outside Milton Keynes)
HMGS - Harrogate Mission Ground Station
HMRC - HM Revenue & Customs
HRA - Human Rights Act
HSOC - Human Science Operations Cell

IACSCG - Information Assurance and Cyber Security Co-ordination Group (for the 2012 Olympics)
ICD - Interface Control Document (specifies formats for storing metadata)
ICR - Internet Connection Record
ICTR - ICT Research
iDU - internet Data Unit
IIB - ? (delivery system for collected data)
IMP - Interception Modernisation Programme (since 2011: CCD)
InfoVis - Information Visualisation
INOC - InterNet Operations Centre
IntRep - Intelligence Report
IOCA - Interception of Communications Act 1985
IPP - ?
IPT - ?
IRIS - ? *
IRU - Indefeasible Right of Use (submarine cables)
ISA - Intelligence Services Act (1994)
ITT - ?

JARIC - Joint Air Reconnaissance Intelligence Cell
JBOS - ?
JCA - Joint Capability Activity
JCA - Joint Collaboration Environment
JIC - Joint Intelligence Committee
JMB - ?
JPC - (Joint) Processing Centre(?)
JPT - Joint Project Team
JSRU - Joint Speech Research Unit
JSSW - Joint Service Signal Wing
JTLS - Joint Technical Language Service
JTRIG - Joint Threat Research Intelligence Group

KMSG - Key Management Strategy Group (5-Eyes)
KP - KARMA POLICE (see Codewords)

LAPEL - Legal and Policy Effects Licence
LC - Leased Capacity (submarine cables)
LCSA - London Communications Security Agency (1953, in 1965 renamed into CESD)*
LCSB - London Communications Security Board
LPG - London Processing Group

MB - MUTANT BROTH (see Codewords)
MCE - ? (GCHQ unit)
MCIC - Maritime Cryptologic Integration Centre
MCT - ? (GCHQ unit)
MES - MILKWHITE Enrichment Service
MHE - ? (GCHQ unit)
MHET - Mobile Handset Exploitation Team (joint NSA-GCHQ unit since 2010)
MI - ?
MIKEY - Multimedia Internet KEYing (key management protocol)
MISD - ?
MISD1 - ?
MO - Modus Operandi
MOAG - ?
MoD - Ministry of Defence
MoMo - ?
MP - MONKEY PUZZLE (see codewords listing)
MP-LEG - ? (legal unit in the MP division)
MTI - Mastering the Internet
MTI - Methods to Improve (sequential 5 year SIGINT programs at GCHQ)
MVR - Massive Volume Reduction *
MWX - ?
MyNOC - My Network Operations Centre

NAC - Network Analysis Centre
NCND - Neither Confirm Nor Deny
NDIST - Network Defence Intelligence & Security Team (now: CDO)
NEP - NATO & Europe Policy (Ministry of Defense division)
NGE - Next Generation Events
NHIS - National Handover Interface Specifications (for warranted intercepts)
NOC - Network Operations Centre
NPAC - National Ports Analysis Center
NRT - Near Real Time *
NS - National Security (lawful purpose for GCHQ SIGINT operations)
NSEC - ? (phone network?)
NTAC - National Technical Assistance Centre (previously: GTAC)
NTAT - Network Tradecraft Advancement Team (Five Eyes working group)

OCAA - Online Covert Action Accreditation
OCCT - Olympic Cyber Co-ordination Team (for the 2012 Olympics)
OCE - Other Current Expenditure
ODF - ?
OH - ?
OMG - ?
OOA - ?
OPA - ?
OPC - Office of Primary Concern (GCHQ units)
OPC - Overseas Processing Centre
OPC-CNE - Office of Primary Concern-Computer Network Exploitation(?)
OPD - (GCHQ Operations Division?)
OPP-LEG - (legal unit in the OPP division)
OSDS - ?

PCS - Personal Communication Services (mobile phone technology)
PDO - Processed Data Output (NTAC service)
PFS - Perfect Forward Secrecy
PP - PHANTOM PARROT (See codewords)
PPF - ? (system that delivers telephony metadata to TERRAIN?)
PPR - Personalised Page Rank
PSIS - Permanent Secretaries' Committee on the Intelligence Services
PTC - Production Tasking Co-ordinator
PTC - ?
PTD - Penetrate Target Defense?
PTSG - Pull Through Steering Group

QFD - Query-Focused Dataset *
QI - QUANTUM INSERT (See NSA codewords listing)

RCP - ?
RE - Reverse Engineering
RFS - Ready For Service (submarine cables)
RIPA - Regulation of Investigatory Powers Act (2000)
ROC - Radio Operations Committee (1960-?)
RPC - Regional Processing Centre (at GCHQ Bude)
RT - ROLLING THUNDER (see Codewords)

SC - Security Check (clearance level)
SC - Serious Crime (lawful purpose for GCHQ SIGINT operations)
SCDU - Services Communications Development Unit
SD - SIGINT Development
SDC - SIGINT Development Conference (annual Five Eyes event)
SDSG - SIGINT Development Steering Group (GHCQ)
SEM - ?
SEP - Single End Point
SIA - (Signals Intelligence Agencies?)
SigMod - SIGINT Modernisation
SINO - Supporting Internet Operations
SIRDCC - ? (Speech Technology Working Group)
SIS - Secret Intelligence Service (MI6)
SKB - Signature Knowledge Base *
SLR - Single-Line Record (data format)
SME - ?
SMI - Secure Management Infrastructure (for crypto management)
SMO - ?
SOCA - Serious Organised Crime Agency
SP - SAMUEL PEPYS (see Codewords)
SPQR - ? (metadata management format?, incl. GDR, CE, IIB)
SRE - Software Reverse Engineering
SRT - Sensitive Relationship Team *
SSDG - ?
SSE - Special Source Exploitation
SSMG - ?
SSOS - ? (GCHQ unit)
STA - Sensitive Targeting Authorisation (replaced by COPA)

T - Technology (GCHQ division)
TACT - Terrorism Act
TCP - ? (GCHQ unit?)
TDB - ? (related to metadata or GCHQ unit)
TDE - ?
TDI - Target Detection Identifier (like computer cookies)
TDS - ?
TDSD - Target Discovery and SIGINT Development
TEA - ? (GCHQ unit?)
TECA - Technical Enabling Cover Access (unit for mobile phone exploitation)
TGA - ?
TICOM - Target Intelligence COMmittee (after World War II)
TLV - Tag Length Value (data format)
TND - Target Number Database
TPS - ? (GCH unit)
TR - Technology Research (GCHQ division)
TRL - ?
TSI - ?
TSS2 - (Top Secret STRAP 2?)
TTA - Travel Tracking Authorisation (replaced by COPA)
TYPEX - British high-level cypher machine (1937-1950s)

UDAQ - Unified Data Access and Query (GCHQ tool)*
UKEO - UK Eyes Only
UKTF - United Kingdom Task Force (Afghanistan)
UKUSA - UK-USA signals intelligence agreements

VAST - Visual Analytics Science and Technology
Vis - Visualisation
VSLT - ? (storage database)
VX - Vauxhall Cross (SIS/MI6)

WG - WAYGOOD (see Codewords)

Y - Wireless interception (usually low-level)
Y (Section) - SIS unit undertaking interception activities
Y Station - Signals interception arms of the three armed services

Links and Sources
- Christopher Parsons: GCHQ Covernames/Programs and Suggested Use/Implementation
- NSA Observer: Things the NSA doesn't want you to know
- The Defence Manual of Security (2001)
- Richard J. Aldrich, GCHQ, The uncensored story of Britain's most secret intelligence agency, Harper Press, London 2010.

No comments:

In Dutch: Meer over het wetsvoorstel voor de Tijdelijke wet cyberoperaties