GCHQ port scans 32 countries to find servers it can hack and use in attacks

GCHQ's 'Hacienda' programme to find insecure servers it can compromise - and from which it can conduct attacks

Spy agency GCHQ has been routinely scanning internet-connected servers in 27 countries in a bid to find insecure systems that it can compromise.

GCHQ has been using port-scanning programmes since 2009 under its Hacienda programme, according to documents published by Germany's c't magazine.

According to security expert Bruce Schneier, it's unclear whether or not the documents are from the trove of data stolen by US National Security Agency (NSA) whistleblower Edward Snowden.

The documents indicate that GCHQ "randomly scans every IP identified for that country" and conducts partial scans on five others. However, the report blanks out the 32 countries affected.

While port scanning is not unusual, the scale and indiscriminate nature of the operation conducted by GCHQ is. It also indicates that GCHQ considers itself above the law, given that it would appear to be searching out any servers to hack not based on operational necessity.

According to c't magazine, the documents show that GCHQ uses Hacienda for "vulnerability assessment, network analysis and target discovery", and to detect "operational relay boxes" - servers it can use to hide the source of its attacks.

The Hacienda programme gathers data on all insecure servers, including host name, system and application information, port status, and directory listings. It also profiles the machines concerned, including browser, operating system and its patch status. This information is also shared with the US, Canada, Australia and New Zealand - the UK's partners in the Five Eyes spying programme.

The magazine claims that Hacienda is part of GCHQ's £1bn programme of "Mastering the Internet", which has the explicit aim of attacking and compromising every internet-connected system that it can.