British Spies Used a URL Shortener to Honeypot Arab Spring Dissidents


A shadowy GCHQ unit used several Twitter accounts to try to influence protests in Iran and across the region since 2009.

A shadowy unit of the British intelligence agency GCHQ tried to influence online activists during the 2009 Iranian presidential election protests and the 2011 democratic uprisings largely known as the Arab Spring, as new evidence gathered from documents leaked by Edward Snowden shows.

The GCHQ's special unit, known as the Joint Threat Research Intelligence Group or JTRIG, was first revealed in 2014, when leaked top secret documents showed it tried to infiltrate and manipulate—using "dirty trick" tactics such as honeypots—online communities including those of Anonymous hacktivists, among others.


The group's tactics against hacktivists have been previously reported, but its influence campaign in the Middle East has never been reported before. I was able to uncover it because I was myself targeted in the past, and was aware of a key detail, a URL shortening service, that was actually redacted in Snowden documents published in 2014.

THE HONEYPOT

GCHQ set up a now-defunct free URL shortening service, lurl.me, that enabled social media signals intelligence. Lurl.me was used on Twitter and other social media platforms for the dissemination of pro-revolution messages in the Middle East.

These messages were intended to attract people who were protesting against their government in order to manipulate them and collect intelligence that would help the agency further its aims around the world. The URL shortener made it easy to track them.


The project is linked to the GCHQ unit called the Joint Threat Research Intelligence Group or JTRIG, whose mission is to use "dirty tricks" to "destroy, deny, degrade [and] disrupt" enemies by "discrediting" them, according to leaked documents.

The URL shortening service was codenamed DEADPOOL and was one of JTRIG's "shaping and honeypots" tools, according to a GCHQ document leaked in 2014.

Leaked GCHQ document listing shaping and honeypot tools used by JTRIG.

Earlier in the same year, NBC News released a leaked document showing that JTRIG attacked the hacktivist outfits Anonymous and LulzSec by launching Distributed Denial of Service (DDoS) attacks on chatroom servers known as Internet Relay Chat (IRC) networks.


The group also identified individuals by using social engineering techniques to trick them into clicking links—a technique commonly used by cybercriminals.

One slide showed a covert agent sending a link—redacted by NBC in the slide—to an individual known as P0ke. According to the slide, this enabled the signals intelligence needed to deanonymize P0ke and discover his name, along with his Facebook and email accounts.

In the fall of 2010, I was an early member of the AnonOps IRC network attacked by JTRIG and used by a covert GCHQ agent to contact P0ke, and in 2011 I co-founded LulzSec with three others. The leaked document also shows that JTRIG was monitoring conversations between P0ke and the LulzSec ex-member Jake Davis, who went by the pseudonym Topiary.

Through multiple sources, I was able to confirm that the redacted deanonymizing link sent to P0ke by a covert agent was to the website lurl.me.

Leaked GCHQ slide from document titled "Hacktivism: Online Covert Action."

COVERT DISRUPTION

Further investigation of the URL shortener using public data on the web exposed a revealing case study of JTRIG's other operations that used the DEADPOOL tool, including covert operations in the Middle East.

The Internet Archive shows that the website was active as early as June 2009 and was last seen online in November 2013. A snapshot of the website shows it was a "free URL shortening service" to "help you get links to your friends and family fast."

Public online resources, search engines and social media websites such as Twitter, Blogspot and YouTube show it being used to fulfill GCHQ geopolitical objectives outlined in previously leaked documents. Almost all 69 Twitter pages that Google has indexed referencing lurl.me are anti-government tweets from supposed Iranian or Middle Eastern activists.


The vast majority are from Twitter accounts with an egg avatar that were active for only a few days and have only a few tweets, but a couple are from legitimate accounts that have been tweeting for years and that retweeted or quoted the other accounts tweeting links from the URL shortener.

According to agency documents published by The Intercept, one of the strategies for measuring the effectiveness of an operation is to check online to see if a message has been "understood accepted, remembered and changed behaviour". This could for example involve tracking those who shared or clicked on the lurl.me links created by GCHQ.


Another JTRIG document published by The Intercept titled "Behavioural Science Support for JTRIG'S Effects and Online HUMINT Operations" can be used to understand the content associated with social media accounts that used the URL shortener.

JTRIG has an operations group for global targets, which in turn has a subteam for Iran, according to the document. It further states that "the Iran team currently aims to achieve counter-proliferation by: (1) discrediting the Iranian leadership and its nuclear programme; (2) delaying and disrupting access to materials used in the nuclear programme; (3) conducting online HUMINT; and (4) counter-censorship."

The document goes on to detail the methods that JTRIG employs to achieve these goals, such as creating false personas, uploading YouTube videos, and starting Facebook groups to push specific information or agendas. Many of the techniques outlined are evident in social media accounts that aggressively use the URL shortener.


AGENTS OF THE CAMPAIGN

There appear to be a small number of Twitter accounts that were only active during the month of June 2009, have very few followers, and repeatedly tweet the same content and links from lurl.me. One of the earliest and most prolific accounts to tweet using the URL shortener is 2009iranfree.

A large portion of the network of barely-active sockpuppet Twitter accounts appears to revolve around an objective of enabling Iranians to access information that would otherwise be censored by the regime.

In the JTRIG behavioural science document, this is categorized as "providing online access to uncensored material (to disrupt)." This objective is achieved by providing information about blocked websites and access to international news reports. The commonly recurring site that the Twitter accounts link to was iran-news.info, which was a feed of English news reports about Iran.

It may appear that the objectives of anti-government protesters and GCHQ align in that both wish to discredit the regime and perform counter-censorship. However, it is worth remembering that one of the other stated objectives of JTRIG's Iran program is to conduct online human intelligence, and lurl.me has been historically used to enable signals intelligence for deanonymization as shown in the leaked GCHQ hacktivism document.

A curious recurring theme of this network of Twitter accounts is to encourage readers outside of Iran to call a particular number in Iran to protest, which was claimed to be that of the president. The number was also posted on the activism forum WhyWeProtest. One of the methods described in the JTRIG document is "mimicking a real person (to discredit, promote distrust, dissuade, deceive, deter, delay or disrupt)."


Regardless of the ultimate goal, which seems unclear, it seemed to be successful at promoting distrust; one of the comments on the thread is "Can't be Ahmedinijad's #. And if it were, the second call will be answered by Iranian intelligence services. Still, these are strange days. I suppose anything could happen at this point."

A TANGLED WEB

The URL shortener had no new activity on Twitter in 2010, and was next seen in 2011, used predominantly by an account called access4syria that tweeted about Syria during the Arab Spring. The account was only active between May and June 2011, and only tweeted between 9 AM and 5 PM UK time on Monday to Friday.

It seems bizarre that when managing fake personas, JTRIG is only capable of controlling a limited number of accounts, with exactly the same content, at limited times, and mainly using English. However, a page from the leaked JTRIG document provides some insight into the difficulties faced by JTRIG agents in conducting their operations, including difficulty in maintaining more than two or three aliases and limited access to language advisors.
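The account traits described above (a short active window, repeated content, and posting only between 9 AM and 5 PM UK time on weekdays) can be checked mechanically against an account's timeline. The following Python is an added example, not code from the article or from any leaked document; the function names, thresholds, `short.example` links and sample tweets are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

def _last_sunday(year, month):
    # Valid for March and October, which both have 31 days.
    d = datetime(year, month, 31, 1, tzinfo=UTC)
    return d - timedelta(days=(d.weekday() + 1) % 7)

def to_uk_time(ts_utc):
    """Convert an aware UTC datetime to naive UK wall-clock time.
    BST (UTC+1) runs from the last Sunday of March to the last Sunday
    of October, switching at 01:00 UTC."""
    in_bst = _last_sunday(ts_utc.year, 3) <= ts_utc < _last_sunday(ts_utc.year, 10)
    return (ts_utc + timedelta(hours=1 if in_bst else 0)).replace(tzinfo=None)

def profile(tweets):
    """tweets: non-empty list of (aware UTC datetime, text) for one account."""
    local = [to_uk_time(ts) for ts, _ in tweets]
    office = sum(1 for t in local if t.weekday() < 5 and 9 <= t.hour < 17)
    unique_texts = len({text for _, text in tweets})
    return {
        "office_hours_fraction": office / len(tweets),
        "active_days": (max(local).date() - min(local).date()).days + 1,
        "duplicate_fraction": 1 - unique_texts / len(tweets),
    }

def looks_scheduled(tweets, min_tweets=5, min_duplicates=0.5):
    # Thresholds are assumptions. A hit is a lead for manual review,
    # not attribution: a real person can also tweet only from the office.
    if len(tweets) < min_tweets:
        return False
    p = profile(tweets)
    return p["office_hours_fraction"] == 1.0 and p["duplicate_fraction"] >= min_duplicates

def _t(day, hour, minute, text):
    return (datetime(2011, 6, day, hour, minute, tzinfo=UTC), text)

# Constructed sample timelines (June 2011, timestamps in UTC), not real tweets.
MSG1, MSG2 = "proxy tips http://short.example/a", "news feed http://short.example/b"
ACCOUNT_A = [_t(6, 8, 5, MSG1), _t(6, 15, 55, MSG1), _t(7, 10, 0, MSG1),
             _t(8, 12, 30, MSG2), _t(9, 9, 15, MSG1), _t(10, 14, 0, MSG2)]
ACCOUNT_B = [_t(6, 7, 0, "morning"), _t(7, 19, 30, "evening rally"),
             _t(8, 11, 0, "lunch break"), _t(11, 13, 0, "saturday march"),
             _t(12, 22, 10, "late night")]

if __name__ == "__main__":
    for name, tl in (("A", ACCOUNT_A), ("B", ACCOUNT_B)):
        print(name, profile(tl), looks_scheduled(tl))
```

The first tweet in `ACCOUNT_A` is stamped 08:05 UTC, which falls inside office hours only after the BST conversion; comparing raw UTC hours would misclassify it.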

The Syrian activism account, like the Iranian accounts, also revolved around the objective of providing citizens a means to bypass online government censorship.

The Arabic instructions encourage readers to "connect to the Internet via satellite, for example, at your friends' houses, Internet shops, or at company offices" in order to avoid being disconnected from the global internet. They also tell readers to "Use a proxy to access blocked pages. This will allow you to use the Internet safely. For example, you can use the following proxy:" and go on to give two IP addresses for use as proxies.


Those who used JTRIG-associated proxies may find that they are not what they seem to be. For example, one of the JTRIG honeypot tools listed in the same category as the URL shortening tool is MOLTEN-MAGMA, which is a "CGI HTTP Proxy with ability to log all traffic and perform HTTPS Man in the Middle." In other words, JTRIG could spy on people who used a MOLTEN-MAGMA proxy.

The lurl.me URL shortener was last seen online by archive.org in November 2013, a few months after the Snowden leaks were released.

When asked to comment on whether it created the uncovered accounts and lurl.me, and what procedures and policies were in place to ensure oversight of undercover activity carried out by JTRIG, GCHQ provided its boilerplate response.

"It is long standing policy that we do not comment on intelligence matters. Furthermore, all of GCHQ's work is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Parliamentary Intelligence and Security Committee. All our operational processes rigorously support this position," a GCHQ spokesperson said in an email.

Although the internet has provided citizens with a powerful mechanism to organize and protest against oppressive regimes, it has also provided intelligence agencies with an equally powerful mechanism of access and visibility to the protesters.

While many online protest groups benefit from the open nature of the internet, they will inevitably want to develop means by which they can resist infiltration by adversaries taking advantage of that same openness.

This previously unknown wide-ranging influence operation by British spies shows how on the internet every tool is a double-edged sword.


Mustafa is a security researcher and advisor known online as @musalbas. When he was 16 he was part of the LulzSec group whose members were targeted by a GCHQ spy unit.

The Hacks We Can't See is Motherboard's theme week dedicated to the future of security and the hacks no one's talking about.