Fake URL’s and Shortening During Arab Spring/Iran

In 2014, it was reported but not widely so.

Edward Snowden leaked a top-secret GCHQ document which details the operations and the techniques used by JTRIG unit for propaganda and internet deception.

SecurityAffairs: The JTRIG unit of the British GCHQ intelligence agency has designed a collection of applications that were used to manipulate for internet deception and surveillance, including the modification of the results of the online polls. The hacking tools have the capability to disseminate fake information, for example artificially increasing the counter of visit for specific web sites, and could be also used to censor video content judged to be “extremist.” The set of application remembers me the NSA catalog published in December when the Germany’s Der Spiegel has revealed another disturbing article on the NSAsurveillance, the document leaked by tge media agency was an internal NSA catalog that offers spies backdoors into a wide range of equipment from major vendors.

The existence of the tools was revealed by the last collection of documents leaked by Edward Snowden, the applications were created by GCHQ’s Joint Threat Research Intelligence Group (JTRIG) and are considered one of the most advanced system for propaganda and internet deception. JTRIG is the secret unit mentioned for the first time in a collection of documents leaked by Snowden which describe the Rolling Thunder operation, the group ran DoS attack against chatrooms used by hacktivists. More here.

It is being reported again and it may be just good tradecraft by British intelligence.

British Spies Used a URL Shortener to Honeypot Arab Spring Dissidents

Motherboard: A shadowy unit of the British intelligence agency GCHQ tried to influence online activists during the 2009 Iranian presidential election protests and the 2011 democratic uprisings largely known as the Arab Spring, as new evidence gathered from documents leaked by Edward Snowden shows.

The GCHQ’s special unit, known as the Joint Threat Research Intelligence Group or JTRIG, was first revealed in 2014, when leaked top secret documents showed it tried to infiltrate and manipulate—using “dirty trick” tactics such as honeypots—online communities including those of Anonymous hacktivists, among others.

The group’s tactics against hacktivists have been previously reported, but its influence campaign in the Middle East has never been reported before. I was able to uncover it because I was myself targeted in the past, and was aware of a key detail, a URL shortening service, that was actually redacted in Snowden documents published in 2014.

THE HONEYPOT

A now-defunct free URL shortening service—lurl.me—was set up by GCHQ that enabled social media signals intelligence. Lurl.me was used on Twitter and other social media platforms for the dissemination of pro-revolution messages in the Middle East.

These messages were intended to attract people who were protesting against their government in order to manipulate them and collect intelligence that would help the agency further its aims around the world. The URL shortener made it easy to track them.

I was able to uncover it because I was myself targeted in the past

The project is linked to the GCHQ unit called the Joint Threat Research Intelligence Group or JTRIG, whose mission is to use “dirty tricks” to “destroy, deny, degrade [and] disrupt” enemies by “discrediting” them, according to leaked documents.

The URL shortening service was codenamed DEADPOOL and was one of JTRIG’s “shaping and honeypots” tools, according to a GCHQ document leaked in 2014.

Leaked GCHQ document listing shaping and honeypot tools used by JTRIG.

Earlier in the same year, NBC News released a leaked document showing that JTRIG attacked the hacktivist outfits Anonymous and LulzSec by launching Distributed Denial of Service (DDoS) attacks on chatroom servers know as Internet Relay Chat (IRC) networks.

The group also identified individuals by using social engineering techniques to trick them into clicking links—a technique commonly used by cybercriminals.

One slide showed a covert agent sending a link—redacted by NBC in the slide—to an individual known as P0ke. According to the slide, this enabled the signals intelligence needed to deanonymize P0ke and discover his name, along with his Facebook and email accounts.

In the fall of 2010, I was an early member of the AnonOps IRC network attacked by JTRIG and used by a covert GCHQ agent to contact P0ke, and in 2011 I co-founded LulzSec with three others. The leaked document also shows that JTRIG was monitoring conversations between P0ke and the LulzSec ex-member Jake Davis, who went by the pseudonym Topiary.

Through multiple sources, I was able to confirm that the redacted deanonymizing link sent to P0ke by a covert agent was to the website lurl.me.

Leaked GCHQ slide from document titled “Hacktivism: Online Covert Action.”

COVERT DISRUPTION

Further investigation of the URL shortener using public data on the web exposed a revealing case study of JTRIG’s other operations that used the DEADPOOL tool, including covert operations in the Middle East.

The Internet Archive shows that the website was active as early as June 2009 and was last seen online on November 2013. A snapshot of the website shows it was a ”free URL shortening service” to ”help you get links to your friends and family fast.”

Snapshot of lurl.me.

Public online resources, search engines and social media websites such as Twitter, Blogspot and YouTube show it being used to fulfill GCHQ geopolitical objectives outlined in previously leaked documents. Almost all 69 Twitter pages that Google has indexed referencing lurl.me are anti-government tweets from supposed Iranian or Middle Eastern activists.

The vast majority are from Twitter accounts with an egg avatar only active for a few days and have a few tweets, but there were a couple from legitimate accounts that have been tweeting for years, who have retweeted or quoted the other accounts tweeting from the URL shortener.

According to agency documents published by The Intercept, one of the strategies for measuring the effectiveness of an operation is to check online to see if a message has been “understood accepted, remembered and changed behaviour”. This could for example involve tracking those who shared or clicked on the lurl.me links created by GCHQ.

The group also identified individuals by using social engineering techniques to trick them into clicking links

Another JTRIG document published by The Intercept titled “Behavioural Science Support for JTRIG’S Effects and Online HUMINT Operations” can be used to understand the content associated with social media accounts that used the URL shortener.

JTRIG has an operations group for global targets, which then has a subteam for Iran, According to the document. It further states that “the Iran team currently aims to achieve counter-proliferation by: (1) discrediting the Iranian leadership and its nuclear programme; (2) delaying and disrupting access to materials used in the nuclear programme; (3) conducting online HUMINT; and (4) counter-censorship.”

The document goes on to detail the methods that JTRIG employs to achieve these goals, such as creating false personas, uploading YouTube videos, and starting Facebook groups to push specific information or agendas. Many of the techniques outlined are evident in social media accounts that aggressively use the URL shortener.

Page from leaked GCHQ document titled “Behavioural Science Support for JTRIG’S Effects and Online HUMINT Operations,” published at The Intercept.

AGENTS OF THE CAMPAIGN

There appear to be a small number of Twitter accounts that were only active during the month of June 2009, have very few followers, and repeatedly tweet the same content and links from lurl.me. One of the earliest and prolific accounts to tweet using the URL shortener is 2009iranfree.   Read more here from Motherboard.

Posted in #StopIran, al Qaida al Nusra Boko Haram, Citizens Duty, Cyber War, Department of Defense, Department of Homeland Security, FBI, Insurgency, Iran Israel, Military, NSA Spying, Russia, Terror, The Denise Simon Experience, Whistleblower.

Denise Simon