"That's how online guerrilla warfare works"
In the immediate aftermath of the events that took place in Beirut and Paris on November 12 and 13, 2015, the hacker group Anonymous released one of its by now well-known video statements on YouTube, declaring war on ISIS, which had claimed responsibility for the attacks that left almost 200 people dead.
The media took this statement surprisingly seriously compared to mainstream reactions to previous declarations released by the group. What followed were mostly reports about several factions of Anonymous exposing and taking down ISIS-owned social media accounts, questions about the feasibility of these actions, and reports asking whether these actions thwarted surveillance operations by intelligence agencies - which goes to show how insufficient the general public’s knowledge about our current informational reality is.
One splinter group, which calls itself Ghost Security Group and goes by the Twitter handle @GhostSecGroup, was reported to have exposed Bitcoin accounts owned by ISIS, containing up to three million US dollars' worth of Bitcoin, which they claimed to have then successfully shut down. That ISIS, like any other clandestine group, would use cryptocurrencies and manage operations on the Deep Web is hardly surprising. What is interesting about Ghost Security Group is that their approach to countering terrorist movements has shifted from the wrath of Anonymous, which defies authority and takes direct and sometimes illegal action, to a professional and serious attitude.
A global, mainly European shift in the way the public gets involved in current affairs could be observed this year in the large-scale volunteer activities dealing with the refugee situation. This also led, or should lead, to changes in the way the public, NGOs, and governments act together. While Anonymous is of course also a network of volunteers, they act independently. The aspect in which Ghost Security Group differs most from their base group is that they collaborate not only with other hacker groups but also with governments and intelligence services.
In order to find out more, I got in touch with the group and got the chance to chat with one of their operatives, who goes by the handle @RaijinRising, via the messaging service Telegram, which offers surprisingly secure end-to-end encryption and is therefore also a tool extensively used within ISIS ranks. What follows is an edited conversation extracted from the chat protocols:
Paul Feigelfeld, @cryptologocentric
While I will not ask you any personal questions, may I ask how long you have been active?
⚡️Raijin Rising⚡️, @RaijinRising
I've been with the group officially for several months. The group really came together around this time last year - prior to that they were all active in their own capacities with smaller teams or working solo.
Is it true that you are collaborating with intelligence officials?
Yes, we are and it's pretty amazing for us as well. It has been great so far.
How do the ideologies of Anonymous compare with those of the governmental agencies?
When we started providing info to agencies early on, we were stuck in a limbo of sorts. Anonymous didn't trust us because of who we were dealing with, and the agencies didn't want to trust us because we were associated with Anonymous. We were just out there on our own trying to get our intelligence to the right people who could do something with it. It's a shift in mentality from Anonymous' way of thinking. Traditionally Anonymous opposes big government - so with us working with agencies, some Anons feel that's a bad thing. Many are quick to write us off as 'feds' now to be avoided at all costs.
What do you get in return?
Right now there's a misconception that we're "on a payroll" or that the organizations pull the strings. While it would be nice to be compensated for the efforts of our entire team, we're still 100% volunteer. We are hoping for some assistance down the road with equipment and perhaps better forensics tools but that's not really part of the discussion right now. They aren't telling us what to do at all, we operate on our own terms. The only thing they're asking is for us to stay clean so that our information can be used legally.
So you expressly operate “in-between” and in a way that hadn't been done before. How do you decide what to share?
We have to remain above board going forward. Agencies cannot act on information that is obtained illegally, so we have to be able to prove that information we provide to them comes from legally accepted means. You can't get a warrant to arrest someone if your information was obtained illegally. We can't always do the easy things Anons can do to get information. Often their info can't be used in a court of law, so their efforts can still cause a lot of damage.
We're definitely the first team that has risen from the “underground” to a more public role and is slowly but surely being trusted by the people in the positions to make things happen.
How big do you see the role of risk assessment and prediction in this case?
Threat analysis, risk assessment and prediction are really the key right now. There's chatter everywhere and it takes a team working 24/7 to sort it all out and put it together. That’s what we do mainly.
How do you ensure both transparency and security/privacy in this kind of delicate communication?
That's a tough one. At this point we can still remain mostly anonymous. The real identities of our directors are known to the agencies that need to know. The rest of us are known by our @usernames. The agencies are also aware of all aliases we may use so they don't accidentally target our operatives. We have an internal filtration system. The outer layer harvests loads of data from social media and other encrypted resources, the inner layers sift through them for the important matter. If it feels urgent, we compile a report and fire it off ASAP.
As an organization do you aim to transform the way that agencies are collaborating with the underground? How big is the risk of being subverted or swallowed, or that the information that you collect could be misused by a government?
Our aim is to save lives first and foremost. We're not trying to transform anything. I think agencies could learn a lot by collaborating with the underground and it could certainly increase the efficacy of their operations. The real stumbling block is the legal red tape agencies have to go through. You simply can't break down a door on circumstantial evidence or a hunch from a group of aware individuals. You need solid evidence obtained in a legal way. That alone rules out so much of the intelligence from the underground.
You can't hack into a jihadi's Twitter account and use what you find to drop a bomb on him. It has to be done legally.
I find it interesting that threat analysis is your field. It’s not so much what the public perceives as direct action, takedowns, DDoS attacks and such, but the serene work of statistics.
Our relationships with agencies require us to remain a viable and credible resource. We have to be professional and serious about what we do. You have to take into consideration what limited results a DDoS [a type of attack where the source is more than one unique IP] really has, as well. It's only good while it’s happening and as soon as you decide to turn it off, the site comes right back online. I'd rather get into those sites and poke around and see who's running things, where the money's going, what their ambitions are. Know thine enemy.
Generally, the public perceives terror attacks often as quite random and contingent; not as preventable. And from this, policies are being forged: more power for agencies and military, less transparency for the individual, less privacy, more control, etc.
People have no clue what's going on in the real world, especially when you get so far removed from the action, like living in the US. We hear about a bomb here, a video there, but no one really knows just how active the theater is and how dangerously close this entire situation is to hitting every soil. When I discovered that reality last year, that's when I started getting involved.
Is there a risk for you of being used by agencies to circumvent their own regulations?
I suppose that's a possibility. But we've been asked to play by the rules so far if that says anything about the trustworthiness of our agencies.
Can you give me an idea of how big your team/network is? I assume there is not much military or intelligence training involved and most of you have civilian backgrounds. Is this a perspective that allows you to see differently?
The GhostSecurity portion is a core of 14 members. The Group as a whole also contains Controlling Section and Katiba des Narvalos, which expands us to about 50. There are also many unofficial contributors and we receive threat info through our website. The group is largely civilian; however, we do have some former military in our ranks as well as IT professionals. I believe that the diversity absolutely allows us to see things differently. Sometimes you have to get your head out of a report or an Operational Handbook to assess a situation properly.
There's book smart and there's street smart, and often, street smart wins. That's how guerrilla warfare works.
Necessity is the mother of all invention. Our team, Anonymous, and every group out there fighting this battle has had to get very creative to do what they do and it's quite amazing to see what we've all learned along the way and how we put it to use.
Which brings us to the still not well-defined realm of digital rights, but also digital warfare. There is the international Geneva Protocol for ABC weapons (atomic, biological, chemical), but for D weapons there are few to no conventions for digital warfare yet. Which is highly interesting, given that if you take a popular example like Stuxnet (the highly sophisticated worm that sabotaged an Iranian nuclear facility and remained undetected for quite some time until being discovered, and most likely linked to American and Israeli intelligence, in 2010), cloaking and false flags are the first thing that digital warfare does. Do as much damage as you can before anyone even realizes that something is doing damage. If discovered, point somewhere else. The absence of the weapon.
Yes, Stuxnet was a serious leap forward in digital warfare. We haven't seen anything like it since. I don't think we're at the point where we need to worry about that from ISIS. Their "Elite Cyber Team" so far has defaced a handful of sites but can barely hack a WordPress blog, let alone build a malicious virus to interface with community infrastructure.
You think the digital capabilities of ISIS are mostly making good use of certain infrastructures, but not so much direct action inside/against those infrastructures?
Their team, especially after the death of Junaid Hussain (a British-Pakistani black hat hacker and propagandist, killed with two of his bodyguards in a drone strike on a car in a Raqqa petrol station on August 26, 2015, at the age of 21), has shown no capabilities whatsoever - unless they're working quietly on something really big. The group calling itself the Islamic Cyber Army has mostly exploited very simple vulnerabilities that you could learn to do yourself with about an hour of spare time on Google. Often the sites they “hack” are old and stale websites that have been hacked dozens of times already and you can see the various shell scripts sitting on their servers - fossils from hacks past.
A concrete and subjective question: What is your opinion or assessment of the predictability and preventability in the case of Paris?
It's still all unfolding right now. I just heard that Iraqi intelligence warned Paris of an attack the day before. But chatter is hard to decipher. For every real threat there are 200 more ISIS fanboys out there saying, "You're next [insert city here]". We pick up threats every day. The reality is, you're not going to find a jihadi online saying, "I'm going to meet a team of eight people in Paris tomorrow at 8pm and we're going to bomb a soccer match." Unless he's an idiot, which sometimes happens - like the guy who tweeted his photo in front of a recognizable landmark and got himself droned.
You may pick up a threat, and sometimes there are clues, but it's almost never enough to give away the full picture. Often the closest you'll get is a city. That being said, often after an event, you can go back and find the accounts of those who took part and you'll see the information staring you in the face. The Chattanooga guy (Muhammad Youssef Abdulazeez opened fire on two military installations in Chattanooga, Tennessee, on July 16, 2015) was tweeting about it right up until he left to go do it.
So we learn more about what to look for by studying the social media accounts of those who perpetrate the events after they've happened.
This is really interesting and seems to me to point into possible new ways of activism and SIGINT (signal intelligence) operations. In a way it relates to the way that, for example, the European population has started new ways of doing aid work that usually NGOs and governments are doing when it comes to the refugee situation. It's a very unregulated and fragile form of collaboration, but promising. I am very curious how, and if, this develops further.
I believe it will. It already evolves quickly. You'll see new teams form with better ideas based on their past experiences, then people leave with some of that knowledge and start a new group, and then people leave and start new groups. Some groups continue to grow, some fade away. It's like watching the Universe slowly form from gas into planetary systems. Over time, the dust will settle and there will be a select few core groups leading the way, splinter teams and lots of satellites. But all doing great work.
How do you handle public visibility? Your appearance is very calm and professional.
We pay attention to our public presentation, for sure. We actually need more people to be aware of what we do. This movement has been happening for almost a year and we're just now starting to have some visibility with the public. One of our operatives living in France actually heard a passerby talking about our team the other day. That's good for the movement. We need people to realize two things: firstly, there's a serious problem that will hit home eventually, and secondly, you don't need to be in the military or law enforcement to do something about it. Everyone can report ISIS on social media. Everyone can shut down a YouTube video, or a Facebook account, or a Twitter account safely. Everyone can report anonymously to us and we'll handle it from there if they like.
How hierarchically is your group structured?
We have departments with leaders - Technology, Intelligence, Research and Operations. We all contribute to multiple departments but can end up spending most of our time with one team or another. GhostSecurity acts as the technical side of things and ControllingSection and Katiba des Narvalos generally function as social media harvesting and research teams, but it's organic.
Is following the money a focus, too? You've done it with Bitcoin accounts, but are you also trying to find out more about their funding infrastructures and how to sabotage them?
I wouldn't go too deep into our operations, but right now identifying trails would be more important to us than sabotaging them. If we can follow it, we can show it to the right people and they'll do what they deem necessary. If we were still strictly Anon, we'd probably go out to destroy it immediately.
It's a little crazy right now, but it seems EVERYTHING is our focus, lol. There’s a lot going on since Paris. My bots have harvested a ton of data to sift through.
Are a lot of new groups forming at the moment as a reaction to the cataclysmic situation right now, older groups reforming into something newer?
Events like this get everyone fired up to take action, for sure. Our team was born out of Charlie Hebdo. You'll see some intense action for the next six weeks then I bet it will peter out as it becomes old news. Hopefully this time the media attention will keep the fire burning longer though. It's good to see so many media picking up on this “battle” now between Anons and ISIS because maybe the world will realize ISIS is much more than some CIA conspiracy. This shit's real and this shit's scary.
Can you tell me something general about your tools?
We're all over the place when it comes to “tools” but you could say that most of our research is done utilizing tools that every person with an Internet connection has access to. That's what has surprised the agencies the most about our work. We do have our own custom suite of tools for data mining, infiltration, penetration, and a slew of offensive capabilities should the need arise. I'm writing another bot as we speak :)
What do you think about the statements that encryption makes terrorists even more powerful, that not only every activist but every user of encryption is threatening democracy, and that Snowden is partly responsible for the recent bombings?
As all technologies become more affordable across the globe, they become a part of more people's lives and this includes encryption. On the one hand it's a great thing but on the other hand not so much. Now that the terrorists have been driven underground, partially thanks to efforts of those trying to get them suspended and taking down their web sites, they are getting harder to track. So, yes, they are more powerful. They are getting better at sharing proper techniques for hiding their tracks, too.
I think the most powerful jihadis are already encrypted and out of sight, so we may never be able to fully track their movements unless the authorities have access to encrypted data.
To say that every user of encryption is threatening democracy is a stretch. Hopefully it's the opposite - users of encryption are threatening fascism and corruption by allowing opposition to operate and organize undetected. You can't hold Snowden responsible for the bombings. The tools were always there and those operating in illegal activities are usually the first to figure out how to use them to their advantage. So bad guys were using encryption before Snowden told everyone about it. He may have shined the light for a few people but not for the bad guys. The US government invented the Internet and therefore own every nook and cranny and every bit and byte that travels along it. Who in their right mind would think that they wouldn't be using that information to their advantage?
What would justice and rule of law look like in the 22nd century?
Whew, 85 years is a long way from now. It could go either way. We'll definitely be seeing more laws covering the digital world, specifically cyber warfare. I'm afraid we'll see governments attempting to regulate public encryption even more. But much like the way torrent technology changed the way people were able to acquire software, music and video, someone out there will always develop the next application to get around the restrictions and the cycle will continue. In the end, I can only hope that the governments will continue to allow freedom of expression. There's a fine line between monitoring citizens and completely taking away freedoms, and I think the people will always win in the end.
It is possible to find out more about Ghost Security Group, as well as report suspected terrorists on social media, through their website.
Paul Feigelfeld is the academic coordinator of the Digital Cultures Research Lab at the Centre for Digital Cultures at Leuphana University Lüneburg. He is currently working on his PhD thesis titled The Great Loop Forward. Incompleteness and Media between China and the West.