Mustafa Al-Bassam (aka tFlow), co-founder of the hacker group LulzSec, claims to have used new evidence gathered from documents leaked by Edward Snowden to reveal more information on GCHQ covert operations. According to Bassam, a special unit in the British intelligence agency called the Joint Threat Research Intelligence Group (JTRIG) targeted hacktivists in efforts to influence the socio-political climate in the Middle East.
The former black hat hacker wrote in an article for Motherboard that JTRIG allegedly used shortened URLs as a honeypot to attract online activists during the 2009 presidential elections in Iran and again during the 2011 uprisings widely known as the Arab Spring.
"The group's tactics against hacktivists have been previously reported, but its influence campaign in the Middle East has never been reported before. I was able to uncover it because I was myself targeted in the past, and was aware of a key detail, a URL shortening service, that was actually redacted in Snowden documents published in 2014," Bassam wrote.
GCHQ created URL shortening service
JTRIG made use of its GCHQ-developed and now-obsolete URL shortening service called lurl.me to conceal links to various websites. Lurl.me, codenamed Deadpool, was used to send messages on social media platforms like Twitter, to help keep track of online activists. "These messages were intended to attract people who were protesting against their government in order to manipulate them and collect intelligence that would help the agency further its aims around the world. The URL shortener made it easy to track them," Bassam added.
According to Bassam, the URL shortening service was active between 2009 and 2013. During this period, JTRIG used the service in several Twitter campaigns to tweet out dissident material in efforts to discredit the presiding Iranian government.
Active Twitter campaigns
Bassam's research revealed that a handful of Twitter accounts that were only active in June 2009 were periodically tweeting the same content using lurl.me. One such account, which still exists but was last active in 2009, is @2009iranfree. The account's main goal is believed to have been giving Iranians access and information that would normally have been restricted or censored by Iran's leadership.
Lurl.me was also used by another Twitter account (@access4syria) in 2011, during the Arab Spring. Ironically, the account, which was only active between May and June 2011, was found to post only between 9am and 5pm UK time and only on weekdays. This account too tweeted out links to information that would otherwise have been censored by the regime.
According to Bassam, lurl.me was last actively used in 2013, shortly after the documents from the Snowden leaks were made public. "This previously unknown wide-ranging influence operation by British spies shows how on the internet every tool is a double-edged sword," Bassam concluded.
A GCHQ spokesperson said, "It is long standing policy that we do not comment on intelligence matters. Furthermore, all of GCHQ's work is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Parliamentary Intelligence and Security Committee. All our operational processes rigorously support this position."