Anonymous | From Inception to Corruption

NOTE: This article was originally written in Arabic, however due to Anonymous blackmailing Cyberkov with DDOS threats, it has been updated and translated to English as a response to the threat. Details of the blackmail attempt can be found at the end of this article.

 

Anonymous .. The First Generation!

Anonymous is regarded as the foremost hacking collective, specializing in hacktivism and politically-driven hacking operations against governments, giant corporations and the intelligence sector. The goals of Anonymous are protecting freedom, privacy and anonymity of internet citizens, as well as opposing government surveillance. The results of hacktivism operations usually come in the form of DDOS, deface and leaking sensitive information, such as the case of Stratfor, the intelligence think tank linked to the CIA. Anonymous hacked Stratfor, compromised all emails and sensitive information about global spies working in media & embassies; and leaked all of the looted secrets to Wikileaks. HBGary, also a security intelligence company, fell victim to Anonymous and suffered many losses that led to its dissolution.

Anonymous disabled scores of government websites such as the White House, US Department of Justice, and countless others after the US government attempted to pass bills allowing internet surveillance, Anonymous also carried out mass-mailing campaigns to complain to US Senators, which resulted in the withdrawal of the controversial bill. Furthermore, Anonymous launched Operation Payback against Mastercard and PayPal; inflicting millions of dollars of loses for these organizations after they froze donations to Wikileaks.

OpIsrael was Anonymous’s most effective operation to date; occurring in many reiterations for 3 years; with the goal of wiping Israel off the internet map. Anonymous drowned Tel Aviv Stock Exchange and compromised financial institutions. In this operation, the Saudi hacker Omar reached legendary status after he leaked tens of thousands of Israeli credit cards compromised from Israeli financial institutions. I have written a detailed article about OpIsrael and how Anonymous managed this operation. I have also provided a summary of the operation in an interview with Al Arabiya.

These ideological operations brought Anonymous mass appeal and sympathy from the general public and internet users, especially for their defense of internet freedom even though Anonymous’s activities were officially illegal. I remember these days as being full of action and excitement as you would rarely go through a day without a single operation waging on in the internet.

These hacking activities, though noble in cause, were illegal and probably resulted in many sleepless nights for the FBI, in part because Anonymous compromised many entities related to US intelligence and military industries. The FBI in response launched major investigations and arrested dozens of Anonymous hackers, members and supporters. Some of which received disproportionately harsh sentences, others were ‘recruited’ by the FBI in the form of secret deals to reduce their sentences; in exchange for entrapping other Anonymous members and gain insight to clues that can lead to their arrest. Others, most interestingly; were surreptitiously used by the FBI to attack other websites and governments, even the website of the Kuwait Crown Prince!

All of these events ran roughly from 2010 to 2014, during which court sentences and mass arrests were the norm, however in 2015 a vastly different Anonymous appeared; this time without resistance from authorities, and without court sentences and arrests.

Thus, the start of the new Anonymous ensued…

Ideological Changes in Anonymous! The New Generation

In 2015, and specifically during the Charlie Hebdo events; two different groups emerged: the new Anonymous and GhostSec. Immediately these two groups started attacking hundreds of Arabic and Islamic websites, as well as general Arabic public figures as misguided revenge for the Charlie Hebdo massacre. These attacks raised suspicions across the internet for its uncharacteristic lack of precision and accuracy, in what seemed like an attack on random Arabic sites or those remotely related to Islam. Websites hosting religion, politics, technology and media content were attacked continuously by Anonymous and GhostSec simply for being owned or authored by Muslims. Attempts from website owners to get clarification from Anonymous/GhostSec were countered with more threats and more attacks.

Moreover, the US media and government view on Anonymous changed drastically (in fact completely reversed); Anonymous was no longer the annoying internet punks spraying bad packets on government websites; Anonymous was rather received with applause and support from US media outlets, and their operations were hailed as legitimate revenge against extremism, even though Anonymous was performing the same officially illegal activities of the first generation!

I have tweeted about the New Anonymous’s operations against Arabic websites from inside their operation chatrooms. Take for example:

نقلت لكم الأخبار السابقة من داخل غرفة الهاكرز الفرنسيين، هذه صورة من داخلها الآن، وفيها كل تحركاتهم، وأهدافهم القادمة pic.twitter.com/iEygVinHQN

— عبدالله العلي (@CyberkovCEO) January 9, 2015

Soon afterwards, Cyberkov’s website was attacked heavily by Anonymous for 10 days, launching all sorts of web and DDOS attacks against the company’s website, and going so far as to launch personal attacks against myself and the company’s personnel; claiming that I was a Russian agent (based on a photo I took in front of the Russian ministry of defense in Moscow in 2014). These false allegations were then propagated to Parismatch, the prominent French newspaper, claiming that Cyberkov acted as the NSA of Kuwait! I have responded to Parismatch with these tweets.

Most of Parismatch’s article was based on media exaggerations and almost fully devoid of facts, therefore we do not believe it is worthy of debunking.

The Emergence of GhostSec!

GhostSec emerged to the hacking scene during the CharlieHebdo massacre as a spin-off from the New Anonymous (Not the original), with one clear goal: Tracking extremism online and reporting any ISIS-related accounts (including supporters and sympathizers). The methodology, internal cooperation and communication with which this group is managed differs substantially from Anonymous, and is a telltale sign that GhostSec might include officers of intelligence and counter-terrorism.

Their goals, as stated in their website, is fighting online presence of terrorist and extremist organizations such as ISIS, Boko Haram, Al-Qaeda and others, by reporting accounts and websites to authorities, and by pressuring hosting and cloud providers to remove such content. This methodology worked in favor of GhostSec, however it worked because these extremist websites and accounts were already in violation of their terms of use, and belonged to entities blacklisted by the United Nations anyway.

GhostSec assisted in the removal of more than 23,000 accounts, domains and Twitter IDs, and is still operating to this matter to this day

Collusion Between Anonymous/GhostSec and Intelligence Agencies

Working around the clock, GhostSec and Anonymous were reporting accounts left and right, creating tools that assist in reporting (alleged) extremism accounts and content on social media, and creating lists of targeted websites and individuals (usually with no supporting evidence to their claims), and reporting their findings to US intelligence agencies; a move that sparked a change in the way the US intelligence agencies looked at these groups. So much, in fact, that US national security advisors and researchers are discussing the utilization of these groups in favor of US foreign policy and national security goals, especially knowing that the Pentagon publicly admitted its inability to counter ISIS online propaganda. And thus cooperation started between the FBI and GhostSec/Anonymous in public, even though such actions were considered by the original Anonymous to be shameful, scandalous and only perpetrated by ‘Rats’ and ‘Snitches’.

GhostSec and its leader DigitaShadow furthermore supported US intelligence agencies with names and information of whoever GhostSec suspects to be linked to online extremism. GhostSec also claims that its investigatory work led to thwarting an operation planned by ISIS.

Accepting the Mob Rule… Hijacking Ideals and Laws

How sound do you think it would be for the police to cooperate with the outlaws, or to have criminals assist in bringing justice? How can the US intelligence agencies cooperate with outlaws that lack any understanding of legal & due processes, and whose methods of obtaining knowledge are neither acceptable in court nor free of egregious errors of judgment? It is highly likely – in fact imminent – that innocent individuals and organizations will be falsely implicated due to GhostSec/Anonymous’s erroneous and unsound means of analysis and evidence collection.   Unless, of course, these risks were fully understood by US intelligence agencies, and were in fact considered acceptable as a way to subvert restrictive judicial processes, constitutional limitations and public outcry? Recruiting outlaw hackers in secret to do the agencies’ dirty work saves them money, time and most importantly: Legal responsibility.

The imminent mistakes to be made by untrained amateurs playing the role of professional investigators is already showing. Take for instance the account of ‘cybercaliphate’, first declared by them to have been run from Kuwait, then changed their story to claim it’s run from Qatar, even though CyberCaliphate’s leader was declared dead in an air strike in Syria.   GhostSec/Anonymous’s most apparent mistakes (which we think is intentional or out of extreme negligence) is blatantly accusing public figures in the Middle East, as well as unrelated websites, to be supportive of ISIS. Mind-blowing examples include Al-Jazeera TV presenter Faisal Al-Qasemi (Known anti-Assad media face), Al-Qassam Brigades website (even though ISIS declared war on Al-Qassam and Hamas), and even purely technological websites such as Cyberkov, and iSecur1ty.org.

It is immediately visible to the reader that these entities are either in conflict with ISIS, or completely unrelated to politics and religion. This is just the start of an avalanche of legal and judicial mistakes that are guaranteed to occur when the law is handed over to the outlaws, and the jury is none other than the mob.

GhostSec/Anonymous false lists of targets was rejected by Twitter itself for being wildly inaccurate, it was instead found to be full of academics and journalists. This statement by Twitter confirms our own findings, but to better show the fallacy of GhostSec/Anonymous information and prove their full inadequacy, let’s see what Matthew Prince, CEO of CloudFlare, has to say about the matter in an interview with Fortune:

There was a Twitter account that alleged that a number of ISIS-related sites—it published about 40 sites—are using CloudFlare, and that CloudFlare should kick them off the network. The thing is that there are very few ISIS-related sites [on that list]. Some were Kurdish separatists, some sites supported Chechnyan independence, some sites supported Palestinian independence. There were some that appeared to be related to some of the topics that ISIS supports as well. I don’t know any organizations that hate ISIS more than the Kurds. The only thing I could see that these sites have in common is that they’re largely written in Arabic.

I think Prince’s last sentence clearly shows the ineptitude of GhostSec/Anonymous. Any website that ‘seems’ to look like it supports ISIS (by covering news, discussions, or even just written in Arabic) is being added to the list. The result: ISIS enemies are reported by GhostSec/Anonymous to be ISIS supporters!    Matthew Prince, whose company protected Wikileaks from a massive DDOS attack, also coined proper term to describe GhostSec’s operation, calling the operation a ‘mob rule’ in his interview with IBTimes UK:

“Individuals have decided that there is content they disagree with but the right way to deal with this is to follow the established law enforcement procedures. There is no society on Earth that tolerates mob rule because the mob is fickle,” Prince said.

Wikileaks also opposed Anonymous’s mob approach to reporting online extremism, stating that Anonymous is attacking accounts based on their speech (which Anonymous is supposed to protect, even if such speech was unpopular), but more importantly Wikileaks also hinted that Anonymous is thoroughly compromised from inside with intelligence officers:

Anonymous (or the intel agents that riddle it) have a campaign to inform on social media accounts based on their speech. Great precedent.

— WikiLeaks (@wikileaks) November 20, 2015

GhostSec Evolving into a ‘Professional’ Network

A short while before the recent Paris massacre, GhostSec morphed into a professional network (and borderline company) by the name of Ghost Security Group, and changed its website to http://ghostsecuritygroup.com (GhostSec failed to supply a properly named SSL certificate for its site; an interesting failure for a hacking group). Global media such as CNN, Reuters and Daily Mail promptly started referring to GhostSec not by the hackers that they are, but by titles such as executive director (DigitaShadow currently holds this position).

GhostSec continued its officially illegal hacking activities with its new name under the pretense of combating online terrorism, hacking accounts, reporting individuals to authorities. Nobody knows who they really are, what their credentials are, who their victims are; and yet their actions as hailed as legitimate and legally acceptable, and herein lies the problem.

What if Ghost Security Group Expanded?

Outlawed groups engaging in illegal activities are bound to spread and expand once it finds rich soil to grow into, as well as silence from law enforcement agencies (whose job includes stopping self-proclaimed vigilantes and protecting the correct process of the law).   Who can say for granted whether or not the US intelligence agencies are not already exploiting this group to perform the agencies’ dirty work for them; attacking whistle-blowers, dissidents and those who disagree with the US Foreign Policy? (Including of course, officials and politicians of other countries, as Snowden leaks have repeatedly shown us such figures are indeed regular targets for the NSA and CIA).

Cyber Coalition of Anonymous and GhostSec Against ISIS

After the recent tragic Paris massacre, Anonymous and GhostSec (as well as other less known hacking groups) have joined forces to ‘permanently’ destroy the online presence and support of ISIS.

Inside the Operations Room of Anonymous and GhostSec

To coordinate attacks and information collection against ISIS, GhostSec and Anonymous created Twitter hashtags ( #OpParis , #OpISIS and #OpIceISIS), and IRC chatrooms that are open to every visitor (https://webchat.anonops.com/?channels=OpParis).   To participate or observe into their coordination methodology, simply enter the previous link and choose a Nickname.

Screenshots of the #OpParis operation room:

#OpParis Main Goals

1- Report and suspend all ISIS and ISIS sympathizer accounts, especially on Twitter.

2- Hacking and disabling ISIS or ISIS supporter websites, usually via DDOS.

3- Reporting YouTube videos and JustPaste.it notes belonging to ISIS or spreading its propaganda.

4- Pressuring hosting providers to take down ISIS or ISIS sympathizer content.

5- Creating automated tools to report ISIS activity.

Anonymous and GhostSec Guidelines to Reporting ISIS Activities:

1- The Noob Guide: A beginner’s guide to hacking websites and servers. Also provides anonymity instructions.

2- Twatter Reporter: A guide on using automated tools and scripts to report online activity.

3- Search Terms: A guide on searching for ISIS terms for volunteers

How is Anonymous and GhostSec Reporting Twitter ISIS Accounts:

1- Anonymous performs a search and collection for ISIS Twitter accounts then uses GetTwitterID tool to extract account IDs. These IDs are then collected in large lists hosted in Pastebin and Ghostbin, like this list of alleged accounts. (Note: As mentioned previously, these lists are described to be ‘wildly inaccurate’ by Twitter itself, so do not take for a fact any information extracted from it)

2- Using the TwitterReporter script, they perform mass reporting of suspected accounts. Another copy of the script can be found here.

3- TwitterReporter tool signs in using the user’s (Anonymous volunteer in this case) Twitter account credentials, then it performs mass reporting for the alleged accounts. Twitter then inspects accounts for violations and suspends any it finds to be truly in violation of Twitter terms. Sometimes errors occur and accounts are suspended by mistake, in which case you can contact Twitter and resolve it.

4- They also report accounts online using ReportOnlineTerrorism

How is GhostSec and Anonymous Finding ISIS Websites

1- Anonymous visits Google Iraq because it is the closest geographical point to ISIS.

2- Anonymous searches for ISIS phrases such as shown in the following image (Online copies of such phrases: 1 2 3 4):

3- Google Chrome is preferred because it performs automated Google Translation of pages.

4- Collection of collected results to be shared in their chatrooms and Pastebin pages.

The Clear Errors in Anonymous/GhostSec Methodology

By now the egregious mistakes in the searching methodology should have been very clear to the astute readers, but we emphasize the following major shortcomings as:

1- The alleged ISIS phrases are general well known Arabic or English phrases that are unrelated to ISIS. Some of these phrases are translations of words such as ‘brothers’, ‘Report’ , ‘killed and injured’… These phrases are definitely not ISIS trademarks.

2- Complete lack of context in evaluating discovered results, as the aforementioned phrases could be used to quote ISIS propaganda in news reporting (That is why Twitter stated Anonymous’s list is full of academics and journalists), or simply these phrases could have been used in a totally different context than that of praising ISIS.

3- Online translation tools do not correctly translate different Arabic dialects.

4- The methodology does not provide instructions on how to differentiate between ISIS supporting content and  content that simply references ISIS content.

5- No correctness threshold exists in the methodology. A website filled with ISIS propaganda is treated the same way as a website that only contains one phrase.

The result is a smorgasbord of false positives, unrelated results, and even inclusion of websites belonging to ISIS enemies. We think any experienced Data, Search or AI analyst is bound to reach the same conclusion regarding Anonymous’s badly-implemented amateurish searching methods.

Will ISIS Survive These Attacks?

When faced with stubbornness, this methodology is not expected to bring much value. As soon as accounts are suspended, more accounts can be created by ISIS. This is not convenient, but completely free of costs.   The real problem in fighting ISIS online is that ISIS does not have an official online presence, no infrastructure, no official websites, no official mail servers.

Therefore it is not possible to ‘launch’ a cyber attack on its nonexistent online infrastructure. ISIS supporters also cannot be targeted in a fashion like HackingTeam’s approach against dissidents and activists. ISIS supporters do not have official identities, nor do they use well known physical locations or devices. They simply are not static targets. Preparation and information collection performed on them can be wasted in a minute by having the ISIS supporter desert his/her current email account, for example.     In contrast, we have seen hacking groups joining forces with ISIS, which in turn demonstrates a bigger threat as governments are easily-found targets online, and therefore ISIS can utilize these skills to wage online guerrilla wars on governments. I have made numerous analyses about ISIS cyber capabilities here, here and here.

APPENDIX: Anonymous Blackmails Cyberkov with DDOS if Article Is Not Removed

After Cyberkov’s blog published an Arabic article about Anonymous’s history and corruption throughout the years (Basically the Arabic version of this article), Anonymous members emailed Cyberkov with a DDOS threat if the article was not removed immediately. The blackmail message arrived after Cyberkov endured 3 days of DDOS attempts.

The DDOS Blackmail message can be seen here:

It is very unfortunate that Anonymous had to resort to cheap tricks like DDOS to blackmail and censor content on the web; the same content Anonymous was supposed to protect had they actually believed in free speech. Anonymous has essentially turned into its worst enemy.