GhostSecGroup is taking on ISIS. It’s not clear they’re helping.

Why You Shouldn’t Believe the “Hacktivists” Who Say They’re Taking on ISIS

Why You Shouldn’t Believe the “Hacktivists” Who Say They’re Taking on ISIS

Decoding the tech world.
Dec. 10 2015 3:27 PM

The Hacktivist War on ISIS?

An offshoot of Anonymous has declared war on terrorism. But its efforts could be making things worse. 

Anonymous army.

Photo illustration by Natalie Matthews-Ramo. Guy Fawke mask by Philippe Lopez/AFP/Getty Images. Solider by Zabelin/Thinkstock.

Editor’s note: The original version of this article did not consistently distinguish between GhostSec and GhostSecGroup. The piece has been updated throughout to address those inconsistencies.

FutureTense_logo

There’s a reason Anonymous is named after a tactic, not a cause. Hackers acting under the Anonymous banner tend to share certain values, like Internet freedom and anti-authoritarianism. But the purpose and motivation of any given Anonymous operation isn’t always obvious. When Anonymous went up against the Church of Scientology and security software maker HBGary, the dynamic was pretty clear: These groups had antagonized Anonymous (taunting it, in HBGary’s case) and Anonymous wanted to strike back. Anonymous did so by trying to expose the secrets and damage the reputations of its targets.  In the Steubenville rape case, when a member of Anonymous outed the then-alleged and since-convicted rapists, the motivation was one of outrage, but the tactic of exposure remained the same.

David Auerbach David Auerbach

David Auerbach is a writer and software engineer based in New York, and a fellow at New America.

Advertisement

Now a descendant of Anonymous is taking on ISIS, and that’s where it faces a new problem. How do you damage the reputation of a group with one of the worst reputations on the planet?

By helping out the U.S. government, apparently. While Anonymous may seem emphatically autonomous and anti-establishment, this time members associated with the group have recast themselves in a kind of support role. In particular, the Anonymous offshoot Ghost Security Group, or GhostSecGroup, digs up online media accounts that support ISIS and funnels that information to federal officials. That makes GhostSecGroup, which emerged in late fall 2015 out of the more nebulous GhostSec, something of a new beast.* It suggests an Anonymous that is now angling for respectability—and maybe some defense bucks. Along the way GhostSecGroup has bamboozled the press, which is unfortunate, because it’s not clear that GhostSecGroup knows what it’s doing.

In October, the Atlantic ran a credulous profile of the hackers’ idealistic, big-talking leader, Mikro (aka CtrlSec), who made the unconfirmed claim that he and his confederates have taken down tens of thousands of ISIS social media accounts. The pseudonymous members of first GhostSec and now GhostSecGroup do their work by watching Twitter and other social networks, looking at suspected Jihadist websites and possibly hacking some of them, and gathering other intel online. That might be a fruitful area, since ISIS is far more Internet-savvy than other terrorist groups, though the extent to which its online efforts aid recruiting remains in question: Michael Smith, a co-founder of counterterrorism strategy firm Kronos Advisory, has told journalists that GhostSec produced information that led to the prevention of a suicide bombing in Tunisia, though the government has neither confirmed or denied this; in another unconfirmed claim, GhostSec’s DigitaShadow, now working with GhostSecGroup, has said the hackers helped prevent an attack on New York City.

What have the hackers accomplished?* Twitter has said that lists of ISIS-affiliated accounts that hackers associated with Anonymous have produced and asked Twitter to ban are “wildly inaccurate” and full of journalists and academics.* Claims that GhostSec had found a $20 million Bitcoin wallet belonging to ISIS turned out to be false. And disenchanted ex-GhostSec members have accused GhostSecGroup of morphing into a would-be government contractor: Writing on the Anon Insiders blog, one Anon wrote, “All but 2 of the original members had left, taking with them all the technical skills and leaving behind guys who wanted to work as intel gathering engines for the government.”

Advertisement

That last point bears examination: GhostSecGroup appears to be a typically chaotic Anonymous group turned legit. While the Anon bemoaning GhostSecGroup’s ambitions doesn’t back up his claim, there is some compelling external evidence for it. What’s fascinating, in particular, is that hackers associated with these groups have very quickly generated more positive press than any Anonymous group in history. In contrast to the general disgust directed at Anonymous by leftists and righties alike, GhostSec, and now GhostSecGroup, have benefited from long, glowing profiles in the AtlanticMic, and even Slate’s corporate sibling Foreign Policy. The Mic profile has GhostSecGroup distancing itself from Anonymous, because “the sudden interest of Anonymous [in fighting ISIS] could end up costing innocent lives.” What’s going on here?

GhostSecGroup is not Anonymous as we have come to know it. The language of its website places it quite far from hacktivism—the anarchic pastime of antisocial geek misfits—and firmly in the realm of defense-contractor jargon. “Our cyber operations consist of collecting actionable threat data, advanced analytics, offensive strategies, surveillance and providing situational awareness through relentless cyber terrain vigilance.” A slick video with thundering drums and anxious synthesizers is redolent of military recruiting videos rather than Anonymous’ traditionally homebrewed hacking operation. And then there are its capabilities: “Ghost Security Group provides offensive and defensive insight and solutions in a rapidly changing global environment to combat the increasingly growing threat from extremist ideology.” Anonymous has never offered “solutions” and “capabilities” before now. And the home page blurb from GhostSecGroup booster Michael Smith—“a tweeting jihadi is a targetable jihadi”—suggests that Smith’s praise of GhostSecGroup may not be disinterested. Smith told Foreign Policy, “I want to help this group manage what basically amounts to a source rating” and told the Atlantic that he is “collaborating” with GhostSecGroup. Cozying up with defense contractors is a very strange look for a group of Anonymous veterans.

GhostSecGroup’s carefully manicured image seems tailor-made to attract policy mavens rather than anarchist hackers. According to ex-members, that image has taken precedence over talent. “New recruitment focused on intel folks instead of technical capability because intel is what earned them the bucks,” said the same disaffected Anon on the Anon Insiders blog. Certainly, technical skill seems to have taken a backseat to image in GhostSecGroup’s recent efforts. Nowhere is this more evident than in GhostSecGroup’s new tool Ghost Reporter, a Windows application whose purpose is to allow users to report suspicious sites to GhostSecGroup. The app looks like it was cooked up in Visual Basic by a first-time programmer. “Please enter the suspected Terrorist-Account/Link/Address into the field below!” it prompts, with a sample screenshot containing the Twitter handle “@BinLaden0815.”

151210_TECH_anoncombat

This would be pretty funny if GhostSecGroup didn’t have the backing of at least some part of the defense establishment, with Smith, according to the Atlantic, serving as intermediary between the feds and GhostSecGroup. Instead, its apparent combination of incompetence, flattery of the powerful, and hacktivist afterglow is frightening, because its activities involve national security and one of the most ruthless state-like organizations in the world. GhostSecGroup has the potential to do genuine harm—not only by screwing up its mission of intelligence collection, but then by diverting money away from competent anti-terrorism work. E. T. Brooking, author of the Foreign Policy piece, gives far too much credence to Smith and David Petraeus’ endorsements of GhostSecGroup, even as he eventually admits that GhostSecGroup’s efforts are probably inconsequential.*

Advertisement

New America Foundation cybersecurity fellow (and Slate contributor) Adam Elkus told me that this embrace of GhostSecGroup is an unfortunate consequence of the drive to find some kind of quick fix for ISIS. “There is tremendous pressure to do something about ISIS, and the easiest way to do something is to fight the social media war. There is a giant industry oriented around elaborate ways to avoid actually having to kill people on the ground.” What’s most troubling, however, is that news organizations have fallen for it. As an intelligence-gathering operation, there’s little reason to have any more faith in GhostSecGroup than in the traditional avenues of U.S. espionage, and a fair bit of reason to have less.

Despite Anonymous’ many missteps, it generally can’t be accused of being tools of the establishment, and it represents a genuine social movement. GhostSecGroup, on the other hand, is a charade: an apparent would-be military contractor dressed up in countercultural clothes. Anonymous has always operated by fooling people into thinking it is larger and more powerful than it is; with GhostSecGroup, it’s unclear who’s being fooled. I doubt it’s ISIS, which may at best be annoyed with GhostSecGroup’s antics. But it may be the defense establishment, tricked into thinking these hackers-turned-contractors know something it doesn’t about social media jihad. Or perhaps the defense establishment knows, and the ones being fooled are the rest of us.

Correction, Dec. 10, 2015: This article said that a report in Foreign Policy "admits that GhostSecGroup’s efforts are probably inconsequential and possibly harmful.” That piece only admits that the group is probably inconsequential. (Return.)

Correction, Dec. 13, 2015: Due to an editing error, this article originally misstated that GhostSecGroup split from GhostSec in 2014. That split occurred in late fall 2015. (Return.) This article also originally reported that GhostSecGroup launched a denial of service attack against the website Jihadology; it also, in a correction, attributed that attack to GhostSec. In fact the proprietor of Jihadology accused GhostSec of inspiring the attack. (Return.) This article also misstated that Twitter had called lists of ISIS-affiliated accounts produced by GhostSecGroup “wildly inaccurate.” Twitter made that comment about such lists produced by Anonymous more broadly. (Return.)

This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.