Ghost Security via Ghostsec.org

As France rains bombs on Syria, as states, countries, continents close their borders to refugees fleeing civil war and terrorism, as the world reels from underreaction to overreaction in the wake of the Paris and Beirut suicide attacks, men and women all over the world sit quietly, typing, reading, copying, pasting.

They are the social media warriors on the front against ISIS, and their TANGODOWNs are impressive, even though not fatal. Still, as social media is central to the propaganda and recruiting strategies of ISIS, a blow to their Twitter or Facebook arms is felt throughout the organization, decreasing outreach, ending relationships carefully built up over months, disrupting the flow of money and information, and generally doing to the terrorist caliphate what bombing bridges did to supply chains in WWII.

And because this is social media, of course there’s a spat and a schism at the heart of it all.

We separately interviewed Digita Shadow of the more government-allied Ghost Security Group and TorReaper and Ransacker of the more anarchic, Anonymous-allied GhostSec.org, which was the original site for the group, pre-breakup. Both groups continue, each in their own styles and with their own resources and allies. Ghost Security Group has been featured in Foreign Policy; GhostSec.org has been featured in the tweets of YourAnonNews. Both fight ISIS, each in their own particular styles.

As for the relationship between Ghost Security Group and GhostSec.org, DigitaShadow of GSG says there is “no affiliation at all. Our official name has been changed to Ghost Security Group and we use the hashtag #GhostSecGroup and #CtrlSec on Twitter. Our website is at ghostsecuritygroup.com. The old website was http://ghostsec.org and was named Ghost Security. We let a former member go and he continued to use our name after we moved to our new website and renaming.”

Which, to some, sounds like they had X website, left X website, and started Y website, while still claiming to be the official group. Semioticians may wish to reference the Ship of Theseus at this point. Particularly since X website is still going strong.

The (ahem) extant spokesperson of said X website, naturally, characterizes things somewhat differently, of course. He said, “We are the non-government affiliated ghostsec. Been around a long time.”

Ghost Security Group and Ghostsec via TorReaper of Ghostsec

Amusingly, although specifically contacted for an interview, and responding to interview questions, all Ghost Security Group emails still retained the business-obligatory footer “NOTICE TO RECIPIENTS” about information being confidential, privileged, and not for dissemination.

All righty then. Read on for that confidential, privileged, disseminated content.

As the oft-divided Anonymous hive proves, however, difference and disagreement are ultimately no deterrent to direct action; both groups have been highly effective at reporting and downing ISIS social media accounts. Let’s hear it in their own words.

The Cryptosphere: I see on the site that you’ve endured more than 100 attacks on your sites: were these DDoS or a different form of attack?

TorReaper of GhostSec.org: The attacks on the site have varied. Mostly very large scale layer 4 ddos attacks but those are not included in the count on the website. We get these daily and cannot count them effectively. The attacks on the site are a mix of layer 7 dos attacks (which make up most of them) or people trying to run repeated sql injection or XSS attacks on us. Our site records everything entered and automatically detects attacks based on correlation rules we built ourselves.

Before cruise misses took out most of the Cybercaliphate we were getting blasted by some very cool attacks. These aren’t tech savy folks hitting us tonight.

How many (expressed as a percentage) of the reports you get are valid?

Digita Shadow, Ghost Security Group: Around 60%. Its very hard to say because some times there is more info out there and when its easier to find we get the same tips several times. To date we have shut down 149 extremist websites and over 100,000 social media accounts. We attempt to contact the provider hosting the content and if they fail to comply we will remove it by force.

TorReaper, GhostSec.org: Hard to say, we cannot validate them all ourselves at this point but I would say in the region of 30% of the sites reported are genuine extremist activity and less than 10% are Isis. The numbers are much higher for Twitter handles reported, these can be as high as 70% accurate.

We’re trying to create a way of auto checking the accounts and sites reported and only showing the valid reports on the site, it should be ready in the next week or so. Now display all the reports, complete open policy. Then we advise those who work with us to research each account reported and if valid report it.

Can you explain what a typical report looks like, and what steps you take once you get the report? Say I reported a Twitter account for tweeting “death to the infidels, glory to ISIS” and a picture of the French massacre. What would you do then?

Digita Shadow, Ghost Security Group: If you take a look at @Ctrlsec, you will see what we do to the reported content. What it looks like? Just like the text in this interview.

TorReaper of GhostSec.org: Twitter’s policy is confusing. They seem to take down any accounts that are reported enough times without investigation (even some of ours) then they only investigate the account when you ask for the suspension to be lifted. That’s why our accounts come back but ISIS’s rarely do.

GhostSecPI of GhostSec.org: We aren’t just Twitter focused. All social media platforms. We are looking for actionable intelligence. We report it directly to the authorities. We have undercover accounts inside isis followings on message boards, etc and learn from the inside. We also dismantle ISIS extremist sites. Didn’t mean to take anything away from what Ctrlsec does. They do great. They are some decent people working with the group.

When does Twitter take accounts down and when do they leave them up?

Digita Shadow, Ghost Security Group: Each situation is different depending on the content tweeted, but in 90% of the reports we submit the accounts are suspended.

TorReaper of GhostSec.org : If the account is a Twitter account we always get it suspended; that is not hard, you just need enough reports. If we take special notice of a particular account we all tweet it and have a combined follower count of many thousands so it gets suspended. If the account is genuine then Twitter will not reinstate it. If you’re taking about websites, we will report it and if nothing is done we will attack it. First by attempting to breach the site, then by ddos as a last resort. Breach attacks will include sql injection, XSS attacks and brute force attacks amongst others

What do you do when reporting fails to get results in a case you think is genuine? What “other approaches” do you use? Can you give me an example?

Digita Shadow, Ghost Security Group: We act on the situation and each case is different however Twitter is somewhat compliant to our requests for action to be taken.

TorReaper of GhostSec.org: No comment really. Anybody who is donating time, effort and skills to removing Isis content is ok in my book. Anonymous is not a political organisation, we do not all agree, we don’t always have consistent messaging, it’s an idea not an organisation.

How many reports have you gotten relating to the Paris killings?

Digita Shadow, Ghost Security Group: Ghost Security Group receives about 200 tips an hour on average.

TorReaper of GhostSec.org: I have not counted the reports from [Friday/Saturday] yet, it’s something like 600.

When are you going to make public the lists of reported accounts from tonight?

Digita Shadow, Ghost Security Group: CtrlSec is constantly publishing accounts of what we receive and collecting our self on our Twitter accounts at @CtrlSec.

TorReaper of GhostSec.org : Lists from last night will be available today. Usually there is a 12 hour delay so we can remove the attacks and stuff from the report lists and use the data ourselves in our other systems.

What is GhostSec’s relationship to Anonymous? My understanding is that it’s similar to LulzSec or AntiSec, a subgroup that uses Anon principles but broke away to get more things accomplished more quickly than a messy, chaotic hive mind can manage.

Digita Shadow, Ghost Security Group: We fight the same cause however Ghost Security Group and CtrlSec are not directly affiliated with Anonymous. We have chosen to step away from the Anonymous brand because our work is depending on collaborating with government officials so that our data may be acted on. Our official press release in regards to that can be viewed at http://ghostsecuritygroup.com.

Ransacker of GhostSec.org : GhostSec is a subgroup of Anonymous so we are part of the Anon family.

Had you heard anything prior to the Paris attacks that would hint they were coming? Or was it kept quiet until it happened?

Digita Shadow, Ghost Security Group: We cannot comment on ongoing investigations at this time.

Have the jihadis on social media reacted to these attacks the same way they react to attacks in Beirut, Syria, etc? Or is something different about them?

Digita Shadow, Ghost Security Group: Same as always to be honest, people saluting it and people condemning it.

GhostSec.org : There is a difference in their reactions on social media. The amount of media coverage on the Paris attacks has allowed those who push their extremist propaganda to do so to a wider audience. The attacks prior to Paris did not garner as wide reaching coverage and so they weren’t as verbose with their propaganda. Many who have been silent or had not previously been propagandists have now begun to push their extremist messages, threats and promises.

Has social media jihad changed since TriCk (late of Team Poison, lately of the Cyber Caliphate) was killed by a US attack? He was their Sabu, their best political polemicist. Has his loss affected them at all?

Digita Shadow, Ghost Security Group: The Islamic State lacks the technical skill required to cause serious damage to coalition cyber infrastructure mainly because of our constant attacks on them to reduce their technical capability.

Some questions about the team: how many, roughly, work behind the scenes? Is it closer to a dozen, closer to a hundred? Is the team multinational? Are there Muslims on the team?

Digita Shadow, Ghost Security Group: Ghost Security Group and CtrlSec are international and are primarily from the United States, Europe and the Middle East. GSG is comprised of 14 operatives and CtrlSec is made up of 28.

Ransacker of GhostSec.org : We come from various different backgrounds, but one common denominator among us is a strong desire to thwart ISIS.  We view our collective skills as a way to fight terrorism–investigative skills, threat analysis, journalism and technical skills, to name a few.

Digita Shadow, Ghost Security Group: I had CtrlSec which was already having an upper hand on the social media part and Ghost Security Group were putting in a lot of effort to collaborate with us so we decided to merge in order to cover more ground on the war against terror.

What inspires you to fight terrorism via social media?

Digita Shadow, Ghost Security Group: It is everyone’s responsibility to do what they can to combat extremism and to save lives if they have the capability to do so.

Have you been threatened?

Digita Shadow, Ghost Security Group: We receive multiple death threats on a daily basis.

What would you say if you were in a room with someone from the other side?

Reaper of GhostSec.org : If I were in a room with someone from the other side? I would say that the fight is against ISIS and not against others who fight ISIS.

Digita Shadow, Ghost Security Group : Every life that the Islamic State takes only serves to strengthen our determination and resolve.

We are the ghosts that they have created.

Categories: Activism, Anonymous, Breaking, Crews, Cyber, Cyberwar, France, Ghost Security Group, GhostSec, Hackers, Hacktivism, Interviews, ISIS, Jihad, News, OpISIS, Security, Social Media, Twitter, War