GCHQ officials discuss plans to use open source discussions among hackers to improve their own knowledge, according to top secret documents leaked by Edward Snowden. “Analysts are potentially missing out on valuable open source information relating to cyber defence because of an inability to easily keep up to date with specific blogs and Twitter sources,” notes one document.
GCHQ created a program called LOVELY HORSE to monitor and index public discussion by hackers on Twitter and other social media. The Twitter accounts designated for collection in the 2012 document:
These accounts represent a cross section of the hacker community and security scene. In addition to monitoring multiple accounts affiliated with Anonymous, GCHQ monitored the tweets of Kevin Mitnick, who was sent to prison in 1999 for various computer- and fraud-related offenses.
The U.S. Government once characterized Mitnick as one of the world’s most villainous hackers, but he has since turned security consultant and exploit broker.
Among others, GCHQ monitored the tweets of reverse engineer and Google employee Thomas Dullien. Fellow Googler Tavis Ormandy, of Google's vulnerability research team Project Zero, is featured on the list, along with other well-known offensive security researchers, including Metasploit's HD Moore and James Lee (aka Egypt), together with Dino Dai Zovi and Alexander Sotirov, who at the time both worked for the New York-based offensive security company Trail of Bits (Dai Zovi has since taken up a position at the payment company Square). The list also includes the noted anti-forensics and operational security expert "The Grugq".
GCHQ monitored the tweets of former NSA employees Dave Aitel and Charlie Miller, and former Air Force intelligence officer Richard Bejtlich, as well as the French exploit vendor VUPEN (which sold a one-year subscription to its binary analysis and exploits service to the NSA in 2012).
The GCHQ document states that the agency "currently ha[s] a list of around 60 blog and Twitter sources" that were identified by analysts for collection. A prototype of the LOVELY HORSE program ensured that "Twitter and (subject to legal/security approval) blog content [was] manually scraped and uploaded to GCDesk." A later version would upload content in real time.
Several of the accounts to be mined for expertise are associated with the hacktivist collective Anonymous. Documents previously published by The Intercept reveal extensive, and sometimes extreme, tactics employed by GCHQ to infiltrate, discredit and disrupt that group. The agency employed some of the same hacker methods against Anonymous (e.g., mass denial-of-service attacks) as governments have prosecuted Anonymous for using.
A separate GCHQ document details the open-source sites monitored and collected by the agency, including blogs, websites, chat venues and Twitter. It describes Twitter monitoring undertaken for “real-time alerting to new security issues reported by known security professionals, or planned activity by hacking groups, e.g. Anonymous.” The agency planned to expand its monitoring and aggregation program to a wide range of web locations, including IRC chat rooms and Pastebin, where “an increasing number of tip-offs are coming from . . . as this is where many hackers anonymously advertise and promote their exploits, by publishing stolen information.”
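The workflow the documents describe (a watchlist of known sources, scraped posts indexed into a searchable store, and alerts raised on new security issues or exploit advertisements) is, stripped of the scale and the legal approvals, a small OSINT pipeline that a defensive team could build for itself. The following is an added illustration written for this page, not GCHQ code and not from the leaked documents: the watchlist handles, the posts and the `WatchlistMonitor` class are all constructed here, and the alerting rules (CVE identifiers, a short keyword list) are an assumed, deliberately simple stand-in for whatever analysts actually used. It runs offline on the inline sample posts.

```python
"""Watchlist-driven monitor for public security chatter (added example).

Constructed for illustration only; it is not GCHQ's LOVELY HORSE code.
Models the described loop: watchlist of sources -> collect posts ->
index them -> alert on posts that look like new security issues.
"""
import re
from dataclasses import dataclass

# Hypothetical watchlist: platform -> set of handles worth collecting from.
WATCHLIST = {
    "twitter": {"researcher_a", "researcher_b"},
    "pastebin": {"anon_poster"},
}

# Assumed alerting rules: CVE identifiers and a few exploit/leak keywords.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
KEYWORD_RE = re.compile(
    r"\b(0day|0-day|zero-day|exploit|rce|poc|dump|leak(?:ed)?)\b", re.IGNORECASE
)


@dataclass(frozen=True)
class Post:
    platform: str
    author: str
    post_id: str
    text: str


@dataclass
class Alert:
    post: Post
    reasons: tuple  # human-readable reasons the post was flagged


def tokenize(text):
    """Lowercase word tokens; keeps hyphenated forms such as cve-2014-0160."""
    return set(re.findall(r"[a-z0-9][a-z0-9\-]*", text.lower()))


class WatchlistMonitor:
    def __init__(self, watchlist):
        self.watchlist = {p: {a.lower() for a in auth} for p, auth in watchlist.items()}
        self.seen = set()   # (platform, post_id) already processed
        self.index = {}     # term -> list of (platform, post_id)

    def in_scope(self, post):
        """Only posts from watchlisted handles on that platform are collected."""
        return post.author.lower() in self.watchlist.get(post.platform, set())

    def classify(self, post):
        """Return the reasons a post should raise an alert (empty if none)."""
        reasons = []
        cves = sorted({m.upper() for m in CVE_RE.findall(post.text)})
        if cves:
            reasons.append("cve:" + ",".join(cves))
        words = sorted({m.lower() for m in KEYWORD_RE.findall(post.text)})
        if words:
            reasons.append("keywords:" + ",".join(words))
        return tuple(reasons)

    def ingest(self, posts):
        """Process one batch (a scrape, or a real-time stream chunk).

        Out-of-scope and already-seen posts are dropped; the rest are
        indexed, and those matching the rules come back as alerts.
        """
        alerts = []
        for post in posts:
            if not self.in_scope(post):
                continue
            key = (post.platform, post.post_id)
            if key in self.seen:
                continue
            self.seen.add(key)
            for term in tokenize(post.text):
                self.index.setdefault(term, []).append(key)
            reasons = self.classify(post)
            if reasons:
                alerts.append(Alert(post, reasons))
        return alerts

    def search(self, term):
        """Look up which collected posts mention a term (e.g. a CVE id)."""
        return list(self.index.get(term.lower(), []))


# Constructed sample posts; the CVE below is the real OpenSSL Heartbleed id.
SAMPLE_POSTS = [
    Post("twitter", "researcher_a", "1",
         "New advisory: CVE-2014-0160 affects OpenSSL heartbeat; PoC coming"),
    Post("twitter", "random_user", "2", "Selling 0day for popular CMS"),
    Post("twitter", "researcher_b", "3", "Conference talk slides are up, nothing to see"),
    Post("pastebin", "anon_poster", "4", "Dump of leaked credentials from example.org"),
    Post("twitter", "researcher_a", "1",
         "New advisory: CVE-2014-0160 affects OpenSSL heartbeat; PoC coming"),
]

if __name__ == "__main__":
    monitor = WatchlistMonitor(WATCHLIST)
    for alert in monitor.ingest(SAMPLE_POSTS):
        print(alert.post.platform, alert.post.author, alert.reasons)
    print("mentions of CVE-2014-0160:", monitor.search("cve-2014-0160"))
```

Two of the five sample posts produce alerts: the watchlisted researcher's CVE advisory and the Pastebin dump. The 0day sale is dropped because its author is not on the watchlist, which is exactly the trade-off the documents describe when the agency talks about expanding beyond named sources to venues such as Pastebin and IRC, where the interesting posts come from accounts nobody has listed yet. The duplicate post is dropped by the seen-set, so re-running a scrape does not re-alert.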