Your Source for Leaks Around the World!

LOVELY HORSE: GCHQ Program Monitored Hacker/InfoSec Community on Social Media

In Anonymous, Archive, GCHQ, Hacking, InfoSec, NSA Files, Surveillance on February 16, 2015 at 1:54 AM



Glenn Greenwald/TheIntercept:

GCHQ officials discuss plans to use open source discussions among hackers to improve their own knowledge, according to top secret documents leaked by Edward Snowden. “Analysts are potentially missing out on valuable open source information relating to cyber defence because of an inability to easily keep up to date with specific blogs and Twitter sources,” notes one document.

GCHQ created a program called LOVELY HORSE to monitor and index public discussion by hackers on Twitter and other social media. The Twitter accounts designated for collection in the 2012 document:


These accounts represent a cross section of the hacker community and security scene. In addition to monitoring multiple accounts affiliated with Anonymous, GCHQ monitored the tweets of Kevin Mitnick, who was sent to prison in 1999 for various computer and fraud related offenses.

The U.S. Government once characterized Mitnick as one of the world’s most villainous hackers, but he has since turned security consultant and exploit broker.

Among others, GCHQ monitored the tweets of reverse-engineer and Google employee, Thomas Dullien. Fellow Googler Tavis Ormandy, from Google’s vulnerability research team Project Zero, is featured on the list, along with other well known offensive security researchers, including Metasploit’s HD Moore and James Lee (aka Egypt) together with Dino Dai Zovi and Alexander Sotirov, who at the time both worked for New York-based offensive security company, Trail of Bits (Dai Zovi has since taken up a position at payment company, Square). The list also includes notable anti-forensics and operational security expert “The Grugq”.

GCHQ monitored the tweets of former NSA agents Dave Aitel and Charlie Miller, and former Air Force intelligence officer Richard Bejtlich as well as French exploit vendor, VUPEN (who sold a one year subscription for its binary analysis and exploits service to the NSA in 2012).

The GCHQ document states that they “currently have a list of around 60 blog and Twitter sources” that were identified by analysts for collection. A prototype of the LOVELY HORSE program ensured that “Twitter and (and subject to legal/security approval) blog content [was] manually scraped and uploaded to GCDesk.” A later version would upload content in real time.

Several of the accounts to be mined for expertise are associated with the hactivist collective Anonymous. Documents previously published by The Intercept reveal extensive, and sometimes extreme, tactics employed by GCHQ to infiltrate, discredit and disrupt that group. The agency employed some of the same hacker methods against Anonymous (e.g., mass denial of service) as governments have prosecuted Anonymous for using.

A separate GCHQ document details the open-source sites monitored and collected by the agency, including blogs, websites, chat venues and Twitter. It describes Twitter monitoring undertaken for “real-time alerting to new security issues reported by known security professionals, or planned activity by hacking groups, e.g. Anonymous.” The agency planned to expand its monitoring and aggregation program to a wide range of web locations, including IRC chat rooms and Pastebin, where “an increasing number of tip-offs are coming from . . . as this is where many hackers anonymously advertise and promote their exploits, by publishing stolen information.”


  1. […] des britischen GCHQ. Dabei wurden offenbar mehr oder weniger willkürliche Twitter-Accounts als “verdächtig“ geführt – unter anderem Nutzer wie der Security-Researcher H.D. Moore, siehe […]


  2. Somebody at GCHQ is a Father Ted fan!


  3. Reblogged this on Floating-voter.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: