In the past few months, dozens of media outlets reported on a disturbing secret app being used by ISIS members to exchange secure messages. The media reports were based on one another, as well as the word of a volunteer hacking collective called Ghost Security Group (GSG). Another story has also made the rounds recently: that this same group, GSG, found information and used it to stop a mass terrorist attack. These are compelling, terrifying stories -- and they're both stories with many holes, from a strange and unverifiable source.
Is a group of strangers working for free to supplement government counterterrorism intelligence in a significant way, or is this collective pulling off a massive hoax? The story of Ghost Security Group only gets weirder the closer you look.
They're anonymous, not Anonymous
Many Ghost Security Group members used to work with Anonymous, including its ringleader, DigitaShadow. But GSG has pointedly distanced itself from Anonymous, as well as an Anonymous-affiliated group simply called Ghost Security, which also runs a digital campaign against ISIS.
At one point, Ghost Security and Ghost Security Group were one and the same, before they had a schism based on how to best wage their rogue anti-ISIS operation. Now they hate each other.
GSG seems to be courting legitimacy, and has already snagged credulous profiles in Foreign Policy and The Atlantic. It trademarked its name and discarded "the hoodies and Guy Fawkes masks" in a press release in November 2015. In its own words, GSG "uses the internet as a weapon," although it says it emphasises funnelling data to officials and not actually executing cyberattacks.
A GSG spokesperson says it has sixteen "operatives" in the US, Europe, the Middle East, and Asia, running a round-the-clock volunteer counterterrorism effort. These operatives collect data and pass it to DigitaShadow, who then decides what they should pass to the authorities.
DigitaShadow claims to feed the government data now, but he used to have a contentious relationship with authorities. In 2014, he was named a "malicious cyber actor" by the California State Threat Assessment Center for claiming to DoS attack law enforcement. But Tom Duffy, chair of the Multi-State ISAC of the Center for Internet Security, said the group had "not seen any activity from DigitaShadow since January 2015."
"DigitaShadow" image provided by Ghost Security Group
Anything DigitaShadow approves, the GSG spokesperson said, is "sent to Michael S. Smith II of Kronos Advisory which he in turn forwards the data to counterterror officials in the United States and abroad."
Smith, who founded the South Carolina-based Kronos in 2011, said he acts as a liaison between GSG and his government contacts, although he won't name any names. Smith (who often appears as a counter-terrorism pundit on Fox News and is quoted frequently in media reports about ISIS) has the connections, GSG has the information -- sounds like a convenient partnership for a small defence consulting firm like Kronos, since it outsources the actual intelligence-gathering to volunteers.
TorReaper, a member of the other Ghost Security, dismisses the rival group as frauds. "Those guys work exclusively through Smith because his company (Kronos Advisory) is the commercial vessel through which they sell their 'Intel'," TorReaper said, implying that GSG is actually a sort of shadowy intel subcontractor that commodifies the threats it discovers.
Smith readily admits that most of the "intel" collected by GSG comes from publicly available information on the internet, but denies that the group is working for Kronos.
He also denies that he is making any profit off GSG's work. "This is more akin to when attorneys do pro bono work," he told Gizmodo. "I saw a potential opportunity to help some people and make an impact, and I considered it a civic obligation when I saw the information."
While Smith is adamant that his liaison position with GSG is on a volunteer basis, separate from his job at Kronos, he does admit that he's open to possible intermingling in the future -- with the goal of generating revenue for the hacker collective. "I feel obligated to examine ways that I can help to generate some revenue for them and that project would basically be to put the data that they're collecting at the disposal of researchers that want more than just translations of propaganda materials," Smith said.
According to GSG, it isn't exclusive with Smith. The spokesperson told me that Smith isn't the group's only contact, but wouldn't provide the names of other partners. I asked if any members had considered joining government intelligence in an official capacity. "Several of our operatives have multiple contacts with governmental sources on a global scale however we are currently independent," the spokesperson said.
Is it bullshit?
At least one of the two major claims that put GSG in the news is clearly overblown. As the Daily Dot pointed out, there's a glaring problem with the whole "scary new ISIS encrypted messaging app" claim -- there's no evidence that the app, Alrawi, is a hotbed for terrorist activity, and all the media coverage claiming otherwise relied on bad information.
We've seen this sort of second-hand reporting before about how ISIS uses the internet. Remember those trumped-up claims about a 24/7 ISIS help desk that turned out to be nonsense?
GSG denies that the app is fake, though admits that it does not provide an encrypted messaging platform in the way media coverage claimed it did.
"The Alwari.apk does exist and we retain copies however when we were initially contacted in regards to that app we were in the middle of an analysis and found the app to only have Bluetooth file sharing abilities," the GSG spokesperson said. "This same developer has been found to be working on other projects as well however it is being investigated. Overall we feel he had ambitions to implement communications functions but lacked the technical capacity to do so. What we considered to be a small find the media hyped."
That hype could influence policymakers: House Homeland Security Committee chair Rep. Michael McCaul (R-Texas) used reports of an ISIS encrypted messaging app as an example of why encryption can become a dangerous tool. Politicians love to use sensational stories like "scary encrypted ISIS app" as bogeymen.
Meanwhile, that second claim, about straight-up helping to stop an ISIS attack? There is no evidence to support it, and the media reports on the incident all use Smith and GSG's statements as primary sources. The FBI has not confirmed this account, nor have any other government sources. There is no documentation at all that this happened beyond the word of Smith and GSG, and the media reports repeating those words.
The FBI did not respond to our requests for comment or questions about Ghost Security Group, though a spokesperson told Gizmodo "We do not normally comment" on intelligence sources.
It could be that the US government is using information pushed through unofficial side-channels and sourced by an unvetted international group of ex-Anonymous volunteers in its efforts against ISIS. Or we could be passing around the same handful of un-fact-checkable reports from a group that could secure lucrative consulting deals if Smith decides to roll its services into his business, basically doing pro bono PR work for a small defence consultancy.
In the absence of actual information about how the US government is conducting counter-terrorism intelligence to thwart ISIS, it's tempting to accept the morsels fed to us, especially when they're fed in such a fascinating and roguish package. That, of course, does not make them true.
Illustration by Jim Cooke