Activist hackers battle ISIS in cyberspace

Islamic State of Iraq and Syria (ISIS) sympathizers using social media to spread propaganda and recruit fighters are now drawing an increasing amount of return fire from activists who have been knocking some sites offline and infiltrating others.

The loose hacking collective Anonymous is the latest to draw attention to such campaigns, with members claiming credit this week for having thousands of pro-ISIS Twitter accounts disabled.

But others claim to have been doing more for longer. One group that feeds information to the U.S. government says it has suppressed tens of thousands of Twitter accounts since January, and its members have posed as would-be recruits to gain information on so-called Dark Web operations supporting the ISIS.

“We’re playing more of an intelligence role,” said the executive director of Ghost Security Group, who declined to be named, citing security concerns. The group is a volunteer organization that has been sending data to the FBI and other agencies via a Congressional terrorism adviser, Michael S. Smith II.

Smith said the group’s infiltration efforts had given some actionable information to the government, and that coordinated complaints to Twitter had helped push ISIS supporters elsewhere.

U.S. agencies “appreciate the outside support. I have constant feedback to that,” Smith said. Retired Gen. David Petraeus recently told Foreign Policy he had reviewed Smith’s data and saw how it “would be of considerable value to those engaged in counter-terrorism initiatives.”

The FBI declined to comment.

Smith, chief operating officer of defense contractor Kronos Advisory, said Ghost Security Group contacted him in June and provided screenshots of internal communications about an impending attack in Tunisia, which he said he passed along and which helped break up a militant cell in time.

The Paris attacks on Friday have brought an increase in online activity against the jihadists, but freelance efforts to counter the group online remain fraught with hazards.

Civilian hacking and denial-of-service attacks, which overwhelm a website or other outlet with meaningless traffic, are illegal no matter what the target. The most sophisticated and potentially helpful efforts - including impersonating a recruit - run the greatest risk of complicating official efforts by the U.S. or allied governments.

Retired U.S. Gen. Mike Hayden, former head of the National Security Agency and the Central Intelligence Agency, when asked whether such agencies appreciate the activities of organizations such as Ghost Security Group, said: “Officially, no. But U.S. law and policy are so constraining, I am sure the folks currently in government take secret pleasure in it, as I do.”

The easiest thing for volunteers to do is complain to Twitter, Google‘s YouTube and Facebook Inc. about accounts supporting terrorism. All three have gotten more responsive in the past year, activists said, although all declined to discuss details on the record.

Facebook this year banned any praise of “terrorist” groups on its site. YouTube now acts to take down violent videos within hours, Ghost Security Group said.

At Twitter, Ghost Security Group and an affiliate now circulate lists of problem accounts. Ordinary users who see those lists can then complain about those accounts, getting them suspended more quickly than if the groups were acting alone.

“More accounts are being taken down,” said J.M. Berger, a Brookings Institution expert on ISIS. “I do think the majority of the reporting is being done by groups like Anonymous and Ghost Security. But there are other initiatives, including the Counter Extremism Project and the Sawab Center, which are contributing to reporting efforts.”

Berger said the efforts were helping to keep the ISIS’s Twitter audience “about flat, which I think is positive.”

The pressure on Twitter is one reason that ISIS has moved a lot of its broadcast communication to Telegram, which opened a “channels” service that lets a participant reach thousands of viewers, Berger and other security experts said.

The Ghost Security Group leader, who uses the moniker DigitaShadow, said that his group was still gathering information on Telegram.

In other cases, he said websites were taken down after his group’s researchers notified the hosting provider. In a few cases, the group arranged denial-of-service attacks.

But he said the guidance coming back to him through Smith was generally away from such brute-force methods.

“We’ve backed down from denial-of-service and moved toward intelligence collection,” he said.