GCHQ used 'lurl.me' URL shortening service to attack and track targets in the Middle East

Hackers compromised and activists tracked by GCHQ-built online tool

British intelligence were able to track activists operating in the Middle East - by following the URL shorteners they used to post links online.

GCHQ's covert Joint Threat Research Intelligence Group (JTRIG) team created its own URL shortening service, called lurl.me, to disseminate articles as well as to identify and track activists. It was also able to use the service for 'campaign management', tracking the success or otherwise of links to articles and other propaganda disseminated during the so-called Arab Spring.

The suggestion was made by Mustafa al-Bassam, aka tFlow, co-founder of the LulzSec hacking crew. JTRIG, according to al-Bassam, was attempting to influence elections in Iran and boost the revolutionary movement in Syria - claims he says are based on first-hand experience as part of the LulzSec 'crew' attacked by JTRIG, as well as documents leaked by NSA whistleblower Edward Snowden.

Started in 2009, the lurl.me service was discontinued in 2013 after the Snowden disclosures. Al-Bassam, meanwhile, shifted from hacker to consultant in March.

Al-Bassam claims that GCHQ used the lurl.me service in a variety of covert campaigns, but typically as a hook to mask links to malicious sites that would use flaws in web browsers and other software to download malware onto targets' PCs.

The hacker-turned-consultant claims that a fellow hacker going by the name of P0ke was compromised in this way.

However, its main focus was the Iranian elections in 2009 and the early stages of the uprising in Syria in 2011. According to al-Bassam's research, GCHQ used a number of Twitter accounts to disseminate information via the lurl.me URL shortener, with the Twitter accounts typically only tweeting between 9am and 5.30pm GMT.

The Twitter account and associated lurl.me links promoted, in particular, two proxies for Syrians to use when the government there blocked the internet. "Al-Bassam makes the connection between these proxies and the GCHQ Molten-Magma hacking tool, a CGI HTTP proxy with the ability to log all traffic and perform HTTPS man-in-the-middle attacks, snooping on encrypted traffic," according to one report.

The Arab Spring broke out in Tunisia in 2010 and rapidly spread to other countries in the Middle East, including Libya, Egypt and Syria. While the protests were initially against corruption and in favour of more democracy, the instigator was the rise in food prices in 2009 and 2010, which drastically eroded many people's real earnings.