GhostSec: A conversation with the hacker who took down Taliban websites

This interview was conducted via a DM chat with the hacker who claimed to have brought down the Taliban website. Security blog Security Affair confirmed the takedown.

By Aveek Sen

An activist hacker group, GhostSec, has been taking down ISIS websites, monitoring propaganda and doxing its supporters. The group researched actual identities of those running IS propaganda and recruitment online. The identities are generally not made public by them for fear of alerting the jihadis. Instead, they are passed on to law enforcement agencies. Other popular instances of public doxing include IS supporters' celebratory tweets following the Brussels Terror Attacks.

I interviewed Paladin (@virussec) of GhostSec, who took down the 2 major official English-language Taliban websites – Shahamat and its video propaganda website.

I got some major insights from him. Abdulqahar Balkhi could be dead in the drone strike or may have moved deep underground for fear of further drone strikes, though the former is more likely. Taliban websites are hosted on Turkish servers and their preferred choice of webhost is Niobe.

India has only a few IS supporters or online trolls, numbering just 3-4. A major part of the credit goes to Indian law enforcement agencies and ISPs. At the same time, IS propaganda is pervasive and even common in online games played by children.

I routinely track terror and anti-terror cyber-ops. I came across this tweet by him from 17 May.

Update: Since the interview was conducted, Taliban online propagandist Abdulqahar Balkhi has tweeted from his account.

https://twitter.com/virussec/status/732484925044064256

Here are edited excerpts from the interview in Q&A format:

Does GhostSec take down terror websites by DoS attacks or by various infection methods? Which method was used to take down the Taliban website?

That depends on the website vulnerabilities. We will inject if possible, but the Taliban has been DDoSed for 7 days.

I remember when WikiLeaks came to light, then MasterCard, Visa and PayPal froze their accounts.

Yes, the Anonymous operation?

Such hacktivist operations help in stemming terrorist propaganda, online brainwashing and recruiting. How do you feel about doing this great service to mankind?

We are dedicated to stopping all barbaric groups related to terror and horror for the locals; peace is our goal and it keeps us going.

Yesterday as the Taliban's English website was taken down by you, they couldn't carry out propaganda to reach international media. Wouldn't it be easier if media didn't gullibly carry terrorist propaganda and spread panic?

I think it's good to let people know about the cruelty in most places, but most panic propaganda is unneeded. This website has been down 7 days and continuing. I agree that media should not carry out unneeded propaganda to an extent, but the cruelty and slaughtering need to be told.

A follow-up question on that. Let us game a scenario where the Taliban declare from their website that Mullah Mansour isn't dead and they are launching a counter operation under his leadership in, say, Helmand province. It would lead to panic among civilians and would make the job difficult for the Afghan army and NATO forces. If media judiciously runs news, won't that eliminate the need to take down Taliban propaganda websites?

Propaganda is not the only reason; we will interrupt as many Taliban services as we can.

Why aren't groups other than ISIS actively targeted? You alone have gone against the Taliban. Is it because ISIS cyber activities are sophisticated enough to need large counter ops? In other words, how sophisticated is ISIS in the cyber world, and are they being taken seriously enough by governments?

As a security team we are targeting all groups every day: Hamas, Al Qaeda, Shabaab. We are an international group gathering intel daily on terror groups as we can. I don't think the government is taking it seriously, or they would help remove this propaganda protected by US company Cloudflare.

GhostSec is regarded as an offshoot / splinter of Anonymous. You have yourself been part of Anonymous during Occupy Wall St. Would you like to tell the readers first hand the reasons for the split?

It depends; some members are labeled as Anonymous and some are just individuals. We do support certain Anonymous operations.

So there's dual membership and fluidity?

Between all members, yes.

Money/fund trails of terror organisations are a major backbone (other than recruiting)? Does GhostSec also investigate that?

If we get the intel leading to any terror funding we will investigate and take action.

Which specific websites were taken down by you? Only the official English website of the Taliban?

shahamat-english.com and shahamat-movie.com remain down. We have also attacked alemara.org and shahamat-arabic.com, but we stopped due to the pages not being as vital to the Taliban.

What about the following three websites: shahamat-farsi.com/, alemara1.org/ and alemarah-urdu.com/?

We may have future plans for them but as for now we are taking English away from them, forcing English readers to not be able to look at English propaganda on the official Taliban website. That will have an effect on the English media.

That still leaves Afghans, Pakistanis and Iranians able to read the propaganda. Also those who can read local languages…

Yes, we have attacked all languages connected to the Taliban, but they all resort to justpaste for propaganda. Only English remains down for weeks.

Justpaste?

Yes, since shahamat-english has been offline, they paste propaganda into paste bins and tweet them. With shahamat-movie.com offline as well, no one gets access to video media.

ISIS is known to use online brainwashing and subsequent recruitment in a big way. Has GhostSec come across similar attempts by the Taliban or prevented such attempts?

We have many people in Afghanistan providing us with intel about recruiting and terror groups, but as of this point we have not yet found a recruiting service of the Taliban.

On which date did you take down the 2 websites and how long do you plan to keep them down?

shahamat-english.com has been down for 7 days and will be down for another week or more, and shahamat-movie.com had been getting attacked for weeks before. Our research found that shahamat-movie.com was one of the main propaganda points, due to videos of terrorism and barbaric content.

Where were these 2 websites being hosted? Who was paying for it? Who was controlling it?

Both servers were hosted in Turkey. We believe https://twitter.com/balkhi_a is the admin of the website. He has not been active for a while, so we have thoughts he might even have been killed in the drone strike.

Who is trying to win back control of the 2 websites? Who was updating the website? @balkhi_a alone? From what location? Pakistan? Are any records available of where he was administering the website from?

We believe he does it from portable devices and is always on the move. This is the official website of the Taliban, so we believe leader Mansour also had access to the website and Twitter accounts.

Does GhostSec have records of the locations from where the portable devices accessed the Internet?

He may even be dead for all we know. At this point, he has not been active since the drone strike on the Taliban meeting.

Could he have moved deep underground for fear of further drone strikes?

I don't think he would be underground though; they are having another meeting shortly about the new leader.

Also, can you disclose the name of the Web hosting company that runs those servers in Turkey?

Taliban's choice of host: http://niobe.com.tr

What do you mean by free public networks?

Free VPN services. We have come across many ISIS supporters hiding behind free virtual private networks that are located in Saudi Arabia, Turkey, India and many places.

Could you share an exhaustive list of countries with the latest number/percentage of ISIS supporters? Else, may I use stats available from the likes of @pewresearch?

I can't confirm all are ISIS supporters, nor do I have the data to do it.

Is the most credible source Pew? US or NATO figures? Does Anonymous or GhostSec release such data? When you mention 3 countries and there's India, as I am writing for Indian media, people would be interested in more details. Like how actively has ISIS carried out online brainwashing in India? (With some stats to quote, or I can reference old news like the fact that Shami Witness was run by an Indian.)

We have found India to be one of the countries least affected by recruiting and propaganda, but we still have found very little traces leading to India. By very little, I mean like 3-4 people have been tracked back to India.

3-4 supporters you mean. (or recruitment?)

Supporters/trolls. Some people support it for a laugh and to try to be funny, so we don't investigate supporters as much as the official ISIS militants.

In India, many terror websites are filtered by ISPs. Is that a reason for the low number of (online) IS supporters in India?

IS supporters in India are at a low number but they are still there. ISP blocking can only stop a majority of locals from visiting these websites.

Does GhostSec feel Indian law enforcement are doing good work? Where should it improve – scope for improvements?

We think they are doing a good job, but more can be done. Cyberspace takes a big part in propaganda reaching India and other places, and they have tried preventing it, but like I say, more can be done.

Any specifics? That would help Indian law enforcement plug the deficiencies.

Countless loops, I have even seen propaganda getting sent through virtual online games for kids of all ages to see.

What's your view on privacy vs security? It is a raging debate at this time, and going against terrorists, you would be one of the best persons to answer it.

We value civil liberties but disregard a terrorist's rights to privacy because attacks have been thwarted by breaching the Taliban.
Published Date: May 26, 2016 06:07 pm | Updated Date: May 26, 2016 06:07 pm