Did UK spies target activists during Kenya's 2013 elections?
Cybersecurity researcher and former hacktivist Mustafa Al-Bassam says he has uncovered evidence of British intelligence agencies covertly monitoring and spying on dissidents and human rights organisations in the run-up to the 2013 national elections in Kenya.
Material has emerged which purports to show British spies tracking and identifying Kenyan dissidents who were active during the 2013 national elections in Kenya.
Evidence was discovered by tracing the Twitter activity of accounts known to be related to Government Communications Headquarters (GCHQ), the UK agency in charge of intelligence-gathering, and specifically the Joint Threat Research Intelligence Group (JTRIG). The department’s involvement was suspected owing to the repeated tweeting of links from a URL shortener hosted at the web address lurl.me.
Archive image of the now defunct URL shortener lurl.me. The name is strikingly similar to ‘lure me’.
Al-Bassam, a former member of the LulzSec hacktivist group, says he spotted the URL shortener among a list of websites said to have been hosted by the organisation. This struck him as worrying given that earlier leaked documents from GCHQ mentioned a URL shortener code-named “Deadpool”. Deadpool was designed to allow the agency to overcome internet users’ efforts to anonymise themselves and to uncover the identity of users who clicked on links from the site.
In order to bait Kenyan dissidents, website links were posted through so-called ‘sock puppet’ social media personas, fake accounts run by GCHQ that were designed to appear like normal users. These were then retweeted by default Twitter accounts with no avatar or personal information included, the purpose of which was probably to create the impression of a large network. Al-Bassam says he was able to identify the activity of intelligence services by reverse-engineering the process which led to his identification and indictment as a member of LulzSec, with the help of information leaked in 2013 from the US National Security Agency (NSA).
Another clue that links lurl.me to GCHQ activity is that tweets using the lurl.me shortener were only made Monday-Friday 9am-5pm UK time, as shown by this graph.
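The working-hours clue can be checked by converting each tweet's UTC timestamp to UK wall-clock time, allowing for the GMT/BST switch, and measuring how much activity falls inside Monday to Friday, 9am-5pm. This is an added example, not code from Al-Bassam's research; the timestamps are constructed and the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample timestamps (UTC); not taken from the real tweet archive.
SAMPLE = [
    "2012-07-10T08:30:00Z",  # Tue, 09:30 BST
    "2012-01-10T08:30:00Z",  # Tue, 08:30 GMT
    "2012-07-10T15:59:00Z",  # Tue, 16:59 BST
    "2012-07-10T16:05:00Z",  # Tue, 17:05 BST
    "2013-02-23T12:00:00Z",  # Sat, 12:00 GMT
    "2013-03-04T09:00:00Z",  # Mon, 09:00 GMT
]

def clock_change(year, month):
    """Last Sunday of March/October at 01:00 UTC, when UK clocks change."""
    d = datetime(year, month, 31, 1, tzinfo=timezone.utc)
    return d - timedelta(days=(d.weekday() + 1) % 7)

def to_uk_local(ts_utc):
    """Convert an aware UTC datetime to naive UK wall-clock time.

    The BST rule is coded by hand so the example needs no tz database.
    """
    bst = clock_change(ts_utc.year, 3) <= ts_utc < clock_change(ts_utc.year, 10)
    offset = timedelta(hours=1) if bst else timedelta(0)
    return (ts_utc + offset).replace(tzinfo=None)

def in_office_hours(ts_utc):
    """True if the moment falls Monday-Friday, 09:00-16:59 UK time."""
    local = to_uk_local(ts_utc)
    return local.weekday() < 5 and 9 <= local.hour < 17

def office_hours_profile(timestamps):
    """Return (share of posts inside UK office hours, posts outside them)."""
    outside = []
    for raw in timestamps:
        ts = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ")
        if not in_office_hours(ts.replace(tzinfo=timezone.utc)):
            outside.append(raw)
    share = 1 - len(outside) / len(timestamps)
    return share, outside

if __name__ == "__main__":
    share, outside = office_hours_profile(SAMPLE)
    print(f"{share:.0%} inside UK office hours; outside: {outside}")
```

A share close to 100% across hundreds of posts, as described for the lurl.me tweets, is the pattern of interest; ordinary accounts spread into evenings and weekends.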
Between 2009 and 2013, lurl.me links were posted to individuals and group chats to act as ‘honeypot’ traps. When an individual clicked on the link, it was possible for GCHQ intelligence services to track down the Internet Protocol (IP) address of the computer they used, regardless of any precautions they had taken. The IP address could then be used to locate and identify the user, by linking their computer to their Facebook or other social media accounts.
Archiving on Twitter reveals that the lurl.me shortener was used in between 150 and 200 separate instances, all of them revolving around political unrest in the Middle East and, on one visible occasion, in Kenya. As well as targets linked to the 2013 Kenyan elections, Mustafa says that the majority of tweets were directed towards Iranian, Syrian and Bahraini protestors.
One Kenyan individual who appears to have been targeted by a link from lurl.me is Abdullahi Hassan, an Associate for Human Rights Watch’s Africa Division. Hassan tweeted a lurl.me link in 2013, suggesting that British intelligence may have targeted prominent organisations and NGOs as well as individual dissidents.
Following the release of the secret NSA files in 2013 by Edward Snowden, it appears that intelligence officials undertook a purge of all their related websites and social media accounts, taking down the lurl.me website and deleting the associated Twitter accounts. What information has been recovered since then was hosted in archives and on other accounts.
In 2013 Abdullahi Hassan tweeted a link to a news article using the lurl.me address. Al-Bassam speculates that he may have been sent the link in a private message from a GCHQ official.
In 2013 Abdullahi Hassan tweeted a link to a news article using the lurl.me address. It is most likely that he was sent the link in a private message from a GCHQ official.
In tracking down the server that was used to host the lurl.me web address, Mustafa Al-Bassam claims to have recovered a list of other now-defunct websites relating to GCHQ. One of them was a fake tourist website based in Kenya called Dunesadventure.net. The purpose of this site is currently unclear, although it is believed to have been used to lend legitimacy to a related Twitter account. Its existence could suggest that GCHQ was involved in numerous intelligence-gathering missions focused on the Kenyan state.
These fresh revelations show the extent and breadth of British spying activity. Mainstream media sources these days most commonly associate ‘Twitter-bots’ and misinformation with Russian spying tactics. Mustafa’s research reveals that this tactic is also being used by Western states to interfere with other democracies. The motivations for GCHQ’s actions are unclear, although their selection of targets could suggest that they were working in cahoots with the Kenyan establishment.
These fresh revelations raise further questions about British involvement in the disputed Kenyan elections of 2017. Msomi has reached out to Mustafa Al-Bassam and Abdullahi Hassan for further information. Mustafa Al-Bassam’s original 2016 presentation can be found here.