Showing posts with label UK. Show all posts

To Syria and Back

Saturday, 16 September 2017


It was a quiet night until the bombs began crashing out of the sky. Only a few minutes earlier, on the roof of a gray, single-story building not far from the city of Manbij in northern Syria, Josh Walker had been peacefully sleeping. Now the walls were collapsing beneath him, he was surrounded by fire, and his friends were dead.

Walker, a 26-year-old university student from Wales in the United Kingdom, was in Syria volunteering with the People’s Protection Units, or YPG, a Kurdish-led militia that has been a leading force in the ground battle against the Islamic State. He had made the long journey to Syria after flying out of a London airport on a one-way ticket to Istanbul, appalled by the Islamic State’s brutal fascism and inspired by the YPG’s democratic socialist ideals.

Over the course of six months last year, Walker learned to speak Kurdish and shoot AK-47 assault rifles. He trained and fought alongside militia units made up of Kurds, Arabs, and young American, Canadian, and European volunteers. He faced Islamic State suicide bombers in battle and helped the YPG as it advanced toward Raqqa, the capital of the extremist group’s self-declared “caliphate.”

In late December, Walker returned to London. There was no welcome home party waiting to greet him. Instead, there were three police officers at the airport who swiftly arrested him. The officers took him into custody, interrogated him, searched his apartment, and confiscated his laptop and notebooks. After risking his life to fight against the Islamic State, Walker was charged under British counterterrorism laws — not directly because of his activities in Syria, but because the police had found in a drawer under his bed a partial copy of the infamous “Anarchist Cookbook,” a DIY explosives guide published in 1971 that has sold more than 2 million copies worldwide.

The case against Walker is highly unusual. He is the first anti-Islamic State fighter to be prosecuted by British authorities under terrorism laws after returning to the U.K., and he appears to be the only person in the country who has ever faced a terror charge merely for owning extracts of the “Anarchist Cookbook.” The authorities have not alleged that he was involved in any kind of terror plot; rather, they claim that because he obtained parts of the “Cookbook” — which is freely available in its entirety on the internet — he collected information “of a kind likely to be useful to a person committing or preparing an act of terrorism.”

Walker is due to go to trial in October, where in the worst-case scenario he could be sentenced to up to 10 years in prison. Until then, he is free on bail, living with his mother and working part time as a kitchen porter in a restaurant. In an interview with The Intercept, he talked in-depth about his experiences in Syria and shared stories about the harrowing scenes he witnessed on the front line, which have profoundly affected his life. He also discussed for the first time the British government’s charges against him, which have not previously been publicized due to court-ordered reporting restrictions that have prevented news organizations in the U.K. from disclosing information about the background of his case. A judge lifted the restrictions late last month.

**

The sun is beating down on a hot summer’s day in Bristol, the largest city in southwest England, with a population of about 449,000. Outside a derelict former electronics store on a busy residential street in the St. Werburgh’s area of the city, Josh Walker is waiting. He is thin, about 5 foot 9 with a thick head of wavy, dark brown hair, wearing a faded green T-shirt, black trousers, and sneakers, and carrying a white plastic bag. We walk to a nearby park, where Walker pulls out two cans of cold beer from his bag, lights a cigarette, and begins explaining how he wound up on a journey to fight the Islamic State in Syria.

After leaving high school at age 18 in 2009, Walker had a variety of temporary jobs — he worked in construction, in gardening, and in an office as a volunteer for a politician who would later become the mayor of Bristol. In 2014, he decided to enroll at a university in Aberystwyth in Wales, about 130 miles west of Bristol, and he began studying for a degree in international politics and strategic studies.

As an avid follower of global affairs, Walker had been keeping a close eye on the fallout from the Arab Spring — the democratic uprisings that in late 2010 spread across the Middle East and North Africa. By 2016, the major unrest in most of the countries — like Tunisia, Yemen, Bahrain, and Egypt — had largely petered out. In Syria, however, the demonstrations evolved into a full-blown civil war and led to the worst humanitarian crisis since World War II.

What began as protests against the tyrannical leadership of Bashar al-Assad morphed into something far more complex, with a multitude of warring militias fighting one another to gain control of territory across the country. Islamist extremists were quick to capitalize on the chaos. The Islamic State group, which had previously been active primarily in Iraq, entered into the fray and took control of large swaths of Syria through 2013 and 2014, imposing strict Islamic rules and draconian punishments for anyone who disobeyed.

At university, Walker had watched it all unfold and discussed the events with his friends and professors. But he was not content to view the crisis on television as a passive observer. He wanted to help.

“I had enough of talking about history while it was being made,” he recalls. “I couldn’t just let it play out without being involved somehow and without seeing it for myself.”

So he hatched a secret plan to travel to Syria.

Operation Socialist

Friday, 20 March 2015

When the incoming emails stopped arriving, it seemed innocuous at first. But it would eventually become clear that this was no routine technical problem. Inside a row of gray office buildings in Brussels, a major hacking attack was in progress. And the perpetrators were British government spies.

It was in the summer of 2012 that the anomalies were initially detected by employees at Belgium’s largest telecommunications provider, Belgacom. But it wasn’t until a year later, in June 2013, that the company’s security experts were able to figure out what was going on. The computer systems of Belgacom had been infected with a highly sophisticated malware, and it was disguising itself as legitimate Microsoft software while quietly stealing data.

Last year, documents from National Security Agency whistleblower Edward Snowden confirmed that British surveillance agency Government Communications Headquarters was behind the attack, codenamed Operation Socialist. And in November, The Intercept revealed that the malware found on Belgacom’s systems was one of the most advanced spy tools ever identified by security researchers, who named it “Regin.”

The full story about GCHQ’s infiltration of Belgacom, however, has never been told. Key details about the attack have remained shrouded in mystery—and the scope of the attack unclear.

Now, in partnership with Dutch and Belgian newspapers NRC Handelsblad and De Standaard, The Intercept has pieced together the first full reconstruction of events that took place before, during, and after the secret GCHQ hacking operation.

Based on new documents from the Snowden archive and interviews with sources familiar with the malware investigation at Belgacom, The Intercept and its partners have established that the attack on Belgacom was more aggressive and far-reaching than previously thought. It occurred in stages between 2010 and 2011, each time penetrating deeper into Belgacom’s systems, eventually compromising the very core of the company’s networks.

Snowden told The Intercept that the latest revelations amounted to unprecedented “smoking-gun attribution for a governmental cyber attack against critical infrastructure.”

The Belgacom hack, he said, is the “first documented example to show one EU member state mounting a cyber attack on another…a breathtaking example of the scale of the state-sponsored hacking problem.”

Publicly, Belgacom has played down the extent of the compromise, insisting that only its internal systems were breached and that customers’ data was never found to have been at risk. But secret GCHQ documents show the agency gained access far beyond Belgacom’s internal employee computers and was able to grab encrypted and unencrypted streams of private communications handled by the company.

Belgacom invested several million dollars in its efforts to clean up its systems and beef up its security after the attack. However, The Intercept has learned that sources familiar with the malware investigation at the company are uncomfortable with how the clean-up operation was handled—and they believe parts of the GCHQ malware were never fully removed.

The revelations about the scope of the hacking operation will likely alarm Belgacom’s customers across the world. The company operates a large number of data links internationally, and it serves millions of people across Europe as well as officials from top institutions including the European Commission, the European Parliament, and the European Council. The new details will also be closely scrutinized by a federal prosecutor in Belgium, who is currently carrying out a criminal investigation into the attack on the company.

Sophia in ’t Veld, a Dutch politician who chaired the European Parliament’s recent inquiry into mass surveillance exposed by Snowden, told The Intercept that she believes the British government should face sanctions if the latest disclosures are proven.

“Compensating Belgacom should be the very least it should do,” in ’t Veld said. “But I am more concerned about accountability for breaking the law, violating fundamental rights, and eroding our democratic systems.”

Other similarly sophisticated state-sponsored malware attacks believed to have been perpetrated by Western countries have involved Stuxnet, a bug used to sabotage Iranian nuclear systems, and Flame, a spy malware that was found collecting data from systems predominantly in the Middle East.

What sets the secret British infiltration of Belgacom apart is that it was perpetrated against a close ally—and is backed up by a series of top-secret documents, which The Intercept is now publishing.

GCHQ declined to comment for this story, and insisted that its actions are “necessary, legal, and proportionate.”

A New Cold War?

Friday, 9 December 2011


Chanting “death to England,” they burned the Union Jack, looted offices and smashed a picture of the Queen. It could scarcely have been a more symbolic protest. Outside the British embassy in Iran’s capital city, Tehran, a furious crowd gathered last week to demand the UK’s diplomats leave the country immediately. “Britain should wait for the coming moves of the great Iranian nation, which intends to settle an old score with Britain for years of plotting against Iran,” said the protesters, who some claimed had been put up to the task by their government. “We will not come short of our righteous demands.”

The story that led up to the incident reads like the plot of an elaborate spy thriller. Rooted in fear and intense diplomatic wrangling around the Islamic Republic’s nuclear ambitions, it is a murky world of assassination plots, secret agents and covert operations that many believe could be a prelude to military strikes.

Ever since the Iranian Revolution in 1979, which saw the authoritarian, American-backed ruler Mohammad Reza Pahlavi overthrown as part of a popular uprising, relations between the west and Iran have been fraught. Pahlavi had been installed in 1953, historic documents show, as part of a coup involving UK and US secret intelligence operatives amid the Cold War.

Once the new regime came into power after Pahlavi’s departure, Iran, a newly crowned Islamic state, became increasingly isolated. Western nations imposed severe economic sanctions on the country over allegations that it was funding terrorist groups, with billions of dollars worth of assets frozen. A series of conflicts in the region throughout the 1980s saw Britain and America supply weapons – some chemical and biological – to Saddam Hussein’s regime during the Iran-Iraq war, and during the same period the US shot down an Iranian passenger plane, killing 290 civilians.

In recent years, the bitterness between the west and Iran has reached a new and unprecedented level. A pivotal moment came in 2002 – the same year George W. Bush famously declared Iran was a key player in his “Axis of Evil” – when an Iranian dissident revealed the existence of a secret underground uranium enrichment facility, leading to claims the country was attempting to develop nuclear weapons.

This was followed last month by a significant new report published by the International Atomic Energy Agency, the United Nations’ nuclear watchdog. Listing a large appendix of previously unpublished evidence sourced from ten international intelligence agencies, the report concluded there were “possible military dimensions” to Iran’s nuclear programme, which it said caused "deep concern."

Some have doubted the credibility of the findings, with the “dodgy dossier” used to justify the invasion of Iraq in 2003 still a fresh memory. But Emily Landau, an Iran expert at Israel's Institute for National Security Studies, believes this time the threat is real.

“There is serious incriminating evidence that makes it clear we’re talking about a virtual smoking gun with regards to Iran’s military programme,” she says. “Once Iran becomes a nuclear state, it will become almost invulnerable to attack. And it will be able to stir up a lot of trouble in the Gulf region. It will try to expand its clutch very soon.”

Iran has repeatedly denied claims it is trying to build a nuclear bomb, with its president, Mahmoud Ahmadinejad, saying it is an “inhumane weapon” that is against the Islamic religion. According to Landau, however, the regime’s words cannot be trusted.

“For 20 years Iran was cheating, lying and deceiving the international community, working on a nuclear programme while it was a member of the nuclear non-proliferation treaty,” she says. “There is evidence that they were working on a military programme, under government direction, until 2003.”

A major concern for western governments is that, if Iran were to develop nuclear weapons, it would be able to assert domineering power across the Middle East and beyond, ramping up instability and heightening the potential threat of war. This fear is in part fuelled by a speech made by Ahmadinejad in 2005, in which he said Israel “must be wiped off the map.”

Attempting to address the problem, and due in part to Iran’s apparent lack of cooperation, a coalition of nations, led by the US, Britain and Israel, are believed to have intensified secret intelligence operations in the country. In September 2010 it was revealed that a virus called Stuxnet, reportedly created by western powers in collaboration with Israel, was used to attack and spy on Iranian computer systems. One month later, John Sawers, the head of Britain’s foreign spy agency MI6, said in a rare public speech that “intelligence-led” operations were needed to prevent Iran from developing nuclear weapons.

More recently, a series of explosions have been reported at Iranian nuclear plants, sparking rumours of sabotage, while a number of Iranian nuclear scientists have also been assassinated. 40-year-old Majid Shahriari, a top scientist described by Time magazine as the “senior manager of Iran's nuclear effort,” was killed last November after a death squad on motorbikes attached a bomb to his car and detonated it as he drove away. Similar attacks have occurred since, all of which the Iranians claim were orchestrated by MI6 in collaboration with the US Central Intelligence Agency (CIA) and Israel’s secret service, the Mossad. UK officials have refused to comment, saying only: “We never discuss intelligence matters.”

Though current intelligence missions remain a tight-lipped secret, David Steele is well equipped to offer an insight into the realities of espionage. The 59-year-old former US spy worked for the CIA during the 1980s as a clandestine case officer, “chasing terrorists” around Latin America. His role in the CIA led him to feel he was the “Cold War equivalent of a Jesuit priest”; however, today his view of the agency, especially its alleged involvement in Iran, is highly critical.

“The president [Barack Obama] would have signed an authorisation for covert action [in Iran] but there are also rumours that the CIA is out of control on the drone program and it might be out of control in other areas,” he says. “Israel has had much too much influence on the US government, often using lies, agents of influence including dual US – Israeli citizens in top policy positions with top secret clearances, and false flag operations. Israel is paranoid and out of control. It wants nothing more than to get the US to do to Iran what Iran got the US to do to Iraq.”

Steele believes allegations of UK and US involvement in assassination plots are “absolutely credible.” He does not deny Iran could be developing a military nuclear programme, but he questions how much of a threat it poses.

“It does not justify the actions that Israel and the west are taking,” he says. “On this issue I believe that Brazil, Turkey, China, and Russia are vastly more intelligent, and have more integrity, than the US government.”

Regardless of whether the nuclear threat posed by Iran is realistic, the situation continues to move in the direction of a military standoff. Last week, just hours after protesters angry about the assassinations and economic sanctions stormed the British Embassy in Tehran, foreign secretary William Hague shut down Iran’s London embassy. “We will discuss these events and further action which needs to be taken in the light of Iran's continued pursuit of a nuclear weapons programme," he said.

Ahmadinejad has since responded by saying he is open to negotiations with the international community over Iran’s nuclear programme. But the country’s supreme leader, 72-year-old Ali Khamenei, who holds ultimate control over Iran and its military ambitions, has remained at all times defiant, casting a worrying cloud of uncertainty over the future.

“Iran has stood up against the will of the biggest arrogant and colonialist powers alone and shattered their resolve," Khamenei said in a statement. “With the awakening of different nations, the puppets of the arrogant powers will leave the scene one after the other and the glory and power of Islam will increase on a daily basis."


This article first appeared in issue no.905 of The Big Issue in the North.

Inside LulzSec

Saturday, 25 June 2011


It was a tight-knit and enigmatic group finding its feet in the febrile world of hacker collectives, where exposing and embarrassing your targets is just as important as protecting your own identity.

But leaked logs from LulzSec's private chatroom – seen, and published today, by the Guardian – provide for the first time a unique, fly-on-the-wall insight into a team of audacious young hackers whose inner workings have until now remained opaque.

LulzSec is not, despite its braggadocio, a large – or even coherent – organisation. The logs reveal how one hacker known as "Sabu", believed to be a 30-year-old security consultant, effectively controls the group of between six and eight people, keeping the others in line and warning them not to discuss what they have done with others; another, "Kayla", provides a large botnet – networks of infected computers controlled remotely – to bring down targeted websites with distributed denial of service (DDoS) attacks; while a third, "Topiary", manages the public image, including the LulzSec Twitter feed.

They turn out to be obsessed with their coverage in the media, especially in physical newspapers, sharing pictures of coverage they have received in the Wall Street Journal and other papers. They also engineered a misinformation campaign to make people think they are a US-government sponsored team.

They also express their enmity towards a rival called The Jester – an ex-US military hacker who usually attacks jihadist sites, but has become embroiled in a dispute with Anonymous, WikiLeaks and LulzSec over the leaked diplomatic cables and, more recently, LulzSec's attacks on US government websites, including those of the CIA and the US Senate.

In a further sign that the spotlight is beginning to engulf LulzSec, a lone-wolf hacker managed to temporarily cripple the group's website on Friday morning. Originally thought to be the work of The Jester, an activist, known as Oneiroi, later claimed responsibility for the attack but did not provide an explanation.

The group's ambitions went too far for some of its members: when the group hit an FBI-affiliated site on 3 June, two lost their nerve and quit, fearing reprisals from the US government. After revealing that the two, "recursion" and "devrandom" have quit, saying they were "not up for the heat", Sabu tells the remaining members: "You realise we smacked the FBI today. This means everyone in here must remain extremely secure."

Another member, "storm", then asks worriedly: "Sabu, did you wipe the PBS bd [board] logs?", referring to an attack by LulzSec on PBS on 29 May, when they planted a fake story that the dead rapper Tupac Shakur was alive. If traces remained there of the hackers' identities, that could lead the FBI to them.

"Yes," Sabu says. "All PBS logs are clean." Storm replies: "Then I'm game for some more." Sabu says: "We're good. We got a good team here."

Documenting a crucial five-day period in the group's early development from 31 May to 4 June, the logs – whose authenticity has been separately confirmed through comments made online by LulzSec's members – are believed to have been posted online by a former affiliate named "m_nerva". They contain detailed conversations between the group, who have in recent weeks perpetrated a series of audacious attacks on a range of high-profile targets, including Sony, the CIA, the US Senate, and the UK's Serious Organised Crime Agency (SOCA).

LulzSec threatened m_nerva on Tuesday in a tweet saying "Remember this tweet, m_nerva, for I know you'll read it: your cold jail cell will be haunted with our endless laughter. Game over, child." As an explanation, they said: "They leaked logs, we owned them [took over their computer], one of them literally started crying for mercy". The leaked logs are the ones seen by the Guardian.

The conversations confirm that LulzSec has links with – but is distinct from – the notorious hacker group Anonymous. Sabu, a knowledgeable hacker, emerges as a commanding figure who issues orders to the small, tight-knit team with striking authority.

Despite directing the LulzSec operation, Sabu does not appear to engage in the group's public activity, and warns others to be careful who and how they talk outside their private chatroom. "The people on [popular hacker site] 2600 are not your friends," Sabu warns them on 2 June. "95% are there to social engineer [trick] you, to analyse how you talk. I am just reminding you. Don't go off and befriend any of them."

But keeping their exploits and identities secret proves difficult: Kayla is accused of giving some stolen Amazon voucher codes to someone outside the group, which could lead back to one of their hacks. "If he's talking publicly, Kayla will talk to him," Sabu comments, bluntly.

Topiary, who manages the public image of LulzSec – which centres around its popular Twitter feed, with almost 260,000 followers – also acted previously as a spokesman for Anonymous, once going head-to-head in a live video with Shirley Phelps-Roper of the controversial Westboro Baptist Church, during which he hacked into the church's website mid-interview.

His creative use of language and sharp sense of humour earns praise from his fellow hackers in the chat logs, who tell him he should "write a fucking book". On one occasion, after a successful DDoS attack brings down a targeted web server, Topiary responds in characteristic fashion to the hacker responsible, Storm: "You're like our resident sniper sitting in the crow's nest with a goddamn deck-shattering electricity blast," he writes. "Enemy ships being riddled with holes."

But while LulzSec has a jovial exterior, and proclaims that its purpose is to hack "for the lulz" (internet slang for laughs and giggles), Sabu is unremittingly serious. Domineering and at times almost parental, he frequently reminds the other hackers of the dangers of being tracked by the authorities, who the logs reveal are often hot on their heels.

During one exchange, a hacker named Neuron starts an IAmA (Q and A) session for LulzSec on the website Reddit for "funzies" and to engage with the public. This immediately raises the ire of Sabu, who puts an angry and abrupt halt to it.

"You guys started an IAmA on reddit?" Sabu asks in disbelief. "I will go to your homes and kill you. If you really started an IAmA bro, you really don't understand what we are about here. I thought all this stuff was common knowledge ... no more public apperances [sic] without us organizing it."

He adds: "If you are not familiar with these hostile environments, don't partake in it."

The logs also reveal that the group began a campaign of disinformation around LulzSec. Their goal was to convince – and confuse – internet users into believing a conspiracy theory: that LulzSec is in fact a crack team of CIA agents working to expose the insecurities of the web, headed by Adrian Lamo, the hacker who reported the alleged WikiLeaks whistleblower Bradley Manning to the authorities.

"You guys are claiming that LulzSec is a CIA op ... that Anonymous is working to uncover LulzSec ... that Adrian Lamo is at the head of it all ... and people actually BELIEVE this shit?" writes joepie91, another member. "You just tell some bullshit story and people fill in the rest for you."

"I know, it's brilliant," replies Topiary. The attempts did pay off, with some bloggers passing comments such as: "I hypothesize that this is a government 'red team' or 'red cell' operation, aimed at building support for government intervention into internet security from both the public and private sectors."

The group monitors news reports closely, and appears to enjoy – even thrive – on the publicity its actions bring. But the logs show that the members are frustrated by the efforts of a self-professed "patriot-hacker" known as the Jester (or th3j35t3r), whose name is pejoratively referenced throughout.

The Jester is purportedly an ex-US military hacker, and was responsible for high-profile attacks on WikiLeaks prior to the release of US diplomatic cables in November. In recent weeks he has made LulzSec his principal target, describing them as "common bullies". Topiary in turn dismisses The Jester as a "pompous elitism-fuelling blogger" – but the group is always worried that The Jester or his associates are trying to track them down.

The Jester claims LulzSec are motivated by money and points to allegations that the group tried to extort money from Unveillance, a data security company. Similar accusations have been made against LulzSec by two other groups, "Web Ninjas" and "TeaMp0isoN_". Web Ninjas say they want to see LulzSec "behind bars" for committing "insane acts ... in the name of publicity or financial gain or anti-govt agenda".

The logs do not reveal any discussion of extortion between the LulzSec inner circle; nor do they indicate any underlying political motivations for the attacks. But amid the often tense atmosphere depicted in the logs the hackers do occasionally find time to talk politics.

"One of these days we will have tanks on our homes," writes trollpoll, shortly after it emerged the US government was reclassifying hacking as a possible act of war. "Yea, no shit," responds Storm.

"Corporations should realize the internet isn't theirs," adds joepie91. "And I don't mean the physical tubes, but the actual internet ... the community, idea, concept."

"Yes, the utopia is to create a new internet," says trollpoll. "Corporation free."

On Monday 20 June, Sabu's worst fears may have been confirmed when a 19-year-old named Ryan Cleary was arrested in Wickford, Essex and later charged with a cyber attack in connection with a joint Scotland Yard and FBI probe into a hacking group believed to be LulzSec.

Metropolitan Police Commissioner Sir Paul Stephenson described the arrest as "very significant", though LulzSec itself was quick to claim Cleary was not a member of the group and had only allowed it to host "legitimate chatrooms" on his server.

"Clearly the UK police are so desperate to catch us that they've gone and arrested someone who is, at best, mildly associated with us," the group tweeted.

An individual named "Ryan" is occasionally referenced by the hackers in the logs, though he himself does not feature and appears to have only a loose association with the group.

Scotland Yard confirmed on Thursday that it was continuing to work with "a range of agencies" as part of an "ongoing investigation into network intrusions and distributed denial of service attacks against a number of international business and intelligence agencies by what is believed to be the same hacking group".

In response to the leaked logs, LulzSec posted a statement on the website pastebin, claiming users named joepie91, Neuron, Storm and trollpoll were "not involved with LulzSec" and rather "just hang out with us".

They added: "Those logs are primarily from a channel called #pure-elite, which is /not/ the LulzSec core chatting channel. #pure-elite is where we gather potential backup/subcrew research and development battle fleet members – ie, we were using that channel only to recruit talent for side-operations."

The group has vowed to continue its actions undeterred. But they now face a determined pincer movement from the FBI, UK police, and other hackers – including The Jester, who has been relentless in his pursuit of them for more than a fortnight. If its members' real identities are revealed, LulzSec may vanish as quickly as it rose to prominence.


This article originally appeared at: http://www.guardian.co.uk/technology/2011/jun/24/inside-lulzsec-chatroom-logs-hackers

Read the full chat logs here: http://www.guardian.co.uk/technology/2011/jun/24/lulzsec-irc-leak-the-full-record

Follow up coverage: New York Times, ZDNet, The Age, Yahoo, Maximum PC, Salon, Thinq, the Register, Washington Post, BGR.