Posted by & filed under AmanTech, Spy Watch.


Bahrain Watch recently released a report (The IP Spy Files) looking at how Bahrain’s Government apparently identified anonymous Twitter and Facebook users by sending them malicious links from a network of fake accounts.  During our investigations leading up to and following the report, a number of accounts were shut down (i.e., deactivated or suspended) by their operators, or by Twitter.  These account shutdowns occurred after the account names became public, or we reported the accounts for Terms of Service violations.  It is interesting to observe what happens when an account is shut down, because it can reveal information about linked accounts:

  • When a Facebook account is deactivated, all pages for which that account is the sole administrator are also deactivated by default.
  • In several cases where we reported an IP spy account to Twitter, it was suspended along with a few other IP spy accounts which we did not report.  We interpreted this to mean that Twitter was suspending accounts that were associated with the same entity (e.g., IP address, e-mail account, etc.) as the account we reported.

In this post, we look into some accounts that were shut down around the same time as IP spy accounts that we linked to the Government.  In all cases, we noticed that the suspended or deactivated accounts solicited support from IP spy targets, or were promoted by IP spy accounts.  The suspended or suspended accounts that we were able to identify all appear to be “extremist” in nature, i.e., accounts that explicitly advocate violence, or urge their followers to achieve a cause by “any means.”  Of course, we do not have access to information about the reason for the account shutdowns, so we do not conclusively find that the Government operated these accounts.  However, the evidence we present is suggestive of a Government connection.  If the Government did indeed run these accounts, this would raise serious questions about to what extent the Government is inciting its supporters — and the opposition — to violence.

 

Rebel Coalition

The “Rebel Coalition” was an ostensibly anti-government Facebook page and Twitter account (@rebel_coalition) that encouraged Bahrainis to “revolt against the regime” on 14 August 2013, the same day that the opposition is planning to hold mass protests.  The Rebel Coalition encouraged its followers to pursue the fall of the regime “using any means.”

rebelcoalition

IP spy Facebook account Amalalshareeef liked at least seven posts on the Rebel Coalition’s Facebook page.  IP spy Facebook account red.sky.446 shared at least four posts from Rebel Coalition’s Facebook page on his profile.

We also received the following image from the Facebook account linked to @muharraq_news, a media account that posts the latest news from the island of Muharraq.  The image shows that IP spy account Amalalshareeef sent @muharraq_news two IP spy links, as well as a link to the page of the Rebel Coalition.

amal-muharraq

We noticed that the Rebel Coalition’s Facebook page was disabled around the same time as the Amalalshareeef and red.sky.446 accounts were apparently disabled by their operators.

We believe that the Government may have run the Rebel Coalition, because:

  • IP spy accounts Amalalshareeef and red.sky.446 heavily promoted the Facebook page by liking and sharing its posts, both publicly and privately
  • The Facebook page was disabled around the same time as the IP spy accounts Amalalshareeef and red.sky.446 were apparently disabled by their operators

 

Tamarrod Al-Fateh

“Tamarrod Al-Fateh” was an ostensibly pro-Government Facebook page and Twitter account (@TamarrodAlfateh) that encouraged Bahrainis to “revolt against the [opposition] terrorists” on 14 August 2013, the same day that the opposition is planning to hold mass protests.  The Twitter account solicited support from an array of pro-Government accounts that had been favorite IP spy targets in the past (e.g., @mnarfezhom, @Malshurouki, @fatoooma92, @Dr_manber, @gulf_alkarar, @Boammar, @Deertybhr).  The account Tweeted messages to its followers such as: “we were wrong to let the security forces alone handle February 14; we will not repeat this.”

tamarrodalfateh

We noticed that Tamarrod Al-Fateh’s Facebook page was disabled around the same time as Facebook IP spy accounts Amalalshareeef and red.sky.446 were apparently disabled by their operators.

We had previously noted that IP spy account @QamrAlKhalifa had retweeted 14 out of the 30 Tweets sent by the Twitter account @TamarrodAlfateh.

We believe that the Government may have run Tamarrod Al-Fateh, because:

  • Many of the accounts that @TamarrodAlfateh solicited support from were favorite IP spy targets
  • IP spy account @QamrAlKhalifa heavily promoted the Twitter account by retweeting its Tweets
  • The Facebook page was disabled around the same time as the IP spy accounts Amalalshareeef and red.sky.446 were apparently disabled by their operators

 

Popular Resistance Brigades (@resistenceBhr)

During our investigations leading up to our IP spy report, we saw that IP spy Twitter accounts with a large number of followers were sending malicious links via Direct Message.  We began to report these accounts to Twitter for violation of their Terms of Service, which state:

You may not publish or link to malicious content intended to damage or disrupt another user’s browser or computer or to compromise a user’s privacy. 

Around the time that Twitter suspended an IP spy account that we reported, we noticed that the @resistenceBhr account had been suspended.  This account purported to be the official Twitter of the Popular Resistance Brigades, a Facebook page that has claimed responsibility for bombings and attacks around Bahrain.  There seem to be at least six individuals in custody in relation to claimed or planned operations identical to those described by the Popular Resistance Brigades (e.g., a plan to disrupt Bahrain Airport by flying hot air balloons, and bombings of ATM machines).

We had previously noticed the following suspicious characteristics of this Twitter account:

  • The Twitter account was established in February 2013, whereas the Facebook page was established in April 2012
  • The Facebook page never referenced the Twitter account, and the two accounts were not linked
  • Early tweets from @resistenceBhr were retweeted by a number of IP spy accounts:
    • @RedSky446 retweeted ten tweets from @resistenceBhr from 21 Feb to 12 April
    • @ba7raaania retweeted nine tweets from @resistenceBhr from 21 Feb to 1 Mar
  • Tweets from @resistenceBhr mentioned IP spy targets, as shown below
resistence-fake

Regarding the accounts mentioned in the Tweets:

  • At the time these Tweets were sent, @RedSky446 was participating in the IP spy attack
  • An individual would be arrested about three weeks later for insulting the King using the @Abu_Haider Twitter account
  • @BrokenAngel077 had her account hacked by the Government two months prior, in December 2012
  • @Takrooz had been a regular IP spy target for some time

We believe that the Government may have run the Twitter account for the Popular Resistance Brigades, because:

  • IP spy accounts @RedSky446 and @ba7raaania heavily promoted the Twitter account by retweeting its Tweets
  • All of the accounts mentioned by @resistenceBhr were IP spy targets or accounts
  • The Twitter account was disabled around the same time as other IP spy Twitter accounts that we had reported to Twitter

Trackbacks/Pingbacks

  1.  Bahrain on the Brink | MarcOwenJones