Yesterday we received information from highly trusted comrades about some suspicious emails that they had received from a group calling itself ANTIFAIntel, asking for information about the recipient of the email, and soliciting any information that they had about fascists in their area. Immediately these emails triggered alarm bells for many recipients, many of whom are consistent targets of phishing campaigns run by fascists.
The email campaign had a number of hallmarks of a traditional phishing campaign, including the following:
1) The emails were sent, without any prior contact, to a large number of groups that are frequently targeted. In some cases there had been prior contact in the months leading up to this email blast, but those earlier emails were also considered suspicious by a number of the recipients we have spoken to.
2) The links in the emails pointed to a Dropbox account, and on at least one occasion this link tripped the browser-based anti-virus warnings of a trusted comrade. Even if this was a false positive, we cannot assume so without serious forensic analysis of the file conducted by experts in the field.
3) The Twitter account attached to this project had a number of characteristics of a sock puppet account. The groups mentioned in its description are incredibly well known, and similar to the groups cited in the descriptions of other sock puppet accounts uncovered in the past. The account did not seem to belong to a known comrade, but rather to someone who, at best, could only cite connections made on the internet. Finally, the account was new, yet seemingly involved in a project that would require local groups to expose information about themselves and their research products to this unknown person.
Given these circumstances a discussion was initiated between a large number of involved, vetted and trusted persons around this project, and it was decided that this had all of the hallmarks of a potentially malicious campaign. Out of an abundance of caution a Tweet was sent out warning others about the campaign for the following reasons:
1) We had come to understand that some recipients of the email had already opened the link and accessed the Dropbox. If it contained malicious content, as the AV warnings seemed to imply, then immediate warnings had to be issued. These warnings had to go out before a thorough forensic analysis of the file, because that sort of analysis takes time and waiting for it to finish could have made things worse.
2) We also came to understand that some had forwarded the message to other persons before really analyzing the potential risks involved, and we needed to get the word out to at least pause before opening and engaging with this project.
We've become aware of strange emails being sent from this brand new and unknown account. There is reason to believe that these emails may contain malicious content. Do not open these emails, click on links within them, or follow this account. Pass this message on. pic.twitter.com/dggbWqiMYn
— It's Going Down (@IGD_News) July 31, 2019
For some context, the procedures followed here are standard ones that any cyber-security practitioner would recommend to stop the bleeding from a potential phishing campaign: warn the people who are exposed first, then analyze. After the Tweet was released our concerns only deepened.
First we received a combative email from the maintainer of this Twitter account accusing us of passing along misinformation for simply recommending caution due to this email campaign having the basic characteristics of a phishing campaign. The email went on to cite the access to the Dropbox that was obtained by another organization, but even in this case the connection was not a significant trust relationship, and was only an online connection. This is a common tactic of sock puppet accounts; cite some tangential connection to a project as a way to try to build trust. There was at least one other instance in which this connection was cited as “proof” of legitimacy.
Secondly, we started receiving even more information from others who had received a number of emails over the past few months. In these messages ANTIFAIntel attempted to pass along information that was relatively easy to find online (another common tactic of sock puppet accounts is to build trust by passing off easy-to-find information as “secret”), and then invited these persons to become admins of the Dropbox account, a common tactic of those trying to gather information about others, build trust within networks and phish for information about the people who have been convinced to become admins.
After analysis of the file contained in the emails it seems that the file is clean and free of malware. This analysis involved running the file through sandboxes, analyzing its contents, unpacking the file to check for malicious content inserted into it (modern Office files are ZIP archives that can be unzipped to reveal their XML parts and any embedded binaries; the older .doc and .xls formats use a different container and need different tools), and checking for hidden macros. This analysis was conducted by experts in the field, across a variety of platforms and operating systems. Note that a clean file does not make the link harmless: whoever hosts a shared file can see who fetched it and when, and the file behind a link can be swapped for another at any time.
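As an added illustration of the unpacking step described above (this is the editor's example code, not the analysis the experts ran and not anything belonging to the project in question), the following Python script opens an Office Open XML file as the ZIP archive it is and flags what a first-pass triage looks for: a VBA macro part or macro-enabled content type, relationships that point at external targets, and embedded objects. The sample documents it builds are constructed in memory for demonstration, and the example.invalid URL is a placeholder. A positive finding means “look closer”; a clean result from this script alone is not proof of safety.

```python
import io
import re
import zipfile

# Names of parts that carry VBA macros inside an OOXML archive.
MACRO_PART_NAMES = ("vbaproject.bin", "vbadata.xml")
# Content types that mean "macro-enabled" even before looking at parts.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-office.vbaProject",
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)
# Folders that hold embedded OLE objects (another classic payload carrier).
EMBEDDED_PREFIXES = ("word/embeddings/", "xl/embeddings/", "ppt/embeddings/")

REL_RE = re.compile(r"<Relationship\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def triage_ooxml(data: bytes) -> dict:
    """Unzip an OOXML document in memory and list macro, external-link and
    embedded-object indicators.  Nothing inside the file is executed."""
    findings = {
        "is_zip": True,
        "parts": [],
        "macro_parts": [],
        "macro_content_types": [],
        "external_targets": [],
        "embedded_objects": [],
    }
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy .doc/.xls (OLE2) or a non-Office file: a different parser is needed.
        findings["is_zip"] = False
        findings["has_macros"] = False
        return findings
    with archive:
        for name in archive.namelist():
            findings["parts"].append(name)
            lower = name.lower()
            if lower.rsplit("/", 1)[-1] in MACRO_PART_NAMES:
                findings["macro_parts"].append(name)
            if lower.startswith(EMBEDDED_PREFIXES):
                findings["embedded_objects"].append(name)
            if lower.endswith(".rels"):
                # Relationship files declare every link a part makes; TargetMode="External"
                # means the target lives outside the archive (a URL, a remote template, ...).
                xml = archive.read(name).decode("utf-8", "replace")
                for match in REL_RE.finditer(xml):
                    attrs = dict(ATTR_RE.findall(match.group(1)))
                    if attrs.get("TargetMode", "").lower() == "external":
                        findings["external_targets"].append(attrs.get("Target", ""))
        if "[Content_Types].xml" in findings["parts"]:
            content_types = archive.read("[Content_Types].xml").decode("utf-8", "replace")
            findings["macro_content_types"] = [t for t in MACRO_CONTENT_TYPES if t in content_types]
    findings["has_macros"] = bool(findings["macro_parts"] or findings["macro_content_types"])
    return findings


def build_sample(with_macro: bool, external_url=None) -> bytes:
    """Constructed minimal docx-like archive for demonstration only (not a real document)."""
    rels = ['<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
    if external_url:
        rels.append(
            '<Relationship Id="rId9" Target="%s" TargetMode="External" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"/>'
            % external_url
        )
    rels.append("</Relationships>")
    types = ['<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">']
    if with_macro:
        types.append('<Override PartName="/word/vbaProject.bin" '
                     'ContentType="application/vnd.ms-office.vbaProject"/>')
    types.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "".join(types))
        archive.writestr("word/document.xml", "<w:document/>")
        archive.writestr("word/_rels/document.xml.rels", "".join(rels))
        if with_macro:
            # Placeholder bytes standing in for a real OLE2 macro container.
            archive.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder macro container")
    return buf.getvalue()


if __name__ == "__main__":
    samples = (("clean", build_sample(False)),
               ("macro+link", build_sample(True, "https://files.example.invalid/s/placeholder")))
    for label, blob in samples:
        result = triage_ooxml(blob)
        print(label, "has_macros:", result["has_macros"],
              "external:", result["external_targets"], "macro parts:", result["macro_parts"])
```

Run it against a real file with `triage_ooxml(open(path, "rb").read())`. The script deliberately stops at listing indicators; anything it flags should go to a sandbox and to someone who can read the macro or the embedded object, which is the part of the analysis described above that a script cannot replace.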
There are still a wide variety of issues with this project and their approach, and we recommend extreme caution for the following reasons.
1) This is an unvetted project/person who is asking for extremely sensitive information. In any circumstance, regardless of the maliciousness of intent, we should not be sharing sensitive information except with trusted persons that we know well; and that means knowing someone in person, and not just over the internet. Any project attempting to gather this sort of information should be looked upon with suspicion, and only extreme vetting of the project/person should be sufficient to allay these concerns.
2) The tactics deployed by this project (mass emailing, soliciting sensitive information, hosting information on third-party platforms that are known to collaborate with the state) all have the hallmarks of a potentially malicious campaign. This is not hyperbole; we have literally seen these same tactics deployed time and time again by both the state and the far right. Again, extreme caution is the key here, and only extreme vetting can allay these concerns.
3) The response to caution (namely us warning people about warning signs we have seen and heard about) was entirely unacceptable. To try to divide people against each other, and to send combative emails to well known projects indicates, at best, a serious immaturity, and at worst troll behavior. It is absolutely critical that we exercise caution, and assume the worst until we have indications otherwise. To advise caution, and to discuss serious, verified, warning signs, is not only acceptable, it is ABSOLUTELY NECESSARY in the situation that we find ourselves in at the present moment. Remember, we are targets for both far right violence and state repression, and if something starts to smell funny, it is important to point that out.
If you are involved in a project that others raise concerns about it is important to not get defensive, start to try to grasp at straws and become combative; these are all concerning behaviors in themselves. To address these concerns one needs to actually put in work, get to know others and build trust. Until that point, there is no reason for many of us to trust you.
4) The operational security involved in this project is absolutely abysmal. Firstly, to host this information on Dropbox, or any third-party service, is a significant security risk. These services can and do collaborate with the state, and have turned over IP logs for exactly these sorts of files in the past. This is reckless and indicates a significant misunderstanding of information control and security.
Secondly, to even attempt, as an unvetted, untrusted person or project, to collect this information in the first place is highly problematic. This information is sensitive, and can have significant consequences if released in uncontrolled ways. Gathering it involves research techniques that should not be revealed. The holders of this information are at risk, and should not be exposed, or expose themselves, to others without extreme vetting. In emails we have seen, the project indicates that it takes security seriously and is open to suggestions. But, given what we have seen, there is not nearly enough expertise or experience among the project participants to warrant any trust in their skills or aptitude in information security.
Thirdly, sending mass emails to a large number of local collectives is always sketchy behavior unless you are a vetted, well-known person. Even ordinary event outreach done with images embedded in an email should raise concerns these days: images loaded from a remote server tell the sender who opened the message and when, and attachments and links are the usual carriers of malware. These concerns should be heightened any time an email contains an unverified link to an unverified file, images embedded in the body of the email, or attachments. These are all common vectors for infection through email, and the mass-email approach is common among malicious agents hunting for targets.
5) Releasing unverified information out into the world, to unknown others, is extremely reckless. Even if we assume the best here, and this is, as was stated in some messages we have seen since yesterday, an inexperienced person with good intentions, the very idea that one would gather and release unverified information to unknown others is incredibly dangerous.
Remember, this information has consequences, and these consequences should not be taken lightly. There has been a tendency amongst some of the newer participants within the anti-fascist scene to focus on doxxing others that they perceive to be Nazis, and in some circumstances this information is wrong. Incorrect information can lead to people losing their jobs, housing and friends, and that is a responsibility that we have to take into account. Even if information is correct and verified, uncontrolled release gives away too much about what we know and who we know it about, and can risk burning a number of other information gathering efforts, with clear and consistent goals, to the ground. Information is a tool, and should be approached as such, and that means always having a clear idea of why it is being gathered, for what purpose, and what the conditions of release, if any, are.
Further, when we release information we give the targets of this information gathering exercise an insight into our thinking, our understanding of their networks, and allow them to take counter-measures to make information more difficult to gather. By releasing everything in an uncontrolled way the likelihood that this information will leak to those we don’t want it to is extremely high, and that in itself can have significant consequences.
Beyond this, the project is not only gathering information on Nazis, as it claims, but also information about those submitting it, in the form of email addresses and local collective names, which are themselves sensitive information.
So, at the end of this entire saga we are left with three possibilities. It could be that this is a malicious campaign meant to gain insight into what information we have and who we have information about, and this could be done by any number of malicious agents, whether state aligned or not. It could be that this is part of some sort of state action, gathering information about anti-fascist groups and their information gathering practices, logging IPs and so on. Or, it could be that a new participant without much understanding of norms, operational security or information security practices has started a project that is ill-advised, but with good intentions.
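A companion to the email warning in point 4 above, as added editor's example code (not from the original post and not from any project mentioned here): it parses a raw email with Python's standard library and lists the things called out there, remote images, links whose visible text does not match their real destination, and attachments, plus a Reply-To that does not match the sender, which is where solicited replies actually end up. The message it analyzes is constructed inline with placeholder example.invalid addresses and URLs. It only parses; it never fetches an image, follows a link or opens an attachment, which is exactly the point: triage before engagement.

```python
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

IMG_SRC_RE = re.compile(r'<img\b[^>]*\bsrc="([^"]+)"', re.I)
ANCHOR_RE = re.compile(r'<a\b[^>]*\bhref="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def triage_email(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and list phishing indicators.
    Only parsing happens here: no image is fetched, no link followed, no attachment opened."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    reply_to = email.utils.parseaddr(msg.get("Reply-To", ""))[1]
    findings = {
        "from": sender,
        # Replies go to Reply-To when it is set; a mismatch with From is worth a look.
        "reply_to_differs": bool(reply_to) and reply_to != sender,
        "remote_images": [],
        "links": [],
        "attachments": [],
    }
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            findings["attachments"].append((part.get_filename(), part.get_content_type()))
        elif part.get_content_type() == "text/html":
            html = part.get_content()
            # Remote images beacon back the reader's IP and open time; inline cid: images do not.
            for src in IMG_SRC_RE.findall(html):
                if src.lower().startswith(("http://", "https://")):
                    findings["remote_images"].append(src)
            # Record each link with its visible text; text that looks like a URL but
            # differs from the real href is a classic phishing trick.
            for href, inner in ANCHOR_RE.findall(html):
                text = TAG_RE.sub("", inner).strip()
                findings["links"].append({
                    "href": href,
                    "text": text,
                    "text_is_misleading_url": text.lower().startswith("http") and text != href,
                })
    return findings


def build_sample_email() -> bytes:
    """Constructed sample message for demonstration; every address and URL is a placeholder."""
    msg = EmailMessage()
    msg["From"] = "Outreach <outreach@example.invalid>"
    msg["Reply-To"] = "collector@other.example.invalid"
    msg["To"] = "local-collective@example.invalid"
    msg["Subject"] = "Share what you know"
    msg.set_content("Plain-text fallback.")
    msg.add_alternative(
        "<html><body><p>Please add what you have to the shared folder.</p>"
        '<p><a href="https://files.example.invalid/s/abc123">https://docs.example.invalid/flyer</a></p>'
        '<img src="https://track.example.invalid/open.gif?id=42" width="1" height="1">'
        "</body></html>",
        subtype="html",
    )
    msg.add_attachment(
        b"PK\x03\x04 placeholder bytes, not a real document",
        maintype="application",
        subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
        filename="flyer.docx",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    report = triage_email(build_sample_email())
    for key, value in report.items():
        print(key, "->", value)
```

For a real message, save it from your mail client as a raw .eml file and pass `open(path, "rb").read()` to `triage_email`. Attachments it lists can then be handed to a document check like the one earlier on this page, still without opening them in Office.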
In any of these cases we all need to exercise extreme caution in relation to this project. At the present moment we will not vouch for this project, or encourage others to engage with them at all; and would in fact highly discourage any engagement. At best this is a poorly conceived project which is attempting to help but does not know how, and does not have the trust built yet to even approach something on this scale.
To the person or people involved in this project; if you are well intentioned then that’s great. But, when engaging in highly targeted communities it is critical to put in the hard work first. One needs to build trust, develop connections, foster friendships, go into action with others. It is not enough, and never can be, to get people that you don’t know to vouch for you because you know one another on the internet; if we have learned anything in the 20 years of online, and on the ground, anti-fascist work, nothing is as it appears, and you have no idea who you are actually talking to unless you have reason to be certain otherwise. For your own safety, and for the safety of those you claim to be trying to help, step back, reassess and get involved, for real, IRL, with a group in your area. And, please, before trying something like this again, think things through, engage in a threat assessment of not only yourselves but also your audience.
For some information on surveillance and surveillance self-defense we highly recommend the Surveillance Self-Defense Guide by the Electronic Frontier Foundation.
Above all we have to understand that we are under threat in a really significant way. We are being targeted by people that will inflict violence on us if they have the chance, whether these people are state agents or not. Over the past couple of months “antifa” has become the spectre of resistance in the US, and the favored target of the right wing, whether they hold office or not. We need to wake up to this new reality; everything needs to be suspect, everything needs to be approached with scrutiny.