
The Jorge Team: Hacks, Bots and Blackmail for Election Manipulation

Warning! This is an automatic translation from Bulgarian. The translation has not been checked by the editor desk and may be inaccurate or ambiguous. The publisher endorses only the Bulgarian version of the article.

Undercover reporters recorded a group of secret cyber influence specialists as they presented their services. These include using disinformation campaigns, fake intelligence, hacks and extortion to promote the interests of their clients. The group, which calls itself Team Jorge, claims to have worked on dozens of presidential elections around the world. Its services sell for millions of dollars.

The Israel-based secret group uses advanced hacking technologies as well as the AIMS tool to create fake accounts and distribute fake content, including content generated with artificial intelligence. The experts of the Story Killers project and the Bulgarian partner BIRD.BG also found a Bulgarian connection that is still being studied. What is known so far:

  • Reporters were able to verify Team Jorge’s claims of access to the messaging accounts of important political targets and of deploying social media campaigns orchestrated through fake accounts.
  • The Jorge team appears to have interfered in last year’s Kenyan presidential election, which was hit by a disinformation campaign.
  • The secret group includes people with experience in Israeli security services.

“This is our experience… to harm the logistics of the opponents, to intimidate them, to create such an atmosphere that no one goes to the elections,” a member of Team Jorge said in July 2022 in a video chat with reporters. The undercover investigation is the work of journalists Gur Megiddo (TheMarker), Frédéric Métezeau (Radio France) and Omer Benjacob (Haaretz). They are part of the investigation, called Story Killers, coordinated by Forbidden Stories and involving more than 100 journalists from 30 media organizations, including OCCRP. Forbidden Stories is an international consortium of investigative journalists who pursue the work of journalists who have been killed or work under threat. BIRD.BG is the Bulgarian partner in the project.

$15 million for a presidential campaign

In several calls and one face-to-face meeting, team members – led by a man calling himself “Jorge” – described “intelligence and influence” services they said they could provide for their clients. They say they have worked on “33 campaigns at the presidential level” – 27 of them “successful”. Their tactics include hacking, falsifying extortion material, spreading misinformation, deploying false information, physically interrupting elections, and deploying targeted social media campaigns. Reporters were able to confirm that some of these tactics were used. The Jorge team appears to have gained unauthorized access to Telegram and Gmail accounts of high-ranking government officials and deployed botnet campaigns on social media. Evidence reviewed by reporters suggests that the group interfered in at least two presidential elections.

“Jorge” – Tal Hanan
The current price for a presidential campaign was 15 million euros, “Jorge” told the undercover reporters, who presented themselves as intermediaries for a future African client. For this short-term work – with only two months available – the Jorge team asked for a minimum of 6 million euros. Reporters were told the money could be easily transferred through covert means, possibly with the help of a French NGO, a Dubai law firm or Islamic schools. “We like to be behind the scenes and that’s part of our strength — the other side doesn’t understand that we exist,” Jorge said. His nickname is a Spanish name that did not match his accent. This is part of the legend – an attempt to conceal his identity and location. The desktop of the computer he used in the presentation jumps between time zones and displays a traffic camera feed in Lithuania. His contact numbers cover the whole world: Indonesia, Ukraine, the United States and Israel. Reporters eventually discovered that his real name was Tal Hanan, a self-described counterterrorism expert who was cited in the media as a cybersecurity specialist. Hanan denied any wrongdoing, but did not answer detailed questions.

Hacking Kenya

During one of the recorded presentations on Zoom, Tal Hanan showed a screen with a Telegram account and clicked through the contacts and private chats of Kenyan political adviser Dennis Itumbi. This live demonstration took place at the end of July 2022, at a critical moment in Kenya’s presidential election campaign. Itumbi was the digital strategist of William Ruto, vice president of the East African nation at the time, who would be elected president within weeks. Local media described Itumbi as Ruto’s “right hand”. Hanan showed proof not only that he could read Itumbi’s private chats and files — including an internal survey related to the upcoming election — but that he could even pose as Itumbi by sending messages from his account. Hanan began a conversation from Itumbi’s account with a prominent Kenyan businessman and sent a text that simply read: “11.” This message was meaningless; its only purpose was to demonstrate his ability to control the account. But the Jorge Team claims to have sent falsified messages to military commanders and government ministers, all in an attempt to influence events and wreak havoc among high-level targets. “I’ll usually wait for him to see it and then delete it. Why? Because I want to create confusion,” Hanan said. In the case of the Itumbi demonstration, Hanan accidentally deleted the text message only for the sender. Subsequently, reporters had the opportunity to contact the businessman who received it and confirm that the mysterious message was indeed sent.

The services of Team Jorge, according to Haaretz
Kenyan elections are just one example. In their investigation, Haaretz journalists identified attacks on elections in Mexico, Ecuador, Nigeria and Catalonia, as well as disinformation interventions by accounts associated with Team Jorge in France, the UK, Canada, Morocco, Mongolia, Indonesia, Sri Lanka and other countries.

Breaking into communications

“I know that in some countries they believe that Telegram is very safe,” Hanan said in the Zoom demonstration. “So, behold, I will show you how safe it is… So this is also a minister of some country, I can go [and] I can check all his calls.” Hanan also showed the Gmail account of Mozambique’s agriculture minister, Celso Correa, who confirmed to reporters that the email address and content appeared to be his. During the presentation, the folders from the minister’s personal Google Drive were also visible. Crucial for hacking email accounts and messaging services such as Telegram is SS7 (Signaling System 7)*, an international standard “protocol” for mobile phone communications, which is meant to ensure that a call or SMS sent by one user is delivered to the correct number of the intended recipient. It was introduced in the 80s, in the early days of digital security and encryption, so it contains flaws that can allow third parties to impersonate a specific user and receive their messages and calls. This is what Hanan claims his team can do. He told undercover reporters that Team “Jorge” went directly to a telecommunications service provider in the country where they worked and installed a physical device that allowed his team to insert fake commands through SS7 into the system. This tricks the telecom operator into sending an SMS to authenticate the fake target account, allowing Team Jorge to read their target’s messages and even send messages. Although the loopholes are common knowledge and most telecommunications service providers have put countermeasures in place, some operators still maintain vulnerable networks.

Nothing in Israel, nothing against Mr. Putin, and careful in the U.S.

Jorge’s team said two-thirds of the presidential campaigns they have been involved in have been in Africa, but their advertising materials also include countries in Europe, Latin America, Southeast Asia and the Caribbean. Hanan’s brother, Zohar, said at a meeting in December that there were only three tasks that Team Jorge would not take: Nothing in Israel (“We don’t want to poop where we sleep.”); no U.S. politics at the party level (they claim to have declined an invitation to help elect former U.S. President Donald Trump); and “nothing against Mr. Putin”.

Zohar Hanan, the brother of Tal Hanan, also known as “Nick” in Team Jorge.
During demonstrations in front of undercover reporters, Tal Hanan was eager to show off the technical tools his team uses to help customers. As part of their sales video, “Intelligence on Demand”, he showed an article with headlines from Nigeria that described attacks on opposition phone lines. These attacks overload the telephone network. “We want some people to be silenced, we want some people to have miscommunication,” he said during a call in which he called Election Day “D-Day.” “So we have the capacity on D-Day to defuse hundreds of phones… a specific chief of police or people from the army who are not in our favor. All phones will stop working.” Hanan also claims to have used similar tactics against computer networks. “We can remove websites, anything with IP, servers. If they have their own servers, apps, sometimes two, three news agencies – we can disable them,” he boasted. The capabilities described by Hanan resemble “distributed denial-of-service” or DDoS attacks. These attacks typically involve overloading a target’s systems by flooding them with requests, forcing them to produce a “denial of service” response to legitimate requests. He showed headlines about a similar attack during the 2014 referendum in Catalonia. Spanish investigators told OCCRP they had no evidence of Hanan’s involvement, but said it was plausible.
Credit: Screenshot of a presentation from an undercover recording
Team Jorge’s presentation showing a DDOS attack in the 2014 referendum

AIMS: The Influence Platform

Team Jorge’s technology toolkit also includes an “influence platform” called Advanced Impact Media Solutions, or AIMS, which Hanan claims to have sold to the intelligence services of more than 10 countries. The AIMS software is designed to create compelling avatars for social media campaigns. Avatars or bots use stolen photos of real people, work on any social media platform, and can be linked to functioning Amazon and Bitcoin accounts. They also seem to have a longstanding presence online, including Gmail accounts and banal comments on celebrity videos on YouTube, to give investigators the impression that they are real people. “We imitate human behavior,” Hanan told undercover reporters. Most online accounts require phone number and email address verification to prevent bots like those implemented by AIMS. But there are websites created specifically to offer one-time SMS confirmation services for 50 cents or less. Many accounts — such as Gmail and WhatsApp — can be registered with “verified” phone numbers. The Jorge team appears to be using a service called SMSpva.com to verify phone numbers. SMSpva.com did not respond to a request for comment.

Shannon Aiken’s AIMS profile
Credit: Screenshot of a presentation from an undercover recording. Shannon Aiken’s profile in AIMS: her data is fake, but the image was stolen from a real person.

Residential proxies – the fuel of disinformation

AIMS also relies on residential proxies that route internet traffic from bots through people’s homes so that it looks authentic. This makes it difficult for social media platforms to identify a coordinated disinformation campaign. As one expert who consulted the Story Killers project emphasized, residential proxies are “absolutely necessary” in the disinformation industry because they allow for the creation of hard-to-detect bots and can simulate activity from a specific region. This is difficult to prevent because IP addresses used by residential proxies are usually also used by real people. Specifically, participants in a disinformation campaign could buy residential proxies and use them to create fake accounts en masse that appear to be linked to real accounts because they use real IP addresses. In the data presented by Team Jorge, the project experts and the Bulgarian partner BIRD.BG found links to sites based in Bulgaria. They are still being studied for a separate publication. Analysis by reporting partners Le Monde and the Guardian identified groups of avatars, including those seen in Hanan’s presentations, that appear to have been used for coordinated Twitter campaigns. Reporters found more than 1,700 Twitter accounts linked to 21 AIMS-related campaigns, whose networks produced tens of thousands of tweets. At a December face-to-face meeting with undercover reporters, Team “Jorge” showed off a new AIMS capability: artificial intelligence tools to generate fake news using certain keywords, tone, and topic. “One operator can have about 300 profiles,” Zohar Hanan said during the demonstration. “So within two hours, the whole country will start relaying the message, the narrative that I want.”

Avatars for a businessman close to Lukashenko

An avatar campaign seen on Team Jorge’s computer during the commercial presentation of services was found to promote the activities of Alexander Zingman, a businessman close to authoritarian Belarusian President Alexander Lukashenko. In March 2021, Zingman was arrested in the Democratic Republic of Congo for alleged arms trafficking, but was later released. In October of that year, OCCRP revealed how Zingman and another friend of the Belarusian president had used shell companies to hide a lucrative gold mining deal with Zimbabwe’s state mining company. The previous year, AIMS avatars promoted favorable stories about Zingman and his business in a coherent and automated campaign. Some were used to draw attention to his rival Vitaly Fishman. Journalists identified 35 more avatars linked to the Jorge Team through a defamation lawsuit in the U.S., which Fishman won. Zingman’s lawyer said his client had never worked with companies involved in disinformation campaigns, and in fact he himself had been a victim of a similar scheme.

It’s not PR, it’s intelligence.

Tal Hanan served in the Israeli special forces as an explosives expert, according to his online biography. He is listed as the CEO of at least two Israeli companies, Tal Sol Energy and Demoman International Ltd., an intelligence firm listed on the Israeli Defense Ministry’s website.

Jorge’s office in Israel, visited by undercover journalists. Photo ZDF
Hanan pointed out that he organized lobbying operations in the United States, although he did not register as a “foreign agent” as required by law. He said he worked through consultants and companies already registered and told reporters that he had recently set up a public relations firm called Axiomatics to advertise the Jorge Team with “existing lobby groups.” In the years following the September 2001 attacks on the World Trade Center in New York, Hanan positioned himself as a counterterrorism expert. He claimed to have trained law enforcement, including U.S. federal agencies, according to an archived page from his now-defunct website, suicide-terrorism.com. In 2010, Hanan was cited in The Jerusalem Post as a cybersecurity expert, commenting on the possibilities of hacking. During conversations with undercover reporters, the Jorge Team went deep into the technology they said the group was using to influence elections. They added that they have six offices and employ at least 100 people, stressing that they draw on colleagues with intelligence experience. This positions Jorge’s activities far beyond the realm of public relations strategies typically implemented during elections. “It’s more than anything intelligence work. This is not PR work. This is intelligence work,” Hanan stressed.

OCCRP and BIRD.BG team

Cover illustration: OCCRP

Forbidden Stories Media Partners for the Story Killers investigation: The Guardian and Observer, Le Monde, The Washington Post, Der Spiegel, ZDF, Paper Trail Media, Die Zeit, Radio France, Proceso, OCCRP, Knack, Le Soir, Haaretz, The Marker, El País, Sveriges Television, Radio Télévision Suisse, Folha, Confluence Media, IRPI, IStories, Armando Info, Code for Africa, Bird, Tempo Media Group, El Espectador, Der Standard, Tamedia, Krik.

The Story Killers project was published in collaboration with the International Center for Journalists’ (ICFJ) Online Violence Project, a partnership between ICFJ Research and computer scientists at the University of Sheffield. The ICFJ team provided its expertise and computing power to the partners from Story Killers.

*A large Israeli company that specializes in SS7 hacking and remote phone tapping is based in Bulgaria. It is called Circles and is part of the infamous NSO Group, which produces the Pegasus software. Despite the signals to the institutions that such technology is potentially dangerous and harmful, DANS did nothing to limit the activities of Circles even after the Pegasus scandal.


About the author

Bureau for Investigative Reporting and Data
