
The Team Jorge: Hacks, Bots and Blackmail for Election Manipulation

Warning! This is an automatic translation from Bulgarian. The translation has not been checked by the editor desk and may be inaccurate or ambiguous. The publisher endorses only the Bulgarian version of the article.

Undercover reporters recorded a group of secret cyber influence specialists as they presented their services. These include using disinformation campaigns, fake intelligence, hacks and extortion to promote the interests of their clients. The group, which calls itself Team Jorge, claims to have worked on dozens of presidential elections around the world. Its services sell for millions of dollars.

The Israel-based secret group uses advanced hacking technologies as well as the AIMS tool to create fake accounts and distribute fake content, including content generated by artificial intelligence. The experts of the Story Killers project and the Bulgarian partner BIRD.BG also found a Bulgarian connection that is still being studied.

What is known so far:

  • Reporters were able to verify Team Jorge’s claims of access to the messaging accounts of important political targets and of deploying social media campaigns orchestrated through fake accounts.
  • The Jorge team appears to have interfered in last year’s Kenyan presidential election, which was hit by a disinformation campaign.
  • The secret group includes people with experience in Israeli security services.

“This is our experience… to damage opponents’ logistics, intimidate them, create such an atmosphere that no one goes to the polls,” a Team Jorge member said in July 2022 in a video chat with reporters.

The undercover investigation is the work of journalists from TheMarker and Radio France and of Omer Benjakob. It is part of the investigation called Story Killers, coordinated by Forbidden Stories and involving more than 100 journalists from 30 media organizations, including OCCRP. Forbidden Stories is an international consortium of investigative journalists who pursue the work of journalists who have been killed or work under threat. BIRD.BG is the Bulgarian partner in the project.

$15 million for a presidential campaign

In several calls and one face-to-face meeting, team members — led by a man calling himself “Jorge” — described “intelligence and influence” services they said they could provide for their clients. They say they have worked on “33 campaigns at the presidential level” – 27 of them “successful”.

Their tactics include hacking, fabricating blackmail material, spreading misinformation, planting false information, physically disrupting elections, and deploying targeted social media campaigns.

Reporters were able to confirm that some of these tactics were used. The Jorge team appears to have gained unauthorized access to Telegram and Gmail accounts of high-ranking government officials and deployed botnet campaigns on social media. Evidence reviewed by reporters suggests the group interfered in at least two presidential elections.

“Jorge” – Tal Hanan

Jorge told undercover reporters, who presented themselves as intermediaries for a prospective African client, that the going rate for a presidential campaign was 15 million euros. For this short-notice job, with only two months available, the Jorge team asked for a minimum of 6 million euros. Reporters were told the money could be easily transferred through covert means, possibly with the help of a French NGO, a Dubai law firm or Islamic schools.

“We like to be behind the scenes and that’s part of our strength — the other side doesn’t understand that we exist,” Jorge said.

His nickname is a Spanish name that does not match his accent. This is part of the legend, an attempt to conceal his identity and location. The desktop of the computer he used in the presentation jumps between time zones and displays a traffic camera feed from Lithuania. His contact numbers span the whole world: Indonesia, Ukraine, the United States and Israel.

Reporters eventually discovered that his real name was Tal Hanan, a self-described counterterrorism expert who was cited in the media as a cybersecurity specialist.

Hanan denied any wrongdoing, but did not answer detailed questions.

Hacking Kenya

During one of the recorded presentations on Zoom, Tal Hanan showed a screen with a Telegram account and clicked through the contacts and private chats of Kenyan political adviser Dennis Itumbi.

This live demonstration took place at the end of July 2022, at a critical moment in Kenya’s presidential election campaign. Itumbi was the digital strategist of William Ruto, vice president of the East African nation at the time, who would be elected president within weeks. Local media described Itumbi as Ruto’s “right hand”.

Hanan showed proof that not only could he read Itumbi’s private chats and files, including an internal survey related to the upcoming election, but that he could even pose as Itumbi by sending messages from his account. Hanan began a conversation from Itumbi’s account with a prominent Kenyan businessman and sent a text that simply read: “11.”

The message was meaningless; its only purpose was to demonstrate his ability to control the account. But the Jorge Team claims to have sent falsified messages to military commanders and government ministers, all in an attempt to influence events and wreak havoc among high-level targets.

“I’ll usually wait for him to see it and then delete it. Why? Because I want to create confusion,” Hanan said. In the case of the Itumbi demonstration, Hanan accidentally deleted the text message only for the sender. Subsequently, reporters were able to contact the businessman who received it and confirm that the mysterious message had indeed been sent.

The services of the Jorge Team according to Haaretz

Kenyan elections are just one example. In an investigation, Haaretz journalists identified attacks on elections in Mexico, Ecuador, Nigeria and Catalonia, as well as disinformation interventions by Jorge Team accounts in France, Britain, Canada, Morocco, Mongolia, Indonesia, Sri Lanka and other countries.

Breaking into communications

“I know in some countries they believe Telegram is very safe,” Hanan said in the demonstration on Zoom. “So, here, I’ll show you how safe it is… So this is also a minister of some country, I can go [and] I can check all his calls.”

Hanan also showed the Gmail account of Mozambique’s agriculture minister, Celso Correia, who confirmed to reporters that the email address and content appeared to be his. During the presentation, the folders from the minister’s personal Google Drive were also visible.

Crucial for hacking email accounts and messaging services such as Telegram is SS7 (Signaling System 7)*, an international standard protocol for mobile phone communications that is meant to ensure that a call or SMS sent by one user is routed to the correct number of the intended recipient. It was introduced in the 1980s, in the early days of digital security and encryption, so it contains flaws that can allow third parties to impersonate a specific user and receive their messages and calls.

That’s what Hanan claims his team can do. He told undercover reporters that the Jorge Team went directly to a telecommunications service provider in the country where they operate and installed a physical device that allowed his team to inject fake commands into the system through SS7. This tricks the telecom operator into sending the authentication SMS for the target’s account to the impersonator, allowing the Jorge Team to read the target’s messages and even send messages.

Although these flaws are common knowledge and most telecom providers have introduced countermeasures, some operators still maintain vulnerable networks.

Nothing in Israel, nothing against Mr. Putin, and careful in the U.S.

The Jorge team said two-thirds of the presidential campaigns they intervened in were in Africa, but their promotional material also included countries in Europe, Latin America, Southeast Asia and the Caribbean.

Hanan’s brother, Zohar, said at a meeting in December that there were only three tasks that the Jorge Team would not undertake: nothing in Israel (“We don’t want to poop where we sleep.”); no American politics at the partisan level (they claim to have rejected an invitation to help in the election of former US President Donald Trump); and “nothing against Mr. Putin.”

Zohar Hanan, Tal Hanan’s brother, also known as “Nick” in the Jorge team.

During demonstrations in front of undercover reporters, Tal Hanan was eager to show off the technical tools his team used to help customers.

He showed an article with headlines from Nigeria describing attacks on opposition phone lines as part of their sales video “Team Jorge Presents: Intelligence on Demand.” These attacks overwhelm the telephone network.

“We want some people to be silenced, we want some people to have the wrong communication,” he said during one call, referring to election day as “Day D.” “So we have the capacity on Day D to disarm hundreds of phones… a particular chief of police or people from the army who are not in our favor. All phones will stop working.”

Hanan also claims to have used similar tactics against computer networks.

“We can remove websites, anything with IP, servers. If they have their own servers, apps, sometimes two, three news agencies – we can disable them,” he boasted.

The capabilities described by Hanan resemble “distributed denial-of-service”, or DDoS, attacks. These attacks typically overload a target’s systems by flooding them with requests until they can no longer respond to legitimate ones, hence “denial of service”.

He showed headlines about a similar attack during the 2014 referendum in Catalonia. Spanish investigators told OCCRP they had no evidence of Hanan’s involvement, but said it was plausible.

Team Jorge presentation showing a DDoS attack during the 2014 referendum. Credit: Screenshot of a presentation from an undercover recording.

AIMS: The Influence Platform

The Jorge Team’s technological toolkit also includes a “platform for influence” called Advanced Impact Media Solutions, or AIMS, which Hanan claims he has sold to intelligence services in more than 10 countries.

The AIMS software is designed to create convincing avatars for social media campaigns. The avatars, or bots, use stolen photos of real people, work on any social media platform, and can be linked to functioning Amazon and Bitcoin accounts. They also appear to have a longstanding presence online, including Gmail accounts and banal comments on celebrity videos on YouTube, to give investigators the impression that they are real people.

“We imitate human behavior,” Hanan told undercover reporters.

Most online accounts require phone number and email address verification to prevent bots like those implemented by AIMS. But there are websites created specifically to allow one-time SMS confirmation services for 50 cents or less. Many accounts — such as Gmail and WhatsApp — can be registered with “verified” phone numbers. The Jorge team appears to be using a service called SMSpva.com to verify phone numbers. SMSpva.com did not respond to a request for comment.

Shannon Aiken’s profile in AIMS
Credit: Screenshot of a presentation from an undercover recording. Shannon Aiken’s profile in AIMS: her data is fake, but the image was stolen from a real person.

Residential proxies – the fuel of disinformation

AIMS also relies on residential proxies, which route the bots’ internet traffic through people’s homes so that it looks authentic. This makes it difficult for social media platforms to identify a coordinated disinformation campaign.

As one expert who consulted the Story Killers project pointed out, residential proxies are “absolutely necessary” in the disinformation industry because they allow the creation of hard-to-detect bots and can simulate activity from a specific region. This is difficult to prevent, as the IP addresses used by residential proxies are usually also used by real people.

Specifically, participants in a disinformation campaign could buy access to residential proxy servers and use them to create fake accounts in bulk that appear to belong to real people because they use real IP addresses.

In the data presented by Team Jorge, the project experts and the Bulgarian partner BIRD.BG found links to sites based in Bulgaria. These are still being examined for a separate publication.

An analysis by reporting partners Le Monde and the Guardian identified groups of avatars, including those seen in Hanan’s presentations, that appear to have been used for coordinated Twitter campaigns. Reporters found more than 1,700 Twitter accounts tied to 21 AIMS-linked campaigns, whose networks have produced tens of thousands of tweets.

At the December face-to-face meeting with undercover reporters, the Jorge team showed a new capability for AIMS: artificial intelligence tools to generate fake news using certain keywords, tone and theme.

“An operator can have about 300 profiles,” Zohar Hanan said during the demonstration. “So within two hours, the whole country will start retransmitting the message, the narrative I want.”

An avatar for a Lukashenko confidant

A campaign with an avatar seen on a Jorge Team computer during the commercial presentation of services was found to promote the activities of Alexander Zingman, a businessman close to authoritarian Belarusian President Alexander Lukashenko.

In March 2021, Zingman was arrested in the Democratic Republic of Congo for alleged arms trafficking, but was later released. In October of that year, OCCRP revealed how Zingman and another friend of the Belarusian president had used shell companies to hide a lucrative gold mining deal with Zimbabwe’s state mining company.

The previous year, AIMS avatars promoted favorable stories about Zingman and his business in a coordinated and automated campaign. Some were used to draw attention to his rival Vitaly Fishman. Journalists identified 35 more avatars linked to the Jorge Team through a defamation lawsuit in the U.S., which Fishman won.

Zingman’s lawyer said his client had never worked with companies that participate in disinformation campaigns, and in fact he himself had been the victim of a similar scheme.

It’s not PR, it’s intelligence.

Tal Hanan served in Israeli special forces as an explosives expert, according to his online biography. He is listed as the CEO of at least two Israeli companies, Tal Sol Energy and Demoman International Ltd., an intelligence firm listed on the Israeli Defense Ministry’s website of defense companies.

Jorge’s office in Israel, visited by undercover journalists. Photo ZDF

Hanan said he had organized lobbying operations in the U.S. despite not registering as a “foreign agent” as required by law. He said he worked through consultants and companies already registered and told reporters that he had recently set up a public relations firm called Axiomatics to advertise the Jorge Team with “existing lobby groups.”

In the years following the September 2001 attacks on the World Trade Center in New York, Hanan positioned himself as a counterterrorism expert. He claimed to have trained law enforcement, including U.S. federal agencies, according to an archived page from his now-defunct website, suicide-terrorism.com. In 2010, Hanan was cited in The Jerusalem Post as a cybersecurity expert, commenting on the possibilities of hacking.

During conversations with undercover reporters, the Jorge Team went deep into the technology they said the group was using to influence elections. They added that they have six offices and employ at least 100 people, stressing that they draw on colleagues with an intelligence background. This places Jorge’s activities far beyond the realm of the public relations strategies typically used during elections.

“It’s more than anything intelligence work. This is not PR work. This is intelligence work,” Hanan stressed.

OCCRP and BIRD.BG team

Title illustration: OCCRP

Forbidden Stories Media Partners for the Story Killers Investigation:

The Guardian and Observer, Le Monde, The Washington Post, Der Spiegel, ZDF, Paper Trail Media, Die Zeit, Radio France, Proceso, OCCRP, Knack, Le Soir, Haaretz, The Marker, El País, SverigesTelevision, Radio Télévision Suisse, Folha, Confluence Media, IRPI, IStories, Armando Info, Code for Africa, Bird, Tempo Media Group, El Espectador, Der Standard, Tamedia, Krik.

The Story Killers project was published in collaboration with the International Center for Journalists’ (ICFJ) Online Violence Project, a partnership between ICFJ Research and computer scientists at the University of Sheffield. The ICFJ team provided its expertise and computing power to the Story Killers partners.

*A large Israeli company specializing in SS7 hacking and remote phone tapping is based in Bulgaria. It is called Circles and is part of the infamous NSO Group, which produces the Pegasus software. Despite warnings to the authorities that such technology is potentially dangerous and harmful, DANS did nothing to limit the activities of Circles even after the Pegasus scandal.
