Communications Security on Iron March – An Intelligence Analysis

How do right-wing extremists secure their communications? The recent Iron March data leak gives insight into how its members tried to communicate outside the message board.

The recent leakage of a massive white supremacist message board named Iron March  sparked a wave of independent investigations by people all of over the world. The data contained in this leak provides many leads to practice OSINT skills in various disciplines. Whether it is googling usernames, correlating email addresses to social media profiles or looking up information on some of the domains shared on this message board; the breached data is a starting point for a plethora of different OSINT methods. Of course, I couldn’t resist and also took a dive into this leak as well! I decided to have a look at the content that was posted on Iron March. Not so much OSINT here, it is more general intelligence analysis I will be applying. One of the challenges was actually defining a clear goal. What did I want to unravel here? Did I want to reconstruct organizational structures? Did I want to investigate individuals and their backgrounds? Did I want to look at certain events?

Without narrowly defined intelligence requirements and thus key intelligence questions that should be answered, approaching such a big amount of data in a methodological way is nearly impossible. After reading the first couple of Iron March messages, I realized that the users often discussed others means of communication outside of the message board. So, I decided that my first goal would be to analyze the communications, security measures and the evolution of communications within this network. Having a better understanding of this topic will surely help the OSINT community to understand where to look for further information during this investigation.

When Iron March was set up, many users migrated from a previous platform called ITPF. Background information on both platforms can be found here. The first posts on Iron March clearly showed, that the users would regularly communicate outside of the message board as well. Among the these outside channels were mainly Skype, MSN, AIM and Facebook.

“You should download Skype it is a good service. Also you can use it just like MSN; you can type, I type most of the time.” Post on 23.09.2011 by Kacen (ID2)

“Not sure if you’re interested but I thought I’d ask, I’m launching a study group for American Fascism/Nationalism quite soon via facebook.” Post on 24.11.2011 by American_Blackshirt (ID35)

Eventually, members of Iron March even set up Skype groups to ensure communications. This enabled them to communicate directly with each other without delay, as it would have been on Iron March. At the time, Skype appeared secure to the members of the message board and was soon the preferred outside communication channel. Occasionally, other channels would also be used to communicate, sometimes even including gaming platforms.

“We have a good number of people in the Skype group and you should join.” Post on 25.01.2011 by Blood and Iron (ID3)

“do you have facebook, or steam, bf3 battlelog or something where us 2 can converse?” Post on 02.07.2012 by unkown

 The main reason people would use external messengers to communicate, was that they were more practical than using Iron March’s private messaging system. To gain access to Iron March PMs, the site had to be open in the browser. MSN and other messengers were client-based and could run in the background, immediately informing users of incoming messages. By late 2012, AIM and MSN were also still used frequently, something that would soon change after Microsoft discontinued MSN as a service in 2013.

“Hobbit, do you have MSN? A lot more practical than talking through PMs.” Post on 27.06.2012 by Damnatio Memoriae (ID279)

“Alright, I’ll get back to you again tomorrow, with my AIM, MSN, and SKYPE info.“ Post on 10.10.2012 by social_justice (ID17)

As early as mid 2012, many users were slowly turning away from Facebook, stating privacy issues as their main reason.

“I don’t use facebook anymore, it gives too much information away even if you use a proxy and false information, it’s an easy way to keep a “paper trail” on someone, so to speak.” Post on 03.07.2012 by Nebuchadnezzar II (ID288)

The use of external channels remained mostly unchanged until 2015, when new messaging and chat services started to appear on Iron March. Telegram and Tox were among the most popular services and were viewed as more secure than Skype. This also led to the exchange of Tox IDs, so the members could identify each other on the chat application.

“I need to get in contact with you. Download Tox and make an account with a secure login.” Post on 08.08.2015 by Fascism=Fun (ID7962)

“Another thing I wanna recommend is to use Telegram or Tox instead of Skype for organisational procedures and meetings. These are really good ways of communicating, and I know of three NatSoc and Fascist organisations within the U.S that use these services because of their security.” Post on 05.02.2016 by TheWeissewolfe (ID9304)

The post above is actually from the deputy leader of the infamous Atomwaffen Division. Whenever someone was interested in joining this organization, they were told to use Tox or Telegram for further communications. However, there was still a reasonable amount of doubt regarding the security of these new communication channels. Discussions about adding an extra layer of encryption ensued.

“Yeah I’m well aware the skype is compromised. Literally everything Microsoft is and has been for over a decade. Tox isn’t but it’s a WIP. Discord I don’t know much about but no doubt it is too. Secure channels aren’t really possible without doing your own encryption.” Post on 21.05.2016 by Xav (ID9476)

While most members of Iron March were very naïve in terms of operational security or communications security, some members had a fairly good understanding of the risks in open communications. One of these members was Atlas (ID9174), who claimed to be responsible for network and computer security for the British group National Action.

“Hi, I’m in charge of computer and online network security with National Action.” Post on 23.08.2015 by Atlas (ID9174)

Atlas often provided guidance on the use of secure emails and encryption with PGP. Overall, members were made aware not to use Hushmail and to rely on Protonmail or Tutonota instead. When sending emails to other providers they were to use PGP. He even wrote a PGP guide for National Action and distributed it on Iron March as well.

“Good job I just designed a PGP guide for National Action then, I’ll email you it, what’s your email?” Post on 01.09.2015 by Atlas (ID9174)

Other activities included checking the security of hosting servers. One of the most interesting conversations I have found in this dump so far was between Atlas and the founder and leader of the Atomwaffen Division, Odin. In September 2015, Odin reached out to Atlas regarding issues with PGP.

“Hello comrade I need to have my pgp shit setup properly and to be able to use it for communications with certain people before this weekend. I would be very greatful if you could help me.” Post on 14.09.2015 by Odin (ID7600)

Although many security measures were put in place, a lot of members of Iron March still were fairly confident that their activities had not drawn the attention of law enforcement yet. Some even openly expressed their total negligence of security openly on the message board. There was more fear of being doxed by left-wing organizations than becoming a target of police investigations.

“I’m glad you all understood the necessity for security. Here on IM I was shot down for daring to suggest such a necessity on the basis of: We don’t need it, we’re not ISIS. I ripped off all my ideas from some corny website anyway (that website being my blog btw lol).” Post on 04.05.2015 by Atlas (ID9174)

“The use of TOR, fake names, and these secure channels is more of security culture thing – we are not being actively monitored by say, the government (at least that is my personal opinon based on the information I have) but it encourages people to act more sensibly so they don’t get themselves doxed by leftists. I don’t like hearing about workplaces getting phoned up or individuals being exposed in the newspapers. Since the mirror article on my a couple of years ago practically everyone has been able to maintain a degree of anonymity. Obviously if they ever decide to raid anyone they are not going to find anything that can be used to build a case around them.” Post on 10.04.2016 by Daddy Terror (ID7)

Given the fact, that Daddy Terror (ID7) was the leader of the National Action movement in Great Britain, this statement is truly remarkable and shows how safe some of the members of these extremist communities felt in their online communications. Next to the platforms already revealed above, there were several other communications channels that were occasionally mentioned, e.g. Discord and even MySpace in the early days of Iron March. In the end, the use of external secure communications and additional encryption were blasted when the message board itself was hacked in 2017 and the data was recently leaked, exposing the identities and ideas of many members.

Thank god the Iron March admins didn’t have proper security measures in place and hopefully this data leak will help law enforcement worldwide investigate some of the malicious activities planned and discussed on the message board. Until then, I’ll continue to dig into this data, together with other OSINT enthusiasts, and see what stories can be unraveled next.

Matthias Wilson / 09.11.2019

 

One thought on “Communications Security on Iron March – An Intelligence Analysis

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s