Apr 30 / Naadir Jeewa

An update: The company behind the Twitter spies?

For background, see the bottom of this post.

After talking to a few peeps, I’ve decided to throw caution to the wind, and reveal what I know. After all, I’m not in the national security field, and I’m UK based. Here goes…

If you search around in Wikipedia history, you find a vanity entry for Shawn Gorman at The Athenian Upper School in Danville, CA. Also of interest is a photo in their prospectus. The edit was made by someone with an IP address registered to Dynetics Inc., Huntsville, Alabama. They specialise in missile and rocket technology amongst other things, and have recently signed a $45mn contract with USAF and a $9mn contract with the US Army. Furthermore, they’ve lobbied Congress & the Army on DOD Appropriation bills “relating to missile defense, aviation, and other research, development, test, and engineering programs and all provisions relating to acquisition policy”. If you look at the missile defense related sections of HR6523, a lot of it relates to topics that @PrimorisEra often tweeted about.

The Petulant Skeptic pointed out a number of accounts mentioned by @FrostinaDC with marked similarities to the Shawn Gorman accounts:

  • @VeritableSaint [1]
  • @Shad0wSpear
  • @NavalSecurity
  • @ArchAngel_6

Now, @VeritableSaint, @Shad0wSpear, @PrimorisEra, and @ArchAngel_6 (now deleted) all bear similarities, and often talked amongst themselves and retweeted each other.

Similar profile names, avatars, and use of Latin. Around about the time Twitter went wild, @VeritableSaint and @Shad0wSpear went private, and @ArchAngel_6 deleted itself.

@NavalSecurity deleted all previous tweets, but remains operational. @NavalSecurity links to the dodgiest looking naval shipping security site. The domain is registered to one “Markus Felchner” at an Istanbul address. He’s presented at a Turkish Shipping Summit on how to attract “foreign owners to order in Turkish yards” as the CEO of chemtanker.org, a site which is a single frame linking to navalsecurity.org.uk. The whois records for navalsecurity.org and chemtanker.org point to a hypnotherapy practice in Kiehl, Germany, which I think we can disregard. A light bulb company lives at the Turkish address, so it seems like these addresses have just been lifted or made up. Apart from that, I’m not entirely sure what the connection is here, but note that Shawn goes by Shawna Felchner on Facebook.

The Petulant Skeptic’s theory is that what we’re looking at is a bunch of cubicle workers sharing a few accounts with perhaps a middle manager above them, and they might be using the real identities of employees “to lend the whole thing credibility.” This seems plausible. Which shifts this all back to Dynetics. Here’s a description of their Strategic Programs Division in Arlington, which is where Gorman is likely to be based:

The division’s capabilities are focused on providing very experienced professionals to augment military headquarters staffs in six areas: congressional affairs, acquisition program support, science and technology, strategic planning and communications, information technology (IT) and software development, and test and experimentation.

The U.S. Army is our primary customer, but we also provide technical services to the Missile Defense Agency (MDA) and Joint Forces Command. Within the Headquarters (HQ), Department of the Army, our professionals provide key staff support to the ASA FM, OCLL, G8 and ASA ALT (in both acquisition and science and technology). Approximately half of our employees provide dedicated congressional, strategic planning, acquisition program and science and technology services to the HQ. The MDA is our next largest customer with over 10 employees doing congressional affairs and public affairs work under a prime contract, and systems engineering and program management efforts under subcontracts. The remainder of our work supports Engineering Research and Development Center, PEO Missiles and Space, PEO Simulation, Training and Instrumentation, PM Close Combat Weapon System, Space and Missile Defense Command, PM Counter Rockets, Artillery and Mortars and HQ, Fort Bliss with congressional affairs, program acquisition and management and strategic planning support; Research, Development and Engineering Command with strategic planning expertise; Joint Combat Development and Experimentation Offices with Modeling and Simulation expertise.

They’re pretty much perfectly set up to undertake the kind of intelligence operation that the above Twitter accounts may have been engaged in. Worth having a look at what the Washington Post has on Dynetics too.

Be sure to follow @PetulantSkeptic, who’s been a big help here.

[1] I have followed @VeritableSaint from before this all kicked off. I don’t think we’ve conversed before.


Original post: The Spy Who Followed Me

 

Interested in space

We all like a good conspiracy, don’t we? Enter the @PrimorisEra honeypot scandal, as reported by Spencer Ackerman:

It started out with a leggy, bikini-clad avatar. She said she was a missile expert — the “1st Lady of Missiles,” in fact — but sometimes suggested she worked with the CIA. With multiple Twitter and Facebook accounts, she earned a following of social media-crazed security wonks. Then came the accusations of using sex appeal for espionage.

The subject of much confusion and even more speculation, @PrimorisEra purports to be a woman in her late 20s named Shawn Elizabeth Gorman. Many have corresponded with her through Google Chat, IM, Facebook, and Twitter. Very few of them have met her in person. She claims to hold a security clearance and work for a Defense Department contractor that she won’t identify.

Now, Spencer finds that there is stuff to suggest that what the person behind the account was doing was not quite legit:

To some people she direct messaged, it crossed a line. One male tweeter on active duty she contacted through DM and chat thought most of her banter was harmless. But some of it struck him as “creepy,” he tells Danger Room: “Where I was stationed, where I was deploying, pressing me for details… A lot that we shouldn’t be talking about.” He thought she should know better not to ask for sensitive specifics like that, especially on unclassified forums, since @PrimorisEra “presented herself as a DoD [Department of Defense] employee.”

But @PrimorisEra didn’t always present herself as a Pentagon worker. According to a chat log acquired by Danger Room, she told someone in an unsecured GoogleChat, “you do know I do wrk w/ WINPAC.” That’s the acronym for the CIA’s arm for weapons and arms control intelligence.

She offered to help her interlocutor get a job with the CIA, prompting him to offer to send her his resume. He began to talk about an individual “known around Langley” by first name only. Asking for her last name, @PrimorisEra wanted to know what his connection to her was.

Joshua Foust writes:

More than a few Twitter users who work in national security panicked upon hearing the accusation lodged against @PrimorisEra. According to @AllThingsHLS, who identifies himself as a retired intelligence analyst, @PrimorisEra allegedly requested sensitive information using Twitter’s Direct Messaging, or DM, service. By posing as a savvy junior analyst (or, when she contacted me several months ago, a graduate student seeking sources for a paper), @PrimorisEra allegedly tried to persuade several young men on Twitter (and Facebook, though details are even sketchier there) to divulge sensitive information for more than two years.

As far as I know, I only got as far as referring the person behind the account to my post on climate models and nuclear war, and never got round to handing over my National Insurance details. I also have no security clearance to worry about.

However, I think Shawn Gorman is almost who she most-of-the-time says she is – a research assistant at a defence contractor in North Virginia / DC (not Brussels as is claimed). In fact, I’ve traced the possible hometown & employer, and looking at what they do, this correlates highly with the tweets that came from @PrimorisEra [1]. The company does have genuine links with the CIA, and according to the WaPo “Top Secret America” database, works on missile defense, cybersecurity and MISO. There’s also a LinkedIn profile for an unnamed individual at the company for a congressional research assistant, although there’s a few discrepancies, such as egregious exaggerations of past experience (know anyone who was a building manager whilst doing a full-time BA?). This makes me suspect Shawn Gorman is just a 20-something early career analyst who thought using a few fibs might get herself ahead.

Let’s look at her outing as ‘a spy’:

Several women national security experts on Twitter rolled their eyes at @PrimorisEra, thinking she was acting out for male attention and not as much of an expert as she conveyed. During a happy hour at the D.C. bar Science Club last week, some of them got to talking about how they thought her account was either fake or a big inflation of her national security credentials.

Finally, one of them, a Defense Department contractor tweeting as @FrostinaDC — who asked Danger Room to keep her real name out of this piece — called her out on Friday.

“A bikini perpetuates your fake persona & makes the boys want to screw you,” @FrostinaDC tweeted, the first of a fusillade of tweets that quickly drew in the national-security twittersphere, eager to watch a trainwreck in progress. Questioning “the validity of that account,” @FrostinaDC followed up. She tweeted URLs for pictures that @PrimorisEra used for her avatar, as @PrimorisEra had said her “management” helped select profile pictures of herself. In a since-deleted tweet, @PrimorisEra replied that @FrostinaDC should be careful, because @PrimorisEra “knew all the right people.”

That set @FrostinaDC off for the coup de grace — something that she assembled after what she says is ferocious open source online sleuthing and conversations with those who talked to @PrimorisEra.

“Just to be clear,” she tweeted on Saturday, “I have intel that @PrimorisEra is a Honey Pot & if you’re in my field you know what that means.”

What it means is someone who uses sex appeal to get someone to divulge their secrets. It implies that @PrimorisEra is the agent of a foreign power. That was an accusation no one had heard before. It’s also about the most serious charge that someone can levy.

It’s hard not to laugh. As Ryan Tate put it:

ZOMG! The national security world is totally as petty, gossipy and vicious as a pack of 13 year old girls. Just look at the hysteria surrounding supposed Twitter spy “Shawna Gorman.”…All that’s missing to make this completely Middle School are some Trapper Keepers, elaborately folded paper notes and a hall monitor to break everything up when the school bell rings.

Ok, so @PrimorisEra used fake sexy photos and anime characters pulled from those random image-based tumblr sites, and this proved to be more than suggestive to some men with security clearances. So? The use of those pictures doesn’t tell us much. I once saw lots of students use profiles not too dissimilar to @PrimorisEra. Danah Boyd explains why this is the case:

Like many social network sites, Twitter flattens multiple audiences into one – a phenomenon known as ‘context collapse’. The requirement to present a verifiable, singular identity makes it impossible to differ self-presentation strategies, creating tension as diverse groups of people flock to social network sites (boyd, 2008). Privacy settings alone do not address this; even with private accounts that only certain people can read, participants must contend with groups of people they do not normally bring together, such as acquaintances, friends, co-workers, and family. To navigate these tensions, social network site users adopt a variety of tactics, such as using multiple accounts, pseudonyms, and nicknames, and creating ‘fakesters’ to obscure their real identities (Marwick, 2005). The large audiences for sites like Facebook or MySpace may create a lowest-common denominator effect, as individuals only post things they believe their broadest group of acquaintances will find non-offensive. Similarly, Twitter users negotiate multiple, overlapping audiences by strategically concealing information, targeting tweets to different audiences and attempting to portray both an authentic self and an interesting personality.

What we ended up with was a clash of norms. People in the natsec community expect you to use your real identity for your Twitter account. There are some exceptions, but these are people who know other prominent tweeters in real life, and are therefore included in the web of trust. Outsiders like me can only be taken half-seriously by being fully transparent. Shawn Gorman did no favours by not registering an account in her name. If I were in her position, I would have had two accounts, and given all the correct information on the public-facing account. Instead, Shawn seems to have followed an opposite method – keeping the real account for personal use, and the fake accounts for natsec use. To an extent, this makes sense. If you’re an attractive female, and often like to tweet about beauty, then using fake photos and details might be a way to avoid a whole plethora of weirdoes. That, however, is incompatible with standards of trust required in the natsec community. Especially when you’re tweeting on sensitive issues like missile defence.

Also, when I was looking for the company on LinkedIn, all of the profiles were marked private, so perhaps the company explicitly forbids the revealing of personal information on social networking sites [2]. The dubious bio details on the @PrimorisEra account may have been an attempt to avoid getting into trouble with the employer. A less charitable interpretation is that the defence contractor in question hired Gorman to get proprietary information in order to gain a competitive advantage in two recent DOD contracts and help with their lobbying on defense appropriation bills. In which case, the real problem is the less-than-transparent links between contractors and the government. There’s no Anna Chapman story here, nor is this like the totally fake honeypot account of Robin Sage. Whatever the company’s role in all of this is, it’ll probably survive with a minor slap on the wrist.

Anyway, what’s interesting here are the two cognitive biases at play in explaining why we all lost our marbles a bit. I fell into the game of giving @PrimorisEra a good kicking because other tweeters that I respected were also doing so, and they in turn were following the example set by others – classic bandwagon effect. Also, in a case of hindsight bias, everyone seems to have updated their previous memories to fit the new narrative. So, what looked to some as a not very important source of news on missiles and random cryptic tweets about their personal lives became evidence of a honeypot operation after a very brief exchange of tweets with another user. After looking at all the available evidence, although it can’t be ruled out, there’s absolutely no reason to assume that @PrimorisEra was a honeypot account. If someone suspected the account, they should have reported it, not blurted out incomplete facts in a public audience in a way that could hamper any investigation. I suspect two people’s careers in national security are going to be irreparably harmed, and a lot of us are going to realise that we love a good bit of trashy gossip as much as everyone else.

[1] The reason I don’t want to reveal any details is that I’m not a journalist, and have zero-clue about ethical standards, so I’m sticking with minimal disclosure. The info’s not too difficult to find, depending on your Google-Fu. FWIW, I think Scot Terban’s followed the wrong trail. Also, the @LadyCaesar started following me yesterday, and I’ve followed back. I’ve had no further conversation with the account, and there’s nothing of interest being tweeted other than one tweet on the Royal Wedding.

[2] Oddly, lots of employees have FB accounts with varying levels of privacy. I didn’t find a different Shawn Gorman amongst them.