Full Report
Recently there were revelations about a GCHQ initiative called ‘Lovely Horses’ to monitor certain hackers’ Twitter handles. The guys over at Paterva quickly whipped up a Maltego Machine to replicate this: Building your own LovelyHorse monitoring system with Maltego (even the free version) – it’s easy! We’ve wrapped some supporting transforms around that Machine to allow you to create and manage your own set of lovely horses (Twitter accounts), and dubbed it ‘Lovely Pwnies’. You can obtain the transforms and original Machine via the new Maltego Transform Hub.
Analysis Summary
# Tool/Technique: Lovely Pwnies (Maltego Machine/Transforms)
## Overview
Lovely Pwnies is a set of Maltego transforms and a Machine developed by Paterva to replicate the functionality of the GCHQ surveillance initiative known as 'Lovely Horses'. Its primary purpose is to monitor specified Twitter handles, referred to as "lovely horses", allowing users to create and manage lists of target accounts for intelligence gathering or analysis of specific individuals or groups on the platform.
## Technical Details
- Type: Tool (Information Gathering/OSINT Framework Enhancement)
- Platform: Maltego (Requires Maltego installation, functionality available even with the free version)
- Capabilities: Creating and managing lists of monitored Twitter accounts ("lovely horses"); visualizing relationships and data sourced from Twitter.
- First Seen: April 10, 2015 (publication of the Paterva implementation following the GCHQ 'Lovely Horses' revelation).
## MITRE ATT&CK Mapping
As this is an open-source intelligence (OSINT) gathering tool based on public APIs and platform scraping, the primary mapping relates to reconnaissance:
- **TA0043 - Reconnaissance**
  - T1593 - Search Open Websites/Domains
    - T1593.002 - Search Social Media
  - T1598 - Gather Victim Identity Information
    - T1598.003 - Gather Information from Social Media
## Functionality
### Core Capabilities
- **Twitter Monitoring Replication:** Mimics the data gathering approach used by GCHQ's 'Lovely Horses' to track activity on specific Twitter accounts.
- **Management of Targets:** Provides transforms to easily create and maintain a collection of targeted Twitter handles ("lovely horses").
- **Visualization:** Leverages the Maltego platform to visualize the relationships and data collected from the specified Twitter accounts.
### Advanced Features
- **Pro Version in Development (as of 2015):** A professional version was planned that would send notifications about "interesting events" on the monitored accounts.
## Indicators of Compromise
Since Lovely Pwnies is a *monitoring tool* that interacts with public Twitter APIs rather than malware, traditional IOCs such as file hashes or registry keys do not apply.
- File Hashes: N/A (Software package/Configuration)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Interaction with official Twitter API endpoints (e.g., api.twitter.com) is expected.
- Behavioral Indicators: High volume lookup/querying of specific Twitter user profiles or tweet streams via programmatic means.
## Associated Threat Actors
- **Paterva:** The developer of the Maltego Machine and Transforms.
- **Defensive Researchers/Analysts:** Intended use is for security professionals mimicking state-level OSINT gathering capabilities.
- **GCHQ (Inspiration):** The tool is based on the documented methodology of the agency’s 'Lovely Horses' initiative.
## Detection Methods
Detection focuses on identifying the Maltego platform performing automated, high-volume queries against Twitter services, activity that can blend in with legitimate browsing or scraping.
- Signature-based detection: Detection of the Maltego installation or specific transform files/scripts if signatures are created against them.
- Behavioral detection: Monitoring network traffic for automated, non-browser-based calls to supported API services that match Maltego communication patterns.
- YARA rules: Not applicable for this type of software implementation unless specific wrapper scripts or binaries containing the transforms are analyzed.
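An added example, not code from the page or from Paterva, implementing the behavioural check described above: it runs over constructed proxy log lines and flags clients that query api.twitter.com at high volume without a browser user agent. The log line format, the 60-second window, the threshold of 20 requests and the "Mozilla/" browser heuristic are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# Assumed proxy log format: <ISO timestamp> <client_ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
TWITTER_API_HOSTS = {"api.twitter.com"}

def parse_line(line):
    """Parse one proxy log line into a dict; return None for malformed lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, ua = m.groups()
    u = urlparse(url)
    handle = parse_qs(u.query).get("screen_name", [None])[0]  # profile being looked up, if any
    return {"ts": datetime.fromisoformat(ts), "client": client, "host": u.hostname,
            "path": u.path, "handle": handle, "ua": ua}

def is_browser_ua(ua):
    # Heuristic (assumption): interactive browsers send a "Mozilla/"-prefixed UA; SDKs and scripts usually do not.
    return ua.startswith("Mozilla/")

def max_in_window(times, window):
    """Largest number of events that fall inside any `window`-second span (two-pointer sweep)."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def find_programmatic_lookups(lines, window=60, threshold=20):
    """Return {client: summary} for clients bursting Twitter API calls without a browser UA."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["host"] in TWITTER_API_HOSTS and not is_browser_ua(rec["ua"]):
            per_client[rec["client"]].append(rec)
    alerts = {}
    for client, recs in per_client.items():
        burst = max_in_window([r["ts"] for r in recs], window)
        if burst >= threshold:
            alerts[client] = {"burst": burst,
                              "distinct_handles": len({r["handle"] for r in recs if r["handle"]}),
                              "user_agents": sorted({r["ua"] for r in recs})}
    return alerts

def constructed_sample():
    """Constructed sample: one scripted client enumerating 30 profiles in 30 s, one ordinary browser user."""
    lines = [f'2015-04-10T09:00:{i + 10:02d} 10.0.0.5 GET https://api.twitter.com/1.1/users/show.json'
             f'?screen_name=handle{i} "python-requests/2.5.0"' for i in range(30)]
    lines.append('2015-04-10T09:00:30 10.0.0.9 GET https://api.twitter.com/1.1/users/show.json'
                 '?screen_name=handle1 "Mozilla/5.0 (Windows NT 6.1) Firefox/36.0"')
    lines.append('2015-04-10T09:00:31 10.0.0.9 GET https://twitter.com/home "Mozilla/5.0 (Windows NT 6.1) Firefox/36.0"')
    lines.append('garbage line that does not parse')  # exercised to show malformed input is skipped
    return lines
```

Running `find_programmatic_lookups(constructed_sample())` flags only 10.0.0.5, reporting a burst of 30 requests against 30 distinct handles; the browser user on 10.0.0.9 and the malformed line are ignored.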
## Mitigation Strategies
Mitigation focuses on controlling the use of OSINT tools within a defensive organization and monitoring external use:
- **Tool Control:** Restricting the installation and execution of powerful, unauthorized OSINT tools such as Maltego within corporate environments.
- **API Usage Monitoring:** Monitoring API key usage, especially those linked to analytical platforms, for suspicious query volumes against social media services.
- **User Awareness:** Educating analysts and users about the capabilities of OSINT tools like Lovely Pwnies when performing external research.
## Related Tools/Techniques
- **GCHQ Lovely Horses:** The original state-level monitoring initiative that inspired the tool.
- **Maltego:** The underlying platform used to execute the transforms and visualization engine.
- **General OSINT Scraping Frameworks:** Other tools designed for programmatic collection of social media data.