Threat Intelligence / OSINT / NETSEC / NATSEC

Keyboard strike - cyber anti-terrorist operations

In the previous post we dealt with how terrorist groups use social media to support their activities; this time we will look at how intelligence and military services can use the Internet to carry out anti-terrorist activities. As previously indicated, terrorism is prosecuted and fought with the full might of the state apparatus, including military operations normally reserved for armed conflict. So it should come as no surprise that, just as cyber operations are carried out against hostile countries, they are also used against terrorist organizations. Moreover, in many situations they are the more appropriate tool. Because the target of an operation can be defined very precisely and there are no direct kinetic effects, the chances of collateral damage are much lower than with conventional measures. On the other hand, of course, not every goal can be achieved this way. If we are talking about destroying a training camp or a weapons depot, or simply eliminating group leaders, there is no alternative to drones, precision munitions and soldiers. So let's look at what anti-terrorist cyber operations have taken place so far (at least those we could read about publicly 🙂), what their goals were and how they were carried out.

As with all other cyber operations conducted by government entities, we will be dealing with CNA (computer network attack) and CNE (computer network exploitation) actions. And while it might seem that destructive attacks would be far more common given the purpose of these operations, intelligence-gathering operations in fact dominate over strictly military ones, sometimes with an element of attack, which will be discussed in a moment.

One of the most high-profile disclosures of cyber activity targeting a terrorist organization, in this case ISIL and Al-Qaeda, is Kaspersky's report on the Slingshot group. What at first seemed to be a very advanced but otherwise ordinary APT operation of the kind tracked by security researchers turned out to be a US operation against ISIL. The publication of the analysis was therefore quite unfortunate and made anti-terrorist activities more difficult, but it did provide insight into how the services conduct operations of this type. In fact, what Kaspersky's analysts saw does not differ much from the less noble operations of APT groups:

Source: https://securelist.com/apt-slingshot/84312/

So we see routers used as a means of spreading the infection: the attackers replaced a DLL file with a substitute that allowed them to download further tools. Taking advantage of vulnerabilities, the attackers loaded their own signed drivers, which allowed them to run processes with SYSTEM privileges and eventually load two tool packages: "Cahnadr", operating at the kernel level, and "GollumApp", operating at the level of the user environment. In combination, they enabled a wide range of data collection activities: taking screenshots, capturing keystrokes, retrieving clipboard content, or collecting information about connected USB devices. As we can see, a quite useful package if the goal is to collect intelligence about user behavior. Kaspersky's analysts also defined the geographic scope of the activity: it covered countries in the Middle East and Africa, with particularly high infection rates in Kenya and Yemen. The researchers also found that English-speaking people were most likely responsible for the operation; as we can see, they characterized both the source and the targets of the intrusions quite accurately. The operation was definitely not a one-off, as the traces indicated that activity began as early as 2012 and was still ongoing at the time of the report's publication in 2018.

The technical analysis, however, took a back seat once CyberScoop obtained information according to which APT Slingshot was in fact an operation led by the American JSOC (Joint Special Operations Command), and its purpose was to infect computers used by ISIL and Al-Qaeda fighters. Very often these were computers in Internet cafes in developing countries that were regularly used by terrorists to send and receive messages.

The whole situation provided a lot of information on what anti-terrorist cyber activities look like. First of all, it was the first disclosed case of a cyber intelligence operation conducted by SOCOM (Special Operations Command, of which JSOC is part). SOCOM and Special Forces soldiers were of course very often involved in kinetic operations, including the most famous one, in which Osama bin Laden was killed, but little was known about the cyber components. Slingshot confirmed that highly advanced CNE accompanies classic operations and aids intelligence gathering. Second, this example showed how vulnerable a cyber operation is to detection, because its tools must be delivered to equipment controlled by the target of the operation. The same circumstances that enable Western threat intelligence teams to spot Chinese or Russian intelligence operations here burned a counter-terrorism operation. The use of the term "burn" is not accidental: as the CyberScoop journalists' sources agreed, the standard procedure in the event of detection is to abandon the existing infrastructure and create a new one from scratch. Did Kaspersky know what it was publishing? Taking into account the experience of the GReAT team and the presence of artifacts related to previous activity of American groups, such as the "Gollum" tool or the tactic of attacking MikroTik routers, it can be assumed that the analysts knew at least roughly what type of activity they were dealing with. In this context, the question arises whether publishing the report was reasonable. The mere fact of disclosing the operation shows the difference between kinetic and cyber activities: let's try to imagine how absurd it would be if a private security company described in detail how special forces prepare to attack a training camp. Returning to our example, and referring once again to the CyberScoop publication, opinions among government representatives were divided. Some said it was normal for Kaspersky to analyze and prevent activity targeting its customers. Others, however, pointed to the serious ramifications of disclosing the operation, including the life-threatening risk of being cut off from access to information.

In the case of Slingshot, we were dealing with a typical CNE for gathering information. Now let's look at an operation designed not only to gain access to terrorist computers, but also to actively disrupt operations. We are talking about Operation Glowing Symphony, launched in 2016 by the joint forces of the NSA and Cyber Command, organized in Joint Task Force-Ares.

Fragment of the document authorizing the start of the Glowing Symphony operation.

Ares' task was to investigate the habits of ISIL fighters in their use of computers and the Internet, and to implement actions to disrupt the organization's operations. The actual offensive anti-terrorist activities were therefore preceded by a long reconnaissance, during which the operators analyzed, among other things, how ISIL disseminates its propaganda materials. This analysis led to the conclusion that the terrorists relied on only 10 servers and an account that formed the backbone of the organization's distribution infrastructure, so hitting them would be a serious blow to ISIL's Internet arm. In the words of General Edward Cardon, who served as Ares's first commander, the group used the classic access method and sent phishing emails to militants. Persistence in the network was then secured by creating additional administrator accounts and dropping implants onto the fighters' machines, and activities were initiated to finally enable the objectives of the operation. They started obtaining passwords for further accounts, downloading encrypted folders and breaking their passwords; in a broad sense, they conducted reconnaissance inside the network. Here, too, the first legal and political problem appeared: not all servers to which the operators gained access were physical devices located in Syria and Iraq. Like the rest of the world, the fighters eagerly used cloud services, and there, on servers they actually shared with a lot of entirely legal activity, they conducted part of their operations. So Ares had to convince policymakers that they could launch attacks in a way that would limit the effects to assets controlled by terrorists. As a demonstration of this capability, the operators performed small operations on servers that also contained sensitive medical records.

With this preparation, Glowing Symphony moved to full-scale operation, collecting files from the fighters' machines and cutting off their access to their accounts. The operation, however, was planned in two phases. After the first strike, which limited the use of the Internet to conduct operations, Ares began its second phase of counter-terrorism measures. Operators began to simulate common IT and network problems with the aim of frustrating the terrorists and reducing the efficiency of their daily work to zero. They slowed down data transfers, randomly denied access to accounts and resources, or caused finished propaganda materials to end up on the wrong servers. This method of operation had one major advantage: by simulating problems caused not by the American military but by hopeless Internet connections and computers on which it is impossible to work normally, the anger of the terrorists was directed inside the organization. For example, the aforementioned change of destination when uploading a propaganda video caused a conflict between the supervisor and the rest of the team, because the commander was convinced that his subordinates had not followed his orders.

American law gives wide access to documents and materials produced by all organizations operating within the government administration under the Freedom of Information Act. Although documents obtained in this way are often heavily redacted:

Source: https://nsarchive.gwu.edu/document/19817-national-security-archive-1-uscybercom-operation

in the case of Glowing Symphony, we can learn quite a lot about the effects of the operation and its assessment by the command. Even though the graphic on the above slide has been completely redacted, we can learn from the accompanying materials that all of the goals were given a green light for success, except for one, which was rated "amber". That goal was therefore achieved with limitations.

Source: https://nsarchive.gwu.edu/sites/default/files/documents/6655593/National-Security-Archive-2-USCYBERCOM-Operation.pdf

Unfortunately, the details of what exactly succeeded and what did not are redacted. However, we can read that the operation successfully limited ISIL's ability to disseminate propaganda materials and use the Internet to spread its ideology:

Regardless, we can indirectly draw conclusions about how the anti-terrorist operations affected ISIL's ability to operate on the Internet on the basis of research by Audrey Alexander of the Research Program on Extremism at George Washington University. Observing ISIL's activity on Twitter, we can notice a clear decline in activity.

Analysis of ISIL's Twitter activity, Operation Glowing Symphony was approved in November 2016.

According to information obtained by NPR journalists, Glowing Symphony was a great success in terms of its anti-terrorist effects: after six months, the ISIL media arm was strangled and the organization had significant problems restoring its capabilities. This was due to difficulties in acquiring servers and registering infrastructure. ISIL had a lot of cash, but not many ways to spend it efficiently via electronic transfers, which are necessary for ordering equipment from abroad, registering domains, buying cloud resources and so on.

However, the disclosed documents describe not only the external effects of the operation, but also discuss problems and recommendations for the future regarding how the operators' work was organized and the formal aspects of operations. The authors of the report emphasized the need to standardize the procedures for obtaining approval for offensive actions and for exchanging information between organizations. The current regulations on cooperation between agencies are not adapted to the pace, scale and scope of cyber activities. Unfortunately, we will not find out what Cyber Command has only a limited ability to do without a change in policy 🙂

Source: https://nsarchive.gwu.edu/sites/default/files/documents/6655597/National-Security-Archive-6-USCYBERCOM.pdf

It is also worth paying attention to the following excerpt:

Again, the most important fragments were redacted, but the key to interpretation here is the mention of the Trilateral Memorandum of Agreement. We are talking about the "Trilateral Memorandum of Agreement (MOA) among the Department of Defense and the Department of Justice and the Intelligence Community Regarding Computer Network Attack and Computer Network Exploitation Activities", i.e. the document that forms the basis for cooperation between military, intelligence and investigative entities in the field of cyber operations. The suggestion to create a governance entity under this document and to explicitly write certain phrases into the operation's regulations may indicate that the formal requirements had not yet been adapted to combined military and intelligence operations on such a scale. Let us remember that Glowing Symphony was groundbreaking in many respects: recall the scale and cross-border nature of the operation, which required military offensive action against resources also used for entirely legal purposes.

Taking a broader look, what cyber counter-terrorism activities look like will not be anything new for someone who deals with cyber or military operations. We are dealing here with typical APT operations, such as gaining access to an environment and exfiltrating data or modifying the environment, dressed in a regulatory framework similar to that for kinetic actions. Finally, we should remember that because terrorism is both a crime and a phenomenon that requires military action, the status of a given action will not always be unambiguous. Glowing Symphony is a very good example here: on the one hand, we had operations conducted in conditions where the alternative could have been a "police" action, i.e. obtaining a search warrant and seizing the server that was also used by terrorists; on the other hand, the military operation allowed for more long-term effects covering the entire organization.
