In the previous post we dealt with how terrorist groups use social media to support their activity; this time we will look at how intelligence and military services can use the Internet to carry out counter-terrorist activities. As I pointed out earlier, terrorism is pursued and fought with the full power of the state apparatus, including military operations normally reserved for situations of armed conflict. It should not be surprising, therefore, that just as cyber operations are conducted against hostile states, they will also be applied to terrorist organisations. Moreover, in many situations a cyber operation will be the more appropriate tool. Because the target of the operation can be defined very precisely and there are no direct kinetic effects, the risk of collateral damage is much lower than with conventional measures. On the other hand, of course not every objective can be achieved this way. If we are talking about destroying a training camp or a weapons depot, or simply eliminating a group's leaders, there is no alternative to drones, precision munitions and soldiers. So let us see what counter-terrorist cyber operations have taken place so far (at least those we can read about publicly), what their goals were and how they were conducted.
As with all other cyber operations conducted by government entities, we will be dealing with CNA (computer network attack) and CNE (computer network exploitation) activity. And although it may seem that, given the purpose of such actions, destructive attacks would be far more common, intelligence operations prevail here just as they do in strictly military activity, sometimes with an attack component, which we will come to in a moment.
One of the loudest cases of disclosure of cyber activity directed at a terrorist organisation, in this case ISIL and Al-Qaeda, is Kaspersky's report on the Slingshot group. What at first looked like yet another very advanced APT operation tracked by security researchers turned out to be an American operation against ISIL. The publication of the analysis was therefore rather unfortunate and hampered counter-terrorist action, but it gave insight into how services conduct operations of this kind. In fact, what Kaspersky analysts saw is not very different from the less noble operations of the APT groups:

So we see routers used as a way of spreading the infection: a DLL file was replaced with one supplied by the attackers, allowing them to download further tools. Exploiting a vulnerability, the attackers loaded their own signed drivers, which allowed them to run processes with system privileges and eventually load two tool packages: 'Cahnadr', operating at the kernel level, and 'GollumApp', operating at the user level. Together they enabled a wide range of data-collection activity: taking screenshots, capturing keystrokes, obtaining clipboard contents or collecting information about connected USB devices. As we can see, a very useful package if our goal is to collect intelligence on user behaviour. Kaspersky analysts also identified the geographical scope of the activity: it covered countries of the Middle East and Africa, with a particularly high number of infections in Kenya and Yemen. The researchers also stated that English speakers were most likely responsible for the operation; as we can see, they characterised the origin and purpose of the intrusions quite accurately. The operation was definitely not a one-off action, because traces indicated that activity began as early as 2012 and was continuing at the time the report was published, i.e. in 2018.
However, the technical analysis took on a second dimension in the context of information obtained by CyberScoop, according to which the Slingshot APT was in fact an operation conducted by the American JSOC (Joint Special Operations Command), and its aim was to infect computers used by ISIL and Al-Qaeda militants. Very often these were computers in Internet cafés in developing countries, which terrorists regularly used to receive and send messages.
This whole situation has provided quite a lot of information on what cyber counter-terrorism looks like. First of all, it was the first revealed case of a cyber intelligence operation conducted by SOCOM (Special Operations Command, of which JSOC is part). SOCOM and Special Forces soldiers were of course very often involved in kinetic operations, including the most famous one, in which Osama bin Laden was killed, but little was known about their cyber components. Slingshot confirmed that very advanced, direct CNE accompanies classical operations and supports intelligence collection. Secondly, this example showed how vulnerable cyber operations are to detection once tools have to be delivered to equipment controlled by the target of the operation. The same circumstances that allow Western threat intelligence teams to detect Chinese or Russian intelligence operations here allowed a counter-terrorist activity to be burned. The term is not accidental: as CyberScoop journalists confirmed, the standard procedure after detection is to abandon the existing infrastructure and build a new foothold. Did Kaspersky know what it was publishing? Given the experience of the team and the presence of artifacts associated with earlier activity of American groups, such as the tool 'Gollum' or the tactic of attacking MikroTik routers, it can be assumed that the analysts knew at least in outline what kind of activity they were dealing with. In this context, the question arises whether publishing the report was reasonable. The fact that the operation was revealed at all shows the difference between kinetic and cyber activity: let us try to imagine how absurd it would be if a private security company described in detail how special forces were preparing to attack a training camp. Returning to our example, and citing the CyberScoop publication once more, opinions among government representatives were divided.
Some said that it is normal for Kaspersky to analyse and block activity aimed at its customers. Others, however, pointed to the serious consequences of disclosing the operation, including the life-threatening consequences of being cut off from a source of information.
In the case of Slingshot we have faced a typical CNE aimed at collecting information. Now let us look at an operation designed not only to gain access to terrorist computers, but also to actively disrupt their activity. We are talking about Operation Glowing Symphony, launched in 2016 by the combined forces of the NSA and Cyber Command organised in Joint Task Force-Ares.

Ares' task was to examine the habits of ISIL militants in using computers and the Internet, and to implement actions to disrupt the organisation. The actual offensive counter-terrorist actions were preceded by a long reconnaissance, during which operators analysed, among other things, how ISIL distributed its propaganda material. This analysis led to the conclusion that the terrorists used only ten servers and accounts that formed the backbone of the organisation's distribution infrastructure, so hitting them would be a major blow to ISIL's Internet arm. According to General Edward Cardon, who served as Ares' first commander, the group used the classic method of gaining access: phishing e-mails sent to militants. Persistence in the network was then ensured by creating additional administrator accounts and dropping implants on the combatants' machines, and work began that would eventually make it possible to achieve the operation's objectives: retrieving passwords to further accounts, downloading encrypted folders and cracking their passwords, in short, conducting reconnaissance inside the network. Here, too, the first legal and political problem arose: not all the servers the operators accessed were physical devices located in Syria and Iraq. Like the rest of the world, the militants also enjoyed the benefits of cloud services, and there, on servers de facto shared with a lot of perfectly legal activity, part of the operation was conducted. Ares therefore had to convince the decision-makers that it was able to carry out attacks in a way that limited the effects to the resources controlled by the terrorists. As a demonstration of this capability, operators performed small operations on servers that also held sensitive data such as medical documentation.
With this preparation, Glowing Symphony began full-scale activity: collecting files from the militants' machines and cutting off their access to accounts. The operation, however, assumed two phases. After the first strike, which limited the possibility of using the Internet for conducting operations, Ares moved on to something less conventional in counter-terrorism. Operators began to simulate ordinary IT and network problems with the aim of frustrating the terrorists and reducing the efficiency of their daily work to zero: lowering data transfer speeds, triggering random denials of access to accounts and resources, or making finished propaganda material land on the wrong servers. This method had one fundamental advantage: by simulating problems whose apparent source was not the American military but the hopeless Internet and computers on which nobody can work normally, the terrorists' anger was directed inside the organisation. For example, the mentioned change of the destination of a propaganda video caused a conflict between the supervisor and the rest of the team, as the commander was convinced that his subordinates had not followed his orders.
U.S. law, under the Freedom of Information Act, gives wide access to documents and materials authored by any organisation operating within the government administration, although documents obtained this way are often heavily redacted:

It is in the case of Glowing Symphony that we can learn quite a lot about the results of the operation and its assessment by the command. Although the graphics on the above slide have been completely redacted, from the accompanying materials we can learn that every objective set was given the green light meaning success, except for one rated yellow. That objective was therefore achieved with limitations.

Unfortunately, when it comes to the details of what was and was not achieved, they are redacted. However, we can see that the operation effectively limited ISIL's capacity to disseminate propaganda material and use the Internet to spread its ideology:


Regardless, conclusions on how counter-terrorist operations affect the ability to operate on the Internet can indirectly be drawn from the research of Audrey Alexander of George Washington University's Program on Extremism. Watching ISIL on Twitter, we can see a marked decline in activity.

According to information obtained by NPR journalists, Glowing Symphony was a great success in terms of counter-terrorist effects: after six months the ISIL media arm had been strangled and the organisation had considerable difficulty restoring the capability, because of the difficulty of obtaining servers and registering infrastructure. ISIL had a lot of cash, but few ways of spending it effectively via electronic transfers, which is necessary to order equipment from abroad or simply to register domains, buy cloud resources and so on.
However, the disclosed documents describe not only the external effects of the operation, but also the problems and recommendations for the future regarding the organisation of the operators' work and the formal aspects of the action. The report drew attention to the need to harmonise the procedures for obtaining consent for the activities of the organisations involved. The current arrangements for interagency cooperation are not adapted to the pace, scale and scope of cyber activity. Unfortunately, we will not learn what exactly cannot be done without a change of policy.

Note also the following passage:

Again, the most important passages were redacted, but the key to interpretation is the Tripartite Memorandum of Agreement. This is the "Trilateral Memorandum of Agreement (MOA) among the Department of Defense and the Department of Justice and the Intelligence Community Regarding Computer Network Attack and Computer Network Exploitation Activities", a document that provides the basis for the interaction of military, intelligence and cyber operations. The proposal to create a "governance" as part of this document and to write certain provisions into the regulation of operations may therefore show that the formal requirements are being adapted to combined military and intelligence operations on such a scale. Let us remember that Glowing Symphony was in many respects groundbreaking, given its scale and cross-border nature, requiring military offensive operations on resources also used for perfectly legitimate purposes.
If we take a little perspective, what cyber counter-terrorism looks like will be nothing new to anyone who deals with cyber or military operations. We are dealing only with typical APT operations, such as gaining access to an environment and exfiltrating data or modifying the environment, dressed in a regulatory framework similar to that of kinetic activity. Finally, let us remember that, given the status of terrorism as a criminal offence, but also as a phenomenon whose suppression requires military action, it will not always be clear how to classify an action. Glowing Symphony is a very good example here: on the one hand, operations were conducted under conditions where the alternative could have been a "police" action, obtaining a search warrant and securing the server that was also used by terrorists; on the other hand, the military operation made it possible to produce longer-term effects covering the entire organisation.