Offensive cyber operations used against ISIS
HERBERT LIN and AMY ZEGART, 2018, Bytes, Bombs, and Spies (p. 1). Brookings Institution Press. Kindle Edition. Herbert Lin is Senior Researcher for cybersecurity policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University. His research interests relate broadly to the policy dimensions of cybersecurity and cyberspace, with particular focus on the use of offensive operations in cyberspace as instruments of national policy. He is also Chief Scientist, Emeritus, for the Computer Science and Telecommunications Board, National Research Council of the National Academies, where he served from 1990 through 2014 as study director of major projects on public policy and information technology, and Adjunct Senior Research Scholar and Senior Fellow in Cybersecurity (nonresident) at the Saltzman Institute for War and Peace Studies of the School for International and Public Affairs at Columbia University. Amy Zegart is the Davies Family Senior Fellow at the Hoover Institution, a Senior Fellow at the Center for International Security and Cooperation, and Professor of Political Science, by courtesy, at Stanford University. She is also a contributing editor to The Atlantic. Her research examines U.S. intelligence challenges, cybersecurity, drone warfare, and American foreign policy. Her publications include Spying Blind: The CIA, the FBI, and the Origins of 9/11 (Princeton University Press, 2007) and, with Condoleezza Rice, Political Risk: How Businesses and Organizations Can Anticipate Global Insecurity (Twelve, 2018). Before coming to Stanford in 2011 she was Professor of Public Policy at UCLA’s Luskin School of Public Affairs and spent several years as a McKinsey & Company management consultant.
The DoD has publicly acknowledged using cyber weapons in its fight against the Islamic State of Iraq and Syria (ISIS). For example, in February 2016 Secretary of Defense Carter said that U.S. Cyber Command is conducting offensive cyber operations to cause ISIS to “lose confidence in their networks, to overload their networks so that they can’t function, and do all of these things that will interrupt their ability to command and control forces.” Bytes, Bombs, and Spies (p. 2). Brookings Institution Press. Kindle Edition.
ISIS depends on stable computer systems to recruit and carry out attacks. We need to disrupt and degrade these systems
Work, 2019, September 17, JD Work is an intelligence professional and educator, currently serving as the Bren Chair for Cyber Conflict & Security at the Marine Corps University, Krulak Center. He additionally holds affiliations with Columbia University’s School of International and Public Affairs, Saltzman Institute of War and Peace Studies as well as George Washington University, Elliott School of International Affairs. He further serves as a senior advisor to the US Cyberspace Solarium Commission, The American way of cyber warfare and the case of ISIS, https://www.atlanticcouncil.org/blogs/new-atlanticist/the-american-way-of-cyber-warfare-and-the-case-of-isis/
There is no mistaking: this is combat between organizations. The Islamic State of Iraq and al-Sham (ISIS) is a product of utterly modern global communications networks welded to an ideologically twisted variant of a medieval governance model. The systematic nature of the group’s activities in cyberspace comes through clearly in the Operation Glowing Symphony (OGS) declassified concept of operations (CONOPS) and associated briefings. These are functions essential to ISIS’s survival as an organization—internal communications, foreign fighter recruitment, fanatic lone wolves, and the promotion of its global brand for fundraising and material support. The documents make notable reference to the underexplored role of ISIS cadres in acquiring and administering the group’s technology infrastructure, as well as brief mention of the group’s aspirational cyber espionage and attack capabilities. These ISIS members would naturally be a target for operations intended to disrupt and degrade key terrorist activities.
Cyber attacks disrupt ISIS
Dina Temple-Raston, September 26, 2019, https://www.npr.org/2019/09/26/763545811/how-the-u-s-hacked-isis, How The U.S. Hacked ISIS
In August 2015, the NSA and U.S. Cyber Command, the military’s main cyber arm, were at a crossroads about how to respond to a new terrorist group that had burst on the scene with unrivaled ferocity and violence. The one thing on which everyone seemed to agree is that ISIS had found a way to do something other terrorist organizations had not: It had turned the Web into a weapon. ISIS routinely used encrypted apps, social media and splashy online magazines and videos to spread its message, find recruits and launch attacks. A response to ISIS required a new kind of warfare, and so the NSA and U.S. Cyber Command created a secret task force, a special mission, and an operation that would become one of the largest and longest offensive cyber operations in U.S. military history. Few details about Joint Task Force ARES and Operation Glowing Symphony have been made public.
“It was a house of cards”
Steve Donald, a captain in the Naval Reserve, specializes in something called cryptologic and cyber operations, and when he is not in uniform, he is launching cybersecurity startups outside Washington, D.C. He’s pale, bespectacled and has the slightly shy demeanor of a computer geek. In the spring of 2016 he received a phone call from the leader of his reserve unit. He needed Donald to come in. “I said, well, I’m not in uniform [and he said] it doesn’t matter — if you have a badge come on in,” Donald said. “I can’t believe I can actually say this but they were building a task force to conduct offensive cyber operations against ISIS.” Donald had to find a team of specialists to do something that had never been done before — hack into a terrorist organization’s media operation and bring it down. Most of the forces flowed in from Joint Forces Headquarters, an Army cyber operation in Georgia. Donald also brought in experts in counterterrorism who understood ISIS and had watched it evolve from a ragtag team of Iraqi Islamists to something bigger.
There were operators — the people who would be at the keyboards finding key servers in ISIS’s network and disabling them — and digital forensics specialists who had a deep understanding of computer operating systems. “They can say this is good, this is bad, this is where the files are located that we’re interested in,” he said. He found analysts, malware experts, behavioralists and people who had spent years studying the smallest habits of key ISIS players. The mission, he explained to them, was to support the defeat of ISIS — to deny, degrade and disrupt them in cyberspace. This was more complicated than it sounded. The battle against the group had been episodic to that point. U.S. Cyber Command had been mounting computer network attacks against the group, but almost as soon as a server would go down, communications hubs would reappear. The ISIS target was always moving and the group had good operational security. Just physically taking down the ISIS servers wasn’t going to be enough. There needed to be a psychological component to any operation against the group as well. “This cyber environment involves people,” Neil said. “It involves their habits. The way that they operate; the way that they name their accounts. When they come in during the day, when they leave, what types of apps they have on their phone. Do they click everything that comes into their inbox? Or are they very tight and restrictive in what they use? All those pieces are what we look at, not just the code.” Neil is a Marine reservist in his 30s, and it wouldn’t be an exaggeration to say that Operation Glowing Symphony was his idea. “We were down in the basement at the NSA, and we had an epiphany,” he said. He had been tracking ISIS’s propaganda arm for months — painstakingly tracing uploaded videos and magazines back to their source, looking for patterns to reveal how they were distributed or who was uploading them.
Then he noticed something that he hadn’t seen before: ISIS was using just 10 core accounts and servers to manage the distribution of its content across the world.
[Image caption: The mission — led by a special unit working with U.S. Cyber Command and the NSA — was to get inside the ISIS network and disrupt the terrorist organization’s media operation. Josh Kramer for NPR]
“Every account, every IP, every domain, every financial account, every email account … everything,” Neil said. The group’s network administrators weren’t as careful as they should have been. They took a shortcut and kept going back to the same accounts to manage the whole ISIS media network. They bought things online through those nodes; they uploaded ISIS media; they made financial transactions. They even had file sharing through them. “If we could take those over,” Neil said, grinning, “we were going to win everything.” The young Marine ran into his leadership’s office at the NSA, grabbed a marker and started drawing crazy circles and lines on a whiteboard. “I was pointing everywhere and saying, ‘It’s all connected; these are the key points. Let’s go,’ ” he recalled. “I felt like I was in It’s Always Sunny in Philadelphia, when he’s doing the mystery investigation for Pepe Silvia. Pictures on the wall and red yarn everywhere and nobody was understanding me.” But as Neil kept explaining and drawing he could see the leaders begin to nod. “I drew this bicycle tire with spokes and all the things that were tied to this one node and then there was another one,” he said. “It was a house of cards.” We confirmed this account with three people who were there at the time. And from those scrawls, the mission known as Operation Glowing Symphony began to take shape. The goal was to build a team and an operation that would deny, degrade and disrupt ISIS’s media operation.
The cyber equivalent of a surgical strike
The spring and summer of 2016 were spent preparing for attack.
And while members of Task Force ARES didn’t reveal everything they did to crack into ISIS’s network, one thing they used early on was a hacking standby: a phishing email. ISIS members “clicked on something or they did something that then allowed us to gain control and then start to move,” said Gen. Edward Cardon, the first commander of Task Force ARES. Almost every hack starts with hacking a human, cracking a password or finding some low-level unpatched vulnerability in software. “The first thing you do when you get in there is you’ve got to get some persistence and spread out,” Cardon said, adding that the ideal thing is to get an administrator’s account. “You can operate freely inside the network because you look like a normal IT person.” (ISIS didn’t just have IT people; it had an entire IT department.) Once ARES operators were inside the ISIS network, they began opening back doors and dropping malware on servers while looking for folders that contained things that might be helpful later, like encryption keys or folders with passwords. The deeper ARES got inside ISIS’s network, the more it looked like the theory about the 10 nodes was correct. But there was a problem. Those nodes weren’t in Syria and Iraq. They were everywhere — on servers around the world, sitting right next to civilian content. And that complicated things. “On every server there might be things from other commercial entities,” said Air Force Gen. Tim Haugh, the first deputy commander of JTF ARES working under Cardon. “We were only going to touch that little sliver of the adversary space and not perturb anyone else.” If ISIS had stored something in the cloud or on a server sitting in, say, France, ARES had to show Defense Department officials and members of Congress that U.S. cyber operators had the skill to do the cyber equivalent of a surgical strike: attack the ISIS material on a server without taking down the civilian material sitting right next to it. 
They spent months launching small missions that showed they could attack ISIS content on a server that also contained something vital like hospital records. Being able to do that meant they could target ISIS material outside Syria and Iraq. “And I looked at this young Marine and said, ‘How big can we go?’ and he said, ‘Sir, we can do global.’ I said, ‘That’s it — write it down, we’re going to take it to Gen. Cardon.’ ” That Marine was Neil. He began peppering the leadership with ideas. He talked to them about not just hacking one person … or ISIS in Syria and Iraq, but how to take down the media operation’s entire global network. “That’s how these attacks work,” Neil said. “They start very simple and they become more complex.” There was something else about Task Force ARES that was different: Young operators like Neil were briefing generals directly. “A lot of [ideas] come up that way, like somebody says, ‘Well, we could gain access and do this to the files.’ Really? You can do that? ‘Oh yeah.’ Would anyone notice? ‘Well, maybe, but the chances are low.’ It’s like, hmmm, that’s interesting, put that on the list.” Cardon said young operators on Joint Task Force ARES understood hacking in a visceral way and, in many respects, understood what was possible in cyberspace better than commanding officers did, so having a direct line to the people making the decisions was key.
“An incredible rush”
By the fall of 2016 there was a team, Joint Task Force ARES; there was a plan called Operation Glowing Symphony, and there were briefings — that had gone right up to the president. It was only then that there was finally a go. This account of the first night of Operation Glowing Symphony is based on interviews with half a dozen people directly involved. After months of looking at static webpages and picking their way through ISIS’s networks, the task force started logging in as the enemy. They deleted files. Changed passwords. “Click there,” a digital forensic expert would say. “We’re in,” the operator would respond. There were some unintentionally comical moments.
Six minutes in there was very little happening, Neil recalls. “The Internet was a little slow,” he said without irony. “And then you know minute seven, eight, nine, 10, it started to flow in, and my heart started beating again.” They began moving through the ISIS networks they had mapped for months. Participants describe it like watching a raid team clearing a house, except it was all online. Logging into accounts they had followed. Using passwords they discovered. Then, just as their move through targets started to accelerate, a roadblock: a security question. A standard, “what was your high school mascot”-type security question. The question: “What is the name of your pet?” The room quieted down. “And we’re stuck dead in our tracks,” Neil said. “We all look to each other and we’re like, what can we do? There’s no way we’re going to get in. This is going to stop the 20 or 30 targets after this.” Then an analyst stood up in the back of the room. “Sir, 1-2-5-7,” he said. “We’re like, what?” Neil says. “Sir, 1-2-5-7.” “How do you know that? [And he said] ‘I’ve been looking at this guy for a year. He does it for everything.’ And we’re like, all right … your favorite pet. 1-2-5-7. “And boom, we’re in.” After that, the momentum started to build. One team would take screenshots to gather intelligence for later; another would lock ISIS videographers out of their own accounts. “Reset Successful” one screen would say. “Folder directory deleted,” said another. The screens they were seeing on the Ops floor on the NSA campus were the same ones someone in Syria might have been looking at in real time, until someone in Syria hit refresh. Once he did that, he would see: 404 error: Destination unreadable. “Target 5 is done,” someone would yell. Someone else would walk across the room and cross the number off the big target sheet on the wall. “We’re crossing names off the list. We’re crossing accounts off the list. We’re crossing IPs off the list,” said Neil. 
And every time a number went down they would yell one word: “Jackpot!” “We’d draw the line out and I had stacks of paper coming up on the corner of my desk,” Neil said. “I knew in about the first 15 minutes that we were on pace to accomplish exactly what we need to accomplish.” Once they had taken control of the 10 nodes, and had locked key people out of their accounts, ARES operators just kept chewing their way through the target list. “We spent the next five or six hours just shooting fish in a barrel,” Neil said. “We’d been waiting a long time to do that and we had seen a lot of bad things happen and we were happy to see them go away.” And there was something else that Neil said was hard to describe. “When you reach through the computer and on the other side is a terrorist organization, and you’re that close, and you’re touching something that’s theirs, that they possess, that they put a lot of time and effort into to hurt you, that is an incredible rush,” he said. “You have the control to take that away.”
Enough to drive you nuts
Brig. Gen. Jennifer Buckner was one of the people who took the reins of Task Force ARES after Glowing Symphony had started. And after that first night, the mission shifted into a second phase, one aimed at keeping pressure on ISIS with essentially five lines of effort: Keep the media operation under pressure, make it difficult for ISIS to operate on the Web more generally, use cyber to help forces on the ground fighting ISIS, hobble its ability to raise money, and work with other agencies in the U.S. and allies abroad.
[Image caption: The second phase of Operation Glowing Symphony focused on sowing confusion within ISIS. Joint Task Force ARES operators worked to make the attack look like frustrating, daily-life IT problems: dead batteries, slow downloads, forgotten passwords. Josh Kramer for NPR]
Once the distribution hubs were hamstrung, the second phase of the mission was more creative.
Joint Task Force ARES operators started making all those things that drive you crazy about today’s technology — slow downloads, dropped connections, access denied, program glitches — and made it start happening to ISIS fighters. “Some of these are not sophisticated effects, but they don’t need to be,” Buckner said. “The idea that yesterday I could get into my Instagram account and today I can’t is confusing.” And potentially enraging. When you can’t get into an email account, what do you do? You think: Maybe I mistyped the login or password. So you put it in again and it still doesn’t work. Then you type it in more deliberately. And every time you type it, press enter, and are denied, you get a little more frustrated. If you’re at work, you call the IT department, you explain the issue and then they ask you if you’re sure you typed your login and password in correctly. It is enough to drive you nuts. It might never occur to you, or to ISIS, that this might be part of a cyberattack. That’s what the follow-on phases of Operation Glowing Symphony were about. Psy-ops with a high-tech twist. A member of ISIS would stay up all night editing a film and ask a fellow ISIS member to upload it. Operators with JTF ARES would make it so it didn’t quite land at its destination. The ISIS member who stayed up all night starts asking the other ISIS member why he didn’t do what he’d asked. He gets angry. And so on. “We had to understand, how did all of that work?” Buckner said. “And so, what is the best way to cause confusion online?” The ideas that flowed up from operators like Neil were endless. Let’s drain their cellphone batteries; or insert photographs into videos that weren’t supposed to be there. Task Force ARES would watch, react and adjust its plans. It would change passwords, or buy domain names, delete content, all in a way that made it (mostly) look like it was just run-of-the-mill IT problems.
“Pinwheels of death; the network’s working really slow,” Cardon couldn’t help smiling as he went through the list. “People get frustrated.” According to three people who were privy to after-action reports, ISIS’s media operation was a shadow of its former self six months after Neil said “Fire” to start Operation Glowing Symphony. Most of the media operations servers were down and the group had not been able to reconstitute them. There were lots of reasons for that, not the least of which is that getting a new server in the middle of a war zone deep inside Syria isn’t easy to do. ISIS had plenty of cash but few credit cards, bank accounts or reputable emails that would allow it to order new servers from outside the country. Buying new domain names, which are used to identify IP addresses, is also complicated. ISIS’s popular online magazine, Dabiq, started missing deadlines and eventually folded. The group’s foreign-language websites — in everything from Bengali to Urdu — also never came back up. The mobile app for Amaq Agency, the group’s official news service, vanished. “Within the first 60 minutes of go, I knew we were having success,” Gen. Paul Nakasone, director of the NSA, told NPR in an interview. “We would see the targets start to come down. It’s hard to describe but you can just sense it from being in the atmosphere, that the operators, they know they’re doing really well. They’re not saying that, but you’re there and you know it.” Nakasone was there because he was the head of Joint Task Force ARES when Operation Glowing Symphony actually launched. Nakasone said that before ARES the fight against ISIS in cyberspace was episodic. JTF ARES ensures it is continuous. “We were going to make sure that anytime ISIS was going to raise money or communicate with their followers, we were going to be there.” Some critics have said that the mere fact that ISIS is still on the Web means Operation Glowing Symphony didn’t work. Nakasone, naturally, sees it differently. He says ISIS has had to change the way it operates. It isn’t as strong in cyberspace as it was. It is still there, yes, but not in the same way. “We were seeing an adversary that was able to leverage cyber to raise a tremendous amount of money to proselytize,” he said. “We were seeing a series of videos and posts and media products that were high-end.
We haven’t seen that recently. … As ISIS shows their head or shows that ability to act, we’re going to be right there.” Three years after Neil said “Fire,” ARES is still in ISIS networks. Gen. Matthew Glavy is now the commander of Joint Task Force ARES. He says his operators still have a thumb on ISIS’s media operations; the group is still having a lot of trouble operating freely on the Web. But it is hard to be sure why that is. While ARES has been hacking into ISIS in cyberspace, forces on the ground have driven the group out of most of Syria and Iraq. ISIS itself has spread out. It now has fighters in Libya and Mali and even the Philippines. Glavy says his operators are still there. “We cannot have for them to gain the momentum that we saw in the past,” he told me. “We have to learn that lesson.”
Cyber warfare enabled successful military attacks against ISIS
Ryan Duffy, May 28, 2018, https://www.cyberscoop.com/u-s-official-reveals-military-combined-cyber-kinetic-operations-hunt-isis/, The U.S. military combined cyber and kinetic operations to hunt down ISIS last year, general says
The military used cyber-operations alongside more conventional weaponry in an important battle against ISIS last year, a senior U.S. official revealed recently. U.S. Cyber Command, the country’s leading cyberwarfare force, was involved in secretly launching a series of cyberattacks against the terrorist group in 2017 that knocked out its computer systems in Iraq, said Gen. Stephen Townsend, the former commander of the Army’s anti-ISIS coalition. The tactic caused ISIS personnel to leave their heavy command posts, exposing them to attack with kinetic weapons such as missile strikes, Townsend said. The general discussed the covert operation in detail for the first time last week. His comments were first reported by Military.com. It’s unclear how often the U.S. military or its allies use such a combination of tactics against enemy forces, and it’s rare for top officials to even discuss such operations. The general — who commanded Combined Joint Task Force-Operation Inherent Resolve in 2017 — told an audience of Hawaii conference-goers via teleconference that the coalition cyberattacks leveled against ISIS were part of “a multi-domain operation [that] unfolded in air, land, sea, cyberspace and space.” As United States-led forces rebuffed ISIS advances, overtook its territorial holdings and prepared to mount a final offensive, they determined that the Euphrates River Valley was where the terrorist group would make a last stand. Coalition forces combed through a wide swath of land, from Al Qa’im, Iraq to Raqqa, Syria, for ISIS outposts. Though they located the primary command, they couldn’t find other subcommand posts in the area. “We knew [they existed], but we didn’t know where they were,” Townsend said. 
Instead of hitting the primary command post with a missile or special forces raid and risk not finding the other hidden outposts, the task force enlisted “capabilities from space and cyber to deny the enemy’s primary command post, forcing him to move and unveil his alternate command posts,” said Townsend. As ISIS militants scattered to peripheral posts, they unmasked the locations. From there, the task force moved in and struck.
‘Evolutionary not revolutionary’
Since the operation dovetailed into a larger campaign that included intelligence gathering, special forces, overhead surveillance and boots on the ground, it can be best described as an instance of “cyber in warfare” rather than outright cyberwarfare, said Rick Forno, assistant director of the Center for Cybersecurity at University of Maryland, Baltimore County. “Instead of blowing up [an outpost] with a bomb or missile, maybe we’re able to go in and disrupt the operations with a less lethal way of doing it. That’s not revolutionary, that’s evolutionary – using a new tool to achieve the same outcome,” Forno told CyberScoop. But in many ways, the ongoing cyber campaign against ISIS represents a first. U.S. leaders have publicly touted similar operations in the past, which is especially rare for these types of covert activities. “We are dropping cyber bombs,” Robert Work, then-deputy secretary of defense, told the New York Times in 2016. “We have never done that before.” And former President Barack Obama referenced the attacks in one public speech in 2016. “The role of cyber-capabilities in joint military operations is something that’s been talked about for a long time. The campaign against the Islamic State probably represents one of the more visible examples of those capabilities in action,” said Ben Buchanan, a postdoctoral fellow at Harvard’s Belfer Center. For some time, the DOD has sought to combine cyber-operations with its more conventional military capabilities, planning and strategy.
It has integrated cyber teams — both deployed and stateside — with regional commands over the last 12 months. “Historically, cyberspace operations have been stovepiped and executed independently. As the domain has matured, we have started integrating cyber-operations into all of our planning efforts,” Gen. Joseph Votel, commander of U.S. Central Command, which covers parts of the Middle East and Central Asia, said in September 2017. More broadly, the ISIS vignette also sheds light on the Pentagon’s push to ready its forces for so-called “multi-domain operations.” Operation Inherent Resolve offered planners the chance to test and showcase some of the nation’s offensive cyber-capabilities while preparing for future battles. Challenges remain, however, Townsend conceded: “The bottom line is it took us a couple of weeks to organize this pretty sophisticated but small, multi-domain operation that lasted less than a week, and it was against an enemy that could not really contest us in any of the domains.”