ISIS’ OPSEC Manual Reveals How It Handles Cybersecurity
In the wake of the Paris attacks, US government officials have been vocal in their condemnation of encryption, suggesting that US companies like Apple and Google have blood on their hands for refusing to give intelligence and law enforcement agencies backdoors to unlock customer phones and decrypt protected communications. But news reports of the Paris attacks have revealed that at least some of the time, the terrorists behind the attacks didn’t bother to use encryption while communicating, allowing authorities to intercept and read their messages.
Reports in France say that investigators were able to locate some of the suspects’ hideout this week using data from a cellphone apparently abandoned by one of the attackers in a trashcan outside the Bataclan concert hall where Friday’s attack occurred, according to Le Monde. Authorities tracked the phone’s movements prior to the attack, which led them to a safehouse in a Paris suburb where they engaged in an hours-long shootout with the other suspects early Wednesday. These would-be attackers, most of whom were killed in the apartment, had been planning to pull off a second round of attacks this week in Paris’s La Defense business district, according to authorities.
Other reports indicate that a previous ISIS terrorist plot targeting police in Belgium was disrupted in that country last January because Abdelhamid Abaaoud—suspected mastermind of both that plot and the Paris attacks—had failed to use encryption. He also carelessly left behind a cellphone in Syria, which contained unencrypted pictures and videos, including one now-infamous video showing him smiling from a truck as he dragged bodies of victims through a street.
All of this suggests that the attackers were guilty of major OPSEC failures—that is, if it weren’t for the fact that some of them still managed to pull off the Paris attacks without prior detection. This suggests they either did use encryption during earlier planning stages of their attacks, or that authorities were so overwhelmed tracking other suspects—French investigators claim they recently thwarted six other attacks—that they overlooked the suspects who pulled off the Paris attacks. This indeed might be the case since Turkish authorities have said they tried to warn French authorities twice about one of the suspects but never got a response.
Despite this, US authorities have flooded the media this week with stories about how ISIS’ use of encryption and other anti-surveillance technologies has thwarted their ability to track the terrorists. But authorities have also slyly hinted that some of the encryption technologies the terrorists use are not as secure as they think they are, or are not being configured and used in a truly secure manner. So what exactly are ISIS attackers doing for OPSEC?
It turns out ISIS has a 34-page guide to operational security (.pdf), which offers some clues. Aaron Brantly and other researchers with the Combating Terrorism Center at West Point’s military academy uncovered the manual and other related documents from ISIS forums and chat rooms. The originals are in Arabic, but the center provided WIRED with translated versions of a number of documents after passing them through Google Translate.
The guide is a handy compilation of advice on how to keep communications and location data private, as well as links to dozens of privacy and security applications and services, including the Tor browser, the Tails operating system; Cryptocat, Wickr, and Telegram encrypted chat tools; Hushmail and ProtonMail for email; and RedPhone and Signal for encrypted phone communications. Gmail, they note, is only considered secure if the account is opened using false credentials and is used with Tor or a virtual private network. Android and iOS platforms are only secure when communications are routed through Tor. “Instead of buying the [expensive] Blackphone, they’re trying to hack their own devices and route traffic through Tor,” Brantly says.
The manual instructs operatives to disable the GPS tagging feature on their mobile phones to avoid leaking location data when taking photos—a mistake that a Vice reporter made in 2012 when interviewing murder suspect John McAfee who was on the lam. Alternatively, operatives can use the Mappr app to falsify location data and throw intelligence agencies off their trail.
ISIS’ OPSEC manual also advises against using Instagram because its parent company, Facebook, has a poor track record on privacy, and it warns that mobile communications can be intercepted, even though GSM networks are encrypted. It advises followers to use encrypted phones like Cryptophone or BlackPhone instead.
Dropbox is held up for special condemnation—because Edward Snowden advised against using it, and because President Bush’s former Secretary of State Condoleezza Rice is on the company’s investors board.
There are no surprises among the documents. Most of the recommendations are the same that civil liberties and journalist groups around the world advise human rights workers, political activists, whistleblowers and reporters to use to secure their communications and obscure their identity or hide their location. The documents indicate that the jihadis have not only studied these other guides closely, but also keep pace with the news to understand the latest privacy and security vulnerabilities uncovered in apps and software that could change their status on the jihadi greatest-hits list.
“This is about as good at OPSEC as you can get without being formally trained by a government,” Brantly, a cyber fellow with the West Point center, told WIRED. “This is roughly [the same advice] I give to human rights activists and journalists to avoid state surveillance in other countries. If they do it right, then they can become pretty secure. [But] there’s a difference between telling somebody how to do it and then [them] doing it right.”
Intelligence agencies, of course, are hoping that ISIS jihadis don’t get it right.
The documents warn that followers should use strong passwords and avoid clicking on suspicious links, to prevent intelligence agencies and everyday hackers from breaching their systems. And there’s advice for communicating even when repressive regimes block Internet and mobile networks to thwart activists from organizing, such as during the Arab Spring. It coaches followers, for example, on how to set up their own private Wi-Fi network or use apps like FireChat to share photos and text short distances without needing internet access.
It advises followers to always use a VPN online to encrypt data and prevent ISPs and spy agencies from reading their communication. But it caution users to stay away from American providers of VPNs and encrypted chat tools and instead use ones like Telegram and Freedome, a VPN from the Finish computer security firm F-Secure. Apple’s iMessage, an end-to-end encryption service, also gets a thumbs-up for being impervious to both spying from government intelligence agencies and Apple itself.
Although US government officials have repeatedly cited WhatsApp as a tool ISIS uses to thwart surveillance, the manual actually puts the chat application on a “banned” list. Although WhatsApp offers end-to-end encryption, a German security firm found problems with its implementation earlier this year.
Another noticeable item missing from the list is the PlayStation 4. Although a Belgian official told media last week, prior to the Paris attacks, that ISIS operatives in Belgium had been using Sony’s videogame system to communicate, Brantly says he’s seen no sign of that in their research. “I’ve never seen PlayStation come up in any document,” he says.
He also says they’ve seen no sign yet that ISIS is using home-brewed encryption programs that its members created themselves. “Al Qaeda developed their own encryption platform for a while. But ISIS right now is largely using Telegram [for encrypted communication],” he says.
To help jihadis master their OPSEC, ISIS also reportedly provides a 24-hour help desk.
Brantly says the jihadis they encounter in ISIS forums and chatrooms vary greatly in their technical savviness. He also says there are signs of increased interest in hacking as an ISIS tactic. The so-called Cyber Caliphate, a hacking group that supports ISIS, claimed responsibility for hacking the US Central Command’s Twitter and YouTube accounts earlier this year. ISIS hackers have also taken credit for hacking a number of government ministries in Iran and stealing internal communications and login credentials, some of which they posted online.
“There’s a whole section on hacking [in the ISIS forums],” Brantley says. “They’re not super-talented hackers, but they’re reasonable.”