Darknet Diaries Episode 50 - Operation Glowing Symphony

Episode page

Podcast Summary

• The US response to Islamic State involved both physical and cyber-attacks
• While the physical attacks have been well documented, the cyber-attacks have been shrouded in much more secrecy
• This episode highlights one particular cyber-attack against Islamic State: Operation Glowing Symphony
• Wider Context
  • Islamic State comes to prominence in 2014, when it takes over the city of Mosul, in Iraq
  • Declares a caliphate
  • Inspires terrorist attacks all over the world, most notably the attack on the Bataclan theater in Paris, in 2015
  • Islamic State's capturing of physical territory, as well as its battlefield defeat of the Iraqi Army in Mosul led to increasing calls within the Obama administration for US involvement
• Background about the interviewee
  • Actual name and position not stated - only known as "the commander"
  • Started out as a Force Recon Marine - served for 5 years
  • Deployed to Afghanistan
  • Aged out of Force Recon - increasing age meant that his body was no longer able to keep up with the physical demands of special forces
  • Looked to cyberwarfare as a way to stay in the fight
  • Switched to Marine Forces Cyber Command
  • Went to school for cybersecurity
• Marine Forces Cyber Command
  • More offensive mindset than other cyber-security forces, as befitting its position in the Marine Corps
  • Engages in "full spectrum cyber operations"
• In the Fall of 2014, the commander had just finished his training and was assigned to a joint NSA/Cyber Command team focused on monitoring Islamic State propaganda
  • Magazines
  • Social media
  • Videos
• To produce this propaganda, Islamic State needed a fairly sophisticated computer network to share and distribute battlefield photos and videos
• Lots of people working on propaganda
• Islamic State's propaganda operation was judged to be a large enough target to warrant its own team
• The commander takes over this team at the end of 2014
• Maps out the network
  • Both the computer network and the human network
  • People, places and things
• Initial goal: gather data
  • 2014-2016 summer
  • Build out a picture of Islamic State's media workflow
  • Generate a target list of both cyber resources and the people responsible for running them
• As Islamic State's attacks step up in 2015, their propaganda efforts step up too
  • Videos of kidnappings and beheadings
  • Request from senior leadership to disrupt Islamic State's propaganda efforts
• At this point, the commander starts thinking about the best way to disrupt Islamic State's media teams
  • Start with small tactical steps - take control of individual, peripheral websites
  • Move up to attacking part of Islamic State's network in one country
  • As these initial attacks demonstrate success, the commander starts thinking about going global
• Decision to go global prompted by Paris attacks
  • Prior to Paris attacks, the commander's team was largely operating in a support capacity
  • Gathering data to give battlefield commanders a better picture of Islamic State's activities
  • After November 2015, there was more of an appetite for offensive cyber-attacks
• The commander's team finds out that Islamic State's network is centralized around a few key nodes, such as domain controllers
• Network is a "house of cards" that can be brought down by removing those key nodes
• Commander presents a plan to take down Islamic State's network to senior leadership, who agree that the plan is likely to be effective
• This leads to the creation of a new task force to engage in an offensive cyber-attack against Islamic State
  • Of course they have to create a new task force
  • This is the government: why reuse what you have when you can build a new one at twice the cost?
  • Joint Task Force Ares
  • Specialists focused on offensive cyber operations against Islamic State propaganda
• This is big change in mission for the commander
  • Prior to November 2015, the primary mission was to passively gather data
  • Computers were hacked in order to gather data, but no information was altered or deleted
  • After November 2015, the commander was given permission to weaponize his hacks
  • Permission granted to disrupt, degrade and destroy targets
• An aside: why "Glowing Symphony"
  • All units in the operation against Islamic State were assigned a two-letter code, and their operation names had to start with this code
  • Cyber units were all given the 'GL' code
  • Commander's specific unit was given the prefix word "Glowing", by senior leadership, much to the disappointment of the commander and his team, who wanted something more martial (like "Gladiator")
  • "Symphony" comes from the phrase "symphony of destruction", which is the Marine Corps term for the effect of hitting a target with many different weapons at the same time
  • The idea was that by hitting Islamic State's network in many places simultaneously, the team would be engaging in the cyber equivalent of a symphony of destruction
  • The commander was disappointed in the name, but I actually like it
• Operation Glowing Symphony was formally authorized by President Obama with Task Order 16-0063
• Objective: take down Islamic State's online propaganda operations
• First, the commander needs to recruit for his team
  • Recruit from NSA, Cyber Command and various other military branches
  • Hand-picked crew
  • Team broken up into 4-5 sub-teams, with 4 people per sub-team
    • Intel-analyst
      • In charge of understanding the people that they're going up against
      • Who is in charge of these networks and how do they think?
    • Operator
      • The actual "hacker"
      • Expert on various exploits, cracking tools, and knowing which tools to deploy against which systems in order to gain access quickly and do the most damage
    • Sig-dev analyst
      • Signals intelligence analyst
      • Understands the overall structure of the network
      • Tells the operator where to go next, down to highlighting individual directories
      • Rough equivalent of a navigator on a military patrol
    • Team leader
      • Responsible for reporting progress to the commander
      • Responsible for making sure the team does not stray beyond its rules of engagement or onto networks that they are not authorized to access
• Of course, like all big initiatives, Operation Glowing Symphony is subject to interagency conflict
  • Turf war between the military, the NSA and the FBI
  • This was the first major operation for Cyber Command
  • People in the NSA were doubting Cyber Command's ability to pull off such an ambitious operation
  • The interagency conflict was more urgent because of the time-sensitivity of the operation - the commander's team had amassed a bunch of exploits to use to gain access to Islamic State's network and those exploits were subject to being discovered and patched
• Finally the commander's team gains approval to execute Glowing Symphony
  • Had to present a series of mission briefs
  • Present the full operation plan for approval
  • Reassure leadership that Cyber Command could do this
  • Was told that failure would reflect very badly on himself and also on Cyber Command as a whole
• While all this was going on the hacker collective Anonymous started targeting Islamic State
  • Reporting social media accounts
  • Also compromising and taking down some of the infrastructure that the commander's team was planning to use as entry points into Islamic State's network
  • Commander's team had to reach out to Anonymous via back-channels and tell them to back off
• The overall objective of Glowing Symphony was to wreak as much havoc on Islamic State's network as possible, as fast as possible
  • Speed prevents the targets from learning how they've been hacked and implementing security protocols to prevent future hacks
  • Targets
    • Domains
    • Web servers
    • CDN accounts
    • Social media accounts
    • Telegram groups
    • E-mail accounts
    • Accounts at service providers, such as AWS
• One of the things that made Islamic State vulnerable was their insistence on choosing the cheapest providers, rather than the most security-conscious ones
• Islamic State's relatively lax security around email made them easy to hack
• The commander's team was then able to pivot from email access to accessing the rest of the network
• Then they established persistence
  • Rootkits
  • Remote access tools
  • Goal: preserve access to the network even if initial entry points are sealed
• While they were establishing persistence, they were also mapping out Islamic State's network and figuring out what tools to use against which resources
• Each of the 4-5 subteams got a list of 10-15 targets to attack
• Entire operation was to be conducted simultaneously
  • All attacks were scripted
  • A dummy replica of Islamic State's network was set up to practice attacks against
  • Much prep work was done on nights and weekends since that would limit the risk of detection
  • Team was given a 10 minute window in order to take down the most important resources, such as domain controllers
• Finally, after receiving its final go-ahead, JTF Ares assembled in an operations room to execute its plan
  • Launch scripted attacks against Islamic State's key nodes
  • Started deleting VMs, locking out accounts, etc.
• As they were doing this, they encountered a roadblock
  • One of the services they were accessing prompted them with a security question
  • Intelligence analyst tells the operator that the person who set up this account always uses "1515" as the answer to security questions
  • Operator tries "1515" and sure enough it works
    • lmao
  • Highlights the importance of having intelligence about the people who are setting up these networks in addition to the networks themselves
• While they were taking down Islamic State's systems, JTF Ares encountered several financial accounts
  • Did not have authorization to seize funds - that authority only belongs to the FBI
  • However, they did have authorization to lock Islamic State out of their accounts, rendering funds inaccessible
  • Deleted private keys to cryptocurrency wallets
• Team was successful in accomplishing its primary objectives in the first 10 minutes
• Took down a number of secondary targets over the next few hours
• Was the operation a success?
  • By its own objectives the operation was a resounding success
  • However, Islamic State was able to rebuild its infrastructure and was able to resume propaganda activities to a certain extent
  • The commander argues that the operation was an overall success because of the massive cost Islamic State incurred in having to rebuild its online presence
  • Only 40% of Islamic State websites came back online after the initial strike
  • A series of follow-on attacks over the next few months reduced that further, taking down 90% of Islamic State websites
  • Reduced the ability of Islamic State to generate propaganda in multiple languages
  • Damaged Islamic State's brand in the jihadi community, as they were no longer as prominent online, and their propaganda no longer had clear battlefield connections that it did in the past
• This is the first time the US government has public acknowledged and offensive cyber-attack
• How did Darknet Diaries get this interview?
  • Journalists at Vice's Motherboard blog submitted a Freedom of Information Act request for information about this operation
  • Jack Rhysider ran into the commander at DefCon
  • At the time, the commander had just given an interview to NPR where he'd revealed some information about Glowing Symphony
  • Jack asked the commander if he wanted to do a longer interview, and the commander received authorization to do so

My Thoughts

• If you look past the boosterism you see some real limits to the US' cyber capabilities
• US bureaucracy has trouble making go/no-go decisions at the speed required to effectively exploit opponents' information systems
• US military forcibly fits cyber operations into the same framework that uses to plan and organize physical military campaigns
  • Refers to cyber operations as "going out on patrol"
  • Fire-team like organization for cyber operations
  • Only certain people are allowed to directly interact with the target system
    • Granted, this is probably the result of a focus on maintaining operational security -- fewer people interacting with a target system means fewer opportunities for slip-ups that let the target know that their systems are breached
• Likes spectacular "big-bang" attacks
  • Did Islamic State really have to be taken down in 10 minutes?
  • If Islamic State had had a hardened network that could not have been brought down as quickly, would the US Cyber Command still have acted?
• The US looks good here, because Islamic State was so incompetent
  • Massive reuse of passwords, security questions, etc
  • Easily cracked e-mail accounts
  • Using cheapest providers rather than ones providing e.g. 2FA for their accounts
• Despite the breathlessness of the coverage, it's not like this was an especially complicated or sophisticated hack
  • Doubt any 0-days were used
  • Lots of social engineering & relying on targets' incompetence
  • Far from looking like a bunch of super-elite hackers, US Cyber Command here looks like a mid-grade cybersecurity/pen-testing firm
  • If you wrote up this hack without mentioning either the hackers or the targets, it would probably be rejected as a DefCon talk
• Don't trust the cloud if state actors are in your threat model - this should be an obvious lesson, but people still seem to fail to heed it
• I wonder what the coverage would be like if the Chinese or Russians executed a similar hack against, for example, the DNC

• HomePage
• WikiSandbox

PmWiki

• Initial Setup Tasks
• Basic Editing
• Documentation Index
• PmWiki FAQ
• PmWikiPhilosophy
• Release Notes
• ChangeLog

pmwiki.org

• Cookbook (addons)
• Skins (themes)
• PITS (issue tracking)
• Mailing Lists

edit SideBar