Death by PowerPoint

Netanyahu gave a ppt presentation to Trump by TV. WTAF 2018?!?

May 1, 2018 · 9 min read

There was a clever influence op by Netanyahu aimed at the US president. It was based on carefully packaged misinformation and props. I’m not going to talk about it, since that aspect is being covered better by more informed people. I’m going to talk about the deception operation aimed at the Iranian intelligence service (VEVAK), which was a critical, but mostly underappreciated, component of the presentation. There’s a quick summary of what happened, but then let’s get to the deception op, because that is way more interesting.

For the record, it is worth pointing out that there are a lot of indicators that nothing in the presentation was new, secret, or unavailable via OSINT. However, let’s ignore the facts to talk about how intelligence agencies operate to do source protection in this sort of extreme exposure. My reasoning here is that, even if in this specific case there was no secret info, all of the following logic still applies in similar circumstances — presenting prepared secret information to an adversarial intelligence agency.

The great game state of play

The content of the presentation was developed using information collected from Iranian sources. This is gonna require some serious source protection. The Iranians want to know what those sources were/are so they can eliminate them (counterintelligence), and the Israelis want to protect those sources so they can continue to exploit them (intelligence), and therefore the presentation must include deception, and omissions, to protect those sources (counterintelligence).

What happened?

Some pretty wild stuff to send a message directly to Trump, and it seems to have worked (at least until actually informed people got involved.) The influence op was delivered over a channel likely to reach the target audience, using a format designed to appeal to their information consumption, and included a call to action. All necessary criteria for a successful PSYOPS operation. Basically, using TV to deliver a PowerPoint using lots of pictures, small words, and references to the Ego in Chief was textbook propaganda methodology — hats off to Netanyahu on that one. Of course, there is nothing new in the information here, it was just an influence op using misinformation to present factual evidence in the worst possible light. More on that in this thread:

The most amazing part of this story is that Netanyahu conducted an influence op aimed directly at Trump. The operation was delivered over TV (high chance Trump would receive it); the information was packaged in visual aids with few words (lower chance of Trump becoming bored); and it concluded with a call to action directly targeting Trump by name. This is all textbook PSYOPS criteria, and it is amazingly clever to attempt to influence US foreign policy in this manner. I wonder who else will try this approach next?

That’s all I have to say about this little propaganda piece. Nice job, textbook execution, and it seems to have worked (at least initially: the White House issued a statement discussing the info in the present tense, although they later changed it to accurately reflect the fact that the info was actually historical).

Just one more thing…

Aside from Trump (and his cohorts, base, etc.) there was another audience that mattered — the Iranians, particularly the Iranian counterintelligence apparatus. Whenever an intelligence agency (in this case, as a country, on TV) releases information — they are trading it for something of equal or greater value. The intent here appears to be a policy change from the US. How wise that is is an open question, as is the actual impact of the operation on the policy decision making process. Geopolitical speculation is not really my thing, but intelligence agency thinking is…

On to the fun stuff. Let’s speculate on the deception within the presentation!

The deception op inside the influence operation

Lot of all-nighters for these guys

The target of the deception operation is the VEVAK, the Iranian Ministry of Intelligence. They will need to conduct a counterintelligence investigation to determine the “how”:

  • What information Israel collected,
  • When they collected it,
  • What else may be compromised as a result of the penetration that enabled this collection.

Then they will remediate by attempting to:

  • Stop the collection, and
  • Determine whom to punish

Basically, an investigation into the root cause, plus a damage assessment and then remediation. There is a lot of work ahead of them and Israel will have done its best to mitigate the investigation. That means — increase the resources required to conduct it and reduce the confidence of the findings. Tradecraft in the field and a deception operation in the presentation would be key elements of this mitigation strategy.

The usual suspects

The investigation will attempt to determine how the information was collected. There are a few options on the table here:

  • HUMINT: one or more people involved in the Iranian nuclear program was (is) a recruited agent for the Mossad. This is probably true (even if not connected to this particular data); the Iranians will want to know who, exactly, and deal with that leak. Israel will not (intentionally) release information that could help identify their asset.
  • OSINT: a large amount of the information released was actually known to the public via the nuclear watchdog agency IAEA (International Atomic Energy Agency). Was there anything that could not be traced directly to open source data? The Iranians will filter out all of the open source intel and focus just on the non-public data.
  • SPECOPS: this is the cover story that the Israelis presented. They claimed that Mossad operatives conducted a stealth raid on a warehouse and stole the data. This is a pretty wild story, more on it below.
  • CYBER: a technical penetration into Iranian secure networks (much like Stuxnet) that was able to exfiltrate information. The target network would very likely be airgapped, making this quite a complex operation. The Iranians will want to know which network(s) are compromised, and how the penetration and exfiltration were accomplished.
  • Blended Op: a combination of the HUMINT and CYBER capabilities, where a human resource helps enable the cyber operation. The risk for Israel is that the HUMINT asset remains exposed even after the op is complete. If Iran discovers who was involved in the blended op, it would blow that asset as well as their support infrastructure. Quite an expensive price.

Before we discuss the plausible options, let’s briefly review the theory of deception.

A deception primer

Deception must have a target and it must have a goal. Beyond that it gets pretty vague (“I know it when I see it.”) One theory on deception holds that there are two types of deception, distinguished by their goals.

  • Type M (Mislead): the goal is to mislead the target and cause them to reach an incorrect conclusion.
  • Type A (Ambiguity): the goal is to increase the state of confusion, the amount of unknowns/potentials, for the target.

How these are deployed and exploited is context specific. As an example, the deceptions around D-Day were Type M deceptions intended to cause the Germans to believe the location of the invasion was Calais. Intelligence agencies usually like to create Type A deceptions because they reduce the confidence of an assessment by the opposition’s analysts. This is critical.

It was the Mossad, in the warehouse, with the crowbar

The cover story of how Israel collected the intelligence about Iran’s nuclear ambitions is that a team of Mossad operatives broke into a warehouse and stole the documents. If this were true, the Mossad would need significant intelligence:

  • Which warehouse?
  • Where in the warehouse?
  • The security arrangements.
  • How long are the documents there? Are they checked on? How frequently, how thoroughly and in what manner?
  • …and so on.

To contextualise this, remember that Iran is considered hostile territory for Israeli operatives (i.e. if captured they will be tortured and killed), so the reliability of the intelligence on the warehouse has to be extremely high. The risk assessment of the operation would be very high:

  • Diplomatic incident,
  • Death of multiple Mossad operatives
  • Compromise of all classified information they know, and
  • Collapse of all support infrastructure for the op — this would include a lot of assets and material…

Those risks must be weighed against the value of the data, which was predominantly available via OSINT sources.

It is hard for Israelis to operate in Iran at the best of times, and a failure here would blow a lot of very expensive support infrastructure necessary for continuing operations. If the theft was discovered post hoc (via say, Netanyahu going on TV and telling VEVAK that a theft had occurred), it could potentially blow all that support infrastructure anyway. The value of the data is pretty low, considering it is majority available via OSINT…so to me, it just doesn’t feel right.

SPECOPS? Yeah, nah.

My gut tells me that the decision to pursue a specops strategy would be discarded as too risky and expensive. However, while there is good reason not to pursue this operation, there are strong reasons to present this as a cover story:

  • Mossad prestige: presenting the Mossad as uber-ninja ghosts who can do anything plays an important deterrent role in Israeli national security. “Nothing is safe from the Mossad” is a good message to signal to your adversaries.
  • Ambiguity deception: raising the possibility of Mossad operatives physically collecting data from a location increases confusion for Iranian counterintelligence. The story must be verified, which consumes resources, and the evidence collected must be evaluated and assessed, which consumes resources (good for Israel, bad for Iran).

Israel cannot present a flimsy cover story here; they must have created a thorough backstop. Essentially, most of the intelligence required to actually conduct the break-in op would be necessary. Ideally they would perform as much of it as possible to create an evidence trail, including the clean up, leaving traces indicating the burglary was real. It is unlikely that Israel did this with the goal of a future deception operation, but it is good tradecraft to do it to protect their real source. Again, this is real source protection: providing a plausible cover for how information was obtained to direct the investigation away from the real source. This is a typical misleading (Type M) deception. Thus I would speculate:

  • There likely is a warehouse that contains this data,
  • There probably is some historical evidence of a break in, and
  • It is an entirely plausible story that will withstand investigation.

I just don’t think that they actually did it.

One possibility to consider is that the warehouse theft operation (pseudo operation?) was already known to VEVAK and so the Israelis are getting additional mileage out of a past deception operation. In which case the Iranians will still have to revisit their previous investigation to see if they overlooked something, and whether the story is plausible given the additional information now available. Even if they have already done one investigation, they will still have to do another. No matter what, this cover story will cost the VEVAK some resources.

If not ghosts, what then?

I would speculate that this was either a pure OSINT collection, with no secret information being revealed, or that any secret information was the result of CYBER collection. There are no safer ways to do collection than OSINT and CYBER, and Iran is an intelligence operational environment where safety is an important consideration. Mossad ghosts stealing documents from a warehouse just doesn’t fit with modern day espionage. Conducting a pseudo operation to ensure source protection and increase adversarial ambiguity about how the secrets were stolen makes some sense. Actually doing it does not.

Ambiguity deception masquerading as a misleading deception

The deception within the influence op was a misleading deception (convince VEVAK that there was a break-in, present Mossad as ghosts) but the real goal was an ambiguity deception (reduce the confidence in the source of the information by presenting multiple plausible options). This level of investment in resources, planning, and intelligence collection might seem excessive, but it’s how the game is played. A lot of planning and preparation for a throwaway story — Mossad operatives broke into a warehouse and stole the information.

thaddeus t. grugq

Written by

Information Security Researcher :: keybase.io/grugq :: https://www.patreon.com/grugq
