ISIS Remote Control Agent OPSEC

Same mediocre understanding of security — good.

An article from Rukmini recently published reveals how ISIS is reduced to using purely remote agents to create the illusion of transnational reach. There are some interesting details on adaptions in ISIS OPSEC, which I’ll address below, but first lets talk remote control agents.

Directing from afar

As many people have been saying for a while now (myself included), although ISIS is capable of recruiting, they can not train or deploy terrorist operatives. This is a sure sign of their weakening international capabilities and a clear indication that the counterterrorism efforts directed at them are having an effect. (Particularly sealing the Turkish border.)

Begging for bombers

The solution that ISIS has adopted is to recruit potential terrorists in-place and try to arrange loon wolf attacks using untrained amateurs. This has worked out about as well as one would expect – decidedly mixed results. Untrained unarmed amateur terrorists who don’t follow directions particularly well do not an effective and deadly transnational terrorist group make.

Strategic Shitshow

From a strategic point of view, having only ad hoc remote control agents is a disaster. The ability to foster public support is reliant on the precise strategic application of violence, however remote control agents are one of the least precise mechanism of violence available.

  • They do not provide the ISIS central command with a capability to target specific strategic objectives,
  • They’re essentially random events that happen under the ISIS brand. When these are inept and embarrassing (as has frequently been the case), it makes the terrorist group appear inept.
  • They are amateurs without training; left to cobble together the tools of the trade by watching YouTube videos. Consequently, they’re unlikely to be effective.
  • They are only weakly controlled, since their ability to defect and disobey orders is essentially free of repercussions. No violence will befall them, and no social pressure exists (the life of a loon wolf terrorist is a lonely one.)

Security Disaster

From a security point of view, remote control agents are a disaster. As they slowly progress from civilian to terrorist, their journey is easily spotted and tracked by security forces. But it gets worse…

Security for an illicit group is partially a factor of how much communication traffic it generates. The less traffic there is to monitor, the more secure the group. A remote control agent requires a huge amount of traffic, from recruitment to “training” to badgering and cajoling them into taking action. These chatterbox jihadis are an operational security nightmare. So, lets look closer at how ISIS has implemented their operational security for handling remote control agents.

Easy To Find Entry Node

The first point to make is that the aspiring recruit must have some way of locating and contacting ISIS so they can join. That means ISIS is forced, of necessity, to have an extremely visible public presence and means of access. Indeed, at least two are mentioned in the article — Telegram and Twitter:

One of the Islamic State’s most influential recruiters and virtual plotters was known by the nom de guerre Abu Issa al-Amriki, and his Twitter profile instructed newcomers to contact him via the encrypted messaging app Telegram. …
[Mr Yazdani] logged into Twitter and searched the hashtags #ISIS and #Khilafa, the terrorist group’s preferred spelling of caliphate. In a few keystrokes, he made contact with Amriki. …
“I created a Telegram ID,” Mr. Yazdani told investigators, “and sought his guidance to reach Syria.” — Source

Once the recruit makes contact, they are funnelled to the appropriate handlers. In the case of Mr Yazdani, the initial attempts to bring him to Syria failed and he was transfered over to a new handler (a fluent Hindi speaker) who convinced him to create a cell to carry out local operations inside India.

From Grunt to Guerrilla Guidance

After he was transferred from the “foot soldier recruitment pipeline” to a terrorist cell middle manager, an effort was made to improve his security posture. This is after he’s already been on heavily monitored ISIS Telegram channels.

Telegram requires a verified phone number. Even if he took precautions to use a phone number not linked to him (or anyone/anything associated with him) his participation in public ISIS channels would’ve tainted him. The IP address of his phone would be linked and any counterterrorism organization (especially the Indian state) would have the capability to identify him. Certainly with the assistance of the USA factored in it is pretty safe to assume that he’s on a watch list from this point onwards.

Tools First, Threats Later

The security procedures of the ISIS Hindi external operations handler were based on sound principles lifted from the privacy manuals of years gone by.

As soon as Mr. Yazdani indicated he was willing to undertake an attack, the handler instructed him to download ChatSecure, a messaging app to be used when they spoke by phone. When he used his laptop, he was told to contact the handler via Pidgin, another encrypted tool. He was told to create an account with Tutanota, a secure email service. And the handler taught Mr. Yazdani how to use the Tails operating system, which is contained on a USB stick and allows a user to boot up a computer from the external device and use it without leaving a trace on the hard drive.

Essentially they established the minimum operational security necessary to safely make a purchase from a darknet market. A couple of XMPP+OTR clients, a proprietary (but free!) encrypted email account and TAILS. The security provided by TAILS not leaving forensic artefacts on the laptop (data at rest) is somewhat irrelevant as the principle vulnerability is the chat traffic (data in motion.) ISIS bros and their misguided digital security procedures, love it.

Lets break that down.

Security: Enhance!
Real time chat protocol. They chose XMPP+OTR which is interoperable between a range of desktop and mobile clients. Possibly because this allowed the Hindi speaking handler to use a single identity while maintaining contact with the mobile operative. Or possible they rotated through accounts frequently.

There are some strong security properties that XMPP+OTR can offer an illicit group, but it is unclear that these were the deciding factors. From my prior research into ISIS security manuals, there is a deferential fetishisation of old digital privacy manuals. The ISIS bros don’t seem to understand:

  • why tradeoffs where made,
  • what they were, or even
  • that tradeoffs were made.

On a related note, it is highly amusing to see ISIS manuals that lift suggestions from online drug buyer security guides — buying an ounce of weed in the mail and operating a terrorist cell are totally different threat models! One can’t simply assume the procedures are interchangeable, or that just using the same tools will provide sufficient security.

Remote Control Terrorist Handler Skills

There are a number of key objectives that ISIS has when handling a remote control agent.

  • They need to get a commitment document, both so that they can provide proof of legitimate claim to an attack and as a mild sort of blackmail hopefully providing some degree of control against defection.
  • They need to keep the volunteer engaged and feeling like part of the “ISIS team”, so that requires some elements of providing a community (which is why they risk real time chat).
  • They can’t let him start to drift away, he has to remain committed to The Cause and The Struggle. After all this is some random guy off Twitter that they’re trying to convince to become a murderer, they have to provide emotional support services (lots of “O Lion! The kuffar shall tremble before you and your righteousness!”)

To accomplish those goals the handlers have a limited number of options. Primarily they must maintain a communications channel that allows a sufficiently high level of chatter that they can become a part of the operative’s life. Unfortunately for security, a high level of commo traffic is a very bad thing. The tools available for secure communications are not really designed to protect terrorists against nation state intelligence agencies that have them under the microscope.

Tools and Protocols

Real time chat: XMPP + OTR
Asynchronous comms: Tutanota
Secure Operating System: TAILS
File Sharing Site: www.gulf-up.com

The tools and protocols used by ISIS handlers are not formalised. Operatives have been handled using:

  • mobile phone messaging apps — Threema, WhatsApp, Telegram, Wickr
  • email — PGP, Tutanota
  • more innovative procedures such as TrueCrypt dead drops,

The ISIS handler suggested ChatSecure, presumably for Android (since iPhone is haram), which has been deprecated and is now end of life. However, it has some strong points in its favour from the ISIS opsec rules: 1) it has been highly recommended in some digital privacy manuals, 2) it runs on Android, 3) it is free. There are better alternatives (which I won’t mention here for security reasons).

Remote Control Requires Massive Comms Traffic

It is important that the handler form a bond with the operative and this, to some degree, requires the use of real time synchronous communication, but this exposes the operation to risk. A real time synchronous comms protocol allows easy correlation and is an poor choice for a terrorist cell given the obvious operational security problems. The only reason to make this trade off is that building a tight bond between agent and handler is more important than security.

Bear in mind that a critical role for the ISIS handler is not just issuing commands, but maintaining a relationship with the recruit. Real time chat is best suited for this sort of relationship building, where the handler has to ensure that the agent remains committed to the task. This is not a KGB Illegal who is willing to spend decades in isolation, it’s some random guy off Twitter that they’re trying to convince to become a suicidal murderer.

Fast and Furious

To counteract the problem of a high level of visible traffic between operatives and their handlers, the handlers now encourage their agents to strike rapidly. The pre operational phase is when a terrorist is most vulnerable to interdiction, so striking rapidly is the most secure approach for these random ad hoc terrorists. Their best security is relative anonymity and a fast operational cycle.

Support more work like this.