Notes On ISIS European Style

Less sophisticated than the nouveau riche

The security of ISIS communications is the subject of much speculation and debate. While there is a great deal the public does not know, from evidence that has emerged over the last few months it is possible to piece together some of their operational security methodology.

This post will examine what is known about the terrorist tradecraft practiced by ISIS operatives within Europe. The security protocols and procedures promoted and used by ISIS’ online supporters are outside the scope of this analysis.

Bottom Line Up Front

  • ISIS European operatives use large numbers of burner smartphones for their communications. This is either genius, or just plain lucky.
  • Operatives use their phones for very short durations before transitioning to fresh devices. This fast flux mobile phone usage has the effect of outpacing the detection and surveillance capacity of the local security forces.
  • The “AirBnB for safe houses” is AirBnB. ISIS operatives use modern tools to handle their logistics requirements.
  • ISIS is not afraid to outsource. They call on existing covert networks to purchase skills and resources when their own shallow network is deficient.

COMSEC Like It's 1999

ISIS uses smartphones. Lots of smartphones. Like, really, really, a lot of smartphones.

the police found several dozen boxes of unused cellphones still in their wrappers.

Burner phones are anonymous mobile phones that are used for a short time and then discarded. Made famous by HBO’s The Wire, burners are often talked about as if they were a standard part of high security tradecraft. They are not. Burners are a security solution to wiretaps and targeted monitoring, but they have problems of their own. Their anonymity can be easily breached, and their isolation marks them out (they exist in so-called “closed loops”).

Using burner phones was standard security for drug dealers circa 2003. In the ensuing years, there have been significant advances in criminal security practices. Suffice it to say that no successful criminals are relying on burner phones for security anymore. It is worth noting that none of these modern criminal security procedures have been discovered in connection with ISIS.

Phone Phase Shift

At each phase of the operation, the terrorist cell collectively transitions to a new set of phones and SIM cards. There is speculation that encrypted messengers, such as Telegram, are an integral part of ISIS tradecraft, but there is limited public evidence to support this. They definitely used their phones to make calls and to send SMS.

The reason that phase-shifting (everyone together), fast-flux (very quickly) burner networks worked against Belgian security forces is that the speed with which the cell moved to new devices outpaced the speed at which the security forces could detect and start monitoring those new devices.

The final operational usage of the devices, simple signaling (“we go”, “the end”) and the final frantic words of suicide bombers don’t need much security. By then it is too late for security forces to prevent the attack.

It's Encryption, Not Magic

Most striking is what was not found on the phones: Not a single email or online chat from the attackers has surfaced so far.

The mobiles were all “scoured of emails and messages”. It’s hard to understand what this means. Did the operatives perform a factory reset? Did they never send messages? How well were the devices inspected? It should be noted that it is not possible to forensically wipe an Android device. The data will still be there in the flash chips and can be recovered by standard forensic processes (called “chip-off”). Was chip-off forensics used to analyze the devices? If so, then finding no trace of messages means they were never there.

The terrorists did not enable encryption on their phones. They seem to have had little interest in taking advantage of the full security options available to them. This is a consistent theme with ISIS operatives — complete absence of encryption for data at rest.

At least one device is known to have had Telegram installed; however, it is not clear that it was used. Telegram provides a mechanism to automatically delete messages after a timeout. However, this may still leave forensic artifacts behind on the device (the messages are inserted into an SQLite database and then removed, which could leave data behind in slack space on the disk). Analysis of the device will, if nothing else, show that the Telegram program has been used for a period of time, which would be inconsistent with the lack of messages.
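To make the slack-space point concrete, here is an added example (mine, not from the post, and not Telegram’s real schema): a message row is inserted into a fresh SQLite file and deleted, and the raw file is then scanned for the text the way a chip-off examiner would look at bytes rather than rows. It assumes SQLite’s default rollback-journal mode and a constructed message string.

```python
import os
import sqlite3
import tempfile

# Constructed sample message for the demonstration (not a real artifact).
SAMPLE_MESSAGE = "meet at the usual place at nine"


def deleted_row_residue(secure_delete: bool) -> bool:
    """Insert a message row into a fresh SQLite file, delete it, then scan the
    raw file bytes. Returns True if the deleted text is still recoverable."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        conn = sqlite3.connect(path)
        # secure_delete=ON makes SQLite zero freed cell bytes; OFF (the usual
        # build default) leaves them sitting in the page's free space.
        conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
        conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
        # Rows on either side keep the target cell in the middle of the page,
        # so deleting it creates a freeblock instead of shrinking the content area.
        for body in ("earlier chatter", SAMPLE_MESSAGE, "later chatter"):
            conn.execute("INSERT INTO messages (body) VALUES (?)", (body,))
        conn.commit()
        conn.execute("DELETE FROM messages WHERE body = ?", (SAMPLE_MESSAGE,))
        conn.commit()
        # The logical view is clean: a query no longer returns the message.
        remaining = conn.execute(
            "SELECT count(*) FROM messages WHERE body = ?", (SAMPLE_MESSAGE,)
        ).fetchone()[0]
        conn.close()
        if remaining:
            raise RuntimeError("delete did not take effect")
        # Chip-off style view: look at the bytes on disk, not at the rows.
        with open(path, "rb") as fh:
            return SAMPLE_MESSAGE.encode() in fh.read()
    finally:
        os.remove(path)
```

With secure_delete off the deleted text is still in the file; with it on, SQLite overwrites the freed bytes and the scan comes back empty.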

The complete absence of evidence for encryption is either due to incomplete forensics analysis, or the absence of encryption. It is hard to tell without analyzing the forensic reports, but assuming competence on the part of the investigators, there seems to be no indication that ISIS used any encryption at all.

Just In Time Comms

The Paris attacks were coordinated by SMS and mobile phone calls. At least one Brussels attacker was sending mobile messages minutes before he detonated his bomb. The ISIS operatives were constantly activating and switching to new phones. They activated a phone just before use, sometimes only hours before:

Security camera footage showed Bilal Hadfi, the youngest of the assailants, as he paced outside the stadium, talking on a cellphone. The phone was activated less than an hour before he detonated his vest. From 8:41 p.m. until just before he died at 9:28 p.m., the phone was in constant touch with a phone inside the rental car being driven by Mr. Abaaoud. It also repeatedly called a cellphone in Belgium.

Sometimes a day before:

police found a white Samsung phone in a trash can outside the Bataclan.

It had a Belgian SIM card that had been in use only since the day before the attack. The phone had called just one other number — belonging to an unidentified user in Belgium.

After using a phone the ISIS operatives discarded it immediately.

Everywhere they went, the attackers left behind their throwaway phones,

Central Planning Committee

During the attacks there were two men based in Brussels coordinating the teams inside France. The three assault groups remained in contact with the Brussels team, providing them updates as the attack progressed.

New phones linked to the assailants at the stadium and the restaurant also showed calls to Belgium in the hours and minutes before the attacks, suggesting a rear base manned by a web of still unidentified accomplices.

Cell tower location data has been used to show that the “web of accomplices” was actually two men hanging around the same spot in Brussels. They are believed to have been part of the attack in Brussels.

There’s An App For That

The white Samsung phone was also used to conduct online research about the target of the attack. Terrorist use of the Internet to conduct pre-operational research, reconnaissance and surveillance is nothing new, of course. The Mumbai attacks were planned in part using Google Earth.

In Paris, an ISIS operative saved floor plans for the Bataclan concert hall and used them to prepare an ambush by laying in wait outside the emergency exits.

the phone’s photo album police found images of the concert hall’s layout, as well as Internet searches for “fnacspectacles.com,” a website that sells concert tickets; “bataclan.fr”; and the phrase “Eagles of Death at the Bataclan.” — NYT

It seems unlikely that this planning was delayed until the night before the attack. Very plausibly this was just some final pre-operational review.

Digital Dead Letter Box

At least one operative was sent to Europe with an elaborate security protocol based on exchanging an encrypted container with messages inside. The protocol is a sort of modern day dead letter box using a file sharing site as the letter box and a TrueCrypt volume as an envelope. I’ve explored this protocol in more depth in other posts.

The inherent inefficiencies of a dead-drop-based communications system would seem to preclude it from being the primary internal comms protocol within ISIS cells. Given their close physical proximity, their heavy reliance on phone calls, and their limited access to infrastructure (for example, living in a squat with no utilities), it seems more likely that they would use face-to-face meetings.

This might have been the comms protocol used to send the final dream sequence message of Khalid El Bakraoui back to ISIS Syria. The protocol is slow, but high bandwidth, and potentially very secure against monitoring. Alternatively, it may have gone over whatever program was used to make the audio call to Syria that was recovered from Ibrahim El Bakraoui’s laptop.

Logistics For The Modern Operative

The head of logistics for the Paris attack, Salah, made heavy use of everyday modern tools. He arranged safe houses for staging using AirBnB and booking.com. He rented cars with his credit card and registered SIM cards using his ID.

A significant number of ISIS operatives have connections with the criminal underworld. They’ve used these connections to purchase weapons and false identity documents. When the ISIS European network lacks internal capability, they are willing and able to locate and purchase specialist assistance. ISIS’ access to preexisting covert networks allows them to purchase skills and resources to compensate for their internal deficiencies.

Netflix and Plot

There is evidence that members of the ISIS network stayed in shared safe houses. There were a number of communal living quarters where some members lived, plus a bomb factory where several of them worked.

The Paris attackers had a number of shared accommodations in the months leading up to the attacks, including “an apartment in Brussels, another in Charleroi, a house in the town of Auvelais.” After the attacks, the remaining Brussels network stayed in communal safe houses, including a squat procured by Ibrahim El Bakraoui.

The Brussels attackers had at least two shared flats and the bomb making factory.

These guys were literally living together in the same apartments. They were shitting in the same bucket, making plans for targets they lacked the capability to actually strike. Blaming the lack of SIGINT collection on encryption is a bit strange given that these guys were just hanging out on their couch.

Duck and Weave

European ISIS terrorists use smartphones for communication. The security comes from frequently switching to new devices and SIM cards. This allows them to execute inside the OODA loop of the Belgian federal police who cannot immediately detect and monitor the new phones.

As long as cells remain temporally compartmented, that is, each member moves to a new phone at the same time, it can be very hard to monitor. Although the tight network of operatives’ phones will have the same metadata characteristics — they’ll travel to roughly the same places and interact with each other with roughly the same frequency — uncovering these emergent metadata signatures takes time. By fast forwarding to a new set of devices before the security forces can uncover the current active network, the operatives are able to stay ahead of security forces.

Within the pool of all mobile phone users, they will be temporarily secure. Maintaining that security requires very frequent device switches, and discipline to avoid contamination from the old network.
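As an added illustration of the emergent metadata signature described above (my example, not the author’s), the following Python scans call-detail records for small closed loops: numbers that only ever talk to each other, all first appeared within a short window of one another, and were seen at the same cell sites. The records, numbers, sites and times are constructed for the demonstration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed call-detail records: (timestamp, caller, callee, caller's cell site).
# Every number, site and time here is invented for the demonstration.
SAMPLE_CDR = [
    ("2016-03-01 08:02", "+3200000101", "+3200000102", "BRU-17"),
    ("2016-03-01 08:05", "+3200000102", "+3200000103", "BRU-17"),
    ("2016-03-01 08:40", "+3200000103", "+3200000101", "BRU-17"),
    ("2016-03-01 09:10", "+3200000101", "+3200000103", "BRU-22"),
    # Ordinary subscribers: numbers that have been live for weeks and whose
    # contacts reach outside their own circle.
    ("2016-02-10 12:00", "+3200000201", "+3200000202", "BRU-03"),
    ("2016-02-28 18:30", "+3200000202", "+3200000909", "BRU-05"),
    ("2016-03-01 08:15", "+3200000201", "+3200000555", "BRU-03"),
]

def closed_loop_clusters(records, window=timedelta(hours=24), min_size=3, max_size=25):
    """Flag small groups of numbers that only talk to each other (a closed loop)
    and that all first appeared within `window` of one another (a collective
    phone switch). Each hit also lists the cell sites the group shares."""
    first_seen, contacts, sites = {}, defaultdict(set), defaultdict(set)
    for ts, caller, callee, site in records:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        for number in (caller, callee):
            first_seen[number] = min(first_seen.get(number, t), t)
        contacts[caller].add(callee)
        contacts[callee].add(caller)
        sites[caller].add(site)
    flagged, visited = [], set()
    for start in contacts:
        if start in visited:
            continue
        # Walk the contact graph: a closed loop is a small connected component.
        component, stack = set(), [start]
        while stack:
            number = stack.pop()
            if number not in component:
                component.add(number)
                stack.extend(contacts[number] - component)
        visited |= component
        births = [first_seen[n] for n in component]
        if min_size <= len(component) <= max_size and max(births) - min(births) <= window:
            hits = Counter(s for n in component for s in sites[n])
            flagged.append({"numbers": sorted(component),
                            "shared_sites": sorted(s for s, c in hits.items() if c > 1)})
    return flagged
```

Contamination works against the operatives here: one call from a new phone to a number from the previous set merges the two components in the contact graph, which is exactly the link an analyst who already knows the old set would search for.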

This is drug dealer tradecraft writ large.

thaddeus t. grugq

Written by

Information Security Researcher :: keybase.io/grugq :: https://www.patreon.com/grugq
