New Cyber Tricks Make ISIS Sophisticated

Terror attacks in Europe have killed more than 200 people in the past 20 months, reflecting the new operational discipline and technical savvy by the Islamic State terrorists who carried them out.

Weeks before Islamic State militant Abdelhamid Abaaoud led the Nov. 13 terror attacks in Paris, French authorities thought he was holed up in northern Syria. Western intelligence agencies pursuing Abaaoud had tracked him there using cell-phone location data and other electronic footprints. The Paris attacks, which killed 130 people, showed how badly they were fooled. Abaaoud had slipped past the dragnet and entered the city unnoticed.

Drawing from a growing bag of tricks, Islamic State accomplices located in Syria likely used phones and WhatsApp accounts belonging to Abaaoud and other attackers to mask the group’s travel to Europe, said a Western security official: “We relied too much on technology. And we lost track.”

Terror attacks in Europe, which have killed more than 200 people in the past 20 months, reflect new operational discipline and technical savvy by the Islamic State terrorists who carried them out, security officials said. The extremist group’s communications, once commonly conducted on phones and social media accounts easily tracked by authorities, have evolved into a mix of encrypted chat-app messages over WhatsApp and Telegram, face-to-face meetings, written notes, stretches of silence and misdirection.

These techniques helped protect attackers from Western intelligence agencies by leaving few electronic clues in a sea of intercepted data.

In recent months, Europe has been convulsed by a string of simple yet lethal attacks. Some were committed by people who appear to have received little direct training from Islamic State. The suspects in a failed plot in France recently were “remotely controlled” from Syria by the group, prosecutors have said. Officials worry such attacks could be a way to distract intelligence services while militants prepare more complex plots.

The Paris attackers communicated sparingly (electronic silences sometimes lasted weeks) as they crossed the continent in September and October en route to their deadly rendezvous in Paris, security officials said. When they did communicate, they at times called or sent text messages on disposable cellphones they used once and tossed.

“Try to make it so that even if the idolatrous dogs intercept and decrypt your messages…the only information they will be able to find is your username and password,” advised Islamic State’s French-language magazine Dar Al Islam this spring.

Tips posted by Islamic State-related propaganda outlets describe high- and low-tech methods to avoid detection: Switch mobile phones frequently; sign up for online accounts using temporary phone numbers; hopscotch frequently between chat apps, making any intercepted conversations difficult to follow.

“Buy cheap burner phones; use and throw,” Islamic State sympathizers wrote in one chat-app message. “This will help you not to get tracked.”

The extremist group has also apparently learned to keep secrets off the grid and to limit who knows what, techniques long used by al Qaeda, which favors messengers and handwritten notes.

“They’re using anonymity as much as they use encryption, because encryption can attract the attention of intelligence services,” said Jean-Charles Brisard, president of the Center for the Analysis of Terrorism, a Paris-based think tank. “It’s a huge challenge.”

Patrick Calvar, head of France’s main domestic intelligence agency, told French parliament investigators in May that Islamic State had become a hierarchical, militarized organization, drawing expertise from experienced jihadists and veterans of Iraqi security forces.

“We’re dealing with people who are well versed in clandestine operations, and who understand our capabilities,” Mr. Calvar said. “We’re up against real professionals.”

Lessons Learned

Islamic State is a militant group of the Internet age, its followers steeped in Facebook, smartphones and text messaging. These tools, which helped spread the terror group’s message around the world, also helped authorities foil plots, capture suspects and win convictions in the group’s early years.

Karim Mohamed-Aggad, a brother of one of the Paris attackers, sent text messages extolling jihad and martyrdom in late 2013 before heading to Syria with friends from Strasbourg, France, according to a court document. Radouane Taher, a companion, talked in one message about joining a jihadist team. Then he added that French intelligence services “are reading this. You have a message for them?”

The two men were arrested on their return to France in spring 2014. Mr. Mohamed-Aggad was sentenced in July to nine years in prison, and Mr. Taher to eight years, both for terrorist association. A lawyer for Mr. Mohamed-Aggad said she was appealing the verdict. A lawyer for Mr. Taher didn’t respond to a request for comment.

Islamic State tightened security following airstrikes by the US-led coalition on its territories in Syria and Iraq. The terror group in October 2014 banned the use of GPS to avoid detection by Western allies, according to documents seized by US Special Forces and viewed by the Journal.

Western recruits have since returned from Syria better trained, security officials said.

“At the point at which they’re leaving Belgium, France, the UK, these guys are amateurs. By the time they are turned around and come back again, they are a different breed of terrorist,” said Rob Wainwright, the director of Europol, which coordinates law-enforcement agencies in the European Union.

Abaaoud had a close call before the Paris attacks that may have taught him a lesson about the vulnerability of electronic communications.

He coordinated a group, including fighters from Islamic State territory, to attack Belgium in late 2014, Belgian judges said in May during a trial of accused participants.

Members of the group used disposable phones and communicated, in part, through at least one shared WhatsApp account and Telegram. But they may not have been careful enough. Belgian police tapped their phone lines.

The phone taps started with a Belgian man they had suspected of returning from Syria. From there, phone taps and physical surveillance led authorities to accomplices and a house in Verviers, Belgium, used by the alleged plotters.

Authorities found weapons, bomb-making chemicals and police uniforms at the house during a January 2015 raid. Two suspected terrorists were killed in a gunfight with police.

Western intelligence services used Abaaoud’s communications with the suspected plotters to locate him in Athens. By the time Greek police cordoned off the streets surrounding Abaaoud’s hideout, he was gone.

Hunting Abaaoud

Western intelligence agencies continued to pursue Abaaoud electronically, intercepting data sent by phones linked with him, French officials said.

The trail led to Syria. Security officials suspect Abaaoud and accomplices there were making final plans for the Paris attacks early last summer, selecting targets and choosing attack teams. Around that time, intelligence agencies recorded calls between Abaaoud in Syria and his family in Morocco.

In mid-August, Western intelligence agents got an inkling that Abaaoud aimed to strike France. They arrested Reda Hame, an Islamic State operative and French national, who had returned to France from Syria. Officials say Mr. Hame told them that Abaaoud had ordered him to launch an attack. He also revealed that Abaaoud planned to strike a rock concert, according to a French parliament report.

Using cellular networks, Wi-Fi hot spots and satellites, intelligence agencies, including from the US, stepped up efforts to find Abaaoud and his accomplices. Cellphones pinged their locations. The data through mid-October showed Abaaoud moving among the Syrian cities of Raqqa, Manbij and Deir ez-Zor.

Officials aren’t certain exactly when or how Abaaoud and the others landed in Europe. Evidence assembled after the attacks suggests that Abaaoud and other attackers were on the continent at least by late September.

Once in Europe, the Paris attackers kept their conversations to a minimum. The three men assigned to attack the Bataclan concert hall with machine guns had no contact for weeks with the three accomplices assigned to set off bombs at the Stade de France arena.

“By the time these guys re-entered Europe, the plan was good to go, such that the communications necessary to decide on the plan and get it ready could be kept to a minimum,” said Mr. Wainwright of Europol.

When they did communicate, the terrorists used both encrypted message apps and disposable phones. Some phones were used for a single conversation, Bernard Bajolet, head of France’s foreign-intelligence agency, told French parliamentary investigators in May.

The scale of the Paris attack came as a shock. Three teams of men armed with rifles and suicide belts arrived in rental cars on Friday, Nov. 13. One group sprayed gunfire at outdoor restaurant terraces. Another tried to enter the soccer stadium where the French president was watching the national team. At the concert hall, three terrorists killed 89 people.

Three days later, French officials realized Abaaoud wasn’t in Syria, but had directed the Paris carnage in person.

On Nov. 18, five days after the killings, a combination of tips, phone taps and cellphone-location data led French officials to an apartment north of Paris, where Abaaoud and two accomplices were killed in an hours-long firefight.

The raid left other affiliated terrorists in Belgium, including alleged Paris attacker Salah Abdeslam, who had returned to Brussels, without a leader, officials said. Some of the men used encrypted communications in an apparent effort to reach allies in Syria for instructions, including Ibrahim el-Bakraoui, one of two brothers who died in the suicide-bomb attacks in Brussels.

Four months later, on March 22, Mr. el-Bakraoui and two others set off bombs in the Brussels airport; an accomplice blew himself up on a crowded train. Altogether, 32 people were killed.

The men left behind a laptop and other digital tools for authorities to mine for information, officials said, evidence their security precautions had grown lax.

In April, investigators stumbled across another communications tool, the encrypted audio message.

Italian prosecutors said Islamic State officials in the Middle East had in April sent audio messages over WhatsApp to Abderrahim Moutaharrik, a Moroccan-born Italian.

The messages ordered attacks in Italy and were found by chance: Mr. Moutaharrik played them aloud in his car and they were captured by a recording device planted by authorities, according to a court document and prosecutors.

“Light up the fire on the flowing crowd, pour grenades on the crusader’s head,” said one message, part of an Arabic-language poem. “Don’t have mercy until he’s broken.”

WSJ
 

 
