New Cyber Tricks Make ISIS Sophisticated

Terror attacks in Europe have killed more than 200 people in the past 20 months, reflecting the new operational discipline and technical savvy by the Islamic State terrorists who carried them out.

Weeks before Islamic State militant Abdelhamid Abaaoud led the Nov. 13 terror attacks in Paris, French authorities thought he was holed up in northern Syria. Western Intelligence agencies pursuing Abaaoud had tracked him there using cell-phone location data and other electronic footprints. The Paris attacks, which killed 130 people, showed how badly they were fooled. Abaaoud had slipped past the dragnet and entered the city unnoticed.

Drawing from a growing bag of tricks, Islamic State accomplices located in Syria likely used phones and WhatsApp accounts belonging to Abaaoud and other attackers to mask the group’s travel to Europe, said a Western security official: “We relied too much on technology. And we lost track.”

Terror attacks in Europe, which have killed more than 200 people in the past 20 months, reflect new operational discipline and technical savvy by the Islamic State terrorists who carried them out, security officials said. The extremist group’s communications, once commonly conducted on phones and social media accounts easily tracked by authorities, have evolved into a mix of encrypted chat-app messages over WhatsApp and Telegram, face-to-face meetings, written notes, stretches of silence and misdirection.

These techniques helped protect attackers from Western intelligence agencies by leaving few electronic clues in a sea of intercepted data.

In recent months, Europe has been convulsed by a string of simple yet lethal attacks. Some were committed by people who appear to have received little direct training from Islamic State. The suspects in a failed plot in France recently were “remotely controlled” from Syria by the group, prosecutors have said. Officials worry such attacks could be a way to distract intelligence services while militants prepare more complex plots.

The Paris attackers communicated sparingly, with electronic silences sometimes lasting weeks, as they crossed the continent in September and October en route to their deadly rendezvous in Paris, security officials said. When they did communicate, they at times called or sent text messages on disposable cellphones they used once and tossed.

“Try to make it so that even if the idolatrous dogs intercept and decrypt your messages…the only information they will be able to find is your username and password,” advised Islamic State’s French-language magazine Dar Al Islam this spring.

Tips posted by Islamic State-related propaganda outlets describe high- and low-tech methods to avoid detection: Switch mobile phones frequently; sign up for online accounts using temporary phone numbers; hopscotch frequently between chat apps, making any intercepted conversations difficult to follow.

“Buy cheap burner phones; use and throw,” Islamic State sympathizers wrote in one chat-app message. “This will help you not to get tracked.”

The extremist group has also apparently learned to keep secrets off the grid and to limit who knows what, techniques long used by al Qaeda, which favors messengers and handwritten notes.

“They’re using anonymity as much as they use encryption, because encryption can attract the attention of intelligence services,” said Jean-Charles Brisard, president of the Center for the Analysis of Terrorism, a Paris-based think tank. “It’s a huge challenge.”

Patrick Calvar, head of France’s main domestic intelligence agency, told French parliament investigators in May that Islamic State had become a hierarchical, militarized organization, drawing expertise from experienced jihadists and veterans of Iraqi security forces.

“We’re dealing with people who are well versed in clandestine operations, and who understand our capabilities,” Mr. Calvar said. “We’re up against real professionals.”

Lessons Learned

Islamic State is a militant group of the Internet age, its followers steeped in Facebook, smartphones and text messaging. These tools, which helped spread the terror group’s message around the world, also helped authorities foil plots, capture suspects and win convictions in the group’s early years.

Karim Mohamed-Aggad, a brother of one of the Paris attackers, sent text messages extolling jihad and martyrdom in late 2013 before heading to Syria with friends from Strasbourg, France, according to a court document. Radouane Taher, a companion, talked in one message about joining a jihadist team. Then he added that French intelligence services “are reading this. You have a message for them?”

The two men were arrested on their return to France in spring 2014. Mr. Mohamed-Aggad was sentenced in July to nine years in prison, and Mr. Taher to eight years, both for terrorist association. A lawyer for Mr. Mohamed-Aggad said she was appealing the verdict. A lawyer for Mr. Taher didn’t respond to a request for comment.

Islamic State tightened security following airstrikes by the US-led coalition on its territories in Syria and Iraq. The terror group in October 2014 banned the use of GPS to avoid detection by Western allies, according to documents seized by US Special Forces and viewed by the Journal.

Western recruits have since returned from Syria better trained, security officials said.

“At the point at which they’re leaving Belgium, France, the UK, these guys are amateurs. By the time they are turned around and come back again, they are a different breed of terrorist,” said Rob Wainwright, the director of Europol, which coordinates law-enforcement agencies in the European Union.

Abaaoud had a close call before the Paris attacks that may have taught him a lesson about the vulnerability of electronic communications.

He coordinated a group, including fighters from Islamic State territory, to attack Belgium in late 2014, Belgian judges said in May during a trial of accused participants.

Members of the group used disposable phones and communicated, in part, through at least one shared WhatsApp account and Telegram. But they may not have been careful enough. Belgian police tapped their phone lines.

The phone taps started with a Belgian man they had suspected of returning from Syria. From there, phone taps and physical surveillance led authorities to accomplices and a house in Verviers, Belgium, used by the alleged plotters.

Authorities found weapons, bomb-making chemicals and police uniforms at the house during a January 2015 raid. Two suspected terrorists were killed in a gunfight with police.

Western intelligence services used Abaaoud’s communications with the suspected plotters to locate him in Athens. By the time Greek police cordoned off the streets surrounding Abaaoud’s hideout, he was gone.

Hunting Abaaoud

Western intelligence agencies continued to pursue Abaaoud electronically, intercepting data sent by phones linked with him, French officials said.

The trail led to Syria. Security officials suspect Abaaoud and accomplices there were making final plans for the Paris attacks early last summer, selecting targets and choosing attack teams. Around that time, intelligence agencies recorded calls between Abaaoud in Syria and his family in Morocco.

In mid-August, Western intelligence agents got an inkling that Abaaoud aimed to strike France. They arrested Reda Hame, an Islamic State operative and French national, who had returned to France from Syria. Officials say Mr. Hame told them that Abaaoud had ordered him to launch an attack. He also revealed that Abaaoud planned to strike a rock concert, according to a French parliament report.

Using cellular networks, Wi-Fi hot spots and satellites, intelligence agencies, including from the US, stepped up efforts to find Abaaoud and his accomplices. Cellphones pinged their locations. The data through mid-October showed Abaaoud moving among the Syrian cities of Raqqa, Manbij and Deir ez-Zor.

Officials aren’t certain exactly when or how Abaaoud and the others landed in Europe. Evidence assembled after the attacks suggests that Abaaoud and other attackers were on the continent at least by late September.

Once in Europe, the Paris attackers kept their conversations to a minimum. The three men assigned to attack the Bataclan concert hall with machine guns had no contact for weeks with the three accomplices assigned to set off bombs at the Stade de France arena.

“By the time these guys re-entered Europe, the plan was good to go, such that the communications necessary to decide on the plan and get it ready could be kept to a minimum,” said Mr. Wainwright of Europol.

When they did communicate, the terrorists used both encrypted message apps and disposable phones. Some phones were used for a single conversation, Bernard Bajolet, head of France’s foreign-intelligence agency, told French parliamentary investigators in May.

The scale of the Paris attack came as a shock. Three teams of men armed with rifles and suicide belts arrived in rental cars on Friday, Nov. 13. One group sprayed gunfire at outdoor restaurant terraces. Another tried to enter the soccer stadium where the French president was watching the national team. At the concert hall, three terrorists killed 89 people.

Three days later, French officials realized Abaaoud wasn’t in Syria, but had directed the Paris carnage in person.

On Nov. 18, five days after the killings, a combination of tips, phone taps and cellphone-location data led French officials to an apartment north of Paris, where Abaaoud and two accomplices were killed in an hours-long firefight.

The raid left other affiliated terrorists in Belgium, including alleged Paris attacker Salah Abdeslam, who had returned to Brussels, without a leader, officials said. Some of the men used encrypted communications in an apparent effort to reach allies in Syria for instructions, including Ibrahim el-Bakraoui, one of two brothers who died in the suicide-bomb attacks in Brussels.

Four months later, on March 22, Mr. el-Bakraoui and two others set off bombs in the Brussels airport; an accomplice blew himself up on a crowded train. Altogether, 32 people were killed.

The men left behind a laptop and other digital tools for authorities to mine for information, officials said, evidence their security precautions had grown lax.

In April, investigators stumbled across another communications tool, the encrypted audio message.

Italian prosecutors said Islamic State officials in the Middle East had in April sent audio messages over WhatsApp to Abderrahim Moutaharrik, a Moroccan-born Italian.

The messages ordered attacks in Italy and were found by chance: Mr. Moutaharrik played them aloud in his car and they were captured by a recording device planted by authorities, according to a court document and prosecutors.

“Light up the fire on the flowing crowd, pour grenades on the crusader’s head,” said one message, part of an Arabic-language poem. “Don’t have mercy until he’s broken.”

WSJ
 

 
