Operation Glowing Symphony
Hi and welcome to malicious life in cooperation with salaries. I'm landlady for three of our mini series on the tow truck. Messaging APP will be ready in the next few days. And in the meantime I'd like to play for you an episode from talknet diaries. We've played some dot net. Diaries episodes here in the past. So you might be familiar with it for those who are not document. Diaries is a fantastic service. Acuity podcast created by Jack reciter. And I can't recommend it enough. The you'll hear shortly is called a Parisian glowing symphony and it's the story of how the US Cyber Command attacked. Is this as told by the commander of that mission. Kudos to Jack for bringing us and extremely rare peak at the inner workings of the US Cyber Command darkness. Diaries homepage is darkness. Diaries DOT com. And if my voice sounds a bit different today than he usually is. That's because I'm under quarantine and recording these words in my attic corona patient board. Trina was on and now got two whole weeks to spend in my foot of solitude. Good thing I still need to finish that. Which are three game? I started a year back. Stay safe and healthy people. Enjoy the MOZELL. That sounds like a good place to start the story. Mozell is an ancient city in Iraq. Like we're talking. People have lived there in the area of Mosel since like two thousand B C. It's right next to the Tigris river and it's grown to a population of cheese over a million and a half people it's Iraq's second largest city on June tenth two thousand fourteen. A new chapter in Muslim history was written a group of armed fighters basically an army just rated the place. Isis infiltrated Moselle. They shot it up. Set stuff on fire and they were targeting all Iraqi police and military and security in just a few days. They took over the whole city of Mozell. The whole city of a million people people began fleeing the city in huge droves hundreds of thousands of people left or or kill. Mozell was now under control of Isis the Islamic state in extremist group. A group that the US believes is made up of violent jihadist terrorists that same month isis declared a caliphate and Mozell Isis which stands for the Islamic state in Iraq and Syria says now it will simply be known as the Islamic state and declared all areas. It's overtaken Syria and Iraq to be a caliphate or Islamic state a significant move as far as I understand declaring caliphate means that they are establishing that the city of Mozell is the Islamic state. Like it's sort of their own nation. It's a place to go live and practice their beliefs. Anyone who's affiliated with Isis can come live there an isis had their own police patrolling the city their own soldiers defending in their own leadership and everything. This was a huge victory for the terrorists to take over the second largest city in Iraq and kill thousands of their enemies. This is what put Isis on the map. This is why the era common household name here in the US because since they took over mozell their number sword and their attacks rained on the world. These are true stories from the dark side of the Internet. And I'm Jack reciter. This is darkness. Diaries once took over Mozell and declared caliphate their popularity boomed tens of thousands of people around world. Were learning what Isis was and they were joining the 'cause we started to see tax in many other cities around the world. An Isis was taking responsibility for it. We were starting to see attacks in Belgium Australia Canada and when I say tax I mean people were being killed by this group today. The militant group ISIS posted a series of graphic photos on twitter claiming a massacre of more than seventeen hundred Iraqi soldiers. Tonight the urgent manhunt right now after the city of Brussels wrapped with multiple explosions at the airport and then in the subway at least thirty one killed more than two hundred injured. Two people are dead tonight in Ottawa Canadian soldier and a suspect after a shooting on Parliament Hill Canada's equivalent of Capitol Hill of violent morning that culminated in a shootout inside the ornate building. Lawmakers were caucusing. That sounds so scary. And that's not the streets of Iraq. That's isis shooting up the parliament building in the capital of Canada. The Iraqi military simply have the ability to take back their own city and with isis growing in numbers. All over the world. Something had to be done so in October. Two thousand fourteen the US military initiated Executive Order Operation Inherent Resolve Okay so what is the navy's role inherent resolve which is the name of the Isis M- Anti Isis Coalition Movement. We provide sorties meaning missions off of aircraft carrier the George George Herbert Walker Bush. Sullivan is just Information Intelligence surveillance reconnaissance others or strikes and it depends on what the central commander desires it can be jamming of of some of Isis is co networks and what they're doing It can be again intelligence gathering we are standing by with Tomahawk missiles tens and tens of them which in fact we used on that first night when we started this operation. Jeez Tomahawk missiles. This is serious business and yes. That navy ship was launching these missiles right into Mozell raining down one attack after another taking out isis infrastructure. Some key leaders. Their troops but tens of thousands of people formed Isis. So wasn't easy to stop them with airstrikes alone. Isis continued to take over towns in Iraq and Syria and claimed responsibility for more terrorist attacks around the world and one of these attacks occurred in November of two thousand fifteen and Paris France. Nine Twenty PM. The first indication of the horror being unleashed that night a suicide bomber. Exploding his best outside Francis National Soccer Stadium. There was a second detonation. Another suicide bomb. Both attackers it seems being stopped before they could get in a third attack would blow himself up outside a nearby. Mcdonald's around nine twenty five gunmen with Kalashnikovs type assault weapons targeted diners. In a string of restaurants. Fifteen people were killed. The gunman raced away in a black car. Next the cafe bomb beer was hit five. People were killed at nine thirty six at La Belle. Achey sheer terror. The same Black Car. The crowded terrace sprayed with gunfire witnesses. Say it went on and on. Nineteen people died here. Nine others were critically injured. The epicenter of the attack though would be the Batta Clung a concert venue. The Band Eagles of death metal played gunman rush the hall and opened fire. Those who escaped the survivors called it. A massacre a mass execution eighty nine people were killed and other attacks springing up all over the world to operation inherent resolve needed. More help to battle these terrorists. Here's a clip. From one of the captains on the carrier that was stationed in the Arabian Gulf. Which was launching missiles at Isis? Airstrikes can only do so much and we're very very effective and we're there to support but I think in the end it's going to be a ground fight. They needed more help to stop these terrorists. So some phone calls were made. Hello Jack. Hey how's it going good to hear from you? Thanks so much. Sorry in this one. I can't say our guest's name you'll understand leader but for now. Let's just call him. The commander is kind of a fan boy. Moment for myself to be honest okay. You're going to wonder how I got the Senate view because as you'll hear this is extremely rare interview and I'll explain how I got all that at the end of this episode but I do want you to understand more about who he is. Okay so in two thousand sixteen. I was the mission commander for a combat mission team at US. Cyber Yeah. Us is believed to be the offensive team within the NSA or actually it came out of the NFC. But now it's its own thing. So yeah you got that right to do. We're going to hear a hacking story from someone inside the US. Cyber Command which is a very secret hacking organization within the US government. Which makes this an extremely rare interview. So are you ready for this okay? So let's back up. The commander here wasn't always commander t started out as a regular recruit in the marines but quickly he knew he wanted more so I actually started. I was a force RECON marine. I five years so so I was in. I jumped out a plane. They did the Halo Heyhoe scuba dive all that stuff. Well disguise a beast. I mean my understanding is at Marines training to be a killer. It's very aggressive branch of the military but force. Recon amplifies that immensely. They're the highest trained troops in the Marines and in two thousand twelve. He was deployed to Afghanistan in the sing in Providence. Tough place and WHO's trying to neutralize the Taliban over there doing Hilo raids and other operations and after a few years of that he came back and spent a total of five years as an active force. Recon marine you get older things. Get harder physically so the way to stay in the fight is to cyber the marines. Give you a little wiggle room on where you can choose. Do you WanNa go so he decided to join the Marine Forces Cyber Command but with the switch they knew they needed to give him some training they did they sent me to school for larger cybersecurity. Stuff just basic security plus network plus C H and then they do. They did put us through some more technical training for computer network exploitation camps and cyber attack and defend and eventually you attend the Mission Commander Course for my role was as an officer so at this point. He's an officer from our for cyber. That's short for Marine forces cybercrime. Okay now let me read to you. A paraphrase version of the mission statement for this group Mar for cyber the mission statement is quote to Conduct Full Spectrum Cyberspace Operations Including Conducting Offensive Cyberspace Operations and quo. Listen the Conduct Offensive Cyberspace Operations. I once heard the US government has never admitted to conducting any cyberspace attacks. But look at this. It's right here in the mission statement of Marfo cyber and when I think of the mindset that the marines have and how they're so competitive and Gung Ho and battle hungry I just can't imagine what kind of hackers would come out of this. Everybody says overshoot cyber bullets today. We're going out on patrol. It's funny but it's true and then you know I mean we always try to keep that kind of mindset especially in the Marines. Were Marines are known to be more aggressive in? That was not different in cyber. Our team was the first to do a lot of things. It's your Computer Geek. Or your or your above like your buff guy right like which one is it or is it both yeah. There's a lot of dudes in cyber to be honest but It's it's pretty funny. I mean we. We still do all of that. Same kind of stuff. I know people have some traditions. When you're the first your first. Cyber Mission on the OPS floor. Don't make you wear a flak jacket or a helmet to look goofy when you're sitting in front of the computer because it's your first op. So that's traditions still comes into play in some of the top floors today so there is still that You know military mindset of messing with people and and things like that. I mean it's it's pretty funny. I find it I find it fun. This is how he transformed from being a trained killer to capable hacker and he's on a new mission now to battle the enemy from behind the screen. There were all in uniform. It's sitting in front of computer screens for screams just like the movies. Everybody's in uniform working out things. If you're at you know very sensitive locations and sites you'll be out of uniform and things like that but at Fort Meade you're in uniform all-time the fall of twenty fourteen. I was finishing up all my training and they had just started a team between NSA and Cyber Com. That was focused solely on isis media. Yes back to ISIS SO ISIS. Or sometimes it's called is still produces a ton of media content. I mean they have to magazines that are published in ten different languages and these magazines are excellent quality to very well done high-quality pictures from the front lines expertly designed they also have a ton of social media accounts that post news stories and even act as recruitment tools for new members and they also have people producing high quality videos filming horrific things than editing them cleaning them up to maximize the impact. Viewer to run all this. They must have a whole network to share content between the teams to store the videos and pictures and then a bunch of skilled people to run everything. So is this. Media was everything that involved the production of their magazines videos that everyone saw come out the logos. The attack claims all of the social media accounts that they had the websites everything that was associated with. That was what was under the umbrella of Isis Media and they had a lot of people. I mean we talking. We'RE TALKING CAMERAMEN. We're talking editors we're talking You know linguists for translating things into every language across the world so they could disseminate their message. We had you have your own. It shops and you know finance guys. I mean it was a large scale operation and you could see the adding like all the videos that came out. They were Hollywood quality videos that were hitting CNN and ABC on a daily basis on most. And that was. That was all isis media so since the. Us government was already using intelligence operations to keep tabs on Isis. They felt that Isis media was big enough to create a team to just focus on this alone. So Isis media had been on the scene for about a year before that and then in two thousand fourteen in the fall it was finally becoming so big and it was its own entity in warranted. Its own dedicated analysis project. Production targeting effort and that's where they pulled a few marines together after civilians and started a a pretty crack knit team and then I took over the team at the end of the year in twenty fourteen. Oh Wow this very interesting right from force recon marine tomorrow for Cyber and now to the NSA and cyber command to gather as much information as he can on isis media. So I says media became his primary focus all day every day him and his team were. They're doing everything they could understand. Who's behind this? We were trying to map out the network so everything behind everything that made isis media tick was what we were supposed to uncover and define so people places things everything minded the analogy. I give people is like if you look at CNN or you look at a regional news office. They have senior editors they have people that do translations they have a web guy that sets up the website they have a guy that configures domain names guided their. It staff that keeps the shared fought the shared drives running keeps the email accounts up there chat services up so that they can conduct their daily business and you have your field journalists and cameramen and all of those all of that stuff. The goal was to simply gather data basically spy on them and collect as much data as they could from describe and they did this for a long time. Twenty fourteen all the way through to summer of two thousand sixteen was analysis development building out the network understanding how they operated. What they did that was I mean. It was over respect a year and a half just understanding the target space and building out a high fidelity network just to give you an idea of where we are in a time line. This is still before Isis invaded. Mozell and declared a caliphate and here already the NSA Cyber Command or tracking them heavily now. Can you imagine how much data they collected in this time? I mean we're talking the NSA and Cyber Command here and dedicating a whole team to investigate this for two solid years by that time and with those resources. I'm sure they must have had everyone's name who is behind Isis media and where it was edited. Who's running the social media accounts what software they're running and I bet. That goes so much deeper. He didn't say but I bet they hacked into all these people to they had access to their phones laptops and facilities everything together as much data as it could probably even their spouses and relatives and bosses and friends to either they were infecting all these systems and bring their way deep into the Isis Media. Network and then establishing persistence maintain their foothold in there. Because if you think about this this is all going on in the same building that the NSA headquarters in Fort Meade Maryland. That big black box of a building that. I'm sure you've seen pictures of so. If they needed more help they could just walk down the hall and get another group of people who are specialized in something to help them out. I mean I'm just guessing here but here's an attack. I think they probably did. I imagine if they hacked into the phone of one of these isis media people and then on that phone they stole the private decryption keys for that phone. This would be the key used to decrypt messages to that phone. Then imagine they hacked into the Wi fi network. That phone was on and somehow captured all the traffic to that phone now. Somewhere in that traffic. Are the private chat messages to that phone and with these private keys. I'm guessing it's technically possible to decrypt those messages. This would be a pretty complex hack but I bet it's something that cyber command could do. I mean we had a long target list and it was. It was a large. You think of like a large grass just pictures servers. Domains accounts all connected with lines and it was all we had a pretty good understanding of all right. I can just picture it now. A big map. On the wall linking everything together with photos of everyone and it probably looks like a map that the FBI will create when building a case on someone red strings connecting everything together. Feel like there's very few people that know as much about Isis. Media's me and a couple of guys on the team in. Twenty fifteen if you remember in the summer and early fall. That's when Isis attacks started to really pick up and they started to have those horrific videos and beheadings and kidnappings of Westerners and the leadership. Congress and Secretary Carter at the time. We're getting set up with all of this going on and having it be all over the news so people were getting a little angry in leadership and they wanted something done about it and we weren't really doing any ops to counter it at that at that time so because they had extensive knowledge of Isis media. They started to think could we? Would it be possible for us to actually disrupt them instead of just spy on them so they started to devise some plans to actually take down some of Isis media? They were developing tactical cyber attacks to take out a website or take control of it or delete an entire server the up with a plan to take out just part of a network in one country as sort of a test to see how effective this would be made it so that we had some confidence in what we do in our abilities and then you know General Hawk came back and was like you know. What do we do now like how? How much bigger can we go? What's the next step? And then we said we can go. Global. Let's go global instead of no one country or two countries scoble. What's to do everything after the break? We'll hear how this mission went. Global stigmatise the commander felt like he had the skills and expertise to take up more of Isis media. But the leadership wasn't sure if this was the right course of action. They needed something else. And icing on the cake was November You know you had the Paris attacks and which were the horrible attacks and that kind of was the final Straw to wear before early December and before Christmas Secretary Carter said I want options. We have to do something big now. Up until November two thousand fifteen. It was all sit. Listen and enable other kinetic operations for the guys on the ground help inform them to do certain things and there wasn't a mindset or an appetite at the time for Hey let's do a strictly cyber operation to try and stop this media or try to diminish their impact of an attack in the publicity side of things we were ready at a tactical level. I felt like but there wasn't that appetite at higher levels to say. Oh we can. We can do something. That's purely cyber and have an impact on this terrorist apparatus over there. He was looking over his big map of Isis media. Looking over all the connections drawing a connection from this system to that system to that network and this person making all these connections and he was looking at the map and all of a sudden it started to make sense. Things became crystal clear. There were few key. Nodes that if you were to Disrupt or take out these key nodes the whole thing might come crashing down. This was a big discovery for the commander double checked his work and looked over it again and yet this was making sense. This was the way to take out. Isis media attack these nodes and it all unravels. That's when I had my like. Aha moment like my pappy. Sylvia moment we've been staring at this data for a long time all these lists and information and then in February it kind of struck me that it was all connected and it was very centralized so I I remember running downstairs to my boss's office in the basement at NASA and starting to draw on the board circles with names and numbers and drawing the lines together and then saying sir. It's all connected. It's all here. We take this out. It all goes away or these five things that will all fall apart. It's a house of cards. This was a big moment. The leadership agreed that perhaps using hacking takeout is this media would be ineffective approach with the strategy. A new task force had to be created to handle this first. They decided to start creating joint task force aires or JT F- Aries for short now. J. T. F. Areas was formed to carry out a specific mission. Jj Fear is just Cyprus specialists that focus in offensive cyber operations against Isis. Whoa wicked a group of military trained hackers all coming together to make joint task force areas specifically to target Isis and isis media. Well this task force was getting spun up. The captains had to decide on what the mission would be. No in my opinion. This is where a major shift in operations took place you see we know that the military in the NFC collects data and they listen for signals and decipher the messages. And sometimes they break into a computer to get that data but still that's all it is. It's gathering data from the adversary. But here. Here's where a big change takes place up until this point this team was doing was listening and watching and collecting yet the hacked into the enemy to listen and collect. But that's all they were instructed and legally allowed to do but now leadership is granting them the ability to disrupt degrade and destroy the target using cyberattacks. This is a big difference. It's kind of like the difference between someone on the roof with a pair of binoculars versus someone on the roof with a long barreled rifle and a scope with orders to kill you. See The difference. They were never allowed to weaponize. There has to destroy before but now now. They're getting permission to do this. So I think this is about to get little Perry but first things first they need to come up with a name for this cyber operation so that is a funny story. And I'm glad that I gotTa tell you that the way that military operations are named is that every unit in a specific EO in a specific area gets assigned to letters so the in those two letters have to be the the first part of the word that starts their operation so G. L. was assigned to Marine Operations from Cyber Command. And so we had to pick a the first word to make the operation so G. L. So we sat down a bunch of captains and try to come up with the most bad ass words that started with G. L. so we were like gladiator gladys global. And then you than the second word in the name of an operation is just whatever you want it to be so you can do like. I mean gladiator something or global. Something they would all be global XYZ GLOBAL ABC. And so we were coming up with all these cool names or things that we thought were cool and then it came down from higher that they were like the word is glowing like seriously glowing. That's so not cool. Let's pick something that's more bad assets more like more hard core but That was what higher told us and then the symphony part came from in marine basic training. When you're calling for fires when you have artillery and air support and mortars and machine guns all shooting at the enemy they say that it's a it's a symphony of destruction because it's you know boom boom boom boom boom like in a movie. When they play the soundtrack all stuff's blowing up so it's a symphony of destruction. And we just say we're trying to have a symphony of destruction against the enemy here and take all of Isis service domains emails. Whatever at the same time it's GONNA BE GREAT. And then one captain who was the quirkiest. One of the group is like well. That's the name gloaming symphony. We were like that's so lame and it can't be that and he wrote it down and then sent the email so then it became glowing symphony and there was no turning back. Okay I know I know there was a lot to talk about but it was only like ten people know that. Yeah I love it. So in May of two thousand sixteen task order one. Six Dash Zero zero six three was signed by President Barack Obama. An Operation Glowing symphony was a go or og. S. For short and GTS ARIES was tasked to execute operation going symphony with the first mission to take out isis media. I wasn't jt. Tiff areas and I was the mission commander for that specific team. This is why I call him the commander because he's the mission commander for all this. I was on a mission. Commander is a cyber com term and a mission commander is the one who oversees a specific cyber opera mission for that for that day. So it'd be the same as if a unit goes out on patrol and walks around enemy territory and comes back. The leader of that patrol is a cyber mission commander. And that's what I was. Okay here we go time to get ready to fire some cyber bullets. The commander just spent the last two years learning everything about isis media and is more than ready to carry out this mission. I E needed some troops. He was able to look around in the NSA and cyber command and different military branches to the right candidates. Yeah we've definitely handpicked all handpicked them. So we assembled I think it was four or five separate teams. Think of each team like a squad of soldiers infiltrating the enemy territory doing patrol and objective and each squad has to be independent on their own being able make decisions and look for the objective and execute on it so they had to start assembling these teams four people thirteen so we had an intel analyst and operator a analyst and then we had the kind of team leader so first. Let's look at. What an operator does you had a guy who's an operator and he's very skilled at setting up the infrastructure uh getting to a target and getting from target and then also he's trained on the tools and approved on the tools to use on target interesting. Not everyone on. The team was approved a hit that delete button or the enter key. Only the operator was allowed to actually execute on objective. But not only that. This would be an expert on computers knowing what exploits to us to get into things and how to move around network once you get in. This is probably one of their best trained hackers on the team The person that would sit next to him is like the big bad signals analyst Who understands the tools and the infrastructure but also understands the intricacies of the target so like directory structures domain names admins and things like that Hell underhill. No the larger target network and had to be able to provide a to that guy on the keyboard so fascinating this is kind of like a navigator of some kind somebody who knows the lay of the land so well and it's like okay. Here's where the next objective is. And here's where you have to go next and here's where this thing will be and if you go down this way then you're gonna find this next thing like crazy that there's just some person sitting there who knows all this stuff ready to help. And then we have another Intel analyst who is to the other side and that Intel analysts under understands the typical targeting charts so the face the phone number the friends the terrorist group the cells. That the you know the homes that address all of that stuff. He understands that larger picture. It can help them when they're on target of of navigating through things. This is another reunion valuable person to have on the other side of you. This is someone who's memorized faces and names and friends names and locations. Because as you're working your way through this strange foreign network you're gonNA come across words that just don't make any sense. Things like server names and network names and domain names email addresses and website. Names stuff that when you got in there and side. You wouldn't understand what that was unless you had this person sitting right next to you explaining to you what you're looking at because they've spent the last six months memorizing of this stuff and then the mission commander is the one making sure that it always going to on correctly and that they're going to accomplish the mission that they're tasked to do that. Everybody's kind of following the rules and not You know stepping in places. We shouldn't go or going places that are not legally allowed to go to in cyberspace and and that's that's the team functions. So they started assembling. These teams and one team wasn't good enough. They wanted like four five or six of these teams so I started asking around at NSA US cyber command or other military branches to see if anyone fits these criteria to recruit them so we reached out to the other units asked for these types of calls and the people that we knew that were there and then you know they coughed up. Those people in the task orders to come over amazing. We've got quite the crack team of highly skilled hackers. Now I mean this is what dozens of military trained hackers troops soldiers all with the resources of the US military behind them. I mean if they needed to the can use some pretty cutting edge hacking tools for this or they can get help from some much smarter people if they need to linguists interpreters codebreakers developers or access to aerial photos. But as they're getting the team together that was tension in the air as in any operation. We had all the accesses that we needed and we were ready to go forward and But we couldn't go forward because we were still deacon floating inner agencies and having very high up approvals. Come down before we can do it. There was a lot of talk from higher ups. They were debating on whether or not this job might be better suited for the FBI or CIA or an essay or other military branches. They weren't sure if this is something that cyber command should be doing since it hasn't done something like this in the past. So we were sitting there as hackers with all this access and it could go away at any moment at any point in time right they catch on to what you're doing and then it's gone and they lock it down so we were nervous everyday. That went by that it would go away believe as in. I saw I saw a media. Would catch on what you mean. Yeah that they would catch onto. We have varying levels of access throughout their network and from the people places and things and if they caught onto one part of it we might not be able to get back and that would have made the operation less effective. Maybe not even worth doing at all so everyday that went by we were like nervous that it was gonna go away. Not only was time taking on all this but there was also a lot of approvals that they had to go through. I mean after all it's the government and the government moves very slowly. We had to do mission brief up the chain to each of the higher officers before we went to go. Do it to make sure that you know. They had confidence in our plan. saying that you know we're GONNA GO OUT THE DOOR. We're going to make a right we're GONNA go for five miles or GonNa make a left. Turn right on this street so we had to tell them everything we were. GonNa do in after we presented the senior operator myself. You know they'd always turn to us in the hand on her shoulder and say. Are you sure we can do this right there? Are you sir we can do this? you know yes sir on the green light. Let's go let's go but nobody wanted us to fail because there was so much publicity within the community on it. Okay now get this. This isn't something the commander told me about but there was someone else also joining the fight. Greetings citizens of the world governments and corporations and facebook. We are anonymous. As most of you know by now we started a cyber war on Isis. And just a reminder Isis we will hunt you. Take down your sites accounts emails and expose you from now on no safe place for you. Online you will be treated like a virus and we are the cure remember. We are anonymous. We Are Legion. We do not forgive. We do not forget expect us. Yes so as Isis attacks started happening all over the world anonymous joined in on the fights you and they were doing things like reporting thousands of Isis twitter accounts to twitter and saying hey ban these people on twitter would and they would report facebook users. That were ISIS members and instagram. All this stuff and because the thing is one thing that anonymous is pretty good at is finding out who you are and dachshund you. So they're able to root out who these isis people are online and report them and they were getting accounts taken down like crazy some reports. Say that up to like ten. Thousand accounts were taken down because of the activism. That anonymous was doing in this fight as well and at the same time. Anonymous was actually taking down some of Isis Websites. To and while this is cool and all it kind of threw a monkey wrench in some of the intelligence communities. I mean how can you collect data on Isis? If Isis is down and win win a website that you're tracking for years goes down. Why is it down? Who knocked down. What's going on here? And so you know commander didn't say but I'm bet that he was watching this kind of stuff happening and trying to figure out who's taking this stuff down and I've heard stories from other people intelligence. Who actually got frustrated with this and went into some of the hacker chatrooms and said. Who's the one taken down these websites and then having like chats with these hackers to kind of not so much coordinate things but like just back off on this for a little bit while while will take care of it? We we know we've got this in our sites and we're GONNA do something real soon. Just kinda like cool it and so while all these anonymous operations were going on approvals. Were starting to come through for Operation Going symphony and things were starting to shape up so you could take the approach of. Let's you know slowly degrade and disrupted and take it down over time but you risk losing your access. You risk not being able to continue the slow degrading because they hard every they're gonNA learn every time. Something bad happens in hard in their network and the people places and everything that they have so well we saw with going seventy was an opportunity to give a massive blow to their operation to take down everything that we could as fast as we could in one go and then see what's left in pick apart the little pieces that were left the remnants that remain and we. That's what that's what the plan was to do was go in and just decimate as much as we could in the shortest amount of time possible and then maintain engagement with the enemy through until they were no longer. That was the goal whole man. This is getting so good and you might wonder why I'm so excited about this. Because many of you think the NSA in the US cyber command are the bad guys. They're setting up ways to constantly spy on innocent civilians and the horde zero days and don't tell the vendors that there's blogs in the code or that they're trying to make encryption weaker or make back doors and things so they can defeat it all. This does sound bad and scary and I certainly don't like it when the NSA overreaches on what they're legally allowed to do so if any one of the NSA is doing this kind of stuff. It's Nadi stop it. Privacy is important to meet. Please don't try to ruin it but I'm GonNa put all that aside for this hour because in this case in this specific course of action. Lear doing by decimating is this media. I can get behind this and I can't think of many times. Were hacking to destroy. Someone's computers is a good idea and at the same time. I'm excited to peek behind the curtain to see how. Us Cyber Command executes these missions. And there's a little part of me that kind of likes to watch chaos and destruction. Here's a moment where I get to see the full force of. Us Cyber Command unleashing a devastating blow to isis. Doesn't get you excited to and I just feel so lucky to hear this firsthand from commander within. Us Cyber Com. These people are extremely tight lipped. In fact they've never responsibility for any cyber attacks like this ever so now for the first time you to hear what operations are like inside their. This is crazy. So sorry sorry commander. Continue what are we? What are we looking at here? What's going on? So what they did have from the public view in an open source intelligence. You could see. They had over ten different languages of publication for their magazine. They had ten different websites at various various locations with new domain names every day so they had domain names. They had web servers. That were static. Ip's that spinning up for each specific language. They had magazines that were posted at You Know Accounts at Free File Upload Sites where they were push all this stuff out and the videos download and things like that. We all know that today at tons and tons of social media accounts that they were constantly Pulling together it's always. It's already been publicly reported. They had tons of telegram groups and tons of telegram accounts. So they have. Phones have email addresses to set up those accounts all across the board as they're buying servers. You can assess that. They have accounts at those specific providers. So they had servers domain names. They had emails they had. You know you can look at the code. On a webpage the source code on a Web page and see the file sharing server that served up the content for that Web server and they had all of this laid out at an at a global scale. They didn't care where it was in the world. They just wanted to be cheap fast and readily accessible. The team spent months gaining access to the network and learning what was in there. He couldn't go into detail about the techniques used but he didn't give me include that it all starts with email. 'cause I can't speak specific to us but if you look at you look at Cyber Operations Writ Large Ninety. I think this was in. This is in the hacking podcast over ninety percent of cyber attacks. Today start with email. And it's not just a spearfishing link it's access to that email account the username the email the email address in the password. That's that's that's where you can start and you can pivot everywhere from that. I've looked into a lot of hacks and whether it's an AP tea or just a bunch of teenage hackers yet. They love getting into email accounts to poke around. This is common for hackers and effective for getting more information and to move further into the network getting into an email account is golden. You can pivot from the email account into the other accounts associated to that email. Any thing that's tied to that email password reset so you can pick from email address into the aws account into the cloudflare count. Whatever that may be the email is the key that is the core piece to pivot through. Whoa that make sense. Yes of course. If you have access to my email address you could go to another service. I have my web hosting and Tell Them. I lost my password. And they'll send a link to my account with the password reset and if you had access to my email then you could see that and reset passwords so yeah getting access to someone's email account can open the doors to tons of other things. That person has to you so take note on this. Protect your email access. Make it a high priority to secure it. I give it a long complex password. Then enable two factor authentication on it make it hard for anyone to get in your email because of someone does get in. They could access to almost everything to operation. Going symphony was getting into their email accounts. This was getting them access to a ton of stuff and once they got in. They needed to establish persistence. This is where they can stay in the network hidden unseen even if how they got in got fixed or patched and this might be enabling a root kit or opening back door or leaving some program running that lets you connect back in later. We had multiple access vectors into the whole system. So it wasn't there wasn't just there wasn't just one one piece of software or exploit or something there was. It was a whole suite of things that that gave us the understanding in the access network doing this time the learned about what's in the network and they spent time pairing the infrastructure with the exploits needed us and they had a lot of meetings on what the best course of action was to take it all out if you make it on their list. It's it's not a matter of if it's just went like I was amazed working there that any challenge that would come to the folks at NSA or any of the developers. It was just a matter of time before they figured it out. There was nothing that I saw them. You know throw their hands up and say it's impossible. It might not be the way that you thought they would find a way to answer your question. Forget where you wanted to go. The assembled other people in deems. We're we're getting them ready. We had four or five of those teams because we had so many targets and they each got ten to fifteen targets right because we had to do the whole operation as quick as we could and because we didn't want to enemy no once part of the network was being taken down or locked out and then they start to they kind of like shut us off from getting to the rest. We had to do it all at the same time before they could catch on. So I'M GONNA assume targets are our servers social media accounts email addresses bank accounts mobile accounts like just. Let's try to completely delete as much as possible. All of those targets were on the docket. It was lockout. The League. Miss configure reroute. Sees anything that you could do to stop the network from functioning. We had to come up with. Who had which targets and then which ones it was. It was planned out to a T. Like down to the keystroke of this is the one I'm talking to. This is the one that I'm going. After first. And then second third fourth fifth and it was and they were pivoting and they were all dependent upon each other and the other team had their same list of starting with this one in going down the list and moving in pivoting and working their way through so we planned that out in detail and rehearsed it in detail prior to the operation. That was the that was the next step. That's amazing because when I was a network engineer I would get my scripts approved by other people before making a change and I never imagined hackers also getting their scripts approved before and they'll and then practicing as well. That's really something. Oh Yeah we we would. You had your plan to t- in we scripted it in a test environment to make sure that it worked all the way through to automate some things we automated as much as we could but then you still have to do some hands on stuff but we tested it. We had developers and technical directors review before we went to go and do it. We had an extensive amount of a Hertzel's before anything was actually executed on the real target. Everyone's got their practice on. This is their primary focus right. This is they're the one operation. Everyone was working on and focused on when you woke up when you go. This team was Ogsm all day every day. Osias operation going symphony in case. You're wondering it's name of this operation and yet the people on the team would come in and nights and weekends to conduct a lot of this preparation because there are certain things you want to do. When nobody's around to reduce your chances of being caught and certain tools and software had to be custom built to get it just right so people were working really hard to get everything ready for this cyber strike. The lastingly needed to do was pick a time window and when they can do this operation. The ten minute window was picked. Because that's when we knew they weren't going to be there so we had to we have profiled everything and know that this Two hour window was going to be the timeframe and we wanted to or at least I wanted everything executed within ten minutes. And as quick as we can at least getting the first foothold right. Once you get domain you hit the domain controller. You're good to go. But we had to get the domain controller in ten minutes. Kind of thing okay. The plan is ready to people already after the break. It's go time. Stay with us. So they set up the window. The rally the troops literal troops and they got everyone ready because this was the big day. All the teams assembled in what they call the operations room. It's a pretty big OP. Floor is what they call it so it looks. It does look like a movie a lot of screens phasing down like the command of the USS Enterprise or something like that. It's got everybody's got to keyboards four screens chairs lined up. Tv's all across the walls and the front on the sides with different. You know what you would see in a sock like infrastructures opera. Down stoplight charts. No world map rosters. All of that's up lights are dim. But it's like everyone is ready time for one last phone call to headquarters. We were waiting for approval for final approval from headquarters over the phone and once they said cleared hot then I turned to all the teams on the floor and then I say let's go put their heads down and a shift enter on the scripts and script started running. They started moving through parts of the network moving to recount swimming through servers moving through everything and executing according to plan the task unit immediately. Got To work running through the checklist exactly as they practiced it over and over in training but this was not training. This was live fire on the enemies infrastructure. You could hear the teams talking. Click this go into that directory that see Jackpot. There were running their scripts and conducting their operations deleting virtual machines taking over domain controllers. And this would give them access to key infrastructure that they were also destroying the raining down a symphony of cyber destruction. We had a large print out probably. He's three feet five. Six feet tacked up on the wall and it had everything every target printed on it every time somebody on the team would accomplish one of their objectives. They'd run a little piece of paper up to the commander to let him know what's been done. And these pieces of paper had little codes on them and so they bring a piece of paper and it's like one delta and it would say like packers or browns and I would know what that meant and then I would write it up on the board and reported up on the on the radio to higher headquarters because they retract. Everybody was tracking everything across the board. Everybody was dialed in from all across the enterprise to listening because this was a big such a big event. Things were going great. The teams were systematically destroying one thing after another within the Isis Media Network. They were hitting targets. All over the place deleting accounts wiping hard drives destroying systems in any way they could rerouting traffic taking control of accounts locking out accounts and wrecking everything in their path but then one of the teams announced that they have a problem operators on the keyboard. Everybody's there we're moving. Hit a roadblock you know your Putney you logging in from different. Ip Need to authenticate security question ruling. Oh man we don't know this. What's your pet name? Henrique figuring out disguise. Pets is his patenting. It was one of the core places that we were trying to go heart stopped. We got really all we're done. We're not going anywhere in one of the analysts who've been on the team with me for three years stands up in his like fifteen. Fifteen watt no way. It says pet's name it's gotta be new spike. Were bombed or something like that. And he's like no fifteen fifteen. It's always fifteen fifteen with this guy and we're like okay. Man Tries Fifteen fifteen phone. We're in let me continue to move onto the target. I mean the analysts. Get to know these guys down to such detail. They can anticipate what these guys are going to do before they actually do it in the technical in the technical room. Whoa this kind of trips me out. I mean this kind of highlights. The power of would insane. Us Cyber Command has right like they can infiltrate someone's life so much that the understand their secret question to all the counts that they've ever set up. That's some pretty deep burrowing into someone's network or even their mind and after that the task force continued to walk through their objectives hitting target after target taking things down and they had a lot of different types of targets. An interesting to me are the financial accounts. The commander said these. Were not the focus of the operation. But I'M GONNA assume that these did exist 'em they ran into them sometimes like you're not the FBI. We seize funds and then hold it but if you get locked out of your pay pal account and there's a thousand dollars in there that money is essentially gone you're not gonna be able to get it back and this wouldn't be a temporary lock. Because if the pay pal address was linked to an email and email gets taken over then you can change backup passwords and recovery passwords and Peop- passwords and everything so that there's no way to get back into that pay pal account ever but besides that Isis media had some crypto currencies. But with this you could just delete the private keys to those worlds and you're never getting back in there. Essentially destroying whatever crypto currency. They had there were. There was a lot of deleting going on so if they were in there. They're gone. But yeah if you could delete the private keys for I mean if you if you deleted like the private keys where they're storing this stuff on on a virtual server needs elite private keys of the virtual server. They're not getting back so it sounds like some money was lost during all of this and at this point they have successfully accomplished all of their primary objectives for this mission. We did it in about ten minutes that we got all of our key nodes and targets down in the first ten minutes and we had control and we knew at that point that they couldn't stop us and we stayed on for the next two four hours going through the rest of the target list but at that point in time we could take our time and and we knew that they couldn't take it back from us so they were totally postponed after ten minutes so we did have a brief like five moment of we got we got into all of the the main core places we needed to go to high five and then it was. Hey we still got to keep moving through the rest of the targets so after our brief moment of happiness we stayed on and kept going and going and going and going. We found more targets more and more more domains more servers. More parts of network. More files everything that we could we could find. And if it was within the approved plan that that we had approved or like are left and right lateral limits. Then we had a fax and if it wasn't we wrote it down catalogued it and then put it on the target list for the next day and so we worked until we knew that they were coming back and we kinda stopped and then related. Support yourself in isis media's shoes for a second here imagine you just got knocked out big time with hacks like you've never seen before all your servers are off lying. All your accounts were locked out like everything's just gone. What do you do right like you? Don't just say Oh. Well that's that let's be fine. No you work on trying to restore it. I mean that's what the. It team is there for right. They're not just like fired immediately. They're like called in to come help right. Now let's get everything stood back up so immediately the. It team started trying to stand up. Servers again and rebuild their websites and relaunched their email applications because they couldn't even get to emails anymore and they're rebuilding Like file servers and then having to reissue new accounts for everyone there. It's kind of like a building an entire network from scratch all over again or trying to restore from backups. And so while this was effective right away they did see is coming back online slowly and with a lot of trouble so this made some people wonder whether or not operation going symphony was successor. Not since Isis came back online just after you know. I'm obviously biased thing but I think it was very effective. He can't get into the specifics. About how effective this was. But if we step back and look at what public information we do know we see that Isis was very chatty on twitter before operation going symphony but that number of tweets drastically got reduced right after operation. Going symphony win into effect. If you don't have a file sharing server to pass the photos from from the front battlefield lines back to the middle mid level office back to the high level office. So they can edit the photos and use them in the video or from a field video of battle where they're isis is winning getting video back to somebody at another location to edit it to then you know upload it to then put it into a a a photo shop editor and make it into a sexy video if all that takes more time or you break that chain and at any point it's GonNa your whole production cycle longer and start missing deadlines you know. Your brand isn't as good nobody. Nobody likes a news outlet that has bad logo is bad videos and delays and releases. So when you impose that on them it erodes what Isis media was seeking to beat and people didn't like it as much and they didn't want to do attacks or go fight for them in Syria and one other thing that you would notice if you were kind of following the space at the time that after this initial attack from og only forty percent of the Isis websites came back online afterwards. Those other websites just never showed back up but when these new websites came back online this meant that jt aries had to attack again and so they did once you find target submitted up get it approved go take down target take down target. Take it down and we stayed on for. Oh Jeez continued from that day on for seven months and after taking down isis his websites over and over and over and over again and again for seven months they effectively took out ninety percent of Isis websites. That just never showed back up. We didn't have ops every day. But you know for the first thirty days or so we had. We almost had ops every day. Oh and another thing you can look at see how effective this was is the isis media magazines that they were put now. If you look at the Romania in the magazines were ices flagship magazine. They came out. They were fifty to sixty pages. High Quality Video Great Stories Instructions on how to tax recaps of old attacks. They did excerpts with leadership other Isis fighters to try and inspire people. And they were they were very good magazines productions. They had them in all the different languages and they were very professional when going. Sifni came into play. The RAMIAH magazine was the new magazine and they say that was coming out every thirty days. Like between twenty eight and thirty days and it was based off of the Islamic calendar at the time. We didn't know that this happened but when I was looking back you know we could definitely see the impact. They wanted it to come out between they wanted to come out on the first of each month a day of the month for the Islamic calendar. The five o'clock news comes on at five o'clock not five or five right when we look back at the impacts of growing symphony the November came out on Day. Thirty six so their average was twenty eight to thirty and it came out on day thirty six so it was very late almost a week late and then they were back on track and then other disruption ops and continued operations from. Osias came into play and when we come back we would see that date belonging and then we would see longer if you plot those dates out the dates get longer and longer until a point where the Ramiah had been discredited with other operations affects to a point to where they decided not to do it anymore that it was unsustainable the brand had been damaged and they abandoned it so it took time for the for them to give up and for the brand to be fully damaged but the operations to slow down the production to make it harder to delete the files to disrupt coordination to to do all of that had an impact over time to a point to where they abandoned it now as far as I know the US government has never taken credit for any cyberattacks like this ever. This is the first time ever that they've publicly said they have destroyed computers using cyberattacks. Now now that you say that I I think it is that they are saying. We have conducted offensive cyber operations against a target. I think this is the first time I mean in the past like the the public mission for more for cyber says we conduct offensive cyber operations in support of US government right so like the mission says offensive cyber and it said that for a long time. But I think you're right. Nobody said we did this. We deleted this. We locked out this so I never thought of it that way but I think you're right. It's still fascinating to me to see that the military trains hackers but I guess this is the natural progression of how the world has become because historically the military had four domains of warfare. Land Sea air and space but in nineteen ninety-five the added information as the fifth domain of warfare. The military has to be ready to battle on this front. Because if they aren't the enemy will be attacking us. They're in the military and all services. They're building out. Cyber branches and cyber specialties at an entry level on the enlisted side ended in officer side so kids from high school with computer skills. That WANNA get into hacking. Or after you go to college you WanNa get into hacking an officer you can. There are paths to go right into cyber career field in the military and they have the the blue team side with the cyber cyber protection teams and they have the offensive side with the combat mission teams. So whichever had you WANNA wear you can go right into those positions with training and and begin to execute on target indefens- or an offense the of the nation and while that's the story of Operation Going Symphony and J. T. F. Aries stormy isn't over. Jt Areas is still going strong conducting a lot of missions even today. Gto theories is still rocking and rolling. I mean they're moving on new targets. Every day other people involved with GTE various today have said that the attacks still go on and they do things like just annoy targets like lock them out of their accounts or slow down their computer or slow down there now work or do something to drain the cell phone battery of their target. The harder that they can make it for their target to get anything done in the day. The more of a success it feels like for JT. F.a.s.t and I mean the first push was solid six seven months of a day on. Stay on the ground forces have obviously taken back Syria from Isis. So it's a lot smaller than what it was in two thousand sixteen. But there's there's still in the fight every day so oh and as for Mozell because Iraq didn't have a strong enough army to take back their own town the. Us helped invaded and together to kick out ISIS which put an end to the caliphate. It's a stretch to say that operation going symphony helped take back Mozell but if you look at the series of events operation going symphony probably would have never happened if Isis didn't take Mozell over in the first place and you might be thinking the. Us has conducted destructive. Cyberattacks like this all the time like with stuxnet but the thing is the. Us has never admitted to doing stuxnet new. They refuse to talk about it at all so whether or not. This is the first attack like this one thing. That's alarmingly clear now is that the. Us is in the fight and not just doing signals collection but causing destruction through cyber attacks and it just makes me think that now that Oh Jesus was successful and J. T. F. Areas is still conducting these attacks today. Wonder what else does pave the way for. What are the doors got opened? Because of this. What other missions have been given the go-ahead to degrade and disrupt enemy networks with the connected modern world? We live in a lot as possible such as remotely Disabling Car Draining. A crypto wallet shutting off the power to a missile silo the NSA in Cyber Command of sometimes been accused of going over the line on what they're legally allowed to do like to innocent American people but one thing is clear if someone celebrates the death of Americans or threatens Americans. These are the people who will take full notice of this and go after them and the general goal in mission of the NSA and Cyber Command is to protect the US from threats like that. So it's just fascinating to see what happens and how they go after these people now. You might be wondering. How did I really get this interview? How did I get a mission commander from us? Sira calm to come tell the story about that time he hacked ICES will. It's interesting actually last year. I think it was some journalists from vices motherboard heard about operation going symphony. They submitted a freedom of information request to the government to learn more. Into all our surprise the government sent them tons of information about G S. It was really incredible to peek behind the curtain for the first time and then in the last few months a reporter from NPR actually asked the generals and commanders. That were involved in this to speak on the record to hear more and again everyone's surprise approvals were given and it was around this time that I just happened to bump into the commander at Defcon while I was there and we started talking and I heard this story and I was like. Oh my gosh if you were able to speak on. Npr about this. Is it possible that you could come on my show darkness? Diaries and tell me this story so he went back to. Us Cyber Command and requested to be on this show and he was given approval unbelievable and once. I had this episode all done and ready to go ahead to get one last approval from the. Us government people in Cyber Command or more for cyber had to listen to this to verify that nothing was said. That shouldn't have been said and there were even some generals ahead to approve this too. Which is just incredible to me because I thought I would never hear a story from within. Us Cyber Command about this time that they hacked anything much less ices so you had. This is a story that I never thought I would ever get to do a big. Thank you to the commander for sharing this story with us. This one really truly is unbelievable to hear firsthand what you went through. Thank you again. And thanks to Major General Gravy for approving him to be on the show. The show is made by me. Cadet. Jack reciter reporting in from the dark net division. Editing helped by the Sanguine Guard Damian. Our theme music is by the. Sonic assaulter brake master cylinder and even though someone from the Dod starts following me on linked in every time I say it. This is dark net diaries. That's it for this episode. I hope you've enjoyed it and if you did you'll find more amazing tales from the dockside of ain't as Jack puts it on dock. Diaries DOT COM MILITIAS. Life is produced by. Pi Media. Is Your organization thinking about launching a podcast? We're here to help line and ran. Ran Levy DOT com. That's R. A. N. at R. A. N. L. E. V. I dot Com. Follow us on twitter at at militias life or at ran ran. Levy visit militias dot life more episodes and transcripts. Thanks Sabahi reason for underwriting. The PODCAST SIBERIAN DOT COM by Cable Museum.