How A Classified U.S. Military Operation Hacked ISIS

Sep 26, 2019
Originally published on September 26, 2019 11:42 am
Copyright 2019 NPR. To see more, visit https://www.npr.org.

STEVE INSKEEP, HOST:

We have the fullest look yet available at a secret U.S. effort to purge the Internet of the ISIS media operation. ISIS has a media office. The U.S. has established its own special military unit to block it. NPR has exclusive access to nearly a dozen people involved in this classified operation. They gained it as part of a series of NPR radio specials on the technologies that watch us, and NPR's Dina Temple-Raston is in our studios with details.

Hi there, Dina.

DINA TEMPLE-RASTON, BYLINE: Hey, there.

INSKEEP: So what is the mission?

TEMPLE-RASTON: Well, it was something called Operation Glowing Symphony. And it was a military operation that was run by the NSA and U.S. Cyber Command. And so it was all launched by this secretive unit called Task Force ARES. And this is the first time that people who were involved with this mission, which is essentially a cyberattack against ISIS, have talked in-depth about what they did.

INSKEEP: What did they tell you?

TEMPLE-RASTON: Well, Operation Glowing Symphony was launched in November 2016. We'd heard a little bit about it before now. But what we know now because of our reporting is that it's thought to be the largest and longest offensive cyber operation ever in U.S. history, that the military has ever launched. Cyber operators behind it, Task Force ARES, were using, like, these incredibly ordinary hacks to do it.

Now, we hear about zero days or we hear about exploits or tools that NSA builds to get into cyber operations or in networks. In this case, they just used the kinds of things that hackers use, phishing emails and backdoor exploits and that sort of thing, to get inside of ISIS' network. This is how a commander named Neil, who we talked to, talked about the operation.

NEIL: And we're crossing names off the list. We're crossing accounts off the list. We're crossing IPs off the list. They were running back and forth on scratch pieces of yellow paper, and I had stacks of paper coming up on the corner of my desk. I knew in about the first 15 minutes that we were on pace to accomplish exactly what we needed to accomplish.

TEMPLE-RASTON: And what they accomplished was, basically, they took over these 10 core accounts that these administrators for ISIS were using to basically send out everything - their videos, their tweets, their financial transactions. And once they took those over, ISIS had no access to them. They were frozen in cyberspace.

INSKEEP: Why concentrate on their media operation?

TEMPLE-RASTON: Well, the media operation - basically, ISIS had been able to weaponize the Internet like no other terrorist group ever had. They had videos. They had tweets. They even had a streaming radio station, and all this was incredibly popular with young Muslims around the world. And it was so effective in 2015 and 2016 that recruits were literally lining up at the Turkish border trying to get into Syria to join the group.

So what Glowing Symphony decided to do was to stop that and basically do that by taking down their system. And we got a rare interview with NSA Director General Paul Nakasone. And he told us that, even today, the U.S. is still inside ISIS' networks. This is what he said.

PAUL NAKASONE: We were going to make sure that anytime ISIS was going to raise money or communicate with their followers, we were going to be there.

INSKEEP: I want to ask about one part of this, Dina. We've said it's classified; we've said it's secret. You interviewed a guy and just identified him as Neil without a last name. Why are they talking about a classified operation?

TEMPLE-RASTON: We asked ourselves the exact same thing, and I think there are a few reasons for that. One is - I think General Nakasone is trying to send the message that the NSA and U.S. Cyber Command are geared up for any shenanigans the Russians might do in the run up to 2020. And Cybercom is also trying to make clear that when it comes to cyber operations - until recently, it had been very defensive. And now it does something called persistent engagement, which basically means it's sitting in networks all the time.

INSKEEP: All the time. Dina, thanks so much. Really appreciate it.

TEMPLE-RASTON: You're welcome.

INSKEEP: That's NPR's Dina Temple-Raston with NPR's Investigations Team. This story is part of a series of radio specials on technologies that watch us, and you can find more on this story at npr.org. The series, by the way, is called I'll Be Seeing You. And you can hear them on some member stations or at NPR One. Transcript provided by NPR, Copyright NPR.