How Hackers Are Spying on US & Canadian Special Forces
by Cecilia Clark
The United States military has over 2 million uniformed members. When we think about that number, it’s easy to envision a massive fighting force positioned all over the world defending the country and its allies.
In reality, however, a mere 2% of that force – an elite group known as Special Operations Forces (SOF) – are fighting more and more of America’s battles.
In fact, Special Operations troops execute missions in over 80 countries on a continual basis.
Most people know this elite force by their distinct groups. They include the likes of the Army Green Berets, Army Rangers, Navy SEALs, Marine RECON, and Air Force Special Tactics.
These units are amongst the most highly trained in the military. They are strategic and tactical experts used to quickly execute high priority missions and secure long-term gains.
They are proficient. They are unconventional. They are clandestine and envied.
…They’re also engaged in apparent security lapses that could endanger confidential and secret information sharing. And more than just information sharing – these security lapses could lead to complete mission endangerment (or worse).
Work Collaboration and Messaging
Special Operations teams are often allotted a lot of autonomy to complete complex, multi-faceted tasks.
A team might be charged with preventing terrorism with focus on a known threat, capturing a named target, Special Reconnaissance, or training partner nations in counterinsurgency or defense tactics. These top secret, critical missions range from training exercises with allies to movements intended to overthrow a government.
And while the SOF (and other military forces) have access to traditional field communications – think radios – they also have access to many of the same communications tools used by civilian work teams and individuals.
These commercial off-the-shelf (COTS) digital comms tools are useful to SOF teams because they give them the flexibility to exchange information with teammates and partners instantly, clearly, and securely.
…Or at least they think they’re communicating securely.
Most Special Operations Forces have access to a number of COTS tools, but tend to rely heavily on only a few.
And even if you have no exposure to the military, these tools will probably sound familiar…
WhatsApp, Telegram, and Signal are the COTS apps of choice for many SOF teams.
And even though those app companies like to tout their supposed security credentials, they are all subject to serious INFOSEC flaws.
Furthermore, none of those apps were created with military or government entities in mind – which means their security protocols and practices are not designed to support the extremely critical nature of SOF comms.
So how do they stack up?
Just this month, Financial Times reported that a notorious Israeli spy firm launched an attack against WhatsApp that could inject spyware on phones that have WhatsApp installed.
Attackers simply called their targets using WhatsApp’s VoIP capabilities to inject the surveillance software.
That’s it. The target didn’t have to answer. The attacker didn’t have to uncover a password. They didn’t have to leave a voicemail.
Oftentimes, the malicious calls disappeared from call logs before targets even knew they had been made.
Once installed, it’s suspected the spyware could access a victim’s camera, microphone, emails, messages, and location data.
At this time, Facebook/WhatsApp isn’t disclosing how many people were affected. But, here’s what we do know:
- iOS and Android smartphones were susceptible.
- WhatsApp has 1.5 billion users.
- That leaves a lot of potential targets.
We also know that attackers targeted human rights lawyers and others “with access to sensitive information”…
Special Operations Forces have access to sensitive information, right?
What’s worse, Facebook/WhatsApp just released a patch to protect users from the vulnerability last week – but, the attackers have been targeting users for nearly a month.
And considering Facebook’s plans for WhatsApp, these types of breaches could become more commonplace.
At least WhatsApp offers default end-to-end encryption. Telegram doesn’t even offer default E2EE as part of its standard messaging.
To add insult to injury, Telegram was founded by the Durov brothers – Russians who also founded the Russian Facebook equivalent, VKontakte. In 2014, Pavel Durov handed over control of VKontakte to Putin allies. This, of course, raised lots of suspicion that Putin wanted to use the social media platform as a means to spy on its users. And now, it seems Putin is after Telegram users’ information as well.
Just last year, Telegram lost a Russian court case requiring it to hand over encryption keys to the FSB (the KGB’s successor) or risk being banned in the country.
…And the FSB is amongst the last places where Special Operations Forces want to see their conversations wind up.
So why does Telegram even have access to the encryption keys in order to turn them over?
Telegram stores encryption keys on their servers, giving them – and anyone who hacks the servers – access to user conversations.
And what about Signal?
Just last year, security researchers discovered a vulnerability that would allow remote attackers to inject malicious code through a target’s Signal app. Similar to the WhatsApp flaw, hackers would only need to send a message through Signal in order to implant the code.
The target wouldn’t need to interact with the message at all for the code to be implanted successfully.
Once executed, the malicious payload would allow an attacker access to all Signal conversations – in plaintext.
This attack would completely circumvent Signal’s supposedly top-notch encryption protocols, rendering them absolutely useless.
And the worst part about the vulnerability?
… It happened twice in less than a week.
Signal patched one vulnerability and was confronted with another very similar security flaw within a week’s time.
But the bigger and even more persistent threat with apps like WhatsApp, Telegram, and Signal exists in their reliance on phone numbers for authentication. All apps that use a phone number as the unique identifier are extremely susceptible to SS7 attacks.
With this attack pattern, hijackers can seize control of a phone number, intercept the verification code, and obtain full access to the messaging app. This access would give an attacker the ability to write messages on behalf of the target, and read all incoming and previous correspondence.
This issue is compounded by the fact that, even without an SS7 attack, it’s not that hard for a sophisticated attacker to take control of a target’s phone number. In fact, nearly any employee at the target’s telephone company can temporarily port a phone number from one device to another, without the target’s knowledge or permission, and use the number to authenticate into the app – gaining access to the target’s messages and/or spoofing their contacts.
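The phone-number dependence described above, as an added example that is not code from the article or from any of the apps it names: a constructed Python model of a messenger registration flow in which the only proof of ownership is the SMS code, beside the same flow protected by a registration-lock PIN, a second secret that never crosses the carrier network. The server class, the sample number and the PIN values are all assumptions made for the illustration.

```python
import hmac
import hashlib
import secrets


class RegistrationServer:
    """Toy model of a phone-number-keyed messenger's registration flow (constructed)."""

    def __init__(self):
        self.accounts = {}     # phone -> {"salt", "pin_hash"}; pin_hash None = no lock
        self.pending = {}      # phone -> SMS code awaiting confirmation
        self.sms_outbox = []   # (phone, code) handed to the carrier network

    @staticmethod
    def _hash_pin(salt, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enable_registration_lock(self, phone, pin):
        # A secret that never crosses the carrier network, so an intercepted
        # SMS code alone is not enough to claim the number on a new device.
        salt = secrets.token_bytes(16)
        self.accounts[phone] = {"salt": salt, "pin_hash": self._hash_pin(salt, pin)}

    def start_registration(self, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = code
        self.sms_outbox.append((phone, code))  # the hop that SS7 or a port-out exposes

    def complete_registration(self, phone, code, pin=None):
        expected = self.pending.get(phone)
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        acct = self.accounts.get(phone)
        if acct and acct["pin_hash"] is not None:   # registration lock is on
            if pin is None or not hmac.compare_digest(
                    acct["pin_hash"], self._hash_pin(acct["salt"], pin)):
                return False
        del self.pending[phone]
        self.accounts.setdefault(phone, {"salt": b"", "pin_hash": None})
        return True


def reregistration_succeeds(lock_pin=None, attacker_pin=None):
    """Re-register the number on a new device using only what the carrier
    network carried (the SMS code). Returns True if the number was claimed."""
    srv = RegistrationServer()
    phone = "+15550100"  # constructed sample number
    if lock_pin is not None:
        srv.enable_registration_lock(phone, lock_pin)
    srv.start_registration(phone)
    _, intercepted_code = srv.sms_outbox[-1]
    return srv.complete_registration(phone, intercepted_code, attacker_pin)
```

With no lock set, whoever reads the SMS hop owns the account; with the lock set, the same intercepted code is refused unless the PIN is also known.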
So, why do some SOF teams still use these and other insecure messaging platforms?
They’re fun to use and are easily accessible.
Special Operations Forces are a relatively small group, with a disproportionately large footprint. As a whole, they’re stretched incredibly thin and asked to take on an intense amount of responsibility.
And with that workload comes greater autonomy and built-in flexibility in how the mission is accomplished.
In other words, many times there isn’t a lot of oversight in what messaging apps SOF teams use – especially when they work with partner forces and allied nations.
While all units operate differently, the app approval process for many SOF teams is largely driven from the bottom up. Essentially, a tech support person will recommend a messaging app to a SOF team member, and if the members of the partner force also have access to the app, they use it.
This process is largely the de facto standard for training operations between partnering forces. Keep in mind that military training communications are typically classified… especially those requiring Special Operations’ attention.
And in an environment where the world’s most highly trained and clandestine military professionals are sharing secrets and training on counterinsurgency, the standard for entry should be higher than:
“Do you have access to this app? Cool. The guy in the TSD said we should try it.”
While it’s obvious that entrusting SOF information to unvetted tools could lead to disastrous and dangerous data breaches, let’s still explore the implications of a hypothetical breach.
Imagine a SOF team training a partner force on emergency response tactics. Assume that training involves the latest guidance on what to do in the case of an IED or ambush attack. If that information leaked into the wrong hands, an enemy force would know exactly how the SOF and their partners would act and how to counter their reactions – leading to increased casualties and prolonged engagement.
Along the same lines, Rules of Engagement, or ROE, change regularly and are closely guarded secrets amongst deployed personnel. ROE tell the military how and when to engage with potential combatants. If a malicious actor accesses a training message exchange and amends or disseminates the most recent ROE, that could cause deadly confusion and give the enemy an opportunity to counteract and manipulate those guidelines.
Or, even more critically, consider strategy and other mission details. While training units might not know the exact details of their mission and will likely not plan out a detailed strategy during training, they will communicate some pertinent information about their upcoming mission. After all, predeployment training is intended to prepare military members for their deployment.
What if strategy and mission information leaked as a result of a hacked server where supposedly secure messages were housed? How would that affect people getting ready to deploy? How would that affect troops already on the ground?
The same can be said about notable points of reference and other location details that trainers and trainees might discuss via message apps.
This type of information deserves extreme care and safeguarding that, unfortunately, most messaging apps are not capable of providing.
Special Operations Forces need a way to communicate easily and quickly. They endure the burden of dangerous, remote military missions and should be accommodated to train, plan, and execute those missions adequately. But, their communications – even unclassified – must be truly secure.
About the author
Cecilia Clark is a former US Army officer who specialized in information security and satellite communications, spending most of her tenure with the Joint Nuclear Operations Center. Since leaving the army, she uses her experiences to advance teams in the corporate, defense contracting, and start-up worlds.
Cecilia's LinkedIn profile: https://www.linkedin.com/in/freelance-cybersecurity-writer/
This article was originally published at: https://highside.io/blog/how-hackers-are-spying-on-us-canadian-special-forces/