AUDIE CORNISH, HOST:
As the U.S. weighs using cyberweapons against Iran after the attacks on Saudi oil facilities, we're going to look at how these operations are done. NPR got exclusive access to a different secret military cyber operation, this one against ISIS. As part of an NPR investigation, Dina Temple-Raston spoke to more than a dozen people who helped launch that cyberattack.
DINA TEMPLE-RASTON, BYLINE: It was early November 2016 when the spectators started filing into the ops floor at Joint Mission Operations Command. They'd all come to Fort Meade, outside of Baltimore, to see something they'd never seen before - a global military assault in cyberspace, specifically a classified mission called Operation Glowing Symphony.
NEIL: I felt like there were over 80 people in the room between the teams and then everybody lining the back wall that wanted to watch.
TEMPLE-RASTON: That's an operator named Neil, and he was one of the commanders of a secret unit called Joint Task Force ARES. This is the first time details about ARES and Operation Glowing Symphony have been revealed publicly by the people behind it.
(SOUNDBITE OF MONTAGE)
UNIDENTIFIED PERSON #1: Islamic militants seized control of Iraq's second...
UNIDENTIFIED PERSON #2: The militants have begun to impose Islamic sharia law.
TEMPLE-RASTON: ISIS has been out of the news for so long, it's easy to forget just how much it stormed onto the world stage in 2014.
(SOUNDBITE OF ARCHIVED RECORDING)
SCOTT PELLEY: Another major piece of what America fought for in Iraq was lost today.
TEMPLE-RASTON: But the territory ISIS controlled in Syria and Iraq was the least of it.
ERIC ROSENBACH: The center of gravity was not only their territory, but their ability to use the Internet.
TEMPLE-RASTON: Eric Rosenbach was the assistant secretary of defense for Homeland Defense and Global Security at the time. And he was part of a group at the Pentagon pushing the National Security Agency and U.S. Cyber Command, the military's main cyber arm, to stop ISIS from recruiting, raising money and launching attacks from the Internet.
NEIL: We'll just go with first names, so you can just call me NeIl.
TEMPLE-RASTON: What's your call sign?
NEIL: My call sign is shadow recon. That's the hacker handle that I use.
TEMPLE-RASTON: Neil is a Marine reservist in his 30s. And we're only using his first name because he wasn't just the one who said go to start Operation Glowing Symphony; it began as his idea. He was in the basement of the NSA with other members of Task Force ARES, and they realized that the entire ISIS media network was sitting on the same 10 nodes. That meant all their key servers - domains, accounts, websites - depended on those domain controllers.
NEIL: Every account, every IP, every domain, every financial...
TEMPLE-RASTON: If Joint Task Force ARES could gain access and control those 10 nodes, they could take down ISIS' whole media operation. Task Force ARES took that kernel of an idea and spent months preparing for the attack. U.S. operators mapped the ISIS network. They dropped malware inside their systems. They stole passwords and encryption keys, slipping in and out without being noticed.
So when that November night in 2016 finally rolled around, they were ready to attack. They had login screens - actual ISIS login screens on their monitors. So they logged in. A target list hung on the wall. It was so long it had to be put on a 3-foot-by-7-foot piece of paper.
TIM HAUGH: It was almost like a very large bingo card.
TEMPLE-RASTON: That's Air Force General Tim Haugh, the first deputy commander of Joint Task Force ARES. And Haugh said the numbers on that bingo card corresponded with specific targets. One bingo number represented one of the editors of the media operation and all the accounts and IP addresses and avatars he used. The next number did the same thing for the group's graphic designer or cameraman or reporter.
According to nearly a dozen people who were there on the ops floor, Neil ordered ARES to begin Operation Glowing Symphony with a single word.
TEMPLE-RASTON: After months of looking at static webpages and picking their way through ISIS' networks, the ARES operators started logging in as the enemy. They deleted files, closed accounts, changed passwords. They began moving through the ISIS networks they had mapped for months like a raid team clearing a house, except it was all online - until they hit an unexpected obstacle.
NEIL: We get prompted a security question.
TEMPLE-RASTON: A security question. You've seen them before. What's the name of the street you grew up on? What's the first name of your best friend from childhood?
NEIL: And we're stuck dead in our tracks. What is the name of your pet?
TEMPLE-RASTON: The room went silent.
NEIL: We all looked to each other, and we're like, what can we do? And one of our best analysts stands up, and he goes, sir - one-two-five-seven. We're like, what? One-two-five-seven. We're like, how do you know that? I've been looking at this guy for a year. He does it for everything. We're like, all right. Your favorite pet - one-two-five-seven. Boom. We're in.
TEMPLE-RASTON: And the targets started to fall.
NEIL: And we're crossing names off the list. We're crossing accounts off the list. We're crossing IPs off the list.
TEMPLE-RASTON: Every time a number went down, they would yell one word - jackpot. Neil gave us an idea of how it went as members of the task force ran back and forth with pieces of yellow paper. The number 5 was down.
NEIL: Five - jackpot.
TEMPLE-RASTON: A username now under control.
NEIL: Forty-four - jackpot. And then we draw the line out. And I had stacks of paper coming up on the corner of my desk. Eighteen, 3, number 6 - jackpot, jackpot, jackpot, jackpot. I knew in about the first 15 minutes that we were on pace to accomplish exactly what we needed to accomplish. We spent the next five or six hours just shooting fish in a barrel.
TEMPLE-RASTON: Back in Syria, ISIS members couldn't get into accounts, couldn't use servers, lost key files. Then ARES began the second phase of Glowing Symphony, which continues today. The unit gathered together all the things that drive you crazy about the Internet - slow downloads, dropped connections, program glitches - and started making them happen to ISIS fighters.
General Jennifer Buckner, who led the unit in the second phase, explains.
JENNIFER BUCKNER: Some of these are not sophisticated effects, but they don't need to be. The idea that yesterday I could get into my Instagram account and today I can't is confusing.
TEMPLE-RASTON: If this sounds like something you've experienced, that's exactly the point. If you can't get into an email account, what do you do? You think, maybe I mistyped the login or password. So you put it in again - still doesn't work. Then you type it in more deliberately. And every time you type it, press enter and are denied, you get a little more frustrated. It would never occur to you or to me or ISIS that this might be part of a cyberattack.
BUCKNER: It just looks like I messed something up or something's wrong with the platform.
TEMPLE-RASTON: That's what the follow-on phases of Operation Glowing Symphony were all about - that psychological component, eroding morale. Four members of ARES told NPR that they knew of one episode in which a member of ISIS stayed up all night editing a film, and then he asked a fellow ISIS member to upload it. But operators with Glowing Symphony made sure it didn't quite land at its destination. The ISIS member who stayed up all night started asking the other ISIS member why he didn't do what he'd asked. He got angry. You get the idea.
BUCKNER: We had to understand, how did all of that work? And so what is the best way to cause confusion online?
TEMPLE-RASTON: Let's drain their cellphone batteries or insert photographs into videos that aren't supposed to be there.
ED CARDON: Pinwheels of death, the network's working really slow - people get frustrated.
TEMPLE-RASTON: That's General Ed Cardon, the first leader of Task Force ARES who stood up the unit. And Task Force ARES, he says, is still focused on ISIS, and U.S. operators are still sitting in ISIS networks today.
Dina Temple-Raston, NPR News, Washington.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.