Modern Clandestine Organisations Face New Challenges
There were no mobile phones or recording devices allowed at this bizarre encounter. The digital era is perceived as posing new threats to the security of terror groups in Ireland in terms of their being tracked and covertly recorded. — Source: The Guardian
Bottom Line Up Front
- Compartmentation via unlinking
- Strict anti-forensic practices to mitigate police techniques
- Metadata analysis evasion by forcing the recipient to make a copy
- Brief encounters to limit the duration of exposure
- Your security is your own concern
This post is based on two separate interactions between journalists for The Guardian and the dissident Irish republican group the Real IRA (RIRA).
In 2010 The Guardian arranged to pass RIRA a number of questions. RIRA then set up a secure operation to return the answers. A couple of years later, in 2012, The Guardian was contacted to release a statement announcing the formation of the New IRA (NIRA), of which RIRA was a significant founding member.
In both events, the operational security practices on display show some remarkable sophistication and awareness of modern risks.
Operation 20 Questions
In 2010 the Guardian conducted an interview with the Real IRA by delivering a set of questions and collecting a written response at a later date. The security aspects of how the answers document was delivered are quite interesting.
Dead Drops, Not Dead Yet
In our final meeting at a location near the border in northwest Ulster the Guardian was advised to go into a public toilet and search around the back of the bowl for something.
The Real IRA used a dead drop in a restroom to pass a USB thumb drive containing a file with the answers to The Guardian’s questions. It sounds as if the primary RIRA operative was around to meet the journalist and provide directions, while another operative (the courier) was responsible for loading the dead drop. This arrangement would ensure that the “exposed” operative has nothing incriminating on him if he is captured by security forces.
Analog Anti-Forensics
A USB memory stick was found wrapped up inside a surgical glove presumably to ensure that those who had passed it on left no finger prints on the device.
The drive was left by someone wearing latex gloves to prevent leaving fingerprints. This sort of foresight is quite impressive and shows a thorough attention to detail. Although the operations plan has the USB drive in the journalist's hands for only a few minutes, they still prepare for the security forces seizing the device.
The terror group’s representative then suggested that the device be plugged into a laptop computer and a file containing a very detailed list of answers from the Real IRA’s leadership be copied and pasted.
RIRA is aware that the document file contains metadata: author and last-modified-by names, creation and revision timestamps, the application and version that produced it. Rather than rely on a technological solution to attempt to sanitise the document, they use a simpler, safer technique. The journalist creates a new file on their laptop, copies the text from the document on the USB, and pastes it into the new document. The new file's properties are the journalist's own, so the transfer effectively strips the originating document's metadata.
Auto Delete Timer
After the written answers were copied the device was taken out of the laptop, with the surgical glove still covering the USB stick. It was then handed over to someone who had their backs to the Guardian and presumably then taken away and destroyed.
As soon as the journalist has the content from the file, the USB drive is removed. This keeps the operational environment clean of incriminating evidence. The only incriminating document is the one that exists on the journalist's laptop. This is important for a few reasons: plausible deniability, some additional legal protections, and, most importantly, very good cover.
The primary operative gives the USB drive to the courier with a brush pass. The courier never shows his face to the reporter, keeps the USB drive inside the latex glove, and leaves immediately. Excellent security practice.
Security: Strengths and Weaknesses
This operation was pretty slick. It kept the information leakage down to a minimum and provided the maximum protection to the RIRA operatives. There was one serious problem though — they had to trust the journalist’s opsec.
Using a dead drop allows the journalist to collect the USB drive without meeting the courier, and the brush pass enables the courier to regain control of the drive without revealing his face. The use of multiple agents allows RIRA to reduce risk by splitting operational actions between them. A covert operative directs the journalist's actions, while the courier handles the incriminating document. In the end, the journalist gets a copy of the answers and nothing created, or handled, by RIRA is out of their control.
- The primary — exposed — operative has clean hands the entire time. He is never contaminated by incriminating evidence. He instructs the journalist where to find the dead drop, how to make a copy of the answers, and has a bit of a chat. He does nothing illegal.
- The secondary operative, the courier, is linked to the journalist only during a brush pass. He uses latex gloves to avoid leaving fingerprints on the USB drive. His exposure to risk is minimal — only the duration of time he’s in possession of the incriminating evidence. Still, most likely he’s a more expendable junior member.
- RIRA don't rely on metadata sanitisation software. Instead they simply instruct the journalist to create a clean copy of the data itself. Copying only the text is a good way to strip the metadata of a document, and it avoids trusting a sanitisation tool to know every field the originating application wrote.
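The copy-the-text-only technique described under Operation 20 Questions and assessed in the list above, as an added Python example that is not part of the original post. A .docx is a zip archive whose document properties live in docProps/core.xml and docProps/app.xml, separate from the body text in word/document.xml. The example builds a minimal package (only the parts relevant here, not a complete Word file), shows what those properties reveal, then simulates the journalist's method by writing the extracted text into a brand-new package and checking that none of the source's property values survive. All names, dates and answer text are constructed for the example.

```python
"""Added example (not from the original post): what a .docx reveals in its
properties, and what survives when only the text is copied into a new file.
The package built here is minimal and the sample data is constructed."""
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
DCTERMS = "http://purl.org/dc/terms/"
EP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
PREFIX = {CP: "cp", DC: "dc", DCTERMS: "dcterms", EP: "ep"}  # namespace -> short prefix

# Constructed sample: the originating group's document and the recipient's fresh one.
ANSWERS = ["Q1. Why release a statement now?", "A1. (answer text)", "Q2. Who speaks for the group?"]
SOURCE_CORE = {"dc:creator": "comms-desk", "cp:lastModifiedBy": "PC-7 User",
               "dcterms:created": "2010-09-14T21:03:00Z", "dcterms:modified": "2010-09-16T23:41:00Z",
               "cp:revision": "14"}
SOURCE_APP = {"Application": "Microsoft Office Word", "Company": "Home", "TotalTime": "187"}
RECIPIENT_CORE = {"dc:creator": "reporter", "dcterms:created": "2010-09-17T10:02:00Z", "cp:revision": "1"}
RECIPIENT_APP = {"Application": "LibreOffice/3.3", "TotalTime": "2"}


def _core_xml(props):
    """docProps/core.xml: Dublin Core style properties (creator, dates, revision)."""
    items = "".join(f"<{k}>{escape(v)}</{k}>" for k, v in props.items())
    return (f'<?xml version="1.0" encoding="UTF-8"?><cp:coreProperties xmlns:cp="{CP}" '
            f'xmlns:dc="{DC}" xmlns:dcterms="{DCTERMS}">{items}</cp:coreProperties>')


def _app_xml(props):
    """docProps/app.xml: application name, company, total editing time and similar."""
    items = "".join(f"<{k}>{escape(v)}</{k}>" for k, v in props.items())
    return f'<?xml version="1.0" encoding="UTF-8"?><Properties xmlns="{EP}">{items}</Properties>'


def _document_xml(paragraphs):
    """word/document.xml: one run of text per paragraph."""
    body = "".join(f'<w:p><w:r><w:t xml:space="preserve">{escape(p)}</w:t></w:r></w:p>' for p in paragraphs)
    return f'<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="{W}"><w:body>{body}</w:body></w:document>'


def build_docx(paragraphs, core_props, app_props):
    """Assemble the three parts into a zip package and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", _document_xml(paragraphs))
        z.writestr("docProps/core.xml", _core_xml(core_props))
        z.writestr("docProps/app.xml", _app_xml(app_props))
    return buf.getvalue()


def _qname(tag):
    """Turn ElementTree's '{namespace}local' into 'prefix:local'."""
    ns, local = tag[1:].split("}")
    return f"{PREFIX.get(ns, ns)}:{local}"


def extract_metadata(docx_bytes):
    """Read every property from the core and app parts, as a flat dict."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in ("docProps/core.xml", "docProps/app.xml"):
            if part in z.namelist():
                for el in ET.fromstring(z.read(part)):
                    found[_qname(el.tag)] = (el.text or "").strip()
    return found


def extract_text(docx_bytes):
    """Return the visible paragraph text only, which is all a copy-and-paste carries."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    return ["".join(t.text or "" for t in p.iter(f"{{{W}}}t")) for p in root.iter(f"{{{W}}}p")]


def copy_text_only(src_bytes, new_core_props, new_app_props):
    """The journalist's method: text out of the source, into a document that is the recipient's own."""
    return build_docx(extract_text(src_bytes), new_core_props, new_app_props)


def shared_metadata(src_bytes, dst_bytes):
    """Property values from the source that are identical in the copy (ideally none)."""
    src, dst = extract_metadata(src_bytes), extract_metadata(dst_bytes)
    return {k: v for k, v in src.items() if dst.get(k) == v}


if __name__ == "__main__":
    src = build_docx(ANSWERS, SOURCE_CORE, SOURCE_APP)
    dst = copy_text_only(src, RECIPIENT_CORE, RECIPIENT_APP)
    print("source metadata:", extract_metadata(src))
    print("copy metadata:  ", extract_metadata(dst))
    print("text identical: ", extract_text(dst) == ANSWERS)
    print("source values surviving in copy:", shared_metadata(src, dst))
```

Two practical notes. The check that matters is the last one: inspect the copy, not the original, because pasting formatted text into a word processor can also carry over styles or embedded images that have their own properties, whereas pasting as plain text carries the characters alone. And this step addresses the document only; the laptop's operating system separately records the identifiers of any USB device it mounts, which is a different trace and is discussed under the laptop risk below.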
The main weakness of this operation is the amount of trust that it places in the operational security practices of the journalist. They must bring a safe and secure laptop (no internet connection, single use only) and no mobile phone. They must ensure that they aren't under surveillance, and they must use only robust COMSEC. That is a lot to require of the security practices of a journalist.
- The journalist's laptop is a major risk. If the laptop was compromised with an implant then the webcam and microphone could be used for covert surveillance, and the contents of the USB drive could be extracted and exfiltrated. Even an uncompromised laptop retains a forensic trace: the operating system records a mounted USB device's vendor, product and serial identifiers (in the Windows registry, or the kernel log on Linux), so a later seizure of the laptop could tie it to the drive.
- Surveillance on the journalist. If the journalist was under surveillance when they traveled to the meeting location, they could’ve exposed both of the RIRA operatives. Surveillance includes the journalist’s mobile phone geolocation, if they brought one.
- Monitoring the journalist’s communications could reveal details about the operation before it happened. It is very likely that RIRA mitigated against this by restricting pre-operation information available to the journalist to the bare minimum.
Operational Security Intensifies
The second meeting addresses the core weakness of the previous event, although it is different in a number of ways. The major difference is that the New IRA (NIRA) is presenting a journalist with a press release — there is considerably less data to copy.
The Pick Up
The instructions were firm, the tone cold: walk down, parallel to the city’s ancient walls, wait for a car to stop, get in, say nothing and be taken to the destination. …their…insurance that…they were not being tailed was extremely thorough.
The journalist is given a time and a place for the collection. The place is actually a walk along a specific stretch of road. Doubtless this was to allow the NIRA operatives to observe that the journalist was not under surveillance. Once the dissidents are satisfied that it is safe, they pick up the journalist and drive them to the meeting location.
The Press Conference
Another vehicle pulled up. A man I had never seen before got out and handed over a typed statement…After the contents of the statement were taken on a notepad the communiqué was burned at the side of the road.
A courier arrives with the press release for the journalist. This time the document is on paper, and the journalist copies it out by hand. Once the journalist has made their copy, the document is immediately destroyed.
Party Like It’s 1969
There were no mobile phones or recording devices allowed at this bizarre encounter. The digital era is perceived as posing new threats to the security of terror groups in Ireland in terms of their being tracked and covertly recorded.
Security has been tightened up and no electronics are permitted. The dissidents are now aware of the surveillance dangers of modern digital devices: tracking via mobile phone location, and covert recording.
Security: Strengths and Weaknesses
This operation is almost timeless. A night time meeting on a lonely country road, no electronics, the content of a press statement copied out by hand and the original immediately burned. Almost the very definition of going dark.
- NIRA maintains full operational control over security at all times. The journalist is not required to provide any level of security at all. No trust exposure here.
- The delivery driver has clean hands for the entire operation. They shuttle the journalist between locations, there is never any incriminating evidence or activity.
- The courier is exposed to risk only while travelling to the rendezvous with the press release. The period before meeting the journalist is also when the danger of being under surveillance is lowest.
- Incriminating evidence destroyed immediately after use. The journalist’s copy is perfect cover, plausibly deniable, and enjoys more legal protection.
- No electronics means no risk of implants, GPS trackers, or covert audiovisual surveillance.
- Country roads at night are a fairly straightforward environment in which to detect, and lose, surveillance. Check for lights behind while driving at high speed on a circuitous route. The opposition's best bet is aerial surveillance.
- Surveillance on the journalist or of the delivery vehicle is entirely possible. It would be within the capabilities of the security forces to conduct surveillance without being detected.
- Country roads late at night have relatively little traffic, making it easier to locate the courier’s vehicle after they leave the meeting. Assuming that there is aerial surveillance, of course.
- No electronics is a bit of a weird break from a pattern of life. If someone is out without their phone, that looks unusual, and a phone left at home that suddenly goes quiet is itself a signal to anyone monitoring it.