WEBVTT 00:00:00.149 --> 00:00:03.840 JACK: Just as a warning up front, there’s some clips of violence in this episode such 00:00:03.840 --> 00:00:06.110 as gunfights and terrorist attacks. 00:00:06.110 --> 00:00:10.880 If that kind of thing bothers you then you might want to skip this one. 00:00:10.880 --> 00:00:14.360 [MUSIC] Mosul, that sounds like a good place to start this story. 00:00:14.360 --> 00:00:16.570 Mosul is an ancient city in Iraq. 00:00:16.570 --> 00:00:21.570 We’re talking, people have lived there in the area of Mosul since like, 2,000 BC. 00:00:21.570 --> 00:00:26.760 It’s right next to the Tigris River and it’s grown to a population of jeez, over 00:00:26.760 --> 00:00:29.090 a million and a half people. 00:00:29.090 --> 00:00:31.830 It’s Iraq’s second-largest city. 00:00:31.830 --> 00:00:36.600 On June 10th, 2014, a new chapter in Mosul’s history was written. 00:00:36.600 --> 00:00:42.940 A group of armed fighters, basically an army, just raided the place. 00:00:42.940 --> 00:00:47.250 [GUNFIRE] ISIS infiltrated Mosul. 00:00:47.250 --> 00:00:53.870 They shot it up, set stuff on fire, and they were targeting all Iraqi police and military 00:00:53.870 --> 00:00:55.480 and security. 00:00:55.480 --> 00:01:02.660 [EXPLOSIONS, YELLING] In just a few days they took over the whole city of Mosul, the whole 00:01:02.660 --> 00:01:04.949 city of a million people. 00:01:04.949 --> 00:01:11.200 People began fleeing the city in huge droves; hundreds of thousands of people left or were 00:01:11.200 --> 00:01:12.450 killed. 00:01:12.450 --> 00:01:18.780 Mosul was now under control of ISIS, the Islamic State, an extremist group, a group that the 00:01:18.780 --> 00:01:24.450 US believes is made up of violent Jihadist terrorists. 00:01:24.450 --> 00:01:27.930 That same month, ISIS declared a caliphate in Mosul. 00:01:27.930 --> 00:01:33.439 REPORTER: ISIS, which stands for the Islamic State in Iraq and Syria says now it will simply 00:01:33.439 --> 00:01:36.299 be known as the Islamic State. 00:01:36.299 --> 00:01:42.649 It declared all areas its overtaken in Syria and Iraq to be a caliphate, or Islamic State, 00:01:42.649 --> 00:01:44.080 a significant move. 00:01:44.080 --> 00:01:48.160 JACK: As far as I understand, declaring a caliphate means that they are establishing 00:01:48.160 --> 00:01:51.740 that the city of Mosul is the Islamic State. 00:01:51.740 --> 00:01:53.920 Like, it’s sort of their own nation. 00:01:53.920 --> 00:01:57.300 It’s a place to go live and practice their beliefs. 00:01:57.300 --> 00:02:00.539 Anyone who’s affiliated with ISIS can come live there. 00:02:00.539 --> 00:02:04.820 ISIS had their own police patrolling the city, their own soldiers defending it, their own 00:02:04.820 --> 00:02:06.600 leadership, and everything. 00:02:06.600 --> 00:02:11.890 This was a huge victory for the terrorists; to take over the second-largest city in Iraq 00:02:11.890 --> 00:02:14.530 and kill thousands of their enemies? 00:02:14.530 --> 00:02:16.560 This is what put ISIS on the map. 00:02:16.560 --> 00:02:21.280 This is why they are a common household name here in the US because since they took over 00:02:21.280 --> 00:02:26.040 Mosul, their numbers soared and their attacks reigned on the world. 00:02:26.040 --> 00:02:35.150 JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. 00:02:35.150 --> 00:02:39.760 I’m Jack Rhysider. 00:02:39.760 --> 00:02:43.840 This is Darknet Diaries. 00:02:43.840 --> 00:02:52.730 [INTRO MUSIC ENDS] 00:02:52.730 --> 00:03:00.110 JACK: Once ISIS took over Mosul and declared a caliphate, their popularity boomed. 00:03:00.110 --> 00:03:03.620 Tens of thousands of people around the world were learning what ISIS was and they were 00:03:03.620 --> 00:03:05.140 joining the cause. 00:03:05.140 --> 00:03:10.370 We started to see attacks in many other cities around the world and ISIS was taking responsibility 00:03:10.370 --> 00:03:11.440 for it. 00:03:11.440 --> 00:03:16.150 We were starting to see attacks in Belgium, Australia, Canada, and when I say attacks, 00:03:16.150 --> 00:03:18.690 I mean people were being killed by this group. 00:03:18.690 --> 00:03:24.220 REPORTER: Today the militant group ISIS posted a series of graphic photos on Twitter claiming 00:03:24.220 --> 00:03:27.840 a massacre of more than 1,700 Iraqi Soldiers. 00:03:27.840 --> 00:03:31.959 REPORTER2: Tonight, the urgent manhunt right now after the city of Brussels is rocked with 00:03:31.959 --> 00:03:35.240 multiple explosions at the airport and then in the subway. 00:03:35.240 --> 00:03:37.920 At least thirty-one killed; more than two hundred injured. 00:03:37.920 --> 00:03:43.110 REPORTER3: Two people are dead tonight in Ottawa, a Canadian soldier and a suspect after 00:03:43.110 --> 00:03:46.730 a shooting on Parliament Hill, Canada’s equivalent of Capitol Hill. 00:03:46.730 --> 00:03:51.480 A violent morning that culminated in a shootout inside the ornate building where lawmakers 00:03:51.480 --> 00:03:53.489 were caucusing. [GUNFIRE] 00:03:53.489 --> 00:03:57.130 JACK: Gosh, that sounds so scary. 00:03:57.130 --> 00:04:01.490 That’s not the streets of Iraq; that’s ISIS shooting up the Parliament building in 00:04:01.490 --> 00:04:04.269 the capital of Canada. 00:04:04.269 --> 00:04:08.629 The Iraqi military simply didn’t have the ability to take back their own city and with 00:04:08.629 --> 00:04:13.250 ISIS growing in numbers all over the world, [00:05:00] something had to be done. 00:04:13.250 --> 00:04:20.579 In October 2014, the US military initiated executive order Operation Inherent Resolve. 00:04:20.579 --> 00:04:24.910 HOST: Okay, so what is the Navy’s role in Inherent Resolve which is the new name of 00:04:24.910 --> 00:04:26.790 the anti-ISIS coalition movement? 00:04:26.790 --> 00:04:31.700 NAVY OFF.: We provide sorties, meaning missions, off of our aircraft carrier, the George Herbert 00:04:31.700 --> 00:04:32.919 Walker Bush. 00:04:32.919 --> 00:04:36.950 Some of it is just information; intelligence, surveillance, reconnaissance. 00:04:36.950 --> 00:04:41.070 Others are strikes and it depends on what the central commander desires. 00:04:41.070 --> 00:04:47.310 It could be jamming of some of ISIS’s networks and what they’re doing, it can be again, 00:04:47.310 --> 00:04:48.310 intelligence gathering. 00:04:48.310 --> 00:04:53.530 We are standing by with tomahawk missiles, tens and tens of them which in fact, we used 00:04:53.530 --> 00:04:55.900 on that first night when we started this operation. 00:04:55.900 --> 00:04:58.840 JACK: Jeez, tomahawk missiles? 00:04:58.840 --> 00:05:03.500 This is serious business and yes, that Navy ship was launching these missiles right into 00:05:03.500 --> 00:05:10.030 Mosul, raining down one attack after another, taking out ISIS infrastructure, some key leaders, 00:05:10.030 --> 00:05:11.150 their troops. 00:05:11.150 --> 00:05:16.400 But tens of thousands of people formed ISIS so it wasn’t easy to stop them with airstrikes 00:05:16.400 --> 00:05:17.400 alone. 00:05:17.400 --> 00:05:22.479 ISIS continued to take over towns in Iraq and Syria and claimed responsibility for more 00:05:22.479 --> 00:05:24.930 terrorist attacks around the world. 00:05:24.930 --> 00:05:30.210 One of these attacks occurred in November of 2015 in Paris, France. 00:05:30.210 --> 00:05:36.220 REPORTER4: [COMMOTION, EXPLOSIONS] 9:20 p.m.; the first indication of the horror being unleashed 00:05:36.220 --> 00:05:37.220 that night. 00:05:37.220 --> 00:05:42.820 A suicide bomber exploding his vest outside France’s national soccer stadium. 00:05:42.820 --> 00:05:46.800 There was a second detonation, another suicide bomber. 00:05:46.800 --> 00:05:51.720 Both attackers, it seems, had been stopped before they could get in. 00:05:51.720 --> 00:05:58.230 A third attacker would blow himself up outside a nearby McDonalds. 00:05:58.230 --> 00:06:04.700 Around 9:25, gunmen with Kalashnikov-type assault weapons targeted diners at a string 00:06:04.700 --> 00:06:05.810 of restaurants. 00:06:05.810 --> 00:06:08.170 Fifteen people were killed. 00:06:08.170 --> 00:06:10.690 The gunmen raced away in a black car. 00:06:10.690 --> 00:06:14.430 Next, the café Bonne Bière was hit. 00:06:14.430 --> 00:06:16.680 Five people were killed. 00:06:16.680 --> 00:06:24.940 At 9:36, at Le Belle Epoque, sheer terror; the same black car, the crowded terrorists 00:06:24.940 --> 00:06:26.840 sprayed with gunfire. 00:06:26.840 --> 00:06:29.580 Witnesses say it went on and on. 00:06:29.580 --> 00:06:31.630 Nineteen people died here. 00:06:31.630 --> 00:06:33.849 Nine others were critically injured. 00:06:33.849 --> 00:06:39.590 The epicenter of the attack though, would be the Bataclan, a concert venue. 00:06:39.590 --> 00:06:45.569 [MUSIC] As the band, Eagles of Death Metal played, gunmen rushed the hall and opened 00:06:45.569 --> 00:06:47.500 fire. 00:06:47.500 --> 00:06:53.900 [GUNFIRE] Those who escaped, the survivors, called it a massacre, a mass-execution. 00:06:53.900 --> 00:06:57.379 Eighty-nine people were killed. 00:06:57.379 --> 00:06:58.900 JACK: This was bad. 00:06:58.900 --> 00:07:02.460 Other attacks were springing up all over the world. 00:07:02.460 --> 00:07:06.190 Operation Inherent Resolve needed more help to battle these terrorists. 00:07:06.190 --> 00:07:10.520 Here’s a clip from one of the captains on the carrier stationed in the Persian Gulf 00:07:10.520 --> 00:07:12.690 which was launching missiles at ISIS. 00:07:12.690 --> 00:07:16.030 CAPTAIN: The airstrikes can only do so much and we’re very, very effective. 00:07:16.030 --> 00:07:20.389 We’re there to support but I think in the end it’s going to be a ground fight. 00:07:20.389 --> 00:07:25.150 JACK: They needed more help to stop these terrorists so some phone calls were made. 00:07:25.150 --> 00:07:26.520 [SKYPE CALLING] Hello? 00:07:26.520 --> 00:07:28.790 COMM.: Jack, hey, it’s [CENSORED]. 00:07:28.790 --> 00:07:30.160 How’s it going? 00:07:30.160 --> 00:07:31.460 JACK: Good to hear from you. 00:07:31.460 --> 00:07:32.460 Thanks so much. 00:07:32.460 --> 00:07:35.220 Sorry; in this one, I can’t say our guest’s name. 00:07:35.220 --> 00:07:38.380 You’ll understand later but for now let’s just call him the Commander. 00:07:38.380 --> 00:07:42.560 COMM.: This is kind of a fanboy moment for myself, to be honest. 00:07:42.560 --> 00:07:47.849 JACK: Okay, you’re gonna wonder how I got this interview because as you’ll hear, this 00:07:47.849 --> 00:07:49.710 is an extremely rare interview. 00:07:49.710 --> 00:07:54.031 I’ll explain how I got all that at the end of this episode but I do want you to understand 00:07:54.031 --> 00:07:55.620 more about who he is. 00:07:55.620 --> 00:08:03.639 COMM.: Okay, so in 2016 I was the mission commander for a combat mission team at USCYBERCOM. 00:08:03.639 --> 00:08:09.130 JACK: Yeah, US Cyber Command is believed to be the offensive team within the NSA. 00:08:09.130 --> 00:08:12.669 Actually, it came out of the NSA but now it’s its own thing. 00:08:12.669 --> 00:08:18.090 Yeah, you got that right, today we’re going to hear a hacking story from someone inside 00:08:18.090 --> 00:08:24.110 the US Cyber Command which is a very secret hacking organization within the US government 00:08:24.110 --> 00:08:26.940 which makes this an extremely rare interview. 00:08:26.940 --> 00:08:28.840 So, are you ready for this? 00:08:28.840 --> 00:08:35.050 [MUSIC] Okay, so let’s back up; the Commander here wasn’t always a commander. 00:08:35.050 --> 00:08:40.370 He started out as a regular recruit in the Marines but quickly he knew he wanted more. 00:08:40.370 --> 00:08:48.040 COMM.: I was a Force RECON Marine for my first five years. 00:08:48.040 --> 00:08:52.810 I jumped out of planes, I did the HALO, HAHO, scuba dive, all that stuff. 00:08:52.810 --> 00:08:54.640 JACK: Whoa, this guy’s a beast. 00:08:54.640 --> 00:08:57.260 I mean, my understanding is that the Marines train you to be a killer. 00:08:57.260 --> 00:09:02.269 It’s a very aggressive branch of the military but Force RECON amplifies that immensely. 00:09:02.269 --> 00:09:04.890 They’re the highest-trained troops in the Marines. 00:09:04.890 --> 00:09:10.399 In 2012, he was deployed to Afghanistan in the Sangin province; a tough place. 00:09:10.399 --> 00:09:14.661 He was trying to neutralize the [00:10:00] Taliban over there, doing helo raids and other 00:09:14.661 --> 00:09:16.130 operations. 00:09:16.130 --> 00:09:20.350 After a few years of that he came back and spent a total of five years as an active Force 00:09:20.350 --> 00:09:21.350 RECON Marine. 00:09:21.350 --> 00:09:25.360 COMM.: You get older, things get harder, physically. 00:09:25.360 --> 00:09:28.649 The way to stay in the fight is to use cyber. 00:09:28.649 --> 00:09:33.680 JACK: The Marines give you a little wiggle room on where you can choose you want to go. 00:09:33.680 --> 00:09:39.589 He decided to join the Marine Force’s Cyber Command but with this switch, they knew they 00:09:39.589 --> 00:09:40.650 needed to give him some training. 00:09:40.650 --> 00:09:41.650 COMM.: They did. 00:09:41.650 --> 00:09:45.990 They sent me to school for larger cyber-security stuff. 00:09:45.990 --> 00:09:50.810 Just basic Security Plus, Network Plus, CEH. 00:09:50.810 --> 00:09:56.560 Then they did put us through some more technical training for computer network exploitation 00:09:56.560 --> 00:10:00.529 boot camps and cyber-attack and defend. 00:10:00.529 --> 00:10:04.279 Eventually you attend a mission commander course for what my role was as an officer. 00:10:04.279 --> 00:10:06.830 JACK: At this point he’s an officer for MARFORCYBER. 00:10:06.830 --> 00:10:09.860 That’s short for Marine Force’s Cyber Command. 00:10:09.860 --> 00:10:10.860 Okay. 00:10:10.860 --> 00:10:16.170 Now, let me read to you a paraphrased version of the mission statement for this group, MARFORCYBER. 00:10:16.170 --> 00:10:21.780 The mission statement is quote, “To conduct full spectrum cyber-space operations, including 00:10:21.780 --> 00:10:25.640 conducting offensive cyber-space operations.” 00:10:25.640 --> 00:10:27.240 End quote. 00:10:27.240 --> 00:10:28.640 Phew, listen to that. 00:10:28.640 --> 00:10:32.010 They conduct offensive cyber-space operations. 00:10:32.010 --> 00:10:36.570 I once heard the US government has never admitted to conducting any cyber-space attacks but 00:10:36.570 --> 00:10:41.070 look at this; it’s right here in the mission statement of MARFORCYBER and when I think 00:10:41.070 --> 00:10:46.230 about the mindset that the Marines have and how they’re so competitive and gung-ho and 00:10:46.230 --> 00:10:50.980 battle-hungry, I just can’t imagine what kind of hackers would come out of this. 00:10:50.980 --> 00:10:54.250 COMM.: Everybody always says oh, we’re shooting cyber-bullets today. 00:10:54.250 --> 00:10:55.750 We’re going out on patrol. 00:10:55.750 --> 00:11:01.990 It’s funny but it’s true and then, you know, we always try to keep that mindset, 00:11:01.990 --> 00:11:03.800 especially in the Marines. 00:11:03.800 --> 00:11:08.189 The Marines are known to be more aggressive and that was not different in cyber. 00:11:08.189 --> 00:11:10.460 Our team was the first to do a lot of things. 00:11:10.460 --> 00:11:15.470 JACK: You’re a computer geek or you’re a buff guy, right? 00:11:15.470 --> 00:11:17.130 Which one is it, or is it both? 00:11:17.130 --> 00:11:22.760 COMM.: There’s a lot of buff dudes in cyber, to be honest, but it’s pretty funny. 00:11:22.760 --> 00:11:24.480 We still do all of that same kind of stuff. 00:11:24.480 --> 00:11:29.290 I know people have some traditions when you’re the first – for your first cyber-mission 00:11:29.290 --> 00:11:35.970 on the ops floor, they’ll make you wear a flak jacket or a helmet to look goofy when 00:11:35.970 --> 00:11:39.610 you’re sitting in front of the computer ‘cause it’s your first op. 00:11:39.610 --> 00:11:43.970 That tradition still comes into play in some of the op floors today. 00:11:43.970 --> 00:11:52.180 There is still that military mindset of messing with people and things like that. 00:11:52.180 --> 00:11:54.380 It’s pretty funny; I find it fun. 00:11:54.380 --> 00:11:59.510 JACK: This is how he transformed from being a trained killer to a capable hacker. 00:11:59.510 --> 00:12:03.450 He’s on a new mission now; to battle the enemy from behind the screen. 00:12:03.450 --> 00:12:08.670 COMM.: We’re all in uniform sitting in front of a computer screen; four screens just like 00:12:08.670 --> 00:12:09.910 at the movies. 00:12:09.910 --> 00:12:12.269 Everybody’s in uniform, working on things. 00:12:12.269 --> 00:12:17.800 If you’re at very sensitive locations and sites, you’ll be out of uniform and things 00:12:17.800 --> 00:12:18.820 like that. 00:12:18.820 --> 00:12:23.880 But at Fort Meade you’re in uniform the whole time. 00:12:23.880 --> 00:12:33.790 The fall of 2014, I was finishing up all of my training and they had just started a team 00:12:33.790 --> 00:12:37.620 between NSA and CYBERCOM that was focused solely on ISIS media. 00:12:37.620 --> 00:12:39.820 JACK: Ah, yes, back to ISIS. 00:12:39.820 --> 00:12:44.450 ISIS, or sometimes it’s called ISIL, produces a ton of media content. 00:12:44.450 --> 00:12:48.380 I mean, they have two magazines that are published in ten different languages. 00:12:48.380 --> 00:12:50.440 These magazines are excellent quality, too. 00:12:50.440 --> 00:12:54.820 They’re very well-done; high quality pictures from the front lines and expertly designed. 00:12:54.820 --> 00:12:59.570 They also have a ton of social media accounts that post news stories and even act as recruitment 00:12:59.570 --> 00:13:01.079 tools for new members. 00:13:01.079 --> 00:13:05.630 They also have people producing high-quality videos, filming horrific things, then editing 00:13:05.630 --> 00:13:08.960 them and cleaning them up to maximize the impact to the viewer. 00:13:08.960 --> 00:13:13.839 To run all this, they must have a whole network to share content between the teams, to store 00:13:13.839 --> 00:13:18.230 the videos and pictures, and then a bunch of skilled people to run everything. 00:13:18.230 --> 00:13:25.690 COMM.: ISIS media was everything that involved the production of their magazines, the videos 00:13:25.690 --> 00:13:31.980 that everyone saw come out, the logos, the attack claims, all of the social media accounts 00:13:31.980 --> 00:13:37.250 that they had, the websites; everything that was associated with that was what was under 00:13:37.250 --> 00:13:41.570 the umbrella of ISIS media. 00:13:41.570 --> 00:13:42.600 They had a lot of people. 00:13:42.600 --> 00:13:49.830 [MUSIC] We’re talking cameramen, we’re talking editors, we’re talking linguists 00:13:49.830 --> 00:13:54.280 for translating things into every language across the world so that they could disseminate 00:13:54.280 --> 00:14:01.820 their message, you have your own IT shops, and finance guys. 00:14:01.820 --> 00:14:08.410 It was a large-scale operation and you could see that in all the videos that came out. 00:14:08.410 --> 00:14:15.449 They were Hollywood-quality videos that were hitting CNN [00:15:00] and ABC on a daily 00:14:15.449 --> 00:14:17.389 basis, almost. 00:14:17.389 --> 00:14:19.690 That was all ISIS media. 00:14:19.690 --> 00:14:25.019 JACK: Since the US government was already using intelligence operations to keep tabs 00:14:25.019 --> 00:14:30.199 on ISIS, they felt that ISIS media was big enough to create a team to just focus on this 00:14:30.199 --> 00:14:31.199 alone. 00:14:31.199 --> 00:14:35.370 COMM.: ISIS media had been on the scene for about a year before that. 00:14:35.370 --> 00:14:42.880 Then in 2014 in the fall, it was finally becoming so big that it was its own entity and warranted 00:14:42.880 --> 00:14:48.839 its own dedicated analysis production targeting effort. 00:14:48.839 --> 00:14:56.620 That’s where they pulled a few Marines together, a few civilians, and started a pretty crack-net 00:14:56.620 --> 00:14:58.000 team. 00:14:58.000 --> 00:15:01.550 Then I took over the team at the end of the year, in 2014. 00:15:01.550 --> 00:15:04.300 JACK: Oh wow, this is very interesting, right? 00:15:04.300 --> 00:15:10.190 From Force RECON Marine to MARFORCYBER, and now to the NSA and Cyber Command to gather 00:15:10.190 --> 00:15:14.399 as much information as he can on ISIS media. 00:15:14.399 --> 00:15:17.090 ISIS media became his primary focus. 00:15:17.090 --> 00:15:22.160 All day, every day, him and his team were there doing everything they could to understand 00:15:22.160 --> 00:15:23.900 who’s behind this. 00:15:23.900 --> 00:15:31.199 COMM.: [MUSIC] We were trying to map out the network, so everything behind – everything 00:15:31.199 --> 00:15:36.040 that made ISIS media tick was what we were supposed to uncover and define. 00:15:36.040 --> 00:15:38.209 People, places, things, everything behind it. 00:15:38.209 --> 00:15:47.500 The analogy I give people is if you look at CNN or you look at a regional news office, 00:15:47.500 --> 00:15:51.830 they have senior editors, they have people that do translations, they have a web guy 00:15:51.830 --> 00:15:57.410 that sets up the website, they have a guy that configures domain names, a guy that – the 00:15:57.410 --> 00:16:03.690 IT staff that keeps the shared drives running, keeps the e-mail accounts up, their chat services 00:16:03.690 --> 00:16:07.269 up, so that they can conduct their daily business. 00:16:07.269 --> 00:16:14.040 You have your field journalists and cameramen and all of those – all of that stuff. 00:16:14.040 --> 00:16:19.430 JACK: The goal was to simply gather data; basically, spy on them and collect as much 00:16:19.430 --> 00:16:21.750 data as they could from this group. 00:16:21.750 --> 00:16:23.720 They did this for a long time. 00:16:23.720 --> 00:16:32.860 COMM.: 2014 all the way through to summer of 2016 was analysis, development, building 00:16:32.860 --> 00:16:40.320 out the network, understanding how they operated, what they did. 00:16:40.320 --> 00:16:46.010 We spent a year and a half just understanding the target space and building out a high-fidelity 00:16:46.010 --> 00:16:47.010 network. 00:16:47.010 --> 00:16:50.660 JACK: Just to give you an idea of where we are in the timeline, this is still before 00:16:50.660 --> 00:16:53.680 ISIS invaded Mosul and declared a caliphate. 00:16:53.680 --> 00:16:58.380 Here, already, the NSA and US Cyber Command are tracking them heavily. 00:16:58.380 --> 00:17:02.220 Now, can you imagine how much data they collected in this time? 00:17:02.220 --> 00:17:06.610 I mean, we’re talking the NSA and Cyber Command here and dedicating a whole team to 00:17:06.610 --> 00:17:09.230 investigate this for two solid years. 00:17:09.230 --> 00:17:13.579 By that time and with those resources, I’m sure they must have had everyone’s name 00:17:13.579 --> 00:17:18.699 who is behind ISIS media and where it was edited, who’s running the social media accounts, 00:17:18.699 --> 00:17:20.339 what software they’re running. 00:17:20.339 --> 00:17:22.230 I bet that goes so much deeper. 00:17:22.230 --> 00:17:26.449 He didn’t say but I bet they hacked into all these people, too. 00:17:26.449 --> 00:17:30.549 They had access to their phones and laptops and facilities, everything, to gather as much 00:17:30.549 --> 00:17:35.540 data as they could, probably even their spouses, and relatives, and bosses, and friends, too. 00:17:35.540 --> 00:17:39.940 I bet they were infecting all these systems and burrowing their way deep into the ISIS 00:17:39.940 --> 00:17:45.830 media network, and then establishing persistence to maintain their foothold in there. 00:17:45.830 --> 00:17:50.340 Because if you think about this, this is all going on in the same building that the NSA 00:17:50.340 --> 00:17:54.590 headquarters are in, in Fort Meade, Maryland; that big, black, box of a building that I’m 00:17:54.590 --> 00:17:56.370 sure you’ve seen pictures of. 00:17:56.370 --> 00:17:59.960 If they needed more help, they could just walk down the hall and get another group of 00:17:59.960 --> 00:18:03.400 people who are specialized in something to help them out. 00:18:03.400 --> 00:18:08.690 I mean, I’m just guessing here but here’s an attack I think they probably did; first, 00:18:08.690 --> 00:18:13.120 imagine if they hacked into the phone of one of these ISIS media people and then on that 00:18:13.120 --> 00:18:16.950 phone, they stole the private decryption keys for that phone. 00:18:16.950 --> 00:18:20.059 This would be the key used to decrypt messages to that phone. 00:18:20.059 --> 00:18:25.790 Then, imagine they hacked into the WiFi network that phone was on and somehow captured all 00:18:25.790 --> 00:18:28.040 the traffic to that phone. 00:18:28.040 --> 00:18:32.630 Somewhere in that traffic are the private chat messages to that phone and with these 00:18:32.630 --> 00:18:38.260 private keys, I’m guessing it’s technically possible to decrypt those messages. 00:18:38.260 --> 00:18:42.789 This would be a pretty complex hack but I bet it’s something that US Cyber Command 00:18:42.789 --> 00:18:43.789 could do. 00:18:43.789 --> 00:18:46.760 COMM.: We had a long target list. 00:18:46.760 --> 00:18:56.429 You think of a large graph; just pictures, servers, domains, accounts, all connected 00:18:56.429 --> 00:18:59.380 with lines. 00:18:59.380 --> 00:19:01.430 We had a pretty good understanding of the whole thing. 00:19:01.430 --> 00:19:05.410 JACK: I can just picture it now, a big map on the wall linking everything together with 00:19:05.410 --> 00:19:07.440 photos of everyone. 00:19:07.440 --> 00:19:11.510 It probably looks like a map that the FBI would create when building a case on someone; 00:19:11.510 --> 00:19:13.450 [00:20:00] red strings connecting everything together. 00:19:13.450 --> 00:19:18.929 COMM.: I feel like there’s very few people that know as much about ISIS media as me and 00:19:18.929 --> 00:19:25.230 a couple other guys on the team. 00:19:25.230 --> 00:19:30.880 In 2015, if you remember in the summer and early fall, that’s when ISIS attacks started 00:19:30.880 --> 00:19:37.710 to really pick up and they started to have those horrific videos and beheadings and kidnappings 00:19:37.710 --> 00:19:40.799 of Westerners. 00:19:40.799 --> 00:19:47.740 The leadership congress and Secretary Carter at the time were getting fed up with all of 00:19:47.740 --> 00:19:53.010 this going on and having it be all over the news so people were getting a little angry 00:19:53.010 --> 00:19:56.310 in leadership and they wanted something done about it. 00:19:56.310 --> 00:20:01.240 We weren’t really doing any ops to counter it at that time. 00:20:01.240 --> 00:20:06.770 JACK: Because they had extensive knowledge of ISIS media, they started to think could 00:20:06.770 --> 00:20:12.460 we – would it be possible for us to actually disrupt them instead of just spy on them? 00:20:12.460 --> 00:20:16.980 They started to devise some plans to actually take down some of ISIS media. 00:20:16.980 --> 00:20:21.440 They were developing tactical cyber-attacks to take out a website or take control of it, 00:20:21.440 --> 00:20:23.030 or delete an entire server. 00:20:23.030 --> 00:20:27.520 They came up with a plan to take out just part of a network in one country as sort of 00:20:27.520 --> 00:20:29.860 a test run to see how effective this would be. 00:20:29.860 --> 00:20:36.070 COMM.: Made it so that we had some confidence in what we could do in our abilities and then 00:20:36.070 --> 00:20:44.000 General Hawk came back and was like, what do we do now? 00:20:44.000 --> 00:20:45.330 How much bigger can we go? 00:20:45.330 --> 00:20:47.570 What’s the next step? 00:20:47.570 --> 00:20:50.080 We said we can go global. 00:20:50.080 --> 00:20:51.890 Let’s go global. 00:20:51.890 --> 00:20:56.770 [MUSIC] Instead of one country or two countries, let’s go global. 00:20:56.770 --> 00:20:58.190 Let’s do everything. 00:20:58.190 --> 00:21:01.820 JACK: After the break, we’ll hear how this mission went global. 00:21:01.820 --> 00:21:04.490 Stay with us. 00:21:04.490 --> 00:21:08.640 The Commander felt like he had the skills and expertise to take out more of ISIS media 00:21:08.640 --> 00:21:12.150 but the leadership wasn’t sure if this was the right course of action. 00:21:12.150 --> 00:21:13.870 They needed something else. 00:21:13.870 --> 00:21:16.840 COMM.: The icing on the cake was November. 00:21:16.840 --> 00:21:25.799 You had the Paris attacks which were the horrible Paris attacks and that kind of was the final 00:21:25.799 --> 00:21:35.940 straw to where early December and before Christmas, Secretary Carter said I want options; we have 00:21:35.940 --> 00:21:39.429 to do something big now. 00:21:39.429 --> 00:21:47.790 Up until November 2015, it was all sit, listen, and enable other kinetic operations for the 00:21:47.790 --> 00:21:53.210 guys on the ground, help inform them to do certain things. 00:21:53.210 --> 00:22:01.200 There wasn’t a mindset or an appetite at the time for hey, let’s do a strictly cyber-operation 00:22:01.200 --> 00:22:08.260 to try and stop this media or try to diminish their impact of an attack in the publicity 00:22:08.260 --> 00:22:11.150 side of things. 00:22:11.150 --> 00:22:15.500 We were ready at a tactical level, I felt like, but there wasn’t that appetite at 00:22:15.500 --> 00:22:23.159 higher levels to say oh, we can do something that’s purely cyber and have an impact on 00:22:23.159 --> 00:22:27.510 this terrorist apparatus that’s over there. 00:22:27.510 --> 00:22:33.119 JACK: He was looking over his big map of ISIS media, looking over all the connections, drawing 00:22:33.119 --> 00:22:38.570 a connection from this system to that system to that network and this person, and making 00:22:38.570 --> 00:22:39.570 all these connections. 00:22:39.570 --> 00:22:46.020 He was looking at the map and all of a sudden it started to make sense; things became crystal 00:22:46.020 --> 00:22:47.020 clear. 00:22:47.020 --> 00:22:53.580 There were a few key nodes that if you were to disrupt or take out these key nodes, the 00:22:53.580 --> 00:22:55.950 whole thing might come crashing down. 00:22:55.950 --> 00:23:01.190 This was a big discovery for the Commander. 00:23:01.190 --> 00:23:04.740 He double-checked his work and looked over it again and yeah, this making sense. 00:23:04.740 --> 00:23:07.740 This was the way to take out ISIS media. 00:23:07.740 --> 00:23:09.370 Attack these nodes and it all unravels. 00:23:09.370 --> 00:23:17.040 COMM.: That’s when I had my ah-ha moment, [00:25:00] my Pepe Silvia moment. 00:23:17.040 --> 00:23:25.000 We’ve been staring at this data for a long time at all of these lists and information 00:23:25.000 --> 00:23:29.560 and then in February, it kind of struck me that it was all connected and it was very 00:23:29.560 --> 00:23:30.560 centralized. 00:23:30.560 --> 00:23:37.610 I remember running downstairs to my boss’s office in the basement in NSA and starting 00:23:37.610 --> 00:23:45.070 to draw on the board circles with names and numbers and drawing the lines together and 00:23:45.070 --> 00:23:47.690 then saying sir, it’s all connected, it’s all here. 00:23:47.690 --> 00:23:52.500 If we take this out, it all goes away or these five things, it’ll all fall apart. 00:23:52.500 --> 00:23:54.799 It’s a house of cards. 00:23:54.799 --> 00:23:56.370 JACK: This was a big moment. 00:23:56.370 --> 00:24:01.600 The leadership agreed that perhaps using hacking to take out ISIS media would be an effective 00:24:01.600 --> 00:24:02.600 approach. 00:24:02.600 --> 00:24:06.309 With this strategy, a new task force had to be created to handle this. 00:24:06.309 --> 00:24:12.020 First, they decided to start creating Joint Task Force ARES, or JTF-ARES for short. 00:24:12.020 --> 00:24:15.620 Now, JTF-ARES was formed to carry out a specific mission. 00:24:15.620 --> 00:24:23.580 COMM.: JTF-ARES is just cyber-specialists that focus in offensive cyber-operations against 00:24:23.580 --> 00:24:25.980 ISIS. JACK: Whoa, wicked. 00:24:25.980 --> 00:24:32.340 A group of military-trained hackers all coming together to making Joint Task Force ARES specifically 00:24:32.340 --> 00:24:35.350 to target ISIS and ISIS media. 00:24:35.350 --> 00:24:39.710 While this task force was getting spun up, the captains had to decide on what the mission 00:24:39.710 --> 00:24:40.710 would be. 00:24:40.710 --> 00:24:44.919 Now, in my opinion, this is where a major shift in operations took place. 00:24:44.919 --> 00:24:49.789 You see, we know that the military and the NSA collects data and they listen for signals 00:24:49.789 --> 00:24:51.140 and decipher the messages. 00:24:51.140 --> 00:24:55.890 Yeah, sometimes they break into a computer to get that data but still, that’s all it 00:24:55.890 --> 00:24:56.890 is. 00:24:56.890 --> 00:24:58.220 It’s gathering data from the adversary. 00:24:58.220 --> 00:25:02.940 But here, here’s where a big change takes place. 00:25:02.940 --> 00:25:08.690 [MUSIC] See, up until this point, all this team was doing was listening and watching 00:25:08.690 --> 00:25:09.690 and collecting. 00:25:09.690 --> 00:25:14.270 Yeah, they hacked into the enemy to listen and collect but that’s all they were instructed 00:25:14.270 --> 00:25:15.970 and legally allowed to do. 00:25:15.970 --> 00:25:23.830 But now, leadership is granting them the ability to disrupt, degrade, and destroy the target 00:25:23.830 --> 00:25:25.950 using cyber-attacks. 00:25:25.950 --> 00:25:27.620 This is a big difference. 00:25:27.620 --> 00:25:32.480 It’s kind of like the difference between someone on the roof with a pair of binoculars 00:25:32.480 --> 00:25:37.730 versus someone on the roof with a long-barreled rifle and a scope with orders to kill. 00:25:37.730 --> 00:25:39.260 You see the difference? 00:25:39.260 --> 00:25:45.820 They were never allowed to weaponize their hacks to destroy before but now, now they’re 00:25:45.820 --> 00:25:48.380 getting permission to do this. 00:25:48.380 --> 00:25:53.270 I think this is about to get a little hairy. 00:25:53.270 --> 00:25:58.000 But first thing’s first; they need to come up with a name for this cyber-operation. 00:25:58.000 --> 00:26:04.020 COMM.: That is a funny story and I’m glad that I get to tell you that. 00:26:04.020 --> 00:26:11.940 The way that military operations are named is that every unit in a specific AO, in a 00:26:11.940 --> 00:26:16.470 specific area, gets assigned two letters. 00:26:16.470 --> 00:26:22.580 Those two letters have to be the first part of the word that starts their operation. 00:26:22.580 --> 00:26:34.309 So, GL was assigned to Marine operations from Cyber Command and so we had to pick the first 00:26:34.309 --> 00:26:36.899 word to make the operation. 00:26:36.899 --> 00:26:42.590 GL; we sat down, a bunch of captains, and tried to come up with the most badass words 00:26:42.590 --> 00:26:43.900 that started with GL. 00:26:43.900 --> 00:26:49.000 We were like Gladiator, Gladius, Global. 00:26:49.000 --> 00:26:54.860 Then the second word in the name of an operation is just whatever you want it be. 00:26:54.860 --> 00:27:03.110 You can do like, Gladiator Something, or Global Something, and it would all be Global XYZ, 00:27:03.110 --> 00:27:06.360 Global ABC. 00:27:06.360 --> 00:27:10.130 We were coming up with all these cool names or things that we thought were cool. 00:27:10.130 --> 00:27:14.630 Then it came down from higher that they were like, the word is Glowing. 00:27:14.630 --> 00:27:16.550 We were like, seriously? 00:27:16.550 --> 00:27:17.550 Glowing? 00:27:17.550 --> 00:27:19.290 That’s so not cool. 00:27:19.290 --> 00:27:25.820 Let’s pick something that’s more badass, that’s more hardcore. 00:27:25.820 --> 00:27:29.750 But that was what higher told us. 00:27:29.750 --> 00:27:37.510 Then the Symphony part came from – in Marine basic training when you’re calling for fire, 00:27:37.510 --> 00:27:43.250 so when you have artillery and air support and mortars and machine guns all shooting 00:27:43.250 --> 00:27:49.640 at the enemy, they say that it’s a symphony of destruction because it’s boom, boom, 00:27:49.640 --> 00:27:53.490 boom, like in a movie when they play the soundtrack and all the stuff’s blowing up. 00:27:53.490 --> 00:27:56.240 It’s a symphony of destruction. 00:27:56.240 --> 00:27:59.890 We just said we’re trying to have a symphony of destruction against the enemy here and 00:27:59.890 --> 00:28:04.059 take down all of the ISIS servers, domains, e-mails, whatever, at the same time. 00:28:04.059 --> 00:28:05.559 It’s gonna be great. 00:28:05.559 --> 00:28:09.370 Then one captain who was the corkiest one of the group was like, well, that’s the 00:28:09.370 --> 00:28:10.600 name; Glowing Symphony. 00:28:10.600 --> 00:28:12.480 We were like, that’s so lame, man. 00:28:12.480 --> 00:28:14.130 [00:30:00] It can’t be that. 00:28:14.130 --> 00:28:18.330 He wrote it down and then sent the e-mail so then it became Glowing Symphony. 00:28:18.330 --> 00:28:20.429 There was no turning back. 00:28:20.429 --> 00:28:21.960 JACK: Okay. 00:28:21.960 --> 00:28:28.559 COMM.: I know that was a lot to talk about but there’s only like, ten people who know 00:28:28.559 --> 00:28:32.530 that. JACK: I love it. 00:28:32.530 --> 00:28:42.260 [MUSIC] In May of 2016, Task Order 16-0063 was signed by President Barack Obama and Operation 00:28:42.260 --> 00:28:48.179 Glowing Symphony was a go, or OGS for short, and JTF-ARES was tasked to execute Operation 00:28:48.179 --> 00:28:51.400 Glowing Symphony with their first mission to take out ISIS media. 00:28:51.400 --> 00:28:55.899 COMM.: I was in JTF-ARES and I was the mission commander for that specific team. 00:28:55.899 --> 00:29:00.820 JACK: This is why I call him the Commander, because he’s the mission commander for all 00:29:00.820 --> 00:29:01.820 this. 00:29:01.820 --> 00:29:08.679 COMM.: A mission commander is a cyber-com term and a mission commander is the one who 00:29:08.679 --> 00:29:13.120 oversees a specific cyber-op or a mission for that day. 00:29:13.120 --> 00:29:20.720 It would be the same as if a unit goes out on a patrol and walks around enemy territory 00:29:20.720 --> 00:29:21.990 and comes back. 00:29:21.990 --> 00:29:25.909 The leader of that patrol is a cyber mission commander and that’s what I was. 00:29:25.909 --> 00:29:27.130 JACK: Okay, here we go. 00:29:27.130 --> 00:29:29.580 Time to get ready to fire some cyber-bullets. 00:29:29.580 --> 00:29:33.410 The commander just spent the last two years learning everything about ISIS media and is 00:29:33.410 --> 00:29:35.490 more than ready to carry out this mission. 00:29:35.490 --> 00:29:37.549 But first, he needed some troops. 00:29:37.549 --> 00:29:42.170 He was able to look around in the NSA and Cyber Command and different military branches 00:29:42.170 --> 00:29:43.710 to find the right candidates. 00:29:43.710 --> 00:29:47.350 COMM.: Yeah, we definitely hand-picked them. 00:29:47.350 --> 00:29:52.279 We assembled – I think it was four or five separate teams. 00:29:52.279 --> 00:29:57.200 JACK: Think of each team like a squad of soldiers infiltrating the enemy territory and doing 00:29:57.200 --> 00:29:59.480 a patrol and an objective. 00:29:59.480 --> 00:30:03.669 Each squad has to be independent on their own, being able to make decisions and look 00:30:03.669 --> 00:30:06.490 for the objective and execute on it. 00:30:06.490 --> 00:30:08.679 They had to start assembling these teams. 00:30:08.679 --> 00:30:12.430 COMM.: [MUSIC] There were four people per team. 00:30:12.430 --> 00:30:20.510 We had an intel analyst, an operator, a SIGDEV analyst, and then we had the team leader. 00:30:20.510 --> 00:30:22.980 JACK: First, let’s look at what an operator does. 00:30:22.980 --> 00:30:29.900 COMM.: You have a guy who’s an operator and he is very skilled at setting up the infrastructure, 00:30:29.900 --> 00:30:34.250 getting to a target, and getting from a target. 00:30:34.250 --> 00:30:40.730 Then also, he’s trained on the tools and approved on the tools to use on target. 00:30:40.730 --> 00:30:45.640 JACK: Interesting; not everyone on the team was approved to hit that Delete button or 00:30:45.640 --> 00:30:47.100 the Enter key. 00:30:47.100 --> 00:30:52.049 Only the operator was allowed to actually execute an objective but not only that, this 00:30:52.049 --> 00:30:56.830 would be an expert on computers; knowing what exploits to use to get into things and how 00:30:56.830 --> 00:30:58.740 to move around a network once you get in. 00:30:58.740 --> 00:31:01.620 This is probably one of their best-trained hackers on the team. 00:31:01.620 --> 00:31:08.690 COMM.: The person that would sit next to him was the SIGDEV signals analyst who understands 00:31:08.690 --> 00:31:14.090 the tools and the infrastructure but also understands the intricacies of the target 00:31:14.090 --> 00:31:18.490 like directory structures, domain names, domain admins, and things like that. 00:31:18.490 --> 00:31:24.029 He’ll know the larger target network and be able to provide the contacts to that guy 00:31:24.029 --> 00:31:25.290 on the keyboard. 00:31:25.290 --> 00:31:26.940 JACK: So fascinating. 00:31:26.940 --> 00:31:31.090 This is kind of like a navigator of some kind; somebody who knows the lay of the land so 00:31:31.090 --> 00:31:34.990 well and is like okay, here’s where the next objective is and here’s where you have 00:31:34.990 --> 00:31:35.990 to go next. 00:31:35.990 --> 00:31:37.500 Here’s where this thing will be. 00:31:37.500 --> 00:31:40.730 If you go down this way, then you’re gonna find this next thing. 00:31:40.730 --> 00:31:44.649 Crazy that there’s just some person sitting there who knows all this stuff, ready to help. 00:31:44.649 --> 00:31:49.610 COMM.: Then we have another intel analyst who sits to the other side and that intel 00:31:49.610 --> 00:31:57.639 analyst understands the typical targeting charts, so the face, the phone number, the 00:31:57.639 --> 00:32:03.850 friends, the terrorist group, the cells, the homes, the addresses, all of that stuff. 00:32:03.850 --> 00:32:08.149 He understands that larger picture that can help them when they’re on target of navigating 00:32:08.149 --> 00:32:09.149 through things. 00:32:09.149 --> 00:32:13.299 JACK: This is another really valuable person to have on the other side of you. 00:32:13.299 --> 00:32:18.330 This is someone who’s memorized faces and names and friends’ names, and locations 00:32:18.330 --> 00:32:22.650 because as you’re working your way through this strange, foreign network, you’re gonna 00:32:22.650 --> 00:32:27.190 come across words that just don’t make any sense, things like server names and network 00:32:27.190 --> 00:32:31.950 names and domain names, and e-mail addresses, and website names, stuff that when you got 00:32:31.950 --> 00:32:36.740 in there and saw it, you wouldn’t understand what that was unless you had this person sitting 00:32:36.740 --> 00:32:40.620 right next to you, explaining to you what you’re looking at because they’ve spent 00:32:40.620 --> 00:32:43.390 the last six months memorizing all of this stuff. 00:32:43.390 --> 00:32:49.370 COMM.: Then the mission commander is the one making sure that it all is going on correctly 00:32:49.370 --> 00:32:54.179 and that they’re going to accomplish the mission that they’re tasked to do, that 00:32:54.179 --> 00:33:00.179 everybody – we’re all following the rules and not stepping in places we shouldn’t 00:33:00.179 --> 00:33:06.660 go or going in places that are not legally allowed to go to in cyber-space. 00:33:06.660 --> 00:33:12.360 That’s the team and how it functions. 00:33:12.360 --> 00:33:16.540 JACK: [00:35:00] They started assembling these teams and one team wasn’t good enough; they 00:33:16.540 --> 00:33:18.919 wanted four, or five, or six of these teams. 00:33:18.919 --> 00:33:23.590 They started asking around at the NSA, US Cyber Command, or other military branches 00:33:23.590 --> 00:33:27.210 to see if anyone fits these criteria to recruit them. 00:33:27.210 --> 00:33:31.289 COMM.: We’ve reached out to the other units, asked for these types of quals and the people 00:33:31.289 --> 00:33:32.880 that we knew that were there. 00:33:32.880 --> 00:33:37.370 Then they coughed up those people in the task orders to come over. 00:33:37.370 --> 00:33:42.289 JACK: Amazing; we’ve got quite the crack team of highly-skilled hackers now. 00:33:42.289 --> 00:33:47.260 This is, what, dozens of military-trained hackers, or troops, soldiers? 00:33:47.260 --> 00:33:50.620 All with the resources of the US military behind them. 00:33:50.620 --> 00:33:55.059 If they needed to, they can use some pretty cutting-edge hacking tools for this or they 00:33:55.059 --> 00:34:00.150 can get help from some much smarter people if they need to; linguists, interpreters, 00:34:00.150 --> 00:34:03.960 code-breakers, developers, or access to aerial photos. 00:34:03.960 --> 00:34:07.840 But as they’re getting the team together, there was tension in the air. 00:34:07.840 --> 00:34:13.850 COMM.: [MUSIC] As in any operation we had, all the accesses that we needed, and we were 00:34:13.850 --> 00:34:20.609 ready to go forward but we couldn’t go forward because we were still deconflicting with the 00:34:20.609 --> 00:34:26.960 inner agencies and having very high-up approvals come down before we could do it. 00:34:26.960 --> 00:34:29.109 JACK: There was a lot of talk from higher-ups. 00:34:29.109 --> 00:34:34.060 They were debating on whether or not this job might be better suited for the FBI or 00:34:34.060 --> 00:34:36.859 CIA or NSA, or other military branches. 00:34:36.859 --> 00:34:42.080 They weren’t sure if this is something that Cyber Command should be doing since it hasn’t 00:34:42.080 --> 00:34:44.580 done something like this in the past. 00:34:44.580 --> 00:34:51.119 COMM.: We were sitting there as hackers with all this access and it could go away at any 00:34:51.119 --> 00:34:53.500 moment, at any point in time. 00:34:53.500 --> 00:34:59.010 They’d catch onto what you’re doing and then it’s gone and they lock it down. 00:34:59.010 --> 00:35:01.300 We were nervous every day that went by that it would go away. 00:35:01.300 --> 00:35:07.590 JACK: It would go away as in ISIL media would catch onto you, is that what you mean? 00:35:07.590 --> 00:35:13.480 COMM.: Yeah, that they would catch onto – we had varying levels of access throughout their 00:35:13.480 --> 00:35:17.460 network from the people, places, and things. 00:35:17.460 --> 00:35:22.420 If they caught onto one part of it, we might not be able to get back. 00:35:22.420 --> 00:35:31.950 That would have made the operation less effective and maybe not even worth doing at all. 00:35:31.950 --> 00:35:36.130 Every day that went by we were like, nervous that it was gonna go away. 00:35:36.130 --> 00:35:41.210 JACK: Not only was time ticking on all this but there was also a lot of approvals that 00:35:41.210 --> 00:35:42.210 they had to go through. 00:35:42.210 --> 00:35:45.790 I mean after all, it’s the government and the government moves very slowly. 00:35:45.790 --> 00:35:50.599 COMM.: We had to do mission briefs up the chain to each of the higher officers before 00:35:50.599 --> 00:35:57.210 we went to go do it to make sure that they had confidence in our plan; saying that we’re 00:35:57.210 --> 00:36:00.569 gonna go out the door, we’re gonna make a right, we’re gonna go for five miles, 00:36:00.569 --> 00:36:03.600 we’re gonna make a left, then we’re gonna turn right on this street. 00:36:03.600 --> 00:36:06.980 We had to tell them everything we were gonna do. 00:36:06.980 --> 00:36:12.260 After we presented, the senior operator, myself, they’d always turn to us and put their hand 00:36:12.260 --> 00:36:17.040 on our shoulder and say are you sure we can do this? 00:36:17.040 --> 00:36:18.940 Are you sure we can do this? 00:36:18.940 --> 00:36:23.220 We were always like, yes, sir. 00:36:23.220 --> 00:36:27.770 Give me the green light, let’s go, let’s go. 00:36:27.770 --> 00:36:33.960 But nobody wanted us to fail because there was so much publicity within the community 00:36:33.960 --> 00:36:34.960 on it. 00:36:34.960 --> 00:36:38.670 JACK: Okay, now get this; this isn’t something the Commander told me about but there was 00:36:38.670 --> 00:36:40.780 someone else also joining the fight. 00:36:40.780 --> 00:36:42.090 Can you guess who? 00:36:42.090 --> 00:36:47.270 ANON: [MUSIC] Greetings, citizens of the world, governments and corporations, and Facebook. 00:36:47.270 --> 00:36:48.580 We are Anonymous. 00:36:48.580 --> 00:36:53.109 As most of you know by now, we started a cyber war on ISIS. 00:36:53.109 --> 00:37:00.200 Just a reminder; ISIS, we will hunt you, take down your sites, accounts, e-mails, and expose 00:37:00.200 --> 00:37:02.080 you from now on. 00:37:02.080 --> 00:37:04.370 No safe place for you online. 00:37:04.370 --> 00:37:07.630 You will be treated like a virus and we are the cure. 00:37:07.630 --> 00:37:09.840 Remember, we are Anonymous. 00:37:09.840 --> 00:37:10.849 We are legion. 00:37:10.849 --> 00:37:12.200 We do not forgive. 00:37:12.200 --> 00:37:13.630 We do not forget. 00:37:13.630 --> 00:37:14.630 Expect us. 00:37:14.630 --> 00:37:18.520 JACK: Yeah, so as the ISIS attacks started happening all over the world, Anonymous joined 00:37:18.520 --> 00:37:20.080 in on the fight, too. 00:37:20.080 --> 00:37:24.470 They were doing things like reporting thousands of ISIS Twitter accounts to Twitter and saying 00:37:24.470 --> 00:37:27.060 hey, ban these people, and Twitter would. 00:37:27.060 --> 00:37:31.290 They would report Facebook users that were ISIS members, and Instagram, all this stuff. 00:37:31.290 --> 00:37:36.020 Because the thing is, is one thing that Anonymous is pretty good at is finding out who you are 00:37:36.020 --> 00:37:37.390 and doxing you. 00:37:37.390 --> 00:37:43.589 They’re able to root out who these ISIS people are online and report them. 00:37:43.589 --> 00:37:45.720 They were getting accounts taken down like crazy. 00:37:45.720 --> 00:37:51.010 Some reports say that up to ten thousand accounts were taken down because of the activism that 00:37:51.010 --> 00:37:53.610 Anonymous was doing in this fight, as well. 00:37:53.610 --> 00:37:58.670 At the same time, Anonymous was actually taking down some of ISIS’s websites, too. 00:37:58.670 --> 00:38:03.599 While this is cool and all, it kind of threw a monkey wrench in some of the intelligence 00:38:03.599 --> 00:38:05.430 communities. 00:38:05.430 --> 00:38:09.710 How can you collect data on ISIS if ISIS is down? 00:38:09.710 --> 00:38:14.690 When a website that you’re tracking for years goes down, [00:40:00] why is it down? 00:38:14.690 --> 00:38:15.690 Who knocked it down? 00:38:15.690 --> 00:38:18.560 What’s going on here? 00:38:18.560 --> 00:38:23.020 The Commander didn’t say but I bet that he was watching this kind of stuff happening 00:38:23.020 --> 00:38:25.700 and trying to figure out who’s taking this stuff down. 00:38:25.700 --> 00:38:30.510 I’ve heard stories from other people in intelligence who actually got frustrated with 00:38:30.510 --> 00:38:34.980 this and went into some of the hacker chatrooms and said who’s the one taking down these 00:38:34.980 --> 00:38:35.980 websites? 00:38:35.980 --> 00:38:39.890 Then having chats with these hackers to like – not so much coordinate things but just 00:38:39.890 --> 00:38:43.760 back off on this for a little bit while we take care of it. 00:38:43.760 --> 00:38:49.050 We’ve got this in our sights and we’re gonna do something real soon; just cool it. 00:38:49.050 --> 00:38:53.119 While all these Anonymous operations were going on, approvals were starting to come 00:38:53.119 --> 00:38:56.340 through for the Operation Glowing Symphony. 00:38:56.340 --> 00:38:59.020 Things were starting to shape up. 00:38:59.020 --> 00:39:04.600 COMM.: [MUSIC] You could take the approach of let’s slowly degrade and disrupt it and 00:39:04.600 --> 00:39:11.720 take it down over time but you risk losing your access, you risk not being able to continue 00:39:11.720 --> 00:39:16.270 the slow degrading because they’re gonna learn every time something bad happens and 00:39:16.270 --> 00:39:20.630 harden their network; the people, the places, and everything that they have. 00:39:20.630 --> 00:39:29.180 What we saw with Glowing Symphony was an opportunity to give a massive blow to their operation, 00:39:29.180 --> 00:39:36.329 to take down everything that we could as fast as we could in one go, and then see what’s 00:39:36.329 --> 00:39:42.010 left, and then pick apart the little pieces that were left, the remnants that remained. 00:39:42.010 --> 00:39:48.580 That’s what the plan was to do, was go in and just decimate as much as we could in the 00:39:48.580 --> 00:39:55.230 shortest amount of time possible and then maintain engagement with the enemy through 00:39:55.230 --> 00:39:57.730 until they were no longer. 00:39:57.730 --> 00:39:58.750 That was the goal. 00:39:58.750 --> 00:40:01.869 JACK: Oh man, this is getting so good. 00:40:01.869 --> 00:40:06.069 You might wonder why I’m so excited about this because many of you think the NSA and 00:40:06.069 --> 00:40:10.960 the US Cyber Command are the bad guys; they’re setting up ways to constantly spy on innocent 00:40:10.960 --> 00:40:15.150 US civilians and they hoard zero-days and don’t tell the vendors that there’s bugs 00:40:15.150 --> 00:40:19.099 in the code, or that they’re trying to make encryption weaker, or make backdoors into 00:40:19.099 --> 00:40:21.290 things so they can defeat it. 00:40:21.290 --> 00:40:26.980 All this does sound bad and scary and I certainly don’t like it when the NSA overreaches on 00:40:26.980 --> 00:40:29.450 what they’re legally allowed to do. 00:40:29.450 --> 00:40:33.050 If anyone at the NSA is doing this kind of stuff, it’s naughty. 00:40:33.050 --> 00:40:34.050 Stop it. 00:40:34.050 --> 00:40:37.490 Privacy is important to me; please don’t try to ruin it. 00:40:37.490 --> 00:40:43.380 But I’m gonna put all that aside for this hour because in this case, in this specific 00:40:43.380 --> 00:40:49.540 course of action they’re doing, by decimating ISIS media, I can get behind this and I can’t 00:40:49.540 --> 00:40:53.940 think of many times where hacking to destroy someone’s computers is a good idea. 00:40:53.940 --> 00:40:59.590 At the same time, I’m excited to peek behind the curtain to see how US Cyber Command executes 00:40:59.590 --> 00:41:04.280 these missions and there’s a little part of me that kind of likes to watch chaos and 00:41:04.280 --> 00:41:05.280 destruction. 00:41:05.280 --> 00:41:10.930 Here’s a moment where I get to see the full force of US Cyber Command unleashing a devastating 00:41:10.930 --> 00:41:12.030 blow to ISIS. 00:41:12.030 --> 00:41:14.810 Doesn’t it get you excited too? 00:41:14.810 --> 00:41:19.660 I just feel so lucky to hear this firsthand from a commander within USCYBERCOM. 00:41:19.660 --> 00:41:21.180 These people are extremely tight-lipped. 00:41:21.180 --> 00:41:25.690 In fact, they’ve never claimed responsibility for any cyber-attacks like this, ever. 00:41:25.690 --> 00:41:29.849 Now, for the first time, you get to hear what operations are like inside there. 00:41:29.849 --> 00:41:31.010 This is crazy. 00:41:31.010 --> 00:41:33.170 Sorry, sorry Commander. 00:41:33.170 --> 00:41:34.170 Continue. 00:41:34.170 --> 00:41:36.460 What are we looking at here? 00:41:36.460 --> 00:41:37.460 What’s going on? 00:41:37.460 --> 00:41:41.500 COMM.: What they did have from the public view and in open-source intelligence, you 00:41:41.500 --> 00:41:48.720 could see they had over ten different languages of publication for their magazine. 00:41:48.720 --> 00:41:54.829 They had ten different websites at various locations with new domain names every day. 00:41:54.829 --> 00:42:01.780 They had domain names, they had web servers that were static IPs that they were spinning 00:42:01.780 --> 00:42:08.589 up for each specific language, they had magazines that were posted at accounts at free file 00:42:08.589 --> 00:42:12.590 upload sites where they would push all this stuff out, and the videos to download, and 00:42:12.590 --> 00:42:13.590 things like that. 00:42:13.590 --> 00:42:18.130 We all know that they had tons and tons of social media accounts that they were constantly 00:42:18.130 --> 00:42:19.359 pulling together. 00:42:19.359 --> 00:42:25.260 It’s already been publically reported; they had tons of telegram groups and tons of telegram 00:42:25.260 --> 00:42:29.099 accounts, so they have phones and they have e-mail addresses to set up those accounts 00:42:29.099 --> 00:42:30.329 all across the board. 00:42:30.329 --> 00:42:36.369 As they’re buying servers, you can assess that they have accounts at those specific 00:42:36.369 --> 00:42:38.250 providers. 00:42:38.250 --> 00:42:44.480 They had servers, they had domain names, they had e-mails, they had – you could look at 00:42:44.480 --> 00:42:49.080 the source code on a web page and see the file sharing server that served up the content 00:42:49.080 --> 00:42:50.869 for that web server. 00:42:50.869 --> 00:42:54.880 They had all of this laid out at a global scale. 00:42:54.880 --> 00:43:00.790 They didn’t care where it was in the world; they just wanted it to be cheap, fast, and 00:43:00.790 --> 00:43:02.730 readily accessible. 00:43:02.730 --> 00:43:07.070 JACK: The team spent months gaining access to the network and learning what was in there. 00:43:07.070 --> 00:43:11.580 He couldn’t go into detail about the techniques used but he did give me a clue that it all 00:43:11.580 --> 00:43:12.580 starts with e-mail. 00:43:12.580 --> 00:43:20.839 COMM.: [00:45:00] ‘Cause I can’t be specific to us but if you look at cyber-operations 00:43:20.839 --> 00:43:27.670 at large – I think this is in the Hacking Humans Podcast; over 90% of cyber-attacks 00:43:27.670 --> 00:43:32.170 today start with e-mail and it’s not just a spear phishing link. 00:43:32.170 --> 00:43:35.650 It’s access to that e-mail account. 00:43:35.650 --> 00:43:38.290 The username, the e-mail address, and the password. 00:43:38.290 --> 00:43:42.609 That’s where you can start and you can pivot everywhere from that. 00:43:42.609 --> 00:43:47.270 JACK: I’ve looked into a lot of hacks and whether it’s an APT or just a bunch of teenage 00:43:47.270 --> 00:43:51.280 hackers, yeah, they love getting into e-mail accounts to poke around. 00:43:51.280 --> 00:43:55.710 This is common for hackers and effective for getting more information and to move further 00:43:55.710 --> 00:43:57.210 into the network. 00:43:57.210 --> 00:43:58.741 Getting into an e-mail account is golden. 00:43:58.741 --> 00:44:04.562 COMM.: You can pivot from the e-mail account into the other accounts associated to that 00:44:04.562 --> 00:44:09.670 e-mail, anything that’s tied to that e-mail for a password reset. 00:44:09.670 --> 00:44:14.339 You can pivot from that e-mail address into the AWS account, into the Cloudflare account, 00:44:14.339 --> 00:44:16.420 whatever that may be. 00:44:16.420 --> 00:44:21.030 The e-mail is the key that is the core piece to pivot through. 00:44:21.030 --> 00:44:22.780 JACK: Whoa, that makes sense. 00:44:22.780 --> 00:44:26.500 Yes, of course; if you have access to my e-mail address you could go to another service I 00:44:26.500 --> 00:44:30.790 have like my web hosting and tell them I lost my password, and they’ll send a link to 00:44:30.790 --> 00:44:35.930 my e-mail account with the password reset, and if you had access to my e-mail, then you 00:44:35.930 --> 00:44:37.850 could see that and reset the password. 00:44:37.850 --> 00:44:41.430 Yeah, getting access to someone’s e-mail account can open the doors to tons of other 00:44:41.430 --> 00:44:43.650 things that person has access to. 00:44:43.650 --> 00:44:44.800 Take note on this. 00:44:44.800 --> 00:44:46.030 Protect your e-mail access. 00:44:46.030 --> 00:44:48.180 Make it a high priority to secure it. 00:44:48.180 --> 00:44:52.260 First, give it a long, complex password, then enable two-factor authentication on it. 00:44:52.260 --> 00:44:57.210 Make it hard for anyone to get into your e-mail because if someone does get in, they get access 00:44:57.210 --> 00:44:59.020 to almost everything. 00:44:59.020 --> 00:45:04.250 If Operation Glowing Symphony was getting into their e-mail accounts, this was getting 00:45:04.250 --> 00:45:08.770 them access to a ton of stuff and once they got in, they needed to establish persistence. 00:45:08.770 --> 00:45:13.050 This is where they can stay in the network, hidden, unseen, even if how they got in got 00:45:13.050 --> 00:45:14.710 fixed or patched. 00:45:14.710 --> 00:45:19.460 This might be enabling a rootkit or opening a backdoor, or leaving some program running 00:45:19.460 --> 00:45:21.400 that lets you connect back in later. 00:45:21.400 --> 00:45:28.950 COMM.: We had multiple access vectors into the whole system. 00:45:28.950 --> 00:45:36.460 There wasn’t just one piece of software or exploit or something. 00:45:36.460 --> 00:45:41.020 It was a whole suite of things that gave us the understanding and the access into the 00:45:41.020 --> 00:45:42.020 network. 00:45:42.020 --> 00:45:45.130 JACK: During this time, they learned about what’s in the network and they spent time 00:45:45.130 --> 00:45:48.180 pairing the infrastructure with the exploits they needed to use. 00:45:48.180 --> 00:45:51.589 They had a lot of meetings on what the best course of action was to take it all out. 00:45:51.589 --> 00:45:57.650 COMM.: Yeah, if you make it on their list, it’s not a matter of if; it’s just when. 00:45:57.650 --> 00:46:03.170 I was amazed working there that any challenge that would come to the folks at NSA or any 00:46:03.170 --> 00:46:07.420 of the developers, it was just a matter of time before they figured it out. 00:46:07.420 --> 00:46:12.810 There was nothing that I saw them throw their hands up and say it’s impossible. 00:46:12.810 --> 00:46:18.570 It might not be the way that you thought but they would find a way to answer your question. 00:46:18.570 --> 00:46:19.980 Forget where you wanted to go. 00:46:19.980 --> 00:46:23.200 JACK: They assembled all the people into teams and were getting them ready. 00:46:23.200 --> 00:46:27.030 COMM.: We had four or five of those teams because we had so many targets and they each 00:46:27.030 --> 00:46:36.880 got ten to fifteen targets because we had to do the whole operation as quick as we could 00:46:36.880 --> 00:46:42.050 because we didn’t want the enemy to know once part of the network was being taken down 00:46:42.050 --> 00:46:47.370 or locked out, and then they start to – they kind of shut us off from getting to the rest. 00:46:47.370 --> 00:46:50.260 We had to do it all at the same time before they could catch on. 00:46:50.260 --> 00:46:55.330 JACK: I’m gonna assume targets are servers, social media accounts, e-mail addresses, bank 00:46:55.330 --> 00:47:01.220 accounts, mobile accounts, let’s try to completely delete as much as possible. 00:47:01.220 --> 00:47:05.599 COMM.: Yeah, all of those targets were on the docket. 00:47:05.599 --> 00:47:18.160 It was lock out, delete, misconfigure, reroute, seize, anything that you could do to stop 00:47:18.160 --> 00:47:20.700 the network from functioning. 00:47:20.700 --> 00:47:28.001 We had to come up with who had which targets and then which ones – it was planned out 00:47:28.001 --> 00:47:33.599 to a T, down to the keystroke of this is the one that I’m talking to, this is the one 00:47:33.599 --> 00:47:38.319 that I’m going after first, and then second, third, fourth, fifth. 00:47:38.319 --> 00:47:41.710 They were pivoting and they were all dependent upon each other. 00:47:41.710 --> 00:47:45.500 The other team had their same list of starting with this one and then going down the list 00:47:45.500 --> 00:47:49.960 and moving and pivoting and working their way through. 00:47:49.960 --> 00:47:55.990 We planned that out in detail and rehearsed it in detail prior to the operation. 00:47:55.990 --> 00:47:57.310 That was the next step. 00:47:57.310 --> 00:48:00.680 JACK: That’s amazing ‘cause when I was a network engineer, I would get my scripts 00:48:00.680 --> 00:48:06.870 approved by other people before making a change and I never imagined hackers also getting 00:48:06.870 --> 00:48:10.869 their scripts approved before – and then practicing it as well. 00:48:10.869 --> 00:48:12.349 That’s really something. 00:48:12.349 --> 00:48:18.750 COMM.: Oh yeah, [00:50:00] we would – you had your plan drawn out to a T and we scripted 00:48:18.750 --> 00:48:24.710 it in a test environment to make sure that it worked all the way through, to automate 00:48:24.710 --> 00:48:26.130 some things. 00:48:26.130 --> 00:48:29.960 We automated as much as we could but then you still had to do some hands-on stuff but 00:48:29.960 --> 00:48:31.230 we tested it. 00:48:31.230 --> 00:48:37.270 We had developers and technical directors review before we went to go and do it. 00:48:37.270 --> 00:48:43.540 We had an extensive amount of rehearsals before anything was actually executed on the real 00:48:43.540 --> 00:48:44.540 target. 00:48:44.540 --> 00:48:45.839 JACK: Everyone’s got their practice on. 00:48:45.839 --> 00:48:47.280 This is their primary focus, right? 00:48:47.280 --> 00:48:50.540 This is the one operation everyone was working on and focused on? 00:48:50.540 --> 00:48:51.540 COMM.: Yeah. 00:48:51.540 --> 00:48:56.880 When you woke up to when you went to bed at night, this team was – it was OGS all day, 00:48:56.880 --> 00:48:58.080 every day. 00:48:58.080 --> 00:49:02.109 JACK: [MUSIC] OGS is Operation Glowing Symphony in case you were wondering. 00:49:02.109 --> 00:49:06.829 It’s the name of this operation and yeah, the people on the team would come in on nights 00:49:06.829 --> 00:49:11.589 and weekends to conduct a lot of this preparation because there are certain things you want 00:49:11.589 --> 00:49:15.750 to do when nobody’s around to reduce your chances of being caught. 00:49:15.750 --> 00:49:20.250 Certain tools and software had to be custom-built to get it just right. 00:49:20.250 --> 00:49:24.720 People were working really hard to get everything ready for this cyber-strike. 00:49:24.720 --> 00:49:29.089 The last thing they needed to do was pick a time window on when they can do this operation 00:49:29.089 --> 00:49:30.089 in. 00:49:30.089 --> 00:49:36.360 COMM.: The ten-minute window was picked because that’s when we knew they weren’t gonna 00:49:36.360 --> 00:49:38.099 be there. 00:49:38.099 --> 00:49:45.369 We had profiled everything and knew that this two-hour window was gonna be the timeframe 00:49:45.369 --> 00:49:50.810 and we wanted – or at least, I wanted everything executed within ten minutes and as quick as 00:49:50.810 --> 00:49:53.020 we could, at least getting the first foothold. 00:49:53.020 --> 00:50:00.320 Once you hit the domain controller, you’re good to go but we had to get the domain controller 00:50:00.320 --> 00:50:02.310 within ten minutes, kinda thing. 00:50:02.310 --> 00:50:06.080 JACK: Okay, the plan is ready, the people are ready. 00:50:06.080 --> 00:50:07.690 After the break, it’s go-time. 00:50:07.690 --> 00:50:11.190 Stay with us. 00:50:11.190 --> 00:50:16.059 They set up the window, they rallied the troops, literal troops, and they got everyone ready 00:50:16.059 --> 00:50:18.150 because this was the big day. 00:50:18.150 --> 00:50:20.960 All the teams assembled in what they called the Operations Room. 00:50:20.960 --> 00:50:25.900 COMM.: It’s a pretty big op floor, is what they call it. 00:50:25.900 --> 00:50:26.970 It does look like a movie. 00:50:26.970 --> 00:50:34.810 There are a lot of screens facing down the command of the USS Enterprise or something 00:50:34.810 --> 00:50:35.810 like that. 00:50:35.810 --> 00:50:43.020 Everybody’s got two keyboards, four screens, chairs lined up, TVs all across the walls 00:50:43.020 --> 00:50:49.910 and the front and on the sides with different – what you would see in a SOC, like infrastructures 00:50:49.910 --> 00:50:56.750 up or down, stoplight charts, world map, rosters, all of that’s up. 00:50:56.750 --> 00:50:57.810 The lights are dim. 00:50:57.810 --> 00:50:59.819 JACK: Looks like everyone is ready. 00:50:59.819 --> 00:51:02.160 Time for one last phone call to headquarters. 00:51:02.160 --> 00:51:09.640 COMM.: We were waiting for approval, for final approval, from headquarters over the phone 00:51:09.640 --> 00:51:17.630 and once they said clear it hot, [MUSIC] then I turned to all the teams on the op floor 00:51:17.630 --> 00:51:21.810 and then I say let’s go. 00:51:21.810 --> 00:51:29.940 They put their heads down and then they hit Shift + Enter on the scripts and the scripts 00:51:29.940 --> 00:51:31.119 started running. 00:51:31.119 --> 00:51:36.819 They started moving through parts of the network, moving through accounts, moving through servers, 00:51:36.819 --> 00:51:41.559 moving through everything, and executing according to plan. 00:51:41.559 --> 00:51:46.130 JACK: The task unit immediately got to work, running through the checklist exactly as they 00:51:46.130 --> 00:51:48.430 practiced it over and over in training. 00:51:48.430 --> 00:51:53.349 But this was not training; this was live fire on the enemy’s infrastructure. 00:51:53.349 --> 00:51:56.839 You could hear the teams talking; click this, go into that directory. 00:51:56.839 --> 00:51:58.839 That’s it. Jackpot. 00:51:58.839 --> 00:52:02.960 They were running their scripts and conducting their operations, deleting virtual machines, 00:52:02.960 --> 00:52:07.230 taking over domain controllers, and this would give them access to key infrastructure that 00:52:07.230 --> 00:52:08.520 they were also destroying. 00:52:08.520 --> 00:52:11.299 They were raining down a symphony of cyber-destruction. 00:52:11.299 --> 00:52:19.500 COMM.: We had a large printout probably three feet by six feet tacked up on the wall. 00:52:19.500 --> 00:52:22.820 [00:55:00] It had every target printed on it. 00:52:22.820 --> 00:52:25.940 JACK: Every time somebody on the team would accomplish one of their objectives, they’d 00:52:25.940 --> 00:52:30.819 run a little piece of paper up to the Commander to let him know what’s been done. 00:52:30.819 --> 00:52:32.710 These pieces of paper had little codes on them. 00:52:32.710 --> 00:52:37.370 COMM.: They’d bring me a piece of paper and it’d say like, 1 Delta and then it would 00:52:37.370 --> 00:52:44.000 say like, hackers or browns and I would know what that meant. 00:52:44.000 --> 00:52:51.260 Then I would write it up on the board and report it up on the radio to higher headquarters 00:52:51.260 --> 00:52:54.020 ‘cause everybody was tracking everything across the board. 00:52:54.020 --> 00:53:01.359 Everybody was dialed in from all across the enterprise to listen in ‘cause this was 00:53:01.359 --> 00:53:02.850 such a big event. 00:53:02.850 --> 00:53:05.090 JACK: Things were going great. 00:53:05.090 --> 00:53:10.000 The teams were systematically destroying one thing after another within the ISIS media 00:53:10.000 --> 00:53:11.000 network. 00:53:11.000 --> 00:53:15.589 They were hitting targets all over the place, deleting accounts, wiping hard drives, destroying 00:53:15.589 --> 00:53:21.540 systems in any way they could, rerouting traffic, taking control of accounts, locking out accounts, 00:53:21.540 --> 00:53:23.840 and wrecking everything in their path. 00:53:23.840 --> 00:53:27.250 But then, one of the teams announced they have a problem. 00:53:27.250 --> 00:53:30.990 COMM.: The Operator’s on the keyboard, everybody’s there, we’re moving. 00:53:30.990 --> 00:53:32.490 We hit a roadblock. 00:53:32.490 --> 00:53:33.780 What’s your pet name? 00:53:33.780 --> 00:53:38.260 You’re logging in from a different IP; you need to authenticate with a security question. 00:53:38.260 --> 00:53:42.770 We’re like oh man, we don’t know this. 00:53:42.770 --> 00:53:44.799 [MUSIC] What’s your pet name? 00:53:44.799 --> 00:53:51.440 How are we gonna figure out this guy’s pet name? 00:53:51.440 --> 00:53:56.600 It was one of the core places that we were trying to go. 00:53:56.600 --> 00:54:00.329 Everybody’s heart stopped. 00:54:00.329 --> 00:54:03.980 We were like oh, we’re done. 00:54:03.980 --> 00:54:06.640 We’re not going anywhere. 00:54:06.640 --> 00:54:12.200 One of the analysts who’d been on the team with me for three years stands up and is like, 00:54:12.200 --> 00:54:14.839 1515. We’re like, what? 00:54:14.839 --> 00:54:17.589 No way, it says pet’s name. 00:54:17.589 --> 00:54:22.549 It’s gotta be Spike or Bob or something like that. 00:54:22.549 --> 00:54:24.420 He’s like no, 1515. 00:54:24.420 --> 00:54:27.180 It’s always 1515 with this guy. 00:54:27.180 --> 00:54:29.220 We’re like, okay, man. 00:54:29.220 --> 00:54:34.230 Try 1515. Boom, we’re in. 00:54:34.230 --> 00:54:39.150 Then we continued to move onto the target. 00:54:39.150 --> 00:54:47.609 The analysts get to know these guys down to such detail that they can anticipate what 00:54:47.609 --> 00:54:51.990 these guys are going to do before they actually do it in the technical realm. 00:54:51.990 --> 00:54:55.210 JACK: Whoa, this kind of trips me out. 00:54:55.210 --> 00:54:59.990 This kind of highlights the power of what NSA and US Cyber Command has, right? 00:54:59.990 --> 00:55:05.079 They can infiltrate someone’s life so much that they understand their secret question 00:55:05.079 --> 00:55:07.770 to all the accounts that they’ve ever set up. 00:55:07.770 --> 00:55:13.780 That’s some pretty deep burrowing into someone’s network or even their mind. 00:55:13.780 --> 00:55:18.100 After that, the task force continued to walk through their objectives, hitting target after 00:55:18.100 --> 00:55:21.750 target, taking things down, and they had a lot of different types of targets. 00:55:21.750 --> 00:55:25.119 An interesting one to me are the financial accounts. 00:55:25.119 --> 00:55:29.100 The Commander said these were not the focus of the operation but I’m going to assume 00:55:29.100 --> 00:55:32.480 that these did exist and they ran into them sometimes. 00:55:32.480 --> 00:55:33.829 COMM.: We’re not the FBI. 00:55:33.829 --> 00:55:40.940 We can’t seize funds and then hold it but if you just get locked out of your PayPal 00:55:40.940 --> 00:55:45.050 account and there’s $1,000 in there, that money is essentially gone. 00:55:45.050 --> 00:55:46.970 You’re not going to be able to get it back. 00:55:46.970 --> 00:55:50.900 JACK: This wouldn’t be a temporary lock because if the PayPal address was linked to 00:55:50.900 --> 00:55:55.369 an e-mail and then that e-mail gets taken over, then you can change backup passwords 00:55:55.369 --> 00:56:00.410 and recovery passwords, and PayPal passwords and everything so that there’s no way to 00:56:00.410 --> 00:56:03.020 get back into that PayPal account, ever. 00:56:03.020 --> 00:56:08.309 But besides that, ISIS media had some crypto-currencies but with this, you could just delete the private 00:56:08.309 --> 00:56:12.869 keys to those wallets and you’re never getting back in there, essentially destroying whatever 00:56:12.869 --> 00:56:14.320 crypto-currency they had. 00:56:14.320 --> 00:56:19.970 COMM.: Yeah, there was a lot of deleting going on so if they were in there, they were gone. 00:56:19.970 --> 00:56:26.810 If you delete the private keys for – even if you deleted the private keys – if they 00:56:26.810 --> 00:56:31.520 were storing the stuff on a virtual server and you deleted the private keys to the virtual 00:56:31.520 --> 00:56:33.020 server, you’re not getting it back. 00:56:33.020 --> 00:56:37.319 JACK: It sounds like some money was lost during all of this and at this point they have successfully 00:56:37.319 --> 00:56:39.910 accomplished all of their primary objectives for this mission. 00:56:39.910 --> 00:56:45.210 COMM.: We did it in about ten minutes that we – we got all over our key nodes and targets 00:56:45.210 --> 00:56:47.109 down in the first ten minutes. 00:56:47.109 --> 00:56:52.910 We had control and we knew at that point that they couldn’t stop us and we stayed on for 00:56:52.910 --> 00:56:57.880 the next two to four hours going through the rest of the target list but at that point 00:56:57.880 --> 00:57:03.420 in time, we could take our time and we knew that they couldn’t take it back from us. 00:57:03.420 --> 00:57:09.230 It was like, they were totally pwned after ten minutes. 00:57:09.230 --> 00:57:16.480 We did have a brief high-five moment of, we got into all of the main core places we needed 00:57:16.480 --> 00:57:18.480 to go to. High-five. 00:57:18.480 --> 00:57:22.339 [MUSIC] Then it was hey, we still got [01:00:00] to keep moving through the rest of the targets 00:57:22.339 --> 00:57:28.540 so after our brief moment of happiness we stayed on and kept going, and going, and going. 00:57:28.540 --> 00:57:35.710 We found more targets, more domains, more servers, more parts of the network, more files, 00:57:35.710 --> 00:57:37.430 everything that we could find. 00:57:37.430 --> 00:57:43.780 If it was within the approved plan that we had approved, or our left and right lateral 00:57:43.780 --> 00:57:46.460 limits, then we had effects. 00:57:46.460 --> 00:57:52.230 If it wasn’t, we wrote it down, catalogued it, and then put it on the target list for 00:57:52.230 --> 00:57:54.160 the next day. 00:57:54.160 --> 00:58:00.010 We worked until we knew that they were coming back and we stopped. 00:58:00.010 --> 00:58:02.080 Then we waited. 00:58:02.080 --> 00:58:07.619 JACK: Put yourself in ISIS media’s shoes for a second, here; imagine you just got knocked 00:58:07.619 --> 00:58:10.930 out big time with hacks like you’ve never seen before. 00:58:10.930 --> 00:58:14.740 All your servers are offline, all your accounts are locked out. 00:58:14.740 --> 00:58:16.030 Everything’s just gone. 00:58:16.030 --> 00:58:17.740 What do you do? 00:58:17.740 --> 00:58:21.180 You don’t just say oh, well, that’s that. 00:58:21.180 --> 00:58:22.470 Let’s be done. 00:58:22.470 --> 00:58:24.900 No; you work on trying to restore it. 00:58:24.900 --> 00:58:27.430 That’s what the IT team is there for, right? 00:58:27.430 --> 00:58:29.349 They’re not just like, fired immediately. 00:58:29.349 --> 00:58:32.150 They’re called in to come help right now. 00:58:32.150 --> 00:58:34.280 Let’s get everything stood back up. 00:58:34.280 --> 00:58:39.480 Immediately, the IT team started trying to stand up their servers again and rebuild their 00:58:39.480 --> 00:58:44.010 websites and relaunch their e-mail applications because they couldn’t even get the e-mails 00:58:44.010 --> 00:58:48.430 anymore and they were rebuilding file servers and then having to re-issue new accounts for 00:58:48.430 --> 00:58:49.430 everyone there. 00:58:49.430 --> 00:58:55.329 It’s kind of like building an entire network from scratch all over again or trying to restore 00:58:55.329 --> 00:58:57.200 from backups. 00:58:57.200 --> 00:59:04.140 While this was effective right away, they did see ISIS coming back online slowly and 00:59:04.140 --> 00:59:05.940 with a lot of trouble. 00:59:05.940 --> 00:59:10.309 This made some people wonder whether or not Operation Glowing Symphony was a success or 00:59:10.309 --> 00:59:14.039 not since ISIS came back online just after. 00:59:14.039 --> 00:59:18.619 COMM.: I’m obviously biased to the whole thing but I think it was very effective. 00:59:18.619 --> 00:59:23.030 JACK: He can’t get into the specifics about how effective this was but if we step back 00:59:23.030 --> 00:59:28.039 and look at what public information we do know, we see that ISIS was very chatty on 00:59:28.039 --> 00:59:32.869 Twitter before Operation Glowing Symphony but that number of tweets drastically got 00:59:32.869 --> 00:59:36.550 reduced right after Operation Glowing Symphony went into effect. 00:59:36.550 --> 00:59:42.750 COMM.: If you don’t have a file-sharing server to pass the photos from the front battlefield 00:59:42.750 --> 00:59:48.040 lines back to the mid-level office, back to the high-level office so they can edit the 00:59:48.040 --> 00:59:53.680 photos and then use them in the video, or from a field video of a battle where ISIS 00:59:53.680 --> 01:00:00.799 is winning, getting that video back to somebody at another location to edit it to then upload 01:00:00.799 --> 01:00:08.819 it, to then put it into a Photoshop editor and make it into a sexy video; if all that 01:00:08.819 --> 01:00:13.230 takes more time or you break that chain at any point, it’s gonna make your whole production 01:00:13.230 --> 01:00:14.490 cycle longer. 01:00:14.490 --> 01:00:21.839 If you start missing deadlines your brand isn’t as good. 01:00:21.839 --> 01:00:30.099 Nobody likes a news outlet that has bad logos, bad videos, and delays in releases. 01:00:30.099 --> 01:00:36.350 When you impose that on them, it erodes what ISIS media was seeking to be. 01:00:36.350 --> 01:00:41.410 People didn’t like it as much and they didn’t want to do attacks or go fight for them in 01:00:41.410 --> 01:00:42.410 Syria. 01:00:42.410 --> 01:00:46.750 JACK: One other thing that you would notice if you were following this space at the time, 01:00:46.750 --> 01:00:54.270 is that after this initial attack from OGS, only 40% of the ISIS websites came back online 01:00:54.270 --> 01:00:55.280 afterwards. 01:00:55.280 --> 01:00:58.320 Those other websites just never showed back up. 01:00:58.320 --> 01:01:04.420 But when these new websites came back online, this meant that JTF-ARES had to attack again 01:01:04.420 --> 01:01:06.190 and so they did. 01:01:06.190 --> 01:01:10.809 COMM.: Once you found a target, submit it up, get it approved, go take it down. 01:01:10.809 --> 01:01:12.890 Target; take it down. 01:01:12.890 --> 01:01:14.970 Target; take it down. 01:01:14.970 --> 01:01:21.369 We stayed on for – OGS continued from that day on for seven months. 01:01:21.369 --> 01:01:27.440 JACK: After taking down ISIS’s websites over and over and over, again and again for 01:01:27.440 --> 01:01:34.280 seven months, they effectively took out 90% of ISIS’s websites that just never showed 01:01:34.280 --> 01:01:35.280 back up. 01:01:35.280 --> 01:01:42.190 COMM.: We didn’t have ops every day but for the first thirty days or so, we almost 01:01:42.190 --> 01:01:43.260 had ops every day. 01:01:43.260 --> 01:01:47.660 JACK: Oh, and another thing you can look at to see how effective this was is the ISIS 01:01:47.660 --> 01:01:49.270 media magazines that they were putting out. 01:01:49.270 --> 01:01:54.960 COMM.: If you look at – the Rumiyah and the Dabiq magazines were ISIS’s flagship 01:01:54.960 --> 01:01:55.960 magazine. 01:01:55.960 --> 01:02:01.559 They came out, they were fifty to sixty pages, high-quality video, great stories, instructions 01:02:01.559 --> 01:02:07.770 on how to do attacks, recaps of old attacks, they did excerpts with leadership; other ISIS 01:02:07.770 --> 01:02:11.210 fighters to try and inspire people. 01:02:11.210 --> 01:02:15.099 They were very good magazines and productions. 01:02:15.099 --> 01:02:18.130 They had them in all the different languages and they were very professional. 01:02:18.130 --> 01:02:25.420 When Glowing Symphony [01:05:00] came into play, the Rumiyah magazine was the new magazine. 01:02:25.420 --> 01:02:30.550 That was coming out every thirty days, between twenty-eight and thirty days, and it was based 01:02:30.550 --> 01:02:32.330 off of the Islamic calendar. 01:02:32.330 --> 01:02:36.910 At the time, we didn’t know that this happened but when I was looking back, we could definitely 01:02:36.910 --> 01:02:38.099 see the impact. 01:02:38.099 --> 01:02:44.670 They wanted it to come out on the first of each day of the month for the Islamic calendar. 01:02:44.670 --> 01:02:48.180 The 5:00 news comes on at 5:00, not 5:05, right? 01:02:48.180 --> 01:02:54.609 When we looked back at the impacts of Glowing Symphony, the November Rumiyah came out on 01:02:54.609 --> 01:02:55.619 day thirty-six. 01:02:55.619 --> 01:03:01.849 Their average was twenty-eight to thirty and it came out on day thirty-six. 01:03:01.849 --> 01:03:05.839 It was very late, almost a week late. 01:03:05.839 --> 01:03:07.450 Then they were back on track. 01:03:07.450 --> 01:03:12.920 Then other destruction ops and continued operations from OGS came into play. 01:03:12.920 --> 01:03:16.260 When we would knock them back, we would see that date be longer. 01:03:16.260 --> 01:03:21.720 Then we would see it be longer and if you plot those dates out, the dates get longer 01:03:21.720 --> 01:03:26.960 and longer until a point where the Rumiyah had been discredited with other operations 01:03:26.960 --> 01:03:31.859 and effects to a point to where they decided not to do it anymore, that it was unsustainable. 01:03:31.859 --> 01:03:35.300 The brand had been damaged and they abandoned it. 01:03:35.300 --> 01:03:43.910 It took time for them to give up and for the brand to be fully damaged but the operations 01:03:43.910 --> 01:03:51.770 to slow down the production, to make it harder, to delete the files, to disrupt the coordination, 01:03:51.770 --> 01:03:58.329 to do all of that had an impact over time to a point to where they abandoned it. 01:03:58.329 --> 01:04:02.779 JACK: Now as far as I know, the US government has never taken credit for any cyber-attacks 01:04:02.779 --> 01:04:04.730 like this, ever. 01:04:04.730 --> 01:04:08.809 This is the first time ever that they’ve publically said they have destroyed computers 01:04:08.809 --> 01:04:10.170 using cyber-attacks. 01:04:10.170 --> 01:04:17.690 COMM.: Now that you say that, I think it is that they’re saying we have conducted offensive 01:04:17.690 --> 01:04:21.410 cyber-operations against a target. 01:04:21.410 --> 01:04:25.210 I think this is the first time. 01:04:25.210 --> 01:04:31.540 In the past, the public mission for MARFORCYBER says we conduct offensive cyber-operations 01:04:31.540 --> 01:04:33.810 in support of the US government. 01:04:33.810 --> 01:04:38.049 The mission says offensive cyber and it said that for a long time but I think you’re 01:04:38.049 --> 01:04:45.410 right; nobody said we did this, we deleted this, we locked out this. 01:04:45.410 --> 01:04:49.309 I never thought of it that way but I think you’re right. 01:04:49.309 --> 01:04:53.770 JACK: It’s still fascinating to me to see that the military trains hackers but I guess 01:04:53.770 --> 01:04:58.339 this is the natural progression of how the world has become because historically, the 01:04:58.339 --> 01:05:02.619 military had four domains of warfare; land, sea, air, and space. 01:05:02.619 --> 01:05:07.339 But in 1995, they added information as the fifth domain of warfare. 01:05:07.339 --> 01:05:12.180 The military has to be ready to battle on this front because if they aren’t, the enemy 01:05:12.180 --> 01:05:13.849 will be attacking us there. 01:05:13.849 --> 01:05:20.329 COMM.: In the military and all services, they’re building out cyber-branches and cyber-specialities 01:05:20.329 --> 01:05:25.289 at an entry-level on the enlisted side and at an officer’s side. 01:05:25.289 --> 01:05:29.760 Kids from high school with computer skills that want to get into hacking or after you 01:05:29.760 --> 01:05:36.220 go to college, you want to get into hacking as an officer, there are paths to go right 01:05:36.220 --> 01:05:40.050 into a cyber-career field in the military. 01:05:40.050 --> 01:05:48.329 They have the Blue Team side with the cyber-protection teams and they have the offensive side with 01:05:48.329 --> 01:05:54.349 the Combat Mission Teams so whichever hat you want to wear; you can go right into those 01:05:54.349 --> 01:06:01.619 positions with training and begin to execute on target and defense or in offense of the 01:06:01.619 --> 01:06:02.619 nation. 01:06:02.619 --> 01:06:08.619 JACK: While that’s the story of Operation Glowing Symphony and JTF-ARES, the story isn’t 01:06:08.619 --> 01:06:09.619 over. 01:06:09.619 --> 01:06:13.589 JTF-ARES is still going strong, conducting a lot of missions, even today. 01:06:13.589 --> 01:06:16.590 COMM.: Yeah, JTF-ARES is still rocking and rolling. 01:06:16.590 --> 01:06:18.920 They’re moving onto new targets every day. 01:06:18.920 --> 01:06:22.829 JACK: Other people involved with JTF-ARES today have said that the attacks still go 01:06:22.829 --> 01:06:28.430 on and they do things like just annoy their targets, like lock them out of their accounts, 01:06:28.430 --> 01:06:32.370 or slow down their computer, or slow down their network, or do something to drain the 01:06:32.370 --> 01:06:34.940 cell phone battery of their target. 01:06:34.940 --> 01:06:39.490 The harder that they can make it for their target to get anything done in the day, the 01:06:39.490 --> 01:06:42.230 more of a success it feels like for JTF-ARES. 01:06:42.230 --> 01:06:50.589 COMM.: The first push was a solid six, seven months of day-on, stay-on, but the ground 01:06:50.589 --> 01:06:55.849 forces have obviously taken back Syria from ISIS so it’s a lot smaller than what it 01:06:55.849 --> 01:06:58.210 was in 2016. 01:06:58.210 --> 01:07:01.590 But they’re still in the fight every day. 01:07:01.590 --> 01:07:06.940 JACK: Oh, and as for Mosul; because Iraq didn’t have a strong enough army to take back their 01:07:06.940 --> 01:07:13.059 own town, the US helped invade it and together they kicked out ISIS which put an end to the 01:07:13.059 --> 01:07:14.059 caliphate. 01:07:14.059 --> 01:07:18.680 It’s a stretch to say that Operation Glowing Symphony helped take back Mosul but if you 01:07:18.680 --> 01:07:22.580 look at the series [01:10:00] of events, Operation Glowing Symphony probably would have never 01:07:22.580 --> 01:07:26.950 happened if ISIS didn’t take Mosul over in the first place. 01:07:26.950 --> 01:07:31.079 You might be thinking the US has conducted destructive cyber-attacks like this all the 01:07:31.079 --> 01:07:36.140 time, like with Stuxnet but the thing is, is the US has never admitted to doing Stuxnet. 01:07:36.140 --> 01:07:38.730 They refuse to talk about it at all. 01:07:38.730 --> 01:07:42.790 Whether or not this is the first attack like this, one thing that’s alarmingly clear 01:07:42.790 --> 01:07:48.680 now is that the US is in the fight and not just doing signals collection but causing 01:07:48.680 --> 01:07:51.190 destruction through cyber-attacks. 01:07:51.190 --> 01:07:56.750 It just makes me think that now that OGS was successful and JTF-ARES is still conducting 01:07:56.750 --> 01:08:00.470 these attacks today, I wonder what else this paved the way for. 01:08:00.470 --> 01:08:03.349 What other doors got opened because of this? 01:08:03.349 --> 01:08:08.790 What other missions have been given the go-ahead to degrade and disrupt enemy networks? 01:08:08.790 --> 01:08:14.230 With the connected modern world we live in, a lot is possible such as remotely disabling 01:08:14.230 --> 01:08:19.910 a car or draining a crypto-wallet, or shutting off the power to a missile silo. 01:08:19.910 --> 01:08:23.910 The NSA and Cyber Command have sometimes been accused of going over the line on what they’re 01:08:23.910 --> 01:08:27.410 legally allowed to do, like surveilling innocent American people. 01:08:27.410 --> 01:08:33.060 But one thing is clear; if someone celebrates the death of Americans or threatens Americans, 01:08:33.060 --> 01:08:37.060 these are the people who will take full notice of this and go after them. 01:08:37.060 --> 01:08:41.990 The general goal and mission of the NSA and Cyber Command is to protect the US from threats 01:08:41.990 --> 01:08:42.990 like that. 01:08:42.990 --> 01:08:47.730 It’s just fascinating to see what happens and how they go after these people. 01:08:47.730 --> 01:08:50.790 You might be wondering how did I really get this interview? 01:08:50.790 --> 01:08:56.230 How did I get a mission commander from USCYBERCOM to come tell the story about that time he 01:08:56.230 --> 01:08:57.230 hacked ISIS? 01:08:57.230 --> 01:08:59.160 Well, it’s interesting, actually. 01:08:59.160 --> 01:09:02.380 Last year, I think it was some journalists from VICE’s Motherboard who heard about 01:09:02.380 --> 01:09:06.549 Operation Glowing Symphony; they submitted a freedom of information request to the government 01:09:06.549 --> 01:09:11.690 to learn more and to all our surprise, the government sent them tons of information about 01:09:11.690 --> 01:09:13.089 OGS. 01:09:13.089 --> 01:09:17.210 It was really incredible to peek behind the curtain for the first time and then in the 01:09:17.210 --> 01:09:21.630 last few months, a reporter from NPR actually asked the generals and commanders that were 01:09:21.630 --> 01:09:26.640 involved in this to speak on the record to hear more and again to everyone’s surprise, 01:09:26.640 --> 01:09:28.070 approvals were given. 01:09:28.070 --> 01:09:33.790 It was around this time that I just happened to bump into the Commander at Defcon while 01:09:33.790 --> 01:09:35.230 I was there. 01:09:35.230 --> 01:09:39.839 We started talking and I heard this story and I was like, oh my gosh, if you are able 01:09:39.839 --> 01:09:45.560 to speak on NPR about this, is it possible that you could come on my show, Darknet Diaries, 01:09:45.560 --> 01:09:47.770 and tell me this story? 01:09:47.770 --> 01:09:54.560 He went back to US Cyber Command and requested to be on this show and he was given approval. 01:09:54.560 --> 01:09:55.790 Unbelievable. 01:09:55.790 --> 01:09:59.650 Once I had this episode all done and ready to go, I had to get one last approval from 01:09:59.650 --> 01:10:00.830 the US government. 01:10:00.830 --> 01:10:06.590 People in US Cyber Command or MARFORCYBER had to listen to this to verify that nothing 01:10:06.590 --> 01:10:08.679 was said that shouldn’t have been said. 01:10:08.679 --> 01:10:12.590 There were even some generals that had to approve this, too, which is just incredible 01:10:12.590 --> 01:10:18.210 to me because I thought I would never hear a story from within US Cyber Command about 01:10:18.210 --> 01:10:24.530 this time that they hacked into anything, much less ISIS so yeah, this is a story that 01:10:24.530 --> 01:10:29.790 I never thought I would ever get to do. 01:10:29.790 --> 01:10:37.200 JACK (OUTRO): [OUTRO MUSIC] A big thank you to the Commander for sharing this story with 01:10:37.200 --> 01:10:38.200 us. 01:10:38.200 --> 01:10:41.120 This one really, truly, is unbelievable to hear firsthand what you went through. 01:10:41.120 --> 01:10:42.350 Thank you again. 01:10:42.350 --> 01:10:45.690 Thanks to Major General Glavy for approving him to be on the show. 01:10:45.690 --> 01:10:49.890 This show is made by me, cadet Jack Rhysider, reporting in from the darknet division. 01:10:49.890 --> 01:10:52.330 Editing help by the sanguine guard, Damienne. 01:10:52.330 --> 01:10:56.800 Our theme music is by the sonic assaulter, Breakmaster Cylinder. 01:10:56.800 --> 01:11:02.100 Even though someone from the DoD starts following me on LinkedIn every time I say it, this is 01:11:02.100 --> 01:11:09.770 Darknet Diaries.