The Israel Security Agency (ISA) has recently reported the uncovering of a network that attempted to recruit individuals in Israel, in the Judea and Samaria district and even in the Gaza Strip, to assist Iranian intelligence. In this case, the network was controlled by a Syrian element and attempted to establish contact with those individuals through social media. The idea was to establish initial contact and then deepen the relationship between the element in Syria and the people here on the ground. After a while, when the network controllers have established that the individuals recruited were willing to act or deliver information, the element in Syria had them transferred to a communication channel utilizing messaging apps, so as to maintain contact with them directly and personally.
It should be stressed that the investigation by the ISA and other security agencies established that many of those contacted during the initial contact stage, especially Israeli Arabs, suspected that the approach was associated with some illegitimate activity, and did not maintain the connection. This method for establishing contact, known in the professional jargon as "raising a connection," is a well-established, familiar method that has been perfected over the years with the advent of new technology.
The objectives of "raising connections" are diversified and include communication for the purpose of recruiting a spy within an objective like an organization or a country; recruiting a person for the purpose of staging terrorist attacks; recruiting individuals for the purpose of collecting general information – "positive intelligence" – regarding infrastructures, the social characteristics of the country, the political situation, and so forth.
Today, the same activities performed by states through social media can also be performed by a small terrorist organization, provided it has a team or unit specializing in this activity, and that team or unit possesses the basic knowledge required. The knowledge, the capabilities, and the tools are readily available through the internet as well as through the Darknet – the "the web's underworld."
The History of Raising Connections
In the early 1990s, while serving as an ISA field coordinator in the Southern Mount Hebron area, before cellular vendors started operating in Israel, we invested substantial efforts in "raising connections." The objective was very clear and consistent with the primary goal – preventing terrorist attacks in due time.
The method was radically different. In order to "raise a connection," we had to work on the ground and establish a direct/physical contact with the elements we had marked as worthy of maintaining contact with, whether this activity was intended to recruit agents or reach the operatives of a terrorist organization.
Before the capabilities created by cyberspace, which includes social media and dozens – if not hundreds – of communication and messaging applications, I was required, as a field operative, to develop a structured plan, examine how I should establish contact with the marked objective and determine the methods of operation required to establish the initial contact and the identity of the individuals who would operate opposite the objective – yourself, an agent, or some other field element.
When you were required to approach a person known to maintain contacts with terrorist organizations, or known to have an intention to do so, the level of threat imposed by that person was high, and you had to extract as much intelligence information from him as possible. For this purpose, we developed structured plans. Our methods included an initial approach, conveying a message that the objective had to believe so as to agree to cooperate with the callers (who were agents trained for this activity beforehand). Additionally, a contingency plan had to be devised, including extrication, support, and so forth.
From Physical to Technological Contact
Then, with giant steps, technology and cyberspace started to dominate the world. Geography did not matter anymore, and you could reach anyone, anywhere and maintain any required operational interaction with them. As the world evolved, the ability of organizations and states to approach dozens if not hundreds of individuals simultaneously, on an extensive range of subjects and while separating and "differentiating" between each and every approach, established a new, different, and challenging reality.
Social media and other networks, as well as various websites, currently provide fertile ground for "raising connections" with relevant segments of the public. Some of the connection-raising activities are carried out in a fairly simple and unsophisticated manner, like "casting a large net" intended to "fish" as many individuals as possible, opposite which connections should be established. Eventually, from hundreds or thousands who had been approached in some way, only a handful will remain who would constitute high-value objectives for a terrorist organization or a state attempting to acquire espionage assets.
The advantages of this method are clear: the cost is low, execution is simple but clever, and the level of risk associated with being uncovered and affected by the implications of having the field level exposed is far lower than it was in the days when we had "raised connections" in the Judea and Samaria district. On the other hand, the results are less valuable in most cases, and the effort invested by the hacker unit and content specialists might be washed down the drain.
Simple as That
In recent years, as a result of the dominant control of Google, Facebook, Telegram, and other diversified applications used for mass communication and messaging, it has become very easy to utilize these platforms to mark a more limited population group for contact and communication purposes.
The idea is to target groups, use segmentation – subdivision into groups possessing common denominators which constitute a broad locator, then use personalization – customizing the messages in every approach to specific individuals. If it is effective for marketing and advertising, it will be equally effective in espionage operations, and the tools, locators, and method are very similar.
An enemy country like Iran can easily mark bachelor's degree graduates at an Israeli university, spot the students residing in the area of a certain confrontation front, mark the job hunters among them and sometimes even their political views and so forth. Opposite such a group, a plan of action is developed and tools are employed to "raise a connection," especially through Facebook, Instagram, LinkedIn, and other well-known apps.
The conflicts between the cutting-edge technology that performs these operations online, which the leading technological giants often attempt to spot and eliminate, mainly when they identify free-of-charge advertising-style approaches or problematic campaigns, lead to daily "battles" between the hackers and the programmers of the leading companies who make it a point, especially in recent years, to delete and destroy any traces of illegitimate activity on the web.
The HUMINT & Cyber Combination
It should be noted that beyond the technology that conveys the message to anyone I want to convey it to, the HUMINT way of thinking is very important. It is not enough to be a technological power or an organization that has a high-quality hacker group (and there are such groups in Iran, in the Gaza Strip and within Hezbollah). In-depth understanding of the field is also required – understanding how to approach and what to say. In other words, it is necessary to connect between the world of the people, the HUMINT world, and the cyber world. You must be able to speak the language of the organization, command the jargon and the marks and characters that constitute contents in the worlds of the instant messaging apps.
While serving as the Head of the ISA's Cyber Division, I did my best to bring together the specialists from the various intelligence worlds. The attack operator from the Technology Division, the field coordinator from Jenin or the production unit (SigInt/Cyber) operator, who are familiar with the language, the customs, the codes, and the characteristics of the various organizations, and the people of the Information Technology & Access Division. In this way, we can succeed in "raising connections" while retaining a high degree of authenticity and credibility in the opponent's eyes.
Going back to the ISA's recent report, it stated that the defense establishment had monitored the activity from Syria for some time, without making any move except after a certain period. The reasons for it are very clear. The system studies the opponent's Modus Operandi, attempts to identify who stands behind the codenames and the fictitious photographs, and spots additional technological "identifiers" that point to the profile of the writer, his location, and so forth.
The intelligence effort attempts to understand who has been approached in the Judea and Samaria district or here in Israel, and what the people who had been approached are doing, if anything. Many of those who were approached were, as stated, members of the Arab community of Israel, and the overwhelming majority among them did not cooperate with the approach, as it had seemed suspicious to them.
Wearing the Enemy Down using his Own Tools
It is important to note that the capabilities notwithstanding, deterrence still exists. You can never know who is actually approaching you, and there are serious concerns about cooperating with technological activity. Every one of us creates a digital signature, and in the age of Big Data, many databases are being monitored and mark irregularities and abnormal web activities or contents.
In conclusion, it may be stated that terrorist organizations, and enemy countries most definitely, use cyberspace extensively and diversely for numerous purposes, notably collecting information, disrupting, influencing, and damaging the State of Israel. The need to continue to constitute a country with the technological capabilities of a world power, to integrate the classic worlds of intelligence, to intensify the activity on the web, to develop offensive and defensive cyber tools as well as cutting-edge monitoring and identification capabilities – these provide the recipe for countering terrorist or espionage activities aimed against the State of Israel.
Arik Brabbing ("Harris") has served as the Head of the ISA Cyber Division and as the Commander of the ISA Jerusalem, Judea and Samaria district