ISIS Keeps Getting Better at Dodging U.S. Spies
On Thursday, around the same time ISIS leader Abu Bakr al Baghdadi announced that he had survived a U.S. airstrike and promised in a recorded message to “erupt volcanos of jihad,” American officials were meeting to discuss just how hard it was to track the militant group.
Baghdadi and his followers have proven exceptionally difficult to track and kill because they’re encrypting their communications and taking steps to avoid being detected by U.S. surveillance, according to several current and former officials. Without American intelligence operatives on the ground in ISIS’s home base of Syria—and with only a limited number of surveillance planes in the air—those communications are one of the only surefire ways to keep tabs on ISIS.
In addition to encryption that American officials say has proven very difficult to crack, ISIS is also using a commercially available service that permanently deletes messages sent via the Internet, making them nearly impossible to intercept, according to an individual who was briefed on the issue Thursday. This person didn’t name the service, but one application widely used in Iraq is called FireChat, which allows users to send messages to each other without connecting to the Internet.
U.S. intelligence and counterterrorism officials told The Daily Beast that ISIS has adjusted its communications patterns because it knows that the group is constantly being watched. Fighters have been taking extra precautions for months, but the length of time that it took the U.S. to target Baghdadi—six weeks after airstrikes began in Syria and more than three months after they began in Iraq—and the fact that he wasn’t killed in the attack suggest that ISIS is practicing tight controls on its communications, especially at the top of the organization.
“These guys have a level of discipline. They will enforce through the ranks not using cellphones,” said the individual who was briefed on ISIS counter-surveillance techniques. The group has also used couriers to convey some messages in order to avoid digital communications altogether.
Testifying before the House Armed Services Committee on Thursday, Defense Secretary Chuck Hagel acknowledged that ISIS is ducking U.S. spies, particularly now that the military is bombing the group. “ISIL fighters have been forced to alter their tactics—maneuvering in smaller groups, hiding large equipment, and changing their communications methods,” Hagel said, using the government’s preferred acronym for the militant group.
A former U.S. official said that another factor has been complicating efforts to find ISIS members: the lack of combat troops on the ground to follow up on any leads collected by intelligence agencies or drones, which are monitoring the battlefield from the air. “When you literally have a force on the ground, you’re in a better position to take advantage of these communications,” the former official said.
In 2007, the National Security Agency tracked the computers and cellphones of members of al Qaeda in Iraq—ISIS’s predecessor—and then told ground forces where to find the fighters. That cycle of intelligence-gathering and capturing or killing fighters helped turn the tide of combat operations. But no such cycle exists now in Iraq or Syria.
“The easiest day of the air campaign against ISIS was the first day,” said Christopher Harmer, an analyst with the Institute for the Study of War. U.S. pilots knew the locations of ISIS command and control facilities and storage depots, and to an extent the group was taken at least partially by surprise, since it didn’t know the precise time the strikes would begin. “Past that first day or two of easy targets, ISIS predictably dispersed into the civilian population. They quit using high-power radios, satellite and cellphones, started moving to a dispersed command and control model,” Harmer said.
With ISIS proving an elusive target, the intelligence agencies have taken to monitoring communications of Assad regime officials to find out what they are saying about ISIS. The Wall Street Journal reported that intelligence analysts have treated the Assad communications cautiously, however, because private conversations among regime officials have proven difficult to verify.
ISIS members may be harder to track, but on the flip side, persistent U.S. electronic surveillance, as well as overhead monitoring by drones, has constrained the group. “At the end of the day, an intelligence organization [conducting surveillance] forces two choices: Communicate and be at risk, or don’t communicate and fail to coordinate,” said the former U.S. official. “Should I encrypt my communications? Should I use onion routers? Should I use cut-outs?” Those would be the kind of questions this former official said he would ask if he were on the militants’ side.
“Onion routers” refers to the TOR network, a system that allows users to mask their location and communicate anonymously online. But the number of users connecting from Iraq is low, around 2,000, down from a high of more than 15,000 in June, according to the TOR Project, which helps with the ongoing development of the system. Connections from Syria are also down, with only about 2,500 users connecting from there, the group said. It’s unclear whether ISIS is using the routing system, which has also been used by Syrian rebel groups fighting to overthrow the regime of Bashar Al-Assad.
ISIS isn’t new to the counter-surveillance game. But current and former officials debated whether disclosures by Edward Snowden about the massive reach of the NSA tipped the fighters off and led them to be more cautious when communicating with each other.
One U.S. intelligence official said ISIS has “likely learned a lot from recent unauthorized disclosures, and as many of their forces are familiar with the U.S. from their time in AQI [Al Qaeda in Iraq], they have adapted well to avoiding detection.”
The former U.S. official also blamed Snowden for revealing surveillance secrets. There have been “demonstrable changes” in how militants do business as a result of leaked documents that detail U.S. surveillance practices, the former official said, declining to elaborate. But, he added, “It doesn’t pass the laugh test that an organization as sophisticated as ISIS would not pay attention to that gold mine.”
Still, others said it was laughable that ISIS was oblivious to the fact that the U.S. tracks terrorists by monitoring their communications. “It’s wrong to say because of Snowden our fight with ISIS is harder,” said one U.S. defense official with extensive experience battling al Qaeda and other militant groups. For more than a decade, intelligence agencies have been using electronic surveillance to locate terrorists, a fact that obviously hasn’t eluded ISIS, he said. “I’m not in any way defending Snowden. But I think our intel agencies need to grow up.”
Even top lawmakers are skeptical that ISIS went to school on U.S. surveillance thanks to Snowden’s leaks.
“There’s certainly knowledge that they’ve changed almost everything they’re doing to avoid being seen, being heard,” Sen. Bob Corker, expected to soon be chairman of the Senate Committee on Foreign Relations, told The Daily Beast. But as to whether there’s any connection to the Snowden leaks, “There’s been no indication,” Corker said. “I just think [even] people who aren’t particularly knowledgeable understand we have extreme capabilities in multiple areas.”
Indeed, researchers who track the militant group note that long before U.S. airstrikes began, the group was employing encryption to protect its communications. If anything, they say, the Snowden disclosures told ISIS not to start using encryption and other obfuscating tools, but to stop talking about the fact that they were.
“Post-Snowden, they took a lot of the opsec [operational security] discussions off of the public forums,” said Christopher Ahlberg, the CEO of Recorded Future, a data analysis firm backed by the investment arm of the U.S. intelligence community, among others. Those public forums included websites and chat rooms where ISIS members exchanged ideas for strategy and shared tactics.
In November 2013, well before U.S. bombs started falling, “ISIS did launch a Web-based encryption tool,” Ahlberg said. “But it disappeared right away.” More recently, the group has exhorted its followers to strip from their tweets and other social-media posts any information that might give away the geographic location from which the message was sent. Judging by the frustration of U.S. officials attempting to track ISIS, the militants appear to have heeded that call.
CORRECTION: An earlier version of this story stated that ISIS has been known to use the application FireChat. While that application has been used in Iraq, ISIS has not been confirmed to have used it. We regret the error.