Pages

1 February 2016

*** Hacking the Israeli Drones

Spies in the Sky: Israeli Drone Feeds Hacked By British and American Intelligence
Cora Currier and Henrik Moltke, The Intercept, January 28, 2016
AMERICAN AND BRITISH INTELLIGENCE secretly tapped into live video feeds from Israeli drones and fighter jets, monitoring military operations in Gaza, watching for a potential strike against Iran, and keeping tabs on the drone technology Israel exports around the world.
Under a classified program code-named “Anarchist,” the U.K.’s Government Communications Headquarters, or GCHQ, working with the National Security Agency, systematically targeted Israeli drones from a mountaintop on the Mediterranean island of Cyprus. GCHQ files provided by former NSA contractor Edward Snowden include a series of “Anarchist snapshots” — thumbnail images from videos recorded by drone cameras. The files also show location data mapping the flight paths of the aircraft. In essence, U.S. and British agencies stole a bird’s-eye view from the drones.
Several of the snapshots, a subset collected in 2009 and 2010, appear to show drones carrying missiles. Although they are not clear enough to be conclusive, the images offer rare visual evidence to support reports that Israel flies attack drones — an open secret that the Israeli government won’t acknowledge.
“There’s a good chance that we are looking at the first images of an armed Israeli drone in the public domain,” said Chris Woods, author of Sudden Justice, a history of drone warfare. “They’ve gone to extraordinary lengths to suppress information on weaponized drones.”
The Intercept is publishing a selection of the drone snapshots in an accompanying article.
Additionally, in 2012, a GCHQ analyst reported “regular collects of Heron TP carrying weapons,” referring to a giant drone made by the state-owned Israel Aerospace Industries, known as IAI.
Anarchist operated from a Royal Air Force installation in the Troodos Mountains, near Mount Olympus, the highest point on Cyprus. The Troodos site “has long been regarded as a ‘Jewel in the Crown’ by NSA as it offers unique access to the Levant, North Africa, and Turkey,” according to an article from GCHQ’s internal wiki. Last August, The Intercept published a portion of a GCHQ document that revealed that NSA and GCHQ tracked weapons signals from Troodos, and earlier reporting on the Snowden documents indicated that the NSA targeted Israeli drones and an Israeli missile system for tracking, but the details of the operations have not been previously disclosed.
“This access is indispensable for maintaining an understanding of Israeli military training and operations and thus an insight to possible future developments in the region,” a GCHQ report from 2008 enthused. “In times of crisis this access is critical and one of the only avenues to provide up to the minute information and support to U.S. and Allied operations in the area.”

Map: Stéphane Elbaz, The Intercept

GCHQ documents state that analysts first collected encrypted video signals at Troodos in 1998, and also describe efforts against drones used by Syria and by Hezbollah in Lebanon.

A 2009 document notes that “no tip-off exists for Hezbollah UAV [Unmanned Aerial Vehicle] activity;” apparently the spies had few signals that they were sure were associated with Hezbollah’s drone program. Another report recounts that Troodos had captured video from an Iranian-made drone flying out of a Syrian air force base in March 2012, resulting in “presidential interest in further samples of the Regime launching attacks upon the general populous [sic],” presumably referring to U.S. President Barack Obama, whose administration had first called for Syrian President Bashar al-Assad to step down the year before, a few months after his regime began a crackdown on Arab Spring protests. Indeed, also in March 2012, unnamed U.S. officials told the press that Assad had been suppliedwith Iranian drones.

But much of Anarchist’s focus was on Israel. The drone-watching documented in the GCHQ files covered periods of Israeli military offensives in Palestine, and also indicates that the intelligence agencies monitored drones for a potential strike against Iran.

The documents highlight the conflicted relationship between the United States and Israel and U.S. concerns about Israel’s potentially destabilizing actions in the region. The two nations are close counterterrorism partners, and have amemorandum of understanding, dating back to 2009, that allows Israel access to raw communications data collected by the NSA. Yet they are nonetheless constantly engaged in a game of spy versus spy. Last month, the Wall Street Journal reported that, although President Obama had pledged to stop spying on friendly heads of state, the White House carved out an exception for Israeli Prime Minister Benjamin Netanyahu and other top Israeli officials. Michael Hayden, former head of the CIA and NSA, told the Journal that the intelligence relationship with Israel was “the most combustible mixture of intimacy and caution that we have.”

GCHQ and the Israeli Defense Forces declined to comment. The NSA acknowledged receipt of an inquiry but did not respond to questions by the time of publication.
Drone’s-Eye View

On January 3, 2008, as Israel launched airstrikes against Palestinian militants in Gaza, U.S. and British spies had a virtual seat in the cockpit.

Satellite surveillance operators at Menwith Hill, an important NSA site in England, had been tasked with looking at drones as the Israeli military stepped up attacks in Gaza in response to rockets fired by Palestinian militants, according to a 2008 year-end summary from GCHQ. In all, Menwith Hill gathered over 20 separate drone videos by intercepting signals traveling between Israeli drones and orbiting satellites. The NSA’s internal newsletter, SIDToday, enthusiastically reported the effort, noting that on January 3, analysts had also “collected video for the first time from the cockpit of an Israeli Air Force F-16 fighter jet,” which “showed a target on the ground being tracked.” Menwith Hill had worked “closely with a GCHQ site in Cyprus for tip-offs.”

In July 2008, GCHQ ordered Anarchist technicians to look for drones flying over a number of “areas of interest,” including the Golan Heights (a region of southwest Syria seized by Israel in the 1967 Six-Day War), the occupied Palestinian territories of the West Bank and Gaza Strip, and Israel’s borders with Lebanon and Syria.

“Due to the political situation of the region there is a requirement for Israeli UAV operations in certain areas to be intercepted and exploited so that assessments can be made on what possible actions maybe [sic] taking place,” read the request, dated July 29, 2008. The memo asked for analysts to record and send video to GCHQ, along with ground plots showing where the drones had flown, and information about the signal.

Anarchist operators were able to snag the feeds of several different types of Israeli drones, according to an Intercept analysis of the snapshots and presentations from GCHQ summarizing Troodos achievements. The 20 snapshots identified by The Intercept in GCHQ files include several video stills clearly taken from Israeli drones, dating between February 2009 and June 2010.

According to one GCHQ presentation, technicians first collected signals from a Heron TP in February 2009. Intercepted images indicate that they also picked up video from other models and configurations of the Heron, and from the IAI Searcher drone. Another GCHQ presentation shows that by 2009, technicians had tapped into data from Hermes drones, manufactured by the Israeli company Elbit systems. In January 2010, Troodos reported that in the previous six months they had collected data from the Aerostar tactical drone and the Orbiter mini-drone, both made by the Israeli company Aeronautics.

In several snapshots of the Heron TP, there are objects under the wings that appear to be mounts for missiles or for other equipment such as sensors. In one image, from January 2010, a missile-shaped object is clearly visible on the left wing, while the mount on the right appears to be missing its load.

The Heron TP, which the Jerusalem Post described as “the drone that can reach Iran,” has an 85-foot wingspan — larger than that of the Reaper, the largest armed drone flown by the United States Air Force — and can carry a 1-ton payload. Israel recently reached an agreement to sell armed versions of the TP to India.



Gil Cohen Magen/Reuters/Newscom

Pieter Wezeman, a senior researcher on arms transfers with the Stockholm International Peace Research Institute, told The Intercept that the items visible under the wings in the snapshots “appear to have the kind of fins such missiles have,” but noted that “there could be other payloads that could be fitted in the same position.” Chris Woods, the drone history author, said that they could be sensor pods for intelligence gathering.

It has been widely reported that Israel launches attacks from the smaller Hermes 450s, although the GCHQ documents do not specify whether the Hermes drones recorded at Troodos were armed.

Reports surfaced of Israel launching missiles from drones in Gaza as far back as 2004, and more than a decade later, drones have become a fact of life for residents. Chris Cobb-Smith, a former British army officer who has investigated drone strikes in Gaza for human rights groups, said that “during periods of tension, you can seldom go outside without the buzz of drones overhead.” A Gaza City bar owner complained to the Washington Post in 2011 that drone patrols often interfered with his satellite TV signals. In 2014, the LondonTelegraph reported that 65 percent of Israel’s air combat operations were conducted by drones. Yotam Feldman, an Israeli filmmaker who made adocumentary about Israel’s drone industry for Al Jazeera last year, said that he has been told the figure is even higher.

During Operation Cast Lead, a three-week Israeli offensive that began in December 2008, Human Rights Watch reported dozens of Palestinian civilian deaths from drone strikes. In diplomatic cables released by WikiLeaks, an Israeli commander told a U.S. State Department official that a “UAV fired two missiles” against militant operatives outside a mosque, and that shrapnel from the strike hit civilians.

Yet the Israeli government still maintains an official stance of secrecy (a tactic akin to the United States’ refusal to formally acknowledge its drone program until 2013, despite years of reporting and commentary on it). In sanctioned interviews, Israeli military personnel are careful to describe the drones they fly as being used for surveillance and marking targets for manned warplanes to strike. Aviation and defense bloggers are left speculating about blurred photos andindustry rumors about how drones might be equipped with missiles. The Israeli media is subject to a strict censorship regime, and the military does not allow mention of armed Israeli drones, unless quoting foreign sources.

“Releasing full details about which munitions were used and how they were used can raise many other questions about these attacks — about the targets, about what the army calls collateral damage, about the command chain,” said Feldman, the Israeli filmmaker. “I think it is really the Israeli military throwing sand in the eyes of outside observers on Israeli strikes.”

The Anarchist images don’t show any drone strikes in action. It is not always clear from the images precisely where the drones were located, and it is thus impossible to tie the intercepts to specific attacks. A note on January 12, 2009, in the midst of Cast Lead, directs technicians “with the current situation … to keep a watch and report on where the majority of UAV flights are being conducted.” But the snapshots identified by The Intercept date from after Israel withdrew from Gaza in January 2009.

In several cases, the images were taken on the same day or just before reported Israeli airstrikes on Gaza, which continued after the ceasefire. For instance, on August 25, 2009, after months of relative quiet in the border area between Gaza and Egypt, Israel bombed a tunnel on the border, killing three Palestinians and wounding seven. That same day, Anarchist technicians at Troodos captured an Israeli drone signal.
Decoding the Drone

Drones communicate with their controllers on the ground via satellite; the transmission to the home station is known as the “downlink.” The antennas at Troodos grabbed that downlink by finding the right frequency for each drone.

Drone feeds are vulnerable to interception not just from the NSA — even cheap, commercially available equipment can be used to get the downlink. In a 2009article in Wired, a U.S. military official likened such interception to “criminals using radio scanners to pick up police communications.”

Indeed, in 2009, U.S. forces in Iraq discovered laptops with video from Predator drones in the hands of insurgents. It couldn’t have come as a total surprise — military officials had noted the vulnerability as far back as 1999, and a 2005 CIAreport stated that one of Saddam Hussein’s technicians had likely “located and downloaded … unencrypted satellite feed from U.S. military UAVs.”

In 1997, Hezbollah killed 12 Israeli commandos in an ambush in Lebanon. It emerged years later that Hezbollah had plotted the ambush after intercepting unencrypted drone video. The revelation caused a scandal, and led the Israeli military and drone industry to invest “significant efforts to encrypt the transmission of UAVs to their ground bases,” said Ronen Bergman, an investigative journalist with the paper Yedioth Ahronoth, who is currently writing a book on Israel’s intelligence service, Mossad.

“The broadcast was supposed to be completely secure,” said Bergman. “If the NSA and GCHQ were able to crack that, it would come as a big surprise, and might well lead to the launch of an inquiry.”

Israel appears to have since expanded encryption across its drone fleet, and many of the feeds grabbed by the Troodos analysts were encrypted or scrambled, showing up like the black-and-white snow on a TV screen.

According to GCHQ Anarchist training manuals from 2008, analysts took snapshots of live signals and would process them for “poor quality signals, or for scrambled video.”

The manuals stated that video feeds were scrambled using a method similar to that used to protect the signals of subscriber-only TV channels. Analysts decoded the images using open-source code “freely available on the internet” — a program known as AntiSky. The attack reconstructed the image by brute force, allowing intelligence agents to crack the encryption without knowing the algorithm that had been used to scramble the video.

Even when fully decoded, the images are of varying quality, often grainy, and often showing nothing but the sky or sun or the drone’s own landing gear nearing the runway.

The aim of the snapshots seemed to be simply to identify which signals belonged with which aircraft, weapon, or radar, and to demonstrate that the intelligence agencies had the capability to grab such snapshots if needed. “The computing power needed to descramble the images in near real time is considerable,” the Anarchist manual notes, but “it is still possible to descramble individual frames to determine the image content without too much effort.”

The GCHQ documents describe the mission against Israeli drones in broad terms. An “outbreak of hostilities between Israel and Hamas” occasioned the intelligence agency’s interest, and so did tension with Tehran. In reporting on flights of an armed Heron TP, a Troodos employee noted that “our ability to collect and track and report this activity is important for the initial detection and tip-off for any potential pre-emptive or retaliatory strike against Iran.”

A 2008 Anarchist memo also notes that “interest by the weapons community in Israeli UAV’s [sic] remains high,” because Israel “provide[s] many countries with their UAV’s” and is “developing large UAV’s capable of being deployed for a variety of purposes.” Another, also from 2008, describes the hunt to confirm whether a specific type of radar “has been mounted on any UAV platforms.” A GCHQ presentation listing “successes in 2009” at Troodos includes “UAV development Israel/India.”

Israel leads the world in drone exports, and capabilities Israel developed would soon be passed to other countries. Its companies aggressively market the potential attack capabilities of their aircraft. In September, India made arrangements to buy 10 armed Heron TPs. This month, Germany’s defense minister, Ursula von der Leyen, announced that the country would lease several TPs, citing the aircraft’s attack capabilities.

“This will be the standard in the future,” von der Leyen said.

By most accounts, Israel, the United States, the United Kingdom, and Pakistanare the only countries known to have used drones for deadly attacks. But dozens of countries are believed to be developing armed drones, so that club likely won’t stay small for long.
Documents published with this article:

No comments:

Post a Comment