In an operation led by the US Federal Bureau of Investigation (FBI) and the Australian Federal Police (AFP), international law enforcement agencies gathered 27 million encrypted messages exchanged by criminals. The operation hinged on developing and distributing a custom communications application for modified phones.
Unsurprisingly, organized crime groups take extraordinary measures to avoid detection. For example, criminals purchase customized phones modified solely for secure communication. The law enforcement agencies took advantage of this by setting up an underground business selling communications software for such phones. The phones had normal functionality, such as making calls or sending texts, deliberately disabled; in its place they ran the encrypted chat platform An0m, which was secretly under the control of these agencies. On top of the price of the phone, criminals paid a $1,500-2,000 six-month subscription to use the service.
The app did provide encrypted communications as advertised, but as the criminals went about their business a copy of every message was also delivered to the agencies' “iBot” server. The system attached a master key to each message so that it could be decrypted and stored. The message was then re-encrypted and delivered to the intended contact.
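The escrow pattern described above can be modelled in a few lines. What follows is an added example, not code from the article or from the An0m platform. It uses a constructed toy cipher (an HMAC-SHA256 keystream) rather than a real one, and the envelope layout, the function names (seal, open_envelope, audit) and the single-escrow-slot design are assumptions made for illustration. It shows how an app can honestly "provide encrypted communications" while a second wrapped copy of the per-message key lets a master-key holder read everything, and the check a reviewer of the client or wire format can run: counting how many parties each message key has been wrapped for.

```python
"""Toy model of an escrowed message envelope (constructed example).

Each message is encrypted under a fresh per-message key. That key is
"wrapped" once for the intended recipient and, in the escrowed variant,
a second time for a master (escrow) key. Whoever holds the master key
can unwrap every message key, and therefore every message, while the
recipient still sees a working encrypted chat. The cipher below is a
deliberately simple HMAC-SHA256 keystream for illustration only.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; the "ks" prefix separates it from the tag domain.
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, b"ks" + nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def _xor_stream(data: bytes, key: bytes, nonce: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def _tag(msg_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # Integrity tag under the message key; also tells a key holder which slot is theirs.
    return hmac.new(msg_key, b"tag" + nonce + ciphertext, hashlib.sha256).digest()


@dataclass
class Envelope:
    nonce: bytes
    ciphertext: bytes
    tag: bytes
    wrapped_keys: List[bytes]  # one slot per party able to unwrap the message key


def seal(plaintext: bytes, recipient_key: bytes,
         escrow_key: Optional[bytes] = None) -> Envelope:
    """Encrypt plaintext for the recipient; optionally add a hidden escrow slot."""
    msg_key = os.urandom(32)
    nonce = os.urandom(16)
    ciphertext = _xor_stream(plaintext, msg_key, nonce)
    slots = [_xor_stream(msg_key, recipient_key, nonce)]
    if escrow_key is not None:
        # The escrow slot: the same msg_key, wrapped for the master-key holder.
        slots.append(_xor_stream(msg_key, escrow_key, nonce))
    return Envelope(nonce, ciphertext, _tag(msg_key, nonce, ciphertext), slots)


def open_envelope(env: Envelope, key: bytes) -> Optional[bytes]:
    """Try every key slot with `key`; return the plaintext if one unwraps correctly."""
    for slot in env.wrapped_keys:
        candidate = _xor_stream(slot, key, env.nonce)
        if hmac.compare_digest(_tag(candidate, env.nonce, env.ciphertext), env.tag):
            return _xor_stream(env.ciphertext, candidate, env.nonce)
    return None


def audit(env: Envelope, expected_recipients: int = 1) -> dict:
    """Defender's check: flag envelopes carrying more key slots than named recipients."""
    extra = len(env.wrapped_keys) - expected_recipients
    return {"key_slots": len(env.wrapped_keys),
            "extra_slots": max(extra, 0),
            "suspicious": extra > 0}


if __name__ == "__main__":
    alice, master = os.urandom(32), os.urandom(32)
    honest = seal(b"constructed sample message", alice)
    escrowed = seal(b"constructed sample message", alice, escrow_key=master)
    print("honest envelope:", audit(honest))
    print("escrowed envelope:", audit(escrowed))
    print("master key reads escrowed message:", open_envelope(escrowed, master))
```

In a real review the equivalent check is inspecting what the client actually emits on the wire (message size, number of key blobs, recipient list) rather than trusting the app's description of itself; a wrapped key that no named contact can unwrap is the escrow.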
The agencies began distributing the customized phones to buyers in 2018. The operation ultimately reached more than 100 countries and over 300 criminal groups, and involved 12,000 encrypted phones.
The operation's success rested on word of mouth and trusted relationships. An individual who had previously built encrypted chat platforms for criminals was recruited by the agencies, in return for a reduced sentence, to create the An0m platform. That individual then used their trusted distributor connections to get the phones onto the market.
Are there lessons to be learned from all of this (besides ‘don't be a criminal’)? Distributor relationships and supply chain integrity are fraught with potential security lapses. The distributors believed they had a good product based on their experience with the seller; they fell into the reasonable trap of trusting an individual on the strength of prior dealings. Trust and a good reputation are invaluable when navigating the black market. It is important to re-verify a trusted connection on a recurring basis. The problem is that it is hard to keep a finger on the pulse of every update and change that enters your security environment. The SolarWinds hack is a prime example.