The US Department of Justice has unsealed a warrant detailing how law enforcement accessed and used criminals' encrypted communications as part of Operation Trojan Shield (known as Operation Ironside in Australia and Operation Greenlight in Europe).
The warrant reveals that the Federal Bureau of Investigation (FBI) began its investigation in 2018, with the recruitment of a source who gave it access to Anom, an encrypted communications tool used by international criminal organizations.
This source also distributed Anom devices through an existing network of resellers of encrypted communication devices, all of whom had direct links to criminal organizations.
According to the warrant, the FBI recruited the source shortly after the arrest of Vincent Ramos, CEO of Phantom Secure, who had sold that company's encrypted devices to members of criminal organizations.
Better than a backdoor
Operation Trojan Shield aimed to exploit Anom by seeding it into criminal networks and working with international partners, including the Australian Federal Police, to monitor communications. To make an Anom device useful for surveillance, the FBI, the Australian authorities and their source built a master key into the existing encryption scheme: the key is attached to every message and allows law enforcement to decrypt and store messages as they are transmitted. Anom users were not aware that this key existed.
For devices located outside the United States, an encrypted carbon copy of each message was routed to an "iBot" server located outside the United States, where it was decrypted with the key supplied by the FBI's source and then immediately re-encrypted under an FBI key. The message was then forwarded to a second "iBot" server belonging to the FBI, where it was decrypted and its content became available to investigators.
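The relay described above amounts to a key-escrow design: the handset wraps each message key once for the intended recipient and once more under a master key the user never sees, and the first iBot server uses that second wrap to recover the plaintext before re-encrypting it for the FBI. The following Python model is an added illustration of that flow, not Anom's code; the toy SHA-256-based cipher, the envelope layout, the function names and the sample message are all assumptions made for the example.

```python
"""Schematic model of the 'master key' relay the warrant describes.
Added illustration, not Anom's implementation: the toy cipher, envelope
fields, key names and sample message are assumptions."""
import hashlib
import hmac
import os

NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy CTR-style keystream derived with SHA-256; stands in for a real AEAD.
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def client_send(message: bytes, recipient_key: bytes, master_key: bytes) -> dict:
    """What the handset does: a fresh per-message key is wrapped for the peer
    and, invisibly to the user, wrapped a second time under the master key."""
    msg_key = os.urandom(32)
    return {
        "body": seal(msg_key, message),
        "wrapped_for_recipient": seal(recipient_key, msg_key),
        # Hidden escrow: the 'master key associated with each message'.
        "wrapped_for_master": seal(master_key, msg_key),
    }


def recipient_receive(envelope: dict, recipient_key: bytes) -> bytes:
    """The legitimate peer's view: nothing looks unusual."""
    msg_key = unseal(recipient_key, envelope["wrapped_for_recipient"])
    return unseal(msg_key, envelope["body"])


def first_ibot(envelope: dict, master_key: bytes, fbi_key: bytes) -> bytes:
    """Relay outside the US: decrypt the carbon copy with the master key,
    then immediately re-encrypt the plaintext under the FBI key."""
    msg_key = unseal(master_key, envelope["wrapped_for_master"])
    plaintext = unseal(msg_key, envelope["body"])
    return seal(fbi_key, plaintext)


def second_ibot(forwarded: bytes, fbi_key: bytes) -> bytes:
    """FBI-controlled relay: this is where the content becomes readable."""
    return unseal(fbi_key, forwarded)


def demo() -> tuple:
    recipient_key, master_key, fbi_key = (os.urandom(32) for _ in range(3))
    # Constructed sample message, not taken from the warrant.
    message = b"container arrives Friday, call when unloaded"
    env = client_send(message, recipient_key, master_key)
    seen_by_peer = recipient_receive(env, recipient_key)
    seen_by_fbi = second_ibot(first_ibot(env, master_key, fbi_key), fbi_key)
    return seen_by_peer, seen_by_fbi


if __name__ == "__main__":
    peer, fbi = demo()
    print(peer == fbi, fbi.decode())
```

The point the model makes is that the end-to-end path between two handsets is untouched; what changes is the extra wrap of the message key, which only a party holding the master key can use. Without that key the relay's `unseal` call fails its tag check and learns nothing, which is why the scheme had to be built into the app rather than bolted onto the transport.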
Each Anom user was assigned a Jabber identifier (JID) by the source or by an Anom administrator. The JID is either a fixed, unique alphanumeric string or, on newer devices, a combination of two English words. Anom users could choose their own screen names and change them over time. As part of the investigation, the FBI kept a list of JIDs and the screen names each Anom user had used.
During the test phase of the Anom devices' use in the investigation, the Australian Federal Police obtained a court order to lawfully monitor the Anom devices that were to be distributed to individuals in Australia or that had a clear link with Australia.
Tests in Australia
In Australia, intelligence and law enforcement agencies can request or compel assistance from communications providers in accessing encrypted communications, under encryption laws passed in late 2018. About 50 devices were distributed in this test, which the warrant describes as a success.
"With the interception of these communications, Australian Federal Police have penetrated two of Australia's most sophisticated criminal networks. Australian Police shared with the San Diego FBI the nature of the conversations that took place on Anom, which included drug trafficking activity (including talks about transporting hundreds of kilograms of narcotics), gun purchases and other illegal activities", the warrant states.
After the tests carried out in Australia, the FBI approached a third country, whose identity has not been revealed, which agreed to join the investigation and set up its own iBot servers. This third country then agreed to obtain a court order under its own legal framework to copy an iBot server located on its territory and provide the copy to the FBI, in accordance with a mutual legal assistance treaty.
After infiltrating the Anom network, authorities translated and cataloged more than 20 million messages, from a total of 11,800 devices located in more than 90 countries. The top five countries where Anom devices were used, before services for the product were shut down on Tuesday, are Australia, Germany, the Netherlands, Spain and Serbia.
The warrant cites an example of a seizure made possible by the intercepted messages: a shipment of cocaine from Ecuador to Spain hidden in a refrigerated container of fish. The FBI and Spanish law enforcement examined the messages, which contained details of the shipment and of its distribution once it arrived in Spain. Spanish officers then searched the container and found 1,401 kilograms of cocaine.
In addition to decrypting messages sent from Anom devices, the FBI sought, under the warrant, to seize content from certain Google accounts, including emails and attachments, stored instant messages, stored voicemail messages and photographs.
More than 800 suspects arrested around the world
The disclosure of the document comes shortly after Australian police made the operation, dubbed Operation Ironside, public. Australian Home Affairs Minister Karen Andrews called it "the biggest operation in police history" in Australia. Police decided to go public because the third country's court order expired on June 7, the same day the operation itself ended.
In Australia, the operation resulted in 525 search warrants, the arrest of 224 people, 525 charges in total, the dismantling of six clandestine laboratories and the averting of 21 threats to kill. 3.7 tonnes of drugs, 104 firearms and other weapons, and more than A$45 million in assets were also seized in connection with the operation.
Europol, which took part in the operation, says for its part that it led to the arrest of more than 800 suspects around the world, along with numerous seizures of drugs and of money used by criminal groups. As with EncroChat and Sky ECC, the authorities say further operations stemming from this crackdown will follow in the coming days.