
Cyber pros used OSINT and sock puppets to aid mass Afghanistan evacuation

Refugees who were evacuated from Afghanistan last August walk through Dulles International Airport, from which they were later taken to a refugee processing center. (Photo by Anna Moneymaker/Getty Images)

It was a rescue mission unlike any other: Digital Dunkirk, the mass evacuation of stranded U.S. civilians, foreign citizens and Afghans from Afghanistan, following the sudden withdrawal of U.S. troops and the unexpectedly rapid advance of Taliban forces.

Veterans, volunteers, government workers and officials all worked together to create a virtual global network that provided secure communications, open-source intelligence and logistical aid to usher vulnerable and endangered individuals out of the country.

Among the many contributors to this effort was a team of executives and employees at cybersecurity and IT professional services firm Echelon Risk + Cyber, which launched just last May in Pittsburgh, Pennsylvania. As it turns out, cybersecurity skills actually proved to be quite valuable to the operation, according to CEO and managing partner Dan Desko, and Dahvid Schloss, offensive security lead.

It all started with a phone call, when an old military friend requested help from Schloss, formerly an enterprise systems administrator with the U.S. Air Force and an information operations security researcher at the Joint Communications Unit. Schloss and Desko, the latter of whom is also a board member of the ISACA Pittsburgh chapter, recounted to SC Media how the rest of the story unfolded and how cyber skills were a key factor in the rescue of people in need. (ISACA also released a video detailing the team's efforts.)

First tell me a little more about your new firm, Echelon Risk + Cyber.

Dan Desko, CEO and managing partner, Echelon Risk + Cyber.

Dan Desko (DD): One of the things that is pretty important to us and in our values is the fact that security and privacy are basic human rights. We like to always say, “Look at the human side of security.” Because that's what things boil down to. At the end of the day we're trying to protect people, their systems, their data and their privacy. So our firm is founded on those principles.

What inspired you to join the Digital Dunkirk movement?

Dahvid Schloss (DS): I got hit up by an old colleague of mine... It was an old military colleague. The one thing that’s great about vets is we just never lose touch with one another, especially when you’ve deployed and done things together.

They hit me up and they were like, “Hey man, I need your help. Here's what's going on: We don't have enough resources within the government to help 100,000 people. We need to help these people, because they helped us.”

So once that call came it was like, all right, yeah, let's do it. I went to Dan. I was like, “I'm going to take PTO” and Dan's like, “No you're not, you're just going to go do it. And work with the guys and see what they can do to help.” And ultimately that's when I went to the team and I was like, “Hey, this is what we need: sock puppets, the whole nine yards. Get some operational security in here so that we can contact individuals that are at risk down in Afghanistan.” And then it just took off from there, and then it was a week-long endeavor of no sleep. And a lot of work.

Can you give me a sense of what kinds of cyber skills were integral to the effort?

DS: I’ll start that off by saying that everything that can be used for bad can be used for good, or vice versa. Let's take open source intelligence (OSINT) gathering. The bad side of that is, you can gather information on employees and their company that could result in you gaining access through knowledge of who's their very first dog, their mother's maiden name, or where they live. It's called doxxing, and no one wants to be doxxed on the Internet because it’s breaking the anonymity of somebody.

On the flip side, you can use all that knowledge gathered up on individuals so you can fill out life-saving paperwork. Let’s say an individual is trying to get their special interest visa approved because they are the wife or the child of a former [confidential informant], or interpreter or something… that the Taliban are probably not going to be too happy about… But because they don't have access to the Internet, you need to have all their information to push that forward to a senator to say, “Hey, senator, please stamp this ASAP so we can get them on a plane.” And you can gather all that information from the Internet, minus of course passport numbers or stuff like that.

On top of that, there’s imagery OSINT… Where are the Taliban checkpoints? Also, people aren't supposed to use their phones around the Taliban, but they'll still take photos. You can correlate those photos with Google Map imagery and figure out exactly where individuals are standing. And that gives you a good idea of being able to push that intel to a contact that you have in country and go, “All right. Avoid this place because, Taliban are staying there.”

I think when you start looking at what can be used for bad and start reversing that, in a very extreme use case, it does allow for a little bit of wiggle room to say, “Okay this is good.” It's still a little terrifying, don't get me wrong, because it's that same principle that [leaves vulnerable] privacy and data but, for better or for worse, that's just how it's gonna be. Everything is there. We're connected.

Can you provide a specific example of someone you assisted through OSINT gathering and other cyber practices?

Dahvid Schloss, offensive security lead, Echelon Risk + Cyber.

DS: I'll give you one… Most of the time when we saved people, or helped them get out, that was the last we ever heard of them. The cell phones drop and you don't ever hear from them again.

This particular one, the individual was missing. We had them on our contact card. They were an American blue passport citizen. They were just in country. And the last contact time on the piece of paper that we had was two days. That's a little scary, especially considering that, as much as the Taliban said they are being civil and not hunting people down, there were plenty of reports that said the contrary. So we constantly were trying to contact this individual. And eventually we needed to use different methods.

So by looking them up online, we were able to correlate a few phone numbers that could have been associated to relatives living in the States. We gave those phone numbers a call at like 2 a.m. in the morning and it turned out one of them was a child of this person. And we're like, “Hey, have you heard from your parent?” Then they were like, “Yeah, their phone was broken by the Taliban at a checkpoint.” They'd been contacting that individual via other people's phones.

So, this individual in country was asking others, “Hey, can I use your phone?” and calling back to their family in the States – and they were still okay. So we were able to direct this individual to the airport to the proper gate within Kabul Airport for them to be able to get on a plane without harassment from the Taliban. And a day later, we got a text back from that child that basically said thanks, their parent is out of the country now. That one was… a good feeling.

Can you provide a little more detail on how you also helped set up secure communication channels through which to communicate OSINT findings?

DS: We did take open source intelligence and provided it to individuals through secure communication channels to get them around places that would potentially be hazardous to their health or life.

There also was a big effort on our part to help out other people in the group that weren't directly employed by us, to protect their identity as well. We did that by creating what's known as a sock puppet – which is a fake online identity – and providing them with VMs. They’d have a phone number without actually having a phone number, so that they had a safe way of communicating. Because as we're seeing now, the people who assisted with Digital Dunkirk and did not do their own OpSec are starting to be harassed by individuals in Afghanistan. And by individuals I mean likely Taliban individuals.

Your use of sock puppets, which are often used in nation-state disinformation campaigns, is another example of what you said before about how tech can be used for good or for bad.

DS: Oh yeah. Everything has a good and bad side to it, especially in cyber.

How big was the effort within your company, and do you know how many successful evacuations your team helped facilitate?

DD: Dahvid led the efforts, but it took… a number of our teammates to jump in and assist.

DS: This was definitely not a single-person job… The direct group we worked with was maybe 15 people, and we directly helped get 50 people out. The greater group, which was closer to 50 people helped get over 200 out. (This number includes our efforts as well.)

I think there's still a photo in my Signal chat somewhere that has the tally marks of everyone that we got out… I know that Digital Dunkirk as a whole was wildly successful, considering that you had 100,000-plus people asking for asylum outside of the country. So there was this massive effort from everyone around the country that was just phenomenal to see. And it was all thanks to small groups like ours and others.
