Red Teams and SOF concept

Note: this is the op that will serve as an example in the proof of concept paper I'm re-writing. A slightly different version was published in SOFREP and in this blog last year.

The building was brighter than the sun. It was 0200, but all offices seemed to be occupied, at least when peering through the night scope from 100 meters away.

The three figures moved slowly, deliberately, placing heels first and sensing with the tip of the foot for anything that might make noise before placing the full body weight on the front foot. Each step was calculated. Each step brought them closer to the target. Total darkness and total silence. No lights allowed, and the communication between the team members was via hand signals, when needed. They had been working together for a long time, so each person knew what to do and what the others should do.

When they reached the final observation point the modified GPS gently vibrated in the point man’s chest pocket. He made a fist followed by a circular motion with his index finger - stop and pull 360 security. They all took a knee. The second person quietly took off his ruck and placed it on the ground in front of him. He extracted a folded antenna and a MacBook Air 11”. The screen of the tiny laptop was covered with camo netting and set to a very dim value; it was hard to read text on it, but that was on purpose. The group didn’t want the screen to give up their position. They only needed the laptop to see the stumbler program, one that would show them the different wireless signals emanating from the building. WiFi, Bluetooth and other RF signals were scanned and mapped if found. The operator plugged the antenna into the USB port on the laptop and fired up the stumbler application. Immediately the scanning program began showing the different signals. Each was assigned a different color and bold numbers. This setting allowed the person looking at the very dim screen to still see the difference between signals, even without night optics.

With the laptop running and scanning, the operator touched the shoulder of the front man. He slowly rose and moved farther down, towards the building. When he found the right spot he clicked twice on the radio transmit button to let the other two team members know that he was in position.

The team was in “Indian country”. They were performing reconnaissance on a suspected enemy strategic building. The more information gathered, the better the chances of a successful operation if one was to follow.

The operator in the rear moved slowly towards the one with the laptop and touched his shoulder. The team member with the MacBook extracted from the ruck a camo tarp and a square-shaped battery with a solar panel attached to it. He plugged the laptop into the external battery and covered the laptop, battery and antenna with the tarp. Removing his Benchmade folding knife from the front pocket, the operator then cut some of the vegetation surrounding them and placed it on top of the tarp. The only visible thing was the tip of the antenna, which was painted tan. The laptop was preprogrammed to stop capturing signals after 24 hours and to send an encrypted message via satellite back to the TOC with the contents of the scan. Signals intelligence, SIGINT, and communications intelligence, COMINT, were usually captured by more advanced means; however, in this case a more direct and dirty approach was needed. The operator with the laptop was part of a new approach, one that employed red teams as direct support for special operations forces.

Once the laptop was set, the two figures moved slowly towards the position of the front man. Again, their movement was careful, with each step probing the ground for anything that might give their position away. They found the point man in the prone position observing the target with a night scope. A Rite in the Rain green notepad was held open in the operator’s right hand. Several notes were already jotted down on the notepad. The red team member checked his watch and tapped the rear man’s shoulder. He then tapped his watch. The operator checked his watch and nodded. He moved closer to the point man and signaled with his right hand open twice. Ten minutes. He then moved back to cover the team’s rear for any surprises. He was carrying a suppressed M4 and an HK .40. The plate carrier was loaded with magazines for both the rifle and the pistol, a med kit, grenade pouches and a mix of other tools. The red team member opened his ruck again and extracted a pair of night-capable binoculars and a camera, and slowly crawled next to the point man. He placed his suppressed M4 next to him. While the point man was focusing on the men in and around the building, the red team operator focused on antennas, wiring, cameras and any other digital signature the building might present. The laptop would capture the signals from the building, while manual observation of the compound would provide a better idea of the physical aspects of the digital installation.

The two operators observed the building for the next ten minutes, taking notes and pictures of everything, regardless of how small the details were. The rear operator clicked the radio transmit button twice at the ten-minute mark. The red team member replied with two clicks: everything OK here, still on recon. The rear operator then transmitted a short signal to the TOC informing them that the operation was still on schedule. He would repeat this in another ten minutes.

They remained there for two hours. At 0400, with about 2+ hours of darkness remaining, the operators slowly and quietly packed their gear and moved toward the rear operator’s location. He would be the point man now. The red team member checked the laptop once more before leaving and with a thumbs-up signaled to the operators that it was OK. The trio began the slow way back to the exfil point some 3 kilometers down the hill.

The movement was still slow and deliberate. The exfil needed to be as quiet and stealthy as the infil; they needed to be back the next night to recover the laptop.

At the exfil location the now front man signaled to stop and pull 360 security. They remained completely still until a beaten-down white Toyota Hilux appeared. The small pickup truck, so ubiquitous in this part of the world, was completely blacked out. The three men jumped in the back and the vehicle disappeared into the darkness.

At the TOC the other four members of the red team were busy setting up the computers and other commo gear. By the time the three-man recon team returned, the red team was ready to download and analyze the pictures and notes taken by the team in the field.

While the team provided all the notes and other bits of information to one of the red team members, the other two pinged the MacBook Air left in the field to check that everything was OK. The laptop’s reply told the operators that the scan and capture program was still running. They would do this at one-hour intervals until the 24-hour mark was reached. At that point the data would be uploaded to the TOC. The laptop would be recovered a few hours later by the field team and direct access to the information would be available; however, as a precaution, the upload of the data directly from the field was set up as well.

Several hours later, already at night, the red team member who was part of the field team glanced at his watch as he was getting ready to head out again. He already had a plan in mind on how to attack the digital infrastructure of the compound; however, he needed to wait until the captured data was retrieved in order to finish planning with the rest of the red team members. Once this was done they would put together a PowerPoint presentation with the plan for the CO of the SOF unit they were supporting. The SOF unit would be in charge of the actual attack, backed by the red team.

With all the gear ready inside his ruck and on the plate carrier, the red team operator met with the two special operations team members to get something to eat and wait for their ride out.

Then, the trio was out. Now to recover the laptop.

The trip to the infil point was uneventful. The blacked-out Hilux took the rocks on the road pretty well; however, the operators in the back of the small pickup truck felt every one of them.

Once they reached the infil point, the vehicle slowed down just enough for them to jump out and seek cover by the side of the road. There they stayed for half an hour, completely still. Hearing. Smelling. Sensing.

The point man signaled with his hand to the other two that it was time to move. He consulted his GPS and made a note on his map. Then the three rose and began moving slowly. Each step was carefully taken, sensing the ground underneath. They needed to recover the laptop, the antenna and the solar battery. The gear had been placed there the night before by the same team. One of the members of the group was a red team member. His team was tasked with gathering electronic and digital intelligence on a suspected enemy building. Once the intelligence was collected and analyzed, the red team members would create a digital support package for the SOF unit they were attached to, and would ultimately provide real-time digital support for an attack.

At the TOC, the rest of the red team members were already dissecting the information uploaded only minutes ago from the laptop. The system was preprogrammed to capture information about RF signals, paying attention to WiFi and Bluetooth connections, for 24 hours; then it would compress everything and send it back to the TOC. This would allow the team not only to learn what was being leaked from the building, but in some cases to break the wireless security of any access point they might have.

The lead analyst, a very experienced hacker and cryptographer, was sorting through the information when the call from the field team was heard over the comm: Laptop retrieved, en route to TOC. The four-man red team was composed of a mix of talents with different backgrounds. There was the leader, the team member in the field, a former sniper turned infosec professional. The main analyst, an MIT hacker with a talent for finding loopholes in everything. The surveillance expert, a late-50s former LE officer with no computer experience. And finally, the young 18-year-old programming genius, able to code programs for everything, from a Unix box to a complete reprogramming of a PSC-5. The only members of the team going into the field were the team leader and the surveillance expert. The rest had no experience in field work and could be a liability to the SOF unit they were attached to.

When the field team arrived, they headed straight for the TOC to unload the laptop and the other digital and surveillance gear there. The three-man group was soaked from head to toe. It was a cold and wet night, with a combination of rain and snow falling constantly. Not a fun environment to be working in; however, it suited the team: chances were the enemy were nice and dry inside their building and not paying attention to what was going on around them. The team was dressed in the latest in hybrid technology, a mix of soft and hard shell clothing.

Over the next 48 hours, the red team would get no sleep. While a small team of operators maintained eyes on the target, the digital operators analyzed all the intel gathered. They checked the wireless signals and found them breakable, carefully reviewed guard and patrol patterns, and analyzed the radio calls intercepted during the digital recon. A plan was drafted, one that included a digital disruption of operations at the enemy site and full control over their systems. These were not top-of-the-line servers and network devices, yet they were sophisticated enough to be trusted by the bad guys.

That was about to change.

After a couple of hours of sleep and a good coffee, the red team leader grabbed his laptop and headed toward the CO’s tent. He fired up the presentation and carefully walked the CO and his top sergeants through the whole plan. Slide by slide. Some of the sergeants poked holes in the plan and a new one was drafted. At the end of the 90-minute meeting the CO was smiling.

The red team was assembled and the leader explained the plan. Each member was now tasked with a specific action. Each action had to be performed at the exact moment for the plan to work.

To simplify, the plan called for the complete takeover of the building’s network and servers, and of the main comms, which were found to be linked to one of their servers. This would start immediately. Once this was achieved, the attacking SOF team would insert and make its way towards the site. The attack would commence by ensuring complete disruption of both the terrorists’ comms and their network capabilities.

At that moment the two field teams would attack from two sides. The red team, controlling the digital aspects of the site, would issue orders over the comms to the enemy, sending them over to the wrong side of the compound.

The raid was successful.