I had a meeting the other day I was explaining the second book am writing. And I was saying how each book was brought to bear from small aspects of missions that I ran or led for several years in the Cyber domain.

As you know, I have been operating as a Cyber Operator for years, thats more than 20 years. Literally a veteran now. And so much so, I have led members of Cyber Ops on SIGINT missions and also Cyber Defense missions that helped shape Politics or Defend Nations and Institutions. That being so, I wrote my first book, The Confederate from those experiences.

I had to bring those feelings we get when building tools, the emotional experience during the leg work, the difficulties and the thought processes we go through when dealing with an enemy in cyber space and on the meat space.

The Missions / Without breaking classifications

Counter Amniyat on cyber bullying.    Back in 2013 and 2014 we had this girl who was the daughter of someone senior in government. The AS decided to use her name and make a Facebook page that really supported her father and the good work he was doing for the new government. After the page had millions of followers, this fake page started to launch insults and propaganda against his office and his work. Its became serious that the daughter was questioned if she owned the page. She only had an Instagram back then. So who was behind the page?

It was an intelligence branch of AS that is known as Amniyat.

Here is where the Vanessa storyline comes in. Though, I do twist a lot of stuff on the book and put some imaginations to make it more fictional and fun to read.

Call Girls as informants.    For those who have read the first seven free chapters online, you have met Aisha. She is Somalian, and as the story goes on, you will get to know her back story. Though her story as a refugee comes from other experiences. Her story draws from missions where we trained call girls on how to infect devices or run stagers into targets home networks or devices of such targeted individuals during hotel sessions. As long as they were paid well as informants, we knew they would keep the secrecy, as investigations were conducted and a threat countered.

BTW, Call-Girls make the best informants especially those that are well educated.

These ladies usually have an insane amount of information, unlike other sources like Taxi drivers.

Use of Metasploit payload that compromises a CI.    Sometimes due to politics and corruption some individuals will use shortcuts especially in GoK. I am not going to say where this happened but I had advised some of the guys targeting someone who was very, very bad, of the worst in Africa, to not to use an Open Source software because where he worked, Cyber Security was really important. Evasion to complete the objective was a requirement. They chose to ignore me, because they thought that if they pocketed the money and sent an informant with a flash disk that had that payload, then they would successfully get the data they needed without issues. How wrong they were.

The problem is that the CI was caught and he got what he didnt expect from those savages. I won't explain further due to respect and love of my nation, the sympathy I have for his parents and others that it would hurt if it gets out.

Infection Sequence with network loader, then implanting.    I have done missions in the field, both Close-access operations and Close-net operations. Both of these operations are usually risky but if you got your (Surveillance Detection Route) SDR covered, someone watching your six and good reason why you are there, you can literally walk away with anything.

On one of the missions, where Vanessa runs an infection chain against a Somalian Signals Intelligence operator via WiFi and pushes an infection stager via packetology-magic, thus having a loader execute on target box, comes from a playbook on a target that we really needed our eyes on. The building was so secure we couldn't get in. And as shown on the Vanessas story, you can tell she had set persistence the way rookies do cause she was in a hurry and in the field. Yes, she was using a long range Yagi antenna.

She had set the persist methodology on the %AppData% of the startup folder, of the current logged in user. She needed to remove that persistence as soon as possible, because if threat hunting was done, the first place any hunter would go for, would be startup folders and registry run-keys. Also note, when other attackers are on the same system, they usually check if there is another infection on the target. This helps to minimize risks of their implants from being caught. The risk would be for the attacker who came in earlier, 'cause they would capture that artefact. Not only would they upload it to a Sandbox portal like, Virus Total but they also would acquire the technology, algorithms and techniques that they are seeking by picking such toolkits apart. So this was a risk for her to leave it there overnight even though how tired she was and the distractions from her friend, James.

The problem that we usually had was running such ops in the urban areas, you would have set up across the street on another building rather than in a car and have the antenna pointed on target building for the penetration stage. But in the outskirts, a plantation across and far, was easier. Though the trees would be the only point of failure which we usually countered and manoeuvred.

Kenyan DarkWeb Servers.    These days, young people are deploying infrastructures at home. They are learning new ways to exploit the market. The internet has become faster since the Kibaki regime. We have tracked servers being used in people homes for sale of illegal substances especially in the outskirts of Nairobi. Its important that security agencies, scan and find such servers. This is because, in our current communities, there are very Evil people out there, that will do anything to make money in expense of peace and civilization.

In the story, you can tell Vanessa, Ibrahim and Alex are using a Darkweb webserver in the house that has a content management system known as PHPBB that has forums and chat applications that they used to coordinate a Computer Network Operation against Somalian Government. This was after a close friend of Vanessa’s was killed accidentally with a turkish bought UAV as she taught orphans in a school outside Mogadishu, Somalia.

We have tracked criminals over time who used Darkweb servers for criminal coordination and operational planning over the years. Also, you get to note that ransomware crews and Financial organized groups use these servers and technology, for training, operating against targets, ransomware payments and negotiations. The good thing is that most of the East African cyber criminals are low scale, and use WhatsApp and Telegram to coordinate ops which is easier to intercept. They are so low scale, they don’t mind being caught such that they use open-source stagers and python keyloggers that are so noisy, knowing corrupt LEAs in that country will certainly be paid off, and they will let them go and the case destroyed.