Updated: May 31
On the 16th of February 2020, we were asked to provide a surveillance target for a training exercise conducted by the Direwolves Airsoft Team in Ontario, Canada. For this mission, we gathered a small team and asked them if they could physically pass information between two parties with the following conditions:
The exchange would happen in a public place where both parties must come together
The receiver would be under constant observation
The sender of the message must not be identified by the observers
This article lays out their solution.
The area for this operation was determined in advance. The lakeside park was isolated with minimal entry or exit points and only one vehicle route into the area. A small footbridge in a harbour was provided as the exchange point (the Red Star on the map below). The bridge was exposed on multiple sides and visible from a long distance. Adding to the security problems, the observers had ID photos of the receiver and had also been provided with the description of his vehicle.
After taking into account the various conditions listed, the team offered to try a modified brush pass. Normally, this technique is a direct and quick exchange made during a walk-by, but with observation guaranteed, any suspicious movements would confirm a contact. Instead, the team decided to camouflage the brush pass within an inconspicuous activity - picking up an accidentally dropped glove. This activity would be paired with static counter-surveillance and other individuals dropped into the area matching the description of the receiver.
The team inserted static observation and doppelgangers only 20-30 minutes before the receiver arrived. This prevented them from being seen too often while also providing them with an opportunity to establish their cover. When the receiver arrived, he and his small security team parked their car and began a number of large looping movements throughout the area to draw out possible tails. A few possible observers were spotted, but there was no solid confirmation of their presence. Despite this, the team was given a go to execute the brush pass.
The sender (S) and the receiver (R) entered from opposite sides of the bridge. While approaching the sender, the receiver reached into their pocket to withdraw their phone. During this process, a glove within the pocket was 'snagged' and pulled out with the phone. The glove fell to the ground as though it had been inadvertently removed. This glove drop is visible in the image below.
The receiver focused on their phone, seemingly oblivious to the dropped glove (C). The sender continued along the bridge passing the security team and receiver without acknowledgement.
Noticing the fallen glove, the 'good samaritan' sender moved to retrieve the glove. At the same time, the sender loaded the message into the hand they'd be using to pick it up.
As the sender picked up the glove, the message was loaded inside using one hand. At the same time, the sender notified the receiver that they appeared to have dropped a glove.
The receiver took possession of the glove which had been loaded with the message. The exchange was completed in a simple manner with no formality.
With the glove loaded back into the pocket of the receiver, the message had been transferred and both parties continued on their route out of the area.
Despite the quick and innocuous nature of the exchange, the sender was uncertain whether he remained unidentified. To verify this, his next actions included a significant surveillance detection route. This was paired with a second vehicle conducting counter-surveillance to detect any possible tails. When none were identified, all parties returned to the rally point.
The team was unable to spot any surveillance on the sender and it appears the exchange was not noticed by the observers. Generally, this tasking was considered a success with one caveat: the team did not consider the receiver's vehicle to be under threat during the meet. This was an incorrect assumption, as the observers noted they were able to place a GPS tracker on the underside of the parked vehicle.
This event also reinforces the general statement that 'people are weird'. A number of 'false positives' were identified by both the team and the observers including a man sitting in the bushes reading a book, and an individual openly wearing a plate carrier. As an example, all parties involved in the event confirmed the individual in the photo below was not participating.
Three key takeaways can be gathered from this experience. First, the observations above suggest that these types of events require a significant and detailed site survey in advance of any team's arrival. The survey should include detailed descriptions or photos of the regular activity and people within the site. This would allow individuals to more clearly tailor their disguises and cover for action. Second, all of the elements a team fields during the event must be secured. Simply focusing on the humans involved leaves vehicle assets open for exploitation. Finally, false positives are hard to remove without more experience. For this reason, we'd recommend more focused practice on follows and identifying surveillance. Seeing someone 'suspicious' is not enough, since the world is full of suspicious people.