The Jihadists' Digital Toolbox: How ISIS Keeps Quiet on the Web
As the world dives deeper into the digital age, jihadist groups like ISIS and the Taliban have taken increasingly diverse measures to secure their communications and espouse their actions and ideas across the planet.
Propaganda has been a key measure of any jihadist group’s legitimacy since at least 2001, when al-Qaeda operative Adam Yahiye Gadahn established the media house As-Sahab, which was intended to spread the group’s message to a regional audience throughout Pakistan and Afghanistan.
Over the years, jihadist propaganda has taken a broader and more sophisticated tone. Al-Qaeda published the first issue of its digital newsmagazine, Inspire, in June of 2010. Inspire was aimed at an explicitly Western audience, and intended to call to jihad the would-be mujahideen throughout Europe and the United States.
When ISIS first took hold in Iraq and Syria, and formally declared its caliphate in the summer of 2014, the group capitalized on the groundwork laid by its predecessors and established an expansive, highly sophisticated media network to espouse its ideology. The group established local wilayat (provincial) media hubs, and members of its civil service distributed weekly newsletters, pamphlets, and magazines to citizens living under its caliphate. Billboards were posted in major cities under its control, including in Raqqah and Mosul; FM band radio broadcasts across 13 of its provinces were set up to deliver a variety of content, from fatwas and sharia lessons to daily news, poetry, and nasheeds; and Al-Hayat Media Center distributed its digital newsmagazine, Dabiq, in over a dozen languages to followers across the world.
As the group expanded its operational capacity and declared new wilayat throughout the Middle East and South Asia, secure communications became an increasingly valued necessity. Secure messenger apps like Telegram were widely reported to be used for communication and coordination, both among ISIS fighters and the fanboys who have taken to task the mission of propagating their message. But ISIS has also embraced numerous other methods of keeping its communications secure, and hidden from the prying eyes of intelligence agencies seeking to snoop on its web traffic.
According to deep web intelligence and cybersecurity firm Flashpoint, which conducted extensive analysis on “the jihadists’ digital toolbox”, militants have been evaluating secure browsers for use in disseminating propaganda and communicating via email since May of 2007.
During the summer of 2008, Tor’s popularity grew sharply within jihadist Deep and Dark Web forums. This time frame also marks the inception of the first proprietary jihadist encryption tool, Asrar Al-Mujahideen. Shortly thereafter, a top jihadist web forum was abuzz with deeper discussions of encryption, privacy, and, naturally, Tor. In particular, one forum member distributed guidelines describing Tor’s implications and best practices for jihadists.
The guidelines suggested that jihadists download the Tor browser on a portable flash drive, for use at internet cafes and across multiple computers – a method also embraced by journalists and activists who seek to hide their online actions.
While Tor remains the dominant browser for use among jihadists, ISIS has also taken to using the free VPN service built into Opera, a popular alternative web browser marketed to internet users for its slew of privacy and security tools. In April of 2016, an ISIS member posted on a web forum with detailed instructions for mujahideen to use the browser and hide their digital footprint.
Proxy Servers and VPNs
According to analysis by Flashpoint, VPNs and proxy servers have been leveraged by jihadists for use in securing web traffic since at least 2012, when members of a deep web forum belonging to Al-Qaeda discussed the use of CyberGhostVPN, an early freeware VPN technology. Al-Qaeda described it as “a new technology that uses (SSL/TLS) protocol through the local server you use, which makes your communication through the network create an encrypted and secure tunnel.”
In 2014, a member of a jihadist deep web forum released a detailed manual urging mujahideen to use CyberGhostVPN, but also detailed some of its shortcomings and the potential security risks of VPN use. VPNs, he warned, cannot change the serial number of a computer’s hard disk, thus allowing authorities to maintain a footprint of the device’s digital identity. To get around this constraint, he suggested the aptly named HardDiskSerialNumberChanger, an executable which allows users to modify their HDD’s serial number.
In July of 2015, an ISIS member recommended F-Secure Freedome, a premium VPN service. And in 2016, the ISIS-aligned hacker group United Cyber Caliphate issued an advisory warning users about the dangers of relying solely on certain VPN software to secure web traffic. “Not all VPNs r as secure or private as [the] company claims, but good way to tell: Does VPN keep logs of user data? If yes, what info is stored n how long? Beware of services that keep user logs n stores data.”
ISIS operates a number of apps aimed at targeting various audiences and disseminating propaganda which may be used to further its goals. Most have been blocked from distribution by Google Play, the Apple Store, and Amazon’s app store, and can only be downloaded in the form of APKs distributed on websites and across various forums.
The most prominent of the ISIS media apps, the ‘Amaq News Agency app, was built and released in December of 2015 for the Android platform. In March of 2016, ISIS updated the ‘Amaq Agency app in both its Arabic and English forms, delivering nearly real-time updates, conflict videos, and quasi-official press statements to a global audience.
ISIS has also built and released an Android app for its radio network, Al-Bayan Radio. Al-Bayan streams across three web domains, and ISIS members regularly update the Android app with programs and news clips translated into several different languages, including in Arabic and English.
In May of 2016, ISIS launched its first widespread propaganda effort targeted specifically towards children. The group had previously held Sharia lessons and Quran recitations for children living under its caliphate, in addition to operating schools throughout its territory in Syria and Iraq. But when ISIS launched Alphabet, the group expanded its reach to children of mujahideen throughout the Arabic-speaking world. The app is designed to teach kids the Arabic alphabet and expand their vocabulary by associating letters with military equipment and ordnance, including tanks and rockets.
ISIS’ digital propaganda tools have also inspired other terrorist organizations to focus their efforts on crafting apps targeted towards their would-be adherents. In April of 2016, the Afghanistan branch of the Taliban launched Voice of Jihad on the Google Play store, and while the app was quickly removed, the Taliban regularly disseminates news, statements, and videos to users who have downloaded the APK.
Email is often one of the first forms of communication intelligence agencies monitor for potential terror activity. As such, it has become critical that ISIS members coordinating via email take all necessary measures to secure the privacy of their communications to mitigate the risk of potential compromise. In doing this, jihadists have recommended numerous protected email services for fighters to use in order to avoid tracking.
Hushmail, a web-based email service, allows users secure encryption based on OpenPGP, and provides two-step authentication and the ability to create unlimited email aliases. According to Flashpoint, various groups have used Hushmail to communicate and coordinate their activities. Ibn Taimia Media Center, a Gaza-based media branch of Al-Qaeda, began using Hushmail in February of 2013. Dagestani mujahideen from the Al-Qaeda-aligned Caucasus Emirate also use Hushmail to funnel fundraising money to PayPal accounts associated with the group.
The Swiss-based email service ProtonMail, developed in 2013 by researchers from CERN and MIT, offers end-to-end encryption using public-key cryptography and symmetric encryption to send and receive secure messages. The service is highly valued by jihadists for its inherent security features which go beyond those offered by other anonymous email services.
Tutanota, which describes itself as a “privacy-conscious email service”, encrypts email subject lines and attachments and is compatible with all Android and iOS devices, providing a highly reliable service for the outnumbered jihadists using operating systems other than Windows and Android.
YOPMail, the service used by AQAP in January of 2015 to upload an audio statement by cleric Harith bin Ghazi al-Nadhar claiming credit for the attack on French satirical magazine Charlie Hebdo, offers a temporary inbox which expires and resets after 8 days.
Mobile Privacy Apps
Mobile devices are, by default, often too insecure for use by jihadists. Third parties can gain access to information such as GPS location and IP address with relative ease, and as such it has become increasingly critical for militants to secure their data, delete their browsing history, and scrub their devices. To accomplish this, a number of security apps are put to use.
Locker automatically deletes files and data from a device upon a certain number of failed attempts to enter a lock-screen passcode. The app completely wipes a user’s phone once the specified threshold of password fails has been passed.
Like the many location spoofing apps available, Fake GPS spoofs a user’s physical location, thus circumventing collection of GPS data by social media apps such as Facebook and Twitter, and making a user harder to track.
D-Vasive Pro revokes certain apps’ permissions and stops them from using a device’s camera, microphone, Bluetooth, and Wi-Fi, making users much harder to monitor and track.
Developed by IObit, AMC (Advanced Mobile Care) Security provides a comprehensive set of antivirus and user privacy tools critical for jihadists seeking to protect their devices from vulnerabilities.
A critical app for both terrorists and regular civilians on-the-go (and an app used personally by the author), Battery Saver disables certain background features with heavy power consumption, allowing users to significantly extend the battery life of their phone.
This app allows users to permanently delete sensitive files and data from their phone’s hard drive, which might otherwise not be deleted – even by a system reset.
Override DNS obfuscates a user’s IP address by modifying the device’s DNS. When used in tandem with a VPN or proxy service, this app can prove incredibly useful in hiding a user’s location.
DNSCrypt is a protocol which encrypts DNS data between a client and a DNS resolver. Similar to Override DNS, it can be used with a VPN and proxy service to provide extra user privacy.
Net Guard provides a firewall on unrooted phones, which allows users to specify which apps may be granted internet access.
Perhaps the most important tool in any jihadist’s digital toolbox is an encrypted messenger app. Like any standard messenger service, such as Facebook Messenger or Kik, these apps allow users to communicate with others across the world via the internet. They go above and beyond in providing an extra layer of security by not collecting user data, and transmitting user data over a secure and encrypted connection.
Telegram employs client-to-server encryption, and is one of the top messenger apps of choice throughout the Middle East. The app also offers a “Secret Chat” service, which employs client-to-client encryption and automatically deletes messages across both clients to provide an additional layer of security.
Threema is a Swiss-developed app which employs end-to-end encryption and a user-friendly terms of service which specifies minimal data collection. According to Flashpoint, in April of 2016 a pro-ISIS technology manual lauded Threema, saying it “does not collect your personal info like phone numbers or email addresses, as it does not request you to enter identifiable information.” The ISIS manual also noted that Threema doesn’t fold and cede user data under government pressure, and employs virtual encryption for pictures and files, providing a layer of security against MITM attacks.
Popular throughout the United States and Europe, WhatsApp offers basic end-to-end encryption for user privacy. A prominent ISIS supporter in online forums warned against using the app, however, noting that it is owned by Facebook. “we cannot trust WhatsApp since WhatsApp is the easiest application for hacking and also one of the social messaging apps purchased by the Israeli Facebook program!”
Asrar al-Dardashah, which translates to “Secrets of Chatting”, is an encryption plugin built and distributed by the Al-Qaeda propaganda group Global Islamic Media Front. The GIMF introduced Asrar al-Dardashah in 2013, and marketed it as allowing users to encrypt live messaging across a variety of platforms. The app functions with various web-based messengers, including Google Chat, Yahoo! Messenger, and Pidgin.