The Jihadists’ Digital Toolbox: How ISIS Keeps Quiet on the Web

July 22, 2016

By Jett Goldsmith

As the world dives deeper into the digital age, jihadist groups like ISIS and the Taliban have taken increasingly diverse measures to secure their communications and espouse their actions and ideas across the planet.

Propaganda has been a key measure of any jihadist group’s legitimacy since at least 2001, when al-Qaeda operative Adam Yahiye Gadahn established the media house As-Sahab, which was intended to spread the group’s message to a regional audience throughout Pakistan and Afghanistan.

Over the years, jihadist propaganda has taken a broader and more sophisticated tone. Al-Qaeda published the first issue of its digital newsmagazine, Inspire, in June of 2010. Inspire was aimed at an explicitly Western audience, and intended to call to jihad the would-be mujahideen throughout Europe and the United States.

When ISIS first took hold in Iraq and Syria, and formally declared its caliphate in the summer of 2014, the group capitalized on the groundwork laid by its predecessors and established an expansive, highly sophisticated media network to espouse its ideology. The group established local wilayat (provincial) media hubs, and members of its civil service distributed weekly newsletters, pamphlets, and magazines to citizens living under its caliphate. Billboards were posted in major cities under its control, including in Raqqah and Mosul; FM band radio broadcasts across 13 of its provinces were set up to deliver a variety of content, from fatwas and sharia lessons to daily news, poetry, and nasheeds; and Al-Hayat Media Center distributed its digital newsmagazine, Dabiq, in over a dozen languages to followers across the world.

As the group expanded its operational capacity and declared new wilayat throughout the Middle East and South Asia, secure communications became an increasingly valued necessity. Secure messenger apps like Telegram were widely reported to be used for communication and coordination, both among ISIS fighters and the fanboys who have taken to task the mission of propagating their message. But ISIS has also embraced numerous other methods of keeping its communications secure, and hidden from the prying eyes of intelligence agencies seeking to snoop on its web traffic.

Secure Browsers

According to deep web intelligence and cybersecurity firm Flashpoint, which conducted extensive analysis on “the jihadists’ digital toolbox”, militants have been evaluating secure browsers for use in disseminating propaganda and communicating via email since May of 2007.

During the summer of 2008, Tor’s popularity grew sharply within jihadist Deep and Dark Web forums. This time frame also marks the inception of the first proprietary jihadist encryption tool, Asrar Al-Mujahideen. Shortly thereafter, a top jihadist web forum was abuzz with deeper discussions of encryption, privacy, and naturally ― Tor. In particular, one forum member distributed guidelines describing Tor’s implications and best practices for jihadists.

The guidelines suggested that jihadists download the Tor browser on a portable flash drive, for use at internet cafes and across multiple computers – a method also embraced by journalists and activists who seek to hide their online actions.

While Tor remains the dominant browser for use among jihadists, ISIS has also taken to using the free VPN service built into Opera, a popular alternative web browser marketed to internet users for its slew of privacy and security tools. In April of 2016, an ISIS member posted on a web forum with detailed instructions for mujahideen to use the browser and hide their digital footprint.

Proxy Servers and VPNs

According to analysis by Flashpoint, VPNs and proxy servers have been leveraged by jihadists for use in securing web traffic since at least 2012, when members of a deep web forum belonging to Al-Qaeda discussed the use of CyberGhostVPN, an early freeware VPN technology. Al-Qaeda described it as “a new technology that uses (SSL/TLS) protocol through the local server you use, which makes your communication through the network create an encrypted and secure tunnel.”

In 2014, a member of a jihadist deep web forum released a detailed manual urging mujahideen to use CyberGhostVPN, but also detailed some of its drawbacks and the potential security risks of VPN use. VPNs, he warned, cannot change the serial number of a computer’s hard disk, thus allowing authorities to maintain a footprint of the device’s digital identity. To get around this constraint, he suggested the aptly named HardDiskSerialNumberChanger, an executable which allows users to modify their HDD’s serial number.

In July of 2015, an ISIS member recommended F-Secure Freedome, a premium VPN service. And in 2016, the ISIS-aligned hacker group United Cyber Caliphate issued an advisory warning users about the dangers of relying solely on certain VPN software to secure web traffic. “Not all VPNs r as secure or private as [the] company claims, but good way to tell: Does VPN keep logs of user data? If yes, what info is stored n how long? Beware of services that keep user logs n stores data.”

Propaganda Apps

ISIS operates a number of apps aimed at targeting various audiences and disseminating propaganda which may be used to further its goals. Most have been blocked from distribution by Google Play, the Apple Store, and Amazon’s app store, and can only be downloaded in the form of APKs distributed on websites and across various forums.

The most prominent of the ISIS media apps, the ‘Amaq News Agency app, was built and released in December of 2015 for the Android platform. In March of 2016, ISIS updated the ‘Amaq Agency app in both its Arabic and English forms, delivering nearly real-time updates, conflict videos, and quasi-official press statements to a global audience.

ISIS has also built and released an Android app for its radio network, Al-Bayan Radio. Al-Bayan streams across three web domains, and ISIS members regularly update the Android app with programs and news clips translated into several different languages, including in Arabic and English.

In May of 2016, ISIS launched its first widespread propaganda effort targeted specifically towards children. The group had previously held Sharia lessons and Quran recitations for children living under its caliphate, in addition to operating schools throughout its territory in Syria and Iraq. But when ISIS launched Alphabet, the group expanded its reach to children of mujahideen throughout the Arabic-speaking world. The app is designed to teach kids the Arabic alphabet and expand their vocabulary by associating letters with military equipment and ordnance, including tanks and rockets.

ISIS’ digital propaganda tools have also inspired other terrorist organizations to focus their efforts on crafting apps targeted towards their would-be adherents. In April of 2016, the Afghanistan branch of the Taliban launched Voice of Jihad on the Google Play store, and while the app was quickly removed, the Taliban regularly disseminates news, statements, and videos to users who have downloaded the APK.

Encrypted Email

Email is often one of the first forms of communication intelligence agencies monitor for potential terror activity. As such, it has become critical that ISIS members coordinating via email take all necessary measures to secure the privacy of their communications to mitigate the risk of potential compromise. In doing this, jihadists have recommended numerous protected email services for fighters to use in order to avoid tracking.

Hushmail

Hushmail, a web-based email service, allows users secure encryption based on OpenPGP, and provides two-step authentication and the ability to create unlimited email aliases. According to Flashpoint, various groups have used Hushmail to communicate and coordinate their activities. Ibn Taimia Media Center, a Gaza-based media branch of Al-Qaeda, began using Hushmail in February of 2013. Dagestani mujahideen from the Al-Qaeda-aligned Caucasus Emirate also use Hushmail to funnel fundraising money to PayPal accounts associated with the group.

ProtonMail

The Swiss-based email service ProtonMail, developed in 2013 by researchers from CERN and MIT, offers end-to-end encryption using public-key cryptography and symmetric encryption to send and receive secure messages. The service is highly valued by jihadists for its inherent security features which go beyond those offered by other anonymous email services.

Tutanota

Tutanota, which describes itself as a “privacy-conscious email service”, encrypts email subject lines and attachments and is compatible with all Android and iOS devices, providing a highly reliable service for the outnumbered jihadists using operating systems other than Windows and Android.

YOPMail

The service used by AQAP in January of 2015 to upload an audio statement by cleric Harith bin Ghazi al-Nadhar claiming credit for the attack on French satirical magazine Charlie Hebdo, YOPMail offers a temporary inbox which expires and resets after 8 days.

Mobile Privacy Apps

Mobile devices are, by default, often too insecure for use by jihadists. Third parties can gain access to information such as GPS location and IP address with relative ease, and as such it has become increasingly critical for militants to secure their data, delete their browsing history, and scrub their devices. To accomplish this, a number of security apps are put to use.

Locker

Locker automatically deletes files and data from a device upon a certain number of failed attempts to enter a lock-screen passcode. The app completely wipes a user’s phone once the specified threshold of password fails has been passed.

Fake GPS

Like the many location spoofing apps available, Fake GPS spoofs a user’s physical location, thus circumventing collection of GPS data by social media apps such as Facebook and Twitter, and making a user harder to track.

D-Vasive Pro

D-Vasive Pro revokes certain apps’ permissions and stops them from using a device’s camera, microphone, BlueTooth, and WiFi, making users much harder to monitor and track.

AMC Security

Developed by IObit, AMC (Advanced Mobile Care) Security provides a comprehensive set of antivirus and user privacy tools critical for jihadists seeking to protect their devices from vulnerabilities.

Battery Saver

A critical app for both terrorists and regular civilians on-the-go (and an app used personally by the author), Battery Saver disables certain background features with heavy power consumption, allowing users to significantly extend the battery life of their phone.

iSHREDDER PRO

This app allows users to permanently delete sensitive files and data from their phone’s hard drive, which might otherwise not be deleted – even by a system reset.

Override DNS

Override DNS obfuscates a user’s IP address by modifying the device’s DNS. When used in tandem with a VPN or proxy service, this app can prove incredibly useful in hiding a user’s location.

DNSCrypt

A protocol which encrypts DNS data between a client and a DNS resolver. Similar to Override DNS, DNSCrypt can be used with a VPN and proxy service to provide extra user privacy.

Net Guard

Net Guard provides a firewall on unrooted phones, which allows users to specify which apps may be granted internet access.

Encrypted Messengers

Perhaps the most important tool in any jihadist’s digital toolbox is an encrypted messenger app. Like any standard messenger service, such as Facebook Messenger or Kik, these apps allow users to communicate with others across the world via the internet. They go above and beyond in providing an extra layer of security by not collecting user data, and transmitting user data over a secure and encrypted connection.

Telegram

Telegram employs client-to-server encryption, and is one of the top messenger apps of choice throughout the Middle East. The app also offers a “Secret Chat” service, which employs client-to-client encryption and automatically deletes messages across both clients to provide an additional layer of security.

Threema

Threema is a Swiss-developed app which employs end-to-end encryption and a user-friendly terms of service which specifies minimal data collection. According to Flashpoint, in April of 2016 a pro-ISIS technology manual lauded Threema, saying it “does not collect your personal info like phone numbers or email addresses, as it does not request you to enter identifiable information.” The ISIS manual also noted that Threema doesn’t fold and cede user data under government pressure, and employs virtual encryption for pictures and files, providing a layer of security against MITM attacks.

WhatsApp

Popular throughout the United States and Europe, WhatsApp offers basic end-to-end encryption for user privacy. A prominent ISIS supporter in online forums warned against using the app, however, noting that it is owned by Facebook. “we cannot trust WhatsApp since WhatsApp is the easiest application for hacking and also one of the social messaging apps purchased by the Israeli Facebook program!”

Asrar al-Dardashah

Asrar al-Dardashah, which translates to “Secrets of Chatting”, is an encryption plugin built and distributed by the Al-Qaeda propaganda group Global Islamic Media Front. The GIMF introduced Asrar al-Dardashah in 2013, and marketed it as allowing users to encrypt live messaging across a variety of platforms. The app functions with various web-based messengers, including Google Chat, Yahoo! Messenger, and Pidgin.

Jett Goldsmith

Jett Goldsmith is a journalist from Denver, Colorado. He formerly co-founded the investigative reporting and geopolitical analysis outlet Conflict News, and writes at length on Ba'athist state structures and various actors within the Syrian conflict. He has bylines in various publications, including Middle East Eye. You can follow him on Twitter: @JettGoldsmith.

11 Comments

  1. Jihad Traitor

    The Jihad hand book for internet use.
    Watch some porn.
    See stuff you can never have.
    Realize the whole world thinks you’re all evil boogers.
    Sign yourself up as a mail order husband , marry some rich westerner , get the heck out of there.

    That’s the way you betray the cause … I mean, I mean … nevermind. The West corrupts these people faster than their imams can indoctrinate them. Let them have internet.

    • stranger

      Not so simple. Imagine a young Muslim guy near his protuberantly age, watching porn on the Internet, chewing his bubble-gum, so much inspired by the western way of living and having immigrated to Europe. Who is waiting him there? No language, no high paid job, no friends, no family, no girls. What does he do? He turns a cargo track, he is earning his pennies at, into a weapon and drives to the Nice sea-front. Then ISIS proudly claims it as their act of terr0r. I don’t defend them at all – in no way. Just that is a very grief and very difficult story and nobody really knows how to deal with it.

        • Jihad Traitor

          “insanity of a snake , saying nothing , just happy to spread some venom”

          Ok. That’s going to need some translation.

          🙂

      • Jihad Traitor

        The way to deal with young disaffected muslims is
        1… birth control. Unlimited population is a formula for endless war
        2… get rid of the dictators. Islam is a unifying force against dictators. Unfortunately , in many instances, it gets hijacked by a new set of dictators that are no better, and often worse, than the ones they’re fighting against.

        People who have a nice, safe life have too much to lose by risking revolution. Only the ones who have nothing do this. So give them something.

        • stranger

          Besides dictators there is a tendency to decentralized Sunni sectarianism. The aggressive cults preaching extreme ideology and possibly hostile to each other. I believe that is what we see in Syria now, it used to be in Chechnya. Basically one can remove a dictator, but not so simply that environment where the extremism is crystallized from the air.

          But I completely agree with the second part of your statement. The only way to address the terror1sm threat in Europe is to help the refugees and their descendants to adapt to the eastern society somehow. Because recently the terror1sm is becoming decentralized, not directly controlled by Isis for example.

          In the same way, to make the Middle East countries prosper and wealthy so that they did not think about Jihad. On the other hand Saudi and Katar are wealthy and still are believed to be terror1st sponsors. So all is complicated.

          I have a very poor understanding of islam and the Middle East though.

          • stranger

            “adapt to the eastern society” sorry – adapt themselves to the European society of course

  2. Mad Dog

    Thoughtful points, stranger. One thing I need to mention is the role second or later sons play in this whole thing. First sons are the winners, they get the family jewels (literally…LOL) and the girls. Second sons are generally left out, and with no prospect of family wealth and a society that looks down on sexual mingling, these guys are the most vulnerable. I think you meant puberty, not protuberant (well, in a way I guess it is protuberant…again LOL), leads to some massive sexual frustration and depression, easy marks for recruiters. The promise of women either in paradise or in the sex slave markets is pretty enticing. Many Muslim societies need to get their gender policies in order to help stem the flow of terrorists. BTW, my theory above was kind of backed up by the Israeli Defense Forces in a database of demonstrators and suicide attackers.

  3. George Alba

    These services are important for all people’s security. It is true that many terrorists take advantage of this kind of application, but most people use them to increase their security. I, for example, use a free proxy server called Hidester to hide my IP address.

  4. Docduracoat

    I don’t hide my IP address
    Should I be doing that?
    I admitted on another forum that I bring my concealed weapon into my employer’s gun free zone.
    I am afraid of some Jihadi pulling out his gun and shouting aloha Akbar and blasting away
    I plan to shoot him before he finishes shouting his terrorist slogan
    Am I wrong to maintain my self defense against my employer’s rules?
    My guns have not harmed anyone in the 20 years I have been concealed carrying, even when I get into an argument with someone I do not shoot them
    There is a real risk of sudden jihad syndrome
    The only way to lower the body count is to have an armed citizenry as the immediate responders

