Terrorist organizations use the Internet for a wide range of activities, including the dissemination of messages, making contact, recruitment of manpower, fundraising, propaganda, incitement, psychological warfare and intelligence. Cyber-defense activities by terrorist elements include the dissemination of information and guidebooks on the subject, the provision of guidelines regarding modes of action, encryption and transfer to the darknet, which they claim will improve the efficiency of traffic protection and anonymity on the part of the organizations themselves as well as their supporters. Such activities are designed to protect against tracking software used by intelligence agencies, activists and various Internet platforms operating against terrorist organizations on the Internet in general, and on social networks in particular.
In recent months, terrorist elements have become increasingly involved in issues related to Internet deception and imposters in two main domains.
The first domain is essentially passive and includes warnings made by Islamic State (ISIS) operatives to their colleagues about a Western campaign of forgeries designed to damage the organization and its members. This campaign includes the forging of files, accounts and Websites of entities identified with the organization in order to impersonate them, and to disseminate disinformation or inject viruses designed to enable the gathering of information about ISIS operatives.
The second domain is active. It includes activities initiated by terrorists in which the text and images contained in messages are distorted in order to “fly under the radar” of algorithms and automatic detection systems, as well as to hinder the ability of intelligence agencies to monitor and remove jihadist content from various Internet platforms.
Recent months have seen increased defensive actions by jihadist elements, in the framework of which ISIS operatives were warned of a campaign by western countries that includes impersonations of terrorist entities on a range of Internet platforms, the dissemination of disinformation and viruses.
It should be noted that speculation regarding a “western” disinformation campaign on the Internet was already raised several years ago, and awareness of cyber defense was raised accordingly while ISIS operatives and supporters were instructed to generally avoid contact and links from unknown sources.
Screenshot from the Shumukh al-Islam forum, including a warning about a Twitter account impersonating the spokesman for the organization, Abu Muhammad al-Adnani
Screenshot from the Shumukh al-Islam forum, including a warning about two Twitter accounts impersonating the ISIS branch in Sinai
In 2016, speculation regarding a “western” campaign turned into real warnings, seemingly against the backdrop of the discovery of forgeries, as described above, that were put into practice. Alongside these warnings, attempts were made to increase awareness of cyber defense in general and ways to identify original accounts (as opposed to the forged accounts) in particular, such as by checking the addresses and names of the original users. Warnings about these forgeries spanned a wide range of Internet platforms (such as Telegram channels, Twitter accounts, digital magazines, blogs and Websites), as well as on the darknet.
Terrorists are aware of these forged publications, and of the potential impact that they have on the functioning of the organization and on its reputation among its operatives and supporters. Moreover, a thorough examination of the jihadist discourse on the topic reveals concern that, in the framework of the disinformation campaign, “infected” files, such as fake PDF files or applications for cellphones designed to infect the computers or devices of ISIS supporters, are also being disseminated. These files may contain a Trojan horse that enables the retrieval of large amounts of information about the operatives, the nature of their activities and information about additional operatives.
For instance, in June 2016 a senior member of the Shumukh al-Islam jihadist Web forum, which is identified with ISIS, published a warning about a phony account on Telegram.
“One of the Telegram channels published suspicious links that were checked by experts and found to be rigged and intended for breaches. We call on you to be wary of these suspicious publications and links through which efforts are made to harm supporters. We ask you not to follow this channel, which published false news links. In addition, the name “The Media Front” [referring to “The Media Front for the Support of the Islamic State”, a media institution that serves the organization’s supporters] was already canceled and is no longer in use by supporters.”
Screenshot from the Shumukh al-Islam forum
The Internet campaign interferes with, among other things, the distribution of ISIS messages and instructions given through its chain of command, by impersonating senior members of the organization.
The following are examples of various warnings, divided according to the platforms about which the activists were warned.
Examples of warnings about fake Twitter accounts:
Screenshot from Telegram channel (Almoonaseron) with warning about a fake Twitter account
Screenshot from Telegram warning about a fake Twitter account created by Saudi intelligence officials (Mabahith)
Screenshot from the Telegram account of the Tameh al-Ghazawi organization in Gaza, announcing that its Twitter account (TamehGaza102) had been hacked
Examples of warnings about fake Telegram accounts:
Screenshot of a group of ISIS supporters, Horizons (Afāq), announcing the existence of fake accounts on Telegram and explaining how to identify the real channels
Screenshot of a group of ISIS supporters, Al-Hasad al-Murr (“The Bitter Harvest”), warning about a fake Telegram channel that uses the same name and logo
Examples of warnings about fake digital magazines:
Screenshot from Twitter that includes an announcement by an IS supporter warning about a fake copy of the digital magazine, Rumiya, which was distributed 24 hours before the original version was published
Screenshot from Twitter that includes a warning about a fake copy of the digital magazine, Dabiq
A screenshot of the cover page of the fake 8th Edition of Dar al Islam magazine
Screenshot of the cover page of the real 8th Edition of Dar al Islam magazine
An example of a warning about a fake file to download an application:
Screenshot of a publication by ISIS' news agency, Amaq, warning about a fake version of the organization’s news application for Android devices
As previously mentioned, terrorist organizations are aware of the actions being taken against them on the Internet by security agencies, activists and key Internet players. The increasing public debate surrounding jihadist content posted on the Internet, and the scope of the obligation imposed on these players to prevent terrorist organizations from using these platforms for their own purposes, have not gone unnoticed by terrorists. This is evident in the declarations made by Facebook, Twitter and other key Internet players regarding their use of groups to locate and remove “jihadist” content. Recently, Facebook, Microsoft, Twitter and YouTube announced that they are working together to establish a shared information database to be used to locate “jihadist” content, each according to its own definition of such content. An analysis of the defense features implemented by terrorist elements, and of the jihadist discourse in these contexts, indicates that their main defense is directed against the monitoring of information and its analysis. These are carried out in three main areas of identification – text, sound and image – in order to enable the continued use of the Internet “under the radar” of intelligence agencies and relevant Internet platforms.
In an examination recently carried out, text distortions were discovered in a range of online publications about jihadist activities. It is difficult to determine the reason for these distortions and whether they were made intentionally as part of terrorist organizations’ cyber-defense activities. Among the variety of incidents, it is worth noting the Website Justpaste.it, on which various publications are presented under the name “Islamic Cyber Army”, which unites IS-supporting groups and individuals that are mainly active in the field of offensive cyber activity. In recent months, several distortions were found in jihadist publications that were published on the Website. For instance, the sentence “In the name of Allah, most gracious and most merciful” appeared in many of the jihadist publications.
Screenshot from the Justpaste.it Web site
In the post that appears in the illustrations below on the left, the word “Mercif” appears instead of the full word “Merciful”, and in the post on the right, the word “Merciful” is split into two parts, “Merc” and “iful”.
In addition, in the two above-mentioned cases, the name of the hacker was distorted such that the space between the word “lion” and the punctuation mark “&” was removed. It should be noted that the country name “Denmark” was written in the illustration above in the French transliteration, “Danemark”, instead of the English one, and it is not clear if this was done intentionally.
In another incident, the name “Anonymous” was written in two parts, “Anony” and “mous”, instead of the customary single word.
Screenshot from Justpaste.it
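From the monitoring side, the split and truncated words described above can still be matched against a reference phrase once spacing and punctuation are ignored. The following Python sketch is an added example, not part of the original report or any platform's actual detection logic; the function names, the 0.85 threshold and the sample posts are constructed for illustration.

```python
import math
import unicodedata

# Reference phrases quoted in the report; the sample posts below are constructed.
WATCH_PHRASES = [
    "In the name of Allah, most gracious and most merciful",
    "Anonymous",
]

def _fold(text):
    """Unicode-normalize and casefold so visually equal strings compare equal."""
    return unicodedata.normalize("NFKC", text).casefold()

def squash(text):
    """Fold the text and keep only letters and digits (drops spaces and punctuation)."""
    return "".join(ch for ch in _fold(text) if ch.isalnum())

def classify(phrase, text, min_fraction=0.85):
    """Return (kind, coverage) for one phrase, or None when it is absent.

    kind is "exact" (phrase present as written), "split" (present only once
    spaces and punctuation are ignored) or "truncated" (only a leading part
    of the phrase, at least min_fraction of it, is present).
    """
    if " ".join(_fold(phrase).split()) in " ".join(_fold(text).split()):
        return ("exact", 1.0)
    needle, haystack = squash(phrase), squash(text)
    if needle in haystack:
        return ("split", 1.0)
    shortest = math.ceil(min_fraction * len(needle))
    for length in range(len(needle) - 1, shortest - 1, -1):
        if needle[:length] in haystack:
            return ("truncated", round(length / len(needle), 2))
    return None

def scan(text, phrases=WATCH_PHRASES):
    """Map each detected phrase to its (kind, coverage) result."""
    hits = {}
    for phrase in phrases:
        result = classify(phrase, text)
        if result is not None:
            hits[phrase] = result
    return hits

if __name__ == "__main__":
    for post in ("In the name of Allah, most gracious and most Merc iful",
                 "Message signed by Anony mous"):  # constructed samples
        print(post, "->", scan(post))
```

Ignoring word boundaries also lets a phrase match across two unrelated adjacent words, so hits of kind "split" or "truncated" are best treated as candidates for review rather than as confirmed matches.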
In the past, terrorist organizations made extensive use of images and icons presented in the framework of the messages that they sent, as part of their branding activities directed at various target audiences. Recently, terrorist organizations have made less use of images and icons, especially when it comes to the messages distributed by their supporters, seemingly in an effort to avoid having their messages identified as terrorism-related, which could lead to the identification of terrorism-linked distributors or the removal of messages from the platforms on which they were published.
The variety of uses made of the cyber world by terrorist elements is constantly expanding, as is their dependency on the Internet in general and on social platforms in particular.
Terrorist organizations will continue to search for a response to the actions taken against them in the cyber world. As such, they will devote substantial efforts to maintaining the various channels through which they disseminate their messages, especially as long as major Internet platforms continue to remove their content, and in light of the cooperation among these platforms and between them and various countries battling terrorism.
At this stage, it seems that the American disinformation campaign has achieved only partial success and did not amount to a real change in terrorist cyber activity, even though the focus of terrorist elements on the defensive aspects of the cyber world, and the efforts that they dedicate to it, detract attention from other areas.
Nevertheless, it is reasonable to assume that the disinformation campaign, which will be coordinated with other countries and/or elements, can bear more significant fruit in terms of channeling the energies of terrorist organizations into the defensive field, causing confusion among terrorist entities, and causing significant damage to the functioning of the organizations and to the trust placed in them by their activists and supporters (specifically, their recruitment abilities). The spread of viruses can significantly contribute to intelligence-gathering capabilities or create significant damage to the functioning of terrorist organizations, especially in terms of their cyber activities.