Cyber Caliphate: What Apps Are the Islamic State Using?

As the argument goes, law enforcement agencies must protect the safety of citizens, and to do so, they must be in contact with representatives of the IT sector. This in turn compels the representatives of mail services, messaging apps, and smartphone manufacturers to contact the authorities and disclose user information. However, excesses do occur, and the founder of the Telegram messaging app Pavel Durov refused to provide the FSB with their encryption keys. Telegram was repeatedly accused of being the messaging application of terrorists, and in the context of the messaging service’s being blocked, the discussion surrounding the rights of citizens to engage in private correspondence grew more heated. The example of the Islamic State, however, only goes to show that militants shall not live by Telegram alone: they act much more competently and work to keep a step ahead of law enforcement agencies. What tools do terrorists actually use and how should we fight against the digital technologies of militants?

Different Goals, Different Weapons

The success of Islamic State militants can largely be attributed to brilliant propaganda work. Depending on their goals, militants have been able to resort to various tools for propaganda, recruitment, and communication between group members. Propaganda includes all the usual tools: videos, online magazines, radio stations, brochures, and posters designed for both Arabic and Western audiences.

Western services have played a cruel joke on Western society, facilitating the distribution of propaganda videos like, for example, one of the most popular clips, “Salil as-savarim” (The Sound of Swords) on YouTube and Twitter as well as through file sharing services such as archive.org and justpaste.it. YouTube administrators repeatedly deleted the videos, but they were simply uploaded once again from new accounts with the number of views driven up by reposting them on Twitter. The use of Twitter for these purposes is discussed in detail in the article “Twitter and Jihad: the Communication Strategy of ISIS”, published in 2015. According to the former national security adviser of Iraq, Mowaffak al-Rubaie, it was in large part thanks to Twitter and Facebook that 30,000 Iraqi soldiers lay down their weapons, removed their uniforms, and abandoned Mosul to jihadis without a fight in 2014. [1].

ISIS has taken into account the mistakes of its jihadi predecessors and has skilfully set its own propaganda up against attempts by the foreign press to portray it in a negative light. However, on a deeper, internal level, militants employ other communication tools more reliable than social networks.

Anonymous Networks

In September 2017, political scientist and member of the non-profit RAND Corporation and the International Centre for Counter-Terrorism at The Hague, Colin P. Clarke suggested that ISIS would most likely continue to use encrypted messaging to organize direct terrorist attacks abroad even if the caliphate were to become a “less centralized entity”.

However, terrorists have already resorted to using such tools for some time now. In early 2015, it became known that ISIS had developed a 34-page manual on securing communications. The document, based on a Kuwaiti firm’s manual on cybersecurity, popped up in jihadi forums. The document also listed those applications considered most suitable for use, such as Mappr, a tool for changing the location of a person in photographs. The Avast SecureLine application facilitates the achievement of similar goals, masking the user’s real IP address by specifying, for example, an access point in South Africa or Argentina in place of, say, Syria.

Jihadis have advised using non-American companies such as Hushmail and ProtonMail for email correspondence. Hushmail CEO Ben Cutler acknowledged in comments to Tech Insider that the company had been featured in the manual, but added that “It is widely known that we cooperate fully and expeditiously with authorities pursuing evidence via valid legal channels”. In turn, CEO of Proton Technologies AG Andy Yen mentioned that besides ProtonMail, terrorists likewise made use of Twitter, mobile phones, and rental cars. “We couldn’t possibly ban everything that ISIS uses without disrupting democracy and our way of life,” he emphasized.

For telephone calls, the manual recommended the use of such services as the German CryptoPhone and BlackPhone, which guarantee secure message and voice communications. FireChat, Tin Can and The Serval Project provide communication even without access to the Internet, for example, by using Bluetooth. The programs recommended by terrorists for encrypting files are VeraCrypt and TrueCrypt. The CEO of Idrix (the maker of VeraCrypt) Mounir Idrassi admitted that “Unfortunately, encryption software like VeraCrypt has been and will always be used by bad guys to hide their data”. Finally, the document makes mention of Pavel Durov’s messaging system, Telegram.

It was a massive information campaign that saw Telegram branded with the unofficial stamp of messaging app of terrorists. Foreign politicians played their part. Three days before the attack on the Berlin Christmas Fair in December 2016, senior members of the House Foreign Affairs Committee urged Durov to immediately take steps to block ISIS content, warning him that terrorists were using the platform not only for propaganda, but also to coordinate attacks. Moreover, Michael Smith, an advisor to the US Congress and co-founder of Kronos Advisory, claims that Al-Qaeda also used Telegram to communicate with journalists and spread news to its followers. Against this backdrop, Telegram reported on the blocking of 78 channels used by terrorists. It was this interest and pressure from the authorities that ultimately caused the militants to seek a replacement for this messaging service.

Monitoring Safety

Telegram representatives have repeatedly claimed that their messaging service is the safest in the world thanks to the use of end-to-end encryption. However, this is at very least doublespeak: end-to-end encryption is used only in secret chat rooms and even then possesses obvious shortcomings, as pointed out by Sergey Zapechnikov and Polina Kozhukhova in their article On the Cryptographic Resistance of End-to-End Secure Connections in the WhatsApp and Telegram Messaging Applications [2]. In particular, due to the vulnerability of the SS7 network, which manifests itself through authorization via SMS, it is possible to access chats. Secret chats cannot be hacked, but you can initiate any chat on behalf of the victim. Secondly, developers violated one of the main principles of cryptography – not to invent new protocols independently if protocols with proven resistance assessments that solve the same tasks already exist. Thirdly, the use of the usual Diffie–Hellman numerical protocol and the lack of metadata security, so that you can track message transfer on the server, add any number from the messaging service’s client to the address book, and find out the time a person came online.

In this context, WhatsApp seems more reliable since it uses end-to-end encryption for all chats and generates a shared secret key using the Diffie–Hellman protocol on elliptical curves. Many terrorists have recourse to this messenger. In May 2015, in “The Life of Muhajirun”, the blog of a woman writing about her and her husband’s trip to Germany, the author wrote about how her husband contacted smugglers by WhatsApp while in Turkey.

In the article Hacking ISIS: How to Destroy the Cyber Jihad Malcolm W Nance; Chris Sampson; Ali H Soufan, the authors recount the story of Abderrahim Moutaharrik, who planned an attack on a Milan synagogue with the intent of fleeing afterwards to Syria. He used WhatsApp to coordinate the attack. Italian police were able to identify the criminal after an audio message was sent.

However, jihadis are skeptical about WhatsApp, and not only for reasons of security. In January 2016, a supporter of jihad, security expert Al-Habir al-Takni, published a survey of 33 applications for smartphones, separating them into “safe”, “moderately safe”, and “unreliable”. WhatsApp ended up at the bottom of the rating. In defence of his opinion, the expert mentioned that the messaging service had been purchased by the Israeli Company Facebook (WhatsApp was bought by Mark Zuckerberg in 2014 for $19 billion, the messenger has 1 billion users worldwide).

In the light of complaints about Telegram and WhatsApp and as laws are tightened, terrorists have become preoccupied with the creation of their own application. In January 2016, the Ghost Group, which specializes in the fight against terrorism, uncovered online an instant messaging service created by militants, Alrawi. This Android application cannot be downloaded on Google Play – it is only available on the Dark Web. Alrawi has come to take the place of Amaq — a messaging service providing access to news and propaganda videos, including videos of executions and videos from the battlefield. Unlike Amaq, Alrawi possesses complete encryption. The Ghost report noted that after American drone strikes destroyed the prominent cybersecurity specialist Junaid Hussain in the summer of 2015, the cyber caliphate’s effectiveness declined dramatically. “They currently pose little threat to Western society in terms of data breaches, however that is subject to change at any time” a spokesperson for the hacker group said in a conversation with Newsweek.

The Game to Get Ahead

Jihadis, like hackers, are often a step ahead of the authorities and in tune with the latest technological innovations. Gabriel Weimann, a professor at the University of Haifa in Israel and the world’s foremost researcher of Internet extremism, noted that terrorist groups tend to be the first users of new online platforms and services. As social media companies lag behind in the fight against extremism on their platforms, terrorist groups become more experienced in modifying their own communication strategies. “The learning curve is now very fast, once it took them years to adapt to a new platform or a new media. Now they do it within months,” said G. Weimann.

These words can be confirmed: every popular service, like WhatsApp or Telegram, has alternatives that jihadis are more than willing to make use of. In the above-mentioned article Hacking ISIS: How to Destroy the Cyber Jihad, the authors list dozens of other services jihadis utilize. For example, Edward Snowden’s favourite application, Signal, has open source code, reliably encrypts information, and allows you to exchange messages and calls with subscribers from your phone book. Signal is community sponsored through grants. According to Indian authorities, ISIS member Abu Anas used Signal as a secure alternative to WhatsApp. Another solution, released in 2014, is the messaging service Wickr, created by a group of cyber security and privacy specialists. It was this application that first made it possible to assign a “life” to a message, ranging from a few minutes to several days. Wickr destroys messages not only on smartphones, telephones, and computers, but also on the servers through which correspondence passes. The program has a function to erase the entire history, and after it has been used messages cannot be restored by any means. Australian Jake Bilardi came across an ISIS recruitment message in Telegram and was to meet with a recruiter through Wickr, though he was detained in time.

Surespot, Viber, Skype and the Swedish messaging system Threema are also mentioned. The latter application deserves to be mentioned on its own — Threema received 6 out of a possible 7 points for security from the Electronic Frontier Foundation (a non-profit human rights organization founded in the U.S. with the aim of protecting, in the era of technology, the rights established in the Constitution and the Declaration of Independence). Jihadis have also called the Silent Circle application a preferred app. After learning of this, the developers tightened security requirements, compelled by the fact that one of the creators, Mike Janke, is a former naval officer. Silent Circle now cooperates with governments and intelligence agencies. Though the list doesn’t end there — Junaid Hussain likewise made use of Surespot and Kik.

Militants have a great number of communication tools at their disposal in accordance with the goals they happen to be pursuing.

But if applications are primarily used on smartphones, other programs exist for laptops and PCs, readily used by both Information Security specialists and jihadis; for example, the Tor browser or T.A.I.L.S (The Amnesic Incognito Live System), a Debian-based Linux distribution created to provide privacy and anonymity. All outgoing T.A.I.L.S connections are wrapped in the Tor network, and all non-anonymous ones are blocked. The system leaves no trace on the device on which it was used. T.A.I.L.S. was used by Edward Snowden to expose PRISM, the US State Program, the purpose of which was the mass collection of information sent over telecommunication networks.

It can be concluded that militants have a great number of communication tools at their disposal in accordance with the goals they happen to be pursuing. Banning or blocking these tools will not ensure victory over the terrorists, though that is not to say the methods should be abandoned altogether. The best method to employ is that of having agents infiltrate terrorist ranks to ensure constant online and offline monitoring.

First published in our partner RIAC

  1. Michael Weiss, Hassan: ISIS: Inside the Army of Terror, ANF, Moscow, 2016
  2. Sergey Zapechnikov, Polina Kozhukhova, On the Cryptographic Resistance of End-to-End Secure Connections in the WhatsApp and Telegram Messaging Applications: NRNU MEPhI, Information Technology Security, Volume 24, No. 4, 2017
Alexander Mamaev
Alexander Mamaev
PhD in Technical Sciences, CEO of Digital Forensic Laboratory