ISIS Digital Reboot
Eleanor Parker, Federico Bertola, Kaitlynn Belmont, Maaz Qureshi, Riley Hall, CICYBER
September 14, 2020
ISIS (The Islamic State of Iraq and Syria), also known as ISIL (The Islamic State of Iraq and the Levant) or Daesh, is a terrorist group and a global threat through its violent ideology and network of terrorist fighters. ISIS has strong digital capabilities that allow it to both recruit and act in cyberspace.ISIS’s cyber abilities allow its members to spread propaganda media contents across social media, and, through experienced hackers and technically-savvy individuals, deface websites especially targeting US government pages. A collective effort by the international community is required to combat the reboot of ISIS propaganda: the case of a boy aged 14 started making bombs during lockdown after watching ISIS propaganda online in Leicester, the arrest of a man in San Antonio by the FBI for providing support to the Islamic State and discussing online a possible terror attack on US soil, and the recent discovery of a giant library of the group's online propaganda, are only a few elements that suggest they have begun to re-emerge online with propaganda.
From a military point of view, in 2014, ISIS claimed the territory of Western Syria and Eastern Iraq as its “caliphate”, establishing a hardline rule over a population of 8 million people, earning money through oil production, smuggling, taxes, ransoms from kidnappings, extortion, and other criminal activities. In 2018, ISIS claimed the responsibility for at least 166 people killed in a suicide bombing in the Syrian province of Suwayda.This is only a small fraction of the total amount of attacks carried out by Daesh globally between 2014 and 2018. More recently, ISIS’s military force diminished, especially outside of its original territory. Eventually, the Syrian Democratic Forces announced that ISIS had lost its final bastion in Syria, bringing an end to the caliphate declared in 2014. Even though ISIS is not only a terrorist organization, its stronghold is its ideological foundation, and its capability to radicalize even online has increased. ISIS’s presence between 2014 and now highlights how ISIS has an enormous military and territorial control over many territories. All the attacks they carried out have contributed to the enhancement of their image and propaganda of terror all over the world, reaching their communication aims online.
Over the past several years, ISIS has expanded on several strategies to recruit foreigners for the Jihadi cause which has expanded into online ones. ISIS has targeted mostly slums, middle-class families, with an average of recruits that are between 17 and 25 years of age. Recruiters typically use the internet and social media due to its advantages: in fact, on the internet, they could impersonate anyone useful to attract their target, such as fellow students or experts in a given area; in addition, the web allows to gain anonymity in conversations and identity, enabling recruiters to reach a much larger target audience. The internet allows recruiters to pose as anyone convenient to attract their target, and with a guarantee of anonymity. Recruiters have initiated conversations with targets aiming to evaluate vulnerabilities while building a trusted relationship with them. Once recruiters advance their activity at a social, psychological, and cultural level, they begin to progressively introduce jihadist ideology in an appropriately tailored manner. With the use of different narratives, recruiters have radicalized individuals by focusing on particular vulnerabilities: the vulnerability of targeted individuals to terrorist recruitment can be affected by a multitude of factors, including their geographic vicinity to a terrorist group, economic vulnerability or economic strain, perceptions of social or political marginalization, exposure to permissive social networks, or the exposure to extremist propaganda. Even though many radicalization processes have evolved through the use of social media and the internet, it is evident that the online environment can solidify beliefs and provide support, but it is not the single cause of terrorist recruitment: in fact, offline relationships still represent a key factor, with virtual and real dynamics complementing one another. In many cases, recruiters meet targets and potential ISIS supporters through family, at school, and in local community centers. So, virtual and real relationships, still play crucial roles in radicalization processes, with a fusion between the online world and the real world that leads radicalization processes to take place in increasingly remote places and then become concrete in the real and tangible world of everyday life.
A few months after ISIS strongholds fell in Syria in October 2019, Moustafa Ayad, Deputy Director of International Technology, Communications, and Education at the Institute of Strategic Dialogue (ISD), found links embedded in bios of several pro-ISIS Twitter accounts that linked to a Dropbox with 1.5 terabytes of training material for the group. This material included detailed instructions on how to hijack planes, make chloroform, and cell structures for coordinated attacks. The material was available in a wide variety of languages, including Arabic, English, German, French, Spanish, Russian, Bangla, Turkish, and Pashto. It is reported that “the cache’s content is a blend of the official products of ISIS itself with those of often more obscure precursors, such as the Tawhid wal-Jihad Group, who fought coalition forces in Iraq, and the umbrella organization of other insurgent groups, Majlis Shura al-Mujahidin. A small amount of it – just a few percent by size – captures in screeds and sermons the ideas of key ideologies of ISIS itself.” The most concerning component is the “Mujahid’s Bag”; a folder including topics on bomb manufacturing, disabling surveillance, urban warfare, and a whole range of offensive/defensive strategies, demonstrating how ISIS is relying on motivated individuals to teach themselves.
ISIS has only had one other data leak which released the personal information of thousands of members in March 2016. The list included information on family members of the terrorists, as well as when and how they arrived in Syria. The authenticity of the information is slightly contested, with some believing that it was a fake list used as a red herring. However, some of the phone numbers of family members were verified as authentic. A lack of computer security on their part can greatly advance the fight against terrorism if counterterrorism operatives are able to uncover terrorist tactics through OSINT alone.
ISIS’s cyber capabilities have improved along with the introduction of new technology features such as social media platforms and chat forums that allow users to connect with others globally, comment, and post at their free will. ISIS has developed its cyber capabilities from posting propaganda videos on YouTube to becoming technically savvy hackers. By advancing their knowledge in cybersecurity measures, they can bypass barriers to control and promote their ideology on almost all social media networks like Facebook, Twitter, and Telegram, without being detected. As the use of technology has become an important part of everyday life, ISIS can spread their radicalized ideas of Jihad, recruit others to join their mission, and have the capability to incite attacks at any time and anywhere via the internet.
After rapidly losing their strongholds in Syria and Iraq since 2017, cyber functions have become an essential part of ISIS’s survival in the form of recruiting foreign fighters online, promoting itself to increase support, and for internal communications among members. In this sense, ISIS has been forced to improve upon its usage of the internet and social media platforms. As with the ISIS terabyte discovery by Moustafa Ayad which saw accounts discreetly post links to the content in their biographies, a report from July 2020 found that ISIS members were able to “exploit gaps in both the automated and manual moderation systems on Facebook” in order to generate more views of ISIS material. These findings would imply that ISIS’s cyber capabilities have improved since 2017, especially as they have incorporated new tactics such as mixing ISIS content with legitimate news outlet material through using the theme music from the BBC News over an ISIS broadcast.
Other evidence of ISIS’s improvement of its cyber capabilities includes their usage of media-sharing platforms such as SoundCloud and TikTok, in order to share video and music content to audiences globally. Whilst the owners of platforms such as these claim to quickly ban such accounts, there are little to no preventative measures to stop ISIS members from simply creating new accounts and re-sharing the media. This suggests that the number of social media accounts controlled by ISIS members will more than likely continue to grow in the upcoming years. ISIS members have exacerbated this problem by learning protocols to evade detection by law enforcement, such as through blurring ISIS branding, using unusual punctuation, or ‘breaking up texts’ to stop keyword searches from finding their material.
Evidence of terrorists using Facebook
In addition to using social media platforms to spread ISIS propaganda, they also allow ISIS to “internally produce malware” and “access code manufactured by hackers for hire.” Creating a ‘backup’ terabyte drive ensures that ISIS is kept at the forefront of the minds of individuals and is able to recruit new members, allowing them to develop new methods for their implementation of cyberattacks. One of these main methods is in the recruitment of experienced hackers and technically-savvy individuals to deface websites and social media accounts, ‘glorify’ the ISIS agenda, as well as enforce the targeting of US government pages. The existence of groups that work on behalf of ISIS, such as the Islamic State Hacking Division (ISHD), the Caliphate Cyber Army (CCA), and the United Cyber Caliphate (UCC), have helped to carry out DDoS attacks, use malware to determine the location of critics, and build ‘kill lists’ of military and government members. However, individuals have argued that the main functions of these groups are to ‘create impressions of power’ of ISIS’s cyber capabilities, rather than actually carry out sophisticated attacks. The Al Hayat Media Center was established in May 2014 to publish ISIS propaganda and media in a variety of languages, mainly English, suggesting that ISIS is targeting recruits from Western audiences to use in cyberattacks. Cyberattacks are also commonly intertwined with ISIS’s physical attacks, as in the case of the Charlie Hebdo attack in January 2015, whereby 19,000 French websites were also targeted alongside the physical terrorist attacks. This combining of the two methods ensures that ISIS remains at the forefront of the media and is all-encompassing in its terror.
Since 2017, ISIS has expanded its attacks in various ways. ISIS is known to use cyberattacks to flood social media with Islamic State propaganda, effective ways to make a bomb, and how to carry out attacks. In June of 2017, a cyber subgroup of ISIS, known as Team System Dz, was able to exploit a security hole in Idaho’s state treasurer websites. Although no information was said to have been stolen, they replaced the home pages with anti-Trump and pro-Islamic messages calling for the blood of Westerners’ to be shed. A more disturbing call to action in recent years was a call to action demanding the death of Americans. The pro-ISIS hacking group, UCC, released a short video containing the names and addresses of 8,786 U.S citizens including President Donald Trump. Those watching in support of ISIS were given instructions to immediately conduct lone-wolf attacks to eliminate the targets.
Recently, the COVID-19 pandemic also offered a way for ISIS to ramp up their cyber scams as they exploited the vulnerability of individuals in need of Personal Protective Equipment (PPE). An Islamic State agent, using the alias Murat Cakar, set up the website ‘FaskMaskCenter.com’, promising to deliver FDA approved N-95 masks upon payment through cryptocurrency platforms. Four other similar sites were linked to Islamic extremists that were going to use the funds for terrorism operations but the DOJ intervened and seized what was known as the largest government terrorism-related cryptocurrency seizure of one million dollars. The example of using cryptocurrency platforms such as bitcoin shows the progressive nature of ISIS’ cyber-related crimes and their ability to quickly mobilize a way to make money. Cakar was able to exploit thousands of individuals' needs for PPE by enticing what seemed like a helping hand through an anonymous platform that should have raised some suspicion.
Perhaps the most important thing that can be done to deter the threat of ISIS propaganda, is using social media’s ability to implement machine learning through artificial intelligence (AI). Due to the increase in AI capabilities, cybersecurity professionals are focusing on developing algorithms that are able to identify ISIS propaganda amongst other terror groups throughout social media. Facebook claims to have removed 99 percent of terrorist propaganda but research suggests this is unlikely. However, social media platforms are working with the D.H.S., N.S.A, and the F.B.I., sharing information between the entities in an effort to remove the content and provide intelligence on discovered terrorist threats. Additionally, a progressive effort has been made by the US Government to disrupt communication and find information to take down ISIS’s leadership. US military hackers are being enlisted to infiltrate members' computers and place malware which would allow them to acquire names, locations, and information pertaining to possible future attacks while shutting down their means of recruitment. ISIS easily bypasses weak technical barriers and disseminates propaganda based on the country and its language. With more individuals enticed by the internet with little online safety experience, ISIS can form a global network based on video, posts, Tweets, and messages without ever seeing their recruits.
Word Cloud of the most common words used by terrorist social media accounts
Although efforts by social media platforms like Facebook and Twitter have been made to filter out and delete ISIS propaganda, they still find ways to return. Their relentless efforts are backed by finding vulnerabilities in both the automated and manual moderation systems. This includes reposting current news to their page to avoid detection by bots, as well as adding hashtags and coded words into their captions to make them seem like ordinary posts. In one instance, a 30-second news clip from France 24 was placed as an introduction before ISIS’ real video played in an attempt to deter any suspicion that it was a video by the terrorist group. The Islamic State's awareness of the overwhelming number of inactive profiles in the cyber domain internationally gives them access to anonymity. They use this to their advantage by embedding training materials into profile pictures and biographies on accounts that seem relatively normal. Another vulnerability ISIS was able to exploit was hijacking inactive accounts (accounts whose users do not actively log in or use the account) and taking ownership. Here they have the ability to post Islamic calls to action and videos under an account associated with an email registered to another person. ISIS also preys on developing countries where internet access has now become more accessible. Malaysia is a primary target because of its high usage of encrypted messaging and VPNs. This is due to individuals wanting to access free entertainment, like Netflix, or desiring to conduct online activities that they do not want the government to see. ISIS easily bypasses weak technical barriers and disseminates propaganda based on the country and their language. With more individuals enticed by the internet with little online safety experience, ISIS can form a global network based on video, posts, Tweets, and messages without ever seeing their recruits.
Additionally, social listening is being used by organizations to watch social media platforms for themes and trends. Information is gathered over time and terrorist profiles are built, making it easier to identify terrorist affiliated accounts lurking throughout social media. Since 2015, the European Union’s Internet Referral Unit (IRU) has aimed its cyber strategies toward disrupting ISIS activity. Europol attacked and successfully removed 5,055 terrorist accounts and bots from Telegram in November 2019. There is no one-stop fix-all for eliminating ISIS propaganda. As long as ISIS has Internet access, CTG is nearly certain that ISIS will have the ability to post propaganda online despite their social media accounts being continually shut down.
Social media platforms grant users the option to implement Multi-Factor Authentication (MFA) on their accounts. Prior to MFA, ISIS was easily hijacking social media accounts and using them to post propaganda. Legitimate accounts with no prior affiliation to terrorist activity take social media security personnel longer to notice red flags. After MFA was implemented, some ISIS cells adapted, learning how to spoof their phone numbers, and look for a match with social media users. It is unlikely ISIS has the capability to hijack MFA enabled social media accounts in 2020. However, by implementing the use of phone number spoofing applications, MFA utilizing simple text/password combinations remain susceptible to breach.
A collective effort is required to combat the reboot of ISIS propaganda. F.B.I Director Christopher Wray has stated that the F.B.I. will continue to monitor those who join ISIS, those returning from terrorist training camps overseas, and those who seek to do harm on US soil in the name of ISIS. Law enforcement, governments, social media platforms, and civilian intelligence organizations can not successfully eliminate ISIS propaganda individually. Cyber threats primarily on social media must be analyzed in depth by each of these groups. Critical intelligence must be shared between these groups in a timely fashion to prevent the spread of ISIS propaganda. Social media platforms must perfect their AI algorithms to detect ISIS content.
CTG is currently developing training material with the help of the OSINT Research, Development, and Training team (OSINT RDT) in order to increase its footprint in terrorism analysis. CTG will continue to monitor social media accounts using its digital targeting platform to identify ISIS-related propaganda and threat actors. Finally, CTG will continue to release its intelligence reports with law enforcement and clients to promote information sharing in an effort to defeat terrorism.
________________________________________________________________________________________ The Counterterrorism Group (CTG)
 “UK action to combat Daesh”, UK Government, n.d, https://www.gov.uk/government/topical-events/daesh/about
 “Boy, 14, started making bombs during lockdown after watching Isis propaganda, court hears”, Independent, September 2020 https://www.independent.co.uk/news/uk/crime/terror-plots-uk-teenage-boy-eastleigh-bottle-bombs-isis-online-radicalisation-b693441.html
 “Florida Man Arrested for Creating, Spreading ISIS Propaganda: FBI”, NBC South Florida, September 2020 https://www.nbcmiami.com/news/local/florida-man-arrested-for-creating-spreading-isis-propaganda-fbi/2296172/
 “ISIS Fast Facts”, CNN World, September 2020, https://edition.cnn.com/2014/08/08/world/isis-fast-facts/index.html
 “ISIS Recruiting: It’s Not (Just) Ideological” Foreign Policy, September 2017 https://www.fpri.org/article/2017/09/isis-recruiting-not-just-ideological/
 Jessica Tristo Darden, “Tackling Terrorists’ Exploitation of Youth”, American Enterprise Institute, May 2019 https://www.un.org/sexualviolenceinconflict/wp-content/uploads/2019/05/report/tackling-terrorists-exploitation-of-youth/Tackling-Terrorists-Exploitation-of-Youth.pdf
 “To Stop ISIS Recruitment, Focus Offline”, Lawfare, 2016 https://www.lawfareblog.com/stop-isis-recruitment-focus-offline
 “Inside the secret plan to reboot Isis from a huge digital backup”, Wired, September 2020, https://www.wired.co.uk/article/isis-digital-backup
 “Intelligence agents study cache of leaked Isis documents”, The Guardian, March 2016, https://www.theguardian.com/world/2016/mar/10/intelligence-agents-scour-cache-isis-documents
 “The American way of cyber warfare and the case of ISIS”, Atlantic Council, September 2019, https://www.atlanticcouncil.org/blogs/new-atlanticist/the-american-way-of-cyber-warfare-and-the-case-of-isis/
 “Inside the secret plan to reboot Isis from a huge digital backup”, Wired, September 2020, https://www.wired.co.uk/article/isis-digital-backup;
 “Encounter Battle: Engaging ISIL in Cyberspace”, The Cyber Defense Review, Winter 2017, https://www.jstor.org/stable/pdf/26267403.pdf?refreqid=excelsior%3A8da8e2cafc6615ffa3f5e7f5176ebafb
 “Doxing and Defacements: Examining the Islamic State’s Hacking Capabilities”, Combating Terrorism Center At West Point, April 2019, https://ctc.usma.edu/wp-content/uploads/2019/04/CTC-SENTINEL-042019.pdf
 “Encounter Battle: Engaging ISIL in Cyberspace”, The Cyber Defense Review, Winter 2017, https://www.jstor.org/stable/pdf/26267403.pdf?refreqid=excelsior%3A8da8e2cafc6615ffa3f5e7f5176ebafb
 “Another hack of Idaho state websites, but no data taken”, Idaho Statesman, June 2017, https://www.idahostatesman.com/news/politics-government/state-politics/article158490544.html
 “ISIS-linked Cyber Group Releases 'Kill List' of 8,786 US Targets For Lone Wolf Attacks”, Newsweek, April 2017, https://www.newsweek.com/isis-linked-cyber-group-releases-kill-list-8786-us-targets-lone-wolf-attacks-578765
 “ISIS Allegedly Ran a Covid-19 PPE Scam Site”, Wired, Aug 2020, https://www.wired.com/story/isis-allegedly-ran-a-covid-19-ppe-scam-site/
 “How Facebook uses machine learning to fight ISIS and Al-Qaeda propaganda”, MIT Technology Review, November 2018, https://www.technologyreview.com/2018/11/12/139126/how-facebook-uses-machine-learning-to-fight-isis-and-al-qaeda-propaganda/
 “Can ISIS’s cyber-strategy really be thwarted?”, ESSEC BUSINESS SCHOOL SEM IDS: Applied Cybersecurity, n.d, http://blogs.harvard.edu/cybersecurity/files/2017/01/ISIS-Cyber-strategy-strategic-report.pdf
 “Hackers are spreading Islamic State propaganda by hijacking dormant Twitter accounts”, TechCrunch, Jan 2019, https://techcrunch.com/2019/01/02/hackers-islamic-state-propaganda-twitter/
 “Evolving Tech, Evolving Terror”, Center for Strategic and International Studies, n.d, https://www.csis.org/npfp/evolving-tech-evolving-terror
 “Europol disrupts Islamic State propaganda machine”, BBC News, November 2019, https://www.bbc.com/news/world-middle-east-50545816
 “The decimation of Isis on Telegram is big, but it has consequences”, Wired, December 2019, https://www.wired.co.uk/article/isis-telegram-security
 “Europol razes IS propaganda network online”, E&T, November 2019, https://eandt.theiet.org/content/articles/2019/11/europol-razes-is-propaganda-network-online/
 “Islamic State terrorist propaganda is going viral on Facebook”, Wired, July 2020, https://www.wired.co.uk/article/islamic-state-terrorism-facebook
 “Global Terrorism: Threats to the Homeland”, F.B.I., October 2019, https://www.fbi.gov/news/testimony/global-terrorism-threats-to-the-homeland-103019