A July report entitled Tech For Jihad: Dissecting Jihadists’ Digital Toolbox details and analyzes how 36 specific tools are used by various jihadist groups. While the news media has focused on how these groups leverage particular social media accounts and these are well documented (that last link has some solid suggestions on improving your social media posture too), there is actually a wide array of other tools that are used to spread propaganda, recruit new members, and launch cyberattacks. Indeed, the jihadists rely a great deal on the Internet, and as they increase their digital footprint they require the same kinds of security protection that any careful enterprise would employ these days.
Two security researchers from Flashpoint wrote the report: their company is a security vendor that analyzes the dark web and provides other intelligence reports about malicious actors.
At the heart of their toolkit is the Tor browser, which enables anonymous surfing and connecting to the Dark Web for various illegal activities. According to the report, Tor has been in use since May 2007 by the jihadi groups. A year later saw the creation of a custom encryption tool called Asrar Al-Mujahideen. After the Snowden revelations, a new tool was released called Amn Al-Mujahid. A full timeline is available from the RecordedFuture blog.
The preferred access method seems to be the Opera browser, mostly from Android devices, because it can connect to a free VPN service. Speaking of VPNs, they were first used in 2012, and the authors found early posts on dark web forums comparing the various VPN technologies and their advantages and disadvantages, just as any solid IT researcher would do. This included an analysis of what kinds of logs the VPN software keeps and how these logs can be erased. The VPN chosen was the CyberGhost VPN (there are free and paid versions, and of course payment in bitcoin is accepted).
Another tool mentioned in the report is the HardDiskSerialNumberChanger, which can further obfuscate the identifying information about the originating device that comes from the local hard drive. Another tool is called FakeGPS, which provides a false physical location to various social media clients such as Facebook and Twitter. This enables users to pick some fake location when they post social updates.
Then there are various encrypted email services, including HushMail, ProtonMail, GhostMail and Tutanota, among others. The authors document the use of these products by jihadists beginning in February 2013. This was followed by encrypted text messaging and chat services, such as WhatsApp and Telegram. Telegram in particular is used to disseminate official statements from Jihadi leadership to the general public. Because it offers end-to-end encryption, messages are difficult to read while in motion, which is why the app is becoming more popular among jihadists. Taken together, what is clear is that jihadists are doing a great deal to carefully hide their locations and digital tracks.
These are just a few of the tools that are employed by these organizations. There are others, including home-grown mobile apps that are used to spread propaganda (including their own podcasts and other media streams) in both English and Arabic to supporters. These media streams have proven so popular that “culture jammers” have released their own apps that purport to be the “real” ISIS podcasts to confuse their audience. Along similar lines, Google’s Project Jigsaw has been working over the past year to target aspiring ISIS recruits and dissuade them from signing up. By using search algorithms, the program places ads alongside common search terms and keywords that link to anti-ISIS English and Arabic YouTube channels. Jigsaw hopes these links to testimonials can debunk the Jihadi narratives, and so far it seems to be working. Click-through rates on Jigsaw’s curated videos were three times higher than those on the pro-ISIS links, according to Wired magazine.
Clearly, this increasingly comprehensive outlook shows how seriously jihadists handle their operational cyber security and other online activities. But it could also be a useful example for ordinary enterprise IT workers who travel abroad or who wish to maintain a higher level of security themselves.
There is much that can be learned from the jihadist infosec toolkit and how they make use of the Internet for recruitment.
As the authors conclude, “While jihadists incessantly adapt their behaviors to evade surveillance, we must adapt our surveillance tactics to keep up. The more we understand about how jihadists leverage digital technologies to engage in nefarious activities, the better equipped we will be to defend ourselves and mitigate risk as effectively as possible.”