ISIS Has Lost Land, But It Still Has a Giant Foothold In Cyberspace

ISIS is undeniably talented. Despite our unwavering endeavors to demolish the group, we have not. Although our efforts have significantly impeded some of ISIS’s operations, and helped drive it out of parts of Iraq and Syria, ISIS-inspired attacks persist – and at an alarming frequency. Its perpetual existence is partly due to the group’s vast support base and remaining physical holding. Above all else, however, it is due to its masterful use of the Internet. Its utilization of cyberspace keeps its radicalization global.

The group uses the Internet to spread poisonous doctrines, militant tactics, and graphics displaying their violence or their ability to govern. It maintains a comprehensive media machine, including a unit dedicated primarily to Westerners. Each of ISIS’s two-dozen operational territories across the Middle East, North Africa, Central and SE Asia houses a media team that shadows fighters in battle, records and propagates executions, publicizes upcoming local events, and then edits and distributes content according to the group’s messaging objectives.

When fighters worldwide flocked to the group’s strongholds, ISIS leveraged their linguistic skills to translate propaganda materials and leadership statements into many foreign languages. ISIS has compartmentalized the group’s video dissemination and assigned media teams to focus on various segments of the target audience, whether Western populaces, local Syrians and Iraqis, Kurdish forces, or its own fighters and supporters. The group then delivers its radical ideology to the global masses using the very technology billions of people around the world depend on.

Regardless of how much territory ISIS loses, its messaging will still reach and likely convince a massive audience that it is effectively playing “David vs. Goliath” against the world’s largest military coalition. It works through the obvious public sources like Twitter, but when it has been impeded from doing so, it has resorted to what is called the “deep web” and to a Russian-created massage service called Telegram, to elude the eyes of the intelligence agencies. It has even found a way to use the cloud services offered by Microsoft and Google.

100,000 Tweets

Twitter is integral to ISIS operations. Some reports suggested that ISIS supporters published nearly 100,000 tweets per day, on average, in 2015. This staggering number of pro-ISIS propaganda messages, download links, and grisly videos placed Twitter at the top of ISIS’s critical delivery platforms.

ISIS supporters have used Twitter for recruitment and mass propaganda reach. Once ISIS disseminates messaging to members and close supporters, the group’s massive network of followers undertakes the remaining legwork. The authorities have tried to shut down this pro-ISIS social media presence, but once Twitter bans one pro-ISIS account, another similar one rapidly rises in its place. Over the last year and a half, analysts observed one prominent ISIS account after another resurface after suspension hundreds of times. This “whack-a-mole” tactic exemplifies ISIS’s persistence in the face of increased scrutiny.

Over the last few months, however, Twitter has consistently been suspending thousands of pro-ISIS accounts every week. A June 2016 Twitter analysis revealed that pro-ISIS accounts currently tweet, on average, five times per day — a substantial decline when compared to the previous year’s reported average of 12 tweets per day per account. Meaning, an average of 9,000 pro-ISIS accounts had been active in supporting ISIS on Twitter. These numbers tell us that pro-ISIS tweets have decreased by more than 50% this year, suggesting an average of 45,000 tweets per day today. But this effort to stop ISIS’s viral reach has not succeeded in defeating the group. As it encounters difficulty on social media, ISIS has come to rely on other online media to accomplish its goals.

Plunging into the Deep Web

ISIS has developed a comprehensive and effective way to ensure its continued online domination. To deliver the group’s targeted messaging, ISIS media units clandestinely communicate with the administrators of designated Deep Web forums and, simultaneously, run encrypted channels on the lesser-known messaging platform Telegram.

“A relentless jihadist in the West does not have to go to Syria to learn bomb making. It’s all on the Internet.”

The Deep Web is the Internet’s underground. Its content is invisible to most people as its websites are not indexed by search engines like Google. This obscure cyber environment is where drug markets, financial fraudsters, and child pornographers operate. For ISIS, its Deep Web forums are similar to chat rooms, and they allow user interaction. The forums are password-protected networking sites that open by invitation only, which minimizes the risk of having unwanted individuals lurking among jihadists. Gaining access to these forums is extremely difficult – in some instances the forums only provide accounts to individuals who are vetted and accredited by trusted people.

The forums are fairly small in size, and as such are not built for mass propaganda distribution. However, they are substantially more secure than social media outlets, which is why they have become the primary point of release for ISIS propaganda. Since these forums are run by trusted members of the ISIS community and accessible only to a small number of people, the risk of network exposure is small. ISIS members can both release videos and network with hardline jihadists to gain support. The forum members can then use their publicly accessible social media accounts for further dissemination. For these reasons, the Deep Web is the primary launching pad for ISIS propaganda

Snapshots from the official ISIS propaganda channel on Telegram. Material is released directly by ISIS media

Telegram: The Best of Social Media and The Deep Web

ISIS militants also make use of message boards on Telegram, an encrypted communication platform similar to WhatsApp. Telegram, which was created by the founders of Vkontakte, the Russian version of Facebook, is considered a form of social media. However, in addition to having high encryption in place, minimizing the risk of eavesdropping, its content (unlike, say, Twitter) is not indexed by search engines, rendering it hugely more secure than most social media platforms. In essence, it carries the best features of social media and the Deep Web, as well as serving the jihadist-on-the-go with smartphone and tablet versions.

ISIS uses private, invitation-only “channels” on Telegram. A Telegram channel is similar to a WhatsApp “group chat.” The difference is that ISIS channels allow only trusted media personnel to post content, and only members of the channels are allowed to download the content. These channels are basically distribution pipes for radical videos, audio, and statements, in a way similar to an RSS feed for syndicating content. The platform became popular among jihadi supporters last summer after Facebook acquired WhatsApp, which they fear is now under the watch of the NSA. The platform also allows encrypted peer-to-peer messaging, which opens the door to a group of militants and recruits having a private chat.

Online discussions have become a virtual training camp for ISIS followers and recruits. Forum members are always suggesting unconventional attack methods to test out. Several months ago, amidst the intensifying aerial campaign against ISIS in Iraq and Syria, numerous sets of guidelines were released to counter the bombardment. One in particular suggested building a device to concentrate amplified electromagnetic waves, while another described the idea of using trainable birds to disturb jet engines. These discussions also include instructions for making bombs. A relentless jihadist in the West does not have to go to Syria to learn bomb making. It’s all on the Internet. And he also doesn’t need an explosive lab to make bombs. A garage would suffice.

Pyramidal Distribution of Propaganda

ISIS has managed to apply its impressive social media savvy across Deep Web forums and encrypted Telegram channels. Many of ISIS’s Telegram followers maintain multiple private channels with their own personal audiences. These supportive channels re-distribute the ISIS messaging and other radical content to further recipients, creating a multi-layered, pyramidal distribution structure for effectively multiplying the recipients of ISIS propaganda. It is like the universities’ online Blackboards where students receive and post assignments. Only the registered students would be privy to their classes’ material. Once the students download the documents or texts, they’d post it to their Twitter and Facebook accounts. On Telegram, jihadists follow the same methodology. This structure of propaganda logistics allows ISIS and its supporters to maintain the perception that the group is bigger, stronger, and deadlier than ever before – in spite of the decline in its public social media presence.

The Deep Web forums and Telegram are regularly targeted and even downed – sometimes for weeks at a time – especially as of late. Telegram has a policy, similar to Twitter and Facebook, against the distribution of violent material and terrorist propaganda. But ISIS has found ways to maintain its presence.

“Regardless of how much territory ISIS loses, its messaging will still reach and likely convince a massive audience that it is effectively playing “David vs. Goliath” against the world’s largest military coalition.”

ISIS releases limited-time or temporary invitation links to new or upcoming channels just prior to suspending the old ones. The new invitation links are always set with an expiration date, usually between 10 minutes to half an hour. Once channel members receive the new invitation, they post the details on the channels that they have separately created with their separate lists of followers. Before reaching further layers of recipients, the invitation expires. This method minimizes ISIS’s risk of losing Telegram channel members while constantly keeping the group steps ahead of Telegram’s policy violation measures.

Cloud Delivery a Savior for Videos

As pro-ISIS Twitter, YouTube and other social media accounts have come under attack, the group has had to find new ways to circulate its videos. Several years ago, when ISIS was simply Al-Qaida’s Iraqi branch, jihadi groups relied mostly on temporary upload services, such as 4Shared and Mega Upload, to disseminate videos. Groups’ media wings would share a password-protected compressed file (RAR or ZIP formats) containing the video or audio recording and then share the password with members of Deep Web forums. These members would then decompress the file and upload the video or audio to an online depository, such as the Internet Archive (archive.org). Jihadists would then share links to these materials throughout social media and pro-ISIS forums.

During the last several months, however, many video streaming websites have been aggressively targeting radical and violent videos for removal. In response, ISIS and its supporters have successfully expanded to using a number of cloud-based services, including Microsoft OneDrive, Google Drive, and Cloud Mail.ru. Each account on Gmail, for example, receives storage on Google’s cloud (up to 30GB free in size), allowing users to upload all sorts of files and share them with others, similar to how Dropbox works.

My team and I have analyzed the use of these services by canvassing cloud-based links distributed across two official ISIS Deep Web forums. The search results suggested a tremendous increase in interest around Google and Microsoft cloud services. In ISIS’s top forums, Shumukh Al-Islam and Al-Minbar Al-Jihadi, Google Drive and Microsoft OneDrive were used 163 times and 27 times, respectively, between June 2014 and June 2015. However, between June 2015 and June 2016, the two services were used 2,713 times and 585 times respectively. These results suggest that jihadists’ use of these services began to exponentially increase last year in response to increased efforts to combat ISIS online.

Some of the videos ISIS releases are gruesome depictions of terror and violence, and others threaten foreign governments with violence, but the majority showcase how the group runs the territories under its control. ISIS regularly releases videos featuring its Hesbah police force checking expiration dates on customer products, punishing alleged thieves and murderers, and protecting local citizens. The group strives to portray itself as a “state.” This notion is highly welcomed by the group’s supporters; they feel that they are part of the building blocks of a future global Caliphate, egging them to further support ISIS. The videos and social networking provide the group’s global followers a sense of belonging. This dynamic is paramount for ISIS’s survival, and it is reinforced via the constant flow of its propaganda on the Internet.

Top: A Snapshot from an ISIS Web Forum showing the list of releases, such as videos and statements. They are posted by the forum’s admins after receiving the material from ISIS media. Bottom: Snapshot of upload page on Internet Archive, showing a collection militant manuals and radical content.

Encrypting its Messages

To communicate with its like-minded others, pro-ISIS individuals rely on a range of encrypted messengers, secure email services and browsers, anonymizers and specialized smartphone apps. While jihadists have developed their own encrypted communication software, these tools remain relatively unsophisticated. Many jihadists have since expanded their options to include Western technologies.

For instance, the encrypted email services Tutanota and ProtonMail are jihadists’ favorites; the TOR browser is essential for private web surfing; and Threema has become popular in their secure instant messaging. ISIS supporters on Deep Web forums have begun exchanging their PGP keys. PGP, which stands for “pretty good privacy,” assigns one key for encrypting communications and another for decrypting it. This allows ISIS supporters to communicate covertly and overcome intelligence surveillance.

ISIS supporters regularly share information security manuals on Telegram channels and Deep Web forums. In fact, several ISIS-supportive, tech-savvy groups have even emerged as a “tech help desk” for thousands of jihadists. With manuals outlining detailed instructions backed with step-by-step snapshots, unenlightened jihadists can easily become self-taught techies.

Secure Jihad

Moreover, it is becoming increasingly evident that ISIS and its supporters, who are becoming technically savvy, are taking extra steps to apply comprehensive security measures. Over the last several weeks, a prominent cyber jihadist released two types of proprietary software that he claims to have built: one is for permanent deletion of files from computers, and the other is for high-level encrypted communication similar to PGP. My team and I tested this software, and we’ve concluded that, while somewhat rudimentary, they do accomplish the tasks they’re designed for.

As long as ISIS and its supporters continue to master the Internet, overcoming ISIS will not just require victories on the battlefield. It requires defeating ISIS in cyberspace. ISIS uses the internet to showcase itself as a legitimate state. Impeding its online operations would create a wedge between ISIS and its audience. It would prevent it from deflecting attention for its non-virtual battlefield losses in the Middle East and North Africa. It would show that ISIS is not a legitimate government and would-be caliphate, but like other terrorist groups, can eventually be curtailed and even eliminated.

Laith Alkhouri is Co-founder & Director of Middle East & North Africa Research at Flashpoint, a Business Risk Intelligence firm. You can follow him on Twitter here