ISIS Doesn't Trust Tor, Likes Snowden's Favorite Operating System (And Still Can't Hack Much)


Since the Paris attacks in November, the San Bernardino shootings in December, and the subsequent brawl between Apple and the FBI, there's been a growing obsession around the technical capabilities of terror group ISIS. How does it use encryption? Is it building a cyber warfare arm? The current answers: like the organization itself, its hacking skills and use of cryptography are patchy but developing at a trajectory that's concerning enough to cause anxiety amongst intelligence specialists.

Hints of the operational security of ISIS, or ISIL as it's often called, can be found in literature aimed at jihadis. This week saw the release of the ninth edition of Dar Al-Islam, an official ISIS publication written in French. In a section dedicated to technology, there's a warning about using the anonymizing network Tor, which routes users' traffic through a number of randomly selected servers and encrypts it. Dar Al-Islam raised concerns about "malicious nodes", points in the distributed Tor network controlled by spies and used to intercept traffic and pilfer data from users. The article recommended that users not enter sensitive or personal data on any website, "in particular when accessed with Tor".

It should come as no surprise that terrorists are concerned about Tor use. US law enforcement and academics have shown themselves adept at undoing the protections offered by Tor. To ensnare users of the Tor-hosted child pornography website Playpen, the FBI last year took control of the site's server and hacked thousands of visitors, all with a single warrant (courts across America are now furiously arguing over the legality of that operation). In 2014, Carnegie Mellon researchers were asked to provide a Tor surveillance trick that led to the shutdown of a swathe of major Tor websites, including the drugs bazaar Silk Road 2.

Some of the nervousness may also stem from the fact that the US government funds much of the Tor Project, according to Flashpoint, a group with significant intel on the Middle East. "There isn't a consensus whether Tor is the optimal way of secure browsing and communication, or not. Frequently, jihadists on top tier ISIS web forums preach the use of Tor. However, they urge users to not use it in its default status. Instead, jihadists must look into the Tor privacy settings and ensure that browsing history is not recorded, cookies are restricted, etc.," said Laith Alkhouri, co-founder at Flashpoint and director of Middle East & North Africa research.

Despite the reservations about Tor, Dar Al-Islam recommends the use of Tails, an operating system widely used by journalists and activists, as well as by NSA whistleblower Edward Snowden. Typically, Tails is downloaded onto a USB stick and plugged into a Windows, Mac or Linux PC. It then runs an encrypted version of Linux before the main operating system of the PC loads. The OS is heavily reliant on Tor for secure web use, but crucially it wipes any memory of its use on the computer. As long as users don't lose their USB stick and use a strong password, Tails does a good job of keeping people's data private (though malware that runs at the PC CPU level can undo that security).

Dar Al-Islam this month offered a full guide on using Tails, suggesting users could either opt to run the OS from a USB stick or inside a virtual machine via Oracle's VirtualBox software. "We suggest a USB key or SD card for security reasons because [it's] more practical to remove and destroy thereafter." It goes on to recommend the use of PGP encryption for securing email communications.

The Telegram application, though only briefly mentioned in the publication this month (described as "far from completely secure"), remains a popular tool for disseminating ISIS orders and propaganda, even though some doubt its use in real-world attacks like those in Paris and San Bernardino. Telegram is also used to spread word of myriad forms of encryption, according to Flashpoint.

"Just recently, prominent pro-ISIS tech channels released several manuals urging the use of various apps," Alkhouri said. These included DNSCrypt, for securing web communications with Domain Name Servers (which map names to addresses so traffic can be routed from PCs to web servers, acting like a web phone book), and F-Secure Freedome, a virtual private network for hiding users' IP addresses and encrypting their traffic.

Whilst there's substantial operational security advice available to individuals involved in ISIS, there's little evidence so far that they end up using such encryption, or that they do so effectively enough to avoid surveillance.

Hacking skills lacking

Flashpoint released its own report today, exploring the hacking capabilities of ISIS and affiliated groups. The ultimate message: there are few signs they are able to launch sophisticated espionage or damaging attacks, but threats of destructive, irksome hacks remain.

There is no official ISIS cyber arm. Instead, a hodgepodge of groups associated with ISIS have launched small-time attacks. These include a number of Cyber Caliphate collectives, an Islamic State Hacking Division and the Islamic Cyber Army. Initial attempts to kickstart a digital division were led by Junaid Hussain, formerly "TriCk" of TeaMp0isoN, who was killed in a drone strike in 2015.

Amongst the more successful attacks were the compromises of the US CENTCOM and Newsweek Twitter accounts. If the claims are accurate, thefts of information from New Jersey and Minnesota police, US National Guardsmen and US Marines were not insignificant either.

There are signs of a more coordinated approach too. On 4 April, a "United Cyber Caliphate" was announced over Telegram and Twitter, a merger of several groups, including Ghost Caliphate Section, Sons Caliphate Army, Caliphate Cyber Army and Kalashnikov E-Security Team. Earlier this week, a Michigan church had its website defaced, with anti-Christian propaganda left by the United Cyber Caliphate. Other such defacements carried out by the newly formed crew have been spotted by security analysts in recent weeks.

"The severity of cyber attacks supporting ISIS will likely not remain at this level of relative unsophistication," Flashpoint's report added. "Pro-ISIS cyber actors are demonstrating an upward trajectory, indicating that they will continue to improve and amplify preexisting skills and strategies."

ISIS' own adversaries have muddied the waters, however, by carrying out digital offensives that appear to support the Islamic State agenda yet are in fact part of infiltration missions. Security company FireEye this year claimed that Russian hackers were using the Cyber Caliphate name to launch attacks, doing so only to attract and identify ISIS members. "We believe it was part of a fairly sophisticated ploy to gain access to ISIS members. The idea being to go out and prove how effective they are online and start to communicate with them," said John Hultquist, director of cyber espionage analysis at iSIGHT Partners, a FireEye-owned company. Russian hackers masquerading as Islamic State mercenaries were believed to have been responsible for hits on the Warsaw Stock Exchange and the French media outlet TV5 Monde.

American cyberbombs raining down?

Whilst ISIS' skills are patchy, the US government is planning heavy offensive operations against the terror group. Deputy Secretary of Defense Robert O. Work said this April that US Cyber Command was dropping "cyberbombs" on ISIS targets, without explaining what such digital munitions were.

Other defense officials told the New York Times that America's military hackers may attempt to infiltrate ISIS networks to send false messages, leading terrorists into traps where they could be identified. They may also target the financial infrastructure of ISIS.

It's clear that the US not only has far greater power to breach the online defences of its enemies, but also that the Obama administration is now happy to talk openly about its plans to dismantle terrorist networks over the internet.
