SAN FRANCISCO — Abu Majad figured that when ISIS came for him, it would be with a knife on a dark street, or a bomb planted on his car. The 34-year-old had been living in southern Turkey since fleeing Syria nearly three years ago and knew that his outspoken stance against ISIS — online and in his hometown in northern Syria — had put him in the terrorist group’s crosshairs. What he wasn’t expecting was to wake up on the morning of March 29 to a virus planted by ISIS within a seemingly innocuous email attachment.
“Everything about this looked like a real email, sent from the admin of my own website. It looked safe, but it was not. They were trying to get my login information, my passwords. They were trying to get things that could have put real lives in danger,” said Abu Majad, who asked that his nickname be used instead of his real name to protect himself and his remaining family in Syria from reprisal attacks by ISIS. “It was very clever. When I saw it I thought to myself, Shit, now they are professional hackers?”
Cybersecurity experts and intelligence agencies who monitor ISIS say the malware is just one more sign that ISIS is growing more sophisticated in its use of the internet.
“I don’t think it is far-fetched to say that the internet is a major reason why ISIS is so successful, and so worrying, as far as global terror movements go,” said one U.S. intelligence officer, who spoke to BuzzFeed News in Washington, D.C., and asked not to be named as he wasn’t authorized to speak to the press. “They have always been ‘good’ at the internet, at the strategy of how they use it. Now they are smarter at the internet too.”
Many of the world’s major intelligence agencies are trying to figure out just how ISIS uses the internet. As the jihadi group continues to attract supporters around the globe, the need for them to safely communicate online has grown. While the vast majority of the group’s fighters in Iraq and Syria are probably not using the internet for much more than sending photos to their family WhatsApp groups, U.S. intelligence believe a small unit within ISIS is leading the group’s cyber ambitions, which range from working with hackers to launch cyberattacks against their enemies, to publishing manuals that help their supporters mask their online communications and defend themselves from those hunting them.
What Abu Majad found that March morning was an email that looked like it came from his own website, asking him to log in and verify his details. Within the email was something known as a “dropper” — malware that is used to plant other software onto a computer without the user’s knowledge.
“They would have had access to everything if I had opened that link,” said Abu Majad, who has sensitive information on his computer about other activists who, like him, try to oppose ISIS rule in Syria by smuggling out photos and videos that document the difficulty of civilian life under ISIS rule. Abu Majad insists he did not click the link, but he also declined to explain how he knew it was malware. “I was used to seeing ISIS fighters in cafes who barely know how to sign on and check their email. I was not expecting them to be this sophisticated.”
Dlshad Othman is a cybersecurity engineer with the ISC Project, which provides information security assistance to civil liberties groups, and also studies ISIS. He said he had recently seen malware used in attacks on Syrian and Kurdish journalists and sites that try to fight against ISIS propaganda online.
“ISIS has been targeting sites that are outspoken against ISIS,” Othman said, giving as an example the group Raqqa Is Being Slaughtered Silently, an activist group that tries to disseminate real information from within Raqqa, capital of ISIS’s self-declared caliphate. “They targeted people who are trying to reveal what ISIS is really doing in Syria, which they see as a threat to their recruitment and propaganda.”
He showed BuzzFeed one of the emails he was analyzing, which also contained malware. Othman traced the email back to IP addresses in Turkey and Qatar, another indication, he said, that ISIS was getting help from its network outside of Iraq and Syria to carry out cyber attacks.
“Malware, phishing campaigns, DDoS attacks are all things I have seen,” he said. “Now, these dropper attacks are new and are more sophisticated. What we see is the group growing and evolving their capabilities. What we are seeing is worrying.”
Here’s an example of a conversation on a private ISIS channel on the messaging app Telegram on a recent Sunday afternoon:
“brother r u use VPN for site?”
“no brother, that is shit. use tor.”
“tor is creation of CIA. avoid tor.”
“so use vpn?”
“lol, no there is something else”
These sorts of exchanges appear daily on Telegram, a Berlin-based messaging app that was founded by Nikolai and Pavel Durov, the founders of Russia’s largest social network, VK. In the fall of 2015, use of Telegram spiked among ISIS supporters, as Pavel Durov told a September 2015 panel at TechCrunch that “privacy, ultimately, and our right for privacy is more important than our fear of bad things happening, like terrorism,” a statement some saw as his announcing that Telegram would not kick ISIS channels off their platform. While dozens of channels have been kicked off in the months since, ISIS supporters still appear to operate more freely on Telegram than they do on other apps. Among the beheading videos, Quranic verses, and general thoughts on the group’s self-declared caliphate is an endless barrage of advice on how to use the internet. Guides in French, Spanish, German, English, Arabic, and Turkish have made the rounds offering step-by-step instructions on how to minimize an electronic footprint by hiding a user’s location and personally identifiable information.
The advice is meant to keep ISIS supporters safe, but for most it’s a confusing labyrinth of conflicting opinions.
Like many ISIS supporters, also known as fanboys, a man who goes by the nickname Abu Jihad online jumps between a number of networks where ISIS news is broadcast, discussed, and shared. His current staples are Telegram and Twitter, though Twitter, he says, has become less and less ISIS-friendly as they have become more proactive about shutting down accounts associated with ISIS. He has, at various times, used WhatsApp and Kik, but has since discarded those messaging programs as being “not secure enough.” He also dropped Zello, an app that allows groups to send participants/members short audio messages, similar to a walkie-talkie, when he found it too crowded with ISIS supporters reading verses of the Qur'an. He’s heard of a new app called Alwari, allegedly created by ISIS supporters, but says he can’t figure out where to download it.
“To be anonymous online is the most important thing so that we can safely help the jihad when the time comes,” Abu Jihad wrote BuzzFeed News in a private message on Telegram. He refused to give his real name or location. “The kuffars make it as hard as possible, but we always find a way to succeed,” he said, using a derogatory term for non-Muslims.
How to connect to other ISIS supporters is a near-obsession for Abu Jihad, who likely lives in a Western country given his English-language skills and waking hours. Like many others who chose the nom de guerre, which translates as “father of holy war,” or “father of the struggle,” he has never seen battle and currently only admires ISIS from the safety of his computer screen.
At least once a week, Abu Jihad thinks he has spotted a CIA agent in the Telegram channels that he monitors.
“The internet is full of American and Israeli spies,” Abu Jihad wrote BuzzFeed in a private message, before asking for more details on where BuzzFeed News is based and whether it had a political agenda. “It’s well-known that most journalists are spies.”
U.S. intelligence agencies hint that they are active in ISIS channels. During an interview with BuzzFeed News on recent efforts by Twitter to kick thousands of ISIS-linked accounts off their site, one official in the Department of Defense joked, “It’s just a shame they also got so many of our honey traps in that web.”
“Wherever ISIS is chatting, we try to have a presence,” said the official, who spoke on condition he not be named, as he wasn’t authorized to speak to press.
But according to cybersecurity experts, the U.S. is doing more than just watching those channels. Speaking to reporters last month Deputy Secretary of Defense Robert Work said, “Right now it sucks to be ISIL.”
"We are dropping cyber bombs. We have never done that before," he told reporters. "Just like we have an air campaign, I want to have a cyber campaign. I want to use all the space capabilities I have.”
The comment was seen as a reference to malware that U.S. intelligence agencies would try to plant in ISIS forums that, if installed by ISIS followers, could track or even hijack a computer.
In California this week, U.S. Defense Secretary Ashton Carter told reporters: “We will blackout, fool, and disrupt ISIL networks until we destroy them.”
“There are rumours that our forums are infected,” said Abu Jihad. “But it is impossible for us to stay off of the internet.”
Last month, Dar Al-Islam, an online magazine published by ISIS in French, released its ninth issue with a 16-page special section dedicated to online security, offering detailed instructions on using a number of programs to safely access ISIS channels and communicate with other ISIS supporters. It is hardly the group’s first guide to using the internet. But while previous instructions have been little more than translations of existing internet safety guides, the issue showed the group’s evolving understanding of online security. Whereas in the past they would simply mention the name of a program, and copy-paste a description, the French manual, and similar versions published on ISIS online forums, have detailed instructions on how to layer different programs, such as using a VPN to help hide location, while also sending encrypted emails that mask the content of a message.
The Dar al-Islam issue touts Tails, an operating system popular among privacy advocates and made famous by Edward Snowden, as the preferred means of safely going online. Tor, another favorite for its ability to anonymize traffic by passing it through a number of randomly selected servers and encrypting traffic, was bashed in the magazine, which warned that “spies” were likely working within Tor to intercept traffic. (The assessment was unsurprising considering a recent admission by Matt Edman, a former developer for Tor, that he helped the FBI create malware to unmask users of the software.)
Encryption, ranging from programs like Telegram and WhatsApp that have encryption built in to a description of how to use PGP to encrypt emails, features heavily in the magazine. A security expert who is only known online as “the grugq,” but whose blogs and tweets are widely read by cybersecurity experts, closely follows how ISIS communicates online. After reviewing the magazine, he told BuzzFeed News that he believed ISIS only had a limited understanding of how encryption works.
“The author believes encryption is a solution to every problem,” the grugq said in an email to BuzzFeed News, noting that it eschewed other techniques, such as teaching users how to be anonymous online by never revealing or entering into public forms personal details such as real names, birth dates, or countries of origin. “The author is not clear on the real threats that jihadis actually face. The faith in crypto as a panacea to all the dangers faced by online jihadis demonstrates the shallowness of the author’s security understanding.” He said he believed their knowledge was “superficial and based, as usual, on privacy manuals.”
“The main takeaway from this guide is that the author believes so strongly in encryption they think it will solve everything. It is the ignorant belief that 'going dark' is as simple as downloading TAILS. In the real world, nation state adversaries are not deterred by a little bit of crypto sprinkled here and there like OPSEC fairy dust,” he said.
Thomas Rid, a professor in the department of war studies at King's College London and author of Rise of the Machines, a book that explores why people fear digital surveillance, said he was impressed with the level of detail in the manual, though he questioned the conclusions they drew about certain programs. For instance, the group distrusts TOR, an anonymizing network that sends users through a number of randomly selected servers to help hide their identity. Despite TOR’s popularity with activists around the world, ISIS distrusts it, due to reports that it had been breached, as well as suspicions that the CIA or NSA might be secretly controlling part of the network to spy on its users.
“Generally the technical detail provided is impressive — not error-free, but remarkable for what after all is a general interest magazine for jihadis,” Rid wrote to BuzzFeed News in an email.
But while some within the Department of Justice and FBI have touted the idea that encryption is dangerous, U.S. intelligence officials from the Department of Defense and military who study ISIS think that even if advice on encryption is inundating the ISIS forums, few are using it and fewer still are likely using it correctly. One military officer said that despite fears of some security officials over militant groups “going dark” by using encryption and hiding their activities online, the process of sending an encrypted email was complicated and prone to errors.
“Even people who use these programs every day occasionally make mistakes. The processes described by ISIS are not intuitive. The more they use these programs the greater the chance someone slips up and uses them incorrectly and exposes themselves,” one U.S. military intelligence official told BuzzFeed News during a briefing in D.C. He spoke to BuzzFeed on the condition that he not be named as he wasn’t authorized to speak to press. “In a way, it’s best for us when they increase their presence online as much as possible. The more they do online the more of a digital footprint we have to follow.”
Had ISIS only chatted more online prior to the attacks in Paris and Brussels, he added, intelligence agencies might have known enough to stop them.
The attacks on Paris and Brussels ignited a global debate on encryption and terror.
On the one hand are certain intelligence agencies and governments, who say they missed signs of the attacks because ISIS was using the “dark web” to communicate, sending encrypted messages that intel agencies couldn’t crack. On the other hand are cybersecurity activists and experts, who say there is little evidence that sophisticated techniques were used by the attackers to mask their communication. (Quite the opposite, they argue: The attackers lived in the same apartment and used the old-school method of multiple burner phones.) And then there is the media, whose coverage of the issue has received intense scrutiny, with reports of ISIS sending encrypted emails scrubbed from the web just days after their publication, and unnamed sources giving conflicting evidence of how the attackers communicated.
Last month, Le Monde and the New York Times published articles based on French intelligence documents that recount the case of 29-year-old Reda Hame, a Parisian IT specialist who traveled to Syria to join ISIS but was instead put through a rapid training course and sent back to France to carry out an attack. The articles described how Hame, who was arrested last August by French police, provided details of his training, including how he was instructed to use TruCrypt, an encryption application, and how, before returning to France, he was given a USB drive containing the program.
The reports appeared to hold the first time that a Western intelligence agency confirmed encryption being used by an ISIS operative. But as cybersecurity experts began looking over the details Hame provided, questions emerged over whether the method described in the article would really work, as it would require an entire disk to be encrypted and then uploaded — leaving behind a large digital footprint and room for human error each time it is uploaded.
A subsequent story in the New York Times about the Paris attacks also left cybersecurity experts confused when a key paragraph read: “According to the police report and interviews with officials, none of the attackers’ emails or other electronic communications have been found, prompting the authorities to conclude that the group used encryption. What kind of encryption remains unknown.”
The problem, the cybersecurity experts pointed out, was that encryption leaves traces of itself everywhere. When an encrypted email is sent, it still appears in inboxes and sent folders, it is just that the text is garbled. Unless you have a key to unlock that text, (or the technology that some intelligence agencies, including the U.S., have to break encrypted emails), all you can see is the garbled gibberish. Had the Paris attackers been sending encrypted emails to their handlers in Iraq and Syria, the garbled messages should have still been there.
Because neither French nor Belgian investigators have released their findings on the attacks to the public, it’s impossible to say what evidence they might have into how the attacks were planed. Until they do, cybersecurity experts such as the grugq, who keeps a running list of various ISIS-linked attacks and whether or not reports have confirmed the use of encrypted communications to plan and carry out the attacks, continue to try to find clues in what is leaked to the press.
Google recently said that more than 50,000 people search for the phrase “join ISIS” every month.
Jordanian officials say that in an average week, more than 100 Jordanians Google the phrase. The top results in Arabic offer step-by-step instructions as detailed as when to pack a bag and what to tell your parents, according to one Jordanian intelligence official.
“What makes ISIS so dangerous is that if you were trying to join the organization tomorrow, and weren’t sure where to start, Google would have most of your answers,” said the official, who spoke to BuzzFeed News by phone on condition that his name not be used as ISIS has threatened to assassinate officials like him in Jordan. “Even if I shut down every mosque, every person who supported ISIS in Jordan, there would still be YouTube videos recruiting young men with gun fights that look like they came out of a Hollywood movie. There would still be Twitter where men tweet about how they are living in paradise with three wives and a house, and there would still be WhatsApp and Telegram and every other network for them to communicate personally with whoever they want.”
The intelligence officer said that if an online platform exists, ISIS has figured out how to exploit it.
“At the end of last year, we were approached by a family living near Zarqa who believed their daughter was speaking to dangerous people online,” said the officer, naming Jordan’s second-largest city. “I told them, 'Close her Twitter and Telegram,' but they said, ‘No, it’s the dating site she is on.’”
Through an Arabic-language dating site for devout Muslims, their daughter had been approached by a young man claiming to live in the Syrian city of Raqqa. He was was trying to lure her there.
“He told her about the big house she would have and the servants. Her husband would be a handsome fighter … he even sent her photos of the beautiful jewelry he would buy her for her wedding night,” the intelligence officer said. He said the young woman was stopped before she could reach Syria, but refused to say whether Jordanian police had imprisoned her. “Her case just shows you that even on dating sites ISIS is recruiting.”
Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F
Got a confidential tip? Submit it here.