Chapter 10

Terrorist use of the internet

Bruno Halopeau

Abstract

As a new technology, the Internet has proven very effective and attractive for the economic development of businesses and, to a larger extent, for easing our everyday lives. Likewise, however, criminals saw in the Internet an opportunity to make money on a larger scale and to communicate better with one another. Terrorists, extremists, and activists have also found this tool helpful. Though traditional terrorist groups use the Internet as a means of spreading their ideas, recruiting, and communicating, it should not be underestimated that in the near future the Internet could be used to commit a terrorist attack with a massive impact on society by directly targeting life-threatening or critical infrastructure. This chapter first covers past use and current trends, followed by potential future developments.

Keywords

Ansar al Mujahideen

Jihadi Social Network

Steganography

Asrar al-Mujahedeen

Asrar al-Dardashah

Amn al-Mujahid

CryptoCurrency

Darknet

3D Printing

VPN

Terrorist Use of the Internet

This chapter is not only an attempt to describe how terrorist groups use the Internet but it also provides information on how the internet could be used in the near future taking into account the latest technological developments. Numerous articles have already been written on the subject but they have treated it partially, focusing on the propaganda side or on the hacking and “technical” side. In this chapter, the propaganda and the encryption techniques used by terrorists will be described.

Propaganda—Indoctrination—Recruitment

The use of the Internet by terrorists has been described for many years as a growing trend. In reality, this phenomenon is more limited than it seems to be. In the articles provided by news media and so-called experts, there has been an attempt to estimate the number of terrorist websites (Weimann, 2008). However, these statistics do not mean anything on their own; they have to be compared with the total number of websites available on the web.

Terrorist organizations generally use the Internet for propaganda purposes. The worldwide web and steady developments of web 2.0 have given an opportunity to the public to easily access and publish information. High IT skills are no longer necessary to publish and post information, photos and videos online and it is also a very cost effective method of communication.

Terrorist propaganda on the Internet is disseminated through several types of platforms; video sharing websites such as YouTube; online Social Network services such as Facebook; and through traditional online forums and blogs.

The Role of the Video

Videos play a key role in the propaganda; they show the ability of a terrorist group to carry out successful operations such as suicide attacks. They also act as evidence for funders and sponsors, proving that the money they have donated is well used, for instance for the "Jihadi cause" in the case of Al-Qaeda-type terrorism.

According to law enforcement open source monitoring of Syrian groups, within a year, most of the moderate Syrian fighting groups that aimed at democratic elections after the fall of Bashar al-Assad have now shifted toward the jihadi ideologies which target the establishment of the Sharia law. All these fighting groups have released statements on the Internet to publicize their change of ideology—most probably to get the attention (and funds) of sponsors who are in favor of a Syria ruled by Sharia law.

Online Forums—Blogs

Forums are the most common way of promoting terrorism on the Internet, since they provide a platform where people with the same way of thinking gather; nevertheless, these forums also have some drawbacks that need to be clarified. In the past, each terrorist forum used to be controlled by only one administrator, but the success of several Law Enforcement Authorities in arresting administrators brought down or disrupted the operation of several terrorist forums. Because of those arrests, a new trend has emerged: sharing the administration of a terrorist forum between several administrators. They either all share the same login/password or there are multiple administrators, and they all know how to run the forum. If one of them is arrested, the forum can continue its usual activity. This is exactly what happened when the Spanish authorities arrested an administrator of the terrorist forum “Ansar al Mujahideen” a few years ago.

The main advantage for those terrorist groups of owning their own forum is total control over censorship, namely over the communications between its members: messages and threads can be modified or deleted. They also have total freedom over the choice of the running platform, hosting location, activity logs, and user access control, so members can be banned or promoted based on the way they behave.

Online Social Network Services

Online social network services used by terrorists are the latest growing trend; more and more supporters of terrorism appreciate the freedom to exchange or comment on any terrorist action without restriction from any forum administrator as described above.

The increasing number of terrorist sympathizers using Social Network services has already revealed that the terrorist community is not as united and supportive as it seemed to be. There are several disagreements about claims of attacks, or even the purpose of an attack. One example among many is the dissension between the Islamic Army of Iraq, which claimed that the Syrian Jabhat al-Nusra is one of its affiliated groups, and Jabhat al-Nusra, which rejects this affiliation and claims that the Syrian conflict has nothing to do with Iraq.

The increase in the number of terrorist accounts on Twitter raises the issue of identifying individuals or groups. For instance, several Twitter accounts claimed to be the official media entity of the Somali terrorist organization al-Shabab; however, it is difficult to determine which are genuine and which are impersonators. This poses a serious issue for intelligence services about who to monitor.

In early 2012, several posts on the “Ansar al Mujahideen” forum discussed the possibility of developing a Jihadi Social Network website (Levine, 2012). This “website” would replicate the mainstream services and functionalities offered by Facebook or Google+ in the hope of increasing the number of sympathizers and, as a consequence, encouraging the terrorist community to publish more postings.

The initial idea does not cover the following issues: the amount of work required to develop and maintain such a website; hosting such a service; or the control over users’ identity accessing this platform.

The emergence of an independent trustable Social Network service with no intrusion from Government Agencies or Law Enforcement is in reality unlikely to happen and quite difficult to materialize.

Radicalization Process on the Internet

Internet users or terrorist sympathizers are initially attracted to the terrorist environment through video sharing websites such as YouTube where videos showing terrorist attacks are displayed. The YouTube accounts refer to a URL of a terrorist forum where people can click to access the forum, and they can join the forum by sending an email to its administrators.

When the “junior member” joins the forum, they will be tested on basic tasks. They will then be assessed and, based on good results, granted a higher rank such as “member,” “confirmed member,” “senior member,” etc. At the same time they will also be granted more privileges; for example, they could be given the task of administering newcomers on the forum. After a certain time, one of the top administrators will ask the “senior member” to meet physically in order to further assess and validate that person as a good candidate. Following this crucial meeting, the “new recruit” is introduced to a very small network of highly radicalized individuals via VoIP such as Skype or Paltalk. This is where the candidate is entrusted with sensitive information, including where attacks are planned or targets designated.

Particular Case: Lone Wolf

By definition, Lone Wolves are the most difficult individuals to detect, since they act alone and do not use the Internet to communicate with peers. However, they use the Internet to prepare their attacks and also to advertise their claims, in videos or emails for instance. They also use the Internet to interact with persons or groups that hold similar ideologies, and sometimes express their discontent on Social Networks.

Lone Wolves can be investigated by detecting browsing deviations and also the online purchase of products such as explosives or precursors with a view to building an IED (Improvised Explosive Device) or weapons.

Also, some reported cases show that the “insider” threat should not be neglected. Usually these are highly skilled or knowledgeable people who have access to an environment that deals with dangerous materials, or who are well positioned in an organization, and who are turned into Lone Wolves to perform a one-shot attack using their expert knowledge. The best-known case to date is certainly the Ivins case and the bioterrorism Anthrax attacks in 2001 (named Amerithrax).

Motivation for the lone wolf can be twofold:

 Internal or self-motivation: disgruntlement together with the adoption of an ideology, involving a nervous breakdown or mental health issue.

 External influence: Target of social engineering and then indoctrinated.

Information Sharing

Initially, Al-Qaeda-type groups were reported as using Steganography to hide messages in pictures and/or movies. Though Steganography is an obfuscation method and cannot be considered an encryption technology, it serves the purpose of hiding a message from plain sight, which in turn ensures relative privacy and is one of the aims of encryption. This Modus Operandi was highly probable but has never really been proven to be widely used. The amount of information that can be hidden in a picture is very limited since, for instance, a poor-quality picture consisting of a high number of megabytes would be very suspicious.

After the train bombings in Madrid on March 11th, 2006, the arrested suspects revealed that they were using a trick to avoid email surveillance detection. The concept was to have one single email account (such as Hotmail, Yahoo!) shared among the group members, where they could write emails and then leave them in the Draft folder. In doing so, no traces were left since no emails were sent. Nowadays, this technique is less likely to be used since the trick is now well known, and having one single account accessed from several diverse locations at the same time, or from very distant geographical locations within a small amount of time, will certainly raise alerts to the mail provider that a particular account is shared among several persons.
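The provider-side alert described above can be sketched as an "impossible travel" check over account access logs. This is an added example, not code from the chapter or from any mail provider; the log layout, account names, coordinates, and the thresholds `max_kmh` and `min_km` are assumptions chosen for illustration.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample of webmail access events: (account, UTC time, lat, lon).
SAMPLE_EVENTS = [
    ("shared.box@example.test", "2014-03-01T08:00:00", 40.42, -3.70),  # Madrid
    ("shared.box@example.test", "2014-03-01T08:40:00", 33.57, -7.59),  # Casablanca
    ("shared.box@example.test", "2014-03-01T19:00:00", 40.42, -3.70),  # Madrid
    ("shared.box@example.test", "2014-03-01T19:00:00", 33.57, -7.59),  # same second
    ("alice@example.test", "2014-03-01T09:00:00", 48.86, 2.35),        # Paris
    ("alice@example.test", "2014-03-01T13:30:00", 51.51, -0.13),       # London
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def find_impossible_travel(events, max_kmh=900.0, min_km=50.0):
    """Flag consecutive accesses to one account that imply an implausible speed.

    max_kmh (roughly airliner speed) and min_km (tolerance for coarse
    geolocation) are assumed thresholds, to be tuned per provider.
    """
    by_account = defaultdict(list)
    for account, ts, lat, lon in events:
        by_account[account].append((datetime.fromisoformat(ts), lat, lon))

    alerts = []
    for account, rows in by_account.items():
        rows.sort(key=lambda r: r[0])  # chronological; stable for equal times
        for (t1, la1, lo1), (t2, la2, lo2) in zip(rows, rows[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < min_km:
                continue  # same area: one user moving around, or geo-IP jitter
            hours = (t2 - t1).total_seconds() / 3600.0
            # Simultaneous access from distant places has no finite speed.
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                alerts.append({"account": account, "at": t2.isoformat(),
                               "km": round(km), "kmh": kmh})
    return alerts


def flagged_accounts(events):
    """Accounts with at least one impossible-travel alert."""
    return {a["account"] for a in find_impossible_travel(events)}


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_EVENTS):
        print(alert)
```

VPN exit nodes and mobile carrier gateways also produce such jumps, so an alert of this kind is a lead for review rather than proof that an account is shared.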

In the past, Al-Qaeda-type terror groups have attempted to use some encryption technologies too. However, because of mistrust in ready-to-use tools such as PGP, which was privately developed, or TrueCrypt, which was a community-developed open-source tool, and because of potential backdoors placed by governments, these tools did not give them total assurance of confidentiality. Hence, they decided to develop their own tool, “Mujahideen Secrets” (or “Asrar al-Mujahedeen”), and later on Mujahideen Secrets 2. The first release was made by the Global Islamic Media Front in 2007 and was quickly followed by the second version in 2008.

Of course, having their own tool has some advantages, like better trust in its use, but it certainly brought more disadvantages. A proprietary tool not thoroughly tested by a wider community is more prone to vulnerabilities. Once known, this tool was also the main target for reverse engineering by the different counter-terrorism intelligence and law enforcement departments across the globe. Lastly, the possession of such a tool gives additional indications that a person potentially belongs to a terrorist group or is linked to it in some way.

In February 2013, the Global Islamic Media Front released a new encryption tool “Asrar al-Dardashah” but this time as a plugin to instant messaging client Pidgin that can be used in conjunction with user accounts on popular platforms such as Google Talk, MSN, Yahoo, AOL Instant Messenger, and Jabber/XMPP.

Though it can be seen as a shift in strategy for the use of the Internet by implementing an encryption layer on top of existing services, the main disadvantage is that Public Keys have a very explicit heading, “#—Begin Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit—”, making it more difficult to store keys on a public server or exchange those keys without raising the attention of counter-terrorism units.

The very same group, Global Islamic Media Front, also released an Android application to send/receive encrypted SMS and files. Indeed, this tool cannot be downloaded directly from the official store but is available on their website and a tutorial is available for the would-be users.

Finally, in December 2013, a new tool released by Al-Fajr Media Centre was discovered. This encryption tool is the latest program available to Al-Qaeda-type terrorists and is codenamed “Amn al-Mujahid” (secret of the Mujahid). It is software like PGP, giving users the possibility to choose among a set of well-known encryption algorithms and to generate key pairs.

Future Developments

Cyber Terrorism

We can imagine that in the near future terrorist and/or associated groups will want to scale up their attacks to attain an unprecedented impact of fear and destruction. With this in mind, the Internet can clearly be used as a tool to directly sustain a major attack. The most obvious target will certainly be critical infrastructure systems, where disruption can be life-threatening and/or cause mass disruption whilst generating distrust among the wider population (e.g., a transportation system hack). It is quite difficult to assess whether terrorist groups are close to performing such attacks. However, if traditional terrorist groups are willing to, it means that they will have to either recruit very knowledgeable individuals or ask for external help, such as purchasing particular skills via a platform such as CaaS (Crime as a Service) or from individuals such as Hackers-for-Hire.

However, as previously mentioned, trust is the biggest issue, and the amount of time required to develop this type of attack can be quite significant. Information leakage about an operation cannot be ignored either. The attack would also need to be built (e.g., software development, etc.) and tested. The problem with testing is that it is performed either “off-line”, outside the target system, or on the live system. The “off-line” option requires reconnaissance/intelligence first, but also enormous resources to reproduce the target system, and most of the time this is impossible (e.g., SCADA systems). The problem with testing on the live system is that it leaves noise (e.g., traces/logs) that can attract the attention of the targeted system's monitoring capabilities. This option is too risky and very unlikely to be chosen by terrorist groups.

On the other hand, extremist or activist groups may have a different view of trust issues and may not hesitate to call for external help and purchase in the underground market the missing skills they need to perpetrate a cyber-attack.

Additionally, if we take the particular case of Hacktivism, these groups gather extremely skilled and IT-savvy individuals, which makes them more likely to succeed in a cyber terrorism attack than the other types of groups mentioned so far.

Take the example of a successful event, STUXNET, which occurred in 2010. It was very sophisticated code developed to target a SCADA system in order to damage centrifuge machines and slow down the Iranian uranium enrichment program (see Chapter 3). Reverse engineering of the code showed that the resources and knowledge of the target needed to successfully complete such an operation were massive; they seem not yet within the reach of terrorist, extremist, or activist groups and can only come from state-sponsored or state-run CyberTeams.

Financing

The main requirement for a terrorist group to be able to carry out its attacks is funding from partners, sponsors, or peers. States and Law Enforcement communities have therefore pushed for rules, regulations, and techniques to detect suspicious financial transactions and identify individuals potentially participating in terrorist activities. As an example, the US and Europe signed an agreement, the EU-US TFTP (2010) Terrorist Finance Tracking Programme, in August 2010 in order to deal with that issue. The European Commission is currently studying a European agreement, EU TFTS (Terrorist Finance Tracking System). Though these agreements might be relevant and quite efficient, they do not address emerging technological issues such as the rise of Virtual currencies. Virtual currencies are alternative currencies neither endorsed nor produced by any government. They can be split into two main streams: electronic money from Internet Games like Second Life, and crypto currencies (or open-source digital currency).

Internet Games-based electronic money could be used to transfer large amounts of virtual money between individuals and cash them out into real money. However, especially following Snowden's (2013) revelations, these kinds of games have been infiltrated by the NSA and GCHQ in search of terrorist activity (Leapman, 2007). Also, individuals playing these games are required to become acquainted with the game rules and with how to use the virtual money. For instance, they need to know who is behind the character and where the money is sent to. Another disadvantage is that this type of money is of course tied to the success of the game and its future development.

The second alternative, crypto currency, seems more probable and has developed quickly in the last 3 to 4 years. Among the multiple currencies available today, Bitcoin is leading the way. It consists of a payment system organized as a peer-2-peer network based on public-key cryptography. This tool is increasingly interesting for criminals and also terrorists, since wallets are to some extent anonymous, depending on the currency's privacy provisions, and provide easy ways to cash virtual money in and out as hard money without possible tracking through financial institutions; the watchdogs developed so far are therefore ineffective.

On the other hand, those currencies are still young, and regulation on the legality of their use is uncertain (as is the future of cashing out into real money). Secondly, the concept of peer-2-peer networks renders the anonymity of a wallet's owner fairly limited. In order to make the currency work, and since there is no central point of validation, all transactions are made public so that each node knows the balance of a wallet at any time and which transactions have been performed by the wallet owner.

To receive and/or send virtual money, a user has one or more transaction addresses. So, as soon as the owner of a transaction address has been identified, all transactions made by that person with that transaction address are known by the whole network. Obviously, to remain anonymous, users tend to change transaction address frequently. Digital currencies are also highly volatile, so between the time a person injects money into the system and the time another individual cashes it out, the loss might be quite significant.
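The following added example, which is not part of the chapter, shows what this public visibility means for an investigator: once one address is attributed, its full history can be read from the ledger. It goes one step beyond the text by also applying the common-input-ownership heuristic (addresses spent together in one transaction are assumed to share an owner), which is why frequent address changes offer only limited cover. The ledger is a constructed, simplified model, not real Bitcoin data or its wire format, and all names are hypothetical.

```python
from collections import defaultdict

# Constructed ledger: each transaction debits input addresses and credits
# output addresses. Simplified model, not the real Bitcoin data structure.
LEDGER = [
    {"txid": "t1", "inputs": [("X1", 5.0)], "outputs": [("A1", 5.0)]},
    {"txid": "t2", "inputs": [("X1", 4.0)], "outputs": [("A2", 3.0), ("A3", 1.0)]},
    {"txid": "t3", "inputs": [("A1", 5.0), ("A2", 2.0)], "outputs": [("M1", 7.0)]},
    {"txid": "t4", "inputs": [("A2", 1.0), ("A3", 1.0)], "outputs": [("M2", 2.0)]},
    {"txid": "t5", "inputs": [("B1", 2.0)], "outputs": [("B2", 2.0)]},
]


def address_history(ledger, address):
    """Every transaction touching one address, with the net amount change."""
    history = []
    for tx in ledger:
        credit = sum(amt for a, amt in tx["outputs"] if a == address)
        debit = sum(amt for a, amt in tx["inputs"] if a == address)
        if credit or debit:
            history.append((tx["txid"], credit - debit))
    return history


def cluster_by_common_inputs(ledger):
    """Group addresses with union-find: co-spent inputs share one owner.

    This is a heuristic, not proof; transactions deliberately built by
    several parties together would merge unrelated owners.
    """
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in ledger:
        spenders = [a for a, _ in tx["inputs"]]
        for a, _ in tx["inputs"] + tx["outputs"]:
            find(a)  # register every address, even singletons
        for other in spenders[1:]:
            parent[find(other)] = find(spenders[0])

    clusters = defaultdict(set)
    for a in list(parent):
        clusters[find(a)].add(a)
    return list(clusters.values())


def trace_owner(ledger, known_address):
    """From one attributed address, list linked addresses, their
    transactions, and the outside addresses they paid."""
    cluster = next((c for c in cluster_by_common_inputs(ledger)
                    if known_address in c), {known_address})
    txids, paid_to = [], defaultdict(float)
    for tx in ledger:
        spends = any(a in cluster for a, _ in tx["inputs"])
        receives = any(a in cluster for a, _ in tx["outputs"])
        if spends or receives:
            txids.append(tx["txid"])
        if spends:
            for a, amt in tx["outputs"]:
                if a not in cluster:
                    paid_to[a] += amt
    return {"addresses": sorted(cluster), "txids": txids, "paid_to": dict(paid_to)}


if __name__ == "__main__":
    print(address_history(LEDGER, "A3"))
    print(trace_owner(LEDGER, "A3"))
```

In the constructed data, attributing only `A3` also exposes `A1` and `A2`, because the owner spent them together in `t3` and `t4`.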

However, it seems that criminals find this type of currency extremely practical and attractive and are using it more and more. For instance, the takedown of the underground criminal marketplace SilkRoad led to the seizure of 175.000 Bitcoins (valued at $33 million at the time) by the FBI. In May 2013, after the takedown of Liberty Reserve, the oldest and largest digital currency service, it was proven to have largely benefited criminal activities by providing money laundering to an amount of 4.4 billion € ($6 billion).

Another advantage for terrorists is the possibility of switching between virtual currencies (such as Litecoin, Peercoin or Namecoin to name a few others) in order to better cover their tracks. The task of investigating and tracking transactions is becoming complex since today there are already around 70 crypto currencies (Coinmarketcap.com).

This type of currency is so attractive that criminals have started to develop malware and botnets that scan targets' computers for wallets in order to steal their contents, and that also use their targets' processing power to “mine” (namely generate) digital currency.

Despite those drawbacks, crypto currency will certainly be attractive to terrorist networks for transferring large amounts of money from one party to another whilst keeping a low profile. There are multiple ways of cashing in (from real to virtual), and they can be done anonymously: for instance, by using Western Union or MoneyGram via a platform like CoinMama (coinmarketcap.com), or by directly purchasing virtual money person-to-person in a proximity area, for instance on LocalBitcoins.com.

Similarly, for cashing out, LocalBitcoins.com also sells virtual money to a physical person directly in exchange for real money. It is the easiest way but not very convenient for large amounts. An alternative is to use one-shot mule(s) to cash out money from an official exchange such as VirCurEx. Either way, crypto currencies are opening new ground for criminals and terrorists to cash out legal tender anonymously.

Lastly, after the Edward Snowden revelations (2013) and PRISM, it is very likely that the systems mentioned above will seek to evolve and implement even more privacy, and that in turn will obviously benefit their users, some of whom are criminals and terrorists.

In conclusion, crypto currencies will be very attractive to terrorist organizations when they reach a combination of high anonymity or low traceability (to prevent identification of transaction senders/receivers), currency stability (to minimize the risk of losing money invested in the crypto currency), and flexibility (a variety of options to cash the crypto currency in and out as real money).

Darknet

In the early 2000s, alternate networks emerged running in parallel to the Internet. Their original purpose was to help people living under oppressive regimes and without free speech to communicate, giving them increased anonymity and the ability to bypass their national surveillance.

Such networks provide traffic anonymization between a client and a server, but they also make it possible to develop and host Hidden Services, such as web services, file exchange, blogging, and chatting, hidden from the Internet. Consequently, such an opportunity has attracted not only oppressed people but also criminals and terrorists, who found in those networks a new way of exchanging information, spreading knowledge, etc.

Today there are two main anonymous networks: TOR (The Onion Router), the oldest, and I2P. Unlike social networks and forums/blogs, which terrorist groups use to advertise, claim responsibility for attacks, and recruit on the Internet, the darknet networks are used to provide specific content, such as the videos and training materials that can be found on TOR Hidden Services.

3D Printing

Though not a direct use of the Internet, 3D printing is becoming available to the wider public. This technology has already been proven to produce weapons such as knives and guns. The Internet in these instances is generally used to find virtual objects or 3D blueprints. Singular or multiple objects can be created. Though the weapons created are quite primitive, the advantage is that they are undetectable through current airport security check controls. For instance an Israeli reporter made a test by printing a gun and went successfully through the security of the Knesset and was able to pull it out in front of the prime minister (Egozi, 2013).

In 2013, Police found gun parts while searching houses (DeZeen Magazine, 2013). It can be expected that in the near future there will be a steep progression in the quality and possibilities of 3D printing, as well as a multiplication of available blueprints. Already, some websites are providing search engines and/or torrent search for 3D blueprints. For instance, DEFCAD, a website dedicated to hosting blueprint designs, has clearly decided to restrict designs that can produce harmful products like guns. Though this website has been formally asked by the Department of State Office of Defense Trade Controls to withdraw those blueprints, it is already too late, as the blueprints in question were downloaded thousands of times during the time frame in which they were available. And inevitably, those blueprints can now be found on peer-to-peer networks and on The Pirate Bay.

Full VPN

As communication and exchange between members of a terrorist cell or organization is crucial, some existing devices can be leveraged to better enforce anonymity. For instance, a full VPN service can be set up across the members, with all communications going through this central VPN point.

Nowadays, devices such as NAS (Network Attached Storage) provide, on top of storage, a number of additional services which are easy to install. We can imagine having such a NAS installed in a safe or unsuspected location, or in a nursing place with broadband ADSL access. If a terrorist organization places sufficient trust in the NAS device, it can be configured to enable VPN-only communications and, through this channel, provide additional dedicated VoIP (Voice over IP) telephony, email servers, a web server, a video server, file sharing/storage, and any other kind of application needed by the cell and/or group to function and prepare an attack.

This has the advantage of being accessible not only by laptops and workstations but also by smartphones, which now all support VPN functionality. This allows the cell/group members to use the different services without having to make a real phone call or exchange information outside the VPN, and thus they remain undetectable.

From this perspective, it is quite difficult to identify that a particular VPN connection is used by a terrorist group/cell. In a case where it is identified, it would then be difficult to access the content of the exchange via electronic surveillance because of the encryption. Lastly, if the end-points are used solely for VPN communications, it becomes harder to identify the people who are connecting to the NAS.

Unless one or several of those members make mistakes that allow them to be identified via electronic surveillance, Law Enforcement has to use more traditional investigation methods to identify the terrorist group.

Conclusion

As of today, and as seen in this chapter, terrorist organizations use the Internet mainly for spreading their ideas and communicating. However, as technology develops, the availability of a variety of offerings in the underground market and the decreasing skills required to perform cyber-attacks will certainly attract those groups to turn their traditional attacks into cyber ones.

We have seen that a CyberTerrorist-like attack is already possible but not yet within the reach of terrorist organizations; it remains at the level of state-sponsored teams or capabilities. Though still very expensive and requiring a lot of expertise and resources, this will undoubtedly be within the reach of terrorists in a few years.

As also seen in this chapter, criminals are early adopters of new technologies, not only to exploit those technologies to their advantage but also to keep ahead of law enforcement and regulations. Nevertheless, terrorist groups are more careful and will rather seek proven technologies or mimic existing ones by developing their own.

Lastly, terrorist groups might not be the first to come within reach of a CyberTerrorist-like attack; rather, it may be extremist or activist groups (including Hacktivists), which are more inclined to use readily available resources in the underground market, such as Crime-as-a-Service and Hacker-for-hire, that can be purchased and coordinated to perform such attacks.
