IOCTA 2016

The abuse of technology and legitimate online tools and services is not an exception in the terrorism landscape. Terrorists are becoming increasingly proficient in hiding their traces and activities by using anonymising and encryption tools and services. Furthermore, the anonymity provided by cryptocurrencies, and their preferential use in the trades taking place on darkmarkets, seems to be leading terrorists to invest in this currency. Goods and services offered on Darknets such as Tor are available to different actor groups, including terrorist groups. This ranges from malware, to illegal goods like stolen weapons, to crowdfunding sites claiming to support terrorist groups.

The thriving of the as-a-service industry in the digital underground provides easy access to criminal products and services that can be used by anyone, from technically savvy individuals to non-technically skilled terrorists. This allows cyber attacks to be launched that are of a scale and scope disproportionate to the technical capability of the actors involved.

Nevertheless, currently most internet usage by terrorists, reported by law enforcement, relates to the use of unsophisticated tools and a widespread use of social media for propaganda, communication, recruitment and knowledge dissemination. Europol’s EU Internet Referral Unit (EU IRU) has also reported a limited set of techniques currently used by terrorist groups online, focusing primarily on information disclosure and disruption of service.

Key threat - The use of social media

The most reported activity by law enforcement concerning terrorist activity on the internet is the use of social media. Terrorist groups use social media platforms extensively to engage in recruitment campaigns, propaganda, incitement of terror acts and for claiming responsibility for attacks.

Social media has been key to some terrorist groups’ propaganda; it is used to disseminate their objectives and their achievements and has been shown to be crucial in the process of radicalisation and self-radicalisation. It is a process difficult to control, even when the platforms are fast in removing the content, due to the speed and simplicity of information dissemination online. Some law enforcement agencies note a growing trend in the process of self-radicalisation perhaps facilitated by fast and easy access to online propaganda. This seems to simplify the radicalisation process of “lone actors”, who can be drawn to extremist ideals in front of their computer screens and led to commit attacks in their own countries without having to travel to war theatres in order to fight for the terrorist cause. This trend is enabled by the fact that the target group are usually millennials, with significant online presence for most of their lives. Some incidents suggest that terrorist groups target or appeal to individuals who are emotionally unstable and prone to violence, or have a history of criminal offences. These individuals are not necessarily affiliated with the religious ideology disseminated by some terrorist groups.

Social media is also the favoured method for dissemination of kill-lists (doxing) [160]. This provides lone actors with opportunities to demonstrate their support for and affiliation with terrorist groups without having to leave their home countries [161]. The internet plays a fundamental role in the radicalisation of foreign fighters. Terrorist groups often rely either on platforms that are slow to remove content or instead demonstrate flexibility by changing platforms as required when their content is removed on a regular basis. Their strong strategy has been proved by the swiftness with which their acts are publicised online [162]. Furthermore, messaging applications often offering end-to-end encryption are increasingly being used by terrorist groups, not only to exchange information, but also as an advertising channel in the sex slavery trade [163] and other illegal trades.

Social media has had a great impact in cases of rapid radicalisation which, due to its swiftness, might fall under the radar of law enforcement agencies. Many recent attacks seem to have been an individual response to terrorist propaganda campaigns without direct intervention of terrorist groups’ ‘leadership’ [164], adding challenges to the work of law enforcement agencies.

The role of the internet (and social media) has become one of the major themes in the radicalisation debate. It is worth noting that, thus far, there is no empirical evidence to suggest that the internet is amongst the root causes driving people into extremism. Equally, there are no conclusive findings supporting the view that an individual can become radicalised only from the internet without any offline influence.

Nevertheless, one can say that the internet can fulfil certain functions enabling an individual to become further entrenched into the radicalisation process. Firstly, it makes a large volume of extremist and terrorist material readily available to the user. This can reinforce the user’s ideological predisposition and feed into his arguments.

In addition, the user can selectively choose among the information available online, editing out (disregarding) what is not in line with his thinking and absorbing only what corroborates his pre-existing beliefs - using the internet as an “echo chamber”.

Finally, the user may find it easier to befriend like-minded individuals online rather than offline. If, for instance, he finds it hard to share his radical views with people in his physical milieu, he may be able to find other people eager to communicate with him online.

In general, the internet and social media can be considered a place in which an individual already on his path to radicalisation can validate his views and get recognition and confirmation from others about them. In that case the internet is an enabler for the (self)radicalisation of an individual.

  160. Europol’s ECTC, EU Internet Referral Unit, Affiliation & Capabilities of Cyber-Hacking Collectives with Jihadist Groups, 2016
  161. BBC, French Police Hit by Security Breach as Data Put Online, http://www.bbc.com/news/world-europe-36645519, 2016
  162. Perspective on Terrorism, Volume 9, edition 3, 2015
  163. International Business Times, ISIS Selling Yazidi Sex Slaves on Telegram and WhatsApp, http://www.ibtimes.co.uk/isis-selling-yazidi-sex-slaves-telegram-whatsapp-1569132, 2016
  164. Europol’s ECTC, EU Internet Referral Unit 1st year report, 2016

Key threat - Darknet

Criminal forums and marketplaces usually operated in the open or Deep Web [165]. However, nowadays the Darknet is increasingly becoming host to such sites, commonly known as hidden services. Characterised by anonymity and availability of criminal tools, the Darknet is also a resource increasingly used by terrorists. Even though law enforcement is not reporting a significant trend on this matter, certain investigations in the aftermath of some attacks indicate that terrorists are aware of the potential of this environment, namely to communicate undetected by law enforcement or to purchase illegal materials. There is an increased demand for weapons that is fuelled by online markets where it is not difficult to purchase either gun parts or modified guns, demonstrating once again how online criminality is fuelling serious real world crime, such as terrorist attacks [166].

Even though there is little evidence of sophisticated cyber attacks by terrorists, the cybercrime as-a-service business model which drives criminal forums on the Darknet provides access to tools and services to people with little knowledge of cyber matters, circumventing the need for expert technological skills. Furthermore, the environment also promotes exchange of information as well as “learning kits”.

There appears to be an increasing trend in the number of Darknet forums dedicated to terrorist ideals. This growth has also been reflected in the increase of technically savvy terrorist affiliated individuals who share and disseminate their ideas in these forums. This has resulted in amplified cyber attacks on Western targets even if they have been of little impact. However, this trend is indicative of growing cyber capability amongst these groups as their knowledge expands and they exchange expertise [167].

  165. The term Deep Web refers to the part of the internet that is not accessible via standard search engines (e.g. password-protected sites, dynamically created or encrypted content). It is estimated that the Deep Web is considerably larger than the Surface Web.
  166. Time, How Europe’s Terrorists Get Their Guns, http://time.com/how-europes-terrorists-get-their-guns/, 2015
  167. Flashpoint, Highlights & Trends in the Deep & Dark Web, https://www.flashpoint-intel.com/home/assets/Media/Flashpoint_2015_Highlights_and_Trends.pdf, 2016

Key threat - Encryption

Law enforcement agencies have reported an increasing trend in the use of encryption methods by terrorists including the use of encrypted communication apps. Terrorist groups are resorting to encryption and anonymising tools [168] in order to keep their identities hidden while they communicate, plan attacks, purchase illegal materials and perform financial transactions. There are strong parallels with security measures taken by CSE offenders and cybercriminals. There is also evidence of terrorist groups sharing expertise amongst themselves on how to remain untraceable online in order to better avoid the authorities. A good example of this practice is the OPSEC manual developed by a terrorist group, detailing practices on how to be secure on the web, and sharing best practices. In addition, some terrorist groups have even developed their own customised terrorist tools, such as encryption applications [169]. Without proper training or guidance however, there is no guarantee that these will be used systematically or correctly.

Many legitimate services abused by criminals are also abused by terrorist groups; services such as DDoS mitigation tools are being utilised to hide the real IP address of the websites that host propaganda. Terrorist groups also make use of bullet-proof hosting services located in the Middle East in order to maintain anonymity and avoid surveillance while sharing and hosting information.

The use of multi-layered encryption, VPNs, Tor, and similar services, has been increasing amongst terrorists who are investing more and more in their online security, bringing added challenges to investigations [170].

  168. Flashpoint, Tech for Jihad: Dissecting Jihadists’ Digital Toolbox, https://www.flashpoint-intel.com/home/assets/Media/TechForJihad.pdf, 2016
  169. Wired, Security Manual Reveals the OPSEC Advice ISIS Gives Recruits, https://www.wired.com/2015/11/isis-opsec-encryption-manuals-reveal-terrorist-group-security-protocols/, 2015
  170. Trend Micro, Dark Motives Online: An Analysis of Overlapping Technologies Used by Cybercriminals and Terrorist Organizations, https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/overlapping-technologies-cybercriminals-and-terrorist-organizations, 2016

Key threat - Cyber attacks

Next to the use of social media, defacement of websites by terrorist groups is the most reported cyber activity by law enforcement. By defacing websites, the terrorists aim to spread their ideals, since the content of the website is usually replaced by propaganda. This technique also aims to create the idea amongst the general public that terrorist groups are skilled at hacking. However, defacements usually exploit common vulnerabilities and are relatively easy to perform. The fact that defacement of websites is the most common technique used by terrorists demonstrates that their cyber capabilities are currently low, even though the recent fusion of terrorist affiliated cyber groups might indicate an attempt to build up resources and develop expertise. As some terrorist groups are reaching out to recruit in the western world, they might be capable of reaching out and attracting appropriately skilled people for their hacking groups [171].

  171. International Business Times, ISIS Cyber Army Grows in Strength as Caliphate Hacking Groups Merge on Telegram, http://www.ibtimes.co.uk/isis-cyber-army-grows-strength-caliphate-hacking-groups-merge-telegram-1553326, 2016

Future threats and developments

Cyber-warfare and attacks on critical infrastructure are not usually conducted by a single individual, as they require a high level of cyber capacity. Nevertheless, some industry systems are poorly protected, which could be taken advantage of by these actors. Furthermore, the possibility of a cyber-attack with consequences in the real world should not be ignored. Terrorists have demonstrated willingness to develop their skills and can complement their existing capabilities with ready-made hacking products purchased in underground markets. The possibility of terrorist affiliated cyber groups engaging in cyber-warfare sponsored by nation states - those with the capabilities to engage in this type of attack - should not be discounted. The availability of cybercrime facilitators, including zero-day exploits and data acquisition systems, together with the increasing possibility of locating critical infrastructure systems, which increasingly have internet facing components, might attract different types of actors.

Another potential threat to consider is a coordinated terrorist attack, where a complementary cyber-attack, even if small scale, could further amplify or exacerbate the damage of a real world attack.

Even though there is already evidence of terrorist groups using cryptocurrencies, it is expected that this phenomenon will increase in the near future and that this type of currency might be increasingly used to launder money and fund terrorism. In addition, the current trend of money-making malware such as ransomware currently seen amongst ‘pure’ cybercriminals, together with the easy access to other cybercrime tools, may lead terrorists to start employing this modus operandi to fund real world attacks. Access to tools, expertise and data, together with a growing number of internet facing devices and the constant development of the IoT, 3D printing, drones and smart contracts, seem to converge to an infinite number of possible scenarios to be exploited in the near future by terrorist affiliated cyber groups, even those without a high cyber capability.

Recommendations

  • Member States should consider establishment of proactive referral units following Europol’s EU IRU model, in order to pass on referrals quickly, efficiently and effectively, in close cooperation with industry;
  • The legal framework for the removal of terrorist and extremist online content needs to be improved. The referral of such activity does not currently constitute an enforceable act, and the decision and removal of referred/identified terrorist and extremist online content is presently taken by the concerned service provider;
  • Member States’ competent authorities should increase their OSINT capacity in order to monitor the development of new technologies that have potential for abuse by terrorists and which have already been adopted, and to proactively monitor social media to detect early patterns of radicalisation;
  • Enhanced cooperation is needed with national security services inside the EU frameworks in order to exchange timely and effective intelligence. The swiftness of terrorist groups’ communication online and the fast patterns of radicalisation should be countered by an efficient fusion of intelligence at EU level. The EU constitutes an area where threats are shared, and where security must be provided collectively.