As attacks sponsored by the Islamic State group spread beyond its ill-defined borders, its members continue to communicate using the same types of messaging applications, forums and social media sites familiar to tech users worldwide.
And when it comes to the group’s limited cyber-attack capabilities, experts say it’s more of the same: low-tech hacks rather than elaborate network take-downs, phishing attempts instead of complex computer viruses, and offering far-flung members basic operational security advice and tech support, not code words or counterintelligence tactics.
The Islamic State group has a well-established global network in place it uses for "general organization, question-and-answer, propaganda [and] promoting certain software for on-the-ground operational planning like mapping programs," said Aaron Brantly, an assistant professor at the U.S. Military Academy who co-authored a piece for West Point's Combating Terrorism Center in May on the online communication methods employed by extremist groups. "We actually have a list of 120 different programs and their evaluation by the various members within the community."
A small group of experts helps guide other members through the do's and don'ts of clandestine communication, Brantly said. One example from his report: an aspiring jihadist being told by a more experienced forum member that "Skype is insecure, and Americans are recording every single call since 2008."
Another more recent example has been the group's shift to the Telegram app as its primary mode of communication, Brantly said. The free-to-use software offers many benefits to a group attempting to keep its messages private. Recent announcements by the group claiming responsibility for taking down a Russian passenger jet and for the Friday attacks in Paris were sent out using the 2-year-old app, according to a New York Times report.
"It's incredibly easy to use," Brantly said. "It caters to an anonymous audience. It functions both in group and person-to-person communications. It has timer settings so you can remove communications, based on time."
It also requires a cellphone number or an email address to use, but Brantly said Islamic State members have become adept at "spoofing" the system with fake accounts.
Terrorist tech support?
Brantly's CTC piece, co-authored with Muhammad al-'Ubaydi, described the "Jihadi Help Desk" — a core group of forum participants who offered advice to less-experienced members. Their actions go beyond simple software reviews: Training manuals are available, Brantly said, with "very descriptive explanations for why you should use certain platforms and why you shouldn't use other platforms."
More information becomes available as prospective members move down what Brantly called "the rabbit hole" — starting with exchanges over traditional communications channels before ending up in less-public forums. And unlike other social-media applications, this one doesn't encourage meetups.
"If somebody says, 'Let's meet for coffee,' that person is probably not an ISIS member or a jihadist member," Brantly said, using an alternative acronym for the Islamic State group. "They're probably a law enforcement member."
While a portion of these forums involves cyber-operations planning, Brantly said, most of them offer support for more traditional ops. While the group has attempted to develop its cyber skills, about 90 percent of its efforts in that field are at "a very low level," he said.
Photo caption: The cyber activities of the Islamic State group are closely watched in an effort to defend against attacks by the group. A 24-hour operations room is shown in Cheltenham, England. (Photo credit: WPA)
That may sound comforting, but such low-level attacks remain the key concerns for public-, private- and military-sector security personnel, said Robert Graham, CEO of Errata Security, a cybersecurity consulting company. A phishing attack designed to trick users into parting with their personal data does not require high-level computer training, Graham said, nor does overpowering the limited security measures offered by some small websites that require a password — hacks that can open doors in other locations.
"A lot of websites aren't terribly secure," Graham said, "and a lot of people reuse their passwords. There'll be a hack, and [a hacker] will see a dot-mil address, and they're using the same password on their military sites."
Stopping the spread
Extremists are most vulnerable online, Brantly said, in the gray area between open communication over traditional social media channels and the more secure extremist forums.
"The FBI, to their credit, has been very good at this," Brantly said. "We look at some of the FBI cases, and they really do a fantastic job of catching people before they fall too far down the rabbit hole. This is where you catch a large portion of people who are between tech-ignorant and tech-savvy. You kind of catch them early."
Some law enforcement agencies have suggested requiring software makers to provide governments with access to their encryption systems — a so-called back door that Graham said would find limited success.
"If you require Apple to [grant access], people will use Telegram," Graham said. "If you require Telegram to do it, people will use something else. Even if you require everybody to do it, someone will develop new software."
Extremist members who've been able to avoid detection have done so less through advanced tech and more through something familiar to all service members, Graham said.
"It's OPSEC, operational security," he said. "Our military does it. It's all about avoiding eavesdropping, rather than encryption."