How ISIS Uses The Internet
They talk on Telegram and send viruses to their enemies. BuzzFeed looks at how ISIS members and sympathizers around the world use the internet to grow their global network.
Abu Majad figured that when ISIS came for him, it would be with a knife on a dark street, or a bomb planted on his car. The 34-year-old had been living in southern Turkey since fleeing Syria nearly three years ago and knew that his outspoken stance against ISIS, online and in his hometown in northern Syria, had put him in the terrorist group’s crosshairs.
What he wasn’t expecting was to wake up on the morning of March 29 to a virus planted by ISIS within a seemingly innocuous email attachment.
“Everything about this looked like a real email, sent from the admin of my own website. It looked safe, but it was not. They were trying to get my login information, my passwords. They were trying to get things that could have put real lives in danger,” said Abu Majad, who asked that his nickname be used instead of his real name to protect himself and his remaining family in Syria from reprisal attacks by ISIS. “It was very clever. When I saw it I thought to myself, Shit, now they are professional hackers?”
Cybersecurity experts and intelligence agencies who monitor ISIS say the malware is just one more sign that ISIS is growing more sophisticated in its use of the internet. “When I saw it I thought to myself, Shit, now they are professional hackers?”
“I don’t think it is far-fetched to say that the Internet is a major reason why ISIS is so successful, and so worrying, as far as global terror movements go,” said one US intelligence officer, who spoke to BuzzFeed News in Washington, DC, and asked not to be named as he wasn’t authorized to speak to the press. “They have always been ‘good’ at the internet, at the strategy of how they use it. Now they are smarter at the Internet too.”
Many of the world’s major intelligence agencies are trying to figure out just how ISIS uses the internet. As the jihadi group continues to attract supporters around the globe, the need for them to safely communicate online has grown. While the vast majority of the group’s fighters in Iraq and Syria are probably not using the internet for much more than sending photos to their family WhatsApp groups, US intelligence believe a small unit within ISIS is leading the group’s cyber ambitions, which range from working with hackers to launch cyberattacks against their enemies, to publishing manuals that help their supporters mask their online communications and defend themselves from those hunting them.
What Abu Majad found that March morning was an email that looked like it came from his own website, asking him to log in and verify his details. Within the email was something known as a “dropper”, malware that is used to plant other software onto a computer without the user’s knowledge.
“They would have had access to everything if I had opened that link,” said Abu Majad, who has sensitive information on his computer about other activists who, like him, try to oppose ISIS rule in Syria by smuggling out photos and videos that document the difficulty of civilian life under ISIS rule. Abu Majad insists he did not click the link, but he also declined to explain how he knew it was malware. “I was used to seeing ISIS fighters in cafes who barely know how to sign on and check their email. I was not expecting them to be this sophisticated.”
Dlshad Othman is a cybersecurity engineer with the ISC Project, which provides information security assistance to civil liberties groups, and also studies ISIS. He said he had recently seen malware used in attacks on Syrian and Kurdish journalists and sites that try to fight against ISIS propaganda online.
“ISIS has been targeting sites that are outspoken against ISIS,” Othman said, giving as an example the group Raqqa Is Being Slaughtered Silently, an activist group that tries to disseminate real information from within Raqqa, capital of ISIS’s self-declared caliphate. “They targeted people who are trying to reveal what ISIS is really doing in Syria, which they see as a threat to their recruitment and propaganda.”
He showed BuzzFeed one of the emails he was analyzing, which also contained malware. Othman traced the email back to IP addresses in Turkey and Qatar, another indication, he said, that ISIS was getting help from its network outside of Iraq and Syria to carry out cyber-attacks.
“Malware, phishing campaigns, DDoS attacks are all things I have seen,” he said. “Now, these dropper attacks are new and are more sophisticated. What we see is the group growing and evolving their capabilities. What we are seeing is worrying.”