Terrorists in cyberspace

Today's international terrorism relies heavily on its presence in cyberspace. So if you want to fight it, you need to understand what tools and techniques it uses. A team from Forward Looking Threat Research has therefore investigated where there are similarities, but also differences, between "ordinary" cybercriminals and online terrorists. One of the most important findings is that the level of professionalism is now the same for both groups and is continuing to rise.

Even though online terrorists, unlike cybercriminals and cyberspies, value the highest possible visibility on the Internet and on social channels, they use encryption as well as anonymization services and tools to avoid being located and caught. These include Tor for anonymous web access, Cloudflare for disguising web addresses, and SIGAINT, Ruggedinbox and Mail2Tor as secure mail services, but also the instant messaging services Wickr, Surespot, Signal, Threema and Telegram. The latter seems to be the absolute favorite among online terrorists, with a 34% usage rate. For secure file exchange, they use top4top.net, Sendspace and SecureDrop, for example. So far, this corresponds to behavior that one would also expect from cybercriminals and spies.

In contrast, however, there are also deviations. These reflect the fact that online terrorists seem to have to hide better on the Internet than they did a few years ago. For this reason, they are increasingly resorting to tools they have developed themselves. Apparently, this development is related to the greater investigative pressure that the authorities are exerting on the cybercriminal scene internationally, and to the success they are having. The arrests and convictions of recent times speak for themselves here.

The most important special tools used by Islamist-motivated terrorists in particular include:

  • Mojahedeen Secrets: This is an encryption application for e-mail communication that is considered "professional" and has been available since 2007, apparently developed as an alternative to PGP 2.
  • Tashfeer al-Jawwal: This application was developed and published by Global Islamic Media Front (GIMF) in 2013. As an encryption app, it is used to secure cell phones, one of the important means of communication for terrorists.
  • Asrar al-Dardashah: This allows "instant messages" to be encrypted at the touch of a button and sent via the IM application Pidgin.
  • Amn al-Mujahed: This software, available since 2013 and still under development, encrypts messages for various platforms, for email, SMS and instant messaging. The author is the Al-Fajr Technical Committee (ATC).
  • Alemarah: This Android app is designed to disseminate news about terrorist attacks. Users receive news feeds, websites, and calendar entries that contain information about ongoing terror operations.
  • Amaq v 1.1: This Android app is also used for propaganda, with the difference that the URL under which the app is hosted can be easily changed in the current version 2.1. Consequently, even if a website is taken offline, communication does not stop completely, but is only temporarily interrupted - a tactic that is also popular among cybercriminals.
  • DDOS Tool: This is apparently the work of a sympathizer of a certain terrorist group. It allows limited denial-of-service attacks via SYN flood technology.

Even if terrorists use self-developed tools, the techniques used, such as encryption or DoS attacks, are the same. The main differences with cybercriminals therefore remain at the level of motives and their relationship with propaganda. Admittedly, this does not make the investigators' work any easier. After all, the more technical advances online gangsters and spies make, the more likely it is that terrorists on the Net will also take advantage of these developments - whether in the form of tools they have developed themselves or not. But knowing what tools and techniques they are using is certainly the first step in the right direction.

For more details on Trend Micro's findings about similarities and differences in the use of techniques and tools between online criminals and terrorists, see here.

Comment by security expert Udo Schneider, press spokesman at the Japanese IT security provider Trend Micro

 
