kentoh - Fotolia
Islamic State supporters shun Tails and Tor encryption for Telegram
Confidential communications show terror group’s supporters are turning to simple mobile phone messaging apps to exchange messages and distribute propaganda
Supporters of the terrorist group Islamic State (Isis) are shunning sophisticated security and encryption software, including the Tails operating system and the Tor network, which could be used to cover their tracks when viewing terrorist propaganda online, communications between jihadi sympathisers have revealed.
The disclosures come as the UK government prepares to introduce new restrictions on encryption following the terrorist attacks that killed more than 20 people, including children, at a concert in Manchester, and killed eight and injured 47 at London Bridge.
Isis has claimed responsibility for the Manchester and London attacks and has also been linked to atrocities in Paris, Germany and Brussels.
Confidential messages show that Isis supporters had little interest in encryption techniques to hide their web browsing activities, or to create a secure version of propaganda websites that would be difficult for law enforcement to censor or take down.
The messages between supporters recovered by police and the FBI investigating an “internet terrorist” reveal that Isis supporters’ preferred method of communication is mobile phone apps Telegram Threema, ChatSecure and Signal, which are designed for people with little or no technical knowledge.
“Internet terrorist” Samata Ullah communicated with Isis supporters on a Telegram discussion group known as the Khayr group. Police also retrieved a guide to ChatSecure, another mobile phone chat app, from Ullah’s computer.
Encryption training videos
Ullah, who was jailed for eight years in May 2017 after posting encryption training videos on an Islamist blogsite, sent messages to an unidentified Isis supporter raising concerns that the terror group’s supporters were not using more secure communications tools.
“I don’t know Akhi [brother],” he wrote. “It seems they have some bad info. They refuse to use Wikr [a mobile phone messaging system] and tails. They say threema is the best, then signal, and in extreme case chat secure [sic].”
Ullah’s Isis contact replied: “And they say telegram with virtual sim or open vpn is enough protection.”
Another message reads: “Dawla [Isis] security groups seem to be very stubborn and not very flexible.”
It was only when one of Ullah’s contacts in Kenya was arrested on 29 April 2016 that attempts were made to persuade fellow Isis supporters to adopt stronger forms of encryption.
The Kenyan said in a letter smuggled out of prison: “Tell all KN [Khalifa News] and CCA [Cyber Caliphate Army] teams to be very careful online. It is very much advisable that phones be avoided & instead use PCs with TOR and TAILS.”
Many Isis supporters, who often refer to themselves as “fanboys”, have little technical knowledge and it is difficult to convince them to use encryption software, one counter-terrorism organisation told Computer Weekly.
“They have experimented a couple of times with ZeroNet and Onion [Tor] sites on occasions, but those sites are usually very short-lived,” a spokesman said, speaking on condition of anonymity. “While there are some tech savvy supporters, the majority of their ‘fan base’ is not very tech savvy and trying to get a newbie to not only understand ZeroNet and Tor but to actually use them consistently is a challenge.”
Isis’s policy is to saturate the internet with ideas and jihadi content, through social media platforms such as Twitter, according to a report by counter-terrorism think-tank Quilliam.
The terror group distributes daily videos and photographs, which are circulated as widely as possible through self-appointed distributors, often with no official connection to the organisation.
“Islamic State has revolutionised jihadist messaging by jettisoning operational security in the pursuit of dynamism,” Quilliam reports in a study, The Virtual ‘Caliphate’: Understanding Islamic State’s Propaganda Strategy.
Ullah proposed using ZeroNet – which uses BitTorrent peer-to-peer networking and integrates with the Tor secure internet network to create a secure version of a pro-Islamic blogsite, Ansar al Khilafah (Supporters of the Caliphate).
The WordPress propaganda blogsite had attracted interest from the UK’s media arm of Isis, according to messages recovered by investigators.
“The head of English Islamic State media wants to have the right to proofread all content before it is published on the wordpress in future,” one Isis supporter told Ullah. “If you would agree to it, they would promote the wordpress.”
Ullah replied: “Sure. that’s good.”
Isis supporters’ secret chat
Isis supporter: “First thing is, the brother almost completely dismissed the idea of zero net.”
Samata Ullah: “Why? I am in the middle of making a site, been delayed due to ramdan.”
Isis supporter: “And so you will either have to give up the idea or try and convince them in two ways, suggesting it to them when they have gained your trust or prepare a full detailed pitch and when you come across some one above them in rank, you pitch it to them.”
Ullah: “I haven’t finished the pitch yet because im waiting to finish the site. I don’t know Akhi. It seems they have some bad info. They refuse to use Wikr and tails. They say threema is the best, then signal, and in extreme case chat seucure.”
Isis supporter: “And they [say] telegram with virtual sim or open vpn is enough protection.”
Ullah: “Well wikr is bad.”
But in a series of exchanges, it becomes clear that Isis had no interest in using ZeroNet to create a version of the blog that would be difficult for law enforcement to censor or take down.
An Isis supporter told Ullah: “First thing is, the brother almost completely dismissed the idea of zero net. So you will either have to give up the idea or try and convince them.”
David Wells, a former GCHQ intelligence officer, told Computer Weekly that mobile phone apps offered a more practical alternative to ZeroNet, Tails and Tor for Isis supporters that may not have technical expertise.
“More secure technologies are rarely easy to use, and pragmatically any terrorist group would rather their networks were using something pretty secure than not communicating [at all] when needed or doing something stupid like [sending an] SMS,” he said.
ZeroNet did not work
A forensic report revealed that Ullah’s ZeroNet version of the Answar al Khilafah blog did not work in practice.
ZeroNet would have been cumbersome to use for Isis supporters who were used to exchanging news on social media. It required each user to download the blog’s contents, including the Isis magazine Dabiq, onto their own computer, putting them at risk of possession of terrorist materials.
Correspondence recovered from Ullah’s computer equipment revealed that he had struggled to find a way to update the ZeroNet version of the site without writing code for each update, and to find ways of displaying videos and other feature-rich content.
Telegram most widely used
Isis favours the mobile app Telegram as a platform for sharing propaganda and for group discussions because it has the ability to create public channels that unlimited numbers of people can view, according to the counter-terrorism specialist.
Isis members begin by creating a private distribution channel on Telegram which is restricted to a few people. These members are responsible for copying messages from the private channels to publicly advertised open channels, where teams of people then share them through “disposable” Twitter and social media accounts.
“The public channels usually have multiple backups to keep the data flowing if one of them gets suspended by Telegram administrators,” said the specialist. “Since the private channels have no links to join, they are considered private by Telegram and therefore won’t be shut down.”
How Isis communicates
Wikr: Messaging tool offering end-to-end encryption for Windows, Mac, Linux computers and Android and Apple mobile phones. A business version offers secure rooms for teams and projects, and secure file transfers. Wikr responded to 33 US law enforcement warrants in the last quarter of 2016, but claims not to be able to retrieve subscriber content and to limit the metadata it retains.
Threema: Paid-for service that offers end-to-end encrypted messaging and group chats on Apple and Android phones, tablets and desktop. It claims to offer users anonymity and to generate as little metadata as technically possible and to store it for a limited amount of time.
ChatSecure: Free open source encrypted messaging service for Apple iOS, based on the off-the-record (OTR) messaging cryptographic protocol.
Signal: Free open source phone and messaging service using end-to-end encryption. The source code is published on the internet. Uses new encryption keys for every message.
Telegram: Free mobile phone-based messaging service that can be used to conduct “secret chats” and to create self-destructing messages. The service claims to block terrorist-related channels (tools for broadcasting public messages to large numbers of people), but will not block anyone peacefully expressing personal opinions. Not trusted by some security experts because of its Russian origins.
Telegram is said to take down an average of 100 to 200 public Isis channels a day, but Isis creates multiple back-ups of each channel to “keep data flowing”.
However, the messaging service does not take down private discussion groups between Isis supporters because they are not publicly accessible, said the counter-terrorism specialist.
“Encrypted communications is pretty much all they [Isis] do. I’d say if they’re not using a walkie-talkie or a cell phone, they’re on one of the encrypted [mobile] apps.”
ZeroNet would attract attention
If Isis had taken up ZeroNet, it may have drawn the intelligence services’ attention to its activities, Wells told Computer Weekly.
“If a terrorist group chooses a bespoke or unusual communications provider or service, then this has huge challenges for the intelligence services – but it also allows them to focus their efforts,” he said.
Experimenting with unproven systems is likely be a low priority for Isis commanders in Syria, who have to deal with the day-to-day realities of civil war with the Assad regime and US drone strikes, said Ross Anderson, professor of computer security at Cambridge University.
“If I was running Daesh’s technology and some foot soldier says why don’t we use ZeroNet, I would say get lost, I have far more interesting and important things to do,” said Anderson. “Why should I spend weeks investigating this stuff and seeing if it works?”
Isis may be avoiding Tor and Tails for similar reasons. The US National Security Agency (NSA) and the UK’s GCHQ could narrow down the search for Isis supporters if the terror group started using specialist applications such as Tails and Tor.
Anderson said: “They could just harvest all the Tails users in the observable universe and de-dupe them against lists of known users, look for all the new ones and go searching for those.”
Isis has used a variety of techniques to avoid detection. During the attack on the Bataclan theatre in Paris in November 2015, terrorist teams used multiple pre-paid “burner phones”, which they instantly discarded.
Investigators found a crate’s worth of disposable phones, an investigation by the New York Times has revealed. “They used only new phones that they would then discard, including several activated minutes before the attacks, or phones seized from their victims,” it said.
Although investigators concluded that the attackers were likely to have used encryption software, no evidence of it was found.