The Snowden leaks shocked the world with the extent to which the NSA was undertaking covert electronic surveillance of American citizens. Setting aside the ethical debate around civil liberties, privacy and the role of the state, it is important to look at the other side of the electronic battlefield and turn the spotlight on how terrorists are communicating and the challenges faced by the world’s security agencies.
The reality is that, using currently available surveillance techniques, technologies and resources, intelligence agencies are only able to intercept and monitor a fairly narrow slice of the broad spectrum of communications taking place. Wiretaps, email intercepts, network analyses and malware are now commonplace and regularly produce useful intelligence for interdicting incipient plots. However, as new technological advances bring more tools into counterterrorist toolboxes, extremists are developing countermeasures to mask their communications in order to keep ahead in the never-ending game of cat and mouse. In this article, we will examine the key groupings of the most common countermeasures.
Low tech methods
Many outdated elements of espionage ‘tradecraft’, put to bed by Cold War spies after the fall of the Berlin Wall, have found a new lease of life in the service of radical jihadists. First and foremost, the use of human couriers is widespread. From the days of the battle of Marathon to Al Qaeda’s vast “runner” network, this tactic has stood the test of time for being inexpensive, discreet, and reliable. There is a particular tradition of couriers serving an important function in the Islamic world which has persisted into modern Islamic extremist circles. The Umayyad and Abbasid Caliphates’ Barid service not only delivered messages, but also served as a crude domestic intelligence service, with some couriers acting as senior advisers and informants to the Caliph.
A simple runner with either a verbal message committed to memory or a written note can succeed where modern technology fails, reaching the remote bastions and the urban hideouts of jihadism. Most famously, the CIA uncovered a system of couriers used to relay messages to and from a mysterious and tall hermit-like man, who lived in a secluded concrete compound in Abbottabad, Pakistan. Monitoring the courier Abu Ahmed al Kuwaiti led U.S. intelligence operators to the front door of Osama Bin Laden, culminating in the deaths of both men in Operation Neptune Spear. However, he was able to operate successfully and undetected for over a decade, including six years in the Abbottabad compound. Islamic State’s (IS) spiritual father, Abu Musab al Zarqawi, was also known for his use of couriers to pass messages around his al Qaeda in Iraq (AQI) apparatus. Whilst largely reliable, the use of couriers is also well understood by Western intelligence agencies, and has two major drawbacks. Firstly, if intercepted, couriers not only give up the message being relayed, but may also give up further information under interrogation. Secondly, couriers who are followed run the risk of leading agents to those they serve. Whilst al Kuwaiti provides perhaps the strongest example of the latter risk, the former threat is best understood in the case of Hassan Ghul. Ghul was a Pakistani who acted as a courier for al Zarqawi until his capture by Kurdish intelligence officers in 2004. Because of the implicit need for a strong bond of trust between a courier and his master, couriers often end up as confidants and advisers to jihadist inner circles. After being subjected to the U.S.’s ‘enhanced interrogation’ techniques, Ghul revealed huge amounts of information about al Qaeda’s operations, including al Kuwaiti’s identity.
Another Cold War-era method is the ‘dead drop’, where agents would leave intelligence documents or microfilm in a hidden location for colleagues to collect without the need to meet face to face and risk exposure. Terrorist groups are well versed in a modern adaptation of this tactic, where messages are left in draft form on an email account to which two or more people have access. If the email is never sent, it is less likely to be intercepted in transit; however, it can be read by anybody with access to the account. This tactic was even used by General David Petraeus to hide his affair with his biographer Paula Broadwell, when the pair exchanged romantic messages using drafts in a shared Gmail account. Terrorists are also known to use the classic ‘dead drop’, passing information on disguised and encrypted USB sticks. One interesting example of this is Samata Ullah, who was arrested in Cardiff with IS attack plans hidden on a USB stick disguised as a cufflink. Security analysts have also been able to recreate a theoretical system of communication involving USB sticks and encryption software, which would allow virtually risk-free and untraceable communications.
Encrypted platforms and high-tech apps
We have now reached the point where theoretically unbreakable encryption is ubiquitous. Many civilian communication applications now encrypt messages in transit and decrypt them only on receipt, making viable interception difficult. Apps such as Blackberry Messenger (BBM) and Telegram have been routinely used by extremists to organise and communicate.
WhatsApp was also considered secure for such use in the past, but having collaborated with authorities during the Bataclan massacre in Paris, it is now seen as undesirable by such groups. An IS guide to operational security (OPSEC) published in September 2015 recommended against using the app due to interception risks. WhatsApp is not the only app to have fallen out of favour with terrorists – YouTube and Skype have also been abandoned following the Snowden leaks, due to fears that they collaborate with authorities.
The IS guide also recommended making use of a number of high-tech apps for masking communications. These include Mappr to hide geo-tagging traces, making it harder to track the physical location from which a message was sent. TrueCrypt and VeraCrypt, both endorsed by Edward Snowden, are recommended for encrypting files to prevent access. FireChat allows users to form their own virtual network, connected by Wi-Fi and/or Bluetooth, although this has seen more use in short-range coordination, such as the Hong Kong Umbrella Movement protests of 2014. Messages can be passed around this network even after authorities switch off mobile phone networks, allowing communication to continue during times of security lockdown.
Security analysis firm Trend Micro carried out a study of thousands of allegedly terrorist accounts to understand how extremists communicate online. Of the accounts investigated, 34% used Gmail, 21% used the encrypted email service Mail2Tor, and 19% used Sigaint or similar secure services. Interestingly, Yahoo Mail accounted for 12% of users.
Perhaps the most popular app for terrorist communication in recent times is Telegram, an encrypted instant messaging service not dissimilar from WhatsApp, but with the helpful feature of ‘channels’, which allow information to be disseminated to a large number of anonymous accounts at once. The Islamic State used Telegram to claim responsibility for the Berlin Christmas market attack, and again to broadcast the attacker’s posthumous video following his death in a shootout with law enforcement in Milan.
When it was launched in August 2013, analysts saw a huge migration of jihadists onto Telegram, and particularly away from Twitter. In 2015 analysts witnessed astronomical growth, with a single Islamic State Telegram channel growing from 5,000 to 10,000 users in the space of a single week. As well as the Islamic State, numerous al Qaeda affiliates and other groups such as Libya’s Ansar al Sharia maintain Telegram channels.
Hiding in plain sight
The internet is a big place, with billions of people sending similar messages, browsing similar material, and interacting on an innumerable number of platforms. Such a huge crowd provides plentiful opportunities for hiding in plain sight, burying messages and interactions in a sea of ordinary traffic across a cornucopia of virtual communities.
Terror groups are quickly becoming masters of steganography: the art of hiding information in plain sight. Whilst encryption is the art of making something obvious but unintelligible using ciphers, steganography is the art of hiding an easy-to-read message in a fashion that makes it difficult to find, with the classic example being the spy’s use of invisible ink on a postcard to hide a secret message amongst a mundane passage. Terrorists have taken this technique online, hiding messages within the code of images, audio files, videos, and webpages. Examples include posting hexadecimal and prime number codes on Reddit, coded messages in items for sale on eBay and even messages embedded in the code of pornographic images. With Reddit forming a labyrinth of millions of pages and sub-pages, eBay having as many as one billion listings live at any one time, and pornography being just about the most abundant product on the internet, each of these provides ample opportunity to hide in plain sight.
In 2015, Belgian Minister of the Interior Jan Jambon expressed concern that terrorists could be communicating over games consoles such as the PlayStation 4, which allow text messages and group voice chats to facilitate online gaming. Jambon was quoted as saying: “It’s very difficult for our services – not only our Belgian service but international services – to decrypt the communications via PlayStation 4.”
Furthermore, intelligence agents are increasingly concerned that terror organisations may be using Massively Multiplayer Online Role Playing Games (MMORPGs) such as World of Warcraft and Second Life in a similar fashion. In 2008 the UK’s GCHQ had ‘a full-fledged network exploitation team’ for Second Life which dismantled an organised crime ring using the game to sell stolen credit card information. Within the files leaked by Snowden there was also an NSA document claiming that the agency had been gathering intelligence on known extremists by monitoring World of Warcraft.
Deepweb and Darkweb
As well as finding unusual places to meet and talk on the conventional internet, there are many places below the surface where extremists can conspire together. The conventional internet is a network of websites mapped by, listed on, and accessed through search engines such as Google, Yahoo, and Bing. There also exists a shadow network of websites that are not listed by these search engines and can only be reached directly through the IP address of the computer hosting the site.
In addition to these unregistered sites, there are also private, closed networks that can only be accessed using specific software or browsers. Most prolific amongst these are Tor and Freenet, which anonymise users’ data on entry, allowing for theoretically untraceable interactions. Terrorists appear to be using the dark web for communicating, propagandising, radicalising, recruiting, fundraising, and for coordinating attacks. Not only does the dark web offer greater secrecy and anonymity for extremists undertaking such actions, it also provides fresh and new opportunities.
Darkweb sites like the Russian Anonymous Marketplace (RAMP) and the now defunct Silk Road allow users to buy and sell illicit commodities such as drugs and weapons. Because of the nature of the darkweb, it is difficult to evidence exactly who is using it and for what purpose, but it is easy to see the utility it offers to terrorist groups. Given that numerous terrorist groups have records of raising funds through drug and arms smuggling, Silk Road et al. offer a lucrative opportunity to fund operations. On the demand side it also allows extremist groups to acquire firearms when planning attacks. In particular it is believed that the weapons used in the massacre in Paris were supplied by a user known as DW Guns on the dark web. Police eventually arrested a 34-year-old man living in the German town of Magstadt, having found that he had sold four assault rifles – two AK-47s and two Zastava M70s – to the Islamic State cell responsible for the attack. It is also well documented that Islamic State is making significant amounts of money from people smuggling, which has been coordinated through social media apps like WhatsApp. It is easy to see how Islamic State and similar groups could tap into the already thriving market in human beings on the darkweb to generate revenue.
The darkweb can provide potent tools for fundraising. Using Bitcoin and other crypto-currencies it is possible for anyone, anywhere, to crowdfund jihad anonymously. One page was unapologetically entitled ‘Fund the Islamic Struggle without Leaving a Trace’. The PDF file ‘Bitcoin and the Charity of Violent Physical Struggle’, uploaded under the username Amreeki witness, comprised a complete guide for using cryptocurrencies on the darkweb to fundraise for jihadist causes.
Terrorist groups have made creative use of communication methods, both at the low-tech and high-tech range of the spectrum, often falling outside of the typical operating range of most intelligence agencies. As evidenced above, security services are making great inroads into understanding and interdicting these new modes of communication, but this field is a never-ending game of cat and mouse. Terrorists will continue to innovate new countermeasures as counterterrorists develop new effective security practices. The residual risk is the ease with which one such group may slip through the net.
Simon Schofield is a Senior Fellow and Acting Director at the Human Security Centre, where he researches a broad range of security issues, from terrorism and weapons of mass destruction to human rights. He has served as a geopolitical consultant for numerous news outlets including the BBC, RTE, and the International Business Times.
Photo credit: RIA Novosti archive, image #341035 / Ivan Rudnev / CC-BY-SA 3.0