Skip links

Analysis of Cyber Trends 2016


The potential of cyberspace, including the Internet, was first recognized by terrorist organizations over a decade ago but in recent years there has been a significant increase in the scope of Internet use and in the level of sophistication with which it is used. At first, terrorist organizations operated using Internet sites only and later combined these sites with basic interactive elements. Today, through the use of social networks and various applications, these organizations operate on the Internet with full interactive features. The Islamic State is considered a pioneer in this arena and a leading player among terrorist organizations regarding innovation in the cyber world. 

The traditional hierarchical structure that characterizes terrorist organizations has undergone dynamic changes in recent years, including changes in the operation of command and control systems. As a result, in addition to the hierarchical organizational system in geographic areas controlled by the organization, a network system has also taken shape outside of this territory. The network system is made possible in light of increasing Internet use and access from anywhere to anywhere.

Terrorist activity in the cyber world is carried out in three main arenas:

The operational arena serves as the main layer used by terrorist organizations in almost every respect, including communication, propaganda, psychological warfare, recruitment and manpower training, intelligence gathering, information sharing and financing. One prominent trend in this context is the use of a wide range of platforms (social networks, applications, forums etc.) coupled with the sensible utilization of the relative advantage inherent in any platform and appeal to specific target audiences. In this context, use of off-the-shelf software is increasing as independent application development is declining. In addition, there has been a significant improvement in the quality of various products used by terrorist organizations, both visually speaking and in terms of adapting their content and visibility to various target audiences.

The offensive arena is designed to serve the operational arena, such as propaganda and psychological warfare (Web site defacement, hacking, the publication of killing lists, etc.) Terrorist players do not yet have advanced independent offensive capabilities but these can be purchased on the Internet and may be accepted by state sponsors of terrorism (like in the case of Iran and Hezbollah). In addition, there has been an increase in activities by terror-supporting external hackers as well as the recruitment of hackers to the ranks of terrorist organizations.

The defensive arena is designed to protect the anonymity of users and information security. Terrorist organizations publish guidebooks on safe and anonymous Internet use and on information security, as well as instructions on how to copy activity to the “darknet”. In addition, use of encrypted applications such as Telegram is also on the rise.

Trends in the Operational Arena


Recognition of the Internet’s potential as a tool for spreading messages, coupled with proficiency in advanced technology, software, Web sites and social networks, improve the effectiveness of terrorist organizations’ propaganda in general, and Islamic State propaganda in particular. The propaganda strategy of terrorist organizations has undergone significant changes in the past decade stemming from two main processes. First, technological advancement caused the development of new platforms in cyberspace and a shift from the traditional use of Internet sites and forums to social networks. Second, the emergence of new players, specifically the Islamic State, increased the scope of the use of cyberspace.

The Islamic State demonstrates impressive capabilities in the use of various Internet platforms and in running advanced and innovative propaganda campaigns on social networks. In the first year of its existence, the organization focused its messages on calls for “hijra” and jihad in Syria and Iraq. However, in early 2015, as the need to cope with coalition attacks grew, the propaganda discourse began to focus on the “far enemy” and on encouragement for “lone wolf” attacks and cyber-attacks against the West.

In contrast, Al-Qaeda continues to operate in Web forums and Internet sites but is not completely absent from social networks. The organization’s messages of propaganda focus on the “far enemy” and the “near enemy”, maintaining a connection between various arenas of jihad and “Al-Qaeda Central”, the need for unity among the mujahideen, and growing criticism against the declaration of the Islamic Caliphate.

The competition between the Islamic State and Al-Qaeda is also manifested in a propaganda battle that includes, among other things, “hashtag wars” and publications on ideological matters. Al-Qaeda supporters accuse the Islamic State of establishing an Islamic Caliphate in sin, killing innocent Muslims, conduct contrary to shari’a, and deviation from the principles of Islam. On the other hand, Islamic State supporters accuse Al-Qaeda of deviating from the path of Osama bin Laden and describe it as an organization that has run its course and is occupied with survival and the narrow interests of its leaders.

During 2015-2016, global jihadist organizations – especially the Islamic State – invested special organizational efforts in leading and supporting terrorist attacks in the West, both during and after the attacks. For instance, the Paris attacks in January 2015 (against the Charlie Hebdo magazine, the kosher supermarket and the shooting of a French police officer) garnered widespread media coverage and provoked panic in French public opinion. Al-Qaeda and Islamic State operatives waged psychological warfare using social networks, mainly Twitter, in order to affix the attacks in the western public’s consciousness (especially in France), and in order to plant a sense of insecurity and fear of more terrorist attacks in France. This activity included the posting of videos and articles, and the creation of various hashtags, such as “A Message to France” (el-resala el-parnaso), threatening to continue to wave of attacks in France and calling for them to be duplicated in other western countries. The publication and updates of terrorist attacks live on social networks as they unfolded, including the use of Facebook’s live streaming platform and Twitter updates, increased the public’s anxiety and spread the effects of the attacks far beyond the scene where they physically took place.

The trends that were identified in recent years in the field of operational propaganda indicate a leveraging of the power of “live streaming” the results of terrorist attacks as they are being carried out or immediately afterwards. This leveraging, which is carried out on a wide variety of platforms while the messages are adapted to various target audiences, serves as a significant “force multiplier” for terrorist organizations. Focused propaganda messages greatly improve the ability of terrorist organizations to produce additional attacks using “lone wolves” who are already located among the target population.

Recruitment and Training

Unlike in the past when the processes of mobilization, manpower recruitment and training mainly took place in the physical realm, today the Internet has become a central and anonymous arena in which these activities take place.[1] In effect, the technological focus gave terrorist organizations a free hand to recruit using an anonymous connection between the recruit and the terrorist organization through the Internet, irrespective of their physical location or standing.[2] The investment in Internet-based manpower recruitment increased in light of, among other things, the need to “import” foreign fighters to the arenas of jihad in Syria, Iraq and other places. This was accomplished through the dissemination of messages on various Internet platforms, directly and/or via secondary agents (the organization’s operatives and supporters) in order to maximize the recruitment potential (many-to-many). In addition, terrorist organizations have recently been investing efforts in adjusting the recruitment content for a specific target audience (narrow casting), such as speakers of various languages or certain professionals.[3] For example, a campaign for the recruitment of children that includes computer games, and comics[4] campaigns for the recruitment of hackers, Web designers and developers for this specific population.[5]

The Islamic State has leveraged existing technological platforms more than any other terrorist organization, with one of its prominent “flagships” reflected in a venture named “Nasher” (publisher), which is responsible for translating the organization’s official materials into various languages and distributing them on Telegram channels. Adapting the message to the target audience is not only part of recruitment, but is also part of the format in creating specialized target audiences for lone wolves on social networks, such as Facebook and Telegram.[6]

This technological development caused an increase in the use of advanced communications applications (mostly encrypted) by jihadist organizations in the advanced stages of the recruitment process, such as Telegram, Skype, WhatsApp and Kik.

The trends discovered in recent years in the field of recruitment were influenced, to a great extent, by technological developments and their adoption by terrorist organizations. These developments indicates a level of professionalization and an improved ability to find needed professionals, assess the quality of manpower and the scope of recruitment in general, especially among potential candidates in western countries. Online recruitment reduced the risk of exposing both the recruiters and the recruits.

Intelligence Gathering and Information Sharing

Intelligence gathering using the Internet is not unique to terrorist organizations but in the absence of state intelligence gathering capabilities, this field becomes all the more significant. One of the tools developed recently in the field of intelligence gathering is data mining. Terrorist organizations are investing efforts to impart knowledge in this field, and provide access to tools for intelligence gathering purposes to the widest possible circle of operatives.

Terrorist organizations are managing the accumulated information in various arenas, learning lessons from previous actions, and sharing their findings with organizational platforms and social networks. This information helps the planners of other attacks, whether they are lone wolves or operating under a command and control system. During 2015-2016, there was an increase in the sharing of the technological know-how needed for a variety of operational, offensive and defensive uses on the Internet.

Another developing trend is the publication of guidebooks on the topic of modus operandi. The most prominent guidebooks include instructions on how to perform “hijra” to battle arenas, how to prepare explosives and various weapons, and specific modus operandi with emphasis on lone wolves, such as “how to carry out an assassination”. 

These trends significantly improve the operational capabilities of terrorist organizations in the physical world, especially in areas where the planners of attacks are not physically present, and simultaneously reduce the potential for exposure during information-gathering field excursions.

Terrorism Financing

The field of terrorism financing has undergone a significant change in parallel with technological development, both in terms of fundraising and the transfer of funds. The trends presented above were also evident, and perhaps even more so, in the world of terrorism financing.

The Internet has enabled the practice of fundraising and the transfer of funds from any location to any location in the world. In this way, it has expanded the circle of fundraisers and the ability to raise capital through them and/or directly from the potential target. The network organizational structure has also enabled the independent mobilization of funds by terror cells and foreign fighters on their way to battle arenas, eliminating the need to find ways to transfer money from country to country.

The Internet also serves as a preferred arena for fundraising due to the sense of security that it gives the donor who tends to believe that his identity remains anonymous, even if this is not always the reality. This sense of anonymity is reinforced when potential donors are directed from social platforms to encrypted applications.

One method of financing that exists today, which is liable to affect the increased willingness of donors to transfer money to terrorist organizations, is the world of digital currency and pre-paid cards that serve as a kind of “secure space” that provides anonymity for both the donor and the recipient. Today there is not enough information to confirm or refute the visibility and anonymity of this method of financing.

The network structure of the Internet significantly contributes to the scope of fundraising potential, as a sense of anonymity is one of Internet’s features. Encrypted applications, which are used during later stages of fundraising, create anonymity in practice and hamper the intelligence capabilities of those who seek to track sources and methods of financing. These technological changes have reduced the need to physically transfer money through classic, supervised channels and, in its place, new methods have arisen such as digital currencies and pre-paid cards, transfers on encrypted platforms, etc.

Use of Off-The-Shelf Software

The last two years have seen an increase in the use of “off-the-shelf” software[7] in addition to continued efforts to self-develop software by and for the use of the terrorist organizations and their supporters.

In addition, there has been growing use of cloud services as an off-the-shelf product for content storage needs. Off-the-shelf software are mostly considered quality products due to the many resources invested in their development by commercial companies, which is not necessarily the case with terrorist organizations.

It seems that the decision as to which off-the-shelf software to use is based on, among other things, an analysis of the advantages of each platform or application, the level of security (including anonymity of the user and encryption), and convenience and efficiency. For instance, one of the notable trends identified during the past year was the move from the widespread use of social networks such as Facebook and Twitter to encrypted applications (especially Telegram[8]), which enables increased safeguarding of privacy and anonymity.

It should be noted that attempts were made in the past to use custom-made, independent encryption software, which required the user to keep track of encryption keys. Terrorist organizations even tried to implement independently-managed platforms that included communications applications and social networks (albeit without significant success). The Islamic State, for example, independently developed applications and software for distribution among operatives, including an application named AMAQ for Android devices, which gathered news about Islamic State activities.

Terrorist organizations, by virtue of the fact that they are constantly learning and innovating, and as a result of their failed self-production of software and applications, learned to realize the benefit of using off-the-shelf software and services. This improves the management of terrorist organizations in general, and the preservation of user anonymity and information security in particular.

Trends in the Defensive Arena

Guides to Information Security and Anonymity

Over the last two years, public and political pressure have increased on leading Internet players (Internet giants such as Facebook, Google and Microsoft) to increase their monitoring of the content distributed through their platforms. At the same time, there was an increase in independent activity, such as that of “Anonymous”, to shut down Web sites, forums and accounts identified with terrorist organizations. In light of this activity, terrorist organizations are investing even greater efforts to increase the anonymity and security of the accounts and Web sites identified with them. One of the actions taken in this context is the systematic distribution of manuals and basic rules of protection for maintaining user anonymity and information security while using applications and software on the Internet, and in the context of the information stored in equipment (servers, computers, cellular devices, etc.). In this field, extensive emphasis is placed on the use of applications and software on the “darknet”.

Activity on the “Darknet”

Recent years have seen a constant increase in the use of the “darknet” by terrorist organizations as part of the trend to increase the level of information security and anonymity. For example, in 2015 several Twitter accounts were discovered that were attributed to Cyber Khilafah, which disseminated a link to a Web site operating on the “darknet” using TOR’s hidden service protocol, which enables anonymity to the Web site owner and the user visiting the site. In addition, there has been an increase in attempts to operate Internet sites and mirror sites (sites that are similar in their content) on the “darknet”, with the intent to increase the security of the sites that are hacked and removed from the network by ‘Anonymous’ operatives and other activists.

A screenshot from Cyber Kahilafah’s Twitter account providing the address of a site on the darknet using TOR 

A screenshot from Cyber Kahilafah’s Twitter account providing the address of a site on the darknet using TOR 

Increased information security and user anonymity, coupled with an only partial response from leading Internet players to cooperate with the monitoring and removal of terrorism-related content, leaves the stage open for the widespread activity of terrorist organizations and causes problems for security agencies.

Trends in the Offensive Arena

Cooperation between Crime and Terrorism

The connection between the virtual criminal world and global jihadist organizations has remained unchanged over the past two years. Nevertheless, the existence of such a connection in the physical world, coupled with the availability of tools and offensive cyber capabilities at a relatively high level and at a reasonable price for criminal organizations, may provide terrorist organizations with much greater offensive capabilities beyond their current independent abilities. Recently (2016), IS fighters were found to have been involved in a terrorist attack on European soil in which they purchased a weapon via a site on the “darknet”.

It can be assumed that terrorist organizations are tracking cyber-attacks carried out by criminal organizations, acquiring knowledge and learning lessons. These organizations are liable to adopt a similar attack pattern in the future, or interface with criminal organizations through joint operations or by hiring them as “subcontractors”.

One indication of the increased activity in this arena is the growing number of hackers who support terrorist organizations and are joining the offensive effort in cyberspace, which is also expressed in the increasing number of attacks. Some prominent hackers who operated in the past under various names joined the Islamic State and began to operate under the name of the organization and for the sake of promoting its ideas. Despite the increase in the number of attacks, their quality is not yet high enough to significantly damage critical infrastructure. Nevertheless, there is cooperation between Islamic State operatives and known hackers, as well as attempts by the former to hire mercenaries for pay.

In April 2016, four IS-supporting hacker groups (Ghost Caliphate Section, Sons Caliphate Army, Caliphate Cyber Army, and Kalachnikv E-Security Team) merged and began to operate together under one ordered structure called United Cyber Caliphate. Despite the difficulty in estimating the number of hackers included in this organization, it is reasonable to assume that the potential damage of a united group is higher than that of the individual groups that compose it.[9] The Islamic State is also active in the arena of “spam wars”, in the framework of which it launched offensive campaigns on Twitter in which its operatives reported opponents as “hostile” users distributing spam messages and thus caused the removal of their accounts from Twitter.

The interface between terrorist organizations and the criminal world is liable to advance their offensive capabilities in the immediate term. It is reasonable to assume that by joining forces, IS-supporting hackers have improved the organization’s capabilities although it is difficult to determine to what extent and whether the level of danger posed by the united group is significantly higher than other cyber groups belonging to global jihadist organizations.

Damage to Critical Infrastructure

Terrorist organizations have a special interest in attacking the critical infrastructure of countries, including those that use SCADA systems. This is not a new phenomenon. Information about SCADA systems, especially those that operate dams, was found on computers used by Al-Qaeda members in Afghanistan, seemingly as part a planned mega-attack on the Hoover Dam in an attempt to flood the area and impair the ability to produce electricity in the hydroelectric power plant located at the bottom of the dam. In light of this, it should be taken into account that Islamic State operatives who are exposed firsthand to systems related to the operation of oil producing infrastructure in Iraq will use the knowledge that they have to try and attack similar infrastructure.

Breaches of Web Sites and Accounts

The offensive operations of terrorist organizations in cyberspace include the hacking of Web sites that they deem “quality targets”, such as those of government agencies, security and army agencies, news channels and businesses, as well as “trivial” sites such as small businesses. These breaches are carried out against servers, personal computers, social network accounts, cellular devices, etc. In the majority of cases, the breach was designed to serve a larger purpose. For instance, a breach may include the planting of a Trojan horse in order to steal information from social network accounts, databases on servers, or to gather intelligence in preparation for a cyberattack or an attack in the physical world (pre-operation intelligence and counter-terrorism intelligence such as a killing list). Hezbollah and Hamas gather information by spreading malware such as a Trojan horse or advanced data mining techniques.

There are cases in which a breach is likely to serve propaganda needs, whether by defacing Web sites or publishing propaganda materials on user accounts on the social networks that were hacked. These messages include, among other things, emphasis on the cyber-attack capabilities of the attacking organization, threats of future attacks (cyber or physical), or information leaks.

 A screenshot of the Facebook page of the Korean airline, Air Koryo, which was hacked by CyberCaliphate

A screenshot of the Facebook page of the Korean airline, Air Koryo, which was hacked by CyberCaliphate


 A screenshot of Newsweek’s Twitter account after it was hacked, containing a threat against the First Lady of the United States

A screenshot of Newsweek’s Twitter account after it was hacked, containing a threat against the First Lady of the United States 


Beginning in 2015, there was a marked increase in the number of Web site defacement attacks. This increase was discovered mainly among Islamic State operatives and supporters but considerable signs were also first noted among Al-Qaeda operatives and supporters. It should be noted that the technological level needed to carry out such an attack is not especially high and the damage caused is mainly promotional.

An analysis of the characteristics of these attacks indicate that in most cases the attacks were carried out against Web sites that were built using “open code” platforms, such as Word Press, exploiting  known vulnerability that has not yet been addressed. According to data from the site, Zone-h, which documents Web site defacements, over 7,500 sites reported having been breached by the Islamic State, and it is reasonable to assume that there are more sites whose attacks were not reported and that were tagged under the same nickname.

 A screenshot from a cyber-attack on an American government Web site[10]

A screenshot from a cyber-attack on an American government Web site[10] 

Web site defacement is considered part of the propaganda and psychological warfare by terrorist organizations against the West. This activity is an integral part of the efforts being devoted by terrorist organizations in general, and by the Islamic State in particular, to physically attack targets in those countries.

Distributed Denial of Service (DDoS) Attacks

The use of tools and methods to carry out DDos attacks continues as before without significant change. Nevertheless, there seems to be an increase in the scope of these attacks, including multiplayer coordination, as in the framework of the DDoS attacks that were carried out in OpIsrael, which targeted government and public servers in Israel. It should be noted that there is no clear indication that global jihad organizations are involved in these attacks.

Killing Lists

During 2015, Islamic State operatives began to publish “killing lists” of individuals, including calls on “lone wolves” to attack the people who appear on the lists. At first, they published lists containing tens or hundreds of names of army and security forces. Recently, larger lists containing up to thousands of names, including civilians, are being disseminated. It should be noted that some of the lists were attained through breaches of databases (independently or through purchase/receipt from a third party), while the rest of them were attained through the work of informatics, including the pointed collection of personal details from social networks or by locating existing databases on the Internet.

At first, the killing lists were published in order to achieve cyber-attack capabilities and to position the Islamic State as a leading player in the cyber arena (even though a large portion of the leaked lists were not attained through a breach but rather through informatics work). Lately, these lists have served also the purpose of motivating lone individuals to take initiative and attack people who appear on the lists. At this stage, it seems that the “killing list” phenomenon has not succeeded in creating panic among the public and does not constitute a real threat to human life. Nevertheless, it is likely that the phenomenon does have some effect, at least on those people whose names appear on the lists themselves.[11]

Killing lists serve as another level to the psychological warfare being waged by the Islamic State against the West. Recently, efforts have been made to encourage “lone wolves” to carry out real attacks against the people who appear on these lists in the physical world.

Financing Terrorism through Cyber-Attacks

During 2015-2016, the use of ransomware spread. These malware, which attacked hundreds of thousands of users around the world, operate by preventing access to services or to computers, or by encrypting information and demanding a ransom payment in order to re-open the files. The success of this type of attack encouraged the development of ransomware for a wide range of computers, cellular devices and operating systems, including: Windows, Linux, OsX (darknet), and the Android operating system that is used to operate cellular devices.

At this stage, there is no indication that terrorist organizations are using ransomware to attain financing for terrorist activity. Nevertheless, it is possible that the wide use of these malware and their media exposure is likely to encourage terrorist organizations to adopt these tools.

Trends in Countering Cyber-Terrorism

In recent years, many countries have begun to understand that there is a real need for the establishment of specialized units for dealing with cyber threats, including those related to terrorism.  In addition, it is becoming understood that the cyber world does not leave much room for independent counter-terrorism activity by security forces due to the absence of geographical borders in this world, its high traffic load and the rate of technological development. For instance, the recent wave of terrorist attacks in Europe emphasized to Europeans the growing need to tackle the issue of cyberspace. The issue was discussed in the European Union, in the framework of which it examined increased counter-terrorism cooperation between EU countries, including the overseeing of terrorism financing using anonymous electronic means such as bitcoin, as well as the monitoring of other illegal activities on the Internet.[12]

The need for cooperation is not limited to state players in the global realm, but also includes non-state players such as the network giants, Google and Facebook, which have significant specific technological advantages due to their access to technological systems and their users. The above-mentioned efforts usually encounter an inherent conflict of interest between governments and security agencies working to maintain public security, and the business entities that seek to maximize profits. The varied regulations recently proposed by legislative bodies in various countries also hit a wall in the absence of territorial authority regarding the network giants who operate from various locations around the world, and due to pu