This report covers the period of October – December 2015.
This report covers the period of October – December 2015 and covers two main subjects: cyber-terrorism (offensive, defensive, and the media, and the main topics of jihadist discourse) and cyber-crime, whenever and wherever it is linked to jihad (funding, methods of attack).
The following are among the issues covered in this report:
During this period, jihadist organizations continued to mobilize Telegram software activity. As previously stated, this application enables encrypted and secure communication between two users or between groups. Through this application, users exchange reports and files, including PDF documents, video files and audio files. Although the data traffic is encrypted and makes it difficult for security services to monitor and decrypt traffic between users, the information itself contained in groups and channels is visible and exposed to anyone who joins that channel.
Jihad activists continued to distribute software and applications to increase information security. These applications are mainly used to encrypt information on a device and/or to traffic information, maintaining anonymity of user activity on the Internet (including VPN use). In addition, jihadist organizations regularly distributed guidebooks explaining proper computer and Internet use.
During this period, Islamic State members and supporters continued to attack Web sites and social networks, and to leak information. It seems that more players were working under the Islamic State and cooperating with the organization by sharing and transmitting information, such as attack techniques, and by engaging in the joint planning and execution of cyber-attacks. Efforts continued to locate and leak information about security and government officials as part of the threats and psychological warfare being waged by the organization. In addition, an incident was noted in which the Delhi police in India arrested a group of alleged supporters of the Islamic State who managed to steal and transfer approximately 700,000 dollars to an account in Turkey.
The Islamic State attacks in Paris again demonstrated the need to thwart the organization’s online activities. In this framework, discussions were held in the EU with the objective of increasing cooperation and the transfer of information between countries in order to improve their ability to counter the organization’s activities in Europe. In this framework, it is reasonable to assume that EU countries will invest efforts in monitoring the discourse of activists online, as was shown in Russia and demonstrated by the US announcement that it would increase its attacks against jihadist organizations in cyberspace in December 2015, without elaborating on the nature or characteristics of the attacks to be carried out in this arena.
During 2015, the use of ransomware expanded and garnered a lot of media exposure. Hundreds of thousands of users around the world fell victim to such malware and were forced to pay. The success of this pattern of operation encourages the development of ransomware for a wide range of computers, cellular devices and operating systems, including: Windows, Linux, osX (Macintosh) and the Android operating system used to run on mobile devices. During this period, several collaborations involving law enforcement agencies and information security companies were carried out in order to disrupt the activities of ransomware operators, and they even released a number of tools to help decrypt encrypted files. Nevertheless, it seems that the wide range of malware, coupled with the limited use of security programming, continues to make it difficult to reduce the magnitude of the phenomenon.
During the month of November, Islamic State activists copied the servers of the Isdarat Web site, which distributes the organization’s content, to the darknet. They distributed the onion address of the Web site on social networks, including Telegram and Twitter, and simultaneously distributed a link that operates via the Onion.link server (this server provides direct access to Web sites on the TOR network without having to install the software).