Are terrorists really any different from cybercriminals? We stumbled upon terrorist content during our investigations on cybercriminal activity in the underground, and after a thorough analysis of it, we uncovered parallels in the way these two distinct groups operate online.
So yes, cybercriminals and terrorists are more similar than we think: they use similar platforms and services online, though with some key differences.
Clamor for Anonymity
Unsurprisingly, remaining anonymous is of utmost importance to cybercriminals and terrorist organizations alike. Cybercriminals have been known to leverage the Deep Web and use TOR or personal VPNs to avoid being tracked, and the case appears to be the same for terrorist organizations.
For example, underground email services used by cybercriminals are now increasingly being adopted by terrorist organizations. Services such as SIGAINT, RuggedInbox, and Mail2Tor are often recommended in forums, with the motivation of staying out of sight of nation states’ prying eyes.
Figure 1. SIGAINT service
It should be noted that these services are not specifically meant to be used by cybercriminals or terrorist organizations, but have been favored by both groups because of the anonymity they offer. Another example of this is seen in the messaging platforms we saw linked to terrorists’ accounts. Telegram, a messaging platform known for its strong encryption, is the most commonly listed contact detail.
Figure 2. Terrorist account on Telegram
This is challenging to fight, since the same tools are also used by journalists or dissidents in countries or organizations with an oppressive regime. Anonymity on the internet is of great value in protecting the privacy of users, but it can also be used to hide criminal or terrorist behavior.
One key difference in the online activities of cybercriminals and terrorist organizations and their supporters is the latter’s usage of the Internet to spread propaganda messages.
Figure 3. Propaganda videos being spread online
While communications among cybercriminals are often limited to those they are interested in doing business with, terrorist organizations are more inclined to send messages to the general public. This is most likely done in order to attract supporters for their cause. We saw terrorist organizations use file sharing services and even social media to disseminate their content. By actively monitoring these accounts, we can gain more insight into the structure of terrorist organizations.
Customized Terrorist Tools
While we saw terrorists taking tools from the cybercriminals’ toolkit for most of their needs, we also saw some applications that have been specifically developed for their purpose. We were able to uncover several tools that are commonly used among terrorist organizations. These tools are used to encrypt communication as well as to distribute information among contacts.
Terrorists Targeting Companies
Terrorists are not only targeting governments or citizens; they are also using companies’ resources to support their cause. Breaking into computers, mobile phones and company networks to abuse them for a terrorist attack is a genuine threat. Hence it’s very important that you, as a user or organization, are aware that your computer or datacenter can be used in a terrorist attack.
The details of our findings can be found in our article, Dark Motives Online: Analyzing Overlaps between Technologies Used by Cybercriminals and Terrorist Organizations.