Capteurs Ouverts is launching a new serie of articles in between open-source research pieces called The Interview.
Because we strongly believe the OSINT community is in fast expansion and made of very different people, different approaches, we are giving the floor to those who fell into the rabbit hole to understand what they are doing and how.
For this special interview, Capteurs Ouverts has been chatting for several months with different French and interntional actors to understand their work. This discussion has been translated into a different format to include all the different elements captured and not attributed for security reasons. Many thanks to those who have shared with us and given their trust.
2015 saw the birth of a new type of online actors: a mix between the digital version of Sherlock Holmes and 4chan trolls with the same determination as those they track down: the hunters of cyber jihadists. They combine open search on social networks, the art of dissimulation to blend into chat rooms, dynamic network analysis, data mining, in addition to the implementation of counter-message techniques. While the emergence of social networks has broken the information hierarchy of the old generation forums, it has especially created the conditions for unparalleled message amplification. A chamber of echoes that has been invested by advertising to state apparatus but also several extremist groups. One of them – the Islamic State – has quickly become a front-runner in using that amplification dimension. Almost four years after the start of the hunt by these cyber-hunters, what is their return on experience and taking a step back what can be learnt on identification techniques and approach of extremist networks of all kinds in the wider context of general online influence and disinformation?
Born after the attacks in France against Charlie Hebdo newspaper and the campaign launched by Anonymous against the Islamic State in 2015, Katiba des Narvalos (KDN) is one of the 100% made in France collective to have organized to fight against the propaganda of the terrorist group. Easily spottable on Twitter by their avatars mocking the jihadist imagery dear to Daesh, this collective gathers very diverse profiles (Arabic speakers, technical, detail-oriented, hunters, etc). One of the members of this group says that the KDN is « a citizen approach: many people found themselves on social networks at that time and observed, saw that the bearded guys were the kings on Twitter. Anonymous has launched the reaction side that agglomerates and federates around. We gathered ourselves in parallel with French speakers. We have distanced ourselves and we have tried to structure in order to project ourselves in the long term ». The main goal of all the collectives that emerged from Anonymous is the same: to prevent the spread of the Islamic State message of to the greatest number. KDN states that its objectives were to « scramble ISIS propaganda, break the myth of jihad, its romantic side and image. Especially scrambling the machine of communication and everything around »
Using the internet as a communication tactic in spreading the ideas of Islamic terrorist groups is not new. In 2003, cyber jihad is mentioned in the manual of Muhammad bin Ahmad Al-Jalim, 39 ways to serve and participate in Jihad. In 2005, some research centers have identified more than 4500 active jihadist forums. The use of the internet by these groups progressed in parallel with the evolution of the tools: file / media sharing platforms which allow mass diffusion of the communication material, emergence of social networks on which the information becomes decentralized and the emergence of mobile apps allowing messages to reach users and start conversations anywhere, anytime. Taking advantage of these technological catalysts, the Islamic State has made cyber jihad one of its strategic pillars for 1) its multiplier role regarding its true size and tool of psychological warfare with its activities on social networks , 2) its recruitment lever thanks to the marketing effect of these tools, 3) the phenomenon of acceleration of the messages, recruitment and encouragement of solitary actions thanks to its presence on multiple platforms.
Faced with this, KDN first established a public window with parody of IS jihadist accounts in order to « deconstruct messages. Not talking about it at all [ ISIS and jihadism] participates to the mystery, the romantic side, to create an aura. Conversely, we try to be in a process of resilience, to rationalize, to deconstruct the discourse ». Distorted photos, dark humor about the lifestyles of new recruits gone for jihad abroad, everything is good to mock the organization. This counter-messaging is aimed primarily at those tempted to join the group in Syria but also to shake the strategy of the organization. It is also intended to avoid a political and partisan misrepresentation of the debate following an attack. It finally balances a media treatment that sometimes creates an additional echo chamber to the terrorist movement at its expense « If we rationalize the image of Sham (the Islamic State) it is not only to take the piss out of them, but also to show the reality: they are not invincible. Some journalists, analysts participated to the construction of this mythology because they had no distance. What was the point of relaying pictures of jihadists eating ice cream in Raqqa? There was certainly a lack of perspective, a kind of normalization. So yes Daesh is very strong but our French jihadists are not that smart. When the threat of some French jihadists like Rachid Kassim was strong, the media did add to it so much it was part of their legend. We tried to break Rachid Kassim’s legend for example by making parodies like the Muppet Show with real audios remixed in a ridiculous way. It was a parody to counterbalance the image that the media had built of him without being aware of it and that had created a form of resilience to avoid psychosis even if our reach was rather limited. It’s LOL but not free LOL. There is a calculation behind, some thinking« .
Beyond parody, KDN reports several more operational campaign periods. In 2015, the mass cyber jihad was already well established while CtrlSec collective got created. The visible part of KDN’s work is obviously the messaging deconstruction with parody and trolling on Twitter. Most of their work involves the reporting of Twitter and Facebook supporters accounts and propaganda that is conducted mainly through online research. End of 2015, the extremist groups migrate on to Telegram, a platform on which hunting collectives develop activities of infiltration, small manipulations and doxxing – identifications – of the most active propagandists by a work combining open sources research and discussions with their targets. According to another well-known collective, a great amount of patience is required for identification: « One day they make a mistake. They forget to remove meta data from a photo. They go on a website and their VPN will be off which will reveal their location« . Displayed goals are: identifying people behind their computers, using the information learned on one side to get new one on the other side, sowing discord among the members of chatrooms. More pro-active operations are described in mid-2016-2017 on Twitter where the goal is to force most jihadist accounts to switch from public mode to private mode. The creation via scripts of more than 8,000 accounts at the same time allows a massive subscription to jihadist accounts for the purpose of harassment and saturation of their communication space. The cyber-supporters end up locking the access of their account « It did not put their propaganda within the reach of the first kids coming on Twitter and did not allow supporters to interfere in any new Twitter conversations« . 2018 finally marks the year of regular and sustained channels reporting on Telegram with the aim of disrupting network nodes and interconnections to limit the flow of information and better understand their networks. Despite attempts by these groups to switch platforms: Viber, TamTam, Rocket, Riot, Yahoo more recently, « The goal is not to make them leave Telegram. They are very good where they are because it is a platform well mastered. We just want to weaken them and fragment the jihadosphere« . In addition to this, they are working on cleaning up platforms by collecting online video material in batches per web host and sending these batches to them for deletion: « the goal is not to completely eliminate this propaganda, moreover it will not really disappear, neither in an hour. But we have a guerrilla strategy to reduce visibility« . But KDN warns – especially compared to the massive suppression of Telegram channels a few weeks ago – that the harder you hit, the more it will push them to go even deeper and it will be difficult to follow. The advantage of Telegram is that the platform is not within the reach of everyone compared to Twitter: « We must go down to the rabbit hole to access Telegram« , which does no longer provide any excuse to discover extremist propaganda by chance.
In technical terms the hunt for extremism online is ultimately within the reach of all, no need to have hacking skills. Establishing a secure work environment was the key starting point for KDN with the implementation of basic security hygiene for its members: anonymous phone numbers, VPN use, maximum anonymous account. Those who go further and interact on Telegram channels with potential jihadists report their accounts to the authorities to avoid being woken up in the morning by the police and not wasting their time. Reporting suspicious accounts is conducted through an open source investigation and observation to recognize Twitter, Facebook or Telegram behavioral patterns and analyze the network of one of the identified accounts to see who are his members, what tweets he does respond to in order to gain visibility, what his cross subscriptions are and the links he shares. Obtaining links to new online materials also allows you to do a reverse url lookup on Twitter to see which accounts are retweeting it and then follow the networks. Knowing how to use python scripts and Twitter / Telegram APIs save time to identify suspicious accounts and treat them manually in order to avoid false positives. Threat or propaganda account tracking is more about experience and knowledge of the circles in which they operate: « They are identified by their circle of friends. At one point a guy disappears for 6 months. One of his mates suddenly starts retweeting a new person and discussing with him about the same topics as before. He has reappeared under another name. These are people who have been able to go under the radar of automated searches because they are not openly campaigning but were rejoicing about attacks or made insider jokes. Establishing relations within these circles using « fake beards » makes it possible to know this ». So there is no open source magic tools, usable at all levels and affordable to carry out information gathering, filing and archiving according to KDN which recommends « screen shots, directories, text files, the most portable possible, organization, methodology, scripts connected to APIs, python, ruby and encrypted emails« . Finally, the archiving process and evidence gathering for justice procedure are a critical point. Accounts containing information that can be used as evidence are not reported for suspension by KDN: the French authorities are informed notably via Pharos platform and messages are archived in a non falsifiable way because screenshots are not valid in a court process in the absence of an official title as judicial police officer. Finally the hunt for cyber jihad is a strange object that sometimes requires some technical work with bot interfacing, scripting, data mining – but little offensive hacking -, open source research and knowledge of the jihadosphere but also of the cyberspace. In summary « a single geek will have a geek approach and miss half of the subject. A jihad research enthusiast will miss technical aspects. An expert/analyst will apply his knowledge of jihad to the cyberspace but he will not be able to qualify the specifics for cyber jihad operations« . Neither in its digital practices nor in its offensive dimension with the ghazwa – website attacks – as a result of Charlie Hebdo attacks with more than 19,000 sites defaced by supporters of the terrorist group. Several hacking groups with various skills have emerged at different times such as the Cyber Caliphate Army, the Ghost Caliphate Section, the Sons of the Caliphate Arms and Kalashnikov E-Security grouped under the banner United Cyber Caliphate or IS « IT department » of Electronic Horizon Foundation.
Since 2015 KDN has been witnessing the evolution of the jihadosphere going from quite traditional dangerous profiles before 2016 more in the radars of intelligence services to very active profiles on social networks falling into the core work of the collective from 2016 to the end of 2017. In 2018 French pro-Daesh supporters became very discreet, are rare and remain now silent. Those who take action as in the case of the latest attack in Strasbourg are below the KDN radars: little visibility online, radicalization that does not appear ostensibly and more familiar profiles to territorial authorities. Even if there is still progress to be made, the terrorist group’s propaganda has also largely decreased online: one does not fall over it by chance anymore and must go to the trouble of finding it now, which can become useful as well during legal proceedings. Finally, another group of well-known hunters confided that they used to make cheat sheets before infiltrating certain groups, there were tests, distrust. Today the fragmentation has decreased the level of precaution taken.
While Western governments have invested heavily in programs to combat extremist propaganda and have begun to fully invest the cyberspace, KDN is drawing positive conclusions on its volunteer contribution to the fight against terrorism. The most visible effect of its action is undoubtedly the drastic reduction of terrorist propaganda visible on social networks. KDN also participated at its level of the fragmentation of the online jihadosphere, the identification of dangerous and threatening individuals, the collection of information that helped to prevent some attacks. Moreover, and despite a lack of partnership with the public authorities since 2015- KDN is not a registered association or officially recognized by the French authorities – it, like the other collectives, has shown the civil society capabilities to seize the topic of terrorism. A small anti-cyber jihad guerilla laboratory, KDN and the others have been able to test various methods to counter extremist messaging faster, in a more advanced and freer way than public authorities. How to professionalize this know-how and take advantage of these initiatives on a larger scale? How to recognize and transfer the skills and experience of collectives like KDN to more organized public actors to deal with the issue of cyber-jihadism? How lessons learned about the fight against cyber-jihad can serve the wider topic of fighting against extremism, but also against disinformation networks?