ISIS bot army adapts to survive online cyberslaughter - report

Both West, Iranian proxies have constantly been hacking terror groups’ accounts.

 A man holds a laptop computer as cyber code is projected on him in this illustration picture taken on May 13, 2017. (photo credit: REUTERS/KACPER PEMPEL/ILLUSTRATION/FILE PHOTO)
A man holds a laptop computer as cyber code is projected on him in this illustration picture taken on May 13, 2017.
(photo credit: REUTERS/KACPER PEMPEL/ILLUSTRATION/FILE PHOTO)

ISIS’s digital presence is under constant attack by the West, Iranian proxies and others, but its army of bots is learning to adapt even to aggressive attempts to shut it down, a new report by the International Institute for Counter-Terrorism (ICT) at Reichman University said.

Authored by ICT researcher Danielle Haberfeld and Research Director Dr. Eitan Azani, the report details both the waves of new cyber attacks mounted by the West and Iranian proxies on their rare common enemy, ISIS, as well as how the terror group is morphing to stay relevant in the cybersphere.

After ISIS lost its hold on territory in 2017-2018, it migrated much of its influence to the online world.

However, eventually the West, Iranian proxies and the “traditional” social media giants caught up with ISIS on traditional platforms like Facebook and Twitter and started to systematically and massively close their accounts.

At first, ISIS was too fast for those hunting it digitally, and closing one account merely led to a new account.

However, the report said that eventually Facebook, Twitter and some others improved their detection game and timing so that ISIS had to escape to newer and even less regulated platforms like Telegram, Element and “Rocketchat” and on to a variety of smaller, unofficial and decentralized chat rooms, instead of larger centralized accounts.

An ISIS logo posted on one of the StandWithUs administered Facebook accounts after it was hacked (credit: STANDWITHUS)An ISIS logo posted on one of the StandWithUs administered Facebook accounts after it was hacked (credit: STANDWITHUS)

Rocket. Chat is a communication hub which facilitates team collaboration and organizes conversations for a variety of groups.

On the positive side, it allows its users to choose a variety of methods for communicating, either by chat, video conference, audio messaging, file sharing or other omnichannel tools.

On the negative side, ISIS has established Techeaven as its sub-platform on the Rocketchat platform.

ISIS has also formed many WhatsApp and TamTam groups.

The report said that on one side ISIS’s official digital footprint has dropped dramatically, yet on the flip side, its unofficial footprint has expanded exponentially with dozens if not hundreds of digital meeting places.

In some ways, driving ISIS off even “traditional” social media and into smaller decentralized spaces has already limited its future potential reach.

On the other hand, the report makes it clear that ISIS seems to have now found a formula for digital survival even in the face of concerted combined efforts by the West, Iranian proxies and social media giants to wipe it out.

ISIS manages to continue to send out its official magazine Al-Naba once a week, messages from Amaq media and a variety of videos.

According to the report, ISIS has now positioned itself and trained its supporters to be ready to jump to a new platform or digital staging area on practically a weekly basis.

ISIS bots send out information to guide followers to the next meeting spot after the most recent one is shut down and continue to stream its propaganda messages.

The terror group then continues to use its meeting spots to maintain morale, seek out new recruits, continue to indoctrinate and promote incitement to followers and encourage, raise funds for, and otherwise facilitate, new terror attacks, said the report.

A range of Western, pro-Iranian Iraqi Shi’ite sites and the Anonymous hacktivist international collective, noted the report, have also hit ISIS’s digital presence with DDOS and scrubbing, or information-erasing, attacks.

In May 2021, the pro-Iranian Iraqi Shi’ite hackers hit ISIS especially hard.

In September 2021, the report said that an enormous volume of ISIS digital accounts were erased.

The report described several techniques for systematically catching and immediately eliminating such accounts, including: “vetting” – creating keywords, or address black lists which easily identify ISIS, “shielding” – manipulating search results away from ISIS material and accounts, and active deradicalization messaging to counteract ISIS’s ideology.  

To cope with this latest attack, ISIS has shifted in recent months to using closed Telegram groups like Annajiyah where those who want to join must apply and undergo a background check before getting access.

While this might give ISIS some more security it also could slow down their recruiting efforts and general reach.

Still, ICT reported that in recent months the volume of ISIS’s calls in the digital sphere for attacks specifically on France, Italy and the US has spiked considerably.

Some posts have portrayed attacks on Paris’ Eiffel Tower, while others have depicted attacks on the Colosseum in Rome.

As in the past, various posts give instructions about how to prepare explosives and maximize the harm of a lone wolf attack.

The report said that there was a jump in calls for attacks over the Christmas and 2022 New Year’s holidays.