Institute for Security Technology Studies at Dartmouth College
Please address comments or questions to: Technical Analysis Group Institute for Security Technology Studies 45 Lyme Road Hanover, NH 03755 Telephone: (603) 646-0700 Fax: (603) 646-0660 Email: itb@ists.dartmouth.edu
March 2004 © Copyright 2004, Trustees of Dartmouth College. All rights reserved
This project was supported under Award No. 2000-DT-CX-K001 from the Office for Domestic Preparedness, U.S. Department of Homeland Security. Points of view in this document are those of the authors and do not necessarily represent the official position of Dartmouth College or the U.S. Department of Homeland Security.
Terrorism is the Nation’s primary security issue in the post-September 11th world. Significant time and resources are being expended daily to determine our vulnerabilities and harden our infrastructure. During the past five years, the world has witnessed a clear escalation in the number of politically-motivated cyber attacks. As the most technologically advanced country in the world, the United States is a particularly attractive target to cyber attackers. Department of Homeland Security Secretary Tom Ridge commented that, since the September 11, 2001 terrorist attacks, the United States has created new plans to protect our critical physical and cyber infrastructure from terrorist attacks.
Islamic terrorist groups have used combinations of ancient guerrilla warfare tactics and advanced technologies to carry out their goals. They have shown themselves to be practitioners of unconventional warfare by staging operations around the globe against high-visibility, high-value targets, using very small teams, producing dramatic results with relatively little expenditure, all without ever engaging in direct battlefield attacks against an opposing military force.
While there has been much discussion in the public realm regarding terrorist groups’ use of centuries-old means of communications (use of human couriers) and financial transactions (such as “hawallah”, a form of unlicensed money transfer business) to avoid detection in their operations by global intelligence services, there are clear indications that terrorist groups are willing to use and manipulate the conveniences of Western technology when it makes sense for them to do so. Discussions in the public arena between law enforcement and terrorism investigators and the private sector revealed that there is a lack of authoritative unclassified materials concerning the use of cyber technology by Islamic terrorist groups.
This briefing is the result of research specifically designed to meet this need. Examining the Cyber Capabilities of Islamic Terrorist Groups details how cyber technologies are exploited by these hostile entities. The open source materials used in this report include court testimony, indictments, government reports, academic reports, actual information from websites associated with terrorist groups (both from the organization itself and from sympathizer and affiliated groups), Congressional testimony, and the open media. This document uses these materials to present a clear picture for those who require awareness-level training in this domain, and provides a starting point for further research and analysis.
*** There are multiple spellings of the anglicized versions of the Arabic names and terms used throughout this presentation. We have made a best effort to choose a commonly accepted version of any word used more than once in the presentation and use that version consistently throughout. If a direct quotation uses a spelling different from the one we have chosen, we have used the spelling as given in the quotation.
The global “War on Terrorism” is very different from wars fought in the past. Allies in this war are fighting against enemies who are in many cases without a nation state. These new enemies are seeking not to protect their homelands, but to overthrow existing governments and (in many cases) to establish radical new government and even new nation states. Because elements of this enemy are spread across the globe, united primarily by broad Islamist ideology but with localized agendas, the U.S. and its allies must strive to understand the very different ways that these groups are organizing and acting.
*** Nation State is defined for this report as a political organization where relatively homogenous people occupy sovereign territory.
Although the War on Terrorism is not explicitly restricted to Islamic terrorism alone, Islamic terrorism is arguably the greatest current direct threat to our national security. The terrorist groups that collectively constitute the global Islamic jihad want the reduction or elimination of Israeli and American geopolitical influence on Islamic nations and (in many cases) the establishment of governance by Shariah law (a strict interpretation of Islamic religious law).
Separate Islamic fundamentalist terrorist groups have become in many ways a loose, global network of terrorist entities. These entities sometimes work together and sometimes in isolation. They embrace the concept of asymmetric warfare: the use of unconventional tactics to counter overwhelming conventional military superiority. The hallmarks of their operations are surprise, scale, and drama. They use both human couriers and encrypted satellite phones. Further, the C.I.A. has already identified two known Islamic terrorist organizations, Hizballah and HAMAS, with the capability and greatest likelihood to use cyber attacks against our infrastructures.
Testimony of John A. Serabian, CIA Information Operations Issue Manager before the Joint Congressional Economic Committee, February 30, 2000.
Examples of Islamic terrorist groups and descriptions of their activities may be found in the State Department’s annual Patterns of Global Terrorism report, which is submitted in compliance with Title 22 of the United States Code, Section 2656f(a). This law requires the Department of State to provide Congress a full and complete annual report on terrorism for those countries and groups meeting the criteria of Section (a)(1) and (2) of the Act. This presentation cites examples from groups such as al-Qaeda, Hamas, Hizbollah, Palestinian Al Aqsa Martyrs Brigade, and Chechen Groups.
The Patterns of Global Terrorism report is available at the State Department’s website
The authors of this report have found five areas where there is clear, factual evidence that Islamic terrorism is flexing its muscles in the cyber realm. These areas are:
The following slides provide examples and analysis for each area.
The cycle of engagement in an ideology-driven cause begins with getting the attention of like-minded individuals. This is often accomplished by broad campaigns of propaganda and possibly disinformation, often leveraging the involvement of third parties who are sympathetic to, if not directly involved in, the organization’s cause. Islamic terrorists have clearly embraced this approach, and use Internet communications to pique interest and draw supporters in. They claim to speak for the masses, and in doing so also lay claim to impossible levels of popular support. The use of the Internet to spread propaganda speaks to the terrorists’ and sympathizers’ desire to target certain audiences, such as the educated but disenfranchised and the intelligentsia in Islamic countries, and the well-educated expatriates residing in Western countries.
*** NOTE: It is possible that legitimate religious groups and web-sites may be included in the general description of terrorist propaganda and websites we analyzed. Given that terrorist sites may attempt to disguise themselves as "legitimate" religious groups, we do not attempt to distinguish which sites may be legitimate or contain some legitimate content.
It is very clear that Islamic terrorists and their sympathizers make extensive use of the Internet to disseminate propaganda. Islamic fundamentalist websites are far too numerous to list comprehensively, but a very small sampling of some of the most active and well-known includes:
Intelligence community
Some of these sites include notations with links to partial or full mirror sites (example: the Supporters of Shariah website – run under the direction of Omar Bakri al-Masry, religious leader of London’s notorious Finsbury Park Mosque – is partially mirrored at
The network of fundamentalist sites sharing news and information is vast. In many regards, the network of Islamist sites mirrors the amorphous organization of the global Islamic jihad concept. As in its physical structure, the Islamic terrorist web presence encompasses a wide range of direct and indirect connections, with some sites directly attributable to the highest levels of leadership while others are favorably inclined brother entities with specific geographic agendas, right down to lone individuals who might at best be termed “fans” of organized terrorism.
Of note: since this research was completed earlier this year (2003), a substantial number of these websites have moved to new web addresses.
Testimony of Federal Bureau of Investigation Director Louis Freeh, Senate Select Committee on Intelligence, May 10, 2001.
One of the websites most consistently identified with al-Qaeda has been the Alneda site, which means – roughly – “the call” or “the calling”*. It was run under the auspices of an entity calling itself the Islamic Studies and Research Center, which is really a communications group within al-Qaeda or a joint effort between al-Qaeda and the Taliban. The site is extremely text-heavy. Through early 2003, this site was consistently one of the primary outlets of “official” statements from senior members of al-Qaeda, including bin Laden, Ayman al-Zawahiri (UBL’s right hand), and Sulemein Abu Gaith (the “official” AQ spokesman). It was on this site that al-Qaeda appears to have first directly claimed responsibility for the nightclub bombing in Bali, the attacks in Mombasa on an Israeli hotel and an Israeli commercial airliner, and the attack on the U.S.S. Cole, among other operations.
The dogged persistence with which this particular site has been perpetuated, retaining the same look, structure, and style of rhetoric – despite being thrown off from various web hosting services and being hacked by pro-American activists and hackers time and time again – strongly suggests that this has been an authentic outlet for al-Qaeda. There have also been reports in the media that U.S. intelligence professionals believe that this site (and others) may be used to transmit secret messages to al-Qaeda operatives, either through coded messages, encrypted file-sharing, password-protected areas of the site, or possibly even steganographic message transmission.
Since the summer of 2002, this site has not operated under its original domain (www.alneda.com). It has been kept alive by a technique of “parasiting” itself onto apparently unknowing legitimate domains, with its keepers burying its file structure deep in seemingly innocuous subdirectories of the legitimate site. Because this information resource existed only in cyberspace, it was ideally suited to AQ’s post-Afghanistan operational needs. Once AQ was largely deprived of the base of operations that Afghanistan previously provided, members scattered around the globe. Al-Qaeda’s use of the internet through web sites, email, message boards, and chat rooms allows dispersed members to stay in touch constantly, while maintaining the operational security and compartmentalization demanded by their work, under cover of the Net’s anonymity. Sidenote: there is an elite group of troops in Iraq (formerly under the command of one of Saddam Hussein’s sons – Uday), charged with special operations including – reportedly – information operations, which is called al-Nida, also meaning “the calling”.
The world wide web is already in heavy use by Islamists and sympathizers. There are hundreds of “jihadi” sites online – some news-oriented, some rhetorical, some theological, some militant. The more formal sites provide news articles regarding the fundamentalists’ version of unfolding events in the Middle East and throughout the world, editorials and commentary from religious leaders, photographs of alleged atrocities, and links to other sympathizer sites. These sites are frequently in Arabic, although there are a number of jihadi sites in English, as well. The Arabic-language sites seldom offer an English translation. The ones that do offer a translation sometimes offer different content in the English-language section. That English content mainly focuses on philosophical and theological discussions or attempts to convert the viewer to Islam, and almost always excludes the most inflammatory and violent rhetoric that is pervasive in the Arabic-language portions.
*** Only ~25% of Muslims speak Arabic. Source: NYT article, 10/29/02, citing a Georgetown professor of religion and international affairs, John Esposito
Additional forms of propaganda used to spread both Islamic fundamentalism and the cult of the suicide bombers are the “fan” and martyr sites created by admirers and sympathizers.
These sites are generally home-grown in nature, and look much like what a fan of a celebrity might create in homage to the celebrity in question.
A good example of this type of site is represented by the screen shot here for Mr. Bin Laden.
Overall, the trend by Islamic terrorist groups is the use of information technologies, often invented in the West, to deliver anti-Western messages.
Once the organization has gotten the attention of potential followers, the next step is to draw them into the hands-on activities of the group.
The next series of slides focuses on online Recruitment and Training.
The video clip on this slide is of an individual from England who says he was recruited to fight with the mujahideen in Bosnia.
He urges “true Muslims” to join the fighting in places such as Bosnia, Chechnya, and Kashmir.
In this video he remarks that at that time (the Bosnian conflict took place between 1992-1995), the mujahideen could readily telephone and fax anywhere in the world from the battlefield, just like any military force.
In addition to using the web for propaganda purposes, many of the same websites are used as a recruiting tool for would-be jihadi.
The sites may include bios on famous mujahideen, photos, interviews, and video footage of jihadi training (over-dubbed with inspirational music and messages) conducted at various terrorist training camps.
The footage of the training camps is not dissimilar to U.S. military recruitment ads, with a “Be all that you can be” feel to them, much of it shot in a style reminiscent of western music videos.
The video footage in this slide is also available, along with analysis from
To further engage potential recruits, many sites and message boards provide links to downloadable videos of current and past conflicts.
In the Chechen separatist struggles, for example, the videos are used to provide independent evidence that the mujahideen continue to carry out attacks against the Russian military forces (despite periodic claims to the contrary by state-controlled media) and to serve as a documented history of the jihadi struggle, as well as to emphasize the image of the mujahideen as fierce defenders of the faith.
Message boards are also used to debate jihad, incite and perpetuate anti-American sentiment, and exchange links to other information sources.
The message boards frequently are visited/invaded by decidedly pro-American participants, and profanity-laced, name-calling arguments often break out between the jihadists and those opposed to them. As a result, a number of the more heavily used forums have changed from unmoderated to moderated formats in an effort to keep out pro-American activists or to keep arguments between the two camps from dominating the discussions.
Islamic jihad groups also use the Internet to disseminate training materials, either for those who cannot attend the training camps, or to get new recruits and sympathizers excited about what they could learn. The manuals, as seen above, are sometimes in Arabic, and sometimes in English.
One of the most infamous of these is the “Encyclopedia of Jihad” [a page of which is on this slide], a 1,000+ page PDF. Many of the sketches in the document appear to have been taken from 1960’s-era U.S. military manuals. Most of the text is hand-written in Arabic. This is one of the means used for memorization in the madrassas (religious schools) and in the training camps – transcribing large volumes of information by hand. These manuals are posted in many places on the Internet, amongst the jihadi community. They sometimes borrow liberally from “self-defense” manuals such as “The Poisoner’s Handbook” and other volumes favored by Western anti-government advocates.
These manuals include information on encryption and avoiding detection while sending electronic communications.
Individuals throughout the Islamic jihad, especially at the highest operational levels, show knowledge that indicates a strong technological proficiency. Many of these individuals have technical degrees or training, and use of computer technology is routine. For example, a 1999 report by the Library of Congress’ Federal Research Division states, “Osama bin Laden also recruits highly skilled professionals in the fields of engineering, medicine, chemistry, physics, computer programming, communications, and so forth. […] the terrorists of the 1990s who have carried out major operations have included biologists, chemists, computer specialists, engineers, and physicists.” [1] A number of reports indicate that recruits proceed to specialized training camps and after an initial assessment, receive specific training in the use of computers for communications, surveillance, and operational support at a minimum. At least some reports have suggested that, at least for a time, a safe house in Pakistan was an AQ “cyber academy”, used to train select recruits to conduct overt and covert cyber attacks for multiple purposes.
[2]
[3]
Khalid Shaikh Mohammed, captured on March 1, 2003, was one of the FBI’s “Most Wanted Terrorists”. [1] The U.S. intelligence community believes that Khalid became AQ’s top operations strategist prior to his capture. He was indicted for having masterminded a plot to bomb U.S. airliners flying southeast Asian routes, and he is probably the mastermind behind the September 11 attacks. Some news accounts [2] say that one of the Pakistanis involved with the kidnapping and murder of WSJ reporter Daniel Pearl claims that it was Khalid who actually cut Pearl’s throat, on video. He is also reportedly Ramzi Yousef’s uncle. Khalid is multi-lingual and well-educated, including a degree in engineering from North Carolina Agricultural and Technical School (which he completed in only 2½ yrs.). He is said to have trained Mohammed Mansour Jabarah (Canadian citizen of Kuwaiti heritage recruited as AQ lead in multiple disrupted Indonesian operations) and other high-level AQ operatives in use of encryption, among other espionage skills.
[1]
[2]
Also, generally
Websites used for propaganda are often set up to recruit as well.
The sites may include bios on famous mujahideen or videos of jihadi training (over-dubbed with inspirational music and messages) conducted at various terrorist training camps.
Message boards are used for recruitment and communications.
How-to manuals are readily available to any who wish to learn. These manuals have included information on encryption and avoiding detection while sending electronic communications.
As the examples in this section show, highly technical operatives have played and continue to play key roles in Islamic terrorist organizations. As we have seen in the propaganda section of this report, the trend is the use of information technologies to recruit and propagate training materials.
Islamic terrorists are using cyberspace and cyber technology to raise money in a number of ways.
A common approach for terrorist organizations is to channel funds from legitimate charities, but there is evidence that they are raising funds through other means as well, including criminal activities.
For example, on the Council on Foreign Relations’ “Terrorism: Questions and Answers” website, the question “How is al-Qaeda funded?” is answered (in part): “… [UBL] established companies to provide income and charities that act as fronts. In addition protection schemes, credit-card fraud, and drug smuggling are other possible sources of money.” [1] Legitimate businesses, charities, credit-card fraud, and drug smuggling today all rely heavily on computer technology to operate, and any organization active in any of these activities must be computer-savvy.
This slide illustrates an appeal for funds to support an Islamic news organization.
[1]
Islamic news viewers are often asked to send contributions to support the mujahideen and/or the “victims of oppression”.
These requests generally include, at minimum, a mailing address and an email account.
Often these solicitations include wire transfer account information, including instructions on how to do the wire transfer.
The news sites may also solicit advertising from faithful Muslim businesses.
Islamic terrorist groups have been using credit card fraud since the late 1990’s to finance their activities. Richard A. Rohde, Deputy Assistant Director, Office of Investigations, U.S. Secret Service, testified before the Subcommittee On Technology, Terrorism And Government Information Of The Senate Committee On The Judiciary on February 24, 1998 that an organized group of Lebanese nationals is responsible for counterfeiting credit cards that were found with Middle Eastern terrorist group members.[1]
A journalist for the Christian Science Monitor recounted last year (2002) an incident of how he was the victim of credit card fraud during a trip to Amman, Jordan in late 2001.[2] Although he never lost his card or any receipts during his trip, “Transaction records reveal that the first attempted fraudulent purchase was made on the same day that I returned to the U.S. The $3,100 transaction for two Russian-made night-vision rifle scopes and a more high-tech miniature night-vision scope was refused because it exceeded the single-purchase limit on my card. Roughly a month later, however, someone submitted a scaled-down version of the same order and it was accepted. According to my credit card company's fraud investigators, the order included one Russian night-vision rifle scope, and a US-built range finder, an instrument that calculates the distance to a potential target.” The purchases and shipping were made in the reporter’s name, and the items were shipped to an address in Riyadh. Shortly after the journalist discovered the fraud, he found that a colleague at the same paper had the same thing happen to her, a few weeks later. The point in common? The restaurant of the hotel where both stayed in Amman. Although the incident cannot conclusively be specifically tied to Islamic terrorists per se, it is just one example of the level of activity and trafficking in stolen credit cards in the Middle East (jihadists’ recruitment base), tied to logistics and the purchase of military-style equipment.
[1]
[2]
The Somalia Internet Company, Somalia’s only ISP, was effectively shut down in 2001 after its assets were frozen under U.S. and U.N. Security Council sanctions.[1] The sanctions were ordered on the belief that the company is a source of either funding or money laundering for al-Qaeda. The company denies links to terrorism, but as of February 2003, they remain under sanctions.
Infocom – in 2002, a Federal indictment was issued against a suburban Dallas-based computer company called Infocom. The indictment was against the company and four brothers who were executives and professional staff there, including the CEO. [2] A fifth brother, plus an acknowledged Hamas leader and his wife – who is cousin to the brothers – were also named. The brothers are accused in the indictment [3] of using Infocom to export computer equipment and programs to countries banned from possessing them (specifically, Libya and Syria) and of using Infocom to launder money for Hamas, by accepting “investments” in Infocom in their cousin’s name that really came from her husband, a high-ranking Hamas member. Payments were then made back from Infocom to the cousin.
[1]
[2]
[3]
According to testimony by Dennis Lormel (Chief, Terrorist Financial Review Group, FBI) before the Senate Judiciary Subcommittee on Technology, Terrorism and Government Information (July 9, 2002), “… an Al-Qaeda terrorist cell in Spain used stolen credit cards in fictitious sales scams and for numerous other purchases for the cell.
They kept purchases below amounts where identification would be presented.
They also used stolen telephone and credit cards for communications back to Pakistan, Afghanistan, Lebanon, etc.
Extensive use of false passports and travel documents were used to open bank accounts where money for the mujahadin movement was sent to and from countries such as Pakistan, Afghanistan, etc.” [1]
[1]
After September 11, 2001, one of the most important actions undertaken internationally was the introduction of sanctions against large numbers of businesses and charities that the Allies have linked to terrorism. [1] The sanctions have been initiated under the premise that choking off funding sources of terrorism is potentially one of the most effective ways to limit terrorist activities. Among the list of hundreds of entities, Benevolence International Foundation stands out. Based in Chicago, Benevolence International Foundation (BIF) was run by Enaam Arnaout [2]. qoqaz.net, the Chechen jihadi site with ongoing links to the global Islamic jihad, was used to solicit funds to support the mujahideen in Chechnya, funneling the funds through BIF in 2000. The leader of the Chechen mujahideen at that time was Ibn al Khattab (deceased, early 2002).
Khattab, through the Qoqaz website, told supporters to wait until a “trustworthy aid organization” to work with them could be identified. The Qoqaz site has posted that “There is one trusted agency that has set up operations in the region and we will be posting their contact and bank details, etc. on the Internet very soon insha-Allah. This is the only aid agency that the Qoqaz web-sites trust and recommend the people to give their donations to.”
Shortly after this posting, the Qoqaz site created active donations links to two charities. One was BIF.
[1]
[2] AP photo, located at
Between January and April of 2000, BIF wire transferred nearly $700,000 to Chechen separatist-linked bank accounts in Georgia (FSU), Azerbaijan, Russia, and Latvia.
Arnaout was indicted, along with BIF, in 2002 on a number of charges, including perjury and racketeering.[1]
Prosecutors said they had proof, in the form of correspondence and photos, of ties between Arnaout and Usama bin Laden.
In February 2003, Arnaout reached a plea agreement with prosecutors [2]. Arnaout pleaded guilty to one count of racketeering conspiracy, related to directing BIF donations to purchase clothing and equipment for “fighters” in Bosnia and Chechnya, without disclosing this use of funds to donors.
[1]
[2]
As shown in the previous examples, radical Islamic web sites and the individuals and organizations that run them are fundraising online.
Islamic terrorist groups understand how to raise funds over the internet.
Clearly, information technologies facilitating the easy transfer of funds are of benefit to Islamic terrorist groups.
With no easy solution to the policing of these activities, incidents of credit card fraud and other crimes used to fund or facilitate terrorist groups will continue to grow.
While many in the military, law enforcement, and intelligence communities disagree about the ability and likelihood of Islamist terrorists conducting cyber attacks on the West, there is no doubt that terrorists are harnessing the Internet and computer technology in general as communications tools.
Numerous indictments in terrorism cases cite the use of emails, sometimes coded or encrypted, by alleged operatives and associates to communicate across the globe [1].
Certainly it is well-established that Islamic terrorists use computers as a part of their normal routines, since media accounts abound of the seizure of laptop and desktop computers containing evidence of alleged terrorist activities in locations around the world where terrorist suspects have been arrested or sought.
[1] Examples: United States. v. Ramzi Yusef; Atta et al; United States v. Zacarias Moussaoui aka Shaqil, aka Abu Khalid al Sahraw …
Ramzi bin al-Shibh was captured on September 11, 2002. He is an AQ member who was indicted, along with others, as a co-conspirator with Zacharias Moussaoui in plotting and carrying out the September 11, 2001 attacks on NYC and Washington, D.C. [1] It is believed that bin al-Shibh was originally supposed to be among the hijackers, but he was unable to gain entry to the U.S. When he was captured, the location of the apartment where he and four other AQ members were hiding was traced by U.S. FBI agents by tracking to that building a satellite phone call made by someone in the group [2]. Bin al-Shibh was captured after a reported three-hour gun battle with Pakistani police and intelligence officers. In the apartment were, reportedly, three satellite phones, five laptops, and a CD burner, along with over 500 CDs.[3] He had apparently been living there for months, communicating with other AQ members on the Internet via a satellite phone linkup.[4]
One of the FBI’s "Most Wanted Terrorists", Abu Anas al-Liby, is said to be one of al-Qaeda’s top computer experts and to train others in the organization on how to use computers. According to testimony from the Nairobi embassy bombing trial, al-Liby worked closely with Usama bin Laden (and was indicted along with him by a Federal Grand Jury) during the years bin Laden based his operations in the Sudan, and provided training to would-be al-Qaeda members on the use of computers in relation to their work:
Q. You mentioned a person by the name of Abu Anas al Liby. Did he ever have any special expertise?
A. Could you repeat the question?
Q. Abu Anas al Liby, did you have any specialty within al Qaeda?
A. Yes.
Q. What was that?
A. He's -- he run our computers. He's a computer engineer.” [5]
The witness went on to say that al-Liby provided training to individuals on computer-aided surveillance techniques.
The red circle on this slide highlights an example of an Islamic web site providing a link to a service that teaches users how to communicate securely over the Internet.
[1]