Threat Intelligence

5/9/2016 07:07 AM

Terror Groups Using Legit, Home Grown Tools To Communicate, Proselytize

Trend Micro says its research shows that terror, cybercrime groups often use same tools to operate

Terrorist organizations are leveraging a slew of legitimate and home grown applications and services—some of them sophisticated, some less so—to communicate with each other and to spread propaganda, a new report from Trend Micro shows.

The security vendor’s report is based on research into how cybercriminals and terrorists abuse online technologies and tools to conduct their activities. The research showed that while the motivations in each case are different, there is considerable overlap between the two groups as far as their use of certain technologies is concerned.

For instance, both cybercriminals, defined in the report as those motivated by financial gain, and terror groups, defined as entities labeled as such by at least seven nations, heavily use encryption and anonymizing tools such as Tor to hide their tracks.

Similarly, many of the communication tools that both groups use are the same. Terror groups and cybercriminals frequently tap secure email services, underground forums and social media platforms like Facebook and Twitter to stay connected with members of their respective groups, the Trend Micro report said.

The main difference is that while cybercrooks use these platforms more for conducting commerce and negotiating prices, terror groups use them to proselytize and to spread propaganda.

The Trend Micro report offers a glimpse at some of the other tools and services favored by terror groups. For example, the vendor’s research showed that groups labeled as terror organizations heavily favor secure email services such as SIGAINT, Mail2Tor and RuggedInbox for cloaking their communications. All three are so-called darknet email services that hide the identities and location of people sending or receiving emails.

Trend Micro’s research showed that instant messaging service Telegram Messenger is a popular choice among terror groups. More than a third of some 2,300 terror-group affiliated accounts that the security vendor studied listed a Telegram address as their primary contact info.

The report does not offer any explanation for Telegram’s popularity. But it more than likely has to do with Telegram’s claims of being more secure than services like WhatsApp, and also its use of strong server-side and client-side encryption to protect text, media and other data types. Telegram’s support for secret end-to-end encrypted chats and a self-destruct feature that causes messages, video, images and files to be wiped after a specific period also might help explain its apparent popularity in terror circles.

In addition to such tools, groups labeled as terror organizations also use a collection of home-brewed technologies in daily operations, Trend Micro’s research showed. The company’s report lists six such tools, which it says are commonly used.

Among them are Mojahedeen Secrets, an encryption tool released in 2007 as a PGP alternative. “This application encrypts email and file transfers using RSA public/private encryption systems. In addition to allowing users to create private keys to use when sending emails, the application also supports messaging and a file shredder feature to delete files safely,” the Trend Micro report said.

Three of the other tools listed in the report—Tashfeer al-Jawwal, Asrar al-Dardashah, Amn al-Mujahed—are also encryption applications for messaging and mobile platforms.

Two of them are Android applications—Alemarah and Amaq—that are being used for information dissemination. The remaining application listed in the Trend Micro report is a DDoS tool that appears to be of dubious quality. The app was initially thought to be a fake, but later tests confirmed that it could be used to launch limited DDoS SYN flood attacks, the security vendor said. “While this application is not particularly advanced, it shows that there is active exploration into disruptive technology” among terror groups, Trend Micro said.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
