CyberWire Daily - Islamic State propaganda persistence. [Research Saturday]
Episode Date: June 2, 2018
Researchers from Flashpoint recently explored ISIS' ability to distribute propaganda across the internet, and their use of major internet service providers to help them achieve persistence. Ken Wolf is a Senior Analyst at Flashpoint, and he describes what they learned.
Transcript
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
Major tech companies, the kind of tech giants, as it were, are undertaking initiatives to try
to eradicate extremist content from their platforms.
That's Ken Wolfe. He's a senior analyst at Flashpoint.
The research we're discussing today is titled,
An Analysis of Islamic State Propaganda Distribution.
And we know that historically, a lot of these big-name platforms have been abused
by these actors to upload and distribute their propaganda materials.
So our expectation going into this research was that by conducting a frequency analysis
of the domains that have been used for these distribution purposes, we would be able to start to identify new platforms or spaces that these actors might
be moving into as, you know, kind of the big name platforms become more difficult for them to
either access or abuse in the way that they have in the past.
So can you sort of take us through and give us a little bit of a lay of the land here? I mean, what extremist groups are we talking about and what platforms did they frequent?
You see a lot of the same platforms among different groups.
But in this research, we focus specifically on ISIS and the platforms that they're using for content distribution.
Some of the major platforms that we've seen over time are, you know,
they include big names like YouTube, Google, Twitter.
The Internet Archive has been a big one, as well as kind of maybe some lesser-known sites, paste sites like justpaste.it.
Now, what are the elements that attract them to one platform over another?
So that's a good question.
We didn't specifically look into that in the course of this research.
There were some assumptions that kind of went into it and went into the analysis that was
derived from the research.
You know, you have to think about the resources that these guys have available to them and
the opportunity costs of using one platform over another. The platforms that are most commonly used, the assumption on our part was that those
platforms either are easy for these propaganda distributors to either establish accounts,
or they're kind of favorable in other ways, such as the longevity of the content that they upload to those platforms.
Yeah, one of the things that caught my eye in your research was the use of archive.org.
I hadn't really thought about it before, but that sort of natural tension that's there,
where part of Archive's mission is to, well, archive the things
that were posted online. So they would have a tendency to not delete things.
Right. That's a tricky space. The archive.org's mission, you know, essentially to preserve the historic record of the
internet. And there's certainly value in that. And even when it comes to these types of materials,
you know, accessibility to researchers and academia,
military historians, you know,
you can think of different scenarios and groups along those lines
that would have, you know, kind of a net positive value
from having access to this material.
But we have seen, or at least the data here, the trends suggest that these actors are
deliberately abusing the platform to their advantage.
So take us through what was the process that you went through for your research,
and what were some of the key findings.
Sure. We chose to look at these two forums that are the membership of the forums are composed of ISIS members and ISIS supporters. through our monitoring that when new propaganda materials
are produced and uploaded to any number of hosting platforms,
the links to those materials are shared within these forums,
both for the membership to view those,
but also to reshare outside of these platforms.
So with that understanding, we decided to look at a three-year period beginning in January
of 2015 and going through the end of December 2017.
The process involved harvesting all of the URLs that had been shared within the forums during that period of time, kind of cleaning the data a bit.
A lot of these URLs have been either reshared or the original posts in which they were shared have been reposted,
things along those lines.
So we had to do some deduplication so that we could be sure, you know, we're only counting each one one time.
There was also a concern about shortened links and how they might distort the
data.
So had to employ some scripts to kind of go through and expand all the shortened links and also, you know, deduplicate those.
And once we'd gone through those steps, we basically had the set of URLs that we wanted to work with. From there, we extracted the domain names from each of those URLs
and then built out a frequency analysis going month by month through that three-year period.
And so what were some of the trends that you saw?
One of the most surprising findings was actually a trend that didn't exist, which was that we didn't really see new platforms emerging, especially moving into early and late 2017.
What we do see is a lot of the same platforms in the top 10 that have been used across this entire period of time.
And those include some of the biggest names, YouTube, Google.
There were some others that started creeping up.
We see a little bit of Dropbox and some other similar platforms.
But for the most part, the top 10 in 2015 were the same top 10 in 2017.
One of the other interesting trends that we saw in the data was we could actually identify a point in time during which
these actors began to actively archive the materials that they had been uploading
to paste sites.
We saw that emerge in around April of 2016, and the evidence for that is, I think, pretty
clear. You can see in the same posts in which a URL from a paste site was shared,
there was also an accompanying URL from the Wayback Machine where they had, what it looks like is, uploaded material, generated the paste page, immediately archived it, and then shared both links.
So they're effectively achieving persistent content that way.
Taking advantage of archive.org to immediately have, I guess, what they're hoping is a permanent archive.
Exactly.
Yeah.
Now, one of the things I noticed in your research was how
Twitter made a brief appearance. It appears in 2015, but then kind of dropped off the list. And
your research included a little chatter about that.
Yes. So Twitter, you know, in the past, it was a big platform for these guys to use.
It makes sense in a lot of ways.
Materials, unless an account on Twitter is private,
people, even without having an account,
can typically view tweets and content of tweets.
So that really gives, creates a platform in which it's easy to
distribute materials and reach, you know, multiple and broad target audiences.
But Twitter has also taken very active measures to both eradicate the extremist content from the platform and suspend
the accounts that are associated with spreading that. And we don't know enough about the actual
programs that Twitter has put into place or the timelines when those were done to really draw a correlation between the decrease that we see in these numbers.
But there is anecdotal evidence that suggests their efforts have been effective.
And some of these are, as you mentioned, the discussions that we referenced in the report.
We actually pretty often see different members, whether it's within the forums or on Telegram or in other spaces, people calling for ISIS supporters to establish
Twitter accounts and, you know, kind of do their part for the cause by distributing ISIS materials through those accounts.
But I think this one quote that we included in the report kind of helps put into context the difficulties that they face.
And this was a forum member who was writing in Arabic, responding to another member who was calling upon forum members to join Twitter. And this member said, this task is impossible. I alone have had more than 120
accounts closed on Twitter. Sometimes three accounts were closed in the same day, even though
I was not as active as other accounts. What is the benefit of accounts that
are closed an hour after they are opened? And I think that kind of embodies the frustrations
that ISIS and their supporters are facing in, you know, continuing to try to use Twitter as a
platform for propaganda distribution.
Yeah, another thing that your research noted that caught my eye was the use of services that are using blockchain,
I guess for both the permanence of it and the distributed nature of it.
Yes, so that was an interesting thing we came across a few months ago. Fairly common to see these forum members discussing alternate platforms and trying to find other ways to establish a presence and get their
materials out there. This service specifically came up, I think we said in January of this year, looking at a video hosting service called DTube, which uses a decentralized model.
Some of the benefits that they mentioned were because of the distributed model, there's not necessarily an admin who can delete materials the way that can be done on YouTube.
So they were looking at this as an alternative, basically, to YouTube and a way to maintain permanent distribution of their videos.
Now, in terms of the take-homes for you, the conclusions that you all came to,
and then practical applications of your research, what can you share there?
That's a really great question. I think that, you know, it was really insightful to see the way or the extent to which the same platforms continue to be used, especially big-name platforms,
which have been in the news a lot
and have received a lot of attention
for the way that their own platforms
have been abused by these actors.
But they continue to be the most commonly used.
We can't really use that to evaluate how effective
their programs are without also taking into account how long materials stay active on those
platforms, which is not something that was included in this research. So, you know, that gives us
some different avenues for follow-on research that might help shed some better light on that. You know, overall, it really highlights
the complexity of this problem and how difficult it might actually be to tackle.
Yeah, I mean, we often, you know, sort of talk about this game of whack-a-mole,
knocking things down and they pop back up again, but it seems like there's a real evolution here in these people's tactics for, I guess, even just the duplication of information so that they're uploading the main version, but then immediately having a backup as well.
Yeah, I think that's right.
They have shown themselves to be pretty resourceful and adaptive to a lot of the hurdles that they themselves have faced.
And in addition to kind of immediately archiving and creating backups of the materials,
any given piece of propaganda is typically uploaded
to five, ten, sometimes more sites at the same time.
So they're uploading to many sites at once with the assumption that at least some of those are probably going to flag it pretty quickly and delete it,
but it'll still be available on other platforms.
Yeah, they're definitely, I think, adaptive and resourceful.
And I know that your research doesn't directly cover this, but what's your sense in terms of discoverability of this stuff?
Is it easy? If this is what you're looking for, is it easy to search for and find it?
I think that really depends upon the platform that it's been shared on. It is kind of easy to go to a search engine and combine certain keywords with some of
these domains and actually find a lot of the material.
You know, paste sites, even with archive.org, you can find a lot of the material pretty
easily.
Stuff that's being distributed over Google Drive or Dropbox or something along those lines,
not as easy to find just because that stuff's not indexed.
Our thanks to Ken Wolfe from Flashpoint for joining us.
The title of the research paper is
An Analysis of Islamic State Propaganda Distribution.
You can find it on the Flashpoint website.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios
of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio,
Ben Yellen, Nick Valecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening.