Encryption Threats

How Telegram turned into a Terrorist Platform?

21 January 2018


Terrorist organizations and their operatives resorted to the instant messaging application, Telegram, and other encrypted platforms due to the application’s key advantages, most importantly its encryption power which makes messaging more secure, not to mention that it allows the user to accurately identify the targeted audience.

Why Telegram?

The concept of operational security is an essential approach to understand how terrorist organizations have been using cyberspace over the past years. According to Ellen Zhang, operational security is a risk management process that forces the organization (which applies to all terrorist organizations) to analyze operations, review them from the standpoint of adversaries in order to protect important information and prevent them from falling into the hands of such adversaries. This is linked to the notion of encryption, one of the main concerns of terrorist organizations to avoid exposure to security services. In the years following the September 11 attacks, Western intelligence agencies have been able to thwart some of al-Qaeda’s attacks. These failures prompted al-Qaeda to move quickly towards encrypted communications and software, which is why it developed in 2007 “Mujahideen Secrets”, an encrypted program used for secure communications among its members.

Encrypted platforms gained increasing momentum with the rise of ISIS. During its early beginnings, ISIS members preferred several communication networks, chiefly Twitter, but over time the organization’s presence on these networks faced challenges, due to the closure of some accounts of its members.

These problems led ISIS to become increasingly reliant on Telegram. Thanks to the application’s high levels of protection, ISIS encouraged its followers on Twitter and other social networking sites to communicate with its coordinators and recruits on Telegram to discuss sensitive issues such as travelling to areas under its controlled. Moreover, it established public channels on Telegram to broadcast news updates on its activities and disseminate propaganda materials through its news agencies.

Telegram, which was launched in 2013, uses end-to-end encryption, which denies anyone -except sender and receiver- access to the exchanged messages. Besides, its encryption technology depends on the user’s phones, not an intermediary server, which makes spying on conversations more difficult.

The app provides a secure medium for terrorist organizations to share and upload large files directly through the application without having to open external links. In addition, the self-destruct timer of messages enables the user, before sending the message, to specify the period in the self-destruct timer, which means that after a certain time of reading the message it automatically and permanently disappears from both devices. Therefore, security agencies, even if they have access to the communication devices of terrorist elements, they will not be able to access credible evidence, as they would already have disappeared from the devices.

Multiple Usages

Telegram has become the favorite application of terrorists in recent years, as the imprint of the app has appeared in many terrorist attacks on various countries, such as the Paris 2015 attacks, the Christmas market attack in Berlin 2016 and the New Year’s Eve 2017 attack on Reina nightclub in Istanbul. 

In general, terrorist organizations use Telegram mainly for the following purposes: 

1- Social media raids: In his study on ISIS usage of cyberspace, Nico Prucha states that Telegram has become a platform for the organization in coordinating, broadcasting its news and attacks, converting them into hashtags and tweets to be quickly circulated within other social media such as Facebook and Twitter.

This pattern appeared, for example, in the Brussels March 2016 attacks when ISIS media operatives on Telegram prepared tweets in French accompanied by hashtags concurrent with the attacks, to garner as much support as possible for the organization. 

2- Planning for terrorist operations: Telegram is used in the pre-phase of terrorist attacks as a means of communication between elements in the preparation and planning of terrorist operations. In this context, French security sources indicated that ISIS operatives, who carried out the Paris 2015 attacks, relied somewhat on Telegram and WhatsApp in coordinating and planning their attacks. Also, Russian security services said that terrorist elements used Telegram to plan the St. Petersburg terror attack in April 2017.

3- Image industry: In the post-attack phase, there appears to be an urgent need to publicize the attack and commend the perpetrators. The aim of such praise is to promote the message of terrorist organization, improve the organization’s image in the terrorist arena and its competitiveness versus other organizations. It further aim to cause confusion in the state through instilling fear in society. Thus, Brian Jenkins assumes that “Terrorists want a lot of people watching and a lot of people listening and not a lot of people dead.”

ISIS-run media agency, Amaq, uses the application to celebrate terrorist attacks. In March 2017, for example, ISIS used Telegram to announce its responsibility for the terrorist attack in London. Through Telegram also, ISIS claimed its responsibility for the attack in Manchester Arena, in May 2017, and provided analytical content for terrorist operations, as part of power projection.

4- Support for lone-wolves: Telegram is one of the platforms that is used in supporting lone- wolves, especially in Western societies. Perhaps an example of this is the “Mujahideen Secrets” channel on Telegram, which before its closure in May 2016, was used to provide military guidance and training to lone-wolves. Among the topics broadcasted by the channel, is gathering information from cyberspace on chemical weapons storage sites. In addition, the channel published manuals on how to manufacture explosives from materials at home.

In July 2017, another channel on Telegram, named “Lone Mujahid” called for launching a terrorist attack on Wimbledon similar to the attack on Manchester Arena. Along with this call was a map of Wimbledon championship events, which was held in July 2017 

5- Funding and human resources: Like other apps and social media networks, Telegram has played a role in promoting the ideas of terrorist organizations, whether ISIS, through its media agencies and its presence on the Telegram, or al-Qaeda, which has also presence on Telegram, for example through broadcasting episodes from the series called “Verily the only acceptable religion to Allah is Islam”, which has served as a propaganda for its ideas.

This pattern of promoting the ideas of terrorist organizations aims primarily at recruiting new members and obtaining more funding. A report by the Counter Extremism Project in December 2017 indicated that:

    “Terrorist and extremist groups use encrypted application Telegram to recruit new members, fundraise, incite to violence, and even coordinate terrorist activity. Telegram’s messaging application has both public-facing and private components. This flexible interface enables extremists to do everything from self-promotion, brand  development and propaganda dissemination, to secret plotting of attacks outside detection or interference from law enforcement.” 

Security Challenges

Terrorist organizations’ usage of the encrypted applications led countries to exert pressures on their developers to cooperate by decrypting these applications to allow governments track terrorists. Meanwhile, some countries tended to block these apps. Indonesia, for example, announced in July 2017 that it had blocked Telegram, for fear of being used to spread extremist terrorist propaganda in the county.

Despite these security efforts, governments are facing major challenges, which may complicate countering terrorist organizations on encrypted platforms. These challenges can be divided into two fundamental dimensions: 

1- Terrorist innovation: Martha Crenshaw assumes that innovation is a mechanism for solving problems and addressing the failures of terrorist organizations. Hence, exerting pressures on terrorist organizations on Telegram and other encrypted platforms may push them to develop new encrypted software similar to the “Mujahideen Secrets” program, developed by al-Qaeda in 2007. In addition, there are reports that ISIS already has its own encryption programs. Terrorist organizations also have the option of encrypted language and concealing information to mislead security services.

Terrorist attacks over the past years reveal the sophisticated level of terrorist innovation with regard to operational security, particularly as terrorists rely on fully encrypted cell phones, not to mention using them for a very short period that does not allow security devices to monitor them, or the so-called “burner phones.” This tactic was clear in Paris terror attacks, where the attackers used new cell phones for short period before carrying out the attacks. When the security services raided the residences of some of those involved in the attacks, new unused cell phones were found.

2- Obsession with individual security: It is true that Telegram has shown some cooperation with Western governments by closing a number of ISIS-affiliated channels. Yet, the company does not wish to go any further, i.e. respond to security services’ pressures to provide information about the personal accounts of users and provide backdoors in the application for intelligence agencies to access encrypted messages.

Pavel Durov, the founder of Telegram, believes that the user’s individual security is much more important than decryption of the application. In his interview with CNN in September, Durov stressed that “the provision of such kind of private communication to those who have not been connected to terrorism, who represent about 99, 99 percent of users, are more importance of the threat that we can see from the other side.”

Thus, penetration of encrypted platforms and creating vulnerabilities in cyberspace, used by millions of private individuals, will likely expose the wider community to increased security risks that will not be limited to terrorist threats only. In a study on the risks of encryption, Aaron Brantley believes that eliminating the notion of encrypted messages will create a security threat to Western communities. In addition, the American companies will incur exorbitant costs on the long-term, as the users will abandon the products of these companies because they do not respect their privacy.

To conclude, the pressures facing terrorist organizations will prompt terrorists to lie low in cyberspace and operate inside encrypted platforms.