ISIS Activity on Messaging Apps

May 21, 2024

The Islamic extremist group formerly known as ISIS (Islamic State of Iraq and Al-Sham) or IS (Islamic State), a designated terrorist group, came to prominence in 2014. Formed from al-Qaeda-linked groups, it declared itself a caliphate and occupied territory in Iraq and Syria. IS is a transnational Islamic extremist movement that now has more widespread support in parts of Africa and Asia than at the time of its formation in 2014. The group has been responsible for and inspired terrorist attacks throughout the world, killing and injuring thousands.

Figure 1: ISIS Flag 

The group has remained active and strengthened despite losing most of its territory in 2019 and receiving less attention in Western media headlines. They have continued to operate in a clandestine fashion and continue to have operations in Iraq, Syria, Africa, Asia, and Europe.

When Hamas attacked Israel on October 7, 2023, IS saw this as an opportunity to increase their exposure and began to release propaganda to more mainstream media outlets. Although the groups are not affiliated, they share some common ideals. Western Intelligence chiefs have warned that the threat from Islamic extremists is increasing.

In this blog, DarkOwl analysts review recent terrorist attacks from IS and the group's activity on Telegram and Rocket.Chat.

In March 2024, the IS affiliated group Islamic State in Khorasan (ISKP) claimed responsibility for a deadly attack in Moscow. This came after they had conducted two bombings in Iran in January. The attack in Moscow targeted a concert venue, as had previously occurred at the Bataclan in Paris in 2015 and the Manchester arena bombing in the United Kingdom in 2017, highlighting a continued modus operandi.

Lone wolf attacks have also been reported. In October 2023, an individual claiming to be a member of IS shot dead two Swedish football fans in a reported response to the burning of the Quran in Sweden.

France raised its domestic threat level after a suspected Islamic extremist stabbed and killed a teacher and wounded three others at a school in the north of the country in October 2023. Authorities stated at the time that they believed this attack was linked to the Hamas attack in Israel. In reaction to this, France deployed 7,000 soldiers to the region. The terror alert remains at the highest level in France, having been raised after the attacks in Moscow. As France prepares to host the summer Olympics, and recently hosted the UEFA cup final, it is a prime target for IS attacks.

Figure 2: Propaganda released by ISIS highlighting its recent “successful” attacks on RocketChat and other chat applications 

DarkOwl analysts have also observed IS propaganda which boasts about recent “successful” attacks. A staple of their weekly productions since 2016, the poster named “Harvest of the Soldiers” details the numbers of those killed and injured, property damaged, and vehicles destroyed. The most recent publication identified by DarkOwl analysts on a Rocket.Chat server claimed 39 operations in a single week.

DarkOwl analysts regularly monitor Telegram and other messaging apps for extremist activity, identifying new channels, and monitoring for threats. As well as Telegram, DarkOwl have identified extremist channels on Rocket.Chat and a newer platform known as TeleGuard. These channels are mainly used to promote propaganda and radicalize new members rather than strategically planning operations and attacks.  

Telegram 

IS accounts are regularly banned from Telegram; this came after pressure from countries that claimed Telegram was a breeding ground for terrorist activity. However, this is one of the only topics that Telegram bans, with users regularly discussing criminal and right-wing extremist activity. Despite this, Telegram is diligently removing IS-linked channels, which are often shut down shortly after their creation. There are also channels on Telegram which purport to “hunt” IS-related channels, presumably reporting these to Telegram for removal as they are discovered.

Despite this, Telegram channels reportedly controlled by IS members for disseminating propaganda continue to appear. DarkOwl analysts have observed invites to these channels being shared on other messaging apps that are not so quick to remove accounts allegedly associated with IS.  

While they struggle with Telegram, this religious extremist group seems to have found a haven on Rocket.Chat. Rocket.Chat is a messaging app that was founded in 2015. It describes itself as a fully open-source communications platform, developed for organizations to enable team communications and discussion with other companies and customers, with privacy and security top of mind.

However, other users have also adopted this platform, including IS, where they can communicate securely. The group has multiple channels within a server for different topics, some of which are read-only and others in which users can chat with each other. Images, PDFs, and MP4s are commonly shared depicting recent operations, violent attacks, and other propaganda messages.

DarkOwl are increasing our coverage of this messaging platform to ensure that we are able to identify any threats that are being discussed.  

TeleGuard 

DarkOwl analysts recently identified a relatively new messaging app which is also being utilized by ISIS affiliated users to share propaganda and communicate.  

TeleGuard is a messaging platform developed in Switzerland, which claims to have been built with privacy in mind. The developers claim that all transmitted data is encrypted, that data is located in Switzerland, that there is no need to connect a telephone number, and that no user identification data is collected. These anonymity features make the platform very attractive to those wishing to communicate about nefarious topics.

Figure 5: Official ISIS server on TeleGuard 

DarkOwl analysts were recently invited to the above channel linked to ISIS. We will continue to monitor for new and emerging threats using this messaging platform.  

As messaging apps become more focused on privacy and security, often encrypting all messages, they will continue to be a popular vehicle for terrorists and criminals to communicate. As some apps develop and become more discerning about what information should be shared on their systems, actors will move to other apps which are more sympathetic to their cause or simply do not care about what information is shared.

In early April 2024, through the monitoring of IS-affiliated Telegram and Rocket.Chat channels and servers, DarkOwl analysts identified posts calling for lone wolf attacks at the UEFA Champions League Quarterfinal matches which were to take place between April 9 and April 17, 2024.

Five identified images have been shared across Telegram channels and Rocket.Chat servers that pledge both official and unofficial support for the Islamic State. These images call for Islamic State supporters to target the four stadiums hosting the UEFA Champions League Quarterfinal Competition in Madrid, Paris, and London.

Figures 6 and 7: Images naming the stadiums to be targeted 

More information was provided in another image which gave individuals instructions on how they should target the stadiums. The below image suggests potentially targeting the three entrances of the Emirates Stadium in London, England.  

Figure 8: Image encouraging lone wolf IS sympathizers to strike the 3 entrances at Emirates Stadium in London

A further post aimed to invoke sympathy for the cause of the Islamic State and to “recreate the glory of the 2015 Paris” attack. Rhetoric of this kind heightens the threat to France, given previous attacks and upcoming events. It is a common tactic to evoke previous attacks and the “martyrs” they claim are associated with them.  

Figure 9: Image encouraging sympathizers to target Stadion Parc de Princes in Paris 

Meanwhile, another post also called for IS supporters to target these gatherings with IEDs (Improvised Explosive Devices) and “decoy devices,” again providing followers with ideas for how they could successfully target the event. These are tactics that could also be used at other events in the future.  

Figure 10: Image encouraging sympathizers to target Santiago Bernabeu in Madrid 

Fortunately, no attacks occurred at the Quarterfinal match or the subsequent Semi-Final. The final is due to take place on June 01 in London, England. Our analyst team continues to closely monitor ISIS, primarily on Rocket.Chat, for any further threats or calls to arms, and will post any updates on our social channels: LinkedIn and X.

It is assessed that the threats at the UEFA Quarters were an attempt to obtain media headlines and to cause panic in the West. Analysts expect similar lone wolf calls to arms will emerge and increase as we approach the 2024 Summer Olympics in Paris, France. France remains on high alert.

Counterterrorism experts have noted that IS does not always announce its targets. For instance, the attack in Moscow was not highlighted as a target prior to the attack, although Western intelligence agencies did warn Moscow of a heightened risk. The appeal to target the Champions League appears more like a propaganda exercise, likely motivated in part by a desire to cause fear and spark a reaction from the West. However, these threats should not be underestimated, and caution is advised, as lone wolf actors have been incited towards violence by these groups in the past and the lone wolf attacker is usually one of the harder targets for law enforcement to intercept.

Recent events have highlighted that IS and their affiliates remain active and deadly. While they continue to conduct attacks in many different countries, it is important that we monitor their communications to identify potential threats and targets, so organizations can be on alert.

