Category Archives: Terrorism

1.9 million+ records from the FBI’s terrorist watchlist available online

A security researcher discovered that a secret FBI’s terrorist watchlist was accidentally exposed on the internet for three weeks between July 19 and August 9, 2021.

The security researcher Bob Diachenko discovered a secret terrorist watchlist with 1.9 million records that were exposed on the internet for three weeks between July 19 and August 9, 2021.

In July, Diachenko discovered an unsecured Elasticsearch cluster containing 1.9 records of sensitive information on individuals, such as names, country citizenship, gender, date of birth, passport details, and no-fly status.

The list is extracted by the e FBI Terrorist Screening Center (TSC), a database used since 2003 by US feds and other agencies to track individuals who are “known or reasonably suspected of being involved in terrorist activities.”

 The copy of the TSC database was discovered by the expert on a Bahrainian IP address.

“The exposed Elasticsearch cluster contained 1.9 million records,” Diachenko wrote on LinkedIn. “I do not know how much of the full TSC Watchlist it stored, but it seems plausible that the entire list was exposed.

Each record in the watchlist contained some or all of the following info:

  • Full name
  • TSC watchlist ID
  • Citizenship
  • Gender
  • Date of birth
  • Passport number
  • Country of issuance
  • No-fly indicator”

At the time of this writing is not clear if the unsecured server was operated directly by the a U.S. government agency, a third-party, or in the worst case by a threat actor that obtained it.

Diachenko immediately reported his discovery to the U.S. Department of Homeland Security (DHS) and the instance of the database was taken down about three weeks later. It is a long period a circumstance that suggest that the server was not directly operated by the FBI.

“On July 19, 2021, The exposed server was indexed by search engines Censys and ZoomEye. I discovered the exposed data on the same day and reported it to the DHS.” continues the expert.

“The exposed server was taken down about three weeks later, on August 9, 2021. It’s not clear why it took so long, and I don’t know for sure whether any unauthorized parties accessed it.”

The exposed DA was also indexed by search engines Censys and ZoomEye, this means that other people could have had access to the secret list.

“It’s not clear why it took so long, and I don’t know for sure whether any unauthorized parties accessed it,” adds Diachenko.

This data leak could have a serious impact on the homeland security, the watchlist includes individual who represents a potential threat for the US even if they have yet to be charged of terrorism and other crimes.

“In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families.” says the researcher. “It could cause any number of personal and professional problems for innocent people whose names are included in the list,”

Cases, where people landed on the no-fly list for refusing to become an informant, aren’t unheard of.

Diachenko believes this leak could therefore have negative repercussions for such people and suspects.

“The TSC watchlist is highly controversial. The ACLU, for example, has for many years fought against the use of a secret government no-fly list without due process,” concludes the researcher.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, FBI)

[adrotate banner=”5″]

[adrotate banner=”13″]

Islamic imprisoned hacker Ardit Ferizi ordered to be deported

The Islamic hacker Ardit Ferizi, who is serving 20 years for giving his support to Islamic State group has been granted compassionate release.

Ardit Ferizi, aka Th3Dir3ctorY, is the hacker that supported the ISIS organization by handing over data for 1,351 US government and military personnel.

Ferizi is the first man charged with cyber terrorism that was extradited to the US early this year.

He was charged with hacking crimes and providing support to a terrorist organization. The 20-year-old man was accused of supporting the ISIS terrorist organization, he was the subject of extradition from the Malaysian government, where he lived. The man of Kosovar origin was studying computer science in Malaysia.

He was arrested in Malaysia in September 2015 and transferred to the US to face trial. Ardit Ferizi has been sentenced to 20 years in a U.S. prison. According to the US investigators, he provided the data to the popular IS militant Junaid Hussain, which disclosed it on the web. The collaboration between the IS hackers Hussain and Ferizi started in April 2015, according to the US authorities.

Now the hacker has been granted compassionate release because of the COVID-19 pandemic and will be placed in ICE custody for prompt deportation, a federal judge ordered Thursday.

U.S. District Judge Leonie M. Brinkema in Alexandria signed the order to the Bureau of Prisons to immediately place Ferizi in a 14-day quarantine before releasing into the custody of Immigration and Customs Enforcement so he can be deported to Kosovo.

“U.S. District Judge Leonie M. Brinkema in Alexandria signed the order reducing the sentence of Ardit Ferizi to time served. Brinkema also ordered the Bureau of Prisons to immediately place Ferizi in a 14-day quarantine to ensure he’s not infected with the coronavirus. At the end of the quarantine, Ferizi will be released into the custody of Immigration and Customs Enforcement so he can be deported to Kosovo, the judge ordered.” states the Associated Press.

The 2016 sentence ordered that Ferizi (24) will remain on supervised release for 10 years. Ferizi explained in a motion written from the prison that his asthma and obesity placed him at greater risk for COVID-19.

Ferizi explained that the special restrictions at the prison require him to check in with staff every two hours, exposing him at the risk of being infected due to the contact with guards.

“Brinkema initially rejected Ferizi’s request at a hearing in October, citing concerns that he might resume hacking if released, among other issues. Prosecutors had opposed Ferizi’s release.” concludes AP News.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ISIS)

[adrotate banner=”5″]

[adrotate banner=”13″]

Hacker who helped the ISIS will remain in US prison

The hacker who shared with the ISIS personal data of more than 1,300 U.S. government and military personnel will remain in a federal prison.

Ardit Ferizi, aka Th3Dir3ctorY, is the hacker that supported the ISIS organization by handing over data for 1,351 US government and military personnel.

Ferizi is the first man charged with cyber terrorism that was extradited to the US early 2016.

The man was charged with hacking crimes and providing support to a terrorist organization. The 24-year-old man was accused of supporting the ISIS terrorist organization, he was the subject of extradition from the Malaysian government, where he lived. The man of Kosovar origin was studying computer science in Malaysia.

He was arrested in Malaysia in September 2015 and transferred to the US to face trial.

Now Ardit Ferizi has been sentenced to 20 years in a U.S. prison. According to the US investigators, he provided the data to the popular IS militant Junaid Hussain, which disclosed it on the web. The collaboration between the IS hackers Hussain and Ferizi started in April 2015, according to the US authorities.

The details of the Ferizi’s case are described in s court filings [PDF].

Leaked data included names, e-mail addresses, passwords, locations and phone numbers of 1,351 U.S. military and other government personnel.

The ISIS-linked hacker obtained the data by hacking into the US web hosting company’s servers on June 13, 2015.

The US authorities suspected that Ferizi is a member of a Kosovan hacking team known as KHS, he used the pseudonym of “Th3Dir3ctorY”. The KHS breached a database of a US retailer was able to identify the records belonging to military and government personnel.

The Kosova Hacker’s Security (KHS) hit numerous organizations across the world, including Serbian Government websites, Israeli websites under the #OpIsrael campaign, The Interpol, IBM Research, Hotmail, US National Weather Service Website and numerous targets in Ukraine.

I wrote about Ferizi in October 2015, when the man was arrested by Malaysian authorities because for the first time ever the US Justice Department has charged a suspect for terrorism and hacking (cyber terrorism).

Ferizi was pleaded guilty on June 15, 2016, now is serving a 20-year sentence at a federal prison in Lewisburg, Pennsylvania, and is scheduled for release in 2032 if he gets credit for good behavior.

Ferizi asked a federal judge in Alexandria to release him from prison due to his health status.

“In a handwritten motion from prison, he said his asthma and obesity place him at greater risk of contracting COVID-19.” reads the post published by Associated Press. “He also said special restrictions at the prison require him to check in with staff every two hours, increasing his contact with guards and his risk of contracting the virus.”

Now prosecutors refused the request of hacker and opposed his release. The U.S. District Judge Leonie Brinkema rejected Ferizi’s request at a hearing Tuesday, the authorities believe that the man could teiterate his criminal activity.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ISIS)

[adrotate banner=”5″]

[adrotate banner=”13″]

OP Glowing Symphony – How US military claims to have disrupted ISIS ‘s propaganda

US military claims to have disrupted the online propaganda activity of the Islamic State (ISIS) in a hacking operation dating back at least to 2016.

In 2016, the US Cyber Command carried out successful operations against the online propaganda of the Islamic State (ISIS), this is what emerged from declassified national security top-secret documents released on Tuesday.

The documents have been release under a Freedom of Information Act request.

According to the documents, the US Cyber Command “successfully contested ISIS in the information domain,” its operations had a significant impact on online radicalization and recruitment of the terrorist organization.

The first offensive hacking operation dated back 2016 and dubbed “Operation Glowing Symphony” was detailed in the documents released by the National Security Archive at George Washington University.

“Today the National Security Archive is releasing 6 USCYBERCOM documents obtained through FOIA which shed new light on the campaign to counter ISIS in cyberspace.” reads a post published by the National Security Archive at George Washington University. “These documents, ranging from a discussion of assessment frameworks to the 120-day assessment of Operation GLOWING SYMPHONY, reveal the unprecedented complexity of the operation, resulting challenges in coordination and deconfliction, and assessments of effectiveness.”

The offensive Operation Glowing Symphony was carried out in November 2016 by Joint Task Force Ares (JTF-Ares), it mainly aimed at disrupting ISIS propaganda efforts by hacking or hijacking online social media accounts, and taking down websites used by the terrorist organization to spread propaganda.

The documents reveal the result of a 120-day assessment US Cyber Command conducted after the completion of Operation Glowing Symphony.

The assessment pointed out problems faced by the US cyber units, including the challenges of storing a huge amount of data contained in the hacked ISIS servers and accounts and the difficulty in coordination with other coalition members and US government agencies.

The Operation Glowing Symphony was approved in 2016 by president Barack Obama. It was initially approved for a 30-day period in late 2016, but it was later extended.

Operation GLOWING SYMPHONY is considered an important mileston in the counter-terrorism efforts and demonstrates the efficiency of the US offensive cyber capability against online propaganda of the Islamic State (ISIS).

“Operation GLOWING SYMPHONY was originally approved for a 30-day window, but the a July 2017 General Administrative Message reported the operation’s extension to an unknown date. Whether the operation is currently ongoing or not, it is public knowledge that JTF-ARES continues to operate.” continues the post. “It is also increasingly apparent that the counter-ISIS mission, JTF-ARES, and Operation GLOWING SYMPHONY are viewed within the US military’s cyber-warfighting community as not just a chapter in counter-terrorism and ‘low-intensity conflict’, but as demonstrations of the nation’s offensive cyber capability and a model for conducting an “American way” of cyber warfare.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – OP Glowing Symphony, ISIS)

[adrotate banner=”5″]

[adrotate banner=”13″]

Chicago student charged with writing code to spread ISIS propaganda

US authorities arrested Thomas Osadzinski, a student at DePaul University, because he allegedly built a custom Gentoo Linux distro for ISIS.

Thomas Osadzinski (20), a student at DePaul University, Chicago, was arrested because he allegedly built a custom Gentoo Linux distro for ISIS, he could now face up to 20 years in prison.

The Chicago student is suspected to have provided propaganda content that supports the Islamic State terrorist group (ISIS).

Osadzinski developed a Python script to that allows supporters and members of the organization to automatically save ISIS propaganda material shared through social media.  The student shared his script with members of the organizations in order to help spreading the ISIS’ propaganda, he also offered them the use of bots to automate the process on a large-scale.

Osadzinski also began developing a lightweight Gentoo Linux distro for the terrorist organization.

“I will began a new and very valuable project, I will be developing a custom Gentoo Linux version designed for ansar [ISIS supporters] it can run on any computer and will be very lightweight, fast and secure.” the student told to an undercover FBI agent in an online discussion in March .

The student aimed at hardening the Linux Gentoo distro to prevent hacks from the intelligence agencies that he defined as “crusader intelligence agencies.”

Osadzinski provided another FBI undercover agent a screenshot of the Gentoo Linux distro he was preparing, promising that it would be “available for the ansar [ISIS supporters] very soon.”

“It will be very secure, in sha allah it will only browse [Social Media Platform 1]. When there are less things installed the operating system is harder to hack,”

The student was not able to complete his work because of the difficulty in studying for hardening the Linux distro.

According to Cyberscoop, to Osadzinski also worked for two months as a software tester for Blackberry Cylance.

The student, if will found guilty for distributing propaganda material to support ISIS, will dace up to 20 years in prison.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – ISIS, Gentoo Linux)

[adrotate banner=”5″]

[adrotate banner=”13″]

Domestic Kitten – An Iranian surveillance operation under the radar since 2016

CheckPoint uncovered an extensive surveillance operation conducted by Iranian APT actor and tracked as Domestic Kitten aimed at specific groups of individuals.

Researchers at security firm CheckPoint uncovered an extensive surveillance operation conducted by Iranian APT actor and tracked as Domestic Kitten aimed at specific groups of individuals.

Cyber spies used malicious mobile apps that collect sensitive information on the target device and implements specific features to spy on the victims, such as recording the surrounding voices.

The attackers are spying on Iranian individuals that are Kurdish and Turkish natives, and ISIS supporters.

“Through the use of mobile applications, those behind the attack use fake decoy content to entice their victims to download such applications, which are in fact loaded with spyware, to then collect sensitive information about them.” reads the analysis published by CheckPoint.

“Interestingly, these targets include Kurdish and Turkish natives and ISIS supporters. Most interesting of all, though, is that all these targets are actually Iranians citizens.”

The list of information collected from the compromised devices is long and includes:

  • contact lists
  • call records
  • text and multimedia messages
  • browser history and bookmarks
  • geographical location
  • photos
  • recordings of nearby conversations
  • list of installed apps
  • clipboard content
  • data on external storage

The threat actor uses decoy applications which are believed to be of interest to the targets. The researchers discovered ISIS branded wallpaper changer, “updates” from the ANF Kurdistan news agency and a fake version of the Vidogram messaging app.

All the applications used in the campaign have the same certificate that was issued in 2016, the researchers confirmed that the extensive and targeted attacks are going on since 2016 and, until now, have remained under the radar due to the artful deception of the attackers towards their targets

The wallpaper changer aimed at the ISIS supported is designed to lure them by offering ISIS-related pictures to set as the screen background.

Data exfiltrated from the victim’s device are transferred to the C&C server via HTTP POST requests, it is encrypted with the AES algorithm and can be decrypted with a device ID that is unique for each victim.

One of the applications connects firmwaresystemupdate[.]com that is a newly registered website that was seen initially to resolve to an Iranian IP address but that later switched to a Russian address.

CheckPoint published the victim distribution, the cyberspies infected devices of at least 240 users most of them are Iranians (97%), the remaining are from in Afghanistan, Iraq and Great Britain.

“Indeed, these surveillance programs are used against individuals and groups that could pose a threat to the stability of the Iranian regime. These could include internal dissidents and opposition forces, as well as ISIS advocates and the Kurdish minority settled mainly in Western Iran,” CheckPoint concludes.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  Domestic Kitten, surveillance)

[adrotate banner=”5″]

[adrotate banner=”13″]

European and US police hit the Islamic State propaganda machine

A coordinated effort of law enforcement agencies (law enforcement authorities of the European Union Member States, Canada, and the USA) hit the Islamic State propaganda machine.

European law enforcement agencies coordinated by Europol conducted an unprecedented multinational cyber operation against the Islamic State’propaganda machine.

Authorities have “punched a big hole” in Islamic State’s propaganda machine, they targeted news agencies and radio stations in a two-day takedown operation.

“On 25 April 2018 law enforcement authorities of the European Union Member States, Canada and the USA launched a joint action against the so-called Islamic State (IS) propaganda machine in order to severely disrupt their propaganda flow.” read the press release published by Europol.

“The takedown operation was coordinated by the European Union Internet Referral Unit (EU IRU) within the European Counter Terrorism Centre (ECTC) at the Europol headquarters.” 

The operation hit Islamic State media outlets, including the Amaq and Nashir news agencies and al-Bayan radio.

The authorities seized the servers and are analyzing data to identify the administrators behind principal media outlets.

“With this groundbreaking operation we have punched a big hole in the capability of IS [Isis] to spread propaganda online and radicalise young people in Europe.”  said Rob Wainwright, executive director of Europol.

This isn’t the first time Europol and other agencies target Islamic State propaganda machine since 2015 they have conducted numerous operations to shut down the infrastructure used by the terrorists.

“This shows that by working together we can stamp out the poisonous propaganda Daesh [Isis] has used to fuel many of the recent terror attacks in Europe. For too long the internet has been open to terrorists and those who seek to do us harm. Those days are coming to an end thanks to this type of co-ordinated global work.” said the EU security commissioner, Julian King.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Europol, online terrorist propaganda)

[adrotate banner=”5″]

[adrotate banner=”13″]

UK GCHQ director confirmed major cyberattack on Islamic State

GCHQ director Jeremy Fleming announced this week that the U.K. has launched a major cyberattack on the Islamic State (IS) terrorist organization.

According to the spy chief, the GCHQ the attack was launched in collaboration with the U.K. Ministry of Defence and has distributed operations of the Islamic State.

The UK intelligence believes this is the first time it “systematically and persistently degraded an adversary’s online efforts as part of a wider military campaign,”

Source BBC

Fleming explained that UK cyber experts have operated to disrupt online activities and networks of the Islamic State, and deter an individual or group.

“These operations have made a significant contribution to coalition efforts to suppress Daesh propaganda, hindered their ability to coordinate attacks, and protected coalition forces on the battlefield,” GCHQ chief told an audience at the Cyber UK conference in Manchester.

“In 2017 there were times when Daesh found it almost impossible to spread their hate online, to use their normal channels to spread their rhetoric, or trust their publications. Of course, the job is never done – they will continue to evade and reinvent. But this campaign shows how targeted and effective offensive cyber can be,” 

Mr. Fleming did not reveal details of the cyber attacks because it was “too sensitive to talk about,” he praised the success of such kind of operations against a threat that is abusing technology to spread propaganda.

“Much of this is too sensitive to talk about, but I can tell you that GCHQ, in partnership with the Ministry of Defence, has conducted a major offensive cyber campaign against Daesh.” added Mr. Fleming.

“These operations have made a significant contribution to coalition efforts to suppress Daesh propaganda, hindered their ability to coordinate attacks, and protected coalition forces on the battlefield. But cyber is only one part of the wider international response. This is the first time the UK has systematically and persistently degraded an adversary’s online efforts as part of a wider military campaign.”

The US CYBERCOM and Europol have also been conducting cyber operations against online activities of the Islamic State.

Mr. Fleming has also spoken about Russia defining its cyber activity as an “unacceptable cyber-behaviour” that was a “growing threat” to the West.

“We’ll continue to expose Russia’s unacceptable cyber behaviour, so they’re held accountable for what they do, and to help Government and industry protect themselves. The UK will continue to respond to malicious cyber activity in conjunction with international partners such as the United States. We will attribute where we can.” added Flaming.
“And whilst we face an emboldened Russia, we also see the tectonic plates in the Middle East moving. We see Iran and its proxies meddling throughout the region. The use of Chemical Weapons in Syria. We’re watching the dispersal of Daesh fighters. Serious Crime Gangs smuggling people from Eastern Europe and Northern Africa.”

Flaming also cited the NotPetya ransomware attack on Ukraine that both UK and US attributed to Russia.

“They’re not playing to the same rules,” Mr Fleming concluded. “They’re blurring the boundaries between criminal and state activity.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Islamic State, terrorism)

[adrotate banner=”5″]

[adrotate banner=”13″]

European Commission requests IT firms to remove ‘Terror Content’ within an hour

The UE issued new recommendations to tackle illegal content online, it asked internet companies to promptly remove terror content from their platforms within an hour from notification.

On Thursday, the UE issued new recommendations to internet companies to promptly remove “harmful content,” including terror content, from their platforms.

“As a follow-up, the Commission is today recommending a set of operational measures accompanied by the necessary safeguards – to be taken by companies and Member States to further step up this work before it determines whether it will be necessary to propose legislation.” reads the fact sheet published by the European Commission.

“These recommendations apply to all forms of illegal content ranging from terrorist content, incitement to hatred and violence, child sexual abuse material, counterfeit products and copyright infringement.”

It is a call to action for the tech firms and social media giants to take down “terrorist content” within an hour of it being reported, the recommendation is directed to major services including YouTube, Facebook, and Twitter.

These platforms are daily abused by terrorist organizations like Islamic State group, the EU’s recommendations follow the demands of the nations participant at the 2017 G7 Summit held in Taormina, Italy, that urged action from internet service providers and social media giants against extremist content online.

The European Commission is teaming up with a group of US internet giants to adopt additional measures to fight web extremism, but at the same time, it warned it would adopt consider legislation if the Internet firms will not follow the recommendations.

“While several platforms have been removing more illegal content than ever before — showing that self-regulation can work — we still need to react faster against terrorist propaganda and other illegal content,” said the commission’s vice-president for the Digital Single Market Andrus Ansip.

“This content remains “a serious threat to our citizens’ security, safety, and fundamental rights,” 

The European Commission recognized the results achieved by internet firms in combatting illegal content, but the adversaries are very active and there is still a lot of work to do.

“significant scope for more effective action, particularly on the most urgent issue of terrorist content, which presents serious security risks”.

The European Commission pretends that terrorist content should be taken down within one hour of being reported by the authorities, it also urges more strictly monitoring and proactive actions against the illegal content.

The EU suggests the adoption of automated detection systems that could support tech firms to rapidly identify harmful content and any attempt to re-upload removed illegal content.

The new recommendations specifically address also other types of harmful illegal content such as hate speech and images of child sexual abuse.

“Illegal content means any information which is not in compliance with EU law or the law of a Member State. This includes terrorist content, child sexual abuse material (Directive on combating sexual abuse of children), illegal hate speech (Framework
Decision on combating certain forms and expressions of racism and xenophobia by means of criminal law), commercial scams and frauds (such as Unfair commercial practices directive or Consumer rights directive) or breaches of intellectual property rights (such as Directive on the harmonisation of certain aspects of copyright and related rights in the information society).” continues the EC.
“Terrorist content is any material which amounts to terrorist offences under the EU Directive on combating terrorism or under national laws — including material produced by, or attributable to, EU or UN listed terrorist organisations.”

According to the commission, internet firms removed 70 percent of illegal content notified to them in the preceding few months.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – European Commission, terror content)

[adrotate banner=”5″]

[adrotate banner=”13″]

ISIS & Al Qaeda: What’s Coming Down the Line for the U.S. in 2018

ISIS & Al Qaeda: What’s Coming Down the Line for the U.S. in 2018. From drones to chemical attacks, which are the major risks?

Last month, the Department of Homeland Security (DHS) warned that, “our enemies remain focused on attacking the United States, and they are constantly adapting. DHS and its partners are stepping up efforts to keep terrorists out of America and to prevent terrorist recruitment and radicalization here at home, and we urge the public to remain vigilant and report suspicious activity.”

The DHS also indicated the U.S. is facing a significant, ongoing terror threat and the agency’s website displayed an “Elevated” alert level (second from the most severe), which means a credible threat of terrorism against the U.S. exists.

Guess Who’s Back

Al Qaeda never really went away, of course. The 30-year-old terrorist organization had just, for the most part, receded to the background while the Islamic State took center stage. While ISIS has been driven out of Iraq and Syria, they are alive and well in Africa and Europe. ISIS supporters can be found in the U.S. as well, as evidenced by recent activity by the group’s devotees.

Al Qaeda has reemerged as stronger now than they were when Bin Laden was killed. While the world was focused on ISIS, al Qaeda was quietly amassing power, planning, strengthening alliances and fundraising.

Earlier in the year, Stratfor reported that some are concerned that al Qaeda and ISIS may reunite:

“The idea of the global jihadist movement’s two major poles joining forces is certainly a troubling one. The combined capabilities of the Islamic State and al Qaeda could pose a significant threat to the rest of the world, making them a much more dangerous enemy together than divided.”

Though both groups follow Salafist ideology, it might be difficult to merge the two groups’ divergent goals. The Islamic State seeks global conquest in the establishment of Caliphate, while Al Qaeda is focused on the demise of the United States. Al Qaeda boasts a sophistication gained from years of experience, selectivity in recruiting and an assortment of well-educated scholars, including scientists and engineers.

Viewed as crude, by al Qaeda, ISIS also lacks the restraint exercised by al Qaeda.

Some collaboration, between these two terrorist groups, has already occurred in Syria, where fighters with Hayat Tahrir al-Sham (HTS), also known as al Qaeda in Syria, and ISIS were found to have a somewhat cooperative relationship. Additionally, al Qaeda emir Ayman al Zawahiri has been attempting to build bridges among groups with similar enemies. And, al Zawahiri reiterated the fact that the U.S. is al Qaeda’s number one priority.

In comparing the two groups, Critical Threats points out that, “while ISIS had used conquest and bombastic proclamations to capture popular support and gain momentum, al Qaeda worked quietly with a softer approach to securing support.”


“The strengthening of al Qaeda is more dangerous than the success of ISIS. Al Qaeda’s softer approach to building popular support at the grassroots level evoked little, if any, reaction from the West. The West bought al Qaeda’s line that its local focus is a local issue. Al Qaeda further managed the reactions of the communities into which it was insinuating itself by permitting outbursts of local resistance and adjusting its time line to avoid generating backlash. ISIS’s conquest, by contrast, resulted in the West mobilizing a military effort against the group and harsh reaction from its conquered communities over time. ISIS’s coerced popular support in the Muslim world will collapse. Al Qaeda is positioned to absorb the remnants of ISIS, benefit from ISIS’s global mobilization, and sustain its own momentum within Sunni communities to strengthen the Salafi-jihadi movement.”

Al Qaeda does have sleeper cells, within the U.S., who are responsible for planning and launching attacks. But, there are also “lone wolf” supporters of Al Qaeda, in addition to ISIS proponents, in the U.S., who are preparing to launch attacks on their own.

There has also been found to be increasing collaboration among various terror groups in the Maghreb- particularly in Libya. They have been exchanging ideas for training, military tactics, PR, recruitment, and financing.

AEI reports:

“Libya is a key node for the global Salafi-jihadi movement.7 The Libyan base provides the global movement with a destination for jihad, a transit and training zone, and a key node for global foreign fighter flows. It is already an important enabler for the global Salafi-jihadi threat against the United States, Europe, and American interests.

Al Qaeda and ISIS are consolidating a safe haven in Libya from which they will directly threaten the West over the long term.”

Add to that the fact that al Qaeda in the Maghreb (AQIM) has managed to turn a profit of around $100 million through ransom, drug trading, taxing locals and donations from around the world, according to a study by the Foundation for Defense of Democracies.

The global Salafi-jihadi movement was and remains more than just al Qaeda—or ISIS, however. The American Enterprise Institute cautions that, “the need is urgent. Al Qaeda, the Islamic State, and the global Salafi-jihadi movement together are stronger today than they have ever been.”

Holiday season threats have been issued primarily to Europe, but to New York City, also:

  • The Hill reports: “An ominous poster of Santa Claus standing next to a box of dynamite in Times Square appeared in a pro-ISIS forum earlier this week with the headline ‘we meet at Christmas in New York soon.’ A picture of a masked jihadi, with a rifle in the front seat of a car driving toward the Vatican marked with the banner ‘Christmas Blood so wait’ appeared a few days before that.”
  • A new series of threatening images posted on social media and messaging apps, with ISIS imagery, is being shared. These graphics call for terror attacks on New York City, Paris and London.
  • Other posters include images of London’s Regent Street and the Eiffel Tower in Paris, with images of jihadists and blood superimposed on them. A chilling message in English, German and French is included: ‘Soon on your holidays.’
  • According to, “a propaganda poster emerged showing a terrorist in the Vatican with a rocket launcher. The message warned that ‘the crusaders feast is approaching’, suggesting they are planning to attack the Catholic church’s holy city. Another was shared online showing a masked figure driving towards St Peter’s Basilica with a gun and a backpack inside his car, with the message ‘Christmas blood’ written in red underneath.”

Potential Terror Threats to the U.S. in 2018

  • Hezbollah – “While I’m not here today to speak publicly about any specific, or credible, or imminent threat to the homeland, we in the intelligence community do in fact see continued activity on behalf of Hezbollah here inside the homeland,” National Counterterrorism Center Director Nicholas Rasmussen said. Rasmussen went on to say that it is the center’s, “assessment that Hezbollah is determined to give itself a potential homeland option as a critical component of its terrorism playbook.” He pointed out the recent arrests of alleged Hezbollah operatives in Michigan and New York.
  • The two alleged operatives that were arrested are Ali Kourani and Samer el Debek. Charged with providing material support to Hezbollah’s Islamic Jihad Organization, Kourani described his role as a “sleeper.” And, according to the complaint, El Debek was trained in making landmines and other explosives.
  • Dirty Bombs – Terrorist could use drones to drop dirty bombs or poison on U.S. cities. Security officials have said that it may just be a matter of time before such schemes could come to fruition in America. In August, Australian federal police disrupted an ISIS plot to construct an “improvised chemical dispersion device,” which they planned to deploy in urban areas. Hydrogen sulfide, a poisonous gas, would have been spread over the urban areas had the plot not been foiled.
  • Possible Backlash – Some Muslim leaders have said they view the plan to move the U.S. Embassy to from Tel Aviv to Jerusalem as “a declaration of war.”  
  • Also, Jihadists across the ideological spectrum have beseeched Muslims to take physical action instead of merely protesting the planned move of the U.S. Embassy to Jerusalem.
  • For its part, al-Qaeda has urged followers all around the world to target U.S. interests, its allies and Israel in response to the U.S. Embassy plan. “A statement posted Friday on al-Qaeda’s media arm as-Sahab, in both Arabic and English, urged holy war or jihad and described America as a modern-era ‘pharaoh’ oppressing Muslims. Branches of the global terror network, including the North Africa branch known as Al-Qaeda in the Islamic Maghreb and also al-Qaeda in the Arabian Peninsula, issued similar statements.”
  • Then too, Sheikh Hamza bin Laden, son of Osama bin Laden, has called for the group’s supporters to “embrace the kinds of ‘lone wolf attacks’ used by Islamic State, its bitter rival, in which jihadists execute terror operations acting largely on their own and without direction.”
  • Attacks on the US Government & Critical Infrastructure – Some experts anticipate that in 2018 a major attack on U.S. critical infrastructure will occur. “Additionally, tension between the U.S. and other countries could escalate to online cyberattacks. In October, the FBI and DHS warned of advanced persistent threat activity targeting energy, nuclear, water, aviation, construction, and critical manufacturing sectors. Critical infrastructure companies are behind in preparing their operational facilities to confront cyberattacks – making them an easy target for politically-motivated attackers – Adi Dar, CEO, Cyberbit
  • On social media and encrypted messenger apps, training materials are being produced and shared at an alarming rate and volume. This includes an astonishing assortment of bomb-making instructions and recipes for a whole host of gases and volatile compounds.
  • Of late, in these online forums, a lot of emphasis is placed on bioterrorism, with detailed training materials being provided on how to execute attacks on “kuffars” using substances such as anthrax, ricin and botulism.
  • Regarding bioterrorism, former White House biodefense aide Robert Kadlec said that, “the trends indicate more terrorist groups are interested in conducting such attacks.”
  • In 2016, ISIS operatives planned to contaminate water sources in Turkey with bacteria causing tularemia, which is a potentially fatal human illness. In another ISIS-linked ploy, an anthrax attack in Kenya was thwarted by the police. And, in yet another instance in Nigeria, the army intercepted poisoned fish believed to have been brought into the country by Boko Haram operatives.
  • Both al Qaeda and ISIS have threatened public transportation in the U.S., but online, al Qaeda has been heavily promoting its train derailment tool, providing detailed instructions on how to use it and the best routes across the country to use it on.
  • On the Telegram app, there are channels in which collaboration among the supporters of ISIS, al Qaeda and other Salafist terrorist groups, such as Ansar al Sharia, is taking place. Shared on these channels is a seemingly endless array of tools for lone wolves, including remote control detonators, a device that explodes when one opens a door, car bombs, hidden bombs and much more. Very detailed instructions are given for all of these explosive devices. The channels generally have hundreds of participants and the channels get reported and shut down frequently, but are back up again shortly afterwards. Channel administrators simply continue distributing materials to those who desire to be a well-equipped, adequately trained lone wolf.

The massive cache of Islamic State propaganda videos found on the cellphone of Sayfullo Saipov, the man accused of using a truck to mow down pedestrians and cyclists recently in New York City, provided a glimpse of the vast amount of jihadist content on the internet.

Along with 90 videos and 3,800 images found,were depictions of beheadings and bomb-making instructions.   

The amount of jihadist content on the internet is staggering. The efforts of law enforcement, intelligence agents and private intel agencies around the world are not sufficient to thwart every planned attack, though many have been thwarted.

One way individuals can help is by always being aware of their surroundings. People should report any suspicious behavior potentially related to terrorism to law enforcement.

And, since many terror attacks are closely linked to online activity such as planning attacks, garnering materials and instructions on how to carry out attacks, warnings about attacks and gloating immediately following an attack, be sure to also report suspicious behavior you see online.

Written by: CandiceLanier

Author Bio:

Candice Lanier is Chief Operations Officer at Ghost Cyber Intelligence, a private intel agency specializing in counterterrorism, Darknet operations, black ops and cybersecurity. Candice also writes for RedState, The Christian Post and Medium.


[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – bioterrorims, ISIS)

[adrotate banner=”5″]

[adrotate banner=”13″]