ISIS has long taken full advantage of secure communication tools, and utilized mainstream communication platforms in unexpected ways. Extremist groups even develop their own software at times to tailor things like encrypted messaging to their specific needs. One such project is the clandestine, unfortunately named communication tool MuslimCrypt, which uses an encryption technique called steganography to spread secret messages. And while many of these homegrown tools don’t live up to their promised protections, a new evaluation of MusilmCrypt by the Middle East Media Research Institute reaches a basic, but crucial conclusion: MuslimCrypt’s steganography works.
MuslimCrypt was first released by unknown actors on January 20 in a private, pro-ISIS Telegram channel, and like other steganographic tools, it hides information in plain site. Think of writing in invisible ink, except instead it’s encoding a digital message in an otherwise unremarkable piece of software. And while steganography has of late been linked to malicious hacks, MuslimCrypt brings the technique back to its clandestine communication roots. (In fact, Osama bin Laden was apparently a regular practitioner.)
Specifically, MuslimCrypt hides information in images that can be shared or posted freely because only the recipient will know to check it for the secret message. MuslimCrypt doesn’t come with a manual or provenance, so MEMRI researcher Marwan Khayat worked to trace the tool’s history on Telegram, look into the users who talked about and posted it, vetted the tool in an attempt to confirm that downloading it wouldn’t be dangerous, and then examined it in a software sandbox to determine how to use the tool. He then focused on testing its ability to actually encode information in image files—JPEGs and TIFs—and then facilitate extraction of that data on the receiver’s end. Given that ISIS and its sympathizers use active multimedia propaganda campaigns, there are a lot of places for messages to hid.
‘It’s really fascinating actually that they’re using steganography.’
Marwan Khayat, MEMRI
“It’s really fascinating actually that they’re using steganography,” Khayat says. “I found random pictures online, checked that you can embed a message and checked that you can extract it, and compared the two images visually. Someone online who sees the resulting image, there’s no way to tell. So to me it is working.”
Though the algorithms driving MuslimCrypt remain mysterious, the fact that the tool works in any capacity is a significant first step. But Khayat notes that just because the tool is functional doesn’t necessarily mean that its users have actually leaned on it for clandestine communication yet. “Think about it as a jihadi,” Khayat says. “I hid a message inside and then I have it on my computer then what? Where do I send it?”
Steganography’s value as a secret communication tool makes it unsurprising that jihadis would eventually adopt the technique, says Simon Wiseman, chief technology officer at the British network security firm Deep Secure, which works on malicious steganography defense. “Trying to communicate covertly is the traditional view of steganography, and MuslimCrypt is a standard application intended to do the encoding and decoding,” Wiseman notes. Meanwhile, “detection through analysis is very difficult to do accurately so [investigators] may try to spot the distribution of the tool. I guess the next phase of the operation for MuslimCrypt would be to disguise that and create covert distribution.”
Analysts point out that once a group discovers steganography’s benefits, they’ll naturally evolve and refine their techniques. But MuslimCrypt’s murky origins pose the biggest barrier to understanding more about its intended uses and the real goals behind the project. “Part of the issue is we don’t know who released it,” Khayat says. He tried to trace the digital personas who talked about and posted MuslimCrypt in the Telegram group “MuslimTec DE/EN 2,” including admin Mahed Razzul/@DrAlman and user Bayyi Almani/@BayyiAlmani. The names all indicate a German-speaking origin or affiliation, and the users sometimes write in German, but Khayat emphasizes that all of this could easily be a false flag. And when he tried to trace the personas, he instantly hit a dead trail.
“They know they’re being monitored on Telegram, they know people are watching them,” Khayat says. “They could be actual jihadis or the whole thing could be some intelligence agency or anything else, I have no clue.”
Fear of spy-agency influence could also itself be the motivation for the creation of MuslimCrypt, though. Diwakar Dinkar, a research scientist at the security firm McAfee who monitors steganographic advances, points out that countless steganography tools are available online precisely because it’s difficult to know which ones have been cracked by security agencies. “Just as a safeguard people build their own,” Dinkar says. “In fact, designing your own steganography algorithm isn’t difficult. Anyone who has sound knowledge of coding and a bit of mathematics can do it.” Dinkar analyzed the MuslimCrypt binary himself and saw some potentially suspicious attributes, like a possible key logger. But there was nothing that made Dinkar definitively conclude that the tool is malware. “It seems to be just a legitimate software tool which is used for secure or hidden communication,” he says.
MEMRI’s Khayat plans to investigate MuslimCrypt further, but the findings so far reinforce to him that the tool represents an important step in jihadist communication technology. “Steganography is not really just a science, it’s like art and science together. And it seems like it’s working.” After all, as Khayat puts it, “You can’t examine every image everywhere all the time.”