Al Qaeda's Webmasters Wage a Cyber Jihad

July 15, 2004 -- Below a stark black banner featuring a medieval sword and the Muslim proclamation of faith, the caption on the Web site was terse and chilling.

"The tape recording of the execution of the Korean hostage," it said in Arabic script.

Below were links to a graphic video clip hosted on a variety of sites around the world — many of them "piggybacked" without their owners' consent. Four photographs gave a preview of what was on the clip: the beheading of a South Korean contractor in Iraq last month.

The Internet has increasingly become a means for al Qaeda and its affiliates to publicize their actions and broaden their support base. Difficult — or impossible — for governments to regulate, the Internet offers a way for terrorist groups to transmit their message on their own terms, directly to their potential supporters.

Josh Devon, a senior analyst at the SITE Institute — a Washington, D.C.-based terrorism research group that monitors the Web — believes that by its very nature, the Internet complements al Qaeda's modus operandi.

"The Internet in many ways parallels al Qaeda operations," says Devon. "Like the Internet, al Qaeda is a loose, decentralized, network of independently operating cells."

The decentralized nature of the Web makes it hard to track or block terrorists' postings. Once a video has surfaced, it proliferates across the Web, with users sending links to the video's latest locations via message boards, chat rooms and e-mail. Even established pro-terror Web sites hop from URL to URL, apparently trying to keep one step ahead of authorities who might close them down. Sympathizers who post messages to the sites' chat rooms use pseudonyms that conceal their identity.

Read more about al Qaeda sites' "piggybacking."

Needles in Haystacks

Law enforcement officials who track cyber crimes say that determining who originally posted something online can be like seeking a needle in a haystack.

"The problem is that people who really want to do something bad won't do it on their own address," says Mark Rasch, a former Justice Department computer crimes prosecutor.

Even if investigators succeed in tracing a poster's Internet Protocol address, Rasch notes that cracking down on cyber militants also depends on the level of cooperation between governments. And sometimes, he says, investigators have to weigh the advantages of pulling down militant sites over gleaning intelligence leads from simply monitoring them.

The fact that many of the militant messages are in Arabic or Urdu also poses a challenge. "Both the intelligence and law enforcement community now has significant capacity in Middle Eastern languages," says Rasch. "On the other hand, they're also stretched thinner than they were three years ago."

But while it may be difficult to overcome language, diplomatic and cultural barriers, Rasch maintains that investigators can trace IP addresses on the Internet. "Even when people are trying to hide their tracks, there is a chance they will screw up and leave some trail and that's where you get lucky," he says.

Tech-Savvy Terrorists

Militant use of the Internet is not a new phenomenon. Since the mid-1990s, rebel groups in the Middle East, Chechnya, Europe and Latin America have been exploiting the Web.

But in the past few years, cheaper and better chat software, along with digital cameras and graphic and multimedia processing tools, have enabled al Qaeda-linked groups to dramatically enhance their use of the Internet, according to security experts.

"The Internet is used to carry messages, to threaten, to launch a very sophisticated form of psychological warfare," says Gabriel Wiemann, a terrorism and communications expert at the federally funded United States Institute for Peace. "It is sometimes also used to fund-raise and to recruit supporters."

The release of recent hostage videos seems designed to produce the maximum psychological effect. In the cases of the Korean Kim Sun-il and Americans Nick Berg in Iraq and Paul Johnson in Saudi Arabia, videos were first released showing the hostages as masked men made threats and set deadlines. A few days later, follow-up videos were released — to Arab TV networks as well as on the Web — showing the victims' executions in gory detail.

Al Qaeda's Official Webmaster

Internet security experts trace the current generation of al Qaeda sites to a Saudi militant named Yusuf al Ayiri, who ran alNeda.com (The Call), a now defunct Web site that was widely regarded as al Qaeda's online mouthpiece.

Controlled by the Center for Islamic Studies and Research, widely believed to be al Qaeda's media branch, alNeda regularly carried messages from top al Qaeda figures.

Hosted on a number of different URLs to escape law enforcement officials, the site posted messages claiming responsibility for a number of attacks in recent years, including the 2002 Bali bombings and an attack on a synagogue in Tunisia.

While alNeda extensively piggybacked on host sites, the official al Qaeda site was itself subjected to hackings, including a hijacking by Jon David Messner, a U.S. hacker who runs porn sites.

Although it was hacked and shut down several times in the past few years, alNeda managed to survive until April 2003 by hiding files on a host of sites, including a mountain-biking site and a Web site for a Dutch soccer team.

When Ayiri was killed in a shootout with Saudi security forces in June 2003, sympathizers mourning his death in chat rooms lamented that it would deal a severe blow to al Qaeda's technical prowess.

The Voice of Jihad

But far from being crippled by the loss, a year after Ayiri's death, al Qaeda continues to exploit the Internet for its ends.

The Saudi branch of al Qaeda operations in particular has succeeded in posting fairly technically sophisticated content on the Internet over the past few months.

Sawt al Jihad — or Voice of Jihad — for instance, is a biweekly online magazine dedicated to "issues concerning the mujahideen in the Arabian Peninsula."

Since its launch earlier this year, the online magazine has featured interviews with high-ranking militants, articles on a host of issues — from the extent of U.S.-Saudi intelligence cooperation to women's role in jihad — and has posted so-called al Qaeda "communiqués" on official 'Sawt' letterhead.

While the magazine's URLs frequently change, the editorial content is distinctive and often features a resplendent, multicolored promotion for one of Ayiri's most prominent books, The Legitimacy of Killing a Prisoner.

Its latest issue offers a number of articles deal with the killing of Abdulaziz al-Moqrin, the self-described Saudi al Qaeda chief who allegedly masterminded the kidnapping and beheading of Paul Johnson.

Moqrin was killed by Saudi security forces after Johnson's beheading and a photograph of the al Qaeda militant's body aired on Saudi TV can be found on several Islamist Web sites.

Many experts believe Sawt al Jihad took over as al Qaeda's online mouthpiece in Saudi Arabia after alNeda.com was hijacked.

Missing the Real Threat?

The American "war on terror" since 9/11 has mostly focused on the threat of "cyberterrorism," the prospect of tech-savvy terrorists hacking into government computer systems and derailing military, aviation, power and other infrastructural systems.

But many experts believe that while U.S. counterterrorism agencies have focused on the cyberterror threat, they have largely ignored the uses militants make of the Internet.

"The term cyberterrorism emerged about 10 years ago," says Wiemann. "But the fact is that in the last 10 years, there has been no single case of real cyberterrorism. There has been hacking of private systems, but none of the sensitive government and military systems have been hacked."

On the other hand, Wiemann adds, there has been a "very dramatic increase" in militant use of the Internet "to carry messages, to threaten, to launch a very sophisticated form of psychological warfare."