Introduction

On January 6, 2017, the Islamic State (ISIS) released Issue 5 of its online magazine Rumiyah. The issue, which included, inter alia, the usual threats to the West and advice for carrying out attacks there,[1] was picked up by Western media outlets and widely reported. Much less attention, however, was given to two other purported issues of the same magazine, which were released a few hours prior to the official Islamic State release of Issue 5.

Each of the two fake issues of Issue 5 of Rumiyah appears to have had a different purpose. While the first was reportedly a rogue PDF file packed with malware aimed at infecting the devices of anyone downloading or opening the file, the second consisted of surprisingly well crafted content in what appeared to be a malware-free PDF file, making the point of its release not entirely clear.

This is not the first time that a jihadi magazine or other release has been compromised, especially in light of the fierce cyber warfare being waged against terrorist groups. The most prominent example of this is the 2010 operation that aimed to undermine the first release of the Al-Qaeda in the Arabian Peninsula (AQAP) English-language magazine Inspire. That attack resulted in the release of two modified PDF versions of the magazine, and has had a negative impact on one of the magazine's distribution channels as well.[2] In another incident in 2013, which also targeted AQAP, a video of the group was purposely sabotaged and a segment calling for the killing of the U.S. ambassador to Yemen at the time was removed prior to its official release.[3]

Terrorist groups' distribution chains and channels have evolved in the last decade. What was once a single download link posted on a password-protected top-tier jihadi forum, is now a widely distributed URL to jihadi content posted on the San Francisco-based Internet Archive (archive.org)[4] that goes viral on Twitter, Telegram, and elsewhere within minutes of its initial release. Jihadi response to suspicious content, on the other hand, has been relatively consistent during that same period, with overly cautious and even paranoid behavior characterizing many members of online jihadi circles. In fact, social media has in many ways made it more difficult to "trick" jihadis into consuming dubious jihadi content, since warnings about such content are now generated and disseminated faster and easier than ever before.

The following report examines the two recent suspicious releases of issue 5 of the ISIS magazine Rumiyah, and attempts to draw conclusions from the event. The report discusses three items: The official legitimate Rumiyah 5 issue, which ISIS released in many languages (henceforth "R1"); an English-language issue of Rumiyah 5 that supposedly did not contain any malware (henceforth "R2"); and a purportedly French-language issue of Rumiyah 5 that allegedly contained malware (henceforth "R3"). The contents of the PDF files of R1 and R2 were obtained and reviewed for this report, but R3 was not. Claims of R3's suspicious content, thus, remain unverifiable; however, various arguments in support of those claims will be presented.



Clockwise from top left: Front cover of R1, front cover of R2, and a promotional banner for R3

Timeline Of 'Rumiyah' Releases

R1 was released on Friday, January 6, 2017, on Telegram. R2 and R3 were released on Twitter approximately two hours earlier. R2 may have also been released on Telegram, but was removed shortly thereafter. The timing of R2 and R3's release shortly before the official R1 release is no coincidence. Rumiyah is a monthly magazine, and has been released on a fairly regular schedule by ISIS. Issue 4 of Rumiyah was released online on December 8, 2016, issue 3 on November 11th, issue 2 on October 4th, and issue 1 on September 6th. Further, Rumiyah is generally released online without any prior notice or promotional banners, unlike, for example, the banners used to promote speeches by ISIS leader Abu Bakr Al-Baghdadi. This suggests that whoever posted R2 and R3 online had prior knowledge of R1's release and did not act randomly.

Distribution Channels

R1 appears to have been initially released on Telegram. It should be noted that determining the initial publication channel of an ISIS release can sometimes be difficult due to the rapid rate at which these releases are shared across different platforms, coupled with the rapid disappearance of their original URLs as a result of reporting and flagging. R2 and R3, on the other hand, were released on Twitter. R1 was hosted on the Internet Archive (IA), as was R2. R3 was hosted on dropfile.to, a service providing anonymous file sharing.[5]

Despite both being posted on Twitter, R2 and R3 exhibited some distinct features that are worth noting. R2 was first published on the Twitter account of Khadim Al-Ikhwa. The account is a known disseminator of ISIS content, and is believed to be a human/bot hybrid.[6] "Khadim" means "servant" in Arabic, but, in computer science jargon, it also means a server. However, it is believed that the Khadim Al-Ikhwa account that published R2 was an imposter account. The real Khadim Al-Ikhwa account, which is repeatedly removed from Twitter (likely since it acts as both a spam bot and a pro-ISIS account) and forced to resurface using a slightly altered username, consistently features a distinct sentence written in Arabic in the profile's description as an identifying feature; however, this sentence was missing from the account that published R2. Additionally, unlike the real Khadim Al-Ikhwa account, the alleged imposter account that posted R2 managed to stay operational for a relatively long time on the day of R2's release. Finally, Khadim Al-Ikhwa rarely operates more than one account at a time on Twitter, meaning that a new account is opened only after a previous one is suspended. At the time of R2's release, two Khadim Al-Ikhwa accounts (i.e., a real and a fake one) operated simultaneously on the platform.

The image below shows R2 being promoted on the suspicious Khadim Al-Ikhwa Twitter account along with an IA download link.



"#Urgent, #Issue_Five_Rumiyah_Magazine" (Source: twitter.com/k4jvtdt1, January 6, 2017)



Suspicious Khadim Al-Ikhwa account with the missing (red arrow) line in Arabic



The real (top) and suspicious (bottom) Khadim Al-Ikhwa accounts coexisting simultaneously on Twitter on January 6, 2017

R3 was also posted on Twitter but had different characteristics than R2. It appears to have been released first on the Twitter account of Abou moussa (@aboumoussa270), an account posing as a French pro-ISIS account, and was allegedly a French-language version of Rumiyah 5. Similar to R2, R3 was also released prior to the official R1 release.



Promotion and download link to the alleged French-language version of Rumiyah 5 (Twitter.com/aboumoussa270, January 6, 2017)

As previously noted, the content of R3 could not be examined. Nonetheless, some observations can be made regarding the dubiousness of its release. First, R3 was not released via official ISIS channels. Unlike previous Rumiyah issues (and the majority of ISIS content, for that matter), which were hosted on the IA, R3 was hosted on dropfile.to instead. Additionally, at least one Twitter account warned about the presence of malware in R3.



Warning in French about R3 allegedly containing a virus (Twitter.com/SefuAlQattal, January 6, 2017)

R3 was supposedly delivered as a 22.3MB file containing a 38-page PDF document.[7] A virustotal.com scan (image below) of the file revealed it was infected with malware.[8]



Sample malware found in R3. Due to the risk of malware infection, the actual R3 file was not downloaded. Instead, the VirusTotal analysis of the file was obtained by searching for the R3 file's SHA256 hash, which was posted on the Twitter account of SefuAlQattal on January 6, 2017

The Content Of R1, R2, And R3

Content-wise, R1 featured an assortment of articles, including calls for attacks in the West,[9] justifications for killing women and children,[10] and more.[11] R1 was delivered as a 32.8MB, 44-page PDF file.

On the other hand, R2 was delivered as a 57.0MB, 33-page PDF file. R2 was also supposedly free of malware.[12] Content-wise, R2 included an assortment of well-written and well-presented articles, with similar themes and language as used in previous Rumiyah issues. This was very surprising considering previous attempts to compromise jihadi magazines typically resulted in corrupt files or files containing detectable malware. Thus, the purpose of R2 is unclear, but most importantly, R2 begged the question – why would someone invest this much effort to create a magazine that closely resembled the original, but was in fact fake?



Sample articles appearing in R2
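The report's handling of R3 (looking up a posted SHA256 on VirusTotal rather than downloading the file) and its comparison of R1 and R2 by size and page count amount to a simple triage routine: fingerprint the bytes, compare them against a trusted copy, and check the hash against what others have already reported. The following Python is an added example of that routine and is not code from the report or from MEMRI; the three sample PDFs are constructed in the block (the report gives no hashes, and the real files are not reproduced), and `make_pdf` is a toy writer that emits only the objects the checks need.

```python
"""Triage a purported magazine release without trusting it: fingerprint
the bytes (SHA256, size, PDF page count), compare against a trusted copy,
and check the hash against publicly reported malicious hashes.
Added example; the sample files below are constructed, not the real ones."""
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of the file's bytes. This is the value one searches for
    on a service like VirusTotal instead of uploading or opening the file."""
    return hashlib.sha256(data).hexdigest()


def pdf_page_count(data: bytes) -> int:
    """Count page objects in a PDF. The trailing \\b stops '/Type /Pages'
    (the page-tree root) from being counted as a page."""
    return len(re.findall(rb"/Type\s*/Page\b", data))


def fingerprint(data: bytes) -> dict:
    """The three characteristics the report uses to tell releases apart."""
    return {
        "sha256": sha256_hex(data),
        "size_bytes": len(data),
        "pages": pdf_page_count(data),
    }


def assess(candidate: bytes, trusted: bytes, reported_bad: set) -> list:
    """Return the reasons the candidate should not be trusted.
    An empty list means it is byte-identical to the trusted copy."""
    cand = fingerprint(candidate)
    ref = fingerprint(trusted)
    reasons = []
    if cand["sha256"] in reported_bad:
        reasons.append("sha256 matches a hash publicly reported as malicious")
    if cand["sha256"] == ref["sha256"]:
        return reasons
    reasons.append("sha256 differs from the trusted copy")
    if cand["pages"] != ref["pages"]:
        reasons.append(f"page count {cand['pages']} != expected {ref['pages']}")
    if cand["size_bytes"] != ref["size_bytes"]:
        reasons.append(f"size {cand['size_bytes']} bytes != expected {ref['size_bytes']}")
    return reasons


def make_pdf(pages: int, filler: bytes) -> bytes:
    """Constructed minimal PDF-like byte string with the given number of
    page objects (enough for the checks above; not a full PDF writer)."""
    objs = [b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj"]
    kids = b" ".join(b"%d 0 R" % (3 + i) for i in range(pages))
    objs.append(b"2 0 obj << /Type /Pages /Kids [" + kids + b"] /Count %d >> endobj" % pages)
    for i in range(pages):
        objs.append(b"%d 0 obj << /Type /Page /Parent 2 0 R >> endobj" % (3 + i))
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\n% " + filler + b"\n%%EOF\n"


# Constructed stand-ins for the report's files: a trusted official copy,
# a re-typeset look-alike with a different page count (as with R2), and a
# copy whose hash a third party has reported as malicious (as with R3).
TRUSTED = make_pdf(4, b"official layout")
LOOKALIKE = make_pdf(3, b"re-typeset look-alike")
TROJANED = make_pdf(4, b"official layout plus payload")
REPORTED_BAD = {sha256_hex(TROJANED)}  # stands in for a hash posted by others


def triage_all() -> dict:
    """Assess each constructed sample against the trusted copy."""
    return {
        "trusted": assess(TRUSTED, TRUSTED, REPORTED_BAD),
        "lookalike": assess(LOOKALIKE, TRUSTED, REPORTED_BAD),
        "trojaned": assess(TROJANED, TRUSTED, REPORTED_BAD),
    }


if __name__ == "__main__":
    for name, reasons in triage_all().items():
        print(name, "->", reasons or ["matches trusted copy"])
```

The order of checks matters: the reported-hash match is evaluated first so that a file flagged by others is reported as such even when its size and page count happen to line up with the official release, which is exactly the case the report describes for R3, whose promotional banner reused R1's cover. The page-count regex is deliberately conservative; on real files, where page objects can live inside compressed object streams, it should be treated as a hint, and a proper PDF parser run in an isolated environment is the right tool.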

Nonetheless, close inspection of R2 revealed inconsistencies and an overall lack of attention to detail in its design.

R1 and R2 – detailed analysis below



Zoomed in view: R2 (top) features altered spelling, font, and color schemes



R2 (right) with altered spacing and font size

On the other hand, despite the fact that its content was not reviewed, there is an interesting observation to be made about R3: Its promotional poster, which appeared on the Twitter account of Abou moussa prior to the release of R1, featured the actual front cover and foreword of R1. This is unlike R2, which had a different front cover. This suggests that whoever posted R3 had somehow gained early access to R1. However, if such an individual or body obtained access to R1 ahead of its official release, why weren't additional measures taken to better disguise it as a legitimate ISIS release?



(Top) Front page and foreword of R1, (bottom) R3 promotional banner showing R1's front page and foreword

Conclusion

The cyber war being waged against the Islamic State is critical to undermining it. Operations launched as part of these efforts have many purposes and are carried out through a multitude of vectors. The end goal of any attack, however, should be proportional to the effort put in to carry it out. Assuming the release of R2 and R3 was in fact part of an intelligence operation, regardless of the entity behind it, its goals should be evaluated. And while R3 supposedly aimed at infecting anyone downloading or viewing the file with malware, the true purpose of R2 remains unclear. The planning, execution route, and overall amount of effort put into releasing R2 and R3 varied in each case. Yet, a very important lesson to consider in that regard was the jihadi response, or lack thereof, to the release of R2 and R3. Generally speaking, jihadis were not fooled by either version, as is evident in the lack of chatter about R2 and R3 and the significantly low number of users reposting download links to R2 and R3.[13] With jihadis being mindful of the trusted release channels used by ISIS, its release methods, and other characteristics associated with it, the release of R2 and R3 in the above format was doomed to fail. But even if R2 and R3 had been released under perfect conditions, that is to say, the release utilized (compromised) official ISIS channels, included legitimate-looking magazines in multiple languages, and perhaps also had undetectable malware embedded in it, it would not have stopped ISIS from quickly realizing what was happening and issuing warnings about it.

*M. Khayat is a research fellow at MEMRI.