Virtual Caliphate: How Russia is fighting IS* online

In February 2015, Andrey Masalovich, a former FAGCI lieutenant colonel and creator of the Avalanche content analytics system, touched down in Kazan: a matter of national importance was waiting for him there. In four months, the republic was to host the World’s Water Sports Championship. The Special Services were concerned about terror attacks. People who had left to build the caliphate under the banners of IS* were coming back home from Syria. Some had had a chance to be in a battle, others had just undergone training. Avalanche was supposed to trace the extremists’ online and social media connections and warn security officials about any threats in advance. “We wanted to conduct a full inventory [of the extremists] to clean up the field before the spring was over”, says Masalovich.


The “Clean-up” was going on all over the country at the time. About 2,400 Russians had left for Syria, according to the American Soufan Group, which specializes in strategic intelligence (see report "Foreign fighters. Updated estimates of the influx of foreign fighters into Syria and Iraq"). Criminal cases were opened in the Motherland against 650 of them. Not everybody returned. “More than 2,000 Russia-born bandits, including 17 field commanders, were killed in Syria,” Defense Minister Sergei Shoigu reported to Vladimir Putin on the day the decision was made to withdraw troops. The war was going on not only in Syria, but also in cyberspace.


According to Group-IB estimates, Islamist hackers from the Global Islamic Caliphate, Team System Dz, and FallaGa Team groups have attacked about 600 Russian websites of government agencies and private companies.

A single Turkish hacker, ZoRRoKiN, launched a series of DDoS attacks on 22 sites in the course of a single week in January 2015: Prime Minister Dmitry Medvedev’s, the Ministry of Justice’s, the Ministry of Defense’s, the Federal Customs Service’s, the Ministry of Finance’s, Rosatom’s, Aeroflot’s, VTB’s, etc.

Social networks were actively being used to raise funds for the war against infidels and to recruit new jihad warriors. “IS invests a lot of money in highly professional targeted propaganda - this allows them to recruit new fighters,” Senator Dmitry Sablin, First Deputy Chairman of the “Battle Brotherhood”, tells Forbes. Last summer, he sent a statement to the government and the State Duma on the activity of IS on the Internet. “Terrorists are recruiting a significant portion of new supporters through social media. And for now, they are in the lead, we are merely reacting”.

Private companies are now actively participating in the fight against Islamists. Battles are fought on all cyber fronts: blocking of terrorists’ accounts and electronic wallets, the hunt for recruiters, monitoring of suspicious employees in offices. Forbes has decided to find out how it works.

Recruitment failed

Varvara Karaulova, an 18-year-old MSU student with top marks, went to Syria to marry a man whom she knew only through the Internet: first, through a Vkontakte group of CSKA FC fans, and then through Viber and WhatsApp. The IS recruiter had made the girl convert to Islam, change her name to Aminah, abandon her family and get on a flight to Istanbul. But they didn’t get a chance to meet. Pavel Karaulov, the fugitive’s father, roused the press, the Ministry of Foreign Affairs, the FSB and the Turkish police. Varvara was detained in the border town of Kilis together with a group of fugitives. Karaulov is a man with connections. He was a managing partner of the Divizion network, and in 2011 he became a general director of the “Informzaschita” group of companies, which was developing information security tools under contracts from special services and government agencies. Could the terrorists have been using the girl as a tool to put pressure on her father? “I’m not ruling that out”, Karaulov admits to Forbes. “A victim’s social standing is of significance to the recruiters too – the price tags [for ransom] vary”.

The name of the recruiter, who had managed to infatuate Varvara Karaulova, was Airat Samatov. He is a native of Tatarstan. And together with him, 59 people had left the republic in 2014-2015, according to the regional Ministry of Internal Affairs, to join the IS. Out of those, six have returned. “These are people with training, with combat experience. It could very well have been “sleepers” - agents who are waiting for a signal to “wake up” and carry out an order”, says Andrey Masalovich.

In February 2015, he arrived in Kazan to set up the work of Avalanche, his content analytics system, on the spot. By that time, Masalovich, as a former officer of FAGCI, had had a lot of counterterrorism and counter-Internet-terrorism experience. After the Biryulevo pogroms in 2013, “Lavina Pulse” – an early-warning system based on Avalanche – was used by the Department of Operational Investigation Information of the Ministry of Internal Affairs (UVOI). In 2014, Avalanche was functioning at the Sochi Olympics: reference materials were prepared for the administration of the Ministry of Internal Affairs about Internet threats – kompromat, provocations. In Tatarstan, Masalovich was contracted by the law enforcement agencies to conduct an analysis of terrorist and extremist activity.

Five years ago, the republic resembled the North Caucasus. The “Forest Brotherhood”, who called themselves “the Mujahedeen of Tatarstan” (“Chistopol Jamaat”), emerged in the south, in the oil-rich Nurlat region. In 2012, the “Forest Brotherhood” launched an attack. The Muslim theologian Valiulla Yakupov was shot at the entrance of his own house. An hour later, the car of mufti Ildus Fayzov was blown up. Seven Orthodox churches burned down in the republic in 2013. Somebody opened fire from a homemade grenade launcher on the territory of OJSC “Nizhnekamskneftekhim”. By the middle of 2014, the security forces had defeated the Chistopol Jamaat, but suddenly, IS made an appearance.

It took a week for Masalovich’s team to deploy Avalanche. Initially, the analysts manually “shot” the sources of immediate threats – “Radical Islam”, “People from North Caucasus”, etc. Then, the search robots began working on these targets; they combed through the “white” Internet – the media, social networks, forums, blogs. The information found was automatically sorted into subjects (“smart files”) and formed the basis of dossiers, reports or forecasts.

At the same time, Avalanche worked on social media: it analyzed and built the structure of relations between members of the “Chistopol Jamaat” (see screenshot) and IS fighters: recruiters, opinion leaders and support groups were identified. For the purposes of visualization, Masalovich transfers the collected information to Gephi (a visualization and graphing program) as a tree of connections. Masalovich does not disclose details of the investigation - an operational secret – but as an example he demonstrates the HalifatNews group on VKontakte. “At first glance, the audience is not very large - 146 men and 32 women,” notes Masalovich. “But it includes preacher Ibada Lillahi, who coordinates the activities of Muslim women’s groups. Look at her peers. Impressive, isn’t it?”


Recruiting through social media never happens in the open; nobody directly tells someone to join the IS, an Avalanche developer notes. Neutral groups like “Hijab lovers”, or more aggressive ones like “We are against the USA” are created, and recruiters come into contact with those who actively like or comment on posts. “A recruiter needs two things: for you to talk to him, and interest him with your views on a situation,” Masalovich says.

According to him, recruiters choose children from poor families, give them some money, work on them, then start to scare them by saying that the intelligence agencies are already looking for them.

Recruitment usually ends with “blood tying” - the candidate is forced to commit a crime. It’s different for girls – the fate of a military wife or a suicide bomber is what awaits them.

Your money or your life?

A man in a kaffiyeh is pointing a gun directly at my chest. A bloody blaze is behind him. Below is a caption: “He who equipped the warrior on a campaign on the path of Allah himself took part in it, and who replaced a participant in such a campaign in the care of his family took part in it”, and the details of the QIWI wallet and Yandex money. This post is on Vkontakte, on the page of one of Ufa’s residents. If these are not online scammers, then the funds will most likely go to finance terrorists.

Electronic payment systems aren’t ready to risk their reputation. In the summer of 2014, QIWI, in addition to its existing anti-money laundering and counterterrorism financing tools, hired Sidorin Lab agency to monitor social networks and search for extremist posts with QIWI wallet details. “This subject is a high priority,” confirms QIWI corporate risk payment service manager Denis Persanov. “We have a popular service, with about 16 million active customers, and we always harshly suppress the occasions when extremists or scammers try to use it.”

At the start, Sidorin Lab had been finding a lot of suspicious wallets. “It was the peak, then the amount began to decline,” Persanov recalls. Sidorin Lab sends screenshots and addresses of suspicious wallets to QIWI, and they block them in accordance with the requirements of internal policies and the Anti-money Laundering and Counterterrorism Financing Act. “The company works closely with law enforcement,” Persanov says, without elaborating on details. This means that the investigators subsequently try to unravel the financial web and find the trace of not only the intended recipients, but also those who had transferred the funds.

The simplest task was to find groups or posts on VKontakte, in which the IS supporters called to chip in for the war with infidels, said Nikita Prokhorov, deputy general director and co-owner of Sidorin Lab. When moderators began to delete such groups and posts, requests for financial assistance started to appear in the comments and chats. “The extremists are trying to disguise themselves: they embed the details directly in photos or in videos – that way, they are harder to detect”.

In the summer of 2015, Sidorin Lab acquired another customer interested in the subject of extremists - the “Battle Brotherhood”. “Our intelligence services are systematically engaged in the search and blockage of accounts associated with IS. And we are assisting them to the best of our ability,” explains Senator Dmitry Sablin. “The second direction is ideological opposition to the terrorist recruitment. IS propagandists take advantage of distrust of bureaucracy, loneliness, disappointment, a thirst for justice, which is so natural among young people. There are excellent psychologists among them.” According to Sablin, the “Battle Brotherhood” has a special group that counteracts recruiters - it includes experts on anti-terror, Internet security, Arabists and Syrian spiritual leaders.

Last summer, Dmitry Sidorin at Sablin’s request participated in preparation of an analytical note on IS activity in the Russian Internet segment. “We were stunned by the sheer numbers: in those days the amount of mentions of the IS in social networks reached 10,000 mentions per day,” recalls the founder of the company Dmitry Sidorin. According to him, the distribution of news and messages about the IS was mainly carried out by VKontakte and Facebook.

A contact in a relevant FSB department confirms that cooperation between special services and private contractors does take place, but it’s most likely unofficial. “We are not officially allowed to use third-party software,” says a Forbes source. “Of course, we have our own developments - in the social media search and analysis. Tools may change, but such work has never stopped”.

According to him, the greatest interest of the authorities now lies in the secure communication channels through which coordination takes place - Zello Internet radio, or Pavel Durov’s Telegram messenger. “The encryption level is very good here, but it’s often important for field investigators to establish the fact that a person is communicating with another person using secure communication channels,” Masalovich confirms. Chats of popular online games also fell under suspicion. For example, in the game Clash of Kings, says one of the special services agents, there was an Arab group where calls were constantly made to join the IS.

“Under the hood”

The head of a central warehouse was arrested at a large electronics store with a network all over Russia. He was using company trucks that transported goods to the regions to traffic drugs. Drug trafficking is one of the main sources of terrorists’ income, said Lev Matveev, chairman of the board of directors of SearchInform. So, under the guise of legitimate work, the drug dealer had created a whole network, but he gave the game away - he discussed all issues on Skype.

A DLP system had been installed in the company. Such a system allows you to track every click of an employee in the office - to monitor and intercept corporate and personal mail, messages on social media, Skype conversations, queries in search engines, application usage, etc. According to SearchInform data for March 2016, 1688 client companies have already requested installation of policies to identify terrorist threats. First of all, such a service is of interest to companies from the oil and gas sector, industrial, state and defense enterprises, companies from the financial sector, and retail.

To find “strangers among friends” in an office, the program uses special dictionaries. For example, the IS policy includes dictionaries containing special terms: fatwa, shahada, ummah, kaafir, kafir, munafiq; synonyms, for example, of the word “Muslim”: muslim, muslik, true believer, druse, haji, khaji, Islamist; slang expressions: Kalash, thumper (grenade launcher), box (BTR), samovar (mortar), bra (unloading vest). When one of these target words surfaces in the correspondence of an employee, this immediately becomes known to a security officer.


In one company, correspondence of employees in a corporate chat got intercepted - they were discussing the war in Syria. One of them spoke negatively about the role of Russia. The system reacted to the “negativity”, security officers “dropped” an unreliable employee and saw that this person was downloading and printing religious brochures at work. He was not fired but was included in the “risk group”. If a security officer finds evidence of violation of the law, he is obliged to notify the authorities. Business plays it safe: if terrorist accomplices are found within the company, they will also have problems – it would be a huge stain on their reputation.


The demand for such services – technology for monitoring extremist statements – emerged about 5 years ago, according to InfoWatch sales director Constantine Levin. “Today, client businesses want to protect themselves against the risks associated with the fact that their employees might be members of organizations banned in Russia,” Levin notes. InfoWatch's Kribrum uses linguistic technology to monitor social media and analyzes more than 60 million messages from 250 million accounts and 20,000 media daily. “This allows us to think that we at least see the big picture,” says Levin. According to him, our state is still acting as a defending side in the information war, and only responds to threats, at best: “Technologies developed by our company, as well as others, can help Russia - at least to even the score and proceed to attack within the Runet”.

Levin gives the most typical recruitment example that InfoWatch has seen in Russian companies: a handsome oriental-looking man meets a girl from Russia online, makes her fall in love with him and invites her to live in Finland, Sweden, or Norway. And that’s where the religious cultivation begins.

“The girl then ends up in Syria, alone in a foreign country, fully under the influence of her beloved, and can become a suicide bomber”.

It can go in a different direction, too. After the Varvara Karaulova story, management of one company decided to control the Internet activity of employees in the office: communication in forums, chat rooms, visits to extremist sites and reading religious literature. Among the queries found, for example, there was this: “Who are the infidels?” Or “We all belong to Allah, and we all return to him.” And two female employees were discussing via a chat room a new Facebook acquaintance - he was a true Muslim, was asking one of the girls to get married and offering to buy a ticket to Turkey. “The security guards immediately held a workshop where they talked about recruitment and social engineering methods,” says Matveev from SearchInform. “They didn’t fire the girl, but it seems that they put her off Internet dating.”

IS* - a terrorist state banned in Russia.
