Da’esh Move to ZeroNet

December 2016

Question (Follow-up QL3): The response to QL5 (see Appendix A) noted that ISIL is moving to the ZeroNet platform for peer-to-peer messaging, which is extremely robust to distributed denial-of-service (DDOS) attacks and other countermeasures. What effect could this have on Intel efforts?

Author | Editor: Robinson, S., Perez, E., Derrick, D. & Ligon, G. (University of Nebraska, Omaha).

Through our research into Da’esh cyber messaging (Derrick et al., in press), we have identified an emerging trend in Da’esh forum, propaganda, and fundraising websites: the use of the ZeroNet application. ZeroNet is a peer-to-peer application that uses the same cryptography as Bitcoin and other cryptocurrencies (such as those exchanged through shapeshift.io). As Da’esh users begin publishing their websites through ZeroNet instead of on conventional servers, visitors can only reach those websites (e.g., blogs, chat forums) through the ZeroNet application. Visiting a site also makes the visitor a seeder of it for other viewers, because the website is distributed to and from many locations and many small servers rather than one host. When the website is updated, the update is pushed out to all seeders. Every site visited is thus also served by its visitors, creating a distributed publishing system that reaches well beyond a single physical site owner.

Implications

The use of this application is another instance of Da’esh acting as an early adopter of IT innovation (Ligon, Derrick, Logan, Fuller, Church, Perez, & Robinson, 2016). ZeroNet is built for hosting all types of dynamic websites, and any type of file can be distributed on it (e.g., VCS repositories, databases). Creating a ZeroNet website is straightforward: instructions can be found on a variety of open source websites1 and the application is easily installed. The implications we have identified are: 1) DDOS is no longer an option for technical interdiction unless all seeding accounts can be hit at the same time; 2) taking down a website that violates a provider’s terms of use (e.g., suspicious content, hate speech) is no longer an option; 3) social engineering will play a larger role in gaining access to protected sites; and 4) cyber interdiction may need to focus on heavier preventative measures rather than post hoc take-downs/removal. However, one positive implication is that Blue could also use the seeding to find supporters of Da’esh in the following ways. First, by seeding real or other content, analysts can become part of the network that hosts these websites. This can allow them to monitor who seeds the content and so identify other potential supporters. This technique is limited, however, if the other seeders use an anonymizer, such as an anonymous VPN or Tor; the ability to find other seeders will often (not always) be limited by the organization’s ability to analyze the Tor network. Similarly, as with other Da’esh-endorsed applications (e.g., Dawn of Glad Tidings), by monitoring who downloads the ZeroNet application in the months following its endorsement on Da’esh communication channels (circa October 2016 and the weeks following), one could track the IP addresses of those who do not use Tor to mask their identity (this instruction was not included in the initial post about downloading ZeroNet). Second, because the content is secured in the same manner as a Bitcoin wallet, Bitcoin hacking and identification techniques would also be effective on this application. Finally, an innovative way to take down content is to infiltrate creator accounts and push updates with blank content, disrupting the files held by the seeding accounts.

1 Websites such as https://zeronet.readthedocs.io/en/latest/faq/ walk users through the pros and cons of ZeroNet and are available in at least 22 languages.
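To make the publishing model described above concrete (the site is tied to its owner’s key, updates are pushed to every seeder, and no single host can be taken down), the following is an added example and not ZeroNet’s own code: a toy network in which the site address is derived from the owner’s public key, seeders accept only updates that verify under that key, and knocking most seeders offline leaves the content served. A hash-based Lamport one-time signature stands in for the Bitcoin ECDSA keys ZeroNet actually uses; the `Peer`, `publish`, `takedown` and `still_served` names are assumptions of this example.

```python
import hashlib, os

# Added illustration, not ZeroNet code. A Lamport one-time signature (hash
# based, stdlib only) replaces ZeroNet's Bitcoin ECDSA keys; the trust model
# it shows is the real one: peers verify every update against the owner key.

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    # 256 secret pairs; the public key is their hashes. Sign once per key.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> (255 - i)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(sig[i]) == pk[i][b] for i, b in enumerate(bits(msg)))

def site_address(pk) -> str:
    # ZeroNet uses a Bitcoin address of the owner key; a hash of pk here.
    return H(b"".join(a + b for a, b in pk)).hex()[:34]

class Peer:
    """One seeder. It stores and reseeds only owner-signed content."""
    def __init__(self, address: str, owner_pk):
        self.address, self.owner_pk, self.content = address, owner_pk, None

    def receive(self, content: bytes, sig) -> bool:
        if not verify(self.owner_pk, content, sig):
            return False          # forged or tampered update is dropped
        self.content = content
        return True

def publish(peers, content: bytes, sig) -> int:
    """Push an update to every seeder; returns how many accepted it."""
    return sum(p.receive(content, sig) for p in peers)

def takedown(peers, n: int):
    return peers[n:]              # model knocking n seeders offline

def still_served(peers) -> bool:
    return any(p.content is not None for p in peers)
```

The only party that can change what the surviving seeders hold is whoever controls the owner key, which is why the text above treats creator accounts, not hosts, as the point of interdiction.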

Conclusions

Our assessment indicates that taking down user content hosted on ZeroNet will be more difficult because of its crowdsourced, distributed platform. However, collection of data may in fact be easier. Moreover, using the techniques we recommended and others developed to harvest data from Bitcoin users, it may in fact be easier to identify other seeders and downloaders than it has been from 2014 to the present.
