Cyber jihad loosely refers to Islamic extremist terrorists’ use of the Internet as a communications, fundraising, recruitment, training, and planning tool in their war against their enemies. Some of their most commonly cited enemies include the U.S., Western European countries, secular Arab governments, and Israel.
As far back as 2016, a 20-year-old was sentenced to 20 years in prison for hacking into a U.S. government database to obtain the personally identifiable information (PII) of military members and other employees for ISIL.
A recent WhoisXML API threat research that sought to expand the publicly available list of indicators of compromise (IoCs), specifically 67 domains, connected to cyber jihad attacks uncovered these additional artifacts:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
Over time, researchers have collated several domains hosting sites supporting ISIL/ISIS efforts. Our research team obtained 67 domains, which we used to conduct an IoC list expansion study.
First, however, we subjected the IoCs to screenshot lookups to see which of them currently host live content. A third of the IoCs (26 to be exact) remain live to this day. Here are four of them.
Most if not all of the domains that continued to host live content look like news sites or personal blogs.
A bulk WHOIS lookup for the IoCs revealed that they were created between 1996 and 2022. It also showed that only one domain—kiblat[.]net—was owned by what seems to be a news agency. The WHOIS records of all the remaining digital properties were either privacy-protected or left blank.
To expand the current list of IoCs, we used the domains as DNS lookup search terms, which gave us 228 IP address resolutions. A bulk IP geolocation lookup for these showed that a majority were based in the U.S., followed by the Netherlands, Germany, the U.K., and Denmark.
We then ran the IoCs through historical WHOIS searches, which uncovered 38 unredacted email addresses. These could belong to the owners of the websites believed to have ties to cyber jihad activities. A majority of them (24 to be exact) looked like personal Gmail addresses.
Using the email addresses as reverse WHOIS search terms and the IP addresses as reverse IP lookup terms led to the discovery of an additional 544 domains that could be connected to the threat. Of these, 67 hosted live content that looked similar to that seen on the IoCs, including the four shown below.
A bulk WHOIS lookup for the additional domains showed that they were newer than the IoCs, with creation dates ranging from 2016 to 2022. None of the registrant organization names in their records pointed to legitimate businesses either.
A comparison of the IoCs’ and additional domains’ registrant countries showed that most of them (around 60% for both categories) were based in the U.S. Also, Canada and China joined the top 5 geolocations for the two sets of domains.
Finally, a bulk malware check for the 545 possibly connected domains showed that two—douglaskemp[.]com and jhuf[.]net—were malicious according to several malware engines.
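The pivot sequence described above (DNS resolutions, unredacted historical WHOIS emails, reverse WHOIS and reverse IP, then geolocation) as an added offline Python example; it is not part of the original research, and the lookup tables, domain names and the `max_shared` shared-hosting cutoff are constructed assumptions standing in for real API responses. The cutoff goes slightly beyond the post: reverse-IP pivots on an address with many tenants are skipped, since shared hosting tends to pull in unrelated domains.

```python
from collections import Counter

# Constructed sample lookup tables (stand-ins for WHOIS, DNS, reverse WHOIS,
# reverse IP and geolocation services; none of these values are real data).
WHOIS = {
    "seed-one.example": {"created": 2016, "emails": ["owner@example.com"]},
    "seed-two.example": {"created": 2020, "emails": [None]},  # privacy-protected
}
DNS_A = {
    "seed-one.example": ["203.0.113.5"],
    "seed-two.example": ["203.0.113.5", "198.51.100.9", "192.0.2.1"],
}
REVERSE_WHOIS = {"owner@example.com": ["seed-one.example", "pivot-a.example"]}
REVERSE_IP = {
    "203.0.113.5": ["seed-one.example", "seed-two.example", "pivot-b.example"],
    "198.51.100.9": ["seed-two.example"],
    # 192.0.2.1 models a shared-hosting address with many unrelated tenants.
    "192.0.2.1": ["seed-two.example"] + [f"tenant{i}.example" for i in range(120)],
}
GEO = {"203.0.113.5": "US", "198.51.100.9": "NL", "192.0.2.1": "DE"}


def expand_iocs(seeds, max_shared=50):
    """Pivot from seed domains to IPs, unredacted emails and new domains.

    Returns (ips, emails, new_domains); new_domains maps each candidate to the
    set of pivots that surfaced it, so every finding stays traceable.
    Reverse-IP pivots on addresses hosting more than max_shared domains are
    skipped (assumption: such IPs are shared hosting and mostly noise).
    """
    seeds = set(seeds)
    ips = {ip for d in seeds for ip in DNS_A.get(d, [])}
    emails = {e for d in seeds for e in WHOIS.get(d, {}).get("emails", []) if e}
    found = {}
    for e in sorted(emails):
        for d in REVERSE_WHOIS.get(e, []):
            found.setdefault(d, set()).add(f"reverse_whois:{e}")
    for ip in sorted(ips):
        tenants = REVERSE_IP.get(ip, [])
        if max_shared is not None and len(tenants) > max_shared:
            continue  # shared-hosting IP: too many tenants to be a useful pivot
        for d in tenants:
            found.setdefault(d, set()).add(f"reverse_ip:{ip}")
    return ips, emails, {d: why for d, why in found.items() if d not in seeds}


def geo_breakdown(ips):
    """Count resolutions per country, like the bulk geolocation step."""
    return Counter(GEO.get(ip, "unknown") for ip in ips)
```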
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.