Islamic State-Khorasan Province’s Virtual Planning

Editor’s Note: The Islamic State’s caliphate was ended five years ago, but the group and its various provinces continue to conduct and plot terrorist attacks. Rueben Dass of the S. Rajaratnam School of International Studies describes how the group now uses virtual planners to direct and inspire attacks around the world and notes the limits of virtual planning as well as its dangers.

Daniel Byman

***

On March 22, four Tajik nationals perpetrated an attack on the Crocus City Hall in Moscow that resulted in the deaths of more than 130 people and left scores more wounded. The Islamic State claimed the attack. The involvement of Central Asian nationals and the method of attack pointed further to the involvement of the Islamic State in Khorasan province (IS-K), the Islamic State affiliate based in Afghanistan.

The Moscow attackers were alleged to have been recruited and guided via the online messaging app Telegram. In an interrogation video that surfaced online, one of the attackers revealed that an online preacher had reached out to him via Telegram and enticed him to carry out the attack in exchange for remuneration. Several of IS-K’s (and before that, the Islamic State’s) plots have involved individuals being recruited and guided using online messaging apps. If the Moscow attackers were indeed recruited and guided in this way, it demonstrates the continued and evolving role that virtual planning plays in current terrorist modus operandi.

The Islamic State’s Virtual Planning Model

Virtual planning refers to the method of one or more planners providing guidance via virtual means to operatives located in target countries to carry out attacks. Guidance may be provided to varying degrees in the form of target selection, method of attack, and ideological and/or logistical support.

During the height of the Islamic State’s activity, virtual planning played a key role in the group’s external operations playbook. A 2016 study noted that at least 16 of the 38 Islamic State-associated terror plots in Europe from January 2014 to October 2016 involved some level of “online instruction from members of [the Islamic State’s] networks.” Similarly, eight out of the 38 Islamic State-inspired plots that targeted the United States between March 2014 and March 2017 involved an online component. Some plots involved a more active role on the part of the planner while others involved relatively limited communication, but the extent of their involvement can be difficult to discern in some instances given the encryption of online communications.

In the past, the Islamic State’s virtual planning was alleged to have been under the purview of a division called the Amniyat al-Kharji (AAK). The AAK was one of the four units of the Islamic State’s security apparatus, known as the Emni. AAK was believed to have been led by Islamic State chief propagandist Abu Muhammad al-Adnani. His role, however, was largely strategic in nature and limited to providing approvals for operations. The actual day-to-day operations of the unit were suspected to have been carried out by a French national named Abu Sulayman al-Firansi, who was believed to have been directly involved in the 2015 Paris and 2016 Brussels attacks.

The AAK was divided into several regional theater commands, where leaders were tasked to recruit, guide, and train potential operatives according to their regional and linguistic capabilities. In some cases, operatives would travel to Syria, receive training, and be sent back to carry out attacks. In others, operatives in target countries would be guided solely through virtual means by planners who were in conflict zones. Examples of key planners include British national Junaid Hussain, Frenchman Rachid Kassim, and Tajik national Tojiddin Nazarov.

Based on analysis conducted by the author, in at least 44 percent of the 57 virtually directed Islamic State plots between 2014 and 2020, Telegram was used as a method of communication. The number of virtually planned Islamic State plots decreased drastically post-2016, which can be explained by two factors. First, the decrease coincided with the killing of key planners, which mostly took place between 2015 and 2017. Second, the Islamic State lost most of its territory in the Middle East around 2018.

While virtual planning does not require the group to hold territory, the group’s declining image and reduced glamor as it lost ground may have reduced its appeal among prospective operatives. The constant counterterrorism pressure that the group was facing in the Middle East may also have led to the Islamic State not having the temporal and strategic bandwidth to continue planning these sorts of attacks.

However, the virtual planning modus operandi remained and has evolved with the rise of IS-K, which has developed its external operations capabilities and planned attacks outside of Afghanistan.

IS-K’s Use of Virtual Planning

The Washington Institute for Near East Policy has noted that at least 15 IS-K plots, nine of which were in very advanced stages, have been discovered in foreign countries, which include India, Iran, Germany, Qatar, and Turkey. A January 2024 UN Security Council report also noted “the existence of current and unfinished operational plots on European soil” linked to IS-K. Despite lacking territory, IS-K maintains a reasonable external operations capability and is believed to have around 80 foreigners who plot overseas attacks within its organizational structure.

Nationals from Central Asian countries seem to have played key roles in many of these plots. The Security Council report noted the increasing appeal of IS-K among Tajik networks and highlighted the role of an individual named Khukumatov Shamil Dodihudoevich (who uses the kunya Abu Miskin), a key recruiter and moderator of the IS-K Telegram channel “Mustakim Khurasan.”

Remote direction has played a key role in the planning of some of IS-K’s identified foreign plots. A case in point was the December 2023 plot in Kyrgyzstan involving two 16-year-old teenagers who had planned on attacking the central square of Jalal-Abad and a church. The teenagers were alleged to have been “remotely recruited via the Internet,” and authorities had found instructions for making explosives and “correspondence with recruiters” on their smartphones.

There are previous examples, as well. In December 2022, two Central Asians were arrested in Turkey for plotting an attack on New Year’s Eve celebrations in Istanbul. The duo was alleged to have received instructions from Islamic State members in Afghanistan. In July 2023, nine individuals from Central Asia, arrested in Germany and the Netherlands for plotting attacks and fundraising for the Islamic State, were found to be in contact with IS-K members in Afghanistan. A key Islamic State operative and facilitator based in Turkey was also found to be in communication with the group’s leadership in Afghanistan via Telegram.

Similarly, in April 2020, a four-man Tajik Islamic State cell was arrested for plotting to attack U.S. and NATO bases in Germany. The cell was in contact with and had received instructions for the attack from an Islamic State operative called Abu Fatima via Telegram. Abu Fatima and Tojiddin Nazarov had also guided another Tajik national, Rakhmat Akhilov, to carry out the 2017 Stockholm attack via online messaging applications.

Iranian government reports have noted that one of the January 2024 Kerman suicide bombers was a Tajik national named Bazirov Bozrov, who had formed links with the Islamic State through Telegram. He was alleged to have received operational training in an Islamic State camp in Badakhshan province, Afghanistan, before being dispatched to Kerman for the attack. Similarly, the 2023 Shah Cheragh shrine attacker—Rahmatollah Nowruzof, who was also Tajik—was alleged to have linked up with the Islamic State through “the internet” and had trained in Afghanistan for three months before carrying out the attack. Although the nature of the recruitment and the planning of the operation is unclear in both cases, social messaging applications were probably involved.

The Evolution of Virtual Planning

The Islamic State’s virtual planning seems to have evolved from a central, systematic tactic to one that is more decentralized and diffused. From having well-known planners that were associated with the AAK—the likes of Junaid Hussain and Rachid Kassim during the Islamic State’s heyday—the methodology seems to have been adopted by a diffused network of individuals and sympathizers who are attempting to rally fellow sympathizers online and motivate them to carry out attacks. These new recruiters fill important roles, but their work falls short of formal planning.

IS-K seems to be one of the entities that has been making use of virtual planning in its attacks. In the Moscow case, one of the attackers was alleged to have been in contact with individuals who went by the names “Abdullo” and “Muhammad,” whose identities remain unknown. Other reports suggest that the attackers were recruited by a Telegram group linked to IS-K and were directed by an individual called “Sayfullo,” who was the main architect of the attack.

Similarly, in the Kerman attacks, the identities of the individuals who were in touch with the attacker are unknown. Unlike some previous Islamic State plots, in which the details of virtual direction were evident, the role of virtual direction in the Moscow attacks (and others, such as the 2024 Kerman and 2023 Shah Cheragh attacks) is not completely clear possibly due to information being withheld by security services and a lack of reporting. Nevertheless, the online connection is still noteworthy.

Apart from IS-K and Afghanistan, instances of virtual planning have also come out of Iraq. In September 2021, reports emerged of an alleged Islamic State explosives expert based in Iraq called “Abu Harb.” He was alleged to have been linked to two 16-year-olds of Syrian nationality in Germany who were arrested for plotting bomb attacks in the country. Abu Harb was found to have acted as a virtual guide providing at least one of the boys with instructions on manufacturing explosives and guidance on selecting targets and carrying out attacks via Telegram and WhatsApp.

Limits to Virtual Operations

Although the role of virtual planning in external operations is one that demands attention, a few caveats must be highlighted. Most of the Islamic State attacks that involved virtual planning failed and were foiled by the security services before they were carried out. For example, based on analysis by the author, 89 percent of the Islamic State’s virtually directed plots between 2014 and 2020 resulted in failure. This may be due to the susceptibility of online communications to interdiction and the lack of experienced operatives on the ground. Out of the ones that were successful, most involved simple attack methods, such as knives and vehicles as opposed to explosives.

Additionally, the more recent, more successful IS-K plots that allegedly involved online communications between attacker and recruiter/planner, including the Kerman and Moscow attacks, were in fact detected by intelligence agencies. U.S. intelligence warned both the Iranians and the Russians of possible attacks prior to the incidents. Whether these plots were detected solely because of the online communications or other types of intelligence remains unclear. However, their detection demonstrates that these plots could have been stymied and that virtual direction is not as foolproof as some may claim it to be.

Also, IS-K’s external operations machinery is not solely dependent on virtual planning. The existence of a web of external networks of Afghans and Central Asians in Russia and other countries in Europe plays a key role in the group’s external operations capabilities. For example, the Moscow attackers were believed to have been linked to a wider network that was based in the Kaspiysk and Makhachkala regions of Dagestan. Raids by the Russian security services in the latter case led to the discovery of explosives and other weapons. The attackers are also believed to have wider links in Turkey and Tajikistan.

A Comprehensive Counterterrorism Approach

Owing to its ease of access and the proliferation of internet connectivity worldwide, virtual planning is likely to remain an attractive tool in the modern-day terrorist playbook. The increasing use of the internet and the proliferation of various new encrypted social messaging platforms will only increase the threat. Groups like IS-K with external operations capabilities and intent will likely capitalize on these approaches.

However, virtual planning often falls short of leading to large-scale attacks without physical coordination and logistics. While the Moscow attacks hinted at the role of virtual planning, existing networks are also likely to have contributed significantly to the attacks. Though virtual planning is relatively easy and accessible, it is also susceptible to interdiction. This demonstrates the importance of comprehensive counterterrorism strategies that address both virtual and physical aspects of terrorist operations.