Moscow Attack Requires Renewed and Coordinated Focus on Islamic State-Khorasan

Tech Against Terrorism's analysis confirms with high certainty that the Moscow concert hall attack was carried out solely by Islamic State-Khorasan. The confusion and disinformation in attributing the perpetrators could force the terror group to conduct deadlier attacks to solicit greater attention. 

Key Points 

• Following competing perpetrator claims, Tech Against Terrorism investigates the digital fallout and identifies Islamic State-Khorasan (IS-K) as the likely perpetrator of the Moscow attack. 
• Even though President Putin has begrudgingly attributed the correct perpetrators, the prior confusion risks strengthening the terror groups’ resolve.
• Telegram singled out as a primary channel for the terrorists, once again emphasising with renewed urgency the need for action against the poorly regulated messaging app. 

Investigators at Tech Against Terrorism have used a variety of intelligence assessment techniques to analyse the likely perpetrators of the Moscow concert hall attack on March 23 that claimed at least 137 lives. The exercise aimed to provide an objective view for a range of stakeholders including policymakers and tech platforms.  

To inform this analysis, Tech Against Terrorism have investigated the claims and counterclaims about the perpetrators’ identity and motivation. Analysts have scrutinised the digital fallout from the attack to confirm that the Islamic State-Khorasan is highly likely solely responsible for the attack. 

Tech Against Terrorism’s analysis of the group following the Moscow attack raises several urgent considerations for policymakers.  

1. The attack once again emphasises the threat posed by IS-K. Established as a regional competitor and antagonist of the Taliban, the group now strikes well outside the Taliban’s field of operation; IS-K declared geographical reach now extends to central Asia and Russia. Since 2022, IS-K has intensified its efforts to implement a more aggressive propaganda strategy aimed at attracting recruits and funding from new regional audiences, particularly ethnic Uzbeks and Tajiks. The group has already attacked Iran in a bombing in Kerman earlier this year. Following the Moscow attack, both France and Italy have increased their threat levels.  
2. The attack sheds light on how IS-K has developed a highly effective recruitment and propaganda network online and relies on the internet for attack planning as well as recruitment and fundraising. To disseminate its propaganda, IS-K exploits social media, messaging, and file-sharing platforms, archiving services, and dedicated websites.  
3. The attack exposes the appeal of messaging platforms such as Telegram and WhatsApp. Telegram has been a particularly indispensable tool for terrorist and violent extremist actors around the world. For the Moscow attack, there are reports that the app was used to recruit the assailants. The app has been instrumental in providing a platform for IS-K to share its official claim of the attack and for IS-K supporters to discuss the attack. Telegram poses a particular counter-terrorist challenge and has demonstrated an inconsistent approach to removing terrorist content. 
4. After the attack, Tech Against Terrorism analysts observed disquiet among online IS-K supporter channels due to the Russian authorities initially failing to acknowledge the group’s involvement in the Moscow attack. In one forum, supporters decried the Kremlin’s initial insistence to attribute the atrocity to anyone but IS-K. In another, a meme was shared apparently mocking Russia’s insistence on Ukrainian involvement.  The denial of an international consensus in acknowledging the group’s responsibility may serve to fuel the group’s adaptation in planning and publicising future attacks. It is likely that there will be some form of update to the group’s tactics, techniques, and procedures to ensure it can benefit from the infamy and even prestige resulting from a clear consensus on its force projection capabilities. 

Adam Hadley, Executive Director of Tech Against Terrorism said:

“Effective counter-terrorism requires swift investigation, unencumbered by politics. Sadly, in the aftermath of the Moscow attack, we witnessed a great deal of confusion to attribute the identity of the assailants correctly. We are now at risk of Islamic State-Khorosan undertaking deadlier attacks in order to prove its force projection capabilities. With ongoing geopolitical turmoil, we are not surprised that the Islamic State-Khorasan is exploiting the perceived and actual fragmentation of global counter-terrorism efforts. The terror group is exploiting vulnerabilities that we have spent years attempting to address by building a strong international coalition against terrorism, and an ever-vigilant online space that seeks to limit the digital footprint of terrorist and violent extremist actors.”