Propaganda images reveal how terrorists think

Researchers have used artificial intelligence to analyse over 30,000 propaganda images produced by the Islamic State (IS) between 2014 and 2022. 

17. October 2024
A group of IS soldiers with weapon and an IS flag.
From Diyala, Iraq, in the spring of 2022: a group of IS soldiers swears Bay’ah – an oath of allegiance to the new IS caliph. This is one of the 30,000 IS images that have now been analysed. 

Propaganda is an important part of the operation of a terrorist organisation. They use text, video, audio, and images to not only spread fear, but also to recruit and build their image internationally. By using the internet and social media, even terrorist groups with limited resources can reach a global audience.

Read more

Nærbilde av en antenne i fjellet over Bleik på Andøya. Antennen består av flere hvite antenner som peker mot Bleik.
News

Jamming – a technological cat-and-mouse game

In Russia, most mobile base stations are equipped with jamming equipment. Norwegian authorities could learn from this, says FFI researcher Anders Rødningsby. September 9-13th the world’s largest open jamming test was conducted at Andøya.

For researchers studying terrorist groups, propaganda material is an important source in understanding who the actors are, what they want, and how they operate. The challenge for researchers is the sheer amount of propaganda that is being produced, which makes it almost impossible to get an overview through manual means. 

FFI-Report 2023

Maskinlæring for tematisk inndeling og analyse av propagandabildene til IS (Den islamske staten)

Mathias Bynke, Vidar Benjamin Skretting, Bernt Ivar Utstøl Nødland
Read more
Download

Because IS controlled a large area in Syria and Iraq for several years, they gained more resources and more members who could work as ‘journalists’ or content producers. Propaganda was clearly a prioritised area in the organisation, and the battles they were involved in provided them with plenty of raw material. 

‘IS stood out because their propaganda was better than the content of earlier terrorist groups. They managed to create a “brand” and a linguistic and visual expression that appealed to the youth, combined with extremely brutal content where close-ups of killings were almost a given,’ explains Skretting. 

Although the group is now marginalised in its original core areas in Syria and Iraq, its branches in other parts of the world have made significant progress – especially in Africa. IS still maintains a unified and substantial propaganda apparatus. 

Read more

News

Tested new defense technology during Arctic Strike 2024

The armed forces cannot spend years acquiring and putting into use new equipment in the current situation, says Chief of the Norwegian Army, Lars Lervik. He wants less talk and more action.

IS – a pioneer in terrorist propaganda 

The researchers have based their work on the extensive image material published on IS’s official channels over the years. The dataset, consisting of 30,000 images, was fetched from an IS bot on Telegram. 

‘IS has revolutionised how non-state actors and terrorist groups conduct propaganda. This is considered one of the keys to the group’s success,’ says researcher Vidar Skretting. He co-authored the report with colleagues and AI researchers Mathias Bynke and Bernt Ivar Nødland.

The rise and fall of IS 

In 2013, a group called the Islamic State in Iraq and the Levant (ISIL), managed to occupy large parts of Syria and Iraq. In 2014, they seized Mosul, Iraq’s second-largest city. Shortly thereafter, ISIL declared that they had established a new caliphate, to which all Muslims were obliged to submit. At the same time, they removed the geographical reference from their name and adopted ‘the Islamic State’ as their designation, or IS for short. 

From 2014 to 2018, IS gained international notoriety for its brutal conduct. They implemented a reactionary form of Islamic law and carried out executions and amputations of prisoners, genocides against minorities, public slave trading, and numerous terrorist attacks on civilian targets in the Middle East, Asia, Africa, and Europe. 

At the same time, they wanted to show that they had established a true Islamic ‘state’. The group emphasised creating a civil state apparatus and established institutions for law and order, tax collection, education, and healthcare. In addition to violence and brutality, the ‘civil’ side of IS became a recurring theme in the group’s propaganda production. 

IS reached its territorial peak in 2015, when the group controlled about one-third of both Iraq and Syria. After this, IS was gradually pushed back by an international coalition. The last IS-controlled area was captured by Kurdish forces in early 2019. Thus, IS went from being a state-like entity back to an underground organisation.

A dedicated IS social media 

Initially, IS used established social media platforms like Twitter (X), Facebook, YouTube, and, later, the Telegram app to spread their content. 

‘The spread of propaganda on social media is one of the reasons so many foreign fighters from around the world joined IS,’ says Skretting. 

‘Today, it’s much more difficult for IS to reach out. Major social media platforms remove such content almost immediately after it’s posted. However, IS still manages to disseminate its content effectively through other channels, and it’s relatively easy for sympathisers to find them,’ Skretting adds. 

IS spreads its propaganda through three main channels: ‘private’ social media platforms that they run on their own servers, bots on Telegram, and regular indexed websites. 

‘The private social media platforms IS runs have been active for years. Telegram bots and the indexed websites are regularly taken down by administrators and authorities but are usually reopened by IS under different names shortly thereafter,’ says Skretting. 

Two researchers present at an FFI event.
Mathias Bynke (to the left) and Vidar Skretting (to the right) present their report during an FFI event on 12th of December 2023. Photo: FFI / Anders Halvorsen Fehn.

Sorting 30,000 images 

In their work, the researchers used a machine learning model from OpenAI called Contrastive Language-Image Pre-training (CLIP). The model is trained to compare images with text. 

CLIP has been trained by collecting enormous amounts of images and corresponding captions from the web. By comparing millions of images and captions, the model has gradually learned how images can be described in words and, conversely, how an image might look based on the text describing it. 

By running the 30,000 images through CLIP, the researchers could, for example, ask the model to find all images showing a ‘person praying’ or ‘combat action.’ However, instead of manually defining the categories in which the images should be sorted, the researchers used a clustering algorithm to group the images by theme. 

‘We didn’t know in advance which descriptions would suit various themes. When you provide the CLIP model with a limited number of categories, an image of a man diving into a river could easily end up in the category “image of someone praying”,’ explains Mathias Bynke.

Illustration of the Clip model.
The Clip model.

The CLIP model translates an image into an embedding vector, that is, a sequence of numbers. It also translates the image captions into a sequence of numbers. If you have an image of apples, the number sequence for the image should be approximately the same as the number sequence for the text ‘image of apples.’ 

The number sequence that CLIP generates for each image can be converted into coordinates in a coordinate system. This gives each image a position on a map. Then, an algorithm can cluster these points into groups. You can choose how many clusters you want, and the algorithm organises the images for you. 

When the researchers asked the algorithm to create two clusters, one group was dominated by military images, and the other by civilian images. 

In the end, they settled on 14 different named clusters: combat scenes, soldiers outside combat, enemy bodies, executions and killings, close-ups of individual fighters, weapons, civilian crowds, peaceful scenes, collapsed buildings, civilian casualties, food, public works, crafts and industrial production, and burning cigarette packets.

What have we learnt about IS from the images? 

Once the images were sorted, the researchers wanted to answer the following question: How has IS’s image propaganda evolved from 2014 to 2022, and what does this development tell us about IS as a group? 

‘The images IS publishes, the number of images published, and where they are published give us an indication of what IS is doing, how active they are, and in which areas they’re active,’ says Skretting. 

He believes that insight into the development of terrorist organisations can be important in predicting their direction and strategies: By looking at the images from the African provinces where IS is on the rise, we might gain insight into where IS is heading in the future. 

The analysis shows that in the early years (2014–2018), IS presented itself as both a military organisation and a civil state apparatus. This is linked to their attempt to build a ‘real’ Islamic state. 

Since 2019, the focus has shifted. IS now presents itself almost exclusively as a military movement and insurgent group. 

Two men working.
An example of one of the ‘civil’ images of IS’s Iraq and Syria branch, in the ‘public works’ cluster.

2015 was the year IS was most active in terms of propaganda. Nearly half of all the images in the dataset are from this year, which coincides with the time when IS was at the height of its power in Syria and Iraq. Thus, most of the images in the material are from Syria and Iraq. 

‘The group has been defeated in their previous primary areas but is rebuilding in Africa. We also see this trend in the image material,’ says Skretting. 

Activity was at a low point in 2020 but has since increased. The majority of images are now published in West and Central Africa. These differ from those produced in the Middle East in several ways. 

‘There is much less focus on individual jihadists and martyrs. At the same time, the propaganda images are generally more brutal. They’re dominated by military content, reflecting the fact that they are most active as a military organisation,’ says Skretting. 

Further development of the methods is needed 

The researchers conclude that the combination of CLIP and clustering algorithms is an effective method for quickly analysing large amounts of propaganda images. 

‘The division into clusters was not perfect. A certain proportion of the images appeared misclassified, and we had to implement mechanisms to filter these out. But the method helps to speed up the analysis,’ says Skretting. 

He emphasises that the combination of CLIP and clustering algorithms can be used for more than analysing terrorist images. 

‘The method is relatively simple and scalable. You can easily use it to sort image collections far larger than 30,000 images into thematic clusters. The method is particularly useful if you don’t know a lot about the content of the image material in advance.’ 

The researchers believe we should further develop machine learning methods to map propaganda from state and non-state actors. 

‘This type of method is not only relevant for image analysis but also for getting an overview of large text, audio, and video materials,’ stresses Mathias Bynke. 

Av Espen Hofoss

Terrorisme
Propaganda
Islamic State
FFI-Report 2025

Forsvarsindustrien i Norge – statistikk for 2024

We have studied key figures for 2024 from companies in the Norwegian defense industry. The industry has collectively reported a continued growth in defense-related revenue of 34 %. Revenue from the Armed Forces, other Norwegian customers, and foreign customers all increased. The four largest companies accounted for 70 % of the total defense-related revenue. Revenue from foreign customers grew by 34 % from 2023 to 2024. This consists of exports and revenue from foreign subsidiaries, which increased by 40 % and 27 %, respectively. Defense-related research and development (R&D) increased by 87 % from 2023 to 2024. This includes both self-financed R&D and R&D funded by others, which increased by 77 % and 92 %, respectively. The defense-related order backlog continued to grow—by 71 % in 2024. The order backlog was more than three times the total defense-related revenue. The number of defense-related full-time equivalents (FTEs) in the companies was 42 % higher than in the previous measurement. Norwegian FTEs and FTEs in foreign subsidiaries contributed roughly equally to the increase. The statistics are based on data from 91 companies, 21 more than in 2023.
FFI-Report 2025

AInception scenario and storylines

Modern military operations across the entire spectrum of war are highly dependent on Information and communication technology (ICT) infrastructures and services. This dependency is also a target for adversary state and non-state actors who are developing advanced offensive cyber capabilities. These capabilities pose a serious and constant threat to friendly military operations and place a great demand on the defending side to hinder, stop or mitigate advanced adversarial activities. Techniques for incident management, detection and response using Artificial Intelligence (AI) are particularly promising for enhancing defensive capabilities, with sophisticated detection and response that can learn and adapt to dynamic changes in the cyber environment. The EDF project AInception seeks to exploit such approaches, conducting research and development of novel AI-based tools and techniques for cyber defence of military operations. The project covers three fundamental areas: establishment of a military context to ensure sufficient realism and relevance; development of novel AI-based tools and techniques; and simulation and collection of data required to develop and evaluate the tools and techniques. This report documents the core work in AInception related to the scenario-based aspects of the military context. Its purpose is to provide an unclassified, publicly available source for this material to support future work. The content has been extracted from AInception deliverables without significant modifications. The material includes: • A scenario consisting of the geopolitical strategic situation of multiple countries on a synthetic (artificial) continent. One set of countries are designated Blue (friendly) and others Red (adversary or opposing). • A story focusing on two specific countries and their partners, with a main timeline split into different phases ranging from peacetime to crisis and armed conflict. • Six storylines covering the use of military forces in one or more tactical situations, with their own internal logic and dynamic, set along the main timeline. The storylines have military operations or activities taking place across the air, land and maritime domains. The storylines cover the strategic intent and military objectives of Red and Blue forces, the Blue order of battle, the Blue IT/OT/IoT infrastructure in use and Red cyber operations. Discussions of possible cyber incidents and simulation aspects are also included. Taken together, this material can serve multiple purposes in research and development. For instance, it can function as a tool for engaging with military experts and eliciting information and assessments; provide operational settings for the development of tools and techniques; and in general inform a recognizable, realistic and relevant context for military users and experts.
FFI-Report 2025

Rammeverk for forsvarlig sikkerhetsnivå for IKT i Forsvaret – bruk for et taktisk kommunikasjonsnettverk

The Armed Forces are an organization critical to national security and therefore subject to the Norwegian Security Act. As a result, the Armed Forces are required to establish and maintain an adequate level of security for the assets that enable them to fulfill their function effectively. The Armed Forces’ information and communication technology (ICT) is one such asset. According to the Security Act, an appropriate level of security should be based on a functional approach and be risk-driven, but implementing this in practice has proven to be challenging. The Norwegian Defence Research Establishment (FFI) has been working on developing a framework to address this issue by offering a structured and verifiable methodology for risk assessments related to the Armed Forces’ use of ICT. This report provides an overview of the framework’s components developed so far and introduces a fictional, but concrete, example of a tactical communication network to demonstrate its application. The results presented here, bar the fictional example, have been published previously in peer-reviewed articles but are compiled here for the first time in a more comprehensive and consistent manner. The framework consists of two main parts. The first is an approach to break down and model the Armed Forces’ functions and the ICT systems and infrastructures that support these functions in a way that highlights their interconnections. The second is a method that uses this functional model to carry out the necessary risk assessments in a traceable, holistic, and verifiable manner. The aim is to provide a better basis for evaluating potential security measures while considering both regulatory and functional requirements related to risk assessments and making it possible to determine what an adequate level of security should be. The example addresses the assessment of a network infrastructure intended to connect several different tactical networks and enable seamless information flow in combat-related situations. The purpose is to demonstrate how the framework can be used to derive a better risk-based decision-making foundation for security-related evaluations—not to propose specific technological solutions for an actual tactical communication network. Our conclusion is that the framework is approaching a maturity where it can be applied in practice, and it does indeed provide more structured and traceable assessments in line with the intention in the Security Act. However, the lack of a more granular functional breakdown of the Armed Forces’ tasks and of well-defined operational scenarios prevent us from conducting more comprehensive assessments. Additionally, some digital tools are needed to manage the large and complex models required to use the framework.
FFI-Report 2025

A global energy interconnection? – exploring China’s strategic ambitions and security implications for Norway

This report investigates China’s Global Energy Interconnection (GEI) initiative, a proposed global power grid designed to accelerate the green energy transition through ultra-high-voltage transmission lines and smart technologies. While the GEI promises significant sustainable benefits − such as enhanced energy reliability and reduced emissions − it also raises security concerns. The potential benefits of GEI include increased technical and operational reliability, strengthened cross-border cooperation and greater societal stability and welfare. Perhaps most significantly, it offers a means to accelerate the green transition whilst meeting globally rising energy demands. The GEI may also raise security concerns for small states like Norway. Through the lens of strategic competition, and drawing on theorisations of structural realism, liberal institutionalism, power distribution and weaponised interdependence, Chinese renewable initiatives may accommodate Beijing’s strategic interests, thus challenging world order and liberal institutions. Whilst disregarding Beijing’s potential intentions, this report utilises Norway as a case study to explore how small states may be challenged by intensifying great power competition and rivalry. Our report highlights how cross-border energy infrastructure and dependencies may develop strategic vulnerabilities, thus increasing the risk of adverse incidents or opening avenues of exploitation. We attribute these vulnerabilities to the following aspects: • Dependency on Chinese technology may make Norway more susceptible to indirect and non-coercive influence from China. • The increasing complexity of the energy system may challenge system safety. • Dependencies may be weaponized, possibly being used to coerce or for surveillance and espionage.
FFI-Report 2025

Nukleær elektromagnetisk puls (NEMP) og moderne infrastruktur

This report covers vulnerabilities in the wake of a nuclear electromagnetic pulse (NEMP, or nuclear EMP) events. The report describes typical damage mechanisms related to NEMP, the legal framework for protection, requirements, and possible mitigation. Since the end of the Cold War, the risk of nuclear war has seemed low, and the Norwegian Armed Forces has put less emphasis on threats such as electromagnetic radiation from nuclear detonations and NEMP. The war in Ukraine, however, has brought nuclear threats back on the agenda, and North Korea and other states have developed nuclear weapon capabilities. Accordingly, protective measures against NEMP and other nuclear weapons effects should be prioritized higher going forward. In the Norwegian civil context, there are legal requirements for NEMP protection of critical infrastructure like electrical power distribution and telecom. Within the NATO alliance, the requirements and specifications for NEMP immunity are defined in military standards. When physical testing of materiel against realistic simulated threats are required, Norway holds facilities to handle test objects up to medium-sized vehicles. Testing of larger objects must be performed abroad. The digitalization of the Armed Forces’ materiel and infrastructure follows the civilian technology developments. This means that the modernization of the military sector mirrors the developments in the civil society. Consequently, there are increased possibilities and more need for interaction with entities within the civilian service providers, materiel, and digital infrastructure. This is beneficial from an economy perspective, but challenging with respect to military requirements for resilience against extreme threats, such as NEMP. From both practical and economical points of view it would be beneficial if the approach to requirement specifications and practical approaches to NEMP protection were more unified and holistic. Ideally, a corresponding regime should also cover important civilian entities.
FFI-Report 2025

Simulation of multi-domain operations for experimentation and analysis – requirements and available tools

The future operating environment is expected to become increasingly complex, lethal, and ambiguous. The operational tempo in high-intensity operations is expected to increase, and effects will be increasingly cross-domain and contemporaneous. An essential question is: How can our forces conduct successful military operations in this envisioned future operating environment? The proposed solution is multi-domain operations (MDO). MDO is an overarching concept for future operations where the underlying idea is seamless integration of capabilities and activities across all the operational domains (land, maritime, air, space, and cyberspace) to present the enemy with multiple simultaneous dilemmas and achieve overwhelming local superiority in time and space on the battlefield. MDO will, however, be inherently much more complex to execute than current operations of the same scale, due to a higher diversity of combat elements and capabilities (from all operational domains), higher requirements for synchronization of capabilities, activities, actions, and effects, and higher requirements for operational tempo. Experimentation and analysis are key enablers for concept development and provide the ability to iteratively explore, test, refine, and validate concepts. Modelling and simulation (M&S) and wargaming will be essential in experimentation with, and further development and detailing of, the MDO concept. However, M&S of the future operating environment and MDO will also be correspondingly more complex. In addition, very few, if any, of the simulation tools currently available can represent combat elements and capabilities in all operational domains at a sufficient and balanced level of fidelity throughout the combat model. In a simulation for experimentation and analysis, the specific requirements for the synthetic environment will ultimately depend on the objective of the simulation – for example, answering a specific research question. Nevertheless, at FFI we need a holistic synthetic environment as a basis for experimenting with, and analysing, combat across all operational domains in an operating environment five to twenty years into the future. Furthermore, we envisage that we need to provide insight into both detailed research questions at the tactical/engagement level and more overarching research questions at the operational level. In this report, we outline a set of overall requirements for simulation of the future operating environment and MDO for concept development, experimentation, and analysis. We then evaluate a set of available entity-level, constructive simulation tools against these requirements. Our preference is to have one simulation tool that supports all domains, instead of connecting two or more simulation tools that only support a subset of the five domains. None of the evaluated simulation tools meet all our requirements. We recommend that the way forward is to test these simulation tools more thoroughly in relevant scenarios at FFI, to see how well they work in practice.