From territorial to virtual: Is ISKP the next Al Qaeda?

The Islamic State's most lethal province utilises encrypted communication channels for planning attacks, with almost minimal physical interaction.
Published June 27, 2024 Updated June 27, 2024 11:55am

“We beat them through their own app; all they can do is delete our IDs,” an Islamic State (IS) supporter from Qawqaz, the Arabic name for the Caucasus region, boasted in a closed chat room on the Darknet. He was live-updating other IS members about the attack that killed more than 140 people at a concert hall near Moscow in March — the worst attack to hit Russia in years.

Soon after, the militant Islamic State’s Khorasan Province (ISKP) claimed responsibility for the attack. While there was no official word on the motive, security analysts have pointed out that for at least two years preceding the attack, the ISKP had been fixated on Russia, frequently criticising Putin in its propaganda.

In fact, this is hardly the first attack carried out by an affiliate of the militant Islamic State in Russia. In October 2015, a plane carrying Russian tourists from Sharm el-Sheikh in Egypt to St Petersburg crashed. According to investigators, an explosive device had been placed in the hold, and IS claimed responsibility. Two years later, a bomb attack in the St Petersburg metro killed 15 and left 45 others injured. While no group claimed responsibility for the attack, the perpetrator was believed to be inspired by IS.

In recent years, the militant group’s regional affiliate, the ISKP, appears to have grown both in capabilities and the intensity of the attacks it has carried out. Months before the Moscow attack, the ISKP claimed responsibility for the twin-bombing that killed 84 people in Kerman, Iran, during a memorial procession for Maj Gen Qasem Soleimani.

The latest attack on Moscow’s Crocus Hall has further raised concerns about the group’s capabilities, sophistication in operations, recruitment, planning, and execution of large-scale attacks in areas considered most secure in the world. This incident has heightened perceptions of the group’s ability to strike at the heart of seemingly impenetrable targets, manifesting their ability to outsmart even the most technologically advanced adversaries.

What is the ISKP?

Since its inception in 2014, the militant Islamic State (IS) has resurrected archaic geographies and distributed itself into quasi-regional demarcations known as wilayah (provinces). There are currently 23 wilayah of the militant group active across the globe, with the Khorasan chapter considered the most lethal, and the Eastern and Western African chapters deemed the most lucrative.

ISKP takes its name from an old Persian term for the region, Khorasan, that included parts of Iran, Turkmenistan and Afghanistan, as well as areas of Tajikistan and Uzbekistan. The group’s formation was announced in January 2015 by the then-IS spokesman Abu Muhammad al-Adnani. The militant outfit attracted most of its initial recruits from splinter factions of the banned Tehreek-i-Taliban Pakistan (TTP) as well as other parts of Central Asia such as Uzbekistan and Tajikistan, with former TTP commander Hafiz Saeed Orakzai serving as its first leader.

Today, the extent of the group’s capabilities and reach can be gauged from the testimony of General Michael Kurilla, the chief of US Central Command (Centcom), during two hearings with US lawmakers. In March 2023, General Kurilla warned lawmakers about the growing threat posed by ISKP, stating that the group had become a global threat with sophisticated operational planning, capable of executing global operations against the US or Western interests within six months “with little to no warning”.

A year later, in March 2024, General Kurilla reiterated the same concern during a US Senate committee hearing, emphasising that “IS-Khorasan retains the capability and will to attack US and Western interests abroad”.

Elusive terrorist entity

Of all the militant Islamic State’s affiliates, the ISKP stands out as its most dangerous and operationally potent regional franchise, with a rapidly expanding transnational reach and a robust presence in the cyber realm. Unlike its other regional counterparts, the ISKP has strategically advanced its cyber capabilities by transitioning from a territorial presence to a largely virtual one since 2018, making it an exceedingly elusive terrorist entity to track and hunt.

Moreover, ISKP is the only IS affiliate to have developed an independent media architecture via its al-Azaim Media Foundation, which produces content in Arabic, English, Farsi, Pashto, Tajik, Urdu, and Uzbek. This content is not only used to disseminate propaganda against its foreign targets, but also to plan, coordinate and carry out attacks.

According to interviews with former ISKP affiliates and Pakistani officials who monitor the group’s activities, the banned outfit outsources and assigns operations, logistics, and religious authorisation for attacks through encrypted communication channels, which shows the group’s sophistication and adaptability.

At present, the group heavily utilises encrypted communication channels such as Telegram, Matrix, Element, Threema, Rocket Chat and TeleGuard for recruitment, financial transactions, planning attacks, and tasking terrorists for execution, with almost minimal physical interaction. The vast majority of this correspondence is anonymous, with neither the sender nor the receiver ever knowing each other’s real identity.

Hence, when ISKP terrorists are caught, they can only reveal faceless and traceless encrypted channels as their point of contact. Furthermore, the group has established multiple digital communication channels to attract and recruit individuals from various regional ethnicities including Tajiks, Uzbeks, Afghans, Pakistanis, Turks, Iranian Sunni Arabs, Baloch, and Uighurs.

It is for this very reason that the ISKP poses a grave challenge for investigators seeking to learn more about the group’s capabilities and future intentions. Even senior ISKP members in custody tend to demonstrate limited knowledge of the group’s future operational plans.

“Arrested members of the group will only disclose information to a limited extent,” noted a senior Pakistan official, who wished not to be named. “They would be privy to a certain amount of the group’s operational information, but beyond that, they would be blank.

“Efforts to extract deeper insights from them have largely been unsuccessful, making it difficult to stay ahead of the group’s plans,” the official added.

It is also this very tactic that makes the terror outfit a global threat, with operational planning that surpasses the reach of many regional countries. “The group has exceeded its capabilities beyond the traditional scope of other jihadist groups,” said a senior US counter-terrorism official.

The official, speaking on condition of anonymity, pointed out that “there is a clear pathway to neutralising the group, but it requires global cooperation and Pakistan has a crucial role to play in this effort”.

Fueling mistrust

The ISKP has long sought to instigate a war between neighbouring countries or, at the very least, fuel mistrust among them. To some extent, it has succeeded in its efforts, as Pakistan, Afghanistan, and Tajikistan are now engaged in a war of words, accusing each other of harbouring the group’s operatives.

Soon after its inception in 2015, the militant group established bases in Afghanistan, referred to as “Tamkin” or “base”. Meanwhile, Tajikistan has also become a significant source of manpower for the group, with Tajik affiliates playing increasingly prominent roles in recent terror attacks across the region.

Over the past year alone, Tajik members of the ISKP have been involved in complex attacks in Russia, Iran, and Turkiye, as well as foiled plots in Europe. This intricate dynamic, where the group draws manpower from one country, uses another as a base, and a third as a corridor, has pitted the three neighbouring countries against each other.

In doing so, the ISKP appears to be following a pattern similar to that of Al-Qaeda when the latter, as pointed out by analysts, carried out the 9/11 attacks to lure the US into a protracted guerrilla war in Afghanistan. Based on its modus operandi and propaganda monitoring, the ISKP seems intent on using the region as a staging ground for large-scale attacks in the US or Europe. This would likely draw Western forces into the region, trapping them in another prolonged and bloody conflict.

The ISKP’s pattern of attacks reveals a consistent strategy: launch an extensive propaganda campaign against the target — which could be a state, international organisation, Islamic sect or religious-political party — before striking it.

Subsequently, the group issues a “fatwa” (religious decree) authorising the attack, followed by accumulating resources and then executing the operational plan to carry out the attack.

This pattern has been observed in several instances, including the attacks on the Russian Embassy and a Chinese hotel in Kabul, the attack on the Pakistani Charge d’affaires in the Afghan capital, the suicide attack in the Bajaur tribal district of Khyber Pakhtunkhwa targeting Pakistan’s largest religious-political party, the Jamiat Ulema-i-Islam-Fazl, the twin attacks in Iran’s Kerman and the recent attack on western tourists in Bamyan.

Negligence in countering the ISKP threat

The militant landscape in Pakistan is becoming increasingly complex due to the emergence of new outfits and the formation and consolidation of alliances between various factions.

Authorities have long prioritised the TTP threat over the ISKP, which is understandable given the former’s long history, larger public presence, greater ideological appeal and prominent public propaganda efforts.

In contrast, the ISKP has an almost non-existent public presence, limited ideological appeal and secretive nature, as the group’s ideology is marginalised and its propagandists use pseudonyms or remain anonymous, with no public faces or identifiable names. However, despite these differences, the ISKP has demonstrated an alarming capability to carry out attacks of greater magnitude than the TTP or other regional militant entities.

The government’s failure to effectively counter the ISKP’s threat is evident in Bajaur where the group has carried out several targeted assassinations and large-scale attacks. Meanwhile, the authorities’ reactionary approach, focused solely on kinetics, only responds to the ISKP after large-scale attacks, allowing the group to continue its operations under the radar.

The lack of a comprehensive strategy to counter the ISKP, which relative to the TTP is still in its nascent stages, enables the group to grow its tentacles in Pakistan, both operationally and ideologically. Currently, the group is heavily utilising Central Asian nationals for operations and revenue generation, but if it begins to use Pakistani soil or nationals for regional or global attacks, it could pose significant diplomatic challenges to the country, which is already battling insurgents on several other fronts.