The concept of cyber-terrorism, or extremists utilizing offensive cyber techniques, is one that gains wide publicity and grabs attention; but what is the reality of this threat? There is often very little detail associated with these reports and even less about how these threats may develop in the future. The fact is that extremist groups have always used the internet to great effect, from the dissemination of propaganda, securing communications and radicalization, through to direct assistance with operational planning, recruitment and facilitation.
The internet continues to be a key enabling technology for terrorists but it is important to make the distinction between terrorist use of the internet as an enabler and the use of cyber-techniques as an offensive asymmetric capability. Offensive cyber-tactics can be considered as instances where a computer system or network is exploited to obtain information or to disrupt, degrade or destroy computer endpoints or network infrastructure.
Social Media Hijacking, Website Defacements and DDoS
The utilization of offensive cyber-capabilities by terrorist groups, or individuals inspired by their ideology, is a relatively new phenomenon. To date, the majority of these attacks have involved the hijacking of social media accounts, website defacements and Distributed Denial of Service (DDoS) attacks.
The Cyber Caliphate, a group inspired by, but not directly linked to, ISIL, has been associated with well-publicized operations of this nature in recent times. These include the hijacking of Twitter and YouTube pages to coincide with a speech by President Obama on cybersecurity, and DDoS attacks against various French websites in the wake of the Charlie Hebdo attacks. Other extremist groups have defaced websites, including those belonging to news organizations and western government agencies. In some of these attacks, vulnerabilities in the WordPress content management system were exploited.
Even though these types of attacks are not technically sophisticated or devastating, they can cause disruption and reputational damage. They also demonstrate how the utilization of relatively simple techniques can serve as a means to cause a disproportionate effect.
With minor enhancements, these types of attacks could rapidly advance into more concerning threats. Malicious software is becoming increasingly accessible, with DIY Trojan builder kits widely available on the Darknet. We could see website defacements evolve into strategic ‘watering-hole’ compromises, and hijacked social media accounts could be used in the same way.
Cybercrime to fund terrorist activity
Younis Tsouli, jailed in 2005 for distributing bomb-making materials and extremist propaganda, used cybercrime to fund his activities. Tsouli and his associates established an online network of propaganda websites and forums hosted on compromised servers. These enabled Tsouli and his associates to gather 37,000 stolen credit card numbers, along with personally identifiable information, reportedly through phishing operations and the distribution of malicious software. In a separate case, other such actors used social engineering to scam pensioners out of £160,000.
These examples show that cybercrime is a realistic and achievable means of generating additional revenue. The barrier to entry for cybercrime is becoming lower and the return on investment is high, making it an increasingly accessible and low-risk option.
Spear phishing
Distribution of malware via spear phishing is another area in which cyber-tactics can be applied effectively. The most likely use of this technique would be to distribute basic malware to obtain information on an individual or organization for intelligence collection purposes, which could ultimately result in physical targeting.
Indeed, according to a recent report from Citizen Lab, malware was deployed in a spear phishing attack against anti-regime critics in Syria. This differed from attacks previously attributed to likely state-sponsored actors in that it displayed low technical sophistication: no exploits were used, and there was no code obfuscation or any technique to frustrate reverse engineering. However, the attack did employ sophisticated social engineering, in that the content of the spear phishing e-mail was extremely targeted and contained relevant decoy documents. It appears that the purpose of the operation may have been to reveal the physical location of the recipients, possibly for physical targeting.
It is possible that we may start to see terrorist groups, or individuals inspired by their ideology, use similar techniques to distribute malware such as ransomware, but with no intention of ever decrypting the files. If this technique were deployed as part of a campaign targeting a particular sector or group, it could generate widespread disruption and publicity.
The insider threat
The insider threat poses the most viable means by which a terrorist group could have a sizeable impact attacking IT infrastructure, as it requires only limited capability and direct access to the target. This almost became reality in the UK in 2010, in a thwarted insider attack which, if realized, would likely have resulted in severe financial consequences for a major airline and caused a significant amount of disruption. Similar attacks targeting other elements of national infrastructure, such as finance or telecommunications, could have significant consequences.
Although high-profile physical attacks remain the priority for terrorist groups, if this same level of access were offered given the increasing profile of cyber as an attack vector, would the response have been the same?
The End Game and Challenges
There is little credible information openly available to indicate how much emphasis extremist groups are placing at a strategic level on embedding offensive cyber techniques into their operational practices. And although this is likely to be an intention, it is probable that they will face a number of challenges in doing so.
Some of these challenges may include difficulties in recruiting and retaining individuals with sufficient skills. In addition, within theatres of conflict, maintaining a stable internet connection in remote locations is likely to be problematic. This could inhibit a centralized and coordinated group’s ability to maintain effective operations.
Much more likely is the continuing prospect of individuals removed from the conflict seeking to participate remotely, with the possibility of some loose direction from a core terrorist group. An obvious benefit of offensive cyber operations is that geography is not a limiting factor.
This means that a terrorist group’s offensive cyber-capabilities are likely to be fluid in nature. The pool of individuals from which they can recruit or gain support may increase or decrease in relation to specific geopolitical events, for example if the West enters into a new conflict in the Middle East or if the tempo of drone strikes increases.
In the short term it appears that a large-scale cyber-terrorism attack which sabotages infrastructure is unlikely. This view is based on the sophistication of previous and openly documented operations. However, this cannot and should not be ruled out as a possibility in the medium to long term.
In my view, any future operation of this nature would involve insider activity as a core component. A well-placed insider would provide an unparalleled level of access and knowledge of complex systems for conducting a successful and disruptive attack against well secured IT infrastructure.
Beefing Up Security across All Domains
It is likely that we will see the continuing use of cybercrime as a means to raise finances. Although this is unlikely to be a core stream of funding, its prominence may rise as the barrier to entry for cybercrime continues to be lowered, or if other more valuable funding sources are disrupted or lost.
As a result it is important that your organization takes a holistic approach when building your defenses across the physical, personnel and information security domains.
In the short term, a more concerning development may be the use of spear phishing techniques to obtain data for reconnaissance related to physical targeting, or the blending of simpler cyber operations such as DDoS, web defacements or social media hijacking with physical attacks, in order to increase impact and perceptions of capability.