The Cyber Threat and Terrorism

The Cyber Threat and Terrorism

The concept of cyber terrorism, or extremists utilising offensive cyber techniques, is one that gains wide publicity and grabs attention; but what is the reality of this threat? Russian-based Islamic Extremists claimed responsibility for the recent breach at Talk Talk[1].

By Tom Williams

Investigative Consultant

02 Nov 2015

In addition, other recent reporting suggested that Islamic Extremists were responsible for ‘hacking’ government ministers’ e-mail accounts. However, there is often very little detail associated with reporting of this nature[2];most likely due to the information’s sensitivity. This piece seeks to examine the use of cyber tactics as a means to aid and conduct terrorist activities, exploring how this threat may develop in the future.

The Distinction Between ‘Use of the Internet’ and ‘Offensive Cyber Techniques’

Extremist groups have historically utilised the internet to great effect - from the dissemination of propaganda, the securing of communications and radicalisation, through to direct assistance with operational planning, recruitment and facilitation - the internet continues to be an enabling technology for much of their activity.

A good example of terrorist use of the internet as an enabling technology would be the attempted bombing of Times Square in 2010. Central to this plot was Faisal Shahzad. Shahzad used public web cameras to conduct reconnaissance of his targets. In addition, Shahzad and his associates utilised file sharing websites in order to share operational details and used remote conferencing software as a method for communication. A proxy server was also used in order to conceal the online presence of the group, and they planned to use YouTube as a means by which to claim the attack [3].

However, it is important to make the distinction between terrorist use of the internet as an enabler and the use of cyber techniques as an offensive capability. For the purpose of this piece, offensive cyber tactics will be considered as instances where a computer system or network is exploited in order to obtain information, or to disrupt, degrade or destroy computer endpoints or network infrastructure.

Social Media Hijacking, Website Defacements and Distributed Denial of Service

The utilisation of offensive cyber capabilities by terrorist groups, or individuals inspired by their ideology, is a relatively new phenomenon. To date, the majority of these attacks have involved the hijacking of social media accounts, website defacements and Distributed Denial of Service (DDoS) attacks.

The Cyber Caliphate, a group inspired by but not directly linked to ISIL [4], have been associated with well-publicised operations of this nature in recent times. This includes the hijacking of CENTCOM’s Twitter and YouTube pages (the attacks coincided with a speech by President Obama on cyber-security)[5], and DDoS attacks against various French websites in the wake of the Charlie Hebdo attacks [6]. Other extremist groups, claiming an affiliation with ISIL, have defaced various web sites, including those belonging to news organisations and western government agencies. In some of these attacks, vulnerabilities in WordPress, the Content Management System, were exploited [7].

Whilst these types of attacks are not technically sophisticated or devastating, they do cause disruption, reputational damage and promote extremist activities. They demonstrate how the utilisation of relatively simple techniques can serve as a means to cause a disproportionate effect. Further, these types of operations illustrate how a collection of individuals inspired by a terrorist group’s activities and ideology can remotely enhance the profile and perceived capabilities of a terrorist group.

With minor enhancements, these types of attacks could rapidly advance into a more concerning threat. Malicious software is becoming increasingly more accessible, with DIY Trojan builder kits widely available on the Darknet. We could see web site defacements evolve into strategic watering-hole compromises. These types of attacks could be utilised in order to gather intelligence on targets of interest, which may assist in the facilitation of physical operations or extremist funding. In the same way, the hijacking of social media accounts could be utilised to gather information on potential targets, instead of spreading propaganda [8].

Cyber-Crime as a Means to Fund Terrorist Activity

In 2005 Younis Tsouli, a Morrocan immigrant living in London, who was jailed for distributing bomb making materials and Al Qaeda propaganda, utilised cyber-crime in order to fund his activities. Tsouli and his associates established an online network of jihadist propaganda websites and forums hosted on servers that Tsouli had compromised. Tsouli and his associates also had in their possession 37,000 stolen credit card numbers, along with personally identifiable information from the victims. It is reported that this data was obtained through phishing operations and via the distribution of malicious software [9]. In a separate case, ISIL supporters in the UK used social engineering to scam pensioners out of £160,000. It was believed that the proceeds of this operation were intended to be used to fund their travel to Syria and Iraq in order to join and fight with ISIL [10].

These examples display a realistic and achievable way in which terrorist groups could seek to increase the utilisation of cyber-crime as a means to generate additional revenue to fund their activities. This would be an attractive prospect for lone wolf attackers or isolated terrorist cells in order to self-fund activity, by sympathisers for passing on to core groups, or as a centralised method for a core group to generate alternate sources of funding. This could become particularly attractive if other more lucrative revenue streams are lost or disrupted, as funds could be obtained in relatively short order. The barrier to entry with regard to cyber-crime is becoming lower and the return on investment is high, making it an increasingly accessible and low risk option.

Spear Phishing

Distribution of malware via Spear Phishing is another area in which terrorists could utilise cyber tactics as an effective means to aid their operations. The most likely use of this technique would be to distribute basic malware in order to obtain information on an individual or organisation for intelligence collection purposes that could ultimately result in physical targeting.

Although attribution was not confirmed, a recent report from Citizen’s Lab suspected that ISIL were responsible for a spear phishing attack targeting Syrian based critics of the group [11].

Citizen’s Lab reported that malware deployed in the attack differed from that previously used by likely state-sponsored, pro-regime actors in Syria. The attack displayed low technical sophistication in that no exploits were used and there was no code obfuscation or techniques to frustrate reverse engineering. However, the attack did employ sophisticated social engineering techniques, in that the content of the spear phishing e-mail was extremely targeted and contained relevant decoy documents. It appears as though the purpose of the operation may have been to reveal the physical location of the recipients, possibly for physical targeting.

It is possible that we may start to see similar techniques utilised by terrorist groups or individuals inspired by their ideology in order to distribute malware-like Ransomware; but with the intention to never decrypt files. If this technique was deployed as part of a campaign targeting a particular sector or group, it could generate widespread disruption and publicity.

The Insider Threat

In my view, the insider threat poses the most viable means by which a terrorist group could have a sizeable impact attacking IT infrastructure, as it requires only limited capability and direct access to their target.  In the UK, this almost became reality in 2010 when Rajib Karim, an IT expert employed by British Airways (BA), was in contact with Anwar Al Awlaki, the former head of Al Qaeda in the Arabian Peninsula (AQAP), about the prospect of conducting an attack in the West. Karim told Awlaki that he had access to BA’s servers and that he could erase all of the data that resided on them, causing substantial damage. However, Awlaki dissuaded him from conducting this activity in favour of pursuing options to smuggle an improvised explosive device onto a US bound flight [12]. Although it is unclear exactly what systems Karim would have been able to access, if this attack had been realised it would have likely resulted in severe financial consequences for BA and caused a significant amount of disruption. Similar attacks targeting other elements of national infrastructure, like finance or telecommunications, could have significant consequences.

Although high profile physical attacks remain the priority for terrorist groups, if this same level of access was offered to a terrorist group today, with the increasing profile of cyber as an attack vector, would the response have been the same?

Conclusions

There is little credible information openly available to indicate how much emphasis extremist groups are placing at a strategic level on embedding offensive cyber techniques into their operational practices.

And, although this is likely to be an intention, it is probable that they will face a number of challenges in doing so. Some of these challenges may include difficulties in recruiting and retaining individuals with sufficient skill, as over time they could be arrested, withdraw participation or even be killed. In addition, within theatres of conflict, maintaining a stable internet connection in remote locations is likely to be problematic. This could inhibit a centralised and coordinated group’s ability to maintain effective operations.

Much more likely is the continuing prospect of individuals removed from the conflict seeking to participate remotely, with the possibility of some loose direction from a core terrorist group. An obvious benefit with offensive cyber operations is that geography is not a limiting factor.

This means that a terrorist group’s offensive cyber capabilities are likely to be fluid in nature. It is likely that the pool of individuals from which they can recruit or gain support may increase or decrease in relation to specific geopolitical events; for example if the West enters into a new conflict in the Middle East or if the frequency of drone strikes increases. Adding to this is the potential for external influences to enhance a group’s capability or conduct activity on its behalf. For example, there may be situations whereby state-sponsored actors or cybercriminals could seek to collaborate with extremist groups, if the desired outcome of their actions is seen to be mutually beneficial, for either financial or political reasons. Therefore, it will continue to be difficult to accurately assess the actual capability and skill level at the disposal of extremists.

In the short-term it appears as though a large-scale cyber-terrorism attack which sabotages national infrastructure is unlikely. This viewpoint is based on the sophistication of previous and openly documented operations. However, due to the fluid nature of their cyber capability, this cannot and should not be ruled out as a possibility in the medium to long-term. In my view, any future operation of this nature would involve insider activity as a core component. A well-placed insider would provide an unparalleled level of access and knowledge of complex systems which would be core factors in conducting a successful and disruptive attack against well secured IT infrastructure. Therefore, it is important that organisations continue to take a holistic approach when building their defences across the physical, personnel and information security domains.

Much more likely is the continuing use of cyber-crime as a means to raise finances. And although this is unlikely to be a core stream of funding, its prominence may rise as the barrier to entry with regard to cyber-crime continues to be lowered or if other more valuable funding sources are disrupted or lost. In the short-term a more concerning development may be the use of spear phishing techniques to obtain data for reconnaissance purposes related to physical targeting.

Contact and Follow-Up

 Tom is a part of our Response team in Context's London office. See the Contact page for how to get in touch.


[1]http://www.independent.co.uk/news/uk/crime/talktalk-cyber-attack-russia-based-islamic-jihadists-claim-responsibility-for-hack-a6705366.html

[2]http://www.telegraph.co.uk/news/politics/11859005/Cabinet-ministers-email-hacked-by-Isil-spies.html

[3]http://www.ticklethewire.com/tag/times-square/

[4]http://www.isightpartners.com/2015/01/threatscape-media-highlights-update-week-january-12/

[5]http://techcrunch.com/2015/01/12/cyber-caliphate/

[6]http://www.net-security.org/secworld.php?id=17832

[7]https://www.ic3.gov/media/2015/150407-1.aspx

[8]http://abcnews.go.com/International/isis-threat-home-fbi-warns-us-military-social/story?id=27270662

[9]http://www.washingtonpost.com/wp-dyn/content/article/2007/07/05/AR2007070501153.html

[10]http://www.dailymail.co.uk/news/article-3072294/Phishing-gang-plundered-elderly-vulnerable-victims-accounts-fund-jihadists-travel-Syria-join-Isis-extremists.html

[11]https://citizenlab.org/2014/12/malware-attack-targeting-syrian-isis-critics/

[12]http://www.bbc.co.uk/news/uk-12573824

Subscribe for more Research like this

About Tom Williams

Investigative Consultant

CREST
CREST STAR
CHECK IT Health Check Service
CBEST
Cyber Essentials
CESG Certified Service
First - Improving Security Together
BSI ISO 9001 FS 581360
BSI ISO 27001 IS 553326
PCI - Approved Scanning Vendor
NCSC CCSC - Assured Service Provider