ANALYSIS OF ISIS AS A CYBER THREAT

In information security, a threat actor is an adversary with the motive, means, and opportunity to harm an organization by exploiting a vulnerability in such a way that a risk is transformed into a measurable loss. Of the aforementioned jihadist groups, ISIS appears best situated to become a Cyber Jihadist group, and within the next few years it may grow into a major cyber threat. Tom Boyden (GRA Quantum) observes, “Though the cyberattacks launched by cyber jihadist groups to date have lagged far behind those of state-sponsored hacking collectives and politically-motivated hacktivists in both sophistication and scale, the potential threat they could pose should not be flippantly dismissed. Just as ISIS has shifted the cyber jihadist paradigm from low-tech distributed networks of fighters to tech-savvy administrators of vast territories and populations, so too could aspiring cyber jihadist groups or their sympathizers learn to master the toolsets needed to wreak havoc on our critical infrastructure.” Since the structure, strategies, and brand of ISIS have begun to set the standard for other groups, much of the rest of this publication uses the group as an analog for qualitative analysis; it is important to recognize, however, that other cyber jihadist groups could form or develop a similar potential for cyberterrorism.

Motive:

Extremist groups such as ISIS aspire to create chaos, inflict harm, and disrupt services in the nations and organizations they oppose. In many cases, small attacks that incite panic and fear across a population are just as effective as large attacks that embarrass or undermine opposing geopolitical powers. Cyber Jihadist groups are increasingly motivated to adopt cyber-defensive capabilities, such as encryption applications and anonymity tools, so that their members remain undiscovered within the general population and their activities remain unknown to opposing intelligence and counterintelligence entities. By developing cyber-offensive capabilities, extremist groups can raise funds, inflict harm from across the globe, gather information about targets, disrupt or dissuade opposition efforts, divert the resources of their enemies, inspire a sense of fear or fame in global populations to establish a brand, and recruit new members through coverage of their activities. Cyber Jihadist groups such as ISIS operate in regions where information security may not be built into the culture; as a result, they can use offensive cyber-attacks to identify local dissidents, create economic pressure in target regions, or precede physical incursions.

ISIS and the organizations that support it have expressed increasing interest in, and capacity for, conducting cyber-attacks against the Western world. On September 10, 2015, the “Islamic Cyber Army”, a predecessor to the United Cyber Caliphate, tweeted, “the hackers Supporters of the Mujahideen configure under the banner of unification in the name of Islamic Cypher [sic] Army to be …[the] working front against the Americans and their followers to support the ISLAMIC STATE Caliphate with all their forces in the field of e-jihad … we also announce for RAID soon targets the Crusader coalition forces electronically, targeting everything…ranging from accounts of recruited, to their banks and their airports. To their nuclear bases.” Similarly, on May 11, 2015, Rabitat Al-Ansar, the media department of ISIS, released a video titled “Message to America: from the Earth to the Digital World,” which promised persistent hacking attacks on American and European electronic targets. In the video, the group added, “…the electronic war has not begun yet. What you have seen before is just a preface for the future. [We] were able until this moment to hack the website of the American leadership and the website of the Australian airport, and many other websites despite paying billions to secure your electronic websites; however, it became easier to hack your websites in a short time. Thus, your security information is in our hands; you do not have the power to fight the Islamic State.” The following September, the division tweeted plans to penetrate banks and American government sites on September 11, 2015, though it is unclear whether any attacks were attempted. Other tweets and qualitative reports of attacks indicate that, as of May 2016, the cyber collectives supporting ISIS predominantly target websites and systems belonging to government entities, media outlets, financial institutions, and critical infrastructure facilities.

Means:

ISIS Resources:

In June 2014, ISIS leadership declared the formation of a caliphate. Since then, the Soufan Group and others estimate that over 27,000 foreign jihadists from over 86 countries have travelled to Iraq or Syria to join the extremist group. More than half of the migrant militants originated in the Middle East or North Africa; the recruits came predominantly from Tunisia, Saudi Arabia, Russia, Turkey, Jordan, France, Morocco, Lebanon, Germany, and the United Kingdom. In June 2014, ISIS also seized the city of Mosul in northern Iraq and proceeded to push Iraq’s army southwest towards Baghdad while attacking ethnic and religious minorities in the area. The United Nations estimates that ISIS killed more than 18,800 civilians in Iraq between January 2014 and October 2015, and ISIS is believed responsible for the deaths of at least 4000 Syrians between June 2014 and January 2016. In an attempt to stymie ISIS influence, the United States began launching airstrikes on the Iraqi regions occupied by ISIS in August 2014; so far, over 8277 airstrikes have been launched against ISIS targets in the region. The U.S.-led coalition strikes include the efforts of the United Kingdom, Australia, Belgium, Canada, Denmark, France, Jordan, and the Netherlands. In September 2014, a multinational coalition led by the United States began airstrikes on the occupied regions of Syria. Approximately 3,791 coalition airstrikes have been conducted against ISIS targets there, with contributions from the United States, Australia, Bahrain, Canada, France, Jordan, the Netherlands, Saudi Arabia, Turkey, the United Arab Emirates, and the United Kingdom. Russia began conducting separate airstrikes in 2015, targeting ISIS, the al-Nusra Front, and other extremist groups; however, some have alleged that Russian strikes have also hit rebel groups who violently oppose ISIS and its allies. The airstrikes have killed at least 25,000 ISIS jihadists in Iraq and approximately 3,914 militants in Syria. As a result of the collaborative multinational efforts, ISIS has lost approximately 40% of the territory it held in Iraq and 10-20% of the occupied territory in Syria. As of April 2016, ISIS-controlled territory was approximately the size of Belgium, and its leadership is believed to be based in Raqqa, Syria. In a January 2016 interview, Colonel Steven Warren remarked, “We estimate there’s between 20,000 and 30,000 members of [ISIS] operating inside both Iraq and Syria.” In 2014, Fuad Hussein, chief of staff to Kurdish President Massoud Barzani, gave a more generous approximation of around 200,000 militants. Including militants in foreign nations across the globe, the true number is likely somewhere between these two estimates, albeit closer to the former. As of May 2016, an estimated 10-12 million people still live under the control of ISIS forces. An additional 4.8 million Syrians and 3 million Iraqis have fled the region or have been displaced within their countries.

ISIS funds itself with captured Syrian and Iraqi oil infrastructure. Additional funds are drawn from looting, property confiscation, taxes, banks, grain silos, and the exploitation of other resources in the occupied regions. In October 2015, the U.S.-led coalition conducted airstrikes on vehicles used for pumping and transporting oil at the extraction facilities as part of “Operation Tidal Wave II”. Due to the airstrikes and to ISIS’s inability to service aging equipment, oil production is believed to have decreased. On April 7, 2016, the Telegraph estimated that ISIS drew a daily revenue of £1.8 million (~$2.6 million). At an April 26, 2016 press briefing at the Pentagon, Air Force Major General Peter Gersten revealed that recent airstrikes against ISIS cash sites may have wiped away $300-800 million of ISIS’s estimated wealth. An additional $150 million was destroyed a month earlier, when an airstrike was conducted against the home of the ISIS finance minister. Targeting ISIS resources causes fractures in the leadership of the group and cripples recruitment and expansion efforts. As a result of the growing internal tensions, ISIS may actually become more dangerous, because it may innovate under pressure.

ISIS predominantly uses social media and the internet to recruit fresh militants for little to no financial investment, and its barriers to entry into other cyber domains are low. Given a few laptops, a few thousand dollars, and a few disgruntled technology professionals, ISIS could begin conducting ransomware or other cyber-attacks to generate additional funds. Software solutions to real-world problems are remarkably efficient because, once purchased, software can be replicated and deployed indefinitely. Malware is a software solution that cyber-adversaries employ to raise funds, disrupt services, infiltrate systems, or steal sensitive information. Even if ISIS dedicated only some of its resources to recruiting or hiring a handful of skilled hackers, the damage to critical infrastructure and global financial institutions could be devastating.

Consider the Carbanak group, a small criminal advanced persistent threat (APT) group whose attacks against hundreds of global financial institutions between December 2013 and June 2014 resulted in an estimated $1 billion in losses in the first half of 2014. According to Kaspersky Lab, each victim bank lost $2.5 million to $10 million; overall, Carbanak is believed to have stolen over $1 billion in less than six months. Depending on the choice of targets, a localized loss of $10 million to $1 billion at financial institutions in developing countries could produce economic instability and geopolitical unrest favorable to ISIS. Cyber Jihadists could destabilize regions prior to invasion or disrupt far-off regions in an attempt to redirect the resources of opposing forces, such as Russia.

Like most APT campaigns, Carbanak attacks began with spear phishing. The malicious emails posed as legitimate banking communiqués and carried attached Microsoft Word (97-2003) documents and Control Panel Applet (.CPL) files. Judging by its multilingual publication, Dabiq, ISIS is already capable of crafting very convincing spear phishing emails. Carbanak’s attachments either infected victim systems with malware and a backdoor based on the Carberp malware, or contained URLs that redirected the victim to a landing page that delivered the malware in the background before forwarding the user to a familiar financial site. After successful exploitation of an often publicly known vulnerability, the shellcode decrypts and installs a backdoor on the victim host.

Once running, the Carbanak backdoor re-installs itself into “%system32%\com” as a copy named “svhost.exe” with the system, hidden, and read-only attributes set, and then deletes the initial version delivered by the exploit. After installation, the backdoor connects to its C2 server over HTTP (with RC2+Base64 encryption) and downloads a file (kldconfig.plug) that specifies which processes to monitor. The kit sets the Termservice service execution mode to auto to enable Remote Desktop Protocol (RDP). The backdoor provides access to the victim organization’s intranet and allows the adversary to probe it for other vulnerable targets, particularly critical financial systems. Typically, Carbanak infected tens to hundreds of computers before an administrator system with the necessary access was compromised. If banking applications such as BLIZKO or IFOBS were discovered, the malware sent a special notification to the C2 server. The attackers then deployed keyloggers, video-capture hijacking tools, and screen-capture tools to learn as much as possible about the environment; the toolkits often logged keystrokes and took screenshots at 20-second intervals. Carbanak captured video at low bandwidth and used it to build an operational picture of typical workflow, tool usage, and practices. In addition to teaching the adversary how to transfer money, this monitoring reduced the likelihood of triggering behavioral analytic systems. The remote administration tool Ammyy Admin was also installed on some victim systems to ease remote access (the tool is whitelisted by legitimate system administrators in some corporate environments). Carbanak studied the financial tools and applications installed on victim hosts in order to maximize the gain from each compromised system. Rather than searching for exploits and flaws in the security and financial applications, the group monitored the activity of administrators to learn how to transfer money. Currently, ISIS lacks the technical proficiency to conduct an attack of Carbanak’s sophistication; however, ISIS has some advantages over the small criminal group. Carbanak, as a small APT, must carefully select targets and decide which systems are worth its time; every wasted hour is a loss to the campaign. The Cyber Jihadists have more people and more time to spare. ISIS can train dozens or hundreds of members to use malware, infiltrate systems, learn financial tools and procedures, and probe victim networks. Unlike Carbanak, ISIS need not worry as much about being caught by authorities: its members are already wanted by most law enforcement agencies, and geolocation data attributing cyber-attacks to the occupied region may only promote the fear and paranoia that ISIS publicly seeks. In summary, if ISIS acquires a sufficiently sophisticated piece of malware and recruits or hires a small cadre of hackers, it could conduct attacks against critical global institutions with catastrophic cascading impacts.
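As an added defender-side example (not from the original report, Kaspersky's analysis or the Carbanak toolkit), the following Python routine triages a host inventory for the Carbanak persistence artefacts named above: the svhost.exe copy under %system32%\com carrying system/hidden/read-only attributes, the kldconfig.plug configuration file, the TermService start-mode change that enables RDP, and the presence of Ammyy Admin. The inventory schema and the two sample host records are constructed for this example.

```python
import re

# Indicator values come from the Carbanak description in the text; the inventory
# records below are constructed for this example, not captured from a real host.
BACKDOOR_PATH = re.compile(r"\\system32\\com\\svhost\.exe$", re.IGNORECASE)
BACKDOOR_ATTRS = {"system", "hidden", "readonly"}
CONFIG_NAME = "kldconfig.plug"


def triage_host(inventory):
    """Return (severity, message) findings for one host inventory record.
    inventory = {"files": [{"path": str, "attrs": [str]}],
                 "services": {name: {"start": "auto"|"manual"|"disabled"}},
                 "installed": [str]}
    """
    findings = []
    for f in inventory.get("files", []):
        path = f["path"]
        attrs = {a.lower() for a in f.get("attrs", [])}
        # Backdoor copy: fixed install path plus system+hidden+read-only attributes.
        if BACKDOOR_PATH.search(path) and BACKDOOR_ATTRS <= attrs:
            findings.append(("high", f"backdoor copy at {path} (S/H/R attributes)"))
        # Process-monitoring configuration downloaded from the C2 server.
        if path.lower().rsplit("\\", 1)[-1] == CONFIG_NAME:
            findings.append(("high", f"Carbanak monitoring config {path}"))
    # TermService switched to automatic start enables RDP for the operators.
    services = {k.lower(): v for k, v in inventory.get("services", {}).items()}
    if services.get("termservice", {}).get("start") == "auto":
        findings.append(("medium", "TermService start mode is auto (RDP enabled)"))
    # Ammyy Admin is whitelisted in some environments, so alone it is only a lead.
    if any("ammyy" in name.lower() for name in inventory.get("installed", [])):
        findings.append(("low", "Ammyy Admin present; correlate with other findings"))
    return findings


# Constructed sample inventories (not real captures).
INFECTED_HOST = {
    "files": [
        {"path": r"C:\Windows\System32\com\svhost.exe",
         "attrs": ["System", "Hidden", "ReadOnly"]},
        {"path": r"C:\Windows\System32\com\kldconfig.plug", "attrs": ["Hidden"]},
    ],
    "services": {"TermService": {"start": "auto"}},
    "installed": ["Ammyy Admin 3.5"],
}
CLEAN_HOST = {
    "files": [{"path": r"C:\Windows\System32\svchost.exe", "attrs": ["Normal"]}],
    "services": {"TermService": {"start": "manual"}},
    "installed": [],
}
```

A TermService or Ammyy Admin hit on its own is only a lead, since both occur legitimately on terminal servers and in shops that whitelist the tool; the high-severity file artefacts are what justify escalation.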
