EVOLUTION OF THE CYBER CALIPHATE THREAT

Cyber terrorist and Cyber Jihadist groups, such as the UCC, face extraordinary opposition from organizations, government entities, and other hacking groups. Twitter, Facebook, and many other social media and messaging services actively take down recruitment pages or work with intelligence agencies to disrupt operations or locate members. Governments dedicate resources such as personnel, computing power, funds, and even sophisticated Advanced Persistent Threat (APT) groups to crippling jihadist critical infrastructure such as communication channels, intangible assets, or monetary transfers. Opposing hacker collectives, such as Anonymous, take down social media accounts, expose members, and otherwise hamper operations. So far, ISIS has responded to its resounding digital opposition by increasing its cyber defensive capabilities and its operational security. However, as efforts to hamper its operations escalate, such as the United States' declaration of cyber war on Cyber Jihadists or the sudden decrease of available funds within the organization that resulted from recent airstrikes, the militant group will be forced to adapt under pressure. It could fracture into decentralized factions, or it might rapidly develop new capabilities in retaliation. Though the loss of funds has resulted in some alleged internal strife within ISIS, the group is known among terror organizations for having a surprisingly resilient structure. In the event that factions form, it is possible that one of the subgroups will develop cyber offensive capabilities to acquire funds and increase its notoriety and influence. Danyetta Magana (Covenant Security Solutions) explains, “It is a fallacy that extremist groups are not computer smart; in fact, quite the opposite. As history repeats itself over and over again, all armies have gone from bows and arrows to cannons, from cannons to machine guns, and to ballistic missiles and fighter jets in the air. This is referred to as a revolution of military affairs across all domains. Being able to overcome your adversaries' offensive and defense is simply the art of war, and the same holds true for the cyber domain.” The increased pressure on cyber terrorists could cause members to seek new weapons to level the playing field.

Under the tutelage of Junaid Hussain, ISIS developed a wide proficiency with a diverse collection of secure messaging applications, social media, and anonymity tools. Usage of these tools, as well as operational security measures fueled by paranoia, was propagated to ISIS members through their publications, recruitment manuals, and internal communications. The adoption of these cyber capabilities confounded counterintelligence efforts to monitor communications and analyze signals intelligence. The increasing opposition to ISIS has pushed the group into using more obscure, more secure communication applications (such as Wickr instead of WhatsApp), and has caused it to retreat further into the unindexed portions of the internet known as the dark net or deep web. ISIS members are familiar with encryption techniques, anonymity methods, online tracking mechanisms such as cookies, tokens, and beacons, and other information security topics. This basic knowledge means that the extremists can understand how to conduct attacks, how to use basic malware, and how to deploy ransomware, even without sophisticated technical capabilities. The group understands the necessity of using cheap or disposable devices and of remaining paranoid as a matter of operational security. While digital opposition to the group was necessary, it had the adverse effect of instigating an internal education initiative that taught members to use the exact tools, techniques, and procedures that can enable them to rapidly acquire cyber offensive capabilities. Black hat security professionals peddle their wares and services on deep web markets and forums. These hackers communicate with one another using many of the applications already familiar to ISIS members. Given ISIS's diverse membership, the group is unimpeded by the language barriers that might limit the browsing and purchasing power of other groups.

The adoption of anonymous currencies such as Bitcoin enables the group to transfer assets across the globe to members or sellers, in a matter of seconds, with near absolute anonymity. In fact, some online personas claiming affiliation with the Islamic State have already attempted to elicit Bitcoin donations for ISIS from social media users. Another supporter released a guide detailing how to donate Bitcoin and support ISIS, along with the benefits of digital currencies. The author, who assumes the name “Taqi’ulDeen al-Munthir,” argues that digital currencies such as Bitcoin are the best option for militant Cyber Jihadists because adoption frees them of reliance on a currency backed by the global market or an enemy nation state. He continues that anonymous currencies allow foreign supporters to donate to ISIS even though banks and financial institutions will not allow the transfer of funds to the group. The author suggests the formation of Bitcoin-backed “Shari’ only” markets that transcend all borders and nation state regulations. The adoption of anonymous currency could hasten ISIS's ability to hire hackers or purchase complex exploit kits.

Even in its current state, ISIS already has the resources and capability to recruit or hire sophisticated cyber professionals on the dark web. It is possible, and even probable, that ISIS has already been purchasing attacks on Western organizations and critical infrastructure for years. Groups like ISIS might hate Western culture and practices, but they have no qualms about appropriating and weaponizing material and assets developed in those regions. They use guns manufactured in the United States and Russia and vehicles from Japan, so why would they refuse to use malware or hackers from foreign nations? To the zealots, cyber assets are just more weapons to use in their battle. In all likelihood, the hired cyber mercenaries would not know that they were conducting attacks on behalf of the terrorist organization. As a result of the very anonymity that the hackers themselves rely on, they would unknowingly infect systems, steal data, or otherwise cause chaos for a terror organization. Given a fiscal asset portfolio conservatively estimated at over $1 billion, ISIS can hire many hackers to conduct many attacks. If those attacks result in stolen data, intellectual property, or other intangible assets, then the organization can sell the data to perpetuate the cycle.

Malcolm Harkins (Cylance) adds, “While Cyber Jihadists will undoubtedly be driven to exploit vulnerabilities in our industrial control systems to inflict physical harm on our nation, terrorist organizations have already used cybercrime to raise millions of dollars to fund ‘traditional’ attacks like the 2008 bombings in Mumbai. As Cyber Jihadists grow, it is safe to assume that we will most likely see a spike in both physical and digital attacks from these groups.” ISIS may lack the ability to conduct sophisticated cyber-attacks without help, but it has exceptional operational planning capabilities. It can conduct large, sophisticated cyber-attacks against critical infrastructure systems or organizations by compartmentalizing the stages of the attack and hiring different hackers to conduct different layers of the overall attack. By doing so, ISIS increases the likelihood of remaining anonymous, and it increases the likelihood that the attack will succeed along at least one vector. Some sophisticated collectives, such as Carbanak, may even be willing to conduct the entire attack with a guarantee of success, for a high enough reward. If ISIS acquires cyber-capable personnel, it can realize equivalent success by outsourcing components of an attack toolkit and then combining the tools into a more formidable asset.

Cyber terrorists can use layered attacks to devastating effect. For instance, a group could hire a hacker to cause chaos in a city by disrupting its traffic system or water flow, or it could conduct a physical attack to inflict losses and incite panic. After emergency services were burdened with casualties and the injured, the terrorists could launch DDoS and ransomware attacks against hospital and emergency response services. The extremists could use malware to steal confidential information from the infected systems while law enforcement attempted to respond to the attacks. Next, attacks against the SCADA and ICS systems supporting the local electric grid could further plunge the target city into turmoil. Finally, physical militants could invade the city and exploit the sense of panic and the overburdened services to overwhelm its defenses. After the city was conquered, the group, or its hired help, could cease the attacks. Through this basic and plausible scenario, the group could capture entire regions without destroying the underlying infrastructure.

Opportunity:

Insider Threats:

ISIS can use its recruitment infrastructure and any PII or EHI collected from attacks to recruit and place insider threats at organizations and government agencies. Not all ISIS recruits are the stereotypical Middle Eastern men. The group has also recruited Caucasian teenagers from Wisconsin and African American adults from Minnesota to become insider threats. ISIS keeps meticulous records, and all new recruits must complete a data sheet recording their entry date, nationality, blood type, date of birth, education level, and former employment. According to 4000 records leaked to journalists by defectors, 63.3% of recruits originated in the Middle East or North Africa, 15.7% came from countries near the Middle East including Russia, 10.6% originated in Europe, 3.4% were from Asia, and 1.15% were from the Americas or Australia. ISIS lures in troubled and lonely individuals and slowly persuades them to adopt its ideology by engendering a sense of purpose and community in their minds. Of those 4000 recruits, 87.4% were born between 1980 and 1999, with an average birth year of 1988. Outside of science fiction, there is no way to know what ideology an individual cherishes in their mind. Insider threats might install backdoors or malware on networks as part of layered attacks, or they might collect information about operations, systems, or facilities to enable the extremist group to conduct cyber, physical, or cyber-physical attacks. Unlike the initial ISIS fighters, the new recruits are educated enough to fill positions in organizations. The leaked data reveals that 61.2% of the militants had at least a high school education and 29.2% had at least one semester of post-high-school education. Approximately 15.6% of the sample batch were current college students. Students open their minds to new avenues of thought and perception when they attend college. They are also the primary users of social media. Consequently, college students are extremely vulnerable and extremely valuable recruits for Cyber Jihadists such as ISIS, who are desperate for educated recruits to fill technical positions within the organization. Any number of the militant recruits who abandoned their studies to join ISIS could be sent back to school to finish their degrees, to recruit other students, or to graduate and infiltrate organizations and government entities.

In early May 2016, the Islamic State Hacking Division released a tweet claiming, “In our next leak we may even disclose secret intelligence the Islamic State has just received from a source the brothers in the UK have spent some time acquiring from the Ministry of Defence in London as we slowly and secretly infiltrate England and the USA online and off.” Law enforcement authorities did not comment on the authenticity of the claim. Since past information releases have been gathered from publicly available information, there is some inherent doubt about the claim. Nevertheless, the potential for insider threats within organizations must be treated as a serious threat before it actually materializes. According to the “IBM 2015 Cyber Security Intelligence Index,” 45% of attacks are carried out by threat actors external to the network, 31.5% of all attacks are carried out by malicious insiders, and 23.5% of attacks occur due to the mistakes of inadvertent actors, who are also categorized as insider threats.

Social media, personal devices, cloud applications, mobility, and big data are making insider threats harder to identify while also providing more ways to pass protected information. Insider threats can often be categorized as: disgruntled employees who leave the company but retain their old privileges or create back doors before leaving; malicious insiders who take advantage of expired or orphaned accounts to attack valuable resources, or who hold privileged access and sell information for financial gain; and inadvertent insiders who mean no harm but fall prey to social engineering schemes that grant access to outside attackers. Trusted third-party contract workers may be “quasi-insiders” if their actions or inaction result in an inadvertent breach of the network or in the breach of a supporting network.

Cyber Jihadist organizations heavily recruit “troubled individuals,” such as disgruntled employees, social outcasts, and misguided youths. Further, they have the capital to entice resentful personnel to sell data or commit actions that compromise the integrity of the network. Unlike nation-state intelligence and counterintelligence entities, ISIS and similar organizations assume immense risk every time they contact a potential recruit; as a result, they are more adept at perceiving the disposition and needs of a target and at organically convincing that individual to bend to their will. What would an employee at a supporting organization, such as an HVAC or background check firm, do for a sizable paycheck if they felt malice towards their employer and were offered an untraceable fortune in Bitcoin? Would they plug in a USB drive? Would they intentionally click a phishing email? The OPM breach may also have been the result of the compromise of supporting organizations. Hacking into intelligence databases or remotely controlling military drones is currently outside the capabilities of Cyber Jihadists because they lack the sophisticated tools, techniques, and procedures to bypass sophisticated security mechanisms; however, if they can compromise tangential networks, then they can move laterally onto the target networks and establish a persistent presence. Essentially, terrorist organizations can compensate for their lack of cyber capabilities by exploiting vulnerable humans within the organizational network.

Media

Cyber Jihadists regularly deface websites and blogs belonging to media outlets because traffic is already directed towards those outlets' websites, channels, and publications. In the future, media outlets may experience more compromising attacks from extremist organizations that desire advance knowledge of breaking stories, confidential sources, and internal information about public figures. ISIS in particular believes that every journalist is a spy; consequently, the group is known for executing media personalities in the region.

In April 2015, the Cyber Caliphate supposedly attacked the French media outlet TV5 Monde. The attack resulted in temporary control of the website and social media accounts, and in the disruption of 11 stations for a few hours. At the same time, the group published threats against a list of named French soldiers and their family members. The attack may have been facilitated by poor cyber security practices on the part of TV5 Monde. Even though ISIS claimed responsibility for the attack, alternate theories suggest that it may have been perpetrated by the Russian group APT28 and then attributed to ISIS to cover its tracks, because the Sednit malware was found on the infected systems. It is possible that both APT28, which is known to rely on the Sednit malware, and ISIS maintained a foothold in the same system and that one exploitation facilitated or revealed the other. It is also possible that ISIS purchased and deployed a copy of the malware.

ICS and SCADA Systems:

The ICS and SCADA systems upon which American critical infrastructure depends are antiquated and vulnerable. Systems in facilities supporting sectors ranging from energy production to nuclear defense have recently been the focus of discussions about modernization efforts. The aforementioned Russian BlackEnergy malware can be used to compromise critical systems such as electrical grids, and less sophisticated variants are available for purchase on dark web forums. The same malware can be used to target financial and healthcare systems. Some organizations rely on their antiquated systems because they incorrectly believe that the systems are protected by the obscurity of their programming. Even if sophisticated malware cannot operate on some systems, threats remain: any system that can process code is vulnerable to ransomware, because that simple class of malware relies on nothing more than an encryption algorithm. Ransomware is simple to use, and most variants cost less than a few thousand dollars on dark web markets. ICS and SCADA systems are renowned among hackers for being easy and available targets. Hackers used to earn their first bragging rights by compromising systems belonging to a water treatment or electrical facility, and most who compromise these networks seek online recognition or fiscal reward. Danyetta Magana (Covenant Security Solutions) cautions, “A Cyber Jihad will use cyber offensive tools to adversely affect many things Americans value in everyday life and use the internet to achieve, such as running water, agriculture, highways, traffic lights, electric, postal service, gas, banks, and healthcare.” Cyber Jihadists may aim to disrupt operations or to overwhelm systems into shutting down or behaving abnormally. Even if the collective lacked the skills necessary to compromise a particular critical infrastructure facility, some mercenary black hats or insiders might consider the task an easy assignment for a meager financial reward. Kevin Chalker (GRA Quantum) remarks, “Today’s Cyber Jihadists are unskilled outsiders, able to accomplish little remotely from the shadows beyond temporary website defacements or service interruptions. However, if groups like ISIS could ever recruit agents working inside of critical infrastructure facilities, say power plants or water treatment facilities, our perception of the threat they pose would be catastrophically changed overnight.”

In October 2015, U.S. law enforcement officials revealed that hackers tied to the Islamic State were actively attempting to breach ICS and SCADA systems in the energy sector. Caitlin Durkovich, the assistant secretary for Infrastructure Protection at the Department of Homeland Security, confirmed to company executives at a conference on American energy that “ISIL is beginning to perpetrate cyberattacks.” No specific details were provided other than that the attacks were not successful. Law enforcement also expressed concern about the growing capabilities of other domestic and foreign hate groups. Thankfully, even successful attacks on the United States energy sector would not have the same impact as those against Ukraine in 2015, because the grid is much larger and far more finely segmented.

Financial Sector

The financial sector is most vulnerable to insider threats and to poor cyber hygiene. Bank customers and employees often rely on outdated browsers, often reuse weak passwords, and often lack the training necessary to recognize phishing emails and malicious attachments. Regulators rigorously monitor banks’ vulnerabilities, but undertrained personnel undermine their efforts. Extremists or mercenary hackers could easily send out phishing emails with malware in malicious attachments to obtain personal or financial information from infected systems. Cybercrime is the largest threat to the banking sector. According to a Congressional hearing from June 2015, a major U.S. bank suffers a cyberattack every 34 seconds. According to Christopher Finan, who worked at the Pentagon on cybersecurity issues with the White House when the Nasdaq was hacked in 2010 and later served as President Barack Obama’s cybersecurity adviser, security systems in the financial sector have been applied at the end of the design process instead of at the start, resulting in a “hodgepodge of systems that have been cobbled together.” Any hacker with enough time and resources can break into the system. Stock exchanges therefore focus on ensuring the integrity of the financial data, under the assumption that hackers are bound to gain access to their systems somehow. They want to make transactions indelible so that trades are intentional and validated. In response, cyber adversaries simply target brokerage accounts, so that their activity appears legitimate, before initiating unauthorized trading. Neither cyber terrorists nor more sophisticated APT groups are capable of toppling the global stock market. To do so, an attacker would have to simultaneously hack and manipulate data in numerous separate systems. Finan comments that such an attack would have “extraordinarily low probability but extraordinarily high consequence.” Instead, threat actors can disrupt specific markets, cause chaos, harm the reputations of target organizations, and reap illicit financial gains by manipulating the stocks and accounts of individual firms.

RESPONSE TO THE CYBER CALIPHATE / ISIS / CYBER JIHADISTS / CYBER TERRORISTS THREATS

Organizations need to act now to protect their reputation and their systems from harm, before Cyber Jihadists develop more sophisticated offensive capabilities. John Miller (Cylance) warns, “Regardless of proactive response, ISIS will gain the ability to attack, compromise, and disrupt national and international critical infrastructure within the next 24 months, giving them the ability to disrupt communications, utilities, and transportation in a coordinated global attack. It would require the coordinated effort of multiple attackers and a level of skill and funding that would allow access to the technologies used in critical infrastructure networks, but this could be easily overcome with under $100,000 in funding and a team smaller than the average baseball team.” Organizations should begin by hiring an information security team and by conducting a risk assessment of their assets. The assessment should systematically identify potential adversaries, threats, critical assets, the short-term and long-term impact of stolen data, how stolen data could be used, and the likelihood of different scenarios. Facilities and assets should be physically secured against insider threats and compromise. Next, the organization should patch, update, and secure its website. Pictures of the facility, online maps, and any other information that could be used to determine physical security or network infrastructure should be removed from the online profile. The information security team that works with the organization should segment the network, protect information according to its value, and assign user access according to the principles of least privilege and least access. Employees should follow a basic cyber hygiene program that includes training to recognize phishing emails and suspicious activity. The information security team should secure the network with, at a minimum, a firewall, IDS/IPS systems, and antivirus/anti-malware applications. These controls will minimize the risk from stolen user credentials and recognized malware. More sophisticated security systems, such as multifactor authentication, a User Behavior Analytics (UBA) system, and a User Access Control (UAC) system, can be added to reduce the success rate and impact of insider threats. All systems and network traffic should be logged in case incidents need to be forensically investigated. All systems should be separately backed up to prevent ransomware attacks from crippling the organization. Systems should be regularly updated and patched against known threats, to prevent unsophisticated attackers from breaching the network. Organizations can further confound attackers by deploying honeypots, jump boxes, and virtual systems on the network. A honeypot is a fake system with fake data that appear real to the adversary; adversaries who mistakenly attack honeypot systems reveal their activity to the victim and exfiltrate useless data. Jump boxes are virtual air gaps that segment the network by instituting an additional layer of multifactor authentication and by restricting the number of authorized users. Virtual systems can be used to reduce internal costs, and they can be configured to periodically self-terminate and redeploy from a saved disk image so that malware cannot persist on the system. The information security team can use beacons, tokens, or even malware to weaponize data against internal and external adversaries. These tools can also be used to trace exfiltrated data and to conduct network forensics after an incident. Finally, information about suspicious activity or active threats should be safely shared with law enforcement and with the community at large.
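As an added illustration of the honeypot, token, and jump-box controls recommended above (example code written for this page, not from the report's authors), the following Python script runs two detection rules over constructed log lines: any touch of a decoy account or decoy file, and any login to a restricted host that did not arrive through the jump box. The hostnames, IP addresses, token names, and log formats are all assumptions made for the example.

```python
"""Two detection rules derived from the defensive controls above: (1) any use of a
honeytoken (decoy account or decoy file) is an alert, since no legitimate user should
ever touch it; (2) any successful SSH login to a host in the restricted segment that
did not originate from the jump box is an alert. All names and logs are constructed."""
import re
from dataclasses import dataclass

# Constructed honeytokens: decoy accounts and a decoy document that exist only to be tripped.
HONEY_ACCOUNTS = {"svc_backup_admin", "finance_archive"}
HONEY_FILES = {"/shares/finance/Q4_payroll_master.xlsx"}

# Constructed network layout: the restricted segment and the only approved jump box.
JUMP_BOX_IP = "10.0.1.5"
RESTRICTED_HOSTS = {"scada-hmi-01", "db-core-02"}

# Constructed log formats (simplified sshd and file-audit lines).
SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"\S+ for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)
FILE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) fileaudit: user=(?P<user>\S+) "
    r"action=(?P<action>\w+) path=(?P<path>\S+)"
)


@dataclass(frozen=True)
class Alert:
    rule: str
    ts: str
    host: str
    user: str
    detail: str


def detect(log_lines):
    """Return the list of alerts raised by the two rules, in log order."""
    alerts = []
    for line in log_lines:
        m = SSH_RE.match(line)
        if m:
            user, host, src = m["user"], m["host"], m["src"]
            # Rule 1a: any attempt, even a failed one, against a decoy account means
            # the credential was harvested from somewhere it should never have been read.
            if user in HONEY_ACCOUNTS:
                alerts.append(Alert("honeytoken-account", m["ts"], host, user, f"from {src}"))
            # Rule 2: successful access to the restricted segment must come via the jump box.
            if m["result"] == "Accepted" and host in RESTRICTED_HOSTS and src != JUMP_BOX_IP:
                alerts.append(Alert("jumpbox-bypass", m["ts"], host, user, f"from {src}"))
            continue
        m = FILE_RE.match(line)
        if m and m["path"] in HONEY_FILES:
            # Rule 1b: the decoy document was opened or copied.
            alerts.append(Alert("honeytoken-file", m["ts"], m["host"], m["user"],
                                f"{m['action']} {m['path']}"))
    return alerts


# Constructed sample logs: one clean jump-box login, one bypass, one decoy file read,
# one failed login against a decoy account, and two benign events.
SAMPLE_LOGS = [
    "2016-05-10T08:02:11Z bastion-01 sshd[311]: Accepted publickey for alice from 192.0.2.10",
    "2016-05-10T08:03:40Z db-core-02 sshd[902]: Accepted publickey for alice from 10.0.1.5",
    "2016-05-10T08:15:02Z db-core-02 sshd[903]: Accepted password for bob from 10.0.7.22",
    "2016-05-10T08:16:30Z fileserver-01 fileaudit: user=bob action=read path=/shares/finance/Q4_payroll_master.xlsx",
    "2016-05-10T08:17:05Z scada-hmi-01 sshd[120]: Failed password for svc_backup_admin from 10.0.7.22",
    "2016-05-10T08:18:00Z fileserver-01 fileaudit: user=alice action=read path=/shares/finance/expenses.xlsx",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(f"[{a.rule}] {a.ts} host={a.host} user={a.user} {a.detail}")
```

Every alert here is high-confidence by construction: decoys have no legitimate use, and the jump-box rule encodes a segmentation policy rather than a behavioural guess.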
