ISIS pushes for offensive cyber capability
1 Jun 2015

ISIS’s online presence is intended to do three things. Firstly, and most importantly for the longevity of its existence, it’s intended as a mechanism to attract and recruit members to its ranks. Secondly, it’s a means through which ISIS aims to strike fear into the hearts of all that come across its frequently gruesome propaganda. Both objectives are well documented, but a third dimension to the ISIS presence online is emerging: its attempts to use cyberspace for offensive purposes.

By ‘offensive’ I don’t mean delivering cyber attacks that involve some kind of kinetic impact, but rather I refer to attempts to use the cyber domain to disrupt services, damage reputations and reveal sensitive data.

Over the past five months we’ve seen an uptick in offensive cyber activities by groups claiming an association with ISIS. In January US CENTCOM Twitter and YouTube accounts were suspended after CyberCaliphate—a group claiming to support ISIS—had hacked into both, defacing them with pro-ISIS messages. While the hacks didn’t have a direct impact on CENTCOM’s operations, they were certainly embarrassing and akin to acts of ‘hacktivism’ we’ve seen from groups like Anonymous. Following up in February, the same group hacked into Newsweek and, of all things, Taylor Swift’s Twitter account, defacing both with pro-ISIS messages and sending threatening messages to President Obama.

In March a group claiming to be the Islamic State Hacking Division published on JustPaste.it a list of photos, names, addresses and service branches of US service personnel, which it claimed was taken from US military data servers. Accompanying the data was a statement from the group:

‘With the huge amount of data we have from various different servers and databases, we have decided to leak 100 addresses so that our brothers in America can deal with you…Kill them in their own lands, behead them in their own homes, stab them to death as they walk their streets thinking that they are safe.’

In April we saw the most significant effort from a group purporting to be part of ISIS. The group managed to orchestrate a complete three-hour blackout of the French channel TV5Monde. They hacked into all 11 channels run by the company, along with its website and social media outlets. While the attack took place, the hackers placed documents on TV5Monde’s Facebook page, which they claimed were identity cards and CVs of relatives of French soldiers involved in fighting ISIS, accompanied by threats against the troops themselves. The Islamic State Hacking Division again claimed responsibility.

What this attack illustrated was the group’s increased degree of sophistication. There had clearly been an amount of pre-attack planning, including a degree of social engineering, in order to completely shut down the station’s computer systems.

This isn’t the first time we’ve seen terrorist groups utilise the power of online systems and networks in their operations. In February 2010 Rajib Karim, an IT employee for British Airways (BA), was arrested for terrorism offences. Having been in contact with radical preacher Anwar al-Awlaki, he explained that he had access to BA’s servers and could erase all the data, causing massive disruption and financial loss of £20 million per day. Luckily he was arrested before he was able to carry out any kind of nefarious activity. Giving evidence at a UK House of Commons hearing on Cyber Security in 2013, Thomas Rid was asked the question, ‘Why hasn’t al-Qaeda carried out a cyber attack on a national infrastructure delivery point?’ He replied that ‘al-Qaeda are too stupid… You need skills and intelligence. Right now militants don’t have that.’ But ISIS, or at least those claiming to support the group, are now looking to take their cyber offensive to the next level.

Should we be worried about the self-styled CyberCaliphate and the potential for ISIS to launch highly sophisticated attacks against sensitive networks, similar to the STUXNET virus that was unleashed on Iran? At present, despite a clear elevation in capability, the answer would be ‘not yet’. Attacks of the magnitude of STUXNET require a level of financing, highly-skilled personnel and human intelligence gathering that an organisation such as ISIS simply can’t . The more likely scenario is that we continue to see websites defaced and social media accounts hacked.

But that’s no reason to be complacent about ISIS’ capabilities and its intent. The cyber domain provides the group with a low-cost means of harassing its enemies and publicising its cause. They’ve demonstrated an ability to utilise modern technology and unleash effective propaganda; and they’ve proven attractive to ‘tech savvy’ youngsters. With their successful takedown of a major television company, confidence will have increased and the next attack will be planned with greater ambition. There’s no reason that ISIS won’t work to mature what has so far been a successful strategy and capability. In many ways this reflects what we’re seeing in the broader cyber threat environment: the cyber domain is becoming a key part of offensive operations for any group, be it a government, criminal organisation or terrorist group. Over the last five months ISIS have shown us that they are pushing to close the knowledge and capability gap when it comes to offensive cyber operations. We’d be wise to keep a close watch.