The internet is a vast and untapped ocean of possibilities that provides opportunities to all. Thanks to this indispensible technological tool, knowledge and information flow more freely. But like any other technology it can be abused to cause irreparable and devastating damage on the world. Extremist terror groups for instance, have now taken to hacking and creating 'cyber armies' to arm themselves and cause widespread damage.
IBTimes UK spoke to James Scott from the Institute for Critical Infrastructure Technology (ICIT) about the paper The Anatomy of Cyber Jihad he co-wrote with Drew Spaniel, which analyses how extremist terror groups, be it al-Qaeda, al-Shabaab, Boko Haram or Islamic State (Isis) have taken to educating themselves about hacking to function better in this age of technology.
How it all began
"The chaos and religious extremism in the Middle East has spun the cyber jihadist into existence. These actors possess select characteristics of each of the above while injected with the religious fervour of the Crusades. This new actor uses technological means, to bring terror, chaos, and attack to the doorstep of every American, European, and global infidel. Cyber-jihadists are the newest threat facing the US and our allies," said the papers' authors.
Terrorist groups' internet activity
"According to cloud security firm, BatBlue, al-Qaeda has used technology and the internet to distribute officially sanctioned propaganda since the 1980s," the ICIT states. Al-Shabaab "predominantly uses the internet in a limited capacity to disseminate propaganda, to recruit from external Somalian communities, and to sporadically antagonise its opposition on platforms like Twitter.
"Prior to its association with Isis, Boko Harem used the internet to distribute propaganda and to conduct unsophisticated online scams to raise funds. The group's social media presence remains inconstant and poorly aligned with its other propaganda. After allying with Isis, its published videos and photographs began to mirror that of Isis," ICIT specified.
"Isis has a strong online presence that heavily recruits and promotes 'lone-wolf' actions through social media. Their radical beliefs are spread by a diverse, unregulated band of digital zealots across conventional social media such as Twitter, Facebook, and Tumblr, and on less conventional channels such as forums and message boards," ICIT highlighted.
Isis (Daesh) has recently been very active, be it uniting various hacking divisions into one central group, spreading propaganda via online videos or stepping up recruitment strategies by having a dominating presence on Twitter and Facebook.
"Isis poses an active cyber threat by working with lone hackers, hacker groups, and by appropriating open source online materials," ICIT said.
MaaS and RaaS
MaaS (malware as a service) and RaaS (ransomware as a service) are software programs or codes that are specifically designed by cybercriminals to be user friendly, such that even those with limited cyber capabilities can deploy them with ease.
The code for the malware or ransomware can be purchased or rented on the dark web and used fairly easily to infect victims' systems.
Once victims pay up the demanded ransom, the author of the malware and/or ransomware is given his/her cut, while the buyer makes off with the rest of the money.
In case of extremist hacker groups, MaaS and RaaS can come in handy, in providing those with rudimentary knowledge of coding to deploy attacks against specific targets.
Commenting on the organisational structure of IS's hacker groups, Scott said, "The groups were disparate prior to the formation of the United Cyber Caliphate in April 2016. It remains unclear how integrated their operations have become since then. Isis is well known among jihadist groups for having meticulous organisation and a formal operational structure. While the inter-communication of the UCC groups is hampered by US cyberattacks against their channels, if the groups have united under Isis's structure, then their coordination and sophistication will increase in the near future.
"Isis has already launched unsuccessful attacks against the energy sector, they already claim to have insider threats inside government agencies, and they already possess the resources to conduct sophisticated attacks. ISIS is a current threat whose potential will only increase in the future."
When asked about the level of sophistication of pro-IS hacker groups, Scott explained, "Many members of Isis are not sophisticated attackers. The majority of members do not have a technical background. Nevertheless, in a group as large as Isis, there are bound to be a handful of technical individuals who can or could learn to, conduct sophisticated attacks. Even if there are not, Isis has the resources to hire hackers or to outsource layers of sophisticated attacks. In any case, many successful attacks do not require sophistication and the rise of GUI based malware, MaaS, and RaaS, means that an attacker does not need a technical background or even a complete understanding to launch an attack."
The evolution of Isis cyberwar
British militant and hacker Junaid Hussain aka Abu Hussain Al Britani was believed to be the driving force behind IS's cyber and social media growth and strategies. The hacker who went by online pseudonym "TriCk" was the founding member of a relatively unknown hacktivist group called "TeaMpOisoN" before he graduated to becoming one of the most prominent members and recruiters for IS.
"The series of forums, communication channels, and appropriated cyberdefensive instructional materials, referred to as the 'ISIS help desk', was devised under his suggestion. Even though he was not a key member of the leadership, Hussain's contribution to the cyber capabilities of the terrorist organisation made him the third most valuable target in IS," ICIT explains.
Isis as a cyber threat
"The success of the Isis propaganda campaign is influencing how other groups use the internet. In much the same manner that newspapers' popularity declined in favour of online media, static propaganda publications are declining in favour of robust, dynamic multiplatform campaigns," ICIT stated.
When asked if IS-affiliated hacker groups have capabilities beyond merely using social media to create fear, Scott pointed out, "Creating fear and chaos is a desirable outcome for the group. It increases their recruitment power and their notoriety. That said, script kiddies [inexperienced hackers] can learn to launch meaningful attacks, such as ransomware campaigns, from YouTube. There is no barrier to entry preventing the UCC from conducting more harmful attacks."
ISIS and United Cyber Caliphate – are they the same?
It is important to note that the ICIT's research reveals that while UCC actively affirms its connection to IS, the reverse is not the case. "Isis has never claimed ownership of the Cyber Caliphate," ICIT pointed out.
When asked what this may signify, Scott responded: "It could signify that the UCC supports Isis, but that the UCC is not internal to Isis. It is also possible that Isis just never felt the need to outright claim ownership of the group.
"The UCC has a social media presence, but it is much smaller than IS'. The UCC mostly announces its activities when it claims to hack systems or when it releases lists for lone wolf attacks. Its visibility is meant to draw foreign members of IS to attacks. If the affiliated groups have actually integrated, then it may start drawing in fresh talent. If the group grows more sophisticated, it is likely that its social media presence will decrease to better obfuscate its activities."
Dropping ransomware bombs
Social media is not the only area of the internet that IS is interested on capitalising. Given the recent alarming increase in DDoS (distributed denial of services attacks), malware, ransomware attacks, extremist groups, including ISIS may find it convenient in both financial terms as well as in carving out a more fearsome image in utilising such tools to deploy cyber attacks against their enemies.
What is a DDoS attack?
During a denial of service (DoS) or a distributed denial of service (DDoS) attack, hackers attempt to overload a website by sending in data requests from multiple sources. Most often hackers use a 'botnet' – internet-connected PCs that are compromised by malware – to send in the requests to visit the site without the users' knowledge.
The huge number of requests, which can reach thousands per second, overload the ability of a website's server to respond, eventually causing an error message to appear instead of the site's pages.
Executing a DDoS is relatively simple. Botnets are available to hire on websites not reachable via search engines (deep web) or on encrypted websites (the dark web).
"Ransomware is the current trend among sophisticated and unsophisticated groups alike. Dridex and script kiddies both use it to disrupt systems, build botnets, and generate fast revenue. It is effective because there is not yet a reactive solution for victim systems (except restore from backup)," added Scott. "Sophisticated malware is also being simplified and sold on dark net markets. Isis is already attacking the energy sector. If the UCC continues to exist, it will adopt an easy to use sophisticated malware or ransomware in future attacks."
The future of cyber terrorism
"The UCC is predominately capable of hacking soft targets, such as Twitter accounts, and spreading propaganda or defacing websites. While none of the groups incorporated possessed sophisticated capabilities, their unification has resulted in an increased interest in coordinating and conducting cyber attacks against governments and organisations. It is possible that the shared coordination will enable the collective to learn more skills and increase their sophistication; however, it is more likely that the cyber jihadists will purchase malware, will rely on malware-as-a-service, or will outsource stages of an attack to mercenary hackers," ICIT predicted.
While international law enforcement agencies, and even hacktivist collectives such as Anonymous, actively target IS social media posts, such is the nature of the internet that new accounts appear almost as rapidly as they are taken down. According to the ICIT, unlike other well-known and functioning terrorist groups, IS already has the "motive, means, and opportunity to acquire the personnel and code necessary to begin launching devastating cyber campaigns."
However, as the group grows and garners more attention, it also becomes a major target for international law enforcement agencies to take down. "The US Cyber Command is DDoSing Isis servers, taking down social media accounts, disrupting financial transfers, and compromising communications where possible," disclosed Scott. "It would be beneficial as the group grows, to infiltrate it and measure their actual cyber capabilities and operations."