Key Judgements
To date, no observable destructive cyber incidents have been achieved by terrorist groups, and monitored chatter does not indicate the behaviour of an organisation marshalling its resources around cyber-physical destruction. The past six months have, however, seen the field complicated and crowded by new actors and ambitions. Terrorist groups have adopted simplistic nation state techniques in plotting cyber attacks and gaining access to systems, but have so far been unsuccessful in carrying out attacks that amount to anything more than disruption. The intensified geopolitical situation in the Middle East nevertheless hints that a future collaboration between terrorist groups and nation states may suddenly accelerate cyber capabilities for an initially limited number of cells. Continued monitoring of this situation is a requirement.
Additional Key Judgements will be derived from information throughout the report and impart a high-level summary of the main conclusions of each section. These judgements should be viewed as a conclusion, estimate or trend drawn from the analysis rather than as a pure data source. Key Judgements will be presented in bullet form.
Terrorist Related Cyber Incidents and Terrorist Chatter
Proscribed terrorist groups and organisations have still not significantly increased their capabilities in the cyber field, although a small number of more ambitious cyber incidents have occurred. These incidents show terrorist entities copying or adopting nation state methodologies rather than establishing novel or creative schemes of attack. In each of the cases described, a high degree of success was not achieved, demonstrating that, for the time being, success in the cyber realm still exceeds terrorist groups’ grasp. Overall, however, events in the past six months show an understanding of what can be achieved using cyber means, if not a meaningful development of the engineering and programming skills needed, or of how plots can be carried out once access is secured.
There persists some potential for a convergence of interests between terrorist, non-state and state groups, particularly in the Middle East. Such a series of events would likely lead to a distribution of intelligence and tools between groups, which would accelerate the related terrorist groups up the cyber value chain.
For the most part, terrorists continue to focus on real-world attacks and damage, and do not advocate for the development of cyber capabilities. Chatter in this regard is becoming limited due to crackdowns on apps and websites. Indeed, the online activity so far associated with known terrorist threat actors (use of social media, website defacement and release of propaganda materials) is in decline.
Non-terrorist Activity Relating to Disruptive or Destructive Events
The major developments in nation state activity and abilities continue to be informed by the major cyber events of 2017: the use of the EternalBlue exploit and the discovery of the TRITON malware at Petro Rabigh. This two-year reporting lag in the changing landscape demonstrates how deep the roots of successful attacks may reach and how long it takes before anything can be said for certain about sophisticated cyber attacks. Indeed, complicated politics and somewhat irresponsible reporting have muddied the view of which cyber attacks have occurred and who is responsible; this issue is likely to worsen as incidents continue. The likely strategic decision by some nation state cyber groups to adopt the toolsets used by cyber criminals further complicates questions of attribution and forensic timelines, adding risk to any insufficiently supported declarations by media or governments.
Although EternalBlue and the related exploits published by the Shadow Brokers in 2016 have been patched by Microsoft, nation states have historically been observed using latent vulnerabilities to access industrial control systems. The use of this exploit by nation states contributes to the understanding of how much foreign presence may exist in ICS globally.
Overall, the past six months have seen nation states dedicate themselves substantially to explicit cyber strategies, not limited to espionage, surveillance and pre-emptive attack. This was most notably seen in the restructuring of US cyber strategy around Defend Forward: striking against adversarial states and teams before more destructive actions can be taken.
Miscellaneous: Cyber Crime, Penetration Testing and Vulnerabilities
Cyber crime continues to attract most of the publicity for major events and step changes. The trend of holding whole companies and cities to ransom with tenacious strains of ransomware has driven significant losses, if not actual gains. Among these incidents are the shutting down of the city of Baltimore by an unknown exploit, resulting in $18 million in damages, and the LockerGoga infection of Norsk Hydro, which slowed production at the company’s aluminium plants for weeks for a loss of more than $46 million.
Cryptojacking has emerged as a damaging competitor to ransomware, allowing actors to ‘poison’ networks and siphon off processing power and energy for mining cryptocurrencies, slowing systems and machinery for weeks before detection. Incidents of cryptojacking in the past six months have badly affected industrial facilities’ production rates, raising large funds for those responsible for the infection. In a notable incident, the commodification of cyber access demonstrated vulnerability in China’s rail network, presenting a real risk to civilians.
Additionally, the release of patches for two more zero-days found in Microsoft Windows systems raises concerns about future attacks. Given the delay in discovering attacks, as demonstrated by reporting on nation state cyber activity, and the lapse in patching for many computers and industrial systems, these vulnerabilities may provide a foothold for future, highly disruptive and costly cyber attacks.
The full review can be downloaded here.