Unconventional Methodology: Recent Developments in Offensive Cyber Operations and the Implications for Terrorism

Nov 30, 2019 | Cyber Terrorism, Threat Analysis

Conrad Prince, Senior Cyber Terrorism Advisor to Pool Re

Pool Re is continuing to assess terrorist use of cyber, working with our partners at the Centre for Risk Studies at Cambridge University’s Judge Business School. Our focus is on the potential for terrorists to use cyber for destructive effect against property. This is not an easy area to assess. Terrorists are hard targets to penetrate even for the best intelligence agencies, and there is a lot of chaff to wade through in open source material, the reliability of which is often hard to judge.

That said, there remains little or no evidence of terrorists developing cyber capabilities with destructive effect. Terrorist use of digital technology continues to be primarily in traditional areas such as communications and propaganda. Indeed, there are some indications that the use of the internet for sophisticated propaganda by Islamist terrorists is in decline, perhaps in part as a result of disruption operations by Western agencies. A few references to cyber have been noted in extremist publications, but these are not prominent. There is also some suggestion of Islamist terrorist groups seeking to hijack dormant Twitter accounts for propaganda purposes, but this is not very sophisticated activity. However, recent evidence suggests that Daesh sympathisers are planning to mount more disruptive attacks[1].

However, the potential to exploit cyber will always be present, and various factors could rapidly increase terrorists’ capabilities. These might include specialist support from a hostile nation state; the appearance of destructive malware on the open market (either as a result of unauthorised disclosure of nation state capability, or the development and release of malware by an independent actor); or the availability of a sympathetic insider whose job might make a particular cyber-attack more achievable.

One factor to watch is any evidence of terrorists using cyber for more sophisticated purposes which, while stopping short of disruptive or destructive effect, move them along that path. At present there is little sign of this. However, there is arguably at least one exception, in the shape of the Palestinian group Hamas.

Precise attribution is always difficult, as is establishing whether particular cyber activity is truly directed by a specific group. However, there is good evidence of Hamas moving up the ‘cyber value chain’ over the last few years. At least a decade ago, it was conducting website defacements and sporadic denial of service attacks. More recently, analysts have concluded that Hamas has been undertaking more sophisticated cyber espionage operations.

In 2017 the Israel Defense Forces (IDF) detailed an alleged Hamas cyber espionage campaign targeting IDF soldiers by initiating chats through fake online profiles. These culminated in persuading the soldiers to download a fake video chat app, which was in fact malware that infected their mobile devices, reportedly stealing data and geolocating them. The cyber security company Kaspersky reported on the same campaign. In summer 2018 there was reporting of a further Hamas cyber espionage campaign along similar lines, followed a few weeks later by allegations that Hamas had released mobile malware imitating the Israeli rocket warning app.

The story of Hamas cyber operations reached a dramatic culmination in May this year. During a period of intense fighting in the Gaza Strip, the IDF reported that it had thwarted an unspecified Hamas cyber-attack, which it described as aimed at ‘harming the quality of life of Israeli citizens’. The IDF then launched an air strike on the building reportedly housing Hamas’s cyber team. Following the strike, the IDF announced that Hamas no longer had cyber capabilities.

We can only speculate as to the details here, but it is possible that the cyber-attack the Israelis say they defeated was of a more aggressive kind than the espionage activities previously attributed to Hamas. The fact that it took place during a period of conventional kinetic operations, and was perhaps co-ordinated with them, may also be relevant.

It is unclear whether this has put paid to Hamas’s cyber capabilities. Ten days after the IDF air strike, media reporting indicated that unidentified hackers had briefly interrupted an Israeli webcast of the Eurovision Song Contest semi-final, replacing the broadcast with a fake warning of an attack on Tel Aviv. The Israeli national broadcaster blamed Hamas, though there is no hard evidence for this attribution.

The Hamas example is interesting in that it appears to show a terrorist group using cyber for more sophisticated purposes than propaganda alone, and deploying a range of capabilities in doing so. It is impossible to say how far Hamas may have got with this progressive increase in the scale of its cyber operations. But the fact that it culminated in Israeli military action is striking.

That said, this is still a long way from the use of cyber-attack for serious destructive purposes. There are relatively few examples of destructive attacks taking place, but they have happened. The most striking cases include Stuxnet, the cyber sabotage of centrifuges at an Iranian uranium enrichment plant from around 2007; an attack on a German steel mill, reported by the German authorities in 2014, which prevented a blast furnace from being shut down properly and caused significant damage; and the 2015 attack on the Ukrainian power system, which took around 30 substations offline and denied power to a quarter of a million people for several hours.

Concerns are also growing about hostile nation state use of offensive cyber for destructive effect. In June 2019, Chris Krebs, Director of the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), stated that his agency was aware of ‘a recent rise in malicious cyber activity directed at US industries and government agencies by Iranian regime actors and proxies’. Krebs noted that Iranian actors were ‘increasingly using destructive ‘wiper’ attacks, looking to do much more than just steal data and money.’

Meanwhile, there has been continued reporting from cyber security experts on the threat actor associated with the TRITON malware. TRITON was used in a 2017 attack on a Saudi chemical and refining facility, during which the attackers apparently moved successfully from the facility’s administrative IT systems onto its operational technology (industrial control systems), ultimately targeting the plant’s safety instrumented systems. Researchers have suggested that the purpose of this attack was not to steal data but to enable the disruption of the facility’s operations. In June this year, a cyber threat company that has been studying the TRITON threat actor reported repeated reconnaissance attempts targeting electric utilities in North America, Europe and Asia Pacific, and asserted additionally that multiple industrial control system vendors had also been targeted, perhaps to enable supply chain attacks. There are differing views on the identity of the threat actor, with cyber security company FireEye suggesting it is associated with Russia.

So there are continuing indications of hostile nation states exploring cyber capabilities with potentially destructive effect. And the West is responding. In 2018 the US Department of Defense (DoD) issued its new cyber strategy, setting out the ‘defend forward’ doctrine. The tone is striking. Specifically calling out Russia and China as strategic threats, the strategy states that the USA will ‘conduct cyberspace operations to …prepare military cyber capabilities to be used in the event of crisis or conflict’ and that the DoD will ‘persistently contest malicious cyber activity in day-to-day competition’.

This more assertive tone may be reflected in actual action. In June this year the New York Times reported current and former US government officials as stating that the USA was stepping up its cyber incursions into Russia’s electric power grid, placing implants on the electricity network that could be used for disruptive purposes when needed. It is impossible to judge the truth of this report, which the DoD described as ‘inaccurate’.

Shortly afterwards, there was widespread reporting that the USA had launched a cyber-attack on Iranian command and control infrastructure associated with rockets and missiles, against the backdrop of escalating tension in the region, including the downing by Iran of an American UAV.

In the UK, press speculation has suggested the impending creation of a national cyber force, further developing the UK’s own offensive cyber capabilities. This would reportedly combine resources from GCHQ and the MoD, potentially with a significant uplift in funding. GCHQ’s Director, Jeremy Fleming, has spoken publicly of UK offensive cyber operations against Daesh, and of the need for nations to have the ability, in extremis and in accordance with international law, ‘to project cyber power to disrupt, deny and degrade.’

Taken together, these developments might be seen to reflect an increasing normalisation of offensive cyber: an acceptance that cyberspace is inevitably a domain of destructive action, not just propaganda or espionage, and that all nations with serious aspirations will develop and potentially deploy destructive capabilities. At a time when there is little by way of accepted cyber norms of behaviour or deterrence doctrine, this will be a cause of concern for some.

We may still be a long way from terrorist groups using such capabilities. But as they become more widely developed and adopted, the potential for terrorist use increases, not least through the kinds of factors described earlier, such as support from a state sponsor. For this reason alone we need to retain a clear focus on this potential threat and on how it develops in our unstable international environment.

[1] https://ctc.usma.edu/doxing-defacements-examining-islamic-states-hacking-capabilities/