Chapter 13

Cyber terrorism

Case studies

Daniel Cohen

Abstract

This chapter discusses the threat of terrorism in cyberspace and examines the truth of the perceptions of this threat that have formed in recent years. It examines the capabilities that a non-state actor can achieve and whether this can constitute a real threat to the national security of states. For an analysis of the main threats facing a state from a multi-year perspective and in light of anticipated changes in a state’s strategic balance, the factors that threaten the state are presented and the roots of the threat are identified. The chapter thus examines whether terrorism, whose impact is generally tactical, could make (or perhaps has already made) the transition to a cyber-weapon capability with strategic impact, that is, a weapon that could inflict widespread damage or damage over time, of the sort that brings states to their knees and causes critical systems to crash.

Keywords

Cyberspace

Cyber terror

Cyber weapons

Terrorist organizations

Non-state actors

Enterprise information systems

Core operational systems

Intelligence guidance capability

Technological capabilities

Introduction

If we examine one of the key concepts in cyberspace—namely, dealing with terrorist threats—we find that the rationale underlying the concept (which emerged, among other things, after the formative events at the beginning of the twenty-first century, such as the Y2K bug and the September 11, 2001 terrorist attacks) sees the world as being at the peak of a process belonging to the post-modern and post-technology era, an era with no defensible borders, in which countries are vulnerable to invasion via information, ideas, people, and materials—in short, an open world. In this world, the threat of terrorism takes a new form: a terrorist in a remote, faraway basement has the potential to cause damage that completely changes the balance of power, by penetrating important security or economic systems in any country in the world and accessing sensitive information, or even by destroying vital systems. No one disputes that non-state actors, such as terrorist organizations, are using cyberspace as a field that enables small individual players to have influence disproportionate to their size. This asymmetry creates risks that in the past did not attract attention or provoke action among the major powers. The question is whether the activity of these players in cyberspace constitutes a threat with the potential to cause major and widespread damage, that is, whether they are able to operate cyber weapons with strategic significance—weapons that can inflict large-scale or lasting damage of the sort that causes critical systems to collapse and “brings countries to their knees.” And if so, why has such damage not yet occurred?

Can the reality of September 11, 2001—when a terrorist organization planned an attack for two years, including by taking pilot training courses, and eventually used simple box-cutters to carry out a massive terrorist attack—repeat itself in cyberspace? Is a scenario in which a terrorist organization sends a group of terrorists as students to the relevant courses in computer science, arms them with technological means accessible to everyone, and uses them and the capabilities they have acquired to carry out a massive terrorist attack in cyberspace realistic, or is it science fiction? In order to answer this question, we must examine the few case studies of cyber-attacks by terrorist organizations and then consider what capabilities a non-state actor can acquire, and whether these capabilities are liable to constitute a real threat to national security.

This chapter assesses whether attacks in cyberspace by terrorist organizations, whose effect until now has usually been tactical, will be able to upgrade (or perhaps have already upgraded) their ability to operate cyber weapons with strategic significance—weapons that can inflict large scale or lasting damage of the sort causing critical systems to collapse and “brings countries to their knees.”

This chapter focuses on the activities of non-state organizations with political agendas and goals, even if operated or supported by states. A distinction is drawn between these activities and those conducted directly by countries, which are beyond the scope of this chapter, as are the activities of organizations whose aims are mainly of a criminal nature. For the purpose of this chapter, a terrorist act from a non-state organization in cyberspace will be defined as an act in cyberspace designed to deliberately or indiscriminately harm civilians (see Chapter 2 for other definitions of cyber terrorism).

In order to assess the activities of terrorist organizations in cyberspace, the first stage is the identification of motives for using cyberspace as part of the political struggle being waged by the terrorist organizations. Two principal motives were identified. The first is the use of cyberspace in support of terrorist activity, mainly the acquisition of money and recruits, or money laundering in order to finance the activity. The second is the use of tools in cyberspace to deliver the actual strike against the targets that terrorist organizations set for themselves, as well as its use in support of other violent means. In this context we will analyze the cooperation between non-state organizations and the states that operate them and support their terrorist activity.

The second stage of this study required an examination of terrorist operations in cyberspace, that is, operations whose purpose is to cause deliberate or indiscriminate harm to civilians through action in cyberspace by non-state organizations with political agendas and goals, even if operated or supported by states.

The third stage is an assessment and understanding of the capabilities that terrorist organizations can obtain and use to generate an effective and significant terrorist attack.

Case Studies—Activities in Cyberspace Attributed to Terrorist Organizations

One of the first documented attacks by a terrorist organization against state computer systems was by the Tamil Tigers guerilla fighters in Sri Lanka in 1998. Sri Lankan embassies throughout the world were flooded for weeks by 800 e-mail messages a day bearing the message, “We are the Black Internet Tigers, and we are going to disrupt your communications systems.” Some assert that this message affected those who received it by sowing anxiety and fear in the embassies (Denning, 2000). Several years later, on March 3, 2003, a Japanese cult named Aum Shinrikyo (“Supreme Truth”) conducted a complex cyber-attack that included obtaining sensitive information about nuclear facilities in Russia, Ukraine, Japan, and other countries as part of an attempt to attack the information security systems of these facilities. The information was confiscated, and the attempted attack failed before the organization managed to take action. An attack carried out through proxies took place in January 2009 in Israel. In this event, hackers attacked Israel’s Internet infrastructure in response to Operation Cast Lead in the Gaza Strip. Over five million computers were attacked. It is assumed in Israel that the attack came from countries that were formerly part of the Soviet Union and was ordered and financed by Hezbollah and Hamas (Everard, 2008). In January 2012, a group of pro-Palestinian hackers calling itself “Nightmare” caused the Tel Aviv Stock Exchange and El Al Airlines websites to crash briefly and disrupted the website activity of the First International Bank of Israel. Commenting on this, a Hamas spokesman in the Gaza Strip said, “The penetration of Israeli websites opens a new sphere of opposition and a new electronic warfare against the Israeli occupation” (Cohen and Rotbart, 2013).

The civil war in Syria has led to intensive offensive action by an organization known as the Syrian Electronic Army (SEA)—an Internet group composed of hackers who support the Assad regime (see Chapter 9 for a case study of the SEA). They attack using denial-of-service and denial-of-information techniques, or break into websites and alter their content. The group has succeeded in conducting various malicious operations, primarily against Syrian opposition websites, but also against Western Internet sites. The SEA’s most recent action was aimed mainly against media, cultural, and news websites on Western networks. The group succeeded in breaking into over 120 sites, including The Financial Times, The Telegraph, The Washington Post, and Al Arabia (Love, 2013). One of the most significant and effective attacks was in April 2013, when the Syrian Electronic Army broke into the Associated Press’s Twitter account and planted a bogus “tweet” saying that the White House had been bombed and the US president had been injured in the attack. The immediate consequence of this announcement was a sharp drop in the US financial markets and the Dow Jones Industrial Average for several minutes (Foster, 2013). The SEA is also suspected of an attempt to penetrate the command and control systems of water systems. For example, on May 8, 2013, an Iranian news agency published a photograph of the irrigation system at Kibbutz Sa’ar (Yagna and Yaron, 2013). The SEA has also hijacked the Twitter handles of entertainment websites outside its usual targets, such as E! Online and The Onion; many surmise that the SEA relishes the publicity and is attempting to broadcast its platform beyond its usual audience. In January 2014, the SEA hacked and defaced 16 Saudi Arabian government websites, posting messages accusing Saudi Arabia of terrorism and forcing all 16 websites offline (see Chapter 9).

During Operation Pillar of Defense in the Gaza Strip in 2012 and over the ensuing months, the Israeli-Palestinian conflict inspired a group of hackers calling itself OpIsrael to conduct attacks against Israeli websites in cooperation with Anonymous. Among others, the websites of the Prime Minister’s Office, the Ministry of Defense, the Ministry of Education, the Ministry of Environmental Protection, Israel Military Industries, the Israel Central Bureau of Statistics, the Israel Cancer Association, the President of Israel’s Office (official site), and dozens of small Israeli websites were affected. The group declared Israel’s violations of Palestinian human rights and of international law were the reason for the attack (Buhbut, 2013).

In April 2013, a group of Palestinian hackers named the Izz ad-Din al-Qassam Cyber Fighters, identified with the military wing of Hamas, claimed responsibility for an attack on the website of American Express. The company’s website suffered an intensive DDoS attack that continued for two hours and disrupted the use of the company’s services by its customers. In contrast to typical DDoS attacks, such as those by Anonymous, which are based on a network of computers that were penetrated and combined into a botnet controlled by the attacker, the Izz ad-Din al-Qassam attack used scripts operated on penetrated network servers, a capability that allows more bandwidth to be used in carrying out the attack. This event is part of an overall trend toward the strengthening of Hamas’s cyber capabilities, including through enhancing its system of intelligence collection against the IDF and the threat of a hostile takeover of the cellular devices of military personnel, with the devices being used to expose secrets (Zook, 2013).

In contrast to the recruitment of terrorist operatives in the physical world, in cyberspace it is possible to substantially enlarge the pool of participants in an activity, even if they are often deceived into acting as partners by terrorist organizations using the guise of an attack on the establishment. This phenomenon is illustrated by the attacks by hackers against Israeli targets on April 7, 2013, when some of the attackers received guidance concerning the methods and targets for the attack from camouflaged Internet sites. The exploitation of young people’s anti-establishment sentiments and general feelings against the West or Israel makes it possible to expand the pool of operatives substantially and creates a significant mass that facilitates cyber-terror operations. For example, it has been asserted that during Operation Pillar of Defense over one hundred million cyber-attacks against Israeli sites were documented (Globes, 2013), and it was speculated that the campaign was guided by Iran and its satellites (Globes, 2013b).

Analysis of Capabilities

As a rule, a distinction should be drawn among three basic attack categories: an attack on the gateway of an organization, mainly its Internet sites, through direct attacks, denial of service, or the defacement of websites; an attack on an organization’s information systems; and finally, the most sophisticated (and complex) category—attacks on an organization’s core operational systems, for example, industrial control systems. Cyber terror against a country and its citizens can take place at a number of levels of sophistication, with each level requiring a certain technological capability and investment by the attacker. The damage caused is in direct proportion to the level of investment.

An Attack at the Organization’s Gateway: The most basic level of attack is an attack on the organization’s gateway, that is, its Internet site, which by its nature is exposed to the public. The simplest level of cyber terrorism entails attacks that deny service and disrupt daily life but do not cause substantial, irreversible, or lasting damage. These attacks, called “distributed denial of service” (DDoS) attacks, essentially saturate a specific computer or Internet service with communication requests, exceeding the limits of its ability to respond and thereby paralyzing the service. Suitable targets for such an attack are, among others, banks, cellular service providers, cable and satellite television companies, and stock exchange services (trading and news). Another method of attacking an organization’s gateway is through attacks on Domain Name System (DNS) servers—the servers used to route Internet traffic. Such an attack directs people seeking access to a specific site or service toward a different site, to which the attackers seek to channel the traffic. A similar but simpler attack can be conducted at the level of an individual computer instead of at the level of the general DNS server, meaning that communications from a single computer are channeled to the attacker’s site rather than the real site the user wishes to visit. Damage caused by such attacks can include theft of information; denial of service to customers, resulting in business damage to the attacked service; and damage to the reputation of the service. The attacker can also redirect traffic to a page containing propaganda and messages he wants to present to the public.
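Detection logic for the saturation attacks described above, written for this chapter as an added example (not the author’s code). It runs over a constructed access log and applies both a per-source threshold and an aggregate per-window threshold, because in a distributed attack no single source need be noisy; the addresses, paths and thresholds are constructed values.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Common Log Format line: client - - [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp, request) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def build_sample_log():
    """Constructed access log (not real traffic): two ordinary clients, one
    noisy single source, and a distributed flood of 200 bots that each send
    only three requests within the same ten-second window."""
    base = datetime.strptime("12/Jan/2012:09:00:00 +0200", TS_FMT)
    lines = []

    def emit(ip, offset_s, path="/"):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512')

    for sec in range(0, 60, 5):            # ordinary clients: a request every 5 s
        emit("10.0.0.5", sec, "/quotes")
        emit("10.0.0.7", sec + 1, "/news")
    for i in range(80):                    # single noisy source: 80 requests in 5 s
        emit("203.0.113.9", 20 + i % 5)
    for b in range(200):                   # distributed flood: 200 bots x 3 requests
        for k in range(3):
            emit(f"198.51.100.{b}", 40 + (b + k) % 10)
    return "\n".join(lines)


def detect_floods(log_text, window_s=10, per_source_max=30, aggregate_max=300):
    """Bucket requests into fixed windows of window_s seconds (aligned to the
    earliest timestamp) and apply two thresholds:
      - per_source_max: catches a single source hammering the service;
      - aggregate_max: catches a distributed flood in which no single source
        is noisy but the total exceeds what the service can absorb.
    Returns (noisy_sources, saturated_windows); each saturated window is a
    tuple (window_start, total_requests, distinct_sources)."""
    parsed = [p for p in (parse_line(l) for l in log_text.splitlines()) if p]
    if not parsed:
        return set(), []
    t0 = min(ts for _, ts, _ in parsed)
    per_window = defaultdict(Counter)
    for ip, ts, _ in parsed:
        per_window[int((ts - t0).total_seconds()) // window_s][ip] += 1

    noisy, saturated = set(), []
    for idx in sorted(per_window):
        counts = per_window[idx]
        noisy.update(ip for ip, n in counts.items() if n > per_source_max)
        total = sum(counts.values())
        if total > aggregate_max:
            saturated.append((t0 + timedelta(seconds=idx * window_s), total, len(counts)))
    return noisy, saturated


if __name__ == "__main__":
    noisy, saturated = detect_floods(build_sample_log())
    print("noisy sources:", sorted(noisy))
    for start, total, sources in saturated:
        print(f"{start:%H:%M:%S}: {total} requests from {sources} distinct sources")
```

With the constructed log, the single noisy source is caught by the per-source rule alone, while the 200-bot flood is invisible to it and is caught only by the aggregate rule.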

One popular and relatively simple method of damaging the victim’s reputation at the gateway of the organization is to deface its Internet site. Defacement includes planting malicious messages on the home page, inserting propaganda the attackers wish to distribute to a large audience and causing damage to the organization’s image (and business) by making it appear unprotected and vulnerable to potential attackers.

An Attack against the Organization’s Information Systems: The intermediate level on the scale of damage in cyberspace includes attacks against the organization’s information and computer systems, such as servers, computer systems, databases, communications networks, and data processing machines. The technological sophistication required at this level is greater than that required for an attack against the organization’s gateway. This level requires obtaining access to the organization’s computers through employees in the organization or by other means. The damage potentially caused in the virtual environment includes damage to important services, such as banks, cellular services, and e-mail.

A clear line separates the attacks described here from the threat of physical cybernetic terrorism: usually these attacks are not expected to result in physical damage, but the reliance on virtual services and access to them is liable to generate significant damage nevertheless. One such example is the attack using the Shamoon computer virus, which infected computers of Aramco, the Saudi Arabian oil company, in August 2012. In this incident, malicious code was inserted into Aramco’s computer system, and 30,000 computers were put out of action as a result. Even though the attack did not affect the company’s core operational systems, it succeeded in putting tens of thousands of computers in its organizational network out of action, while causing significant damage by erasing information from the organization’s computers and slowing down its activity for a prolonged period.

An Attack on the Organization’s Core Operational Systems: The highest level on the scale of attack risk is an attack on the organization’s core operational and operating systems. Examples include attacks against critical physical infrastructure, such as water pipes, electricity, gas, fuel, public transportation control systems, or bank payment systems, which deny the provision of an essential service for a given time or, in more severe cases, even cause physical damage by attacking the command and control systems of the attacked organization. This is the point at which a virtual attack is liable to create physical damage, and its effects are liable to be destructive. Following the exposure of Stuxnet, awareness increased of the need to protect industrial control systems, but there is still a long way to go before effective defense is actually put into effect. Terrorist groups can exploit this gap, for example, by assembling a group of experts in computers and process automation for the purpose of creating a virus capable of harming those systems (Langner, 2012) (see Chapter 9).

Technological Capabilities, Intelligence Guidance, and Operational Capacity

Development of attack capabilities, whether by countries or by terrorist organizations, requires an increasingly powerful combination of capabilities for action in cyberspace in three main areas: technological capabilities, intelligence guidance for setting objectives (generating targets), and operational capacity.

Technological Capabilities

The decentralized character of the Internet makes trade in cyber weaponry easy. Indeed, many hackers and traders are exploiting these advantages and offering cyber-tools and cyberspace attack services to anyone who seeks them. A variegated and very sophisticated market in cyber products for a variety of purposes has thus emerged, with a range of prices varying from a few dollars for a simple one-time denial of service attack to thousands of dollars for the use of unknown vulnerabilities and capabilities that enable an attacker to maneuver his way into the most protected computer systems.

The tools of the cybernetic underworld can be of great assistance in DDoS attacks and in stealing large quantities of sensitive information from inadequately protected companies (for example, credit card information from unprotected databases), which will almost certainly arouse public anxiety. Terrorists still have a long way to go, however, before they can cause damage to control systems, which is much more difficult than stealing credit cards and for which cybercrime tools are of no help. With respect to the intermediate level described above, attacks on an organization’s information systems, it appears that the underworld possesses tools capable of assisting cyber terrorism. Some adjustment of these tools is needed, such as turning the theft of information into the erasure of information, but this is not nearly such a long process, and the virus developers will almost certainly agree to carry it out for terrorist organizations if they are paid enough.

Intelligence-Guided Capability

One of the key elements in the process of planning a cyber-attack is the selection of a target or a group of targets, damage to which will create the effect sought by the terrorist organization. Toward this end, a terrorist entity must assemble a list of entities constituting potential targets for attack. Technology providing tools facilitating the achievement of this task is already available free of charge. It is also necessary to map the computer setup of the attacked organization, and to understand which computers are connected to the Internet, which operating systems and protective software programs are installed on them, what authorizations each computer has, and through which computers the organization’s command system can be controlled.

Organizations with critical operational systems usually use two computer networks: one external, which is connected to the Internet, and one internal, which is physically isolated from the Internet and is connected to the organization’s industrial control systems. The Internet census does not include information about isolated internal networks because these are not accessible through the Internet. Any attack on these networks requires intelligence, resources, and a major effort, and it is doubtful any terrorist organizations are capable of carrying out such attacks.

Operational Capability

After collecting intelligence and creating or acquiring the technological tools for an attack, the next stage for planners of cybernetic terrorism is operational—to carry out an actual attack by means of an attack vector. This concept refers to a chain of actions carried out by the attackers in which each action constitutes one step on the way to the final objective, which usually includes complete or partial control of a computer system or industrial control system. No stage in an attack vector can be skipped, and in order to advance to a given step, it must be verified that all the preceding stages have been successfully completed.

The first stage in an attack vector is usually to create access to the target. A very common and successful method for doing this in cyberspace is called spoofing, that is, forgery. There are various ways of using this method, their common denominator being the forging of the message sender’s identity, so that the recipient will trust the content and unhesitatingly open a link within the message. The forging of e-mail is an attack method that has existed for many years. Defensive measures have accordingly been developed against it, but attackers have also accumulated experience. Incidents can now be cited of completely innocent-looking e-mail messages tailored to their recipients, containing information relating to them personally or documents directly pertaining to their field of business. The addresses of the senders in these cases were forged to appear as the address of a work colleague. As soon as the recipients opened the e-mail, they unknowingly infected their computers with a virus.
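As an added example (not from the chapter), the header checks a receiving organization can apply to the forged-colleague messages described above, run on three constructed messages: a forged internal sender, a benign internal message, and an external address dressed up with an internal display name. The domain example.com, the header values and the finding strings are assumptions made for this example.

```python
import email
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"   # assumed: the receiving organization's own mail domain


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def spoof_indicators(raw_message, internal_domain=INTERNAL_DOMAIN):
    """Return a list of human-readable indicators that the visible sender of a
    message has been forged. An empty list means no indicator was found."""
    msg = email.message_from_string(raw_message)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    rp_dom, reply_dom = _domain(return_path), _domain(reply_to)

    # 1. Visible From claims the internal domain but the envelope sender does not.
    if from_dom == internal_domain and rp_dom and rp_dom != internal_domain:
        findings.append(f"envelope sender {return_path} does not match From domain {from_dom}")
    # 2. Replies are steered to a domain other than the visible sender's.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To {reply_to} differs from From domain {from_dom}")
    # 3. The display name embeds an internal address while the real address is external.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", display)
    if embedded and _domain(embedded.group(0)) == internal_domain and from_dom != internal_domain:
        findings.append(f"display name shows {embedded.group(0)} but the address is {from_addr}")
    # 4. The receiving mail server recorded an SPF/DKIM/DMARC failure.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(fail|softfail|permerror)\b", auth):
            findings.append(f"{mech} failed according to Authentication-Results")
    # 5. An internal sender whose message never passed through an internal relay.
    hop_re = re.compile(rf"\bfrom\s+\S*{re.escape(internal_domain)}\b")
    if from_dom == internal_domain and not any(hop_re.search(r) for r in msg.get_all("Received", [])):
        findings.append("claims an internal sender but no Received hop from an internal relay")
    return findings


# Constructed messages (tabs mark folded header continuation lines).
SPOOFED = """\
Return-Path: <bounce@mail-relay.invalid>
Received: from mail-relay.invalid (mail-relay.invalid [203.0.113.44])
\tby mx.example.com with ESMTP id abc123
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.invalid;
\tdkim=none; dmarc=fail header.from=example.com
From: "Dana Levi" <dana.levi@example.com>
Reply-To: <dana.levi@webmail-login.invalid>
To: <ron@example.com>
Subject: Q1 budget spreadsheet

Hi Ron, the updated sheet is at the link below.
"""

LEGIT = """\
Return-Path: <dana.levi@example.com>
Received: from mail.example.com (mail.example.com [10.0.0.25])
\tby mx.example.com with ESMTP id def456
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;
\tdkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Dana Levi" <dana.levi@example.com>
To: <ron@example.com>
Subject: Q1 budget spreadsheet

Hi Ron, the updated sheet is attached.
"""

# Every authentication check passes for the external domain, yet the display
# name is an internal address: only the display-name rule catches this one.
DISPLAY_TRICK = """\
Return-Path: <x9@free-mail.invalid>
Received: from smtp.free-mail.invalid (smtp.free-mail.invalid [198.51.100.8])
\tby mx.example.com with ESMTP id ghi789
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=free-mail.invalid;
\tdkim=pass header.d=free-mail.invalid; dmarc=pass header.from=free-mail.invalid
From: "dana.levi@example.com" <x9@free-mail.invalid>
To: <ron@example.com>
Subject: Q1 budget spreadsheet

Hi Ron, the updated sheet is at the link below.
"""

if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("LEGIT", LEGIT), ("DISPLAY_TRICK", DISPLAY_TRICK)):
        print(name, spoof_indicators(raw) or ["no indicators"])
```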

The forgery method can be useful when the target is a computer connected to the Internet and messages can be sent to it. In certain instances, however, this is not the case. Networks with a high level of protection are usually physically isolated from the outside world, and consequently there is no physical link (not even wireless) between them and a network with a lower level of security. In this situation the attacker will have to adopt a different or additional measure in the attack vector—infecting the target network with a virus by using devices that operate on both an unprotected network and the protected network. One such example is a USB flash drive (“Disk on Key” or “memory stick”), used for convenient, mobile storage of files. If successful, the attacker obtains access to the victim’s technological equipment (computer, PalmPilot, smartphone), and the first stage in the attack vector—creating access to the target—has been completed. Under certain scenarios, this step is the most important and significant for the attacker. For example, if the terrorist’s goal is to sabotage a network and erase information from it, then the principal challenge is to gain access to the target, that is, access to the company’s operational network. The acts of erasure and sabotage are easier, assuming the virus implanted in the network operates at a sufficiently high level of authorization. Under more complex scenarios, however, in which the terrorist wishes to cause significant damage and achieve greater intimidation, considerable investment in the stages of the attack vector is necessary, as described below.

Within the offensive cyber products market, terrorists will find accessible capabilities for a non-isolated target. In the same market, they will also find attack products, and presumably they will likewise find products for conducting operations on the target network (similar to the management interface of the SpyEye Trojan Horse; MacDonald, 2011). Despite this availability, Internet-accessible tools have not yet been identified for facilitating an attack on an organization’s operational systems. Access to these tools is possible in principle (Rid, 2013), but the task requires large-scale personnel resources (spies, physicists, and engineers), monetary investment (for developing an attack tool and testing it on real equipment under laboratory conditions), and a great deal of time in order to detect vulnerabilities and construct a successful attack vector.

Conclusion

The low entry threshold for certain attacks and the access to cybernetic attack tools have not led terrorist organizations to switch to attacks with large and ongoing damage potential. Until now, the terrorist organizations’ cyber-attacks have been mainly against the target organization’s gateway. The main attack tools have been denial of service attacks and attacks on a scale ranging from amateur to medium level, primarily because the capabilities and means of terrorist organizations in cyberspace are limited, and to date they have lacked the independent scientific and technological infrastructure necessary to develop cyber tools capable of causing significant damage. Given that terrorist organizations lack the ability to collect high quality intelligence for operations, the likelihood that they will carry out a significant cyber-attack appears low.

In order for a terrorist organization to operate independently and carry out a significant attack in cyberspace, it will need a range of capabilities, including the ability to collect precise information about the target, its computer networks, and its systems; the purchase or development of a suitable cyber tool; finding a lead for penetrating an organization; camouflaging an attack tool while taking over the system; and carrying out an attack at an unexpected time and place and achieving significant results. It appears that independent action by a terrorist organization without the support of a state is not self-evident. The same conclusion, however, cannot be drawn for organizations supported and even operated by states possessing significant capabilities.

There is also the possibility of attacks by terrorist organizations through outsourcing. A group of hackers named Icefog concentrates on focused attacks against an organization’s supply chain (using a hit-and-run method), mainly in military industries worldwide. This is an example of the outsourcing of cyber-attacks (Kaspersky, 2013). Another development is the distribution of malicious code using the crime laboratories of the DarkNet network, which has increased access to existing code for attack purposes. Criminal organizations are already using the existing code for attacks on financial systems by duplicating it and turning it into mutated code.

On the one hand, the array of capabilities and means at the disposal of terrorist organizations in cyberspace is limited because of its strong correlation with technological accessibility, which is usually within the purview of countries with advanced technological capabilities and companies with significant technological capabilities. On the other hand, access to the free market facilitates trade in cybernetic weapons and information of value for an attack. One helpful factor in assembling these capabilities is countries that support terrorism and seek to use proxies in order to conceal their identity as the initiator of an attack against a specific target. In addition, the terrorist organization must train experts and accumulate knowledge about ways of collecting information, attack methods, and means of camouflaging offensive weapons in order to evade defensive systems at the target.

This study reveals that, to date, terrorist organizations have lacked the independent scientific and technological infrastructure necessary to develop cyber tools with the ability to cause significant damage. They also lack the ability to collect high quality intelligence for operations. The ability of terrorist organizations to conduct malicious activity in cyberspace will, therefore, be considered in light of these constraints.

Carrying out an attack that includes penetrating operational systems and causing damage to them is quite complex. The necessity for a high level of intelligence and penetration capabilities, which exists in only a limited number of countries, means that any such attack will necessarily be by a state. For this reason, no successful attack by a non-state player on the core operational systems of any organization whatsoever has been seen to date. Although no such attack has been identified, there is a discernible trend toward improvement of the technological capabilities of mercenaries operating in cyberspace for the purposes of crime and fraud. Presumably, therefore, in exchange for suitable recompense, criminal technological parties will agree to create tools for carrying out attacks on the core operational systems of critical infrastructure and commercial companies. These parties will also be able to put their wares at the disposal of terrorist organizations.

There is a realistic possibility that, in the near future, terrorist organizations will buy attack services from mercenary hackers and use mutated code based on variations of existing code for attacking targets. This possibility cannot be ignored when assembling a threat reference in cyberspace for attacks on the gateway of an organization or even against its information systems. It is, therefore, very likely that terrorist organizations will make progress in their cybernetic attack capabilities in the coming years, based on their acquisition of more advanced capabilities and the translation of these capabilities into attacks on organizations’ information systems (not only on the organization’s gateway).
