Will the next terrorist attack occur in cyberspace?
As the Western world becomes increasingly concerned about ISIS and the potential for homegrown terrorist attacks by its adherents, governments and their publics have focused their concerns more on traditional physical attacks, while overlooking the potential for cyber-based assaults.
Cyberwarfare is now largely seen as an integral part of modern warfare by most developed nations, and countries like the US, Russia, and China spend hundreds of millions of dollars per year developing these capabilities. Until now, however, we have yet to see sophisticated cyber tactics be used by jihadist groups like al-Qaeda or ISIS.
But that could soon change.
For several years, jihadist militants have boasted in online forums that it is only a matter of time before they execute a highly disruptive attack on the US infrastructure or its financial systems. In spite of what certain skeptics might say, such attacks are feasible, for several reasons. First, it has been documented by countless security researchers that industrial control systems -- these are the specialized computer systems used to run machinery at nuclear power plants, oil refineries, pipelines, electric grids, water treatment plants, etc. -- are weak, outdated and vulnerable to attack. A report released this summer by the Center for the Study of the Presidency and Congress found that the electric grid is vulnerable to cyber attacks that could shut off power to critical public utilities and important sectors of the economy. Already, a number of cyber-espionage campaigns have successfully infiltrated these supervisory control and data acquisition (SCADA) systems, from the Russian-sponsored "Energetic Bear" to Telvent's breach that was reportedly traced to Chinese hackers. A considerable amount of private sector research has gone into SCADA vulnerabilities with some of this knowledge becoming publicly available to security researchers and criminal groups alike. With an estimated net worth of $2 billion, ISIS has the financial means necessary to develop sophisticated, customized cyber attacks.
One of the greatest dangers we can make is to underestimate this threat. After all, it's not as if successful cyber attacks haven't already been carried out in the name of terrorism:
With this in mind, there are at least five different tactics terrorist hackers could use the to target the US:
1. Denial of Service (DoS) - This is one of the easiest types of attacks to attempt and does not take much technical ability. But for those who would say this is just an annoyance, not a real threat, consider this: DoS attacks on retailers during the holiday shopping season could affect holiday sales figures and corporate earnings of everyone from Best Buy to Apple, leading to potential stock price declines. DoS attacks on public utilities, such as energy and water treatment plants, could disrupt services and cause public panic. DoS attacks on state and federal election authorities and voting equipment could disrupt the electoral process and cast election results in doubt. And those are just a few examples. DoS has been used successfully by Middle Eastern hacktivist groups like al Qassam and Syrian Electronic Army. Other groups like Anonymous, LulzSec and Lizard Squad have used DoS to disrupt the websites of major US banks, Western government agencies and major corporations.. There are a variety of tools readily available on hacker sites designed to launch such attacks.
2. Cyber-Crime and Business Extortion - Right now the majority of organized cyber-crime is run by Russian and Eastern European groups with no real political agendas, just a desire to make money. But what if jihadist groups played a more active role in this? For one, they could raise a ton of money to finance their terrorist operations - to the tune of millions of dollars per year just by selling "crimeware" kits, renting "botnets," and extorting businesses with DoS attacks or "ransomware" (one type of ransomware, called CryptoLocker, is estimated to have earned $30 million for criminals). And let's take this last point even further. Suppose cyber extortion became a more widely used tactic by jihadists, not just to raise money for themselves, but to disrupt the US economy, achieve political goals or limit freedom of speech?
3. Cell Phone Targeting - For less than $25,000 anyone can track cell phone users around the globe using products like Stingray, SkyLock, and others. Cell phone tracking products, which exploit the SS7 protocol, can be used by terrorists to target high-profile individuals for assassination or kidnapping. Given the ease with which hackers have compromised celebrities' cell phones in the past, it's not too far-fetched to imagine a more dire potential here.
4. Wiping Bank Records - In 2012, Mideast hackers infected 30,000 computers at Saudi Aramco with the Shamoon virus. What made this attack particularly frightening is that the virus carried an additional type of malware inside of it, known as a "wiper," which completely destroyed all the data on the computers' hard disks and rendered them unbootable, thereby making them unusable again. What if this attack had instead been used against Bank of America, JPMorgan Chase or Wells Fargo to destroy account records? Or how about the IRS? Imagine the chaos such an attack would cause for the US financial system. Wipers are a unique type of malware that are focused solely on destroying computers and sabotaging operations. As such, they aren't well-suited for cyber-criminals or cyber-espionage. They do, however, make the perfect weapon for a hacktivist group or cyberwarfare operation, which jihadist groups could adopt. Wiper attacks used to be rare, but they're becoming more common lately. In addition to Saudi Aramco, these attacks have targeted South Korea and Mideast countries like Iran. A number of wiper strains have been discovered, including Flamer, Disstrack and Narilam.
5. Targeting Critical Infrastructure - Even more frightening to consider is the potential for terrorists to attack critical facilities in the US by exploiting well-known (but so far largely unfixed) vulnerabilities. Industrial control systems like SCADA are what control the mechanical processes at power plants, electric grids, water treatment plants, oil refineries, etc. - basically any large-scale industrial operation. However, these systems were created decades ago before security was a real concern. Because these systems are sometimes now connected to the Internet, they can be remotely accessed and are easily penetrated. Stuxnet is an example of a SCADA attack and was used successfully to disrupt Iranian nuclear enrichment facilities. It would not be hard for a well-funded group, such as ISIS, to pull off this type of attack -- in fact, industrial control systems are easier to penetrate than traditional corporate computer networks. There's even a search engine that specializes in finding unprotected access points on critical infrastructure systems, and hacking tools available that criminals can purchase. This type of attack could be used to cause a regional power outage, disable a water treatment plant, disrupt an oil refinery, pipeline or fracking operation, all of which could be done in such a way as to disrupt a major city, endanger public safety for millions of people, cause a public health crisis and widespread panic, and even cause fatalities.
Cyberterrorist attacks on U.S. firms and infrastructure pose a serious threat to America's national security and economic health. In the end, this is not a threat that we can underestimate.
As the Western world becomes increasingly concerned about ISIS and the potential for homegrown terrorist attacks by its adherents, governments and their publics have focused their concerns more on traditional physical attacks, while overlooking the potential for cyber-based assaults.
Cyberwarfare is now largely seen as an integral part of modern warfare by most developed nations, and countries like the US, Russia, and China spend hundreds of millions of dollars per year developing these capabilities. Until now, however, we have yet to see sophisticated cyber tactics be used by jihadist groups like al-Qaeda or ISIS.
But that could soon change.
For several years, jihadist militants have boasted in online forums that it is only a matter of time before they execute a highly disruptive attack on the US infrastructure or its financial systems. In spite of what certain skeptics might say, such attacks are feasible, for several reasons. First, it has been documented by countless security researchers that industrial control systems -- these are the specialized computer systems used to run machinery at nuclear power plants, oil refineries, pipelines, electric grids, water treatment plants, etc. -- are weak, outdated and vulnerable to attack. A report released this summer by the Center for the Study of the Presidency and Congress found that the electric grid is vulnerable to cyber attacks that could shut off power to critical public utilities and important sectors of the economy. Already, a number of cyber-espionage campaigns have successfully infiltrated these supervisory control and data acquisition (SCADA) systems, from the Russian-sponsored "Energetic Bear" to Telvent's breach that was reportedly traced to Chinese hackers. A considerable amount of private sector research has gone into SCADA vulnerabilities with some of this knowledge becoming publicly available to security researchers and criminal groups alike. With an estimated net worth of $2 billion, ISIS has the financial means necessary to develop sophisticated, customized cyber attacks.
One of the greatest dangers we can make is to underestimate this threat. After all, it's not as if successful cyber attacks haven't already been carried out in the name of terrorism:
- In 2011, the FBI and Philippine law enforcement officials arrested four individuals who were allegedly paid by terrorists to hack into AT&T's Philippine networks.
- In 2012, a hacker group known as RedHack was prosecuted for taking down the central Turkish police website while simultaneously attacking 350 additional police websites across the country.
- In 2013, the Syrian Electronic Army launched a denial-of-service attack against the Washington Post and the New York Times, and just this year, Lizard Squad tweeted out a bomb threat and carried out an attack against Sony's Playstation network.
- In 2014, other groups such as AnonGhost carried out cyber operations against Israeli websites and Jewish businesses.
With this in mind, there are at least five different tactics terrorist hackers could use the to target the US:
1. Denial of Service (DoS) - This is one of the easiest types of attacks to attempt and does not take much technical ability. But for those who would say this is just an annoyance, not a real threat, consider this: DoS attacks on retailers during the holiday shopping season could affect holiday sales figures and corporate earnings of everyone from Best Buy to Apple, leading to potential stock price declines. DoS attacks on public utilities, such as energy and water treatment plants, could disrupt services and cause public panic. DoS attacks on state and federal election authorities and voting equipment could disrupt the electoral process and cast election results in doubt. And those are just a few examples. DoS has been used successfully by Middle Eastern hacktivist groups like al Qassam and Syrian Electronic Army. Other groups like Anonymous, LulzSec and Lizard Squad have used DoS to disrupt the websites of major US banks, Western government agencies and major corporations.. There are a variety of tools readily available on hacker sites designed to launch such attacks.
2. Cyber-Crime and Business Extortion - Right now the majority of organized cyber-crime is run by Russian and Eastern European groups with no real political agendas, just a desire to make money. But what if jihadist groups played a more active role in this? For one, they could raise a ton of money to finance their terrorist operations - to the tune of millions of dollars per year just by selling "crimeware" kits, renting "botnets," and extorting businesses with DoS attacks or "ransomware" (one type of ransomware, called CryptoLocker, is estimated to have earned $30 million for criminals). And let's take this last point even further. Suppose cyber extortion became a more widely used tactic by jihadists, not just to raise money for themselves, but to disrupt the US economy, achieve political goals or limit freedom of speech?
3. Cell Phone Targeting - For less than $25,000 anyone can track cell phone users around the globe using products like Stingray, SkyLock, and others. Cell phone tracking products, which exploit the SS7 protocol, can be used by terrorists to target high-profile individuals for assassination or kidnapping. Given the ease with which hackers have compromised celebrities' cell phones in the past, it's not too far-fetched to imagine a more dire potential here.
4. Wiping Bank Records - In 2012, Mideast hackers infected 30,000 computers at Saudi Aramco with the Shamoon virus. What made this attack particularly frightening is that the virus carried an additional type of malware inside of it, known as a "wiper," which completely destroyed all the data on the computers' hard disks and rendered them unbootable, thereby making them unusable again. What if this attack had instead been used against Bank of America, JPMorgan Chase or Wells Fargo to destroy account records? Or how about the IRS? Imagine the chaos such an attack would cause for the US financial system. Wipers are a unique type of malware that are focused solely on destroying computers and sabotaging operations. As such, they aren't well-suited for cyber-criminals or cyber-espionage. They do, however, make the perfect weapon for a hacktivist group or cyberwarfare operation, which jihadist groups could adopt. Wiper attacks used to be rare, but they're becoming more common lately. In addition to Saudi Aramco, these attacks have targeted South Korea and Mideast countries like Iran. A number of wiper strains have been discovered, including Flamer, Disstrack and Narilam.
5. Targeting Critical Infrastructure - Even more frightening to consider is the potential for terrorists to attack critical facilities in the US by exploiting well-known (but so far largely unfixed) vulnerabilities. Industrial control systems like SCADA are what control the mechanical processes at power plants, electric grids, water treatment plants, oil refineries, etc. - basically any large-scale industrial operation. However, these systems were created decades ago before security was a real concern. Because these systems are sometimes now connected to the Internet, they can be remotely accessed and are easily penetrated. Stuxnet is an example of a SCADA attack and was used successfully to disrupt Iranian nuclear enrichment facilities. It would not be hard for a well-funded group, such as ISIS, to pull off this type of attack -- in fact, industrial control systems are easier to penetrate than traditional corporate computer networks. There's even a search engine that specializes in finding unprotected access points on critical infrastructure systems, and hacking tools available that criminals can purchase. This type of attack could be used to cause a regional power outage, disable a water treatment plant, disrupt an oil refinery, pipeline or fracking operation, all of which could be done in such a way as to disrupt a major city, endanger public safety for millions of people, cause a public health crisis and widespread panic, and even cause fatalities.
Cyberterrorist attacks on U.S. firms and infrastructure pose a serious threat to America's national security and economic health. In the end, this is not a threat that we can underestimate.