ISIS Cyberthreat: Puny but Gaining Power

The Islamic State group’s cyberwar capabilities are unsophisticated, but they won’t be that way for long.

That was the conclusion of a 25-page report released last week byFlashpoint.

The report, “Hacking for ISIS: The Emergent Cyber Threat Landscape,” found that the Islamic State’s “overall capabilities are neither advanced nor do they demonstrate sophisticated targeting.”

However, the severity of the attacks by the groups supporters isn’t likely to remain unsophisticated, it added.

“Their capability of hacking military or NSA servers in the United States is far-fetched, but it’s not completely impossible,” said Laith Alkhouri, Flashpoint’s director of Middle East and North Africa research and one of the authors of the report.

“Concern is high, not because they have sophisticated hacking skills but because they’re utilizing multiple ways of bringing in new talent, utilizing all the freely available tools online, trying to utilize malware that’s already available and building their own malware,” he told TechNewsWorld.

Script Kiddie Assassins

ISIS lacks the organization and skills of other cyber adversaries of the United States, noted another author of the report, Flashpoint Director of Security Research Allison Nixon.

“Chinese and Russian hackers are organized criminal gangs or nation-state supported groups,” she told TechNewsWorld. “They’re highly educated, highly skilled. They use custom malware and custom tools.”

“On the other hand, ISIS supporters are more like script kiddies or hactivists. They have a low level of sophistication and engage in behavior patterns and use toolsets that we would see in any other attention-seeking group,” Nixon continued.

“They’re using open source tools and very old public exploits,” she said. “They’re only capable of hacking sites that aren’t very well maintained in the first place.”

Although ISIS hackers have some similarities to hactivists, they differ from them in at least one very important way. “Hacktivists don’t threaten physical violence,” Nixon said. “Physical violence is an important part of ISIS hackers.”

“They’re interested in translating these online threats into physical attacks,” she added.

Attacks of Opportunity

The hacking tools of ISIS cyberwarriors are almost invariably going to be taken from publicly available open source projects because of the ease of obtaining such tools along with the fact that they can often be used successfully, the report noted.

Developing proprietary tools would require significant effort and resources to create a completely private toolset that is on par, or better than, what is already available publicly, it said.

Of course, actors may modify this publicly available software or write simple scripts, but it is unlikely these groups are building software from the ground up for their supporters to use, the report said.

“As pro-ISIS cyber attacks and capabilities have gradually increased over time but remained relatively unsophisticated, it is likely that in the short run, these actors will continue launching attacks of opportunity,” it noted.

“Such attacks, include finding and exploiting vulnerabilities in websites owned by, for example, small businesses, and defacing these websites. Other attacks may include DDoS attacks,” the report continued.

Hacking Powerhouse

Pro-ISIS cyberactors are demonstrating an upward trajectory, indicating that they will continue to improve and amplify pre-existing skills and strategies, the report said.

Such a trend was exemplified by the recent merger of multiple pro-ISIS cybergroups under one umbrella: the United Cyber Caliphate.

“We’re starting to see these groups coalesce their brand. They’re increasing their ranks in number. They’re increasing their ranks in skill. They’re increasing their ranks in languages, which means they’re increasing the channels on which they operate and which they distribute their claims of responsibility,” Alkhouri noted.

“That means they have a much more powerful message and a more robust structure than before,” he continued. “They are coalescing their ranks to become a hacking a powerhouse.”

U.S. Responds

The United States isn’t ignoring the growing threat of ISIS in cyberspace. A new campaign was designed to disrupt the ability of the Islamic State to spread its message, attract new adherents, circulate orders from commanders and carry out day-to-day functions, like paying its fighters, according to a news report published last week.

While the Pentagon hasn’t been shy about letting ISIS know U.S. cyberforces will be gunning for it, details have been in short supply.

“There doesn’t seem to be any specifics on what they intend to do or how they intend to carry it out,” said Lawrence Husick, co-chairman of theForeign Policy Research Institute’s Center for the Study of Terrorism.

“It may be as something as simple as finding some servers and executing an automated attack on those servers,” he told TechNewsWorld, “or it may be something more complicated, like the use of directed malware or the disruption of encrypted channels used by ISIS on the dark Web.”

Given how the military likes to keep its cyber cards close to its BDUs, it’s a bit unusual that it’s saying anything at all about its plans for ISIS. “I’m not sure why they chose to talk about it,” said Richard Stiennon, author of There Will Be Cyberwar.

“It’s better to take advantage of your ability to intercept and spoof messages without telling your adversary about it,” he told TechNewsWorld.

Psych Op

However, there could be a domestic angle to the Pentagon’s bravado about its cyberwar efforts. “There’s a desire by the branches for more dollars from Congress for their cyber programs,” Stiennon said.

On the other hand, prying money from Congress for cyber initiatives doesn’t seem to be a problem. “For many years, Congress has pretty much given the military everything that it wants in the way of cyber,” Husick said. “That’s one area of the budget where they have really not had any problem at all.”

The Pentagon’s announcement of a cyber campaign could be an effective weapon against ISIS. “Deception and disruption are part of the game of warfare,” he said. “There are times when you say something and do nothing, and there are other times when you do something and say nothing.”

“They may be trying to get into the head of ISIS,” said retired Rear Adm. James Barnett, head of the cybersecurity practice atVenable.

Nevertheless, he doesn’t think the Pentagon is bluffing when it says it’s going to escalate the cyberwar with ISIS.

“We may not hear about the operations for months, but at some point we’ll hear about a coordinated strike, either in combination with conventional forces or something significant in cyberspace,” he told TechNewsWorld.

Breach Diary

  • April 25. Bloomberg reports Ben Lazimy sued HSBC Holdings in Paris employment tribunal for unfair dismissal for sending a 1,400 page spreadsheet containing all the bank’s equities transactions in 2010 to his personal email account.
  • April 25. Spotify denies reports a data breach has compromised numerous accounts on the service. It says data from a breach at another service was used to compromise the Spotify accounts.
  • April 25. First Choice Federal Credit Union sues Wendy’s in a federal court in Pittsburgh over a malware infection of its point-of-sale system, saying it put millions of customer payment cards at risk.
  • April 26. Hackers post some 1.4 GB of sensitive data leaked from the Qatar National Bank to whistleblower site Cryptome.
  • April 26. Motherboard reports more than 7 million accounts belonging to members of the Minecraft gaming community have been compromised. It says breach occurred in January but users were not informed of it.
  • April 26. alerts members who submitted data to the site before mid-July 2015 that sensitive information about them is at risk from a data breach. As many as 1.2 million people could be affected by the breach.
  • April 26. KPIX-TV reports that tax information for as many as 3,000 employees at the Academy of Art in San Francisco is at risk after it was emailed to someone posing as a senior executive at the school.
  • April 27. Verizon releases 2016 data breach report, which includes finding that 89 percent of cyberattacks involve financial or espionage motivations.
  • April 27. Daily Dot reports hackers have posted to the Internet 14.8 GB of data from breach at Goldcorp.
  • April 27. SC Magazine reports LuckyPet has announced that a malware infection of its online shopping cart provider resulted in an unauthorized third party intercepting customer information submitted to the site while making purchases. The company didn’t disclose the number of customers the breach affected.
  • April 28. Solano Community College in California announces tax information for 1,200 employees is at risk from an email phishing scam.
  • April 28. Reuters reports that online activists claiming affiliation with Anonymous have begun posting to the Internet documents from a trove of one terabyte of data obtained from a data breach of Kenya’s foreign ministry.
  • April 29. The campaign of presidential candidate Bernie Sanders withdraws lawsuit against Democratic National Committee over data breach at DNC.
  • April 29. Sheriff’s office in Piscataquis County, Maine, is investigating a case involving a school employee emailing W-2 information to a fraudster posing as the superintendent of schools.
  • April 29. The National Bureau of Investigation arrests Joenel de Asis, 23, in connection with a data breach that exposed information of 55 million registered Filipino voters.
  • April 29. Gumtree notifies its users that personal information they’ve given the site is at risk because of a data breach.

Upcoming Security Events

  • May 7. B-Sides Chicago. Concord Music Hall, 2047 N. Milwaukee Ave., Chicago. Free.
  • May 11. SecureWorld Houston. Norris Conference Centre, 816 Town and Country Blvd., Houston. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.
  • May 17. Securing ICS/SCADA Networks. 5 a.m. ET. Webinar by Fortinet. Free.
  • May 18-19. DCOI|INSS USA-Israel Cyber Security Summit. The Marvin Center, 800 21st St. NW, Washington, D.C. Hosted by George Washington University. Free.
  • May 19. Cyber Security for the Power Grid: Securing DNP3 Communications. 2 p.m. ET. Webinar by Belden. Free.
  • May 20-21. B-Sides Boston. Microsoft NERD, 1 Memorial Drive, Cambridge, Massachusetts. Tickets: $20.
  • May 21. B-Sides Cincinnati. University of Cincinnati, Tangeman University Center, Cincinnati. Tickets: $10.
  • May 21. B-Sides San Antonio. St. Mary’s University, One Camino Santa Maria, San Antonio. Tickets: $10.
  • May 24. PCI DSS: Preventing Costly Cases of Non Compliance. 1 p.m. ET. Webinar by VigiTrust, HPE Data Security, Aberdeen Group and Coalfire. Free with registration.
  • June 1-2. SecureWorld Atlanta. Cobb Galleria Centre (Ballroom), Atlanta. Registration: conference pass, $325; SecureWorld plus $725; exhibits and open sessions, $30.
  • June 6-9. Cloud Identity Summit. New Orleans Marriott, 555 Canal St., New Orleans. Registration: $1,695.
  • June 8. B-Sides London. ILEC Conference Center, 47 Lillie Rd., London SW6 1UD, UK. Free.
  • June 9. SecureWorld Portland. Oregon Convention Center. Registration: conference pass, $325; SecureWorld plus $725; exhibits and open sessions, $30.
  • June 10. B-Sides Pittsburgh. Spirit Pittsburgh, 242 51st St., Pittsburgh. Free.
  • June 11-12. B-Sides Latin America. PUC-SP (Consolao), So Paulo. Free.
  • June 15. Federal Trade Commission’s Start with Security — Chicago. Northwestern Pritzker School of Law, 375 E. Chicago Ave. (corner of Lake Shore Drive), Chicago. Free.
  • June 13-16. Gartner Security & Risk Management Summit. Gaylord National Resort & Convention Center, 201 Waterfront St., National Harbor, Maryland. Registration: until April 15, $2,950; after April 15, $3,150; public sector, $2,595.
  • June 20. Center for New American Security Annual Conference. 9:30 a.m.-5:30 p.m. J.W. Marriott, 1331 Pennsylvania Ave., Washington, D.C. Free with registration.
  • June 22. Combatting Targeted Attacks to Protect Payment Data and Identify Threats. 1 p.m. ET. Webinar by TBC. Free.
  • June 29. UK Cyber View Summit 2016 — SS7 & Rogue Tower Communications Attack: The Impact on National Security. The Shard, 32 London Bridge St., London. Registration: private sector, Pounds 320; public sector, Pounds 280; voluntary sector, Pounds 160.
  • June 30. DC/Metro Cyber Security Summit. The Ritz-Carlton Tysons Corner, 1700 Tysons Blvd., McLean, Virginia. Registration: $250.
  • August 25. Chicago Cyber Security Summit. Hyatt Regency Chicago, 151 E. Wacker Drive, Chicago. Registration: $250.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Cybersecurity

Technewsworld Channels