The Islamic State group’s cyber-war capabilities are unsophisticated, but they won’t be that way for long.
That was the conclusion of a 25-page report released last week by Flashpoint.
The report, “Hacking for ISIS: The Emergent Cyber Threat Landscape,” found that the Islamic State’s “overall capabilities are neither advanced nor do they demonstrate sophisticated targeting.”
However, the severity of the attacks by the group’s supporters isn’t likely to remain unsophisticated, it added.
“Their capability of hacking military or NSA servers in the United States is far-fetched, but it’s not completely impossible,” said Laith Alkhouri, Flashpoint’s director of Middle East and North Africa research and one of the authors of the report.
“Concern is high, not because they have sophisticated hacking skills but because they’re utilizing multiple ways of bringing in new talent, utilizing all the freely available tools online, trying to utilize malware that’s already available and building their own malware,” he told TechNewsWorld.
Script Kiddie Assassins
ISIS lacks the organization and skills of other cyber adversaries of the United States, noted another author of the report, Flashpoint Director of Security Research Allison Nixon.
“Chinese and Russian hackers are organized criminal gangs or nation-state supported groups,” she told TechNewsWorld. “They’re highly educated, highly skilled. They use custom malware and custom tools.”
“On the other hand, ISIS supporters are more like script kiddies or hacktivists. They have a low level of sophistication and engage in behavior patterns and use toolsets that we would see in any other attention-seeking group,” Nixon continued.
“They’re using open source tools and very old public exploits,” she said. “They’re only capable of hacking sites that aren’t very well maintained in the first place.”
Although ISIS hackers have some similarities to hacktivists, they differ from them in at least one very important way. “Hacktivists don’t threaten physical violence,” Nixon said. “Physical violence is an important part of ISIS hackers.”
“They’re interested in translating these online threats into physical attacks,” she added.
Attacks of Opportunity
The hacking tools of ISIS cyberwarriors are almost invariably going to be taken from publicly available open source projects because of the ease of obtaining such tools along with the fact that they can often be used successfully, the report noted.
Developing proprietary tools would require significant effort and resources to create a completely private toolset that is on par with, or better than, what is already available publicly, it said.
Of course, actors may modify this publicly available software or write simple scripts, but it is unlikely these groups are building software from the ground up for their supporters to use, the report said.
“As pro-ISIS cyber attacks and capabilities have gradually increased over time but remained relatively unsophisticated, it is likely that in the short run, these actors will continue launching attacks of opportunity,” it noted.
“Such attacks include finding and exploiting vulnerabilities in websites owned by, for example, small businesses, and defacing these websites. Other attacks may include DDoS attacks,” the report continued.
Pro-ISIS cyberactors are demonstrating an upward trajectory, indicating that they will continue to improve and amplify pre-existing skills and strategies, the report said.
Such a trend was exemplified by the recent merger of multiple pro-ISIS cybergroups under one umbrella: the United Cyber Caliphate.
“We’re starting to see these groups coalesce their brand. They’re increasing their ranks in number. They’re increasing their ranks in skill. They’re increasing their ranks in languages, which means they’re increasing the channels on which they operate and which they distribute their claims of responsibility,” Alkhouri noted.
“That means they have a much more powerful message and a more robust structure than before,” he continued. “They are coalescing their ranks to become a hacking powerhouse.”
The United States isn’t ignoring the growing threat of ISIS in cyberspace. A new campaign was designed to disrupt the ability of the Islamic State to spread its message, attract new adherents, circulate orders from commanders and carry out day-to-day functions, like paying its fighters, according to a news report published last week.
While the Pentagon hasn’t been shy about letting ISIS know U.S. cyberforces will be gunning for it, details have been in short supply.
“There doesn’t seem to be any specifics on what they intend to do or how they intend to carry it out,” said Lawrence Husick, co-chairman of the Foreign Policy Research Institute’s Center for the Study of Terrorism.
“It may be something as simple as finding some servers and executing an automated attack on those servers,” he told TechNewsWorld, “or it may be something more complicated, like the use of directed malware or the disruption of encrypted channels used by ISIS on the dark Web.”
Given how the military likes to keep its cyber cards close to its BDUs, it’s a bit unusual that it’s saying anything at all about its plans for ISIS. “I’m not sure why they chose to talk about it,” said Richard Stiennon, author of There Will Be Cyberwar.
“It’s better to take advantage of your ability to intercept and spoof messages without telling your adversary about it,” he told TechNewsWorld.
However, there could be a domestic angle to the Pentagon’s bravado about its cyberwar efforts. “There’s a desire by the branches for more dollars from Congress for their cyber programs,” Stiennon said.
On the other hand, prying money from Congress for cyber initiatives doesn’t seem to be a problem. “For many years, Congress has pretty much given the military everything that it wants in the way of cyber,” Husick said. “That’s one area of the budget where they have really not had any problem at all.”
The Pentagon’s announcement of a cyber campaign could be an effective weapon against ISIS. “Deception and disruption are part of the game of warfare,” he said. “There are times when you say something and do nothing, and there are other times when you do something and say nothing.”
“They may be trying to get into the head of ISIS,” said retired Rear Adm. James Barnett, head of the cybersecurity practice at Venable.
Nevertheless, he doesn’t think the Pentagon is bluffing when it says it’s going to escalate the cyberwar with ISIS.
“We may not hear about the operations for months, but at some point we’ll hear about a coordinated strike, either in combination with conventional forces or something significant in cyberspace,” he told TechNewsWorld.