The Terrorist Hacker: At The Intersection of Terrorism and Cybercrime
“The nations, of course, that are most at risk of a destructive digital attack are the ones with the greatest connectivity.”[1] - Kim Zetter
With clicks and swipes, we are embedded in the fabric of borderless human connectedness. So are terrorists and cybercriminals; they are entrenched in our digitized world. We often think of terrorists as weapon-wielding militants eager to join the battlefield trenches or plotting attacks in crowded cities. Seldom do we seriously envision the damage they could wreak on digital networks or sensitive databases. Yet the cyber battleground is increasingly becoming the main arena of adversarial confrontation. With cyberspace ever more ubiquitous, and countless tools, apps and online tutorials at our fingertips, coupled with opportunism and perseverance, we are very likely to see terrorists adding offensive cyber capabilities to their toolbox to achieve political ends in the near future.
From Fancy Bear[2] to the Sony hack[3], state-sponsored cyber actors, be they Iranian, North Korean or Russian, have disrupted and influenced public discourse by targeting networks, breaching databases and exposing confidential information to advance political objectives. Unlike militant groups, state-sponsored actors have the means, funding and mature operational capabilities to launch damaging cyberattacks against well-defended digital infrastructure. Contemporary terrorist groups like ISIS have rarely, if ever, pursued advanced offensive cyber skills, whether attack techniques such as DDoS[4], phishing and spamming, or access to exploits and malware tooling. Nor have intelligence analysts observed overt signs that terrorists have aggressively joined hacking-as-a-service markets, the dark-web marketplaces where hackers sell tools and services to essentially anyone who pays.
Where terrorists have thrived is in exploiting the openness and reach of cyberspace to connect, recruit and deliver hard-hitting propaganda to the farthest corners of the globe. ISIS has effectively expanded the definition of “cyberterrorism”: it no longer means only electronic attacks by non-state actors to advance political objectives, but also the persistent use of cyberspace to strengthen and reinforce violent ideological agendas.
So, what prevents groups like ISIS and Al-Qaeda from pursuing cyberattacks? The simple answer is nothing.
Analysts have observed for years that terrorist groups and their supporters are attracted to offensive cyber means. After the US killed Usama bin Laden in May 2011, Al-Qaeda’s central media wing, as-Sahab Media, released a lengthy two-part video entitled “You’re Responsible Only for Thyself,” urging supporters to focus on so-called lone-wolf attacks, including electronic attacks against Western targets such as “the electrical grid.”[5] The group hoped the message would push supporters to improve their cyber skillset and become cyber warriors. Ten years later, while the group is in disarray and its supporters are not actively engaged in electronic attacks, some are trying to recruit hackers online. For instance, Jaish Al-Malahem, a cyber group supportive of Al-Qaeda, issued a message in March 2021 via its Telegram channel recruiting hackers, among other roles, to join its cyber ranks.[6]
Similarly, and even more aggressively, cyber groups supportive of ISIS have emerged since 2014. Collectives like “United Cyber Caliphate” and “Caliphate Cyber Shield” have portrayed themselves as capable, but have mostly focused on harvesting personally identifiable information (PII) and exposing it online. Other small-time successes include web defacements of outdated sites: the hackers exploit a common web vulnerability in an unpatched site or subdomain to gain write access and upload their own content, in this case ISIS propaganda.
And with opportunity comes the grab. The COVID-19 pandemic has provided terrorists a tremendous opening to jump on the cybercrime bandwagon and potentially achieve virtual victories that would raise the bar in their confrontation with the West. This is what financially motivated cybercriminals have done over the past year. At the outset of the pandemic, cybercriminals struck gold as organizations witnessed a disconcerting spike in cyberattacks exploiting the abrupt rush to remote work around the globe. The layered network defenses built up over years to mitigate cyberattacks proved ineffective at protecting home-bound employees, most of whom became reliant on personal devices and home Wi-Fi connections outside the corporate perimeter.
The prospect of downgraded network defenses gave attackers a much larger target surface, as numerous reports documented. For instance, in April 2020, in the early stages of the pandemic, the World Health Organization (WHO) reported a staggering “fivefold increase” in cyberattacks targeting its networks and employees[7]. In August 2020, Interpol released an advisory[8] describing “an alarming rate of cyberattacks during COVID,” including phishing, spamming and disruptive malware attacks. Even at the individual level, intelligence agencies observed a clear increase in attacks, notably underscored in a September 2020 report by the UK National Cyber Security Centre (NCSC), part of GCHQ: a one-fifth increase in attacks targeting individuals, one-fourth of which were COVID-themed.[9]
In other words, the globe has turned into a massive virtual dartboard. For terrorists, access to off-the-shelf cyber technology has been a means to an end: to recruit, propagate and fundraise. However, given how easily cyberattack tools can be obtained today in the netherworld of the Internet, in large part due to the COVID-related upsurge of cybercrime, terrorists are now able to weaponize cyber tech beyond propaganda dissemination. One type of cyberattack in particular serves as both a bankrolling and a notoriety-elevating stream: ransomware. The attackers gain access to an organization’s systems and encrypt its data, denying the organization access to it until a specified sum, usually in cryptocurrency, is paid.
Organizations in all verticals, healthcare, legal, manufacturing and the public sector, rely heavily on their data to conduct business as usual. Without access to people’s information, contracts, financial records, blueprints and commercial transactions, organizations are incapacitated; they simply cannot function. Indeed, over the past several years, hackers realized that data is more valuable held hostage than stolen, and this has paid off in significant ways. Bitdefender, a global cybersecurity firm, released a report in 2020 indicating that year-over-year, global ransomware reports increased by an astounding 715.08%, “potentially suggesting that threat actors upped their ransomware campaigns to capitalize on both the pandemic and the work-from home context and the commoditization of ransomware-as-a-service.”[10] Not only did the volume increase, but so did the payments. According to Tripwire, “attacks in 2020 became…more damaging; the average ransom amount demanded increased from ~$110,000 in Q1 of 2020 to ~$170,000 in Q3.”[11]
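To make the “encrypt the data” step concrete from the defender’s side, here is an added example (not code from the original article) that applies the indicators a responder looks for on a file share after an incident: files rewritten as near-random bytes (high Shannon entropy), ransomware-style extensions, and a ransom note, while excusing archives and media that are legitimately high-entropy. The file contents, paths, extension lists and thresholds are all constructed assumptions and are not taken from any real ransomware family.

```python
import math
import os
import random
from collections import Counter

# Constructed sample data. A seeded PRNG stands in for ciphertext so the run is deterministic.
_rng = random.Random(1234)
CIPHERTEXT_LIKE = _rng.randbytes(4096)
PLAINTEXT_LIKE = b"Quarterly contract review: payment terms net 30, delivery by end of Q3. " * 60
RANSOM_NOTE = b"YOUR FILES HAVE BEEN ENCRYPTED. To decrypt them send bitcoin to the address below."

# Constructed snapshot of a file share after an incident: path -> content.
INFECTED_SHARE = {
    "finance/contracts_q3.docx.locked": CIPHERTEXT_LIKE,
    "finance/payroll.xlsx.locked": CIPHERTEXT_LIKE,
    "hr/README_TO_RESTORE.txt": RANSOM_NOTE,
    "hr/policy.txt": PLAINTEXT_LIKE,
    "legal/archive.zip": CIPHERTEXT_LIKE,   # legitimately high-entropy; must not be flagged
}
CLEAN_SHARE = {
    "finance/contracts_q3.docx": PLAINTEXT_LIKE,
    "hr/policy.txt": PLAINTEXT_LIKE,
    "legal/archive.zip": CIPHERTEXT_LIKE,
}

# Heuristic thresholds and lists (assumptions; tune to the environment).
ENTROPY_THRESHOLD = 7.5                                   # bits per byte
COMPRESSED_EXTS = {".zip", ".gz", ".7z", ".png", ".jpg", ".mp4", ".pdf"}
RANSOM_EXTS = {".locked", ".encrypted", ".crypt"}        # generic names, not tied to a real family
NOTE_KEYWORDS = (b"encrypted", b"decrypt", b"bitcoin")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or random data, roughly 4 to 5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess_file(path: str, data: bytes) -> list[str]:
    """Return the ransomware indicators observed for one file (empty list means clean)."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    if ext in RANSOM_EXTS:
        reasons.append("ransomware-style extension")
    # High entropy alone is not proof: archives and media also sit near 8 bits/byte,
    # so the entropy check is gated on the file not being a known compressed format.
    if ext not in COMPRESSED_EXTS and shannon_entropy(data) > ENTROPY_THRESHOLD:
        reasons.append("high entropy outside a compressed format")
    if ext == ".txt" and sum(k in data.lower() for k in NOTE_KEYWORDS) >= 2:
        reasons.append("ransom-note wording")
    return reasons


def scan_share(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Map every flagged path to its indicators."""
    return {p: r for p, d in files.items() if (r := assess_file(p, d))}


def looks_like_ransomware(files: dict[str, bytes], min_fraction: float = 0.5) -> bool:
    """Alert on the share-wide fraction: one odd file is noise, half the share rewritten is an incident."""
    if not files:
        return False
    return len(scan_share(files)) / len(files) >= min_fraction


if __name__ == "__main__":
    for path, reasons in scan_share(INFECTED_SHARE).items():
        print(f"{path}: {', '.join(reasons)}")
    print("incident:", looks_like_ransomware(INFECTED_SHARE))
```

Entropy is a weak signal on its own, which is why the scan gates it on extension and alerts on the share-wide fraction rather than on single files. In a live environment the same logic runs over file-change events from the EDR or file-server audit log rather than over a static snapshot, and the first alert should trigger isolation of the writing host, not just a ticket.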
For terrorists, the prospect of compensating for territorial losses and shrinking ranks is unambiguous and extensive. With the right financial resources and access to illicit cyber marketplaces, their fingers can move from gun triggers to keyboards, creating an avenue to reinsert themselves into the global spotlight as an evolved threat and to earn handsome sums to fund physical attacks, all while staying hidden behind online avatars for purchases, cryptocurrency payments (pseudonymous, though not truly untraceable, as blockchain analysis has repeatedly shown) and contacts with illicit dark-web vendors.
We have previously seen ISIS-related hackers and cyberattacks emerge, amateurish as they were. The hijacking of the US CENTCOM Twitter account in January 2015 is probably the most infamous incident[12]. Some self-proclaimed ISIS-supporting hackers have dabbled in offensive cyber operations since then, most of them repurposing publicly available information (PAI) into so-called “hit lists.” One case in particular grabbed the spotlight when the personally identifiable information (PII) of some one thousand US military service members was released by the so-called Cyber Caliphate. Investigators traced it to Ardit Ferizi, a Kosovar hacker who broke into a third-party company’s database, stole the information and shared it with Junaid Hussain, a hacker who had joined ISIS in Raqqa, Syria, ran the one-man show that was Cyber Caliphate, and was later killed in a US airstrike.
The damage the Cyber Caliphate caused, while not striking, is noteworthy because it showcases what one determined, tech-savvy radical could accomplish, instantly casting ISIS as a potential cyber nemesis. The incident was on newspaper front pages and reported by global media outlets for weeks on end. It raised major concerns that terrorists might resort to offensive cyber means to wreak havoc, from infiltrating the systems of drones and self-driving cars to targeting industrial control systems (ICS). The US Department of Justice said the Hussain-Ferizi case represents “the very real and dangerous national security cyber threat that results from the combination of terrorism and hacking.”[13] That is, terrorists do not need a “cyber 9/11” to cause lasting damage.
There are numerous hacking-as-a-service marketplaces where one can buy ways into Facebook profiles, WhatsApp groups and email accounts. For as little as $500[14], virtually anyone can hire a hacker to launch a customized attack for corporate espionage. Even more damaging is what hackers can do once they have hijacked the right corporate email accounts, a tactic known as Business Email Compromise (BEC). Once an employee’s mailbox is under attacker control, it can be used to send email-borne malware to colleagues company-wide from the employee’s genuine address, which passes the recipients’ trust and the mail server’s authentication checks alike. From there, attackers can extend their foothold across the company network. For instance, the hacker-for-hire group “DeathStalker” uses proprietary malware to target the financial sector, among others, on behalf of “nation-states, companies interested in corporate espionage, or other criminal groups looking to resell what the hackers steal.”[15] These so-called cyber mercenaries are not ideologically motivated, but they will sell their services for a price.
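As an added example of the defensive side of what this paragraph describes (not code from the original article): once a mailbox is genuinely compromised, SPF, DKIM and DMARC all pass, so detection has to rest on behaviour rather than on sender authentication. The script below runs over a constructed outbound mail log and flags a mailbox that fans out a risky attachment type to an unusual number of internal colleagues within a short window, while leaving a legitimate bulk sender alone. The domain, addresses, attachment list, window and threshold are assumptions.

```python
import os
from collections import defaultdict
from datetime import datetime, timedelta

DOMAIN = "example.com"   # assumption: the organisation's own mail domain

# Constructed outbound mail log: (ISO timestamp, sender, recipient, attachment name or None).
COLLEAGUES = [f"user{i:02d}@{DOMAIN}" for i in range(1, 31)]
NORMAL = [
    ("2021-03-10T09:02:00", f"j.doe@{DOMAIN}", COLLEAGUES[0], None),
    ("2021-03-10T09:40:00", f"j.doe@{DOMAIN}", COLLEAGUES[1], "q3_forecast.xlsx"),
    ("2021-03-10T11:15:00", f"j.doe@{DOMAIN}", "vendor@partner.example", "po_4471.pdf"),
]
# HR newsletter: large fan-out, but a benign attachment type, so it must not alert.
NEWSLETTER = [("2021-03-10T08:00:00", f"newsletter@{DOMAIN}", r, "weekly_update.pdf")
              for r in COLLEAGUES]
# Compromised mailbox: twelve colleagues receive "invoice.zip" within eleven minutes.
BURST = [(f"2021-03-10T14:{m:02d}:00", f"j.doe@{DOMAIN}", COLLEAGUES[i], "invoice.zip")
         for i, m in enumerate(range(12))]
MAIL_LOG = NORMAL + NEWSLETTER + BURST

# Attachment types commonly used to deliver malware (assumption; extend per environment).
RISKY_EXTS = {".zip", ".iso", ".img", ".js", ".vbs", ".exe", ".docm", ".xlsm", ".html", ".lnk"}
WINDOW = timedelta(minutes=15)
FANOUT_THRESHOLD = 10   # distinct internal recipients per window; derive from per-sender baselines in practice


def is_internal(addr: str) -> bool:
    return addr.lower().endswith("@" + DOMAIN)


def is_risky_attachment(name) -> bool:
    return name is not None and os.path.splitext(name)[1].lower() in RISKY_EXTS


def detect_internal_fanout(log, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Return {sender: (window_start, recipient_count, attachment)} for every internal sender
    that delivers a risky attachment to at least `threshold` distinct internal recipients
    inside one sliding window of length `window`."""
    by_sender = defaultdict(list)
    for ts, sender, rcpt, att in log:
        if is_internal(sender) and is_internal(rcpt) and is_risky_attachment(att):
            by_sender[sender].append((datetime.fromisoformat(ts), rcpt, att))
    alerts = {}
    for sender, events in by_sender.items():
        events.sort()
        for start, _, att in events:      # try each event as the start of a window
            rcpts = {r for t, r, _ in events if start <= t <= start + window}
            if len(rcpts) >= threshold:
                alerts[sender] = (start, len(rcpts), att)
                break
    return alerts


if __name__ == "__main__":
    for sender, (start, n, att) in detect_internal_fanout(MAIL_LOG).items():
        print(f"ALERT {sender}: {n} internal recipients received {att} from {start.isoformat()}")
```

A fixed threshold of ten fits this toy log; in production the threshold should come from each sender’s own baseline (recipients per hour over the preceding weeks), otherwise HR and IT announcements drown the alert in noise. Pair it with sign-in telemetry (new device, new country) and with auditing of newly created inbox forwarding rules, the other common marker of a hijacked mailbox.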
Judged by their price lists, hacking-for-hire services cost about as much as improvised explosive devices (IEDs). In 2013, USA Today laid out the cost of IEDs in Afghanistan, reporting that “the most-common IED, the type triggered by a person's weight or a vehicle, cost $416 to build,” that “an IED triggered by wire is even cheaper: $386,” and that radio-signal detonation raises the cost to as much as $478.[16] Even allowing for some increase in IED costs since then, the price of hacking services remains comparable. Essentially, price is not much of a concern.
Hence, we can reasonably assume that the cost of clandestinely recruiting hackers to do the bidding of terrorist groups, or the price of malware, is not much of an obstacle. Terrorists would be more concerned with the recruitment vehicle and with acquiring the technical aptitude to find the right source and skillset. The “how” becomes a matter of learning the tactics and techniques of joining dark-web cybercriminal communities, masking their identity, obfuscating their location, and making bids to recruit hackers or purchase malware. It will be a trial-and-error pursuit; not every advertisement by hackers-for-hire, or black hats, is authentic. The probability of success is a matter of volume: every engagement with underground hackers advances the terrorists’ learning curve until they become proficient in the ins and outs of the hacking communities.
Terrorists do not have to look far. A plethora of instructional manuals on how to safely access the dark web are available online, with some websites listing hundreds of links to prominent hacking forums and cybercriminal marketplaces. Though unstructured, everything terrorists need to obtain hacking tools and recruit hackers is available online. Even at the entry level, hacking websites offering tutorials in Arabic, English, Russian and other languages turn up with a simple Google search. For instance, the largest Arabic-language hacking forum, “Muntada Jyyoush Al-Hackers”, has been online for years with thousands of active members, and it hosts content that helps beginner and intermediate hackers advance their skillset.
As one of the world’s most renowned hackers, Kevin Mitnick, once noted, “hacking is big business”, and it is evidently growing. The cybercriminal world is big enough for terrorists of all stripes to capitalize on. Still, the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) notes that traditional terrorist groups are “less developed in their computer network capabilities to pursue cyber means,” but cautions that the intelligence community anticipates “more substantial cyber threats are possible in the future as a more technically competent generation enters the ranks.”[17] One can reasonably say that over the past several years, contemporary terrorist groups have focused their recruiting on the touch-screen generation, a generation cyber-competent and tech-forward enough to incorporate offensive cyber means into its agenda. That generation is here now, and we must be vigilant.
[1] https://medium.com/@KushanJanith/cyber-weapons-stuxnet-4f2fa4502c55#:~:text=%E2%80%9CThe%20nations%2C%20of%20course%2C,live%20in%20a%20glass%20house.%E2%80%9D
[2] A hacking group widely believed to be sponsored by the Russian government, specifically GRU Unit 26165. The group, also known as APT28 and Sofacy, has targeted, among others, the US Federal Government.
[3] The hacking group “Guardians of Peace,” largely believed to be tied to the North Korean government, launched a cyberattack against Sony Pictures Entertainment in November 2014 and stole a massive amount of proprietary information.
[4] Distributed Denial of Service attacks, in which attackers overwhelm a target with traffic generated by a botnet, a network of compromised computers (known as bots, or “zombies”), taking websites or services offline.
[5] https://worldview.stratfor.com/article/al-qaedas-new-video-message-defeat
[6] https://twitter.com/MENAanalyst/status/1370357288687525897
[7] https://www.who.int/news/item/23-04-2020-who-reports-fivefold-increase-in-cyber-attacks-urges-vigilance
[8] https://www.interpol.int/en/News-and-Events/News/2020/INTERPOL-report-shows-alarming-rate-of-cyberattacks-during-COVID-19
[9] https://www.ft.com/content/f3d638f1-ff3c-4f8c-9a78-b96eec9c2cb8
[10] https://www.bitdefender.com/files/News/CaseStudies/study/366/Bitdefender-Mid-Year-Threat-Landscape-Report-2020.pdf
[11] https://www.tripwire.com/state-of-security/security-data-protection/review-of-ransomware/
[12] https://www.washingtonpost.com/news/checkpoint/wp/2015/01/12/centcom-twitter-account-apparently-hacked-by-islamic-state-sympathizers/
[13] https://www.justice.gov/opa/pr/isil-linked-kosovo-hacker-sentenced-20-years-prison
[14] https://www.businessinsider.com/things-hire-hacker-to-do-how-much-it-costs-2018-11#6-break-into-a-cell-phone-2160month-or-more-6
[15] https://www.csoonline.com/article/3573780/11-types-of-hackers-and-how-they-will-harm-you.html
[16] https://www.usatoday.com/story/nation/2013/06/24/price-list-for-ieds-shows-how-insurgents-fight-on-a-budget/2447471/
[17] https://us-cert.cisa.gov/ics/content/cyber-threat-source-descriptions#terror
Teacher Assistant
3 years
I think if you need a hacker-for-hire service, you should not hire a hacker with a Gmail account because most times it is a false approach. I have done that twice and I didn't really like the outcome. The deep web is the only legit place to hire them, or you can simply talk to sniffingnose ATrepairman . c o m as they are one of the hackers I have been using for the past months. Again, you always have to do your research just to be on the safe side.
Adjunct Professor, George Washington University
3 years
Laith, I will use this for my class on cyber war and cyber terrorism. I would add to what you have said that terrorists like drama, and there are no doubt terrorist/hackers studying how to use cyber means to make a big boom. The problem with the “We haven't seen...” approach to intelligence is that we haven't seen it until we do see it. Thanks.