Cyber terrorism: Waging war through the net

The collection of compromised devices used to perform these forms of attack are easily accessible to anyone (such as nefarious individuals, groups, nation states) who know where to obtain them and who have the funds. There are no other requirements or restrictions.

This denial of service capability is used to target political sites, social causes, gaming and gambling sites, and a smattering of other issues or causes in which the attacker can collect money or damage someone. In fact, in 2017, we saw DDoS attacks more and more frequently used as a tool for political struggle. The Qatar crisis was accompanied by an attack on the website of Al Jazeera, the largest news network in the area. Le Monde and Le Figaro websites were targeted in the heat of the presidential election in France, and in Great Britain during the Brexit voter registration process, some citizens were excluded from the referendum because of continuous attacks on the website.

No skill required
In today’s cyber climate, attacks can be launched by almost anyone without any level of skill required – other than being able to access the ‘dark web’. Cyber crime has become commoditised and almost any element of an attack chain can be found for purchase or hire. Of the many pure criminal level services available on the ‘dark web’ and the true cyber underground, several easy to acquire services are hacking for hire, compromised server access, and harvested credentials.

These three services alone can be used to gain enough access to further your way into a specific targeted organisation. To illustrate this, during one of my intelligence efforts in the past, I had revolving access to targeted control panels, servers which were used to collect information from systems compromised by various criminal groups. One particular server contained information from a few hotel business centre computers. These computers were used by a handful of NASA JPL employees, while at an offsite conference, who accessed their work webmail, then their private email accounts, allowing me to be able to harvest enough personnel information on several scientists to target them individually and likely expand my access into their personal devices, and very likely their office computers; including the credentials to both their personal and work email account. As a ‘bad guy’ this would be the ultimate objective in obtaining a foothold inside a strategic target. I could do this simply by acquiring access to a run-of- the-mill criminal control panel for malware harvesting random credentials.

To illustrate the potential reward of cyber attacks, the web application used by the US government to collect and process security clearances was hacked and all individual background investigations packets were stolen for a significant period of time. These packets contain all the derogatory information on each applicant, their entire work history, their associates and friends at each stop and very private personal information. This level of information on a single individual or office would take a significant amount of time and resources to acquire by another nations espionage effort – and even longer or near impossible for a terrorist group or fringe nation. With one flaw in the web application design, decades of traditional efforts were overcome.

A solitary defence
Although awareness of the cyber threat has grown, many institutions do not fully recognise the evolving threat of cyber actors as the techniques, tools, and methods are moving targets and advance quickly, making it difficult to rely on ‘static security’ as we have in the past, such as lock it and forget it. The cyber world has truly become the next geo-political battleground and regardless of whether you are a government or financial institution, commercial entity, or individual, everyone is a target and currently we all stand apart, on our own to defend ourselves. Something to consider, are the superpowers drunk on the information they collect through their own cyber capabilities to the point that they allow commercial and personal cyber damages from other nations as a cost of doing business?