When we think about America’s adversaries in cyberspace, we think of large, near-peer nation-states with sophisticated militaries and incredibly capable cyberwarriors at their disposal. We think of countries like Russia, China, and North Korea. But the threat against America extends beyond our largest adversaries and could, in fact, emanate from a much less likely, but equally deadly source – terrorist and extremist groups.
We’ve long known that these organizations have been leveraging the Internet to recruit, intimidate, and communicate. So, according to Evan Kohlmann of Flashpoint, it really shouldn’t come as a surprise that they’re also leveraging it to attack their targets.
Evan Kohlmann serves as the Chief Innovation Officer at Flashpoint and has an incredible resume when it comes to counter-terrorism. He has fifteen years of experience tracking Al-Qaida, ISIS, and other terrorist groups, and has consulted for the U.S. Department of Defense and Department of Justice.
During our discussion, we asked Evan about the threat that terrorist groups pose in cyberspace, the types of attacks that they perpetrate, and the tools that they use to carry out their attacks. We also asked about their motivation, the level of sophistication of their cyberwarfare capabilities, and how organizations need to safeguard themselves from terrorist cyberattacks.
Here is what Evan had to say:
GovCyberHub (GCH): When we think of global terrorism, we often think of improvised explosive devices and physical attacks. How much of a threat are terrorists when it comes to the cybersecurity of our organizations?
Evan Kohlmann: There is this pervasive disbelief that terrorists, or extremists, are capable of using the Internet in a very sophisticated way. Unfortunately, they are very capable. At this very moment, you have insurgent groups in Iraq that are launching cyber-attacks on the U.S. military.
I know it’s very common to think that – outside of the West – there is this lack of understanding about technology regarding the Internet. There is huge democratization in cyberwarfare around the world. Even in rogue, failed states, you see the ability for these actors to carry out major attacks and cause major damage.
An example of that would be Syria. When you think about major military threats, Syria is one of the last threats on the list. We’re not looking for them to invade the United States. And yet, the Syrian Electronic Army has the technique and skill it takes to carry out major attacks. You also have Lebanese Hezbollah, which has state sponsorship but is labeled a terrorist group, and which has very sophisticated cyber actors working for it. They are able to go after naval targets and are able to do real damage.
We need to be careful to avoid underestimating our adversaries no matter how small or insignificant they may seem – with the tools of cyberwarfare, they can carry out attacks that are just too disruptive to ignore.
GCH: What kind of organizations are these groups attacking? Is it strictly military and government? Are they also targeting private companies or smaller government entities such as state/local municipal organizations, or educational institutions?
Evan Kohlmann: They’re not just going after military targets or government targets. It’s much broader than that. They are going after everything that is within their grasp – everything from major drug companies, media companies, to Twitter and Facebook. They’re going after religious institutions. They’re going after private companies that they feel have insulted their faith or culture. They’ll go after the oil companies and defense contractors. There’s not really a limit.
They’re looking for soft targets. They may not have the equivalent of the NSA in skills, but they have enough to go after soft targets – especially ones that cause a splash or make a scene. For example, they could go after a university. The university maybe isn’t their number one adversary, but they make their point. They cause damage. They get their headline. That’s what they are doing here.
The other problem is, we often talk about cyberwarfare and the idea of hacking a network and destroying it. They’ve also learned to use cyberwarfare to gather information that could help them to avoid being caught by law enforcement and to help them disguise their attacks in the future.
GCH: What are these terrorist groups looking to accomplish with their cyber-attacks? Obviously, intelligence gathering is part of that, but how are they intending to do damage to an organization? Are they attempting to prove that they have the capabilities to do this? Or, are they possibly doing ransomware attacks to help generate money to fund other activities? Is it all of the above?
Evan Kohlmann: It started off small, like with the Syrian Electronic Army. They began with Facebook campaigns and graduated to the level of social engineering where they were looking to try to manipulate or seduce someone into giving over their password by accident.
Similarly, in the beginning, the attacks they would carry out were mostly about propaganda and making noise. It used to be that getting a headline in the New York Times saying they had just defaced a major website was as useful to them as blowing something up. The problem is that there is this evolutionary timeline. These guys are progressively getting more skilled and better at what they do because of the democratization of the practice. More people are learning how to do this. They are going to school. They are learning online.
The Syrian Electronic Army worked their way up to malware, espionage, you name it. They got very sophisticated. They recognized that they have the skillset to do this for more than propaganda value. They made this part and parcel of what they are doing.
GCH: What other kinds of attacks are these groups perpetrating? Have they evolved to ransomware attacks, DDoS attacks, and using multiple different attack vectors?
Evan Kohlmann: We haven’t seen ransomware yet. At least we haven’t seen it from a terrorist group. Mostly it’s been malware and spyware. But it’s evolving, and that’s likely the direction that we are going. We haven’t seen any serious DDoS attacks because I think it requires a significant amount of resources.
They are definitely using cryptocurrency. They are using it to smuggle cash, to launder money, and doing so quite effectively.
Prior to the flourishing of cryptocurrency, terrorist financing was very difficult. It’s difficult to move large amounts of money around the U.S. borders without being noticed. Cryptocurrency is a huge development for terrorist networks.
GCH: Are they paying for other more sophisticated people or groups to help attack targets?
Evan Kohlmann: We have seen that pop up. An Iranian group popped up last year that offered cyberwarfare for hire to attack large water treatment plants or other systems.
Mostly though, we’ve seen it in the realm of stolen credit cards. We haven’t seen them outsourcing a major attack. There is a lack of trust and confidence in these “for hire” groups. The terrorist groups are inclined to develop these skills in-house or recruit university students with skills into the group. They can trust those individuals more than they can trust “for hire” groups.
GCH: In your estimation what should organizations be doing better to defend themselves from the kind of attacks that they’re getting from these groups? Are there any solutions or technologies that should be implemented, any cultural or organizational changes that they need to implement to help protect themselves?
Evan Kohlmann: There are a number of basic things. It’s not a revolutionary approach. Number one – two-factor authentication. Social engineering and breaking into accounts are both problems. It’s almost always a part of what is going on.
Number two, having employees and all personnel avoid using affiliated/organization email to register for third-party sites or services. Very often these terrorist groups are looking to compromise a third-party network, then they have emails and passwords which act as a doorway to begin their disruptive work. Ceasing the use of these emails would reduce the risk of being compromised. People at all levels use organizational emails for third-party services, and it’s a bad practice. These two steps would stop more than 90 percent of the problem.
In terms of cultural organizational changes, if you get an email with a link in it, and you don’t recognize the sender, don’t click on it. If you get an email, and it looks weird, make sure the sender is who you think it is. Often, you get an email that looks similar to a real contact, but it will have minor differences. Someone may have created a fake domain.
That’s how the Syrian Electronic Army got access to the U.S. Executive Office at the White House. They created an account that looked like an account belonging to real people but was not. The group sent a link that was clicked on, which gave them access to the information. People in all of these organizations and agencies need an understanding of the kind of climate that we live in and that there are people out there seeking to do harm. You never know who you are running into. It’s called a security-first approach.
GCH: So, it’s the end of the fiscal year. A lot of the things that you just mentioned were kind of cyber hygiene things that don’t really require the purchase and implementation of any solutions, technology, or services. But, is there something with the fiscal year-end coming up that would be a quick transactional service, technology, or solution that you think agencies should be spending some of those year-end dollars on that would fundamentally make them a little bit more resistant to these kinds of attacks from terrorist organizations?
Evan Kohlmann: If there was some kind of magic firewall off the shelf, you could buy that. But basic cyber hygiene is the best practice. You should also be using an intelligence provider who provides you information about the way these bad actors are going about their work – their methodologies. You want to make sure that if there is a third-party breach, that if one of your employees is impacted, that you know about it. You need to make sure that you are using an intelligence provider that will alert you when there is stolen data. And you need to know what the general outlook is and what kind of threats your specific organization should be looking at.
If you are paying for an intelligence service that does not give you access to information about stolen credential data, and to alert you to this, you are flying blind through the Alps at five hundred feet. You can have all the secure information in the world, but if a senior officer or official has their credential stolen, you are sunk.
Also, leveraging a threat intelligence service to learn more about your organization’s specific threats will help you understand your vulnerabilities. Trying to catch every single vulnerability is not possible. It’s essential to know which vulnerabilities criminals are exploiting and how to patch these specific vulnerabilities. And they need to look for criminal actors from all around the world, not just big nation-states. Threat intelligence providers need to be savvy enough to make you aware of these things; otherwise, you will be chasing your tail all day long.