The Islamic State has not yet proven its mettle in the digital world, thanks to its poor coding skills and hopeless encryption tools, but experts warn that the group is always on the lookout for new tools to carry out cyber-attacks on critical infrastructure organisations.
A former GCHQ operations chief has warned that ISIS hackers are now indulging in ‘low-grade cyber vandalism’ to gain access to sophisticated tools with which they will be able to launch attacks on vulnerable targets.
With the Dark Web infested with a large number of cyber weapons and sophisticated tools that criminals can use to cripple large organisations and critical infrastructure firms alike, ISIS hackers are now looking to gain access to these tools, having failed to create specialised cyber weapons on their own.
Conrad Prince, the UK’s Cyber Security Ambassador and former Head of Operations for GCHQ, recently warned that if they gained access to such tools, ISIS hackers could launch attacks on the UK’s critical infrastructure in the coming days.
‘As Daesh lose more and more control of physical territory it seems likely that they will increasingly focus their efforts on cyber space. The cyber conflict with Daesh has a long way to run yet,’ he said.
He noted that while ISIS hackers have experimented with denial of service attacks and have also tried to deface targeted websites in the past, they currently lack the capacity to deliver seriously destructive attacks.
‘The tools needed for cyber attacks are being increasingly commoditised – available for purchase or hire on the dark web from criminals happy to provide their services to the highest bidder. Terrorists are as capable as anyone of purchasing these capabilities. So the ability to deliver destructive cyber attacks, particularly at the cruder end of the spectrum, will increasingly be within reach of those with the ability to pay. And even crude attacks have the potential to create real world impact.
‘Furthermore, terrorists may be able to exploit sophisticated tools and techniques developed by nation states, should they become available on the open market as a result of an unauthorised disclosure,’ he added.
Mr Prince also spoke about how the Islamic State can leverage industry insiders to conduct crippling attacks on critical organisations. For example, a British Airways IT worker named Rajib Khan was jailed for 30 years in 2011 after he tried to blow up an aircraft and crash BA’s IT systems.
‘A well-placed insider can go a long way to simplifying the work involved in delivering a destructive cyber attack,’ he warned.
Back in September, Kyle Wilhoit, senior security researcher at DomainTools, revealed a long list of ISIS’ digital failings, including their failure to hide their activities from their foes, inability to create bug-free malware, and their inability to protect their own servers from their enemies.
“ISIS is really really bad at the development of encryption software and malware. The apps are sh*t to be honest, they have several vulnerabilities in each system that renders them useless,” he told The Register.
“As it stands ISIS are not hugely operationally capable online. There’s a lack of expertise in pretty much everything,” he added.
However, he did admit that if ISIS managed to get savvy hackers to join their organisation or managed to steal or purchase powerful cyber weapons, then a true online terrorist incident could really occur.