When a chubby Birmingham teenager went on trial in 2012 for hacking Tony Blair’s personal address book, and taking down an anti-terror hotline, defence lawyers described him as “shy and unassuming” and dismissed the online exploits as a childish prank.
“They weren’t terrorists in any way, shape or form,” his barrister argued in court. Less than two years later, Junaid Hussain was in Syria, apparently on his way to join Isis, one of its most dangerous new recruits.
The group transfixed the world with its ultraviolent ideology, as it swept through Syria and Iraq in a frenzy of bloodshed and destruction. But its leaders’ enthusiasm for medieval barbarity is matched by an equally fervent embrace of modern technology. They know that a hacker like Hussain, behind his laptop, is as intimidating to some of their distant enemies as the gunmen terrorising people on the ground.
“Isis has been recruiting hackers for some time now. Some are virtual collaborators from a distance, but others have been recruited to emigrate to Syria,” said JM Berger, co-author of Isis: The State of Terror. “Activity targeting the west is just part of their portfolio. They’re also responsible for maintaining internet access in Isis territories, for instance, and for instructing members on security.”
The group’s skill at manipulating social media, for recruitment and projection of power, has been acknowledged even by enemies and rivals, who have poured resources into trying to dismantle, defuse – or in the case of other jihadi groups, emulate – its online success.
Perhaps its most dramatic publicity coup came in January, when the Twitter and YouTube accounts of the US Central Military Command (Centcom) were hacked by a group calling itself the “CyberCaliphate”. Intelligence experts suspect Hussain was the mastermind.
The hackers scrawled “I love you Isis” across the page and sent out tweets including pictures showing US personnel in a command outpost and military documents, suggesting Isis sympathisers had somehow infiltrated military servers and installations.
In fact, although the attack was deeply embarrassing, it was more like the digital equivalent of graffiti in an entrance hall than a theft of sensitive files from the Pentagon. The information shared was widely available and non-official, and Central Command said that no classified information was divulged or operational networks affected, and it viewed the hack as “purely an act of vandalism”.
That reflects a wider online strategy apparently focused more on publicity than damage so far, but internet security experts and analysts who have studied the rise of Isis warn that its enemies should not be complacent about its capacities or intent.
“They have not yet been extremely visible carrying out more sophisticated activities such as high-level cybercrime or more destructive attacks, but I suspect this is just a matter of time,” Berger said. “This is a very low-cost way to publicise their cause and harass their enemies.”
None of the risks posed by Isis is unique to the group. They are part of a fast-growing vulnerability as we rush headlong to put our lives and our businesses online, and our security and justice systems struggle to keep up. There have always been connections between criminal and terrorist networks and the online world is no different.
But the dangers posed by Isis may be more acute because of its embrace of modern technology, mastery of the difficult art of online propaganda and its appeal to young, computer-literate foreigners, including known hackers.
What rival organisations can only dream of attempting in a distant future, Raqqa’s rulers may be able to pursue now. Skilled recruits like Hussain can reach into our increasingly interconnected western cities and potentially bring them to a standstill, just as effectively as sympathisers armed with knives and guns have done over the last year.
“We have seen many politically motivated hackings in recent years, emanating from terrorist and militant groups, or on their behalf … and, so far, the damage they have done has mainly caused inconveniences rather than serious damage,” said Professor Gabriella Blum, author of The Future of Violence: Robots and Germs, Hackers and Drones. “Why haven’t we seen more or worse? Is it a matter of lack of capability, a lack of motivation, or just constricted imagination? Probably a combination of the three. But at least the first factor – capability and access to materials and knowhow – is growing rapidly. This is bound to affect the incidence and magnitude of attacks that will utilise new technologies.”
Hacking attacks on our basic infrastructure may seem the stuff of sci-fi nightmare, interconnected cities held hostage to a malign genius. But it is already reality, security expert Marc Goodman argues in his book Future Crimes, where he details a string of such attacks. A Brazilian power station shuttered by mafia hackers after their demands for protection money were not met, a Polish tram derailed by a bored teenager, and in Australia the sluice gates of a sewage station opened to pour waste over fields and parks – all masterminded by people behind screens.
Attackers often share their success or what they have learned from failure, raising future vulnerability to other hackers, regardless of their affiliation. “One well-known hacker database, Shodan, provides tips on how to exploit everything from power plants to wind turbines,” Goodman writes. “It is searchable by country, company or device, providing detailed how-tos and greatly lowering the technical bar and knowledge for any rogue individual to hack our critical infrastructures.”
Vulnerability only gets worse as the world goes further online, with an “internet of things” designed for convenience that could also be used for intelligence gathering and attacks. Smartphones and TVs can already be turned into microphones that listen in on their owners. Facebook even promotes digital eavesdropping as a useful feature, for subscribers who want friends to automatically know what music they are listening to, or what programmes they are watching.
More dangerous everyday items have become hackable too, including cars. “Security researchers have proven it is entirely possible for criminals 1,500 miles away to seize control of your car when you are driving 65mph down the highway,” Goodman writes. “What they do with your hacked vehicle is limited only by their imaginations.”
Britain’s new spy chief warned last month that the country was now in a “technology arms race” with enemies “often unconstrained by consideration of ethics and law … terrorists, malicious actors in cyberspace and criminals”. “[The technology] allows them to see what we are doing and to put our people and agents at risk,” Alex Younger told an audience in London, adding that traditional human espionage was becoming increasingly intertwined with “technical operations”.
For now, a key deterrent to planning a spectacular hacking attack coordinated out of Raqqa may be a simple question of resources, as Isis deals with heavy military pressure on the ground, according to Hassan Hassan, analyst and author of Isis: Inside the Army of Terror. His book details the group’s technical agility at exploiting everything from the Zello app, which turns phones into walkie-talkies, to drones, to the hackers they tempted to Syria.
“Isis targets this kind of people [hackers], tries to recruit them … but maybe it is not their priority at the moment,” he said. “They did the attack on Centcom, and when they were in full control of their territory in Iraq and Syria, they were using drones and other things, but now they are focused on military operations.”
Isis is now battling to hold territory under assault from a motley coalition including the US, Iran and conventional Iraqi forces.
An online offensive may also be distracting members of the “cyber caliphate”. Western governments, the companies whose social media platforms they use and even some fellow hackers, from the Anonymous collective, have declared war on their internet presence. After months of rampaging through cyberspace as they swept through Iraq and Syria, the members are now lamenting the “devastating” impact of these efforts to shut down their propaganda machine, Berger says.
Even without the distractions of a game of online cat and mouse, Isis hackers would likely find attacking a specific physical target more challenging than the propaganda hits that have been their focus so far, security experts say, because they require more time and skills.
Perhaps the most famous and dramatic cyber-attack the world has seen so far was the Stuxnet worm, a virus that went unnoticed for years, and baffled experts even after it was found. Eventually it became clear that it was a meticulously designed program with just one aim, knocking out the centrifuges at Iran’s nuclear enrichment plant.
It took a large team months, perhaps years, of work to develop both the sophisticated coding and the social engineering needed to get the virus into a system not connected to the internet. Once in place, it took years to have full effect.
Stuxnet is an extreme example, because it targeted what was probably one of the most heavily guarded systems in the world. But almost all institutions now have some form of digital security, and its creation underlines the patience usually needed to go after a physical target.
“If you are talking about defacing a website probably one person could do that,” said David Emm, principal security researcher at the Kaspersky lab. “If you want to get more serious and talk about infiltrating an organisation you probably need some more people to do the research – who works there, what are their email addresses, what are their interests. It’s typically going to mean exploiting a human weakness, framing an email to them that is going to make them click [on something containing malware], so there is more legwork, if only because of the intelligence.”
Once inside any system, the hacking itself would also be much more challenging. Most commercial attacks involve effectively sneaking into a system to gather sensitive information unnoticed, while an attempt to sabotage infrastructure would be far more likely to set off digital alarms.
“If on the other hand you don’t just want to blend in and gather information, you want to subvert a physical process, you have much more work to do to mask your presence,” Emm said.
The relative ease of hacking for cash rather than for sabotage might tempt Isis hackers to focus on that instead, especially as the group is reportedly struggling with the expensive business of trying to run a state.
Last year its coffers were flush with cash from oil wells, looting and hostage ransoms, but the oil price has crashed, the rapid expansion that made looting so profitable has slowed, and the captives are mostly dead or gone now.
There is a template for using online robbery to fund real-world attacks. Mobile phone fraud helped pay for the 2004 Madrid train bombings, Goodman says, and the terrorist group that attacked Mumbai in 2008 got $2m from a hacking gang in the Philippines, routed through intermediaries in the Gulf. The money can be extremely hard to trace, once it has been skimmed from bank accounts, phones or other online transactions. Even for supporters based outside Isis territory, the risks are fairly low; the chance of ending up in court is only around 0.01%, Goodman says.
Still, Isis has drawn in elite hackers, a group that often thrives on a challenge. The risk they might venture beyond propaganda or cyber-theft to substantive attacks on cities and infrastructure may be small, but it is certainly real. Far too little is being done to analyse and prepare for the threat, by governments or the companies that run our power and our water, our transport, our banks.
“The quality of protection is always measured in outcomes: the fact that so far, we haven’t suffered major harms is reassuring,” Blum said. “If, however, you believe that the frequency and ease with which these attacks are conducted is a trend that is likely to grow worse in the future … there isn’t enough protection.”
Competent Governments and commercial organizations run their own private and secure networks which are isolated from the Internet. If a gateway/firewall is provided it is only for carefully vetted outgoing connections. Anyone who connects a power station control network directly to the Internet should be flipping burgers.
The NSA tend to use a diode where only incoming traffic is allowed. A firewall allowing all outgoing traffic is a recipe for disaster.
A simple phishing attack via email could then open up the doors. Perimeter security is just a very basic start to operational security.
Terrorism is such a small threat, even if you look at 911 that is equal to a month's road traffic accidents.
If you look at the Boston Marathon bombing, and compare that to the regular murder, in the 4 hours of the marathon that happened before the bombing, twice as many people would have been murdered with regular murder than were murdered by the terrorist attack.
With many tens of thousands of people dying in road traffic accidents across the US each year that is something to be feared.
With the US police murdering US citizens that's bad PR but the numbers are still small but even so that's still worse than you're getting from the terrorists.
Fear things that are killing people now, don't fear some fantasy of what might kill you.
Terrorism is like a shark attack...a brutal image to instill fear. All this fear-mongering is generating paranoia and the media moguls publishing propaganda hide the truth anyway. Isis makes for fascinating viewing and has taken reality TV to a new level. Both sides are losing massively and engaging in more violence to topple violence adds to the lunacy. Many of today's leaders appear certifiable and that adds to the dramatic quality while thousands lose their lives. This debacle is surreal and distressingly dark. Humanity keeps regressing while technology captures the descent into bronze age barbarity.
Evil masquerading as good is the current lie we are being coerced to condone. This situation has become too murky to resolve. Hacking merely adds a new dimension as supposed anti-modernists show that they too just want power and do not truly believe the ideology they claim motivates their carnage.
" ... Isis makes for fascinating viewing and has taken reality TV to a new level ... "
God help us if that's true. We should be focussing maximum force on these medieval barbarians. Why aren't Imams out on the street with loud-hailers denouncing these utter, utter animals?
With the first four episodes of the new season of Game of Thrones leaked online before the much hyped premiere, potentially costing millions to an American company, will the FBI seek to blame it on ISIS, or will North Korea get the blame again?
Whatever, Winter is coming, but for many, Christmas came early.
With 'early releases' like that, the biggest threat comes to those who are so eager to grab the data before their mates do they will either leap for an infected version or just get pwnd by clicking on a few links.
(I see GoT as a rehash of Martin's earlier 'cowboys and indians in space' sagas and they were shite. I ain't rushing.)
Hodor.
Hodor!
Someone in Russia or the Middle East taking control of me driving my 1.0 litre engine city car on the M1? I'm not so sure about that. Interesting article though.
You may need to read a bit more -- if you can cheaply buy the kit that captures your car door key signature then finding holes in one of the many protocols used for car comms isn't too hard for some.
Fortunately, most of those eager to find holes, openings or even huge barn doors are the 'good guys' the White Hats.
Those holes exist already - it just depends on whether the company that makes the device concerned is too eager to pile on the pounds to pay attention and cost towards trying to break in to their own devices.
Bollocks. The spooks are behind ISIS. The best frenemies an empire could have.
So just what are our armies of NSA and GCHQ spooks up to if not defending us against cyber attacks? With the billions of $ and £ at their disposal how come these ISIS-loving amateurs are getting through?
armies of NSA and GCHQ spooks up to if not defending us against cyber attacks?
Making their own tools to use in cyber attacks on 'our enemies'.
The cyber-spooks aren't doing a very good job are they?
Amateurs, O'RLY?
How bizarre, and telling, that you don't mention who created the Stuxnet virus.
I think anyone with half a brain could work that out, and still not face libel charges.
Libel charges?
It had fingerprints all over it.
/foil hat on
Okay, not libel but why include the details when the piece so obviously has an anti-Islam thread going through it. I expect the CIA, NSA, FBI or MI6 just wanted a nice, scary piece with 'Us Good', 'Them Bad' in it to keep the terror levels up. No point in muddying the water with actual facts, eh?
/tin foil hat off
I think the 'Internet of Things' is what bothers me, personally, the most. If your electrical appliances and heating/cooling, lights and home are all hackable, what's to stop a group with knowledge of electronics from getting things to break down and then posing as local engineers and 'fixing' the problem?
They get a fee for 'fixing' something they broke, and get to check out what valuables you have in your house. Maybe, while they're there, they also bug your home.
Of course this could happen now - if your freezer's compressor dies - but being able to target you is what I'm more concerned about.
I don't believe they'll ever be able to control my car or a power station, that just sounds like hyperbolic scaremongering click bait.
If your electrical appliances and heating/cooling, lights and home are all hackable,
I wish people would keep up with things -- your router/modem may well have pretty much hardwired access. Most people do not change Admin default names or passwords and some BIG manufacturers are very lazy.
Those apps you download - where and who do they talk to? -- lazy humans don't check, they just want the sweeeties.
Most takeovers are NOT the result of ANYONE hacking - just sloppy, greedy humans.
The meatware is far, far easier to get round than software. If it wasn't then there wouldn't be the number of 'helpdesks' that ring up to tell you your computer is faulty and sending out error messages to a fault centre.
Humans trust humans more than they do machines but conveniently forget that humans built the machines, the networks, the software -- and are the weakest link in it all.
If it's a tin-foil hat you are after, you are looking in the wrong direction -- there is no need for any real technical ability to buy all you need to set up a 'helpdesk' suite. Derren Brown, by now, ought to have demonstrated that the easiest things to fool are US.
I get your point, I think. So inviting even more technology into your home is going to increase the risks of hardware being susceptible, isn't it? I may be still looking in the wrong direction, but having more hardware in your house doesn't correlate with you being safer.
I understand people are the weakest link in security, which is why I'm bringing this up. I have many, many different passwords and use encrypted software to store them - I only have one 16 digit master password for that, and I have no idea what the other 40 are.
I think most slightly tech-savvy people understand if anyone cold calls or emails you, it isn't for your benefit.
This coming "Internet of Things" could be one of the biggest problems. That together with "social engineering" attacks on people. It will mean plenty of potential for remote "help desk" calls from people claiming to be support engineers. Self driving cars are going to be a bonanza for terrorists if we aren't careful.
One of the biggest risks is simple password security. 2 or even 3 level authentication helps, but the big problem is password fatigue of users. What happens when we reach a stage where practically every electronic item in the home demands its own unique password - combination of letters, upper and lower case, plus numbers and special characters etc?
The whole thing is unworkable. It becomes the weakest link and the easiest thing to crack.
Maybe iris and fingerprint recognition will be needed just to be able to open your own fridge.
Hackers/Attackers/Crackers
Or complacent security that's not properly tested?
As if our 'allies' are not also trying to break in to each others systems or joining forces to produce something like Stuxnet.
They're all at it -- poking and prodding away to try and find a tiny opening or - usually - a stupid human who is as gullible as hell.
That 'found' USB stick, the email with a link that is clicked on, the 'amazing video' that 'needs a specific Codec' - these are all ways used to lever a way in to western systems.
Humans are so easily conned, it seems.
(though the man from 'Windows helpdesk' yesterday wasn't too pleased when I eventually told him to fuck off - 'just start your computer and I can fix it from here')
This is a poorly written article that conflates several issues.
First, it tries to equate hacking or hacktivism with terrorism, which is nonsense. Hacking lacks the element of violence, which differentiates terrorism from other types of crime.
Second, it does not make clear whether the incidents outlined (derailing the tram etc) are real or threatened. The event in Australia was a dam - not a sewage plant - and was a threat made by a former employee in an act of revenge.
Third, the paragraph on Stuxnet was coy: it did not mention that it is widely believed that the countries behind the worm were the US and Israel.
Lastly, using "online robbery" to fund attacks is nothing new or different. Terrorist groups have frequently used criminal acts (robbing banks, kidnapping, extortion, etc) to fund their activities.
Welcome to British Sunday journalism, where sensationalism trumps sense every time.
Hacking into power stations and water systems could potentially cause untold damage but a bigger danger is having sympathisers for the ISIS cause working in key areas such as these.
Bingo
I didn't get past 'chubby'...what the hell has the boy's size got to do with this article, which I will now read.
a) it's a physical description
b) it suggests he is a harmless individual - spoiler - relevant, a few syllables later.
c) do you go through Dickens novels wondering why so and so is described in such and such a way? Could it not be that your sense of political correctness is so keenly developed that it hinders your ability to understand the world around you?
Tell me when ISIS becomes an international tax bludger (like most major multinational companies), then I will be worried..........
It is an Oil bludger which is worse...
I think the one most important measure is to mandate all IT vendors to have a procedure to accept and reward new zero-day vulnerability reports from ethical hackers. Some obviously already do this, but others try to criminalise ethical hackers rather than admit to their own shortcomings (and thereby remaining more insecure).
If you find a vulnerability and the vendor is more likely to try to charge you than thank you, there are others who would be more than happy to pay for the zero-day vulnerabilities. This incentive needs to be removed by ensuring it's legally and financially worth your while informing the vendor.
I'm far more worried about spying and government data collection and misuse than a couple of hackers vandalising a site who in all likelihood have no connection to Isis and are just doing it for the kicks and to stir up shit, cue the overhanded response to crack down on the internet and sanitize its content
Blair and Bush assured us Iraq was a terrorist state and needed invading and dismantling. Now they have helped create one and we are all suffering the consequences. When will those two, and everyone else who conspired with them be prosecuted for the hell they caused? I am sick of living in a permanent state of existential threat which they created with their lies.
Iraq wasn't a terrorist state - but it sure as hell is now.
Don't be naive. Iraq obviously was full of terrorists being overruled by a bigger terrorist: Saddam Hussein. Removing him did not resolve the problem, but he had refused to comply with the bigger potential terrorist, albeit a relatively benign terrorist by our standards: the West. The West is not to blame for the insurgence of terrorists in the Middle East. These oppressed and disenfranchised groups were merely being capped by dictatorial leaders.
Politics today is ruled by tyrants projecting their own pathology abroad, and civilians throughout the world are paying a massive price. While leaders like to point the finger at the West for all internal chaos, they simultaneously expect the West to enter and resolve disputes. Instead of embarking on a "War on Terrorism", the West needed to re-evaluate why so many nations were outraged after decades of exploitation, violation of basic rights and veiled corruption. We are appalled by the images transmitted about the carnage caused by Isis, forgetting that they mirror the invasion and desecration of Baghdad. What is wrong with our world leaders using human lives in their international power games? Some serious introspection is needed to find a way to resolve violence without using greater violence as a deterrent. The planet cannot cope with this level of greed, violation and blood lust.
Create a power vacuum and someone will fill it, usually someone worse than what went before. We have witnessed this time and time again in every conflict or 'regime change' instigated by the west. We did even worse in Iraq because we dismantled the whole security structure and left them without an effective army. Where do you think some of those trained personnel ended up, especially after witnessing the west demolishing half the country and killing hundreds of thousands? Do you think they may have a grudge against the west coupled with expertise and training?
The only way to prevent further disasters like this is to prosecute the idiots who did it last time. Blair lied to parliament!
IT, and its spinoffs, by their nature often attract the introvert, the social inadequate, the geeky "shy" guy. They may be wizards in computing but retards in everything else humans get up to. Perfect auxiliaries for the modern anti-civilisation that is Islamic (satanic) State.
ultraviolent ideology
No you mean literal interpretation. Isis are not making this stuff up, it's in the Quran.
Isis hackers will always be little more than enthusiastic amateurs
The hackers of GCHQ will always have access to more hardware, the backdoors to proprietary mainstream software, and an established cooperative spy network as part of the 5 eyes network
Let's keep our eye on the real ball
I seriously doubt they will always be amateurs. That is a naïve belief. They will become more sophisticated. It is only a matter of time.
Oh, and of course, the isis hackers will always be useful idiots for a convenient casus belli or disinformation nodes
There is a chip in your Bank Card! Privacy is dead!