Season 2 - The Invisible War / Episode 18
What governments and powerful organizations regularly use, others will find ways to use as well. Cyber activity fits so incredibly well with terrorism. Actors can remain hidden, or reveal themselves to the world; Create propaganda campaign, or aim for real damage. Join us on this episode of Malicious Life, as we learn the story of ISIS, and its cyber warfare activity.
Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 10 million downloads as of Aug. 2017.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
ISIS vs. U.S.
0:06-0:17 – Terrorist information
What you’re listening to now is a 16 year-old prankster calling Britain’s Mi6.
0:17-0:30 – “You’re being phone-bombed right now, mate.”
In a vacuum, this interaction seems pretty insignificant. Prank calling the government is one of the oldest tricks in the book. The kid even sounds kind of cute–fading in and out of a broken New York and Australian accents, clearly having come in with no script, just thinking of things to say on the spot. He sounds like any other teenage internet troll.
2:34-2:45 – Are you mad?
This phone call was placed in April, 2012. There’s a reason I’m now talking about it in 2018. If this call had at once seemed unimportant–a mischievous kid annoying a U.K. government phone operator–what would happen later would put it in a much more heavy light. Listen again to this person’s voice…
1:45-1:55 – Nonsense
You’re witnessing the young man who, in the span of only three years following this prank call, would grow up to walk among the highest ranking officials of the Islamic State, one of the most murderous terrorist organizations in history. He will become a leader of the “Cyber Caliphate”, number 3 on the United States’ kill list and, short of Jihadi John himself, perhaps the most infamous English recruit to ISIS.
4:23-4:33 – Laughing outro
Where once the most extreme views in politics and social issues were relegated to underground collectives, or that one crazy guy on the bus, they now seem louder than even the most popular, moderate voices. Celebrities that used to be born and developed through movie and music studios are now made overnight on the basis of a single smartphone video. It’s a 21st century phenomenon we’ve all come to know by now: smaller entities are disproportionately louder in cyberspace. Could it be that this same principle applies to war?
Hi, I’m Ran Levi, and this is the Malicious Life podcast. Today I’d like to explore the question of whether the world’s greatest military superpowers are necessarily going to rule in cyber warfare as well, or whether the nature of the medium gives disproportionate advantage to otherwise weaker enemies. On one hand, if you were to tally it up, the world’s most cyber-capable powers are generally considered to be the United States, China, Russia, Israel and Great Britain–aside from Israel, a pretty conventional list of those nations with the strongest kinetic powers of warfare as well. And yet, we often hear stories about lone hackers and small groups that manage to wreak havoc on huge corporations and government bodies. In just the first two seasons of this podcast we’ve covered any number of those instances.
So this won’t be a terribly straightforward question to answer. However, we do have some good case studies to go on. Junaid Hussain–our prank-caller-turned-terrorist-mastermind–has personally waged a lifelong cyber-offensive against the governments of England and the United States that ran the gamut from silly to deadly, small-scale to international fearmongering. Similarly, his umbrella organization, ISIS, is really the first example in history of an international startup entity taking upon itself a mission to wage cyber warfare with the established powers of the world. In the Wild West that is cyberspace, who wins: ISIS or the West?
In March of 2015, a list of names for 100 American military personnel was published online, including accurate personal information ranging from email addresses to phone numbers and more. The person who posted that information, also put out a call to sympathizers and members of the Islamic State: go out and kill anyone from the list they could find.
As is the case with most terrorism, ISIS already achieved their goal simply for having called their shot. The “Islamic State Hacking Division” claimed to have culled their information from hacking the U.S. Department of Defense.
So this was a big deal on two fronts. The first: They were threatening the lives of a hundred people. As we have learned over the last decade, there are always those who answer ISIS’s calls, even in the US itself: The Boston Marathon bombing and the 2015 San Bernardino attack are just two examples.
The second is that if ISIS had managed to breach the U.S.’ most protected defense infrastructure, there’s no telling what sort of destruction they could be capable of enacting next. Could they still be inside U.S. systems? What else do they know? This was a power play; ISIS planting their flag on America’s cyber-military corpse. And the mastermind behind it all? You guessed it.
Junaid Hussain wasn’t always so intimidating, but he has, since the age of 16, been both angry and effective at attacking national and corporate cyber infrastructures. He may have just sounded like a naughty kid in that prank call which opened this episode, but even at that young age he was conducting ideologically-driven internet attacks. Codenamed “Trick” in a blackhat group of only a few members called “Team Poison”, they had already made news in England plenty before, most famously for exploiting a zero-day vulnerability in Facebook to wipe 130 Zionist, right-wing and anti-Islam pages.
Junaid Hussain was an effective hacker long before hitting legal drinking age, carrying out less violent iterations of the sorts of things he’d later do for ISIS. His transition wouldn’t take long, though: Hussain was arrested and jailed for a year following his incident with Mi6 and Tony Blair, and soon after being released, made his way to Syria.
Hussain is believed to have reached Syria in 2013, and a year later, became a leader of the planned ISIS offensive into the cyber world. They’d come to name themselves the “United Cyber Caliphate”, and by early 2015, their operations were up and running, taking virtual action to supplement their kinetic warfare.
The height of ISIS-driven cyber attacks occurred in the first quarter of 2015. It was during this period, the Cyber Caliphate was, in a way, developing a character to its attacking style.
Their preferred method of cyber warfare was first introduced to the world at large in the most audacious hacking effort of their short history.
In the week of the terrorist attack on the satirical magazine Charlie Hebdo, and the related raid of a Parisian kosher supermarket, ISIS decidedly was not finished with the French people. In a matter of days, an estimated total of around 19,000 French websites all, methodically, went under; government-military and private sector domains alike. According to investigating authorities, the outages were occurring, at the height of the wave, at a scale of over 1,000 websites per day. And, just for good measure, the YouTube and Twitter accounts for America’s Central Command got hacked as well. The message was clear: ISIS was unleashing their newfound cyber strength against national cyber powers. This would be the culminating act of the Cyber Caliphate.
For anyone sitting and having a cup of tea in a Parisian cafe that fateful November week, it must have come totally clear: despite France’s huge advantage in infrastructure, funding and technical experience, ISIS hit right where it hurts, and seemed to have achieved whatever goals they may have had in intimidating both the government and people.
But for all the damage that was done, could there be more to this story? That perhaps, like any other act of terrorism, the optics far outweigh the real-life impact of the act? Security experts and military officials who spoke to the press in the aftermath of those events generally all stressed the same point: the threat is real, and possibly growing, but not yet significant, or comparable to the other major cyber threats to the Western world.
Some experts have gone even further, suggesting that ISIS’ demonstrated technical capabilities don’t even surpass what you’d expect from any other run-of-the-mill hacking group. Kyle Wilhoit is a security researcher for DomainTools who, at a cybersecurity conference in Kentucky last September, made news when he called the Islamic State’s hacking skills “garbage”, categorizing their overall coding skills as novice-level.
To figure out who’s right–whether their cyber command is real and growing, or pathetic and weak–we’ll have to get into the nuts and bolts of how ISIS runs their operation. Luckily for us, terrorists tend to be loud and lacking in subtlety, so we’ve been able to glean a thing or two about how they operate in cyberspace.
ISIS’ Cyber Command, structurally, resembles something closer to, say, Russia, rather than America or Britain, and it’s a pretty confusing web. The so-called United Cyber Caliphate is the umbrella organization–reportedly formed on April 4th, 2016, to coalesce related jihadi hacking groups which, like ISIS more broadly, exist in varying degrees of relatedness to the greater organization. For example, many of the hackers shutting down those French websites were operating from Northern Africa–allied forces outside of the Islamic State itself.
Like Russia’s Fancy Bear and Cozy Bear, these groups tend to answer to the same authorities and attack familiar targets for the same sorts of reasons, but somewhat differ in their methods. There’s the Cyber Caliphate Army, the Sons of the Caliphate Army, Kalacnikov.TN, the Islamic State Hacking Division, the Islamic Cyber Army, and others. For purposes of brevity, and because the lines between these subdivisions tend to get blurry, suffice to say that each group has its own, vaguely-defined focus–whether it be defacing websites, publication of kill lists, attempting to take down national power grids, and other sorts of evildoing.
We also now know a great deal about the sorts of cyber weapons the United Cyber Caliphate has at its disposal. Their modus operandi–the one made most extreme use of in the France incident–seems to be the standard denial of service attack. The level of depth to their DoS capabilities, however, are relatively low. By tracking pro-ISIS online hacking forums, U.S. Defense and other private sector cybersecurity groups have come across, among other things, an app developed in-house–notably, around the time Junaid Hussain joined the cause–called “Caliphate Cannon”. Scary name, right? Turns out, it’s just a rip-off: the Anonymous group calls their popular DDoS program the “Low Orbit Ion Cannon”. More to the point, ISIS’ tool in many ways copies Anonymous’ in its structure: members and sympathizers download the application, and their machines are used to overwhelm websites with too many packets. Of course, worse than the poor performance of Caliphate Cannon itself is the fact that an organization trying to take on the major cyber powers of the world would be plagiarizing well known software from a pop hacking group.
On one hand, there’s a reason why DDoS attacks keep coming up in our show: they work. Caliphate Cannon was used successfully, for instance, against multiple Middle Eastern government regimes as ISIS expanded their territory in 2015. On the other hand, DDoS also tends to be a pretty standard-fare, and surface-level cyber weapon. The impact of downing tens of thousands of websites must feel gargantuan to anyone feeling the effects in the moment. In the end, though, websites going offline isn’t the biggest deal in the world. They eventually come back on.
Most crucially, denial of service is a separate matter entirely from data hacking. Anyone with a discerning eye tracking the French hacks would’ve noticed that not a single known instance of data corruption, gathering or otherwise tampering occurred during that period of time. So for as much scare as it caused, all ISIS managed to accomplish was a short-term stunt, alerting the world to its capabilities but managing to win nothing more, nor damage France’s military-intelligence infrastructure even in the slightest.
So between copycat DDoS and buggy malware, the Cyber Caliphate really hasn’t produced much more than what Junaid Hussain alone, or for that matter any other everyday hacker, couldn’t. The only other piece of software they appear to have developed for their followers is another knock-off product: this time of the PGP communications encryption software, called Mujahadeen Secrets. Of course, the mere concept of Mujahadeen Secrets was problematic from the start. Using an ISIS-built encrypted messaging software to hide your ISIS-related communications from the NSA is kind of like drinking a beer can out of a paper bag so the cops won’t notice you: if anything, the fact that you’re openly trying to hide something is the red flag investigators would otherwise be looking for in identifying their targets.
This, then, was the state of ISIS’ cyber strength as of early 2015. You’d be right to assume that, as compared with the conventional Western powers–the omnipresence of the NSA, the technical skill of the IDF and others–ISIS really isn’t in the same weight class when it comes to infrastructure, weaponry or intelligence. A more apt comparison would be ISIS against internet collectives, like Anonymous. However, to dismiss them as weak simply on this basis would be to use conventional notions of warfare to judge the nonconventional space of modern cyber warfare. In ways that don’t manifest as code, or machine infrastructure, ISIS is arguably just as knowledgeable, capable, and deft as any of their foes, if not more so.
More than anything, the Islamic State has redefined terrorism where the social component takes even more precedence than the kinetic destruction itself, and the effort is driven even more so by social media than guns and ammo. For whatever it is that appeals so greatly to their recruits and sympathizers around the world, ISIS’ loud media presence–their systematic outreach and targeting of the vulnerable, the glossy video advertisements, and the violent ideological dogma–leaves a large online footprint. Every inspired lone wolf attacker is evidence to the West’s inability to stamp them out.
f there’s one other cybertool as necessary to ISIS’ functioning as social media, it’s encrypted communications. Aside from investing into the failed Mujahadeen Secrets project, the group has often opted for conventional apps like Telegram and WhatsApp, which allow the content of their messaging to go essentially unseen by anyone peeking in. So much of ISIS’ organizational and recruiting structure is built on communications between group members from Syria, and agents in Western countries, who in turn speak with potential recruits and other proponents of the movement. The value of keeping closed the information shared in these channels cannot be overstated–not just to keep terror plots and personal information about members secret, but also to provide a sense of security to new recruits yet to be brought in. Recruiters communicating with vulnerable Muslim teens must be able to ensure that their conversations aren’t being tapped by their local, liberal Western democracies, or else those young people won’t feel comfortable having that line of communication, and both parties will be subject to criminal liability. For this reason, ISIS has poured great resource and know-how into proper setup of encrypted communications infrastructure.
One of the ways ISIS deals with infosec is through specialized groups like “Horizons” within the organization, who write manuals to help members get better acquainted with concepts like encryption, virtual private networks and the dark net, and provide guides for effective use of social media (including best practices for having your page not taken down). One user, “Caliphate Technologist”, began writing content and helping users in ISIS forums on his own, becoming popular enough that he’d opened his own channel where others could come to ask for technical advice. This is a very valuable service, for aspiring jihadis aren’t a group best known for their technical expertise, and new members have been known to leave themselves wide open for surveillance in cyberspace. There’s also the IS “Supporter’s Bank”, providing thousands of social media accounts to ISIS members previously taken offline by censors on Twitter and Facebook.
Communication is, of all aspects of the ISIS machine, by far the most sensitive, and their opponents know it. It’s why in 2016, members of the U.S. Defense administration openly spoke to the New York Times and other outlets about their new plan to attack the Islamic State’s cyber presence, by cutting their lines of communication. In addition to tried-and-true methods of taking down social media pages, the plan was made to push an all-out assault on ISIS’ comms network. This initiative doubled as a historic moment: the first time the U.S. government had ever made its stated goal to use cyber as the battlefield against its foes. The Deputy Secretary of Defense, Robert O. Work, cheekily characterized the initiative as “dropping cyber bombs”.
The results of America’s quote-on-quote “cyber bombings” were, as tends to be the case in cyber warfare, complicated. Where that New York Times piece came out in April of 2015, already by July The Washington Post reported that no tangible results had been had, due to slow movement within Cyber Command. In response to growing pressure from Defense Secretary Ashton Carter, NSA Director Michael Rogers initiated “Operation Glowing Symphony”, successfully infiltrating ISIS’ propaganda machine by penetrating their servers, accessing and then changing login passwords, and deleting all those stylized videos and graphics IS is known for. The effect was short-lived, though: before long, all that same data was back up, and doing the rounds once again.
ISIS’ effectiveness in quickly rebounding from cyber attacks has proven particularly difficult for American officials. General Edward Cardon was head of Cyber Command at the time, and was asked why the greatest cyberpower in the world wasn’t making mincemeat of their enemy. “We’re definitely having an impact on them, but it’s a dynamic space” he replied, because of course it is: playing cyber tag with ISIS is one big game of Whack-a-Mole.
So here we’ve got this whole, big mess of a thing. There’s the world’s greatest cyber superpowers fighting a comparatively small terrorist outlet without nearly the same resources or manpower at their disposal. And yet, somehow, we still don’t really, fully know who’s been winning here. How is that possible?
Even for an entity so small as one person, our answers aren’t clear cut. Junaid Hussain’s lifelong criminal history is evidence to the capability of entities even so minor as a single individual to take on the world’s great cyber powers, and also the faults that come with it. From the age of 16, he’d already caused enough havoc to embarrass the U.K.’s prime minister, and in his twenties, managed to help build a somewhat worthwhile international cyber threat, within an organization known for its medieval preferences (as in, not necessarily the type of crowd to know how to write in C++).
It’s also possible that, rather than his skill level, Hussain’s high rise in rank could have more to do with ISIS’ otherwise weakness in the cyber field. Remember that kill list of 100 U.S. military members? ISIS claimed to have hacked the U.S. Defense Department, which would’ve been an amazing feat. They probably didn’t. Officials from Defense were quick to note, following the event, that all of the data published in the list would’ve been publicly available already: through online directories, articles and other internet sources. Further to the point, the only rhyme or reason to the choosing of those specific military personnel seemed to be that their names had made appearances in online news articles about ISIS-targeted bombings. So for all their braggadocio, all Hussain and his organization managed to do was, basically, Google stuff…
And for all his purported genius, Junaid Hussain was ultimately taken out by the oldest trick in the book: a classic spear phishing link.
Two weeks after the U.S. first tried and failed to drone him, Hussain clicked on a link sent to him through the Surespot messenger app. Much like ISIS’ orchestrated hack of RSS, the sender turned out to be an undercover agent, and the link pinned his location to American and English officials. He was targeted and killed promptly thereafter.
Perhaps, then, we can say that cyberspace really does level the playing field between bigger and smaller ballplayers. Despite all its shortcomings, ISIS is really the first-ever “viral” terrorist group, with powers of communication and propaganda dissemination unheard of before the internet era.
Not only that, but in many instances, they’ve even managed to turn their cyber weaknesses into cyber strengths. Mujahadeen Secrets failed, perhaps for their better: the NSA has to walk a far thinner line to walk when spying through legitimate, popular apps like Telegram and WhatsApp. For all the disorganization within the United Cyber Caliphate, they’re a much more difficult target to aim at online since they come from all different parts of the world. For all of America’s capability to destroy ISIS’ cyber presence, any attempt to do so dually means losing their channel for spying. For all the countless ISIS and ISIS-related pages taken down from Facebook and Twitter, the unwinnable debate between anti-terrorism and First Amendment rights will continue to bind both government and the companies themselves. And perhaps most ironically, ISIS’ complete lack of cyberwar infrastructure has, in fact, had somewhat of the opposite effect you’d predict. In 2016 the New York Times revealed “reports from officials in the Pentagon that [Barack] Obama had asked — quite pointedly — in the fall[sic] why the arsenal of cyberweapons that had been developed at a cost of hundreds of millions, if not billions, of dollars was not being used in the fight against the terrorist group.” Obama’s frustration was understandable, but the cause is also clear: how can you attack an enemy with nothing to defend? ISIS has no nuclear plant to infect with a Stuxnet, no missile systems to tamper with until the launches fail.
As a small, startup organization, ISIS has proven beyond doubt some of the qualities that worry larger, established countries about cyber warfare.
Today Junaid Hussain is long dead, and ISIS a fraction of the organization it once was. For all the challenges they presented, ultimately ISIS couldn’t have ever really won out: the NSA is watching them constantly, and the terrorist outlet has earned a few too many powerful enemies to make this a fair fight. It’s difficult to draw the lines exactly, but there’s no doubting U.S. cyber, in collaboration with European governments, has played a key role in clamping down what once was a major, growing, international threat. Though we’ll have to wait and see whether a future malicious entity with greater capabilities, knowhow, infrastructure could really give the world a run for its money–perhaps even some group out there right now, just under our noses…