Wilson Briefs | May 2015

Confronting Terror-affiliated Hacktivists
By Meg King and Grayson Clary

SUMMARY
The cyberthreat posed by terror groups today looks less like war than
hacktivism: the use of online subversion or sabotage, often by loosely
networked actors, to boost a political agenda. Within these opportunistic
webs of affiliation, whether a hacker has an operational link to a terrorist
organization is largely irrelevant. Any sympathizer can use digital tools to
deface websites for propaganda value, encourage acts of violence, or cause
economic disruption. In response, firms and governments can do more to
improve defenses, educate users, and monitor hacktivist capabilities.

Cyberattacks traditionally have required significant financial and technical resources available only to
nation-states, their proxies, or major criminal syndicates. Terrorist digital arsenals remain immature by
comparison. However, the rise of loosely organized hacktivist groups illustrates a new dimension to
the cyberthreat posed by prominent terrorist organizations, from al-Qaeda to the Islamic State of Iraq
and al-Sham (ISIS). A cyber 9/11 is unlikely in the near future, but we are witnessing an important
shift: terror groups increasingly benefit from the ad-hoc support of digital sympathizers.

Even without an operational link to a designated group, these supporters can cause
substantive damage. They can deface prominent web platforms, and this kind of
cybervandalism scores propaganda points while attracting attention
and new recruits to a cause. They can disrupt online services to
cause real economic pain, through either sabotage (direct digital
interference) or subversion (the distribution of misinformation). They
can defraud individuals for their own financial benefit, potentially
funding the next lone wolf plot. And they can carry out kinetic-plus
attacks, where intelligence gathered via cyberespionage contributes
to the impact of a real-world act of terror.
To date the concrete impact of terror hacktivism has been small. So why worry?

1) These threats are easy to scale: with more money, more talent, and more time.
2) These threats are asymmetric: they do damage but conserve terrorist resources.
3) The targets are very soft: most Americans practice terrible cybersecurity.
4) The talent pool is growing: well-known, capable figures (e.g., ISIS's Junaid
Hussain) have set their sights on recruiting digital natives within Western
governments and firms.

Loose connections
Terror groups unambiguously seek cyberassistance. In 2011, As-Sahab, al-Qaeda's media
arm, released a video calling talented coders to its cause: "In today's world, there is
room for covert Mujahideen who operate innovatively out of their own homes, villages
and cities this is the field of electronic Jihad." But the relationships that connect
self-identified jihadist hackers with the groups they support, as well as the ties between
hacktivists themselves, remain largely unclear. Responsibility for intrusions has been
claimed under many names, including CyberCaliphate, the Islamic State Hacking Division,
Team System Dz, Global Islamic Caliphate, FallaGa, and Z Company Hacking Crew.
We know little about the set-up of any of these groups; there may be hardly any there
there. One factor distinguishing hacktivism from cyberwar is a lack of
command-and-control. We have every reason to suspect that electronic jihad is at present a leaderless
movement: lone wolves and wolf packs cooperate as opportunities arise, affiliating
often but forming few permanent commitments. Some of these hackers have no doubt
connected in Syria, where both ISIS and al-Qaeda affiliates enjoy safe haven. Some of
them, by contrast, probably meet only online. Others may never have had contact with a
known jihadist at all, and instead are self-radicalized and digitally armed.

The example of other decentralized Internet movements suggests how difficult it is to
map, let alone disrupt, these loose webs. The world's best known hacktivists, the vigilante
collective Anonymous, are still an organizational mystery after more than a decade of
high-profile nuisance attacks. As reporter Chris Landers put it, "Anonymous is a group, in the
sense that a flock of birds is a group. How do you know they're a group? Because they're
travelling in the same direction." Terror hacktivism seems to follow a similar dynamic: a
fluid collection of digital-native fellow travelers.

Basic and advanced attacks


Most terror hacktivism has involved basic techniques that require
relatively little technical expertise: phreaking, an older capability
that exploits phone system vulnerabilities; distributed denial-of-service
(DDoS) attacks that obstruct the use of a site or service,
often by overwhelming it with traffic; brute force attacks, which
gain access to computer systems by cycling rapidly through possible usernames and
passwords; and spear phishing, which uses targeted emails to steal personal information.
These approaches, alone or in combination, are often enough to gain entry into corporate
systems for the purpose of economic sabotage, or to penetrate the accounts of target
individuals and dox them (expose their personal data for the purpose of harassment or
violence).
Recently, more sophisticated operations have highlighted likely next steps for terror
hacktivism. In December 2014, the University of Toronto's Citizen Lab reported on a
piece of custom malware apparently developed to target anti-ISIS activists within the
group's claimed territory. The piece of code would identify the IP address of its victim and
send it, along with other system information, to an email address chosen by the hacker,
thereby revealing the identity and location of the computer's owner. This program was
likely designed to target dissidents for harassment, violence, or death. That integration of
cyberespionage with conventional terror activity is a new frontier for hackers.
The April 2015 hack of France's TV5MONDE by ISIS supporters, which brought the
network entirely offline, was another milestone. Measured in terms of disruptive ambition,
this was likely the most advanced example of terror hacktivism to date: a stark reminder
that communications and emergency networks we rely on daily can easily be disrupted,
and could be disrupted on a much larger scale.

Defenses and countermeasures


Most successful acts of cybercrime or hacktivism start with human error. Use of
discoverable passwords, nonuse of two-factor authentication, ignorance of common spear
phishing tactics: all of these oversights make it easy for even novice adversaries to infiltrate
sensitive networks. As threats evolve, a variety of levers (better incentives for cybersecurity
insurance, better threat information sharing, and above all better public awareness) can
contribute to a more secure world Internet.

Governments must monitor closely, and make public, the increasing
sophistication of terror-affiliated hacktivist activities. Because of the fluidity of the
threat, crowd-sourced intelligence can make a key contribution. Think more like
Wikipedia, less like the CIA.

Businesses must ensure that sensitive information is adequately quarantined.
Whole-of-government efforts should push strong standards, especially for critical
infrastructure.

A functioning market for cyber insurance would incentivize adoption of best
practices; a concerted campaign to support cybersecurity grading systems can
boost that effort.

Government, business, and civil society groups must routinely assess, test, and
improve the digital hygiene of network users. More public educational resources are
desperately needed.

Meg King is director of the Wilson Center's Digital Futures Project. Grayson Clary is
assistant to the director, president, and CEO of the Wilson Center.

The Wilson Center


@TheWilsonCenter

facebook.com/WoodrowWilsonCenter

www.wilsoncenter.org

Woodrow Wilson International Center for Scholars


One Woodrow Wilson Plaza
1300 Pennsylvania Avenue NW
Washington, DC 20004-3027
