The Jihadi Cyberterror Threat
SUMIT 07
Dorothy E. Denning
Naval Postgraduate School
http://www.nps.navy.mil/da/faculty/DorothyDenning/index.htm
1
Outline
• What is cyberterrorism?
• Paths to cyberterrorism
• Model for assessing cyberterrorism threat of a
particular terrorist group or network
• al-Qa’ida and jihadi cyberterrorism threat
• Precursors to cyberterrorism
2
What is Cyberterrorism?
• What is terrorism? [Webster’s 1991]
– The use of violence and threats
– To intimidate or coerce
– Especially for political purposes
• Adding prefix “cyber” could be used in 2 ways
– A terrorist attack that uses cyber weapons
• Akin to “bioterrorism” and “nuclear terrorism”
• Then what is violence in cyberspace?
– Use of cyberspace to support terrorism
• Akin to “narcoterrorism”
• Term “cyberterrorism” coined by Barry Collin in 1980’s
– Refers to convergence of physical and virtual worlds where cyber weapons produce physical consequences – i.e., the terrorist act is committed with cyber weapons (1st interpretation above)
3
Barry Collin’s Scenarios
• Cyber attack alters processing control system of cereal manufacturer, introducing lethal levels of iron
• Cyber attack on air traffic control system causes planes to collide
• Cyber attack alters drug formulas of pharmaceutical manufacturers, resulting in unfathomable loss of life
• Cyber attack changes pressure in gas lines, causing valve failure, and then explosions (similar attack against electrical grid)
• Cyber attack disrupts banks, international financial transactions, and stock exchanges – results in lost confidence in economic system
– But is it terrorism if there is no violence?
• Deployed bombs communicate through cyberspace – when one stops transmitting, the rest explode
[Barry Collin, “The Future of Cyberterrorism: The Physical and Virtual Worlds Converge,” Crime & Justice International, March 1997]
4
Virtual Terrorism ≠ Cyberterrorism
• Second Life terror campaign
– Bombed ABC headquarters
– Flew helicopter into Nissan
building
– Shot customers in apparel store
• 3 jihadi terrorists registered
• 2 jihadi terrorist groups
– Second Life Liberation Army
• SL can be used to launder
money across borders
Weapons shopping in Second Life
Natalie O’Brien, “Virtual Terrorists,” The Australian, July 31, 2007
http://www.theaustralian.news.com.au/story/0,,22161037-28737,00.html?from=public_rss
5
Paths to Cyberterror
• Evolution of existing terrorist groups
– Tech-savvy members or new recruits develop cyber capability, or
– Group hires hackers to conduct attacks
• Emergence of new terrorist groups
– New group has interest in cyberterror – develops skills or hires
hackers
• Individuals or groups with hacking skills
– Operate independently
– May align themselves with terrorist networks and objectives
– May have insider help
6
Model for Assessing Cyberterror Threat
• Assessment based on indicators/evidence of capability and intent
• Indicators grouped into five areas:
1. Conduct of cyber attacks
2. Cyber weapons acquisition, development, and training
3. Statements about cyber attacks
4. Formal education in IT
5. General experience with cyberspace
• Populations considered
1. Active terrorists associated with a given group or network
2. Supporters and sympathizers, especially hackers
3. Potential recruits, especially hackers and IT specialists
[Dorothy E. Denning, “A View of Cyberterrorism 5 Years Later,” Chapter 7 in Internet Security: Hacking,
Counterhacking, and Society (K. Himma, ed.), Jones and Bartlett, 2006.]
7
1. Conduct of Cyber Attacks
• Objectives
– Cause damage and intimidate vs make money or support
organization
• Targets
– Critical infrastructures or control systems vs public websites
• Sophistication of attacks
– Tools, methods, coordination
• Results and impact
• Prevalence
8
2. Cyber Weapons
Acquisition, Development, Training
• Cyber weapons
– Hacking tools and methods
– Acquired from others or developed in-house
• Terrorist cyber training facilities
– Akin to terrorist training camps
• On-line education and training in hacking
– Within open or restricted forums
9
3. Statements About Cyber Attacks
• Types of statements
– Exploratory discussion of cyber attacks
– Advocacy of cyber attacks
– Forecast of cyber attacks
– Threats of cyber attack
– Call to action to conduct cyber attack
– Claim responsibility for cyber attack
• Objectives
– Cause disruption or severe harm vs
– Make money or support organization
• Credibility of statements
– Who from?
10
4. IT Formal Education
• General IT education
– Computer science
– Computer engineering
– Information science, etc
• Security studies
– Information security
– Network security
11
5. Cyber Experience
• Internet availability
• Technologies used
– Email, chat, IM, web, blogs, forums, groups, etc
– Network security: encryption, steganography, web security
• Internet use
– Distribution of news, documents, videos, etc
– Communications, coordination, command and control
– Intelligence collection
– Recruitment
– Training
– Fund raising
• Jobs in IT
– Own ISPs, host websites, operate organization networks, etc
– Insider with critical infrastructure
12
Al Qa’ida and the Global Jihad
1. Conduct of cyber attacks
– Hacking for money and organizational support
– Disruptive hacking by cyber jihadists against websites
2. Cyber weapons acquisition, development, and training
– Acquiring, developing, and distributing hacking tools and information
3. Statements about CNA
– Statements of forecast, advocacy, and calls for action
4. Formal education in IT
– A few with formal education
5. Cyberspace experience
– Extensive Internet experience
– Development and use of cyber tools, including network and data security tools
13
1. Conduct of Cyber Attacks
• Few attacks attributed to al-Qa’ida
– Allegedly broke into diplomat’s e-mail account and retrieved bank statements using simple hacking tools like L0phtCrack
– Irhabi 007 (Terrorist 007) exploited anonymous FTP sites
• Numerous disruptive attacks from cyber jihadists aligned with al-Qa’ida and Islamic hackers who might be potential recruits
– Denial of service (DoS) attacks, often coordinated from jihadi websites
– Web defacements
• Cyber attack goals
– Support the jihad (e.g., by stealing credit cards or hijacking websites)
– Eliminate/damage websites that harm or are offensive to Islam (under
their interpretation)
– Inflict damage on Western economy; bring about collapse of West
– Revenge
14
15
Irhabi 007 (Terrorist 007)
• Used FTP site of Arkansas Highway and Transportation Dept. to post 70 terrorist-related files, including audio & video files, in July 2004
– David McGuire, Washington Post, 7/13/04
– Also used GWU & other sites
• Active on Jihadi forums
• Posted 20p “Seminar on Hacking Websites”
• Younis Tsouli, 23, sentenced July 2007 to 10 yrs for inciting terrorist murder on Internet
• In UK trio that stole & used credit cards
Links to Arkansas Highway Department website posted on Al Ansar forum by Irhabi 007 [Internet Haganah]
16
Coordinated Cyber Attacks
• Examples
– Danish cartoon attacks
– Attack against Vatican website
– Electronic Battle of Guantanamo
• Web forums used for coordination and to deliver
attack tools
17
Danish Cartoon Attacks
• Response to publication of cartoons
satirizing Prophet Mohammad in Danish
paper Jyllands-Posten
• Web defacements [Zone-h.org]
– 2,817 Danish websites [1/21/06 - 2/22/06]
– Roberto Preatoni, Zone-h, said that it was
about 10-20 times more than normal and “the
biggest, most intense assault” he’d seen
• Denial of Service (DoS) attacks
– Jyllands-Posten website primary target
– 3asfh.com released video purportedly
documenting their attack
• Video and still shots at
http://haganah.org.il/harchives/005456.html
– Republishers also hit, including Michelle
Malkin’s blog
• Coordinated through al-Ghorabaa website
18
ISLAMIC SECURITY GUARDS
Defaced 14 .dk websites 1/29/06
Protesting Danish Cartoons
http://www.zone-h.org/en/defacements/mirror/id=3281674/
19
3asfh.com DoS Attack
Still shots posted at http://haganah.org.il/harchives/005456.html
20
Attack Against Vatican Website
• Response to Pope Benedict’s
statement about the Prophet
Mohammad
• DoS attack planned for October,
2006
• Call for volunteers posted on
jihadi forums:
– “We ask all our brothers to be
present at the hour of the attack
for a joint action, because they
(Catholics) have struck our
religion”
• Attack had little impact
• Newsmax, Nov 28, 2006
Benedict XVI
“Show me just what Muhammad brought
that was new and there you will find
things only evil and inhuman, such as his
command to spread by the sword the faith
he preached.”
21
Electronic Battle of Guantanamo
• Planned DoS attack against websites of American stock exchanges and
banks
• Announced on jihadi forum Nov 27, 2006 with call for participants
• Attack to run from Dec 1 through end of month
• Revenge for incarceration of Muslims at Guantanamo Bay
• Volunteers advised to use anonymity services
• Attack cancelled because banks had been warned
• Grant Ross and Robert McMillan, “al-Qaeda ‘Battle of Guantanamo’
Cyberattack a No-Show,” IDG News Services, Dec 1, 2006; E.
Alshech, Cyberspace as a Combat Zone
22
Al-Jinan
• Web forum at www.al-jinan.org
• Forum to plan, organize, and support electronic jihad on
behalf of all Muslims to defend Islam
– Claims electronic jihad can inflict “financial damage that may
reach millions”
• Software downloads to simplify DoS attacks
– Electronic Jihad Program 1.5 (Silver Edition) – designed by Saudi
national
• Chat room to plan and coordinate attacks
• Forum lists websites attacked and impact
– Claims to have shut down Internet Haganah
• Source - Terrorism Research Center, August 31, 2006
23
Electronic Jihad Program
• Targets websites critical of Islam
– Claims they have had anti-Islamic
websites pulled off web
• Version 2.0 features
– Handles different Internet speeds
– Use proxies to override website
blocking
– Sets up account for each user with
al-jinan.org
– Awards to those who spend most
time attacking targets and have
most “successful attacks”
Version 1.5
“Forum Users Improve Electronic Jihad Technology,” Terrorism Focus, Vol IV, Issue 20, June 26, 2007,
http://jamestown.org/terrorism/news/article.php?articleid=2373496
24
Al-Firdaws Forum
• Al-Firdaws at www.alfirdaws.org
• Credit card theft
– Forum discusses program that generates and validates credit card
numbers, suggesting it could be used to “strike the infidel’s
economy” [Terrorism Research Center, Jan 8, 2007]
• Ansar Al-Jihad Hackers Team for Electronic Jihad
– Irhabi 11 posted statement May 10, 2007, identifying group
– Claimed group had hacked a “crusader website”.
– Urged jihad sympathizers to visit group’s website to participate
– Sites at logic90.jeeran.com and www.al-ansar.virtue.nu
25
26
More Cyber Jihadists
• Prominent groups identified by MEMRI
– Hackboy*
– Ansal Al-Jihad Lil-Jihad Al-Electroni*
– Munazamat Fursan Al-Jihad Al-Electroni
– Majmu’at Al-Jihad Al-Electroni*
– Majma’ Al-Hakar Al-Muslim*
– Inhiyar Al-Dolar
* maintain own websites for recruiting
volunteers for and coordinating attacks
E. Alshech, Cyberspace as a Combat Zone:
The Phenomenon of Electronic Jihad,
MEMRI, No. 329, Feb. 27, 2007
27
More Muslim Hackers
• Al Qaeda Alliance Online
• OBL Crew
• Abu Syf3r
• Hilf Al-Muhajirin
• Q8Army
• Cyber Jihad
• Hackers for Palestine
• Arab Electronic Jihad Team
– Sought to bring down all US websites
• Arabian-Fighterz Team
– About 3,000 defacements
– http://www.zone-h.org/en/defacements/mirror/id=3672421/
• Muslim Hackers Club
– Active in 1998-99
– Goal: “a nonstate capability in information warfare, err, research.”
– Provided training to local chapters on hacking and network admin
28
Al-Qaeda Alliance Online
• Formed post Sep 11, 2001
– Disappeared shortly thereafter
• Three Pakistani hacker groups:
• GForce Pakistan
– 212 defacements in alldas.org
– Last recorded 10/27/01
– Said they weren’t “cyber
terrorists”
– Said “all we ask for is PEACE
for everyone”
• Pakistan Hackerz Club
• Anti India Crew
Oct 17, 2001 Gforce Pakistan defacement of
National Oceanic & Atmospheric Administration
29
OBL Crew
• Osama Bin-Laden Crew
• Aka Cyber Army of Allah (CA)
• Members came from Islamic
hackers / Afghan Hackers
• Threatened Internet Haganah &
Anti-Terrorism Coalition in 2004
– Tried to recruit 600 Muslim
hackers for attacks
• Threatened ATC again in 2007
http://www.jihadicastle.com/e-jihad.htm
30
Hilf Al-Muhajirin
• “Pact of the Immigrants”
– Agreement to stand united under the banner of the Muhajirun
Brigades in order to promote cyber warfare and allegiance to
leadership
– Goal to wage media jihad and attack websites harmful to Islam and
Muslims
• Initiative launched Jan 3, 2007 on Islamic websites
• Mujahideen operating on Internet invited to sign
• Source: E. Alshech, Cyberspace as a Combat Zone
31
'Abu Syf3r' defaces Internet Haganah and brags about it on April 6, 2007
Internet Haganah helped remove over 1,000 jihadi websites using legal means
http://haganah.org.il/haganah/
32
Q8Army
• Operated botnet
• Computers compromised via IM-borne adware that delivered malware
rootkits
• Software stole credit card information
• Software served up pop-ups that carried URLs of militant Arabic Web
sites endorsing violence to achieve “world domination”
• Stolen funds used to buy mobile communications gear and used PCs
• Group’s origin traced to Middle East by researchers at FaceTime
Communications
• Source: Matt Hines, Botnet Stalkers Share Takedown Tactics at RSA,
Feb 8, 2007, www.eweek.com
33
2. Cyber Weapons
Acquisition, Development, Training
• Hacking tools developed by jihadists and acquired
from other hackers
• Terrorist training centers
– al-Qa’ida safe house in Pakistan reportedly used for
training in computer hacking and cyber warfare, and
cyber reconnaissance of infrastructure and SCADA
systems [Magnus Ranstorp, “Al-Qaida in Cyberspace,”
in Terrorism in the Information Age, 2004]
• Documents on how to hack
• Numerous web forums
34
“Hacking, Why Not?”
• By Imam Samudra
– Sentenced to death for 2002 Bali
bombings
• Book chapter in Me Against the
Terrorist!, 2004
– Written in prison
• Advocates cyber attacks to raise
money, especially via credit card
fraud, and “bring America and its
cronies to its knees.”
• Rudimentary guide to hacking
(mainly “carding”) methods and
resources
• Credit card numbers found on his
computer
35
Cyber Weapons & Training Websites
• Minbar ahl al-Sunna wal-Jama (“The Pulpit of the People of the
Sunna”) forum
– Article posted in fall 2005 on how to become a hacker
– Three categories of hacking
• Intrusions into corporate and government networks
• Intrusions into personal computers to steal personal information
• Interception of sensitive information, e.g., credit cards, in transit
• Al-Ghorabaa website
– Site used to coordinate attacks against Jyllands-Posten
– Offered an encyclopedia on hacking websites and a 344-page book on
hacking techniques, with step-by-step guide for “terminating pornographic
sites and those intended for the Jews and their supporters.”
– Source – Jamestown Foundation
• Al-Firdaws and al-Jinan forums (earlier slide)
36
al-Qa’ida University for Jihad Studies
• First announced late
2003 with “college” on
electronic jihad
• Announced again in
Oct 2005 on al-Farouq
web forum
• Forum offers library of
hacking tools and
instructions for cyber
attacks
Keylogger Jihad
37
3. Statements About Cyber Attacks
• After 9/11, OBL allegedly told Hamid Mir (ed. Ausaf newspaper)
“… hundreds of Muslim scientists were with him and who would use their
knowledge in chemistry, biology and (sic) ranging from computers to
electronics against the infidels.”
• Mohammad Razzak, suspected member of al Qaida, said in Dec 2001
– Terrorists had penetrated Microsoft (by gaining employment) and
attempted to plant Trojan horses and bugs in Windows XP. [Newsbytes]
• Sheikh Omar Bakri Muhammad, London-based head of al-Muhajiroun, told Computer World in Nov 2002
– “… would not be surprised if tomorrow I hear of a big economic collapse
because of somebody attacking the main technical systems in big
companies.”
• Principle 34 (electronic jihad) of The 39 Principles of Jihad, 2003
– Directs computer users to use their skills and experience in destroying
American, Jewish and secular websites
38
Statements About Cyber Attacks
• Fouad Hussein, al-Zarqawi–al-Qaeda’s Second Generation, 2005, in
Arabic
– Describes 7 phases of al-Qa’ida’s long-term war based on interviews of
top lieutenants
– Phase 4, 2010-2013, includes cyberterrorism against US economy
• Jihadi al-Farouq web forum, www.al-farouq.com/vb - 2005
– Postings call for cyber attacks against US and allied government websites
– Participant “achrafe” proposed forming an operations unit within the
Islamic Hacker Army (Jaish al-Hacker al-Islami)
• Al-Ekhlaas web forum posting on Sep 11, 2006
– Proposals to counter “Crusader media campaign in Iraq”
– One proposal is for a group of young hackers to disable websites that
attack Islam, jihad, etc, including www.noterror.info
• Statements about inflicting economic damage
– Numerous postings about using cyber attacks to achieve this
39
Statements About Attacks on
Critical Infrastructures
• Massive DoS attack to disable 13 root name servers
– Posting on jihadi forum discusses possibility, but got no response
– Claims it “would help destroy all of the west” and cause fall of the global
economy
– Source – Terrorism Research Center, Jun 26, 2006
• Attack against Telehouse hub in London
– Proposal to infiltrate hub and blow it up
– Source – The Sunday Times, Mar 11, 2007
• Disabling all electronic networks around the world
– To include military nets that control radars, missiles, and communications
– Claims that disabling for a day will bring about total collapse of the West
and breakdown of world economy and stock markets
– Source – Alshech, Cyberspace as a Combat Zone, MEMRI, Feb 27, 2007
40
Suggestions for Electronic War
• Posting on jihadist website
• Objective: provide logistical support to mujahidin on the ground
• Admits lack of technical knowledge in viruses and programming
languages
• Suggestions include
– Disable and paralyze communication devices for battlefield C2 networks,
GPS, GPRS, GSM
– Disrupt enemy banks, oil control grids, navigation techniques
– Target enemy’s data flowcharts to paralyze life in country – but “do not
ask me what flow charts are”
– Disable American missile attack or redirect missiles to go back to where
they came from
41
4. IT Formal Education
• A few members/supporters with
CS/CND education
• Some recruits from countries offering
CS/CND education
• Sami Al-Arian
– Professor, CSE, U of S. Florida, Tampa
– Met with Bush (photo right)
– Charged with raising money for
Palestinian Islamic Jihad (PIJ)
– Jury found not guilty
– Pled guilty to engaging in conspiracy to aid PIJ
– In prison as of Oct 2007
President Bush and Sami Al-Arian
42
Computer Science/Security Education
• Sami Omar Al-Hussayen
– Saudi CS grad student at U. of Idaho studying
computer security
– Charged with operating websites used to
recruit terrorists, raise money, and
disseminate inflammatory rhetoric
– Acquitted 2004 and deported to SA
• Ali S. Marri
– Went to Bradley U. on 9/10/2001 for grad
degree in computer information systems
– Assigned by al-Qa’ida to explore hacking
– Seized computers contained 1,000 credit card
numbers and bookmarks for hacking sites,
hazardous chemicals, and fake IDs
43
5. Cyber Experience
• Technologies used
– Email, chat, IM, etc
– Websites, blogs, forums, groups, etc – thousands of sites, many hosted in US
– Network security – methods, tools, training
• Software development
– Hacking and security tools
– Jihadi video games
– Jihadi web browser – to restrict user to jihadi websites
• Internet activities
– Distributing news, documents, electronic magazines, videos, etc
– Discussing, planning and coordinating attacks
– Recruiting and cultivating support
– Training – manuals, videos, software, virtual worlds
– Fund raising
– Collecting intelligence
44
Jihadi Electronic Magazines
• Sawt al-Jihad (Voice of Jihad)
– Oct 2003 – (with lapses)
– AQ in Arabian peninsula
• Sada al-Jihad (Echo of the Jihad)
– Jan 2006
– By Global Islamic Media Front
• Mu’askar al-Battar (Al Battar Camp)
– Jan - Nov 2004
– Military training manual
• Al-Mujahid al-Taqni (The Technical Mujahid)
– Oct 2006
– Focus so far on infosec technologies
• Al Khansa
– Aug 2004 only
– For female mujahidin
45
On-line Distribution of Videos
• Recruitment
– MTV-quality rap video
inspiring viewers to take up
jihad against West (right)
• Recordings of terrorist acts
– Bombings, hostages,
beheadings, etc
• Recorded statements by
– Leaders
– Suicide bombers
• Weapons training
– Videos and manuals on mixing
explosives, making dirty
bombs, using Stinger missiles,
etc
46
IRHABEAT Blog
http://www.irhabeat.blogspot.com/
Some videos posted:
– Attack on Iraqi police convoy
(posted 9/21/07)
– IED attack on Americans
– IED attack in Baghdad
– Martyrdom against Iraqi
National Guard
– Using stinger missiles
– Attack in al-Anbar
47
On-line Training
• Al-Battar Training Camp
– 6th issue (cover left) discusses cell
organization and command structure
• The Technical Mujahid
• al-Qa’ida University for Jihad
Sciences
– Colleges for e-jihad, media jihad
• Training manuals and videos
– Explosives of all types
– Surface-to-air missiles
– Flying planes
• 18 videos on flying 747’s
48
Training with Web Videos
http://www.msnbc.msn.com/id/6746756/
49
Talking About Flight Simulator Software
Post #23489 on mohajroon.com
Internet Haganah, 1/28/06, http://haganah.org.il/harchives/005435.html
50
Network Security Methods & Tools
• Encryption
– Global Islamic Media Front developed
“Mujahideen Secrets” with encryption,
compression, and file shredding
• 256 bit symmetric (AES)
• 2048 bit asymmetric
– Software can be used from thumb drive
• Anonymous accounts
• Dead drops
– Draft messages in shared e-mail accounts
• Web security
– Password-protected websites and forums
• File hiding
• Code words
• Steganography
Mujahideen Secrets [MEMRI]
51
Security Education and Training
• The Technical Mujahid
– Issue 1 (Dec 2006 – at right) discusses
• Password-protected web forum
• ChaosMash – free encryption tool with
45 methods
• Alternative Data Streams (ADS) –
conceal one file in another
• Hacker Defender – Windows rootkit
• Pretty Good Privacy (PGP) – not good
enough
– Issue 2 (Mar 2007)
• Reviews Mujahideen Secrets
• Discusses steganography
– Sources – Global Issues Report; TRC
• Numerous other articles and manuals on
hiding data, identity, and activity
52
AQ/Jihadist Cyberterror Summary
• Cyber attacks will continue and cause economic harm
– To disrupt websites
– Make money through online fraud
• There is some desire to conduct more damaging attacks, but there are
no plans or capability to conduct devastating attacks against critical
infrastructures or digital control systems
• Terrorists and jihadists make extensive use of Internet to further their
strategic and operational objectives
– Does not translate into a hacking capability
– But does provide opportunity for monitoring and disrupting their activities
• Caveats
– Information is based on open sources
– This is a fast moving field
53
Precursors to Cyberterror?
• Failed cyber attacks that would be characterized as
cyberterror if successful, e.g., against SCADA systems
• Extensive discussions and planning relating to cyber
attacks against such – not just vague wishful thinking
• Research and training in methods and tools for attacking
such systems, preferably within labs
• Distribution of methods and tools in general
hacking/security research community for use against
control systems like SCADA
– SCADA vulnerabilities are now being disclosed
54