Earlier this month, at the RSA Conference in San Francisco, Andre McGregor, director of security at endpoint protection company Tanium, provided several examples demonstrating the effectiveness of unsophisticated cyberterrorist operations.
Prior to joining Tanium, McGregor worked for the FBI, where he was involved in the investigation of several major cyberattacks believed to be launched by governments and their supporters. McGregor initially served as an FBI Cyber Special Agent in New York City and was later promoted to Supervisory Special Agent at the FBI headquarters.
In his presentation at RSA, the expert focused on cyber terrorism, where state and non-state actors attempt to create fear and threaten lives by targeting critical infrastructure systems, and cyber warfare, where nation-state actors attempt to gain a tactical advantage by sabotaging military and critical infrastructure systems.
Cyberterrorist attacks
According to McGregor, it’s often easy to determine if an attack is part of a cyberterrorism campaign because the attacker makes their intention known and boasts about the results of their activities.
The former FBI agent said the law enforcement agency has teams tasked with monitoring the activities of each country of interest. One of the countries whose cyber activities have been observed by McGregor is Iran.
The expert said the country had no cyber capabilities in 2010, when its nuclear facilities were hit by Stuxnet, a worm allegedly created by the U.S. However, Iran has evolved a great deal over the past years, starting with some Iranian students defacing websites and escalating to more disruptive attacks, such as the one launched against Saudi Arabian oil company Saudi Aramco and distributed denial-of-service (DDoS) attacks launched by the group known as Izz ad-Din al-Qassam against United States banks. McGregor noted that the DDoS attacks aimed at banks made the U.S. realize that they had to take Iran seriously.
Iran, whose main enemies are the United States, Israel and Saudi Arabia, went from simple website defacements to using remote access Trojans (RATs), DDoS, spear phishing, and various tools, including ones developed by its own hackers.
In addition to the DDoS attacks on banks and the campaign aimed at Saudi Aramco, Iran is also believed to be behind a 2013 attack on a small New York dam. According to McGregor, the attackers found one of the Windows XP machines within the facility using the Shodan search engine and brute-forced its password, which was “666666.”
The expert said the attackers believed the dam was much bigger than it actually was, and they even managed to access its control systems, but they couldn’t cause any damage because the facility was not functional (i.e. its power was shut down). A group that acted as a front for the Iranian Revolutionary Guard Corps took credit for the attack only after the U.S. made the incident public.
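The dam intrusion described above succeeded because an exposed Windows XP host accepted a trivially guessable password. As an added illustration, not from McGregor's talk, SecurityWeek or Tanium, the Python script below shows the detection logic a defender would run over authentication logs to catch that pattern: a source that records several failed logons for one account and then succeeds within a short window. The log format, field names, IP addresses and timestamps are all constructed for this example and do not represent the real incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified authentication log (not real Windows event records):
# "<ISO timestamp> <LOGON_FAIL|LOGON_OK> src=<ip> user=<account>".
# The format, addresses and account names are this example's own.
SAMPLE_LOG = """\
2013-08-01T02:14:01 LOGON_FAIL src=203.0.113.7 user=admin
2013-08-01T02:14:03 LOGON_FAIL src=203.0.113.7 user=admin
2013-08-01T02:14:04 LOGON_FAIL src=203.0.113.7 user=admin
2013-08-01T02:14:06 LOGON_FAIL src=203.0.113.7 user=admin
2013-08-01T02:14:08 LOGON_FAIL src=203.0.113.7 user=admin
2013-08-01T02:14:09 LOGON_OK src=203.0.113.7 user=admin
2013-08-01T02:20:00 LOGON_FAIL src=198.51.100.5 user=operator
2013-08-01T02:25:00 LOGON_OK src=198.51.100.5 user=operator
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts_str, event, src_field, user_field = line.split()
    return {
        "ts": datetime.fromisoformat(ts_str),
        "event": event,
        "src": src_field.split("=", 1)[1],
        "user": user_field.split("=", 1)[1],
    }


def find_bruteforce_logons(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return one (src, user, failure_count, success_time) tuple for every
    successful logon preceded by at least `threshold` failed attempts from
    the same source against the same account inside a sliding `window`.
    A success with fewer prior failures (an ordinary typo) is not reported."""
    recent_failures = defaultdict(list)  # (src, user) -> failure timestamps
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        key = (rec["src"], rec["user"])
        # Keep only failures that still fall inside the window.
        recent_failures[key] = [
            t for t in recent_failures[key] if rec["ts"] - t <= window
        ]
        if rec["event"] == "LOGON_FAIL":
            recent_failures[key].append(rec["ts"])
        elif rec["event"] == "LOGON_OK":
            failures = len(recent_failures[key])
            if failures >= threshold:
                alerts.append((rec["src"], rec["user"], failures, rec["ts"]))
            # A success ends the attempt sequence either way.
            recent_failures[key].clear()
    return alerts


if __name__ == "__main__":
    for src, user, failures, ts in find_bruteforce_logons(SAMPLE_LOG):
        print(f"{ts.isoformat()} possible password guessing: {failures} failures "
              f"from {src} for '{user}' followed by a successful logon")
```

On the constructed log the script reports the `admin` account at 02:14:09 (five failures in eight seconds, then a success) and stays silent about `operator`, whose single failure looks like a mistyped password. The same sliding-window rule, fed from a SIEM, is the minimum a facility with an internet-reachable management host should have alongside an account-lockout policy and a ban on default or numeric-only passwords.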
Another cyberterrorist attack attributed by U.S. authorities to Iran is the one aimed at the Sands Casino in Las Vegas, whose CEO suggested launching a nuclear attack on Iran.
One of the adversaries that kept McGregor up at night during his time at the FBI was the Islamic State of Iraq and Syria (ISIS), which sees all western countries and all Shiite Muslims as its enemy. The terrorist organization, which is believed to have only 5-6 fairly skilled hackers, focuses on social media hacks and website defacements, often targeting unpatched WordPress websites.
One of ISIS’s most notable hackers was Junaid Hussain, a former member of the Team Poison hacktivist group, who was killed in a US airstrike in Syria in August 2015.
A related group is the Syrian Electronic Army, whose members hijacked numerous high profile social media accounts and defaced many websites in support of Syrian president Bashar al-Assad.
North Korea is also believed to be behind some successful cyber terror campaigns, most notably the attack on Sony Pictures Entertainment. In response to terrorist threats that followed the attack, theaters cancelled the premiere of the movie “The Interview,” which poked fun at dictator Kim Jong-Un.
According to McGregor, North Korea’s cyber capabilities have evolved since the Sony attack. The country has since been blamed for several attacks, including a recent operation aimed at South Korean government officials.
Cyberterrorist attack attribution
Attack attribution is not easy and experts have often pointed out that threat actors can plant false clues to throw investigators off track.
For example, in the case of the Sony hack, US officials claimed they had been certain that North Korea was responsible. However, many experts remain skeptical, arguing that it’s difficult to accurately attribute an attack to a certain actor.
McGregor noted during his talk at the RSA Conference that it’s easy to determine if an attack originates from North Korea because there are only a dozen computers not controlled by the government, which provides deep visibility into the country’s activities.
In an interview with SecurityWeek, the former FBI agent explained that the US intelligence community uses two methods for attribution. On the domestic side, the source of an intrusion is determined based on the analysis of the breached network — an FBI agent goes to the victim organization and analyzes affected machines to determine if they are the target of the breach, or if they’re abused by the attackers as a pivot point to get somewhere else.
The FBI also works with intelligence community partners involved in cyber intelligence collection outside the United States, such as the CIA, the NSA and the Department of Defense.
While some security experts believe attribution is not as important as determining the cause of the intrusion and ensuring that future malicious attempts are prevented, McGregor noted that attribution is important as it can allow the victim entity to determine if they had been a target of opportunity.
Cyberterrorist attacks are efficient, despite lack of sophistication
Many of the aforementioned attacks were unsophisticated and they did not require target analysis, a command and control (C&C) infrastructure, or advanced learning capabilities. The former FBI cyber special agent believes Iran is the only threat actor that has launched complex and structured attacks which required a high degree of planning, elementary target analysis, a C&C infrastructure, and learning capabilities.
North Korea, ISIS, the Syrian Electronic Army, and even some of Iran’s attacks fall into the “simple-unstructured” attack category, McGregor said.
On the other hand, despite their lack of sophistication, many of these cyberterrorist attacks have managed to achieve their main goal, namely to create fear.
McGregor believes it’s unlikely that we’ll witness a cyber 9/11 as a result of a terrorist attack. The expert noted that there are some countries — such as China, Russia and Israel — which have advanced cyber capabilities that can be used for digital warfare.
However, the expert believes these countries are unlikely to launch destructive attacks against the United States. For example, China’s economy is closely attached to the western economy and the country would not want to disrupt American consumerism. While Russia’s leadership is more unstable, they recognize that the United States could retaliate, which means they are unlikely to launch a cyberattack without being provoked, McGregor said.
McGregor says he is more concerned with a country like Iran, which has a history of such attacks and has a visceral anger towards the United States. That makes them unpredictable, very much like a terrorist, and something of concern because they have the required skillset.
However, Iran is also unlikely to cross the line because it knows that the United States has a powerful influence on its youth, and it doesn’t want a US-led movement that could cause disruption in the country. “I think Iran will get to a point, but they’ll never go beyond that,” McGregor told SecurityWeek.
Security controls and management education
Attacks launched by terrorist hackers will likely continue to be successful as long as many organizations fail to properly secure their systems. McGregor pointed out that it has become increasingly easy for threat groups to launch attacks against low-hanging fruit, as they have readily available tools and documentation, in many cases in their native language.
The expert believes cyber terrorists could hack any system that a cybercriminal can — the difference is that a cybercriminal is likely after information that can be turned into a profit and they don’t want to get caught, while cyberterrorists are not financially motivated and they want their target to know that it has been breached.
The United States government has started to realize that it has large data repositories and sensitive information that needs to be properly protected, particularly after the Office of Personnel Management (OPM) breach which affected millions of federal workers. Steps have been taken to protect government data, but these efforts focus on top-tier agencies, such as the Department of Defense, the FBI and the Department of Justice, McGregor said.
However, he believes other organizations that don’t have the reach and resources of these top-tier agencies will remain unprotected. The expert said one of the reasons he joined Tanium is his belief that there has to be a way for all organizations to implement simple security controls.
“We have to get our leaders — whether it’s on the government side or private industry — to respect the cyber threat for what it is,” McGregor told SecurityWeek. “I think in some ways we’re getting there, and we see that with our Fortune 100, Fortune 500 companies, and we’re definitely seeing that with the top-tier agencies, the military and the intelligence community. But how do we get that through to the governors, the mayors [...]?”
McGregor believes the problem can be addressed by focusing efforts on management education.
“If a company’s CEO doesn’t buy in on the fact that they need better security controls, then it doesn’t matter how much effort workers put in at the lower level to ‘put out fires’ every time they see them,” he said. “Either they are going to miss one — and it’s going to light the building on fire — or they’re going to get frustrated and leave.”