Sixty people are in the control room, waiting for one word to be uttered: “Fire”. These are not just any people: they are in charge of ensuring that Islamist terrorism doesn’t make any headway by carrying out cyberwar in any part of the world.
They are National Security Agency (NSA) experts, and are in a meeting with members of the Joint Task Force ARES, the cybercommand created by the United States Armed Forces to combat Islamic State. The USA is fully aware of the fact that, even though ISIS has lost a lot of physical terrain in various territories, the battle is now taking place on a much more global stage—cyberspace—and its attack methods have now morphed into something quite different.
A multi-stage cyberattack
When the word “Fire” is heard, most of the terrorists are asleep, and the American team made the most of this fact to launch its cyberattack. This was not a one-off: although the operation took place in 2016, the team had been carrying out continuous cybersurveillance for over a year, analyzing the group’s movements, hacking its accounts and intercepting all its communications.
The US operation unfolded in several phases. It all began with a simple phishing attack to get hold of the credentials for several accounts, including the administrators’. Once on the system, the members of ARES impersonated the Islamist organization’s technical team and managed to gain access to back doors in the IT system’s servers, which they used to upload several malware files. Meanwhile, they gathered new credentials and several folders full of sensitive ISIS material. Of course, this had to be done with the utmost care: the cyberterrorists’ systems were on servers shared with companies and all kinds of civil organizations. This meant that they had to take care not to affect private information that had nothing to do with the operation.
When the terrorists woke up and tried to access their accounts, they saw that they had been locked out. Like the average employee, to begin with, they didn’t think too much of it: they had probably just written the password wrong. Minutes later, the fact that they could be dealing with a cyberattack began to dawn on them. But by then, it was already too late—the ARES Joint Task Force had already accessed their accounts, stolen their information, and even deleted files and folders belonging to the organization. The result was that ARES caused ISIS to lose a quantity of highly valuable information, as well as its capacity to make financial transactions and roll out its external media plan.
What can we learn from these cyberattacks?
The operation carried out by the US provides several valuable lessons for any company when it comes to cybersecurity.
1.- Employees are the weakest link. Despite ISIS’s organizational structure, worthy of any large company concerned about its cybersecurity, it was the ‘employees’ who ended up facilitating this attack, since they were the targets of the phishing that led to the later actions. As such, even if an organization has the best technology, it makes no difference if its members are letting possible threats in.
2.- Automation. ARES took advantage of a time when most ISIS members were asleep to attack. This demonstrates the imperative need to automate certain advanced cybersecurity processes. This way, even if there is no one watching over the processes, technology such as artificial intelligence and machine learning can automatically analyze and detect any attempted attack or suspicious activity.
3.- Cyberresilience. Cybercriminals often change their attack tactics, and these changes increase exponentially in cyberwar contexts, where nation states can be behind attacks. It is therefore imperative that every organization stay alert to how cybercrime is evolving.
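As an added illustration of the kind of unattended check the automation point argues for (example code written for this edit, not from the original post or any vendor), the following Python correlates an off-hours administrator login with a burst of password resets of other accounts, mirroring the lockout the post describes. The working hours, the time window, the reset threshold and the log record format are all assumptions, and the log lines are constructed.

```python
"""Off-hours admin-login correlation (added example, not the post's own code).
Constructed records mirror the chain described above: a successful admin login
while the organization is asleep, followed by password resets that lock the
legitimate users out of their accounts."""
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event, actor, target). Not real data.
EVENTS = [
    ("2016-11-10T02:03:11", "login_ok",  "admin01", "admin01"),
    ("2016-11-10T02:05:40", "pwd_reset", "admin01", "user07"),
    ("2016-11-10T02:05:52", "pwd_reset", "admin01", "user12"),
    ("2016-11-10T02:06:05", "pwd_reset", "admin01", "user19"),
    ("2016-11-10T02:06:30", "pwd_reset", "admin01", "user23"),
    ("2016-11-10T09:14:00", "login_ok",  "admin02", "admin02"),
    ("2016-11-10T09:20:00", "pwd_reset", "admin02", "user03"),
]

WORK_START, WORK_END = 8, 20    # assumed local working hours [start, end)
WINDOW = timedelta(minutes=15)  # resets this soon after the login are correlated
RESET_THRESHOLD = 3             # resets of *other* accounts that raise an alert


def off_hours(ts: datetime) -> bool:
    """True when the timestamp falls outside the assumed working hours."""
    return not (WORK_START <= ts.hour < WORK_END)


def correlate(events, admins):
    """Return alerts as (admin, login time, sorted list of reset accounts) for
    every off-hours admin login followed within WINDOW by at least
    RESET_THRESHOLD password resets of accounts other than the admin's own."""
    parsed = sorted((datetime.fromisoformat(t), ev, actor, target)
                    for t, ev, actor, target in events)
    alerts = []
    for ts, ev, actor, _ in parsed:
        if ev != "login_ok" or actor not in admins or not off_hours(ts):
            continue
        resets = [tgt for ts2, ev2, actor2, tgt in parsed
                  if ev2 == "pwd_reset" and actor2 == actor and tgt != actor
                  and ts <= ts2 <= ts + WINDOW]
        if len(resets) >= RESET_THRESHOLD:
            alerts.append((actor, ts.isoformat(), sorted(resets)))
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS, {"admin01", "admin02"}):
        print("ALERT", alert)
```

The daytime admin02 activity stays silent, so the rule flags only the night-time sequence; in practice the thresholds would be tuned to the organization's own reset volume.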
In cyberspace, where borders are blurred and, at times, things are seemingly lawless, cyberwar offensives are increasingly sophisticated and leave little room for reactive actions. Identifying the exact origin of a cyberattack is a complex process. It is therefore a good idea to adopt a proactive approach, analyzing the possible enemy and getting ahead of their actions.