Chapter 14

The Ghost Caliphate

In 2007, the Idaho National Laboratory ran an experiment to demonstrate how a cyber attack could destroy physical equipment connected to the national electrical grid by inserting malicious code into a power management computer. In what is known as the Aurora Generator Test, White Hat hackers wrote code that rapidly opened and closed the circuit breakers of a 2.25 megawatt diesel generator out of phase with the grid; the machine tore itself apart within three minutes. The video, which can be found on the Internet, is dramatic, but had this generator been attached to an actual power grid, the effect would have been far worse.

The cyberwarfare developments of the early twenty-first century were not lost on the Russian intelligence agencies, the FSB and GRU. A set of malware known as BlackEnergy, created by a private Russian hacker, began life as a toolkit for knocking websites offline through Distributed Denial of Service (DDoS) attacks. Hackers aligned with the Russian state upgraded it into a modular version, BlackEnergy2, and in 2008 BlackEnergy-driven botnets were among the tools used in the DDoS attacks that crippled Georgian government, banking, and media websites during the Russian military operation in Georgia. A later variant, BlackEnergy3, was used by the group researchers call Sandworm to gain a foothold inside Ukrainian electricity distribution companies. In December 2015 the intruders used that access to open breakers at three regional distribution companies at once, cutting power to roughly 80,000 customers of the first utility alone and around 225,000 in all.

In 2012, Saudi Arabia’s national oil company Aramco was hit by the Shamoon wiper malware, widely attributed to Iranian intelligence, in what was then considered one of the most destructive hacks ever carried out against a single company. Some 35,000 computers connected to Aramco’s internal network were wiped in one fell swoop. A shadowy group calling itself the “Cutting Sword of Justice” claimed responsibility, and each wiped computer was left displaying the image of a burning American flag.1

The attack amounted to what hackers call a Fire Sale: the wholesale destruction of Aramco’s internal communications, including its corporate email, crippling the business systems of a company that supplies roughly 10 percent of the world’s oil. The malware reportedly got in through a spear-phishing email sent to an Aramco employee, who clicked the link that unleashed it.

Between 2011 and 2013, seven hackers connected with the Iranian Revolutionary Guard Corps (IRGC) conducted increasingly disruptive DDoS attacks on the New York-based heart of the US financial industry. By the time they were stopped, the FBI had discovered that one of them had also broken into the control system of the Bowman Avenue Dam, a small sluice-gate dam in Rye Brook, Westchester County. The gate happened to be offline for maintenance, so it could not be operated remotely. Investigators have speculated that the hackers may have confused this modest dam with the far larger Arthur R. Bowman Dam on the Crooked River in Oregon. Had a dam of that size been commanded to release its water, the result would have been a disaster on an enormous scale.

THE CYBER CORSAIRS

Real hacking capability shows how a group, even one with rudimentary skills, can learn lessons and grow. None of the ISIS hackers or their malware has yet risen to the level of an Advanced Persistent Threat (APT), but that day will come. ISIS and its E-Mujahideen may be amateurs, but with just a bit of technical skill and the ambition to become hacker famous, they could become as notorious as the 9/11 hijackers.

At this point, however, ISIS and other jihadist groups are capable of little more than nuisance attacks compared with genuinely advanced threat groups such as the FSB and the IRGC. They are not yet able to hack industrial infrastructure or to do much beyond distributing propaganda and disseminating their dark media.

Yet new hacker technology emerges every day. In August 2016, a group calling itself the “Shadow Brokers” announced that it had stolen hacking tools from the Equation Group, the name researchers gave to a threat actor widely believed to be the elite of the NSA’s own hackers, and put them up for auction, asking one million bitcoins (roughly $500 million at the time). The sample it released contained exploits with names like Epicbanana, Egregiousblunder, and Buzzdirection that bore through commercial security firewalls and seized control of the devices that guard a network’s perimeter. Suspicion for the theft fell on Russian intelligence. Should tool kits like these fall into the hands of one ISIS supporter or a collective of them, the attacks on the West could be devastating.

By devolving back into an underground and web-based terror organization, ISIS will be communicating more directly with ambitious young people who have deep cyber knowledge and may acquire exceptional hacking skills.

If there is anything that has been learned about ISIS, it is that it is committed to waging asymmetric warfare, using electronic and propaganda judo to confound its opponents. The future E-Jihadists will do the same. They will form very small groups and adopt the tactics of the Arab pirates of old, becoming a legion of Cyber Corsairs. Like the original corsairs, their platforms, computers, and mobile phones will be used for everyday tasks until they sight a target of opportunity. They will then band together swiftly and harness the fastest, simplest technology, hacking with whatever tools they can muster until the older, slower target is raided, looted, and left a hulk. It worked for centuries off the coast of Arabia, and it can work again on the cyber coast between the Deep Web and the Surface Web. The Internet is a sea of islands, and it makes every wired-in device a treasure ship to be raided. We won’t know whether they have this capability until they start to strike.

A nascent group of Cyber Corsairs may already be working with a collective. These ISIS hackers, the fanboys and young wannabes, are derided as “script kiddies” because they cannot write genuinely malicious code and instead run programs written by other hackers. They may seem harmless today, but if they get their hands on tools such as those stolen from the NSA, they will lack only direction and leadership. The global cyber security world must prepare for higher-quality weaponized tool kits in the hands of the seemingly least capable hacker with big dreams. A failure of imagination is the single greatest vulnerability we have in anti-terrorism and cyber security. If Russia or China decided to arm some of these young corsairs with real tools, or if the corsairs somehow acquired the capability themselves, they could move from being minor players to a renowned and feared global hacker force capable of shutting down power plants, disrupting aircraft systems, and crippling oilfield industries.

The strength of ISIS is that it has created a structure for communication and coordination that operates out of the view of the news media and of most IT researchers working on the Surface Web. ISIS’s cyber capability has always been strongest in the development of its Deep Web infrastructure: it built a secure network of contact points that lets it communicate, disseminate propaganda, and maintain long-term covert communications pathways between its operatives worldwide. This infrastructure may be the salvation of what remains of the protostate itself.

Make no mistake: ISIS is presently on a path to its ultimate physical destruction. It will lose its capital, Raqqa, and its suicidal combat forces deployed in several nations besides Syria and Iraq. They will all be destroyed. The caliphate’s physical treasury will be looted, and its global financial capital will be stolen by its members or seized by coalition forces. ISIS will be left bereft of its earthly fortune, except for one cash cow that has so far remained undetected: advertising fraud.

THE ISIS ADWARE FRAUD NETWORK

In 2014, an American cyber defense firm discovered, while tracking banking fraud, that over the preceding three years ISIS had collected as much as $100 million through a constellation of advertising fraud networks and websites. This network was established by ISIS supporters in the Gulf States operating inside legal web distribution companies in Dubai, Saudi Arabia, and other Arab states. These, along with other ISIS Deep Web operations, were set up by former Jordanian, Palestinian, and Russian criminal cyber operatives who had built the same kind of advertising fraud networks across Asia and the Middle East.

Ad fraud of this kind starts with typo-squatting: registering domains that differ from a popular site only by a spelling mistake, so that the false site looks and acts like the original. (This is distinct from a watering-hole attack, in which a legitimate site the targets already visit is compromised.) For example, Quran.com is legitimate; mistype it as Qiran.com and you land on a near-identical site owned by the typo-squatter. That false site can collect credit card information, serve as a portal for malware, or simply be filled with advertising links and pop-up boxes that pay the squatter every time a visitor clicks a link or closes a pop-up. Typo-squatting relies on a person mistyping a legitimate URL and arriving at a fraudulent page populated with legitimate-looking advertising. Once a visitor clicks any of those links (or has the click made for them by a script), the advertising network pays the typo-squatter a small sum, from as low as a penny to as high as $25 per click depending on the advertiser. According to the firm’s findings, all of that money flowed into bank accounts controlled by ISIS.
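The mechanics above generalize beyond the Quran.com/Qiran.com case: a typo-squatter enumerates the single-keystroke variants of a target domain and registers whichever are free, and a defender can run the same enumeration in reverse to flag lookalike hostnames in DNS or proxy logs. The following is an added example written for this chapter, not code from the book or from any firm it describes. It assumes a QWERTY keyboard for adjacent-key substitutions, bare second-level domains like quran.com, and a constructed list of sample hostnames.

```python
"""Typo-squat candidate generation and lookalike detection (added example)."""
import string

# QWERTY adjacency map (assumption: models 'fat-finger' substitutions such as
# quran -> qiran, where 'i' sits next to 'u' on the keyboard).
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qase", "e": "wsdr", "r": "edft", "t": "rfgy", "y": "tghu",
    "u": "yhji", "i": "ujko", "o": "iklp", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn", "n": "bhjm",
    "m": "njk",
}


def split_host(host):
    """Split 'quran.com' into ('quran', 'com'). Assumes a bare second-level
    domain; subdomains would need a public-suffix list, which is out of scope."""
    label, _, suffix = host.lower().partition(".")
    return label, suffix


def typo_candidates(host):
    """Return the set of single-keystroke typo variants of a domain:
    omission, duplication, adjacent-key substitution, transposition and
    insertion applied to the second-level label. The TLD is left untouched."""
    label, suffix = split_host(host)
    variants = set()
    n = len(label)
    for i in range(n):
        variants.add(label[:i] + label[i + 1:])                 # quran -> qran
        variants.add(label[:i] + label[i] + label[i:])          # quran -> quuran
        for c in QWERTY_NEIGHBOURS.get(label[i], ""):
            variants.add(label[:i] + c + label[i + 1:])         # quran -> qiran
        if i < n - 1:
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # qruan
    for i in range(n + 1):
        for c in string.ascii_lowercase:
            variants.add(label[:i] + c + label[i:])             # quran -> quiran
    variants.discard(label)
    return {f"{v}.{suffix}" for v in variants if v}


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein edits plus a swap of two
    adjacent characters counted as one edit, so 'qruan' is one edit from 'quran'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def find_lookalike(host, protected, max_distance=1):
    """Return the protected domain that `host` imitates, or None. A host is a
    lookalike when its label is within `max_distance` edits of a protected
    label without being identical, or when only the TLD differs (quran.net)."""
    label, suffix = split_host(host)
    for p in protected:
        plabel, psuffix = split_host(p)
        if label == plabel and suffix != psuffix:
            return p
        if label != plabel and osa_distance(label, plabel) <= max_distance:
            return p
    return None


PROTECTED = ["quran.com"]
# Constructed hostnames, as they might appear in a DNS or proxy log.
SAMPLE_HOSTS = ["quran.com", "qiran.com", "qruan.com", "quran.net",
                "example.org", "koran.com"]


def triage(hosts, protected=PROTECTED):
    """Map each suspicious hostname to the protected domain it resembles."""
    hits = {}
    for h in hosts:
        p = find_lookalike(h, protected)
        if p is not None:
            hits[h] = p
    return hits


if __name__ == "__main__":
    cands = typo_candidates("quran.com")
    print(len(cands), "candidate squats; qiran.com among them:", "qiran.com" in cands)
    for h, p in triage(SAMPLE_HOSTS).items():
        print(f"{h} looks like {p}")
```

Note that koran.com is not flagged: it is a homophone, two edits away from quran.com, so an edit-distance check alone misses it. A defender watching a brand would add such phonetic and IDN homoglyph variants by hand to the protected list, and a squatter who knows this will register exactly those.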

The ISIS ad-fraud servers also host a constellation of self-regenerating advertisement bots that spray new links onto other, legitimate websites. As those links are clicked, or their pop-ups closed, they generate revenue. Because dismissing the pop-ups means interacting with the links, even experienced researchers with good intentions end up contributing directly to the ISIS coffers. Anyone who needs to examine such sites should do so from a disposable browser with scripts and advertising blocked, rather than clicking through.

The ISIS websites and links are arrayed so that ordinary searches for news and information misdirect researchers to ISIS ad-fraud sites, where they find links onward to the legitimate news sites. Again, once any of those links is clicked or closed, ISIS gets paid. Embedded within the same sites, however, may be links to ISIS terrorism videos, propaganda, and hidden pathways to web forms and secure communication portals. In fact, many researchers, intelligence officials, members of the news media, and the merely curious who visit the web storage sites where ISIS media is embedded are paying the organization for every click they make there. The more people track these Surface Web sites, the more ISIS gets paid. The visitor is materially contributing to the financial future of a terrorist group.

When the caliphate falls, the question will be what form the disparate followers of this group will take. Anyone who survives will probably leave the battlefronts of Libya, Syria, Iraq, Yemen, and Afghanistan and attempt to return home. For a while, they may be out of touch with their jihadi brothers at home. Those who successfully return to their homelands, particularly in Europe and the United States, will face a level of scrutiny from national and international intelligence agencies never seen before. But this won’t matter if they can still inspire, coordinate, and finance operations through the Deep Web. ISIS will live on, and the cyber jihadi will become the face of the average member.

That said, the ISIS Deep Web communications structure will have to survive, at least initially, on cash rolling in from Internet advertising fraud networks.

THE FUTURE OF ISIS AFTER ISIS

The future of ISIS is that it will reform in the shape of a Ghost Caliphate.

On its face, the destruction of ISIS will be a historic achievement, but the by-product will be a less centralized terror group that relies far more on inspiring attacks than on planning them and deploying cells. For the next decade or more, ISIS-inspired terrorists such as the husband-and-wife suicide team in San Bernardino, the truck-driving murderer in Nice, and the mass murderer at the gay nightclub in Orlando, Florida, will become the norm. Attackers of this type, who dream up a plan and then execute it without saying a word or leaving a deep digital footprint, are extremely difficult to detect. Once an inspired attacker finds the right target and acquires a weapon, be it a bomb or a tractor trailer, they can kill with impunity and claim ISIS loyalty after the fact. This is the future model of ISIS’s global disruption campaign. Conversely, ISIS-directed attacks from a central Cyber Caliphate will decrease or disappear as the bases of operations are physically destroyed; the Ghost Caliphate will take its place and remain devoted to terrorism by proxy.

The Ghost Caliphate will be broader, more covert, surreptitious, and much harder to detect. ISIS will essentially devolve back into the original model al-Qaeda used between 1988 and present day—it will become a covert terror organization that is 100 percent underground—leaving evidence of its activities only after the fact.

To establish the Ghost Caliphate, some of the surviving leadership of ISIS must find a safe haven if the terror network is to have any chance of reconstituting itself. Their best chance is a small remote area in Yemen, the central Sahara, or a hidden corner of Somalia. There, they can attempt to reestablish communications pathways using satellite Internet or regional mobile phone networks and basic operational security, in an effort to reconnect with other surviving members. Only then can they reestablish a central command that gives the current cyber warriors the support and direction they need. Without some form of leadership, the Ghost Caliphate will be the equivalent of trolls in the comment sections of newspapers’ digital editions.

The Ghost Caliphate will not direct individuals on precisely what to do but will become a completely inspirational organization that will call upon its attackers to join, secretly swear allegiance, and attack wherever, whenever, however. The future battle strategy of the failed Islamic state will essentially abandon all attempts to seize land like they did in Iraq, Syria, Libya, and Egypt.

With this strategy, there will also be an increase in attacks claimed by or attributed to ISIS even when there is no evidence that ISIS was ever in communication with, or inspired, those who carried them out. That is to be expected as the group breaks up and dissolves from a solid into a gaseous state of ideology.

The ghost hackers will use advanced tools rather than Kalashnikovs, propaganda in place of bombs, and, like the 9/11 hijackers, they will someday be poised to conduct an asymmetric war at the place, time, and with the methodology of their choosing.