How real is the threat of cyberterrorism?
Former FBI agent Andre McGregor says Iran and Islamic State pose the greatest danger
North Koreans attend a rally held to gather their willingness for a victory in a possible war against the United States and South Korea in Nampo, North Korea – the country is a state actor of some concern
Cyberterrorism: in the public mind
Casino owner Sheldon Adelson: hacked by Iran
Saudi Aramco oil company, which was hacked by an Iranian group
Sony: hacked by North Korea. Photograph: Getty Images
Cyberterrorism features high in the public mind. In a recent Gallup poll, 79 per cent of Americans ranked a cyberterrorism attack on essential infrastructure third in a list of the greatest threats facing the US.
But a former FBI special agent with particular expertise in cyberterrorism has said real cyberterrorists are so rare they might be considered unicorns in the ranks of more typical cyber-attackers, such as hacktivists, disgruntled insiders, criminals, spies or nation states engaged in cyber-warfare.
“I’m not too concerned that were going to have a cyber 9/11 tomorrow,” says former agent Andre McGregor, now working in the private sector as head of security at security consultants Tanium. While in the FBI, he focused on China, Russia, Iran, Al-Qaeda and Islamic State (and, these days, is also the FBI adviser to the television series Mr Robot).
He told an audience last month at the RSA Security Conference in San Francisco that the FBI has teams dedicated to monitoring each country of concern. His familiarity with such monitoring, and his work investigating attacks perpetrated by such groups and states, would indicate that almost none has the capability, at least at this time, to carry off a true cyberterrorism attack.
In addition, almost all existing attacks that are popularly viewed as cyberterrorism actually are not, he says.
Often, they are hacktivist attacks that can be destructive, but are not really terrorism. “Hacking to promote a cause is different from hacking to incite terror and fear,” he says.
People also tend “to associate all attacks against infrastructure as cyberterrorism, when it’s really not”. He classifies many such attacks as cyber-warfare, something many countries will unofficially engage in behind the scenes.
McGregor says a basic definition of cyberterrorism is that the attack has to be claimed by a terrorist organisation – generally, groups will boast about the attack. In addition, the attack must involve dangerous acts against life and safety, influence government policy, or have a similarly dramatic and forceful effect.
He believes Iran has the only hackers that could potentially pose a cyberterrorism threat, because of the rapid growth in sophistication and capability of Iranian attacks.
These started with a number of basic web-defacement attacks, considered the very low end of hacking, done by a number of students.
Nonetheless, they caused fear and led people to believe the attackers were inside infrastructure even though they weren’t, he says.
“At first, no one gave them any credit,” notes McGregor. Initial phishing emails were easy to identify as coming from the hackers and the English in the emails was poor. But the group quickly improved their skills.
Before long, the group’s capabilities evolved to where they could develop their own software and destructive malware, and engage in spearphishing and denial of of service attacks (in which servers are bombarded with so many requests that they become paralysed).
McGregor says a major attack by the group on the oil conglomerate Saudi Aramco was believed to be revenge for Stuxnet, a worm believed to have been developed by the US, which caused significant damage to Iran’s nuclear facilities.
The attack affected oil production and was the first major attack for Iran. Denial of service attacks against a number of US banks followed in 2012. These attacks caused “mass confusion” because up until then, law enforcement agencies had focused more attention on Russia and China, not believing Iran capable of such destructive attacks.
“We were absolutely wrong . . . they were able to have a major impact on these industries. It really taught us that we had to take Iran seriously,” he says. “As a result we had to completely shift and develop squads focused on Iran – all because a group that we gave no credit to has, in two years, caused significant damage to infrastructure.”
An odd attack came next, in 2013, when the Iranian group hacked into the controls of a dam in New York state.
“We call this the biggest littlest hack in America, because we believe from our intelligence that Iran thought this was a much bigger structure.”
The group was able to get in, gain control, and “fiddle around, but not do any damage” to what was essentially just a sluice gate in Rye, New York. The station was powered down at the time.
In 2014, Iranian attackers went after Sheldon Adelson, owner of the Sands hotel and casino in Las Vegas, after he made “disparaging remarks about Iran and how he would go after them with weapons of mass destruction”. They managed to destroy databases and overwrite files for his casino network.
But the threat from Islamic State, also known as Isis, is what keeps McGregor awake at night.
“I lost sleep with Isis, and what they were doing and what they want to do.”
He says the group have perhaps half a dozen hackers who are skilled and effective, who mainly focus on getting “a lot of mileage out of social media hijacking and web defacement. It’s a very simple attack . . . but works and scares people.”
Islamic State hacker Junaid Hussain – believed killed in a US airstrike last year – was of greatest concern.
“He really wanted to be on the front line, but Isis at the top level said no, you’re good with technology, we’re going to have you do recon, encryption, hacking,” McGregor says.
Hussain was hacking into Facebook accounts, getting intelligence on military service members and then creating kill lists that were sent on to Islamic State supporters, he says. When he posted the name of the director of special forces on the kill list, he was targeted in a drone strike, “the first time we ever used a drone strike against a hacker.”
Islamic State are recruiting people with computing capabilities to hack into systems and do damage, McGregor says, including students in the US and UK.
North Korea is another state actor of some concern, he says, having gained international profile after the hack on Sony and consequent leak of embarrassing emails. North Korea’s abilities have improved since that attack, and the country is believed to be behind several attacks, including some against South Korean officials.
Considering all the possible state actors, McGregor said that Iran was the only country he would credit with having the ability to develop potentially dangerous hacking capabilities.
“I am not super-scared that tomorrow we’re going to have a major cyber-attack,” he asserts nonetheless. “Will there be a coordinated, complex attack that will take down our infrastructure by any of the groups that have done these attacks? The answer is no.”
The only countries currently capable of carrying out a complex, coordinated cyber-attack are the US, UK, Canada, New Zealand, Australia and Israel. But he is worried by Iran, and the “lone wolf” threat.
“There’s always the possibility that someone with skills, knowledge and reach could join one of these groups and change the narrative I’ve gone through today.”