
Terrorist Cyber Threat Headline Assessment

  • Cyber-attacks against UK businesses take a number of forms and vary significantly in scale and complexity. Ransomware is currently the most significant cyber threat facing the United Kingdom, with the potential to be as harmful as state-sponsored espionage.

  • In 2017 the “WannaCry” ransomware attack afflicted 200,000 computers across 150 countries. In the UK, it significantly impacted the National Health Service, affecting over 1 in 3 health trusts in England and resulting in over 19,000 appointments being delayed or cancelled. The attack was attributed to a state actor.

  • We assess it is likely that terrorist cyber activity against the UK is broadly limited to social media and website defacement, an area in which they have shown a relatively sophisticated degree of knowledge.

  • It is highly likely that should a UK business website be targeted for defacement, there will be short-term reputational consequences. Therefore, UK businesses are advised to take steps to ensure their information systems and social media channels remain secure from penetration by malicious actors.

  • With the Internet becoming even more integral to the success and growth of UK businesses, it is highly likely this will create more vulnerabilities for hostile cyber actors to exploit.

  • Attributing hostile cyber activity to specific named terrorist groups or their supporter networks is difficult. The nature of online activity and the ability to anonymise or obfuscate one’s identity mean that, unless a specific group openly claims to have conducted an attack, terrorist cyber activity is not always identifiable.


What is a Cyber-Attack?

Cyber-attacks are malicious and deliberate attempts by individuals or organisations to breach the information system of another individual or organisation. Usually, the attacker seeks some type of benefit from disrupting the victim’s network. The motivation for such attacks varies significantly, but often includes the desire for monetary gain or an ideological cause.

There is a broad range of cyber-attacks, including:

  • Backdoor Trojans: Backdoor Trojans are malicious software programs designed to give an attacker unauthorised access to a system. Once activated, the attacker can send commands to, or take full control of, the compromised computer. Backdoor malware and viruses bypass authentication procedures to access systems and conceal their presence to avoid detection.

  • Cross-site scripting (XSS) attacks: Cross-site scripting attacks occur when attackers cause malicious script to run within a victim’s browser. The attacker does not usually control the site itself; instead, they inject their malicious code into a legitimate website so that browsers execute it whenever the page is loaded.

  • Denial-of-service (DoS): An attack that floods a system’s resources, overwhelming it and preventing it from responding to legitimate service requests, which degrades the system's ability to perform. The attack becomes a 'distributed denial of service' (DDoS) when it comes from multiple sources rather than just one.

  • DNS tunnelling: Domain Name System (DNS) tunnelling is a method of cyber-attack that encodes the data of other programs or protocols inside DNS queries and responses. It provides attackers with a covert channel to extract or steal data.

  • Phishing: Phishing is a method whereby attackers attempt to trick users into doing 'the wrong thing', such as clicking a link that unknowingly downloads malware onto their device. Although commonly associated with email, this method can also be carried out by other means such as text message or social media.

  • Ransomware: Ransomware is a form of malicious software that freezes or takes control of the victim’s data, with control only being released back to the victim once they have paid the attacker a nominal “ransom” fee.

  • SQL injection: Structured Query Language (SQL) injection is one of the most common web hacking techniques. It works by injecting malicious code into SQL statements via web page input. It commonly occurs where a web form asks the user for a value such as a username and that input is used to build an SQL statement directly, so that a user who enters an SQL fragment instead has it run against the database.
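As an added illustration of the SQL injection mechanism described in the list above (example code written for this page, not from the original ProtectUK publication), the following Python snippet shows a login check that builds its query from a username field by string concatenation beside the parameterised form that closes the hole. The users table, its rows and the helper names are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Sample rows, constructed for this example (plaintext only to keep it short;
    # a real system would store password hashes, not passwords).
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by string concatenation: web-page input becomes part of
    the statement itself, which is the defect the page describes."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """Parameterised query: values travel separately from the statement, so
    user input can never change the query's structure."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def demo():
    """Run both versions with a normal login and with an SQL fragment typed
    into the username field; returns the matched usernames for each case."""
    conn = make_db()
    # A username field holding an SQL fragment instead of a name: the trailing
    # "--" turns the rest of the concatenated statement into a comment.
    injected = "' OR 1=1 --"
    return {
        "normal_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "normal_safe": login_safe(conn, "alice", "s3cret"),
        "injected_vulnerable": login_vulnerable(conn, injected, "wrong"),
        "injected_safe": login_safe(conn, injected, "wrong"),
    }


if __name__ == "__main__":
    for case, matched in demo().items():
        print(f"{case}: {matched}")
```

The concatenated version returns every user for the injected input, while the parameterised version treats the same text as a literal username and matches nothing.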


Impact on UK Businesses

Cyber-attacks against UK businesses are common, as highlighted in the Government’s Cyber Security Breaches Survey 2022, which found that 39% of UK businesses had suffered a cyber-attack, with phishing attempts being the most common method.


Social Media and Website Defacement

While cyber-terrorism has captured the public imagination (largely due to the way the media depicts such activity), it is almost certain that most terrorist groups and their supporters lack sufficient knowledge and technical capability to conduct significantly disruptive cyber-attacks against UK businesses. In the absence of the ability to cause widespread damage to UK business and infrastructure, terrorists and their supporters have adopted more limited goals, such as social media and website defacement. For example, in 2017 a hacking group associated with supporters of Daesh conducted a website defacement campaign targeting NHS websites in the UK. This was a separate event from the aforementioned ransomware attack, which severely disrupted NHS systems and their capability to function. In these more limited activities, terrorists and their supporters have shown a relatively sophisticated approach.


ISIL supporter network social media defacement

In 2020, research by the Institute of Strategic Dialogue identified a decentralised network of ISIL supporters exploiting vulnerabilities in Facebook to spread ISIL propaganda. The network used a number of relatively sophisticated techniques to ensure their content evaded detection. These included:

  • Account Hijacking: seizing accounts from other users, using applications to intercept password reset text messages from the platform.

  • Content Masking: overlaying ISIS content with the branding of mainstream media outlets to prevent identification and bypass Facebook’s hashing technology.

  • Link Sharing: sharing links to Jihadi websites en masse in comment threads on Facebook.

  • Coordinated Raids: members of the network organised and carried out “raids” on other Facebook pages to hijack comment threads and trending hashtags.

  • Exploiting Text Analysis: making use of “broken text” formats or specialised fonts to evade detection by Facebook’s automatic text analysis.


Zoombombing

“Zoombombing” is a type of cyber-harassment in which a group of unwanted and uninvited users interrupt online meetings held over video conference applications. With the Covid-19 pandemic and the move to remote working, the use of the Zoom application to facilitate meetings became increasingly popular, leading to an increase in this type of harassment. “Zoombombing” has been a notably popular methodology amongst extreme right-wing terrorists (ERWT) to harass individuals and communities, aiming to cause fear and distress.


African, Caribbean and LGBT* Edinburgh University Students attacked in Zoom meeting.

On 14th February 2021, a Zoom meeting hosted by the University of Edinburgh’s African and Caribbean Society was hijacked by individuals shouting racist abuse and sharing content to the presenter’s screen during the meeting. During the incident, the individuals made racist comments and threatened the attendees. The link to the meeting had been shared with the wider student body, allowing the perpetrators to rejoin multiple times even after being removed by the organisers of the meeting.

To minimise the risk of such events occurring, the following precautions are recommended:

  • Turning off the chat function for participants.

  • Setting the screen-sharing facility to "host only".

  • Using a moderator who does not take part in the conversation but can block people quickly.

  • Using the app's Webinar function so only the panel can talk or show videos.

  • Closing sign-ups 12-24 hours before the event.

*Lesbian, Gay, Bisexual and Transgender

Ransomware

The National Cyber Security Centre (NCSC) currently assesses that ransomware is the most significant cyber-threat to the United Kingdom. Ransomware is a form of malicious software used by criminals or others who seek to extort money from victims. The software is used to freeze or take control of the victim’s data, often with a threat that the data will be made publicly available, and control is only released back to the victim once they have paid the attacker a nominal “ransom” fee. Though the precise costs to UK businesses from ransomware are hard to determine, the methodology is assessed as significantly profitable, with attacks targeting the UK as a whole doubling in 2021.

2017 “WannaCry” Ransomware attack

In 2017, the “WannaCry” ransomware attack affected 200,000 computers across 150 countries. In the UK, it was the largest cyber-attack to impact the National Health Service. Taking place between the 12th and 19th May 2017, the attack succeeded in disrupting at least 34% of trusts in England. The attack resulted in a number of trusts being locked out of their own IT systems, while others shut down their email and IT systems out of an abundance of caution. The impact of the attack was significant, with thousands of appointments and operations cancelled. The attack was eventually stopped by a member of the public activating a “kill-switch”, preventing the malware from locking further devices. The attack was attributed to a state actor.


Probability and Likelihood in Intelligence Assessments

When describing threats in intelligence assessments, Counter Terrorism Policing uses the Probabilistic Yardstick.

The Probabilistic Yardstick is a tool created by the Professional Head of Intelligence Analysis (PHIA) in the UK government to standardise the way in which probability is described in intelligence assessments. For example, when we use the term ‘likely’, we mean ‘a 55-75% chance’.

Use the scale below as a reference when reading ProtectUK Insights.

Probabilistic Yardstick
