The links between cyber-warfare and terrorism are well-established. Terrorist organizations such as ISIS have been attacking targets they perceive as unfriendly nearly since their inception.
Now, researchers at Cytegic report that they have discovered a link between terrorist attacks, such as the deadly attacks on the Brussels airport and metro system on March 22, and cyber-terror activities immediately before and after those attacks.
According to the activity graphs in its March 23 report on the link between the terrorist attacks in Paris last November and the related cyber-terrorist activity, cyber-attacks increase dramatically shortly after the attacks took place.
Those attacks were aimed in large part against government and media activities on the Internet, and took the form of denial-of-service (DoS) attacks, defacements, phishing attacks including email social engineering and malware injection. Financial service organizations and critical infrastructure were also high on the target list, but not as high as the first two.
Perhaps most surprising of all, there appears to be a reduction in activity immediately preceding the terrorist attacks in both Paris and Brussels. This “quiet period” isn’t a cessation of all cyber-terrorist activity, but rather a reduction in intensity. Some attackers seem to continue at their normal level, while others, who are identified by Cytegic as being cyber-terrorists, show a significant decrease until the attacks take place.
It's worth noting that cyber-attackers are comprised of several types. There are the attackers that are directly sponsored by the terrorist organizations; there are sympathizers and activists that may be inspired by the terrorists, but don’t work directly for them; and then there are cyber-attackers who are unrelated to terrorist organizations.
After a terrorist attack, the cyber-attack activity picks up markedly. Within a day or so after an attack the cyber-terrorists ratchet up their activity, but so do government-sponsored attackers who are fighting the terrorists, and independent groups such as Anonymous, which have begun fighting the terrorists on their own.
The activity both by and against the terrorist organizations continues for a period of about three weeks, according to the Cytegic study, after which it returns to whatever passes as normal these days.
Cytegic CEO and co-founder Shay Zandani told eWEEK that his researchers gather their information from public sources plus a number of sources on the Dark Web. The data that they gather is processed by what Zandani calls a thesaurus engine to reveal the specific patterns in the attacks. The engine analyzes key words in the data to determine how the attacks are taking place and who is carrying out the attack.
“We think that if one can isolate specific geopolitical data and industry sectors for specific information, one can identify a pattern of behavior,” Zandani said. By discerning a pattern of behavior, he said it’s possible to proactively protect against the attacks.