Hobart airport’s hacking debacle highlights the ways extremist groups are becoming more cyber-savvy. By Martin McKenzie-Murray.
Islamic State’s online strategies
In this story
The response came flat and automated: “Thank you for your email.” The platitude was generated not by the website of my local council, but by the Islamic Emirate of Afghanistan: the Taliban. I was inquiring about the group’s public relations strategy. Were they not being hopelessly outmatched by the Islamic State? I didn’t fail to apply my own empty politeness to the correspondence either, surrendering to the beige abstraction of online contact forms. I didn’t want to jeopardise the possibility of a response with anything other than affected neutrality. Then I waited.
This week, Hobart airport’s website was hacked by Team System DZ, a group loosely affiliated with the IS (also known as ISIS) but suspected to be a gang of giggling misfits in Beirut. The site was shut down for more than 24 hours, but not before DZ’s signature graffiti – jihadist boilerplate and images of Saddam Hussein – had replaced departure times and glossy snaps of the Tasmanian capital.
Outside Hobart, it generated more bemusement than fear, as the incongruity of the IS and the Apple Isle settled, though airport administrators scrambled to erase the graffiti, strengthen a hopelessly insecure site and contemplate the presumed discomfort of passengers who happened across declarations of violent martyrdom as they awaited their flights.
But mere graffiti it was. Team System DZ has, by some estimates, similarly defaced thousands of websites. Junior rugby teams in Britain; vineyards in Spain. Now it was an airport in Tasmania. But none of these is an example of discrimination. They were not personally targeted, they were simply low-hanging fruit for the malicious hacker. This week’s breach revealed the insecurity of the airport’s website, and little else. Not the work of an individual’s intent, the site fell prey to the automated hacking software of DZ. It was a discriminatory attack only in the sense that the malicious program crawls the web in search of vulnerable sites.
“If it wasn’t an airport website,” information security expert Stilgherrian tells me, “and if it didn’t have a message supporting Islamic State, this simply wouldn’t rate as news in the information security community. It was just one of the hundreds of website defacements that happen every single day, and there wasn’t anything unusual about how the hackers broke in.
“Website defacements are really just the internet/political equivalent of throwing a brick through a shop window and daubing graffiti on the wall. They’re about attracting attention. For ISIS, any website will do, so long as it’s vaguely associated with ‘The West’. The hack of an airport website was a bonus, because we associate airports with security – and there was indeed a security failure, but only of the public-facing website. It got the political message in front of people, and it annoyed travellers who wanted to use the website, but it wasn’t anything that would affect aircraft safety or the security of the airport.”
While the Taliban ran Afghanistan in the 1990s they attempted to outlaw modernity. Television was banned; women were condemned to domestic servitude while men tilled opium crops. Music was blasphemous; the Buddhas of Bamiyan were decreed idolatrous and dynamited. But there were certain pleasures and practicalities of modernity that were selectively enjoyed. Taliban leaders cherished their Soviet weapons, taken from the repelled army. They used modern communications systems, ultimately establishing their own website.
A fracture emerged: how to wage war against the West’s decadence without adopting its tools? It was an impossible task to assume both austerity and global ambition, and the Taliban began taking its propaganda very seriously. So much so that Time magazine published an article in 2009 under the headline “Why the Taliban Is winning the propaganda war”, and wrote: “The same Taliban that once banned television now boasts a sophisticated public relations machine that is shaping perceptions in Afghanistan and abroad.”
This is no longer the case. Not by a long way. IS is far more adept technologically, and has had no hesitation in adopting the infidel’s tools. In fact, among Western supporters there’s a happy deployment of encouraging emojis on Facebook pages carrying images of beheaded enemies. Much has been written about the IS’s “slick” use of social media, but it is staggering to see how effortlessly and unapologetically it’s been integrated into a mediaeval project. The IS operates at the bizarre crossroad of ancient barbarism and modern ingenuity – the restoration of the caliphate via Silicon Valley.
“ISIS has a very slick social media strategy indeed,” Stilgherrian says. “They understand precisely how to get a topic trending on Twitter, and they’ve automated that through the Dawn app, so that their images and their videos are right at the top of searches. As J. M. Berger wrote in The Atlantic, ‘ISIS does have legitimate support online – but less than it might seem. And it owes a lot of that support to a calculated campaign that would put American social-media-marketing gurus to shame.’ ”
It is the recruitment power of social media that poses the real threat, not low-level hacks as we saw this week. Plus, as Stilgherrian tells me, “the truly dangerous hackers don’t leave a visible calling card. They work as quietly and as carefully as they can to infiltrate data networks without being detected.”
The IS busies itself designing social media apps, creating recruitment memes and filming its atrocities in high definition. Its latest film is called the Clanging of the Swords IV, which openly apes Hollywood action films. Meanwhile, its latest video, released this week, features a montage of beheadings and immolation, with incitements to attack Western cities made in that quintessentially American art form, rap. The rapper is believed to be Abu Talha Al-Almani, a German formerly known as Deso Dogg. In the video, he raps: “Mutilated soldiers are coming back to your homeland, close to desperation, eyes are being lost, bodies without legs, we want your blood, it tastes so wonderful.”
The video appeals to homegrown “war”, and lists a number of Western targets, including Australia. In one scene, the rapper’s voiceover urges a man, nominally living here, to wage jihad by turning his car into a bomb.
The propaganda being consumed by young Australians and Britons reveals the movement’s glibness. One IS recruitment meme shows a blood-spattered Glock and the words: “YODO: You Only Die Once. Why Not Make it Martyrdom?” Another meme posted on Facebook shows the silhouette of a man, his back turned and an automatic rifle slung over his shoulder. The caption reads: “Sometimes people with the worst pasts create the best future.” The comments beneath are filled with young British jihadi wannabes, bantering excitedly. The meme, in fact, resembles nothing so much as a poster for a Jason Statham action movie as, say, some unbearably witless paean to football hooligans. You know the stuff: boozy thugs pinned to a thin plot, whose bravado is meant to signify something or other about class and loyalty, but any sincere exploration of masculinity is jettisoned in favour of piss and weaponised fire hydrants. They know which side their bread is buttered.
And so does the IS. It’s about glamorising violence and leveraging youth’s fetishisation of it. They know this instinctively. And it’s working. But crediting the IS’s social media team with startling acuity would be like concluding that the producers of Green Street Hooligans 3 possess genius. The IS recruitment strategies have little to do with piety. And the question isn’t how to repel automated software – it’s a quick solve for a small problem – but rather how to retard the siren call of violence in our suburbs. And that question is a lot trickier.
For now, the IS’s hacking abilities are limited and their attention is elsewhere. But those in the info-sec industry wonder if the IS’s malevolent talents might improve. “So far ISIS has been fighting a ground war,” Stilgherrian says. “And their digital skills have been applied to social media for propaganda purposes. But starting in around September 2014, we started to see reports from some of the information security companies that run counterintelligence against these sorts of hacker groups that ISIS-affiliated hackers were trying to get hold of more sophisticated tools, from the Eastern European criminal underground and elsewhere. Now that’s not necessarily an immediate threat, because they have to learn to use those tools effectively without being defeated on the electronic battlefield, as it were. The nation-state hackers are well ahead of them, we can assume. But it’s something to keep an eye on.”
Another thing to ponder is what cyberterror might look like in the future when increasing amounts of infrastructure are integrated with the web. The so-called “Internet of Things” would increase the number of systems and machines vulnerable to hacking, from smart electricity grids to traffic lights and home security. “The Internet of Things we keep hearing about is going to be the Internet of Stupid, Broken, Insecure Things,” Stilgherrian tells me. “Once more, we’re rolling out all the cool technology without really thinking about how it can be subverted. We have enough trouble getting people to install security patches on their computers and smartphones. The one saving grace is that the bad guys are still doing quite nicely hacking the things they’ve already hacked; they won’t need to bother with all these smart devices just yet. So maybe we’ll have a year or two, and a version or two, to get it right.”
And, no, I never did hear back from the Taliban.
This article was first published in the print edition of The Saturday Paper on Apr 18, 2015 as "Daesh-top computing".
A free press is one you pay for. In the short term, the economic fallout from coronavirus has taken about a third of our revenue. We will survive this crisis, but we need the support of readers. Now is the time to subscribe.