A smartphone application known as the IS Amaq Agency app, which the Islamic State uses to spread news and propaganda across its network, is suspected of having played a part in a major attack on the core infrastructure of the internet earlier this month.
An analysis of the app suggests that it may have been the source of a botnet built to conduct a large-scale DDoS attack on the internet's root name servers. A successful attack of this kind could cause major disruption, potentially making much of the internet unreachable for a time.
The attempted attack took place between November 30 and December 1. It targeted the 13 root name server identities (A through M) at the top of the Domain Name System, on which virtually every name lookup on the internet ultimately depends. According to cybersecurity experts, a smartphone application was most likely used to build the botnet. At its peak, the botnet flooded the servers with five million queries per second. By one estimate, generating that much traffic would have required at least 18,000 mobile devices running the app over Wi-Fi connections, or roughly 280 queries per second from each device.
An analysis of the IS Amaq Agency application showed that it contained a suspicious encrypted payload which, once decrypted, held the addresses of the 13 root name servers. The app is not distributed through the official app stores, so the size of its user base is unknown. The root server operators have not said who they believe was responsible for the attack, although they published an incident report on the root-servers.org website.
Cybersecurity expert John McAfee said, “I feel certain that the IS news app was the source of the DDoS attack. One of my researchers has discovered encrypted packets being sent to the Amaq Agency news app. We found the 13 root server addresses in the app memory while the app was running. The addresses did not appear inside the static app. The addresses therefore had to be decrypted at run time. Why would they encrypt the addresses inside the app unless they were trying to hide the true purpose of the app? This is the smoking gun we were looking for.”
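The check McAfee describes, values that are absent from the static package but present in the running process, is a standard triage step for spotting runtime-decrypted configuration. The Python below is an added example, not code from the article or from any analysis of the actual app: it scans a static artifact and a memory snapshot for the published IPv4 addresses of the root servers and reports which ones appear only at runtime. Both inputs are constructed byte strings; the "static package" carries the address list under a toy XOR obfuscation that stands in for whatever scheme the real app used (which is unknown and not assumed here), and the "memory snapshot" carries the same list in the clear.

```python
from __future__ import annotations

import ipaddress
import re

# Published IPv4 addresses of the thirteen root name servers (root-servers.org).
# b.root-servers.net was renumbered in 2017; when the article appeared it was 192.228.79.201.
ROOT_SERVER_V4 = {
    "a": "198.41.0.4",
    "b": "199.9.14.201",
    "c": "192.33.4.12",
    "d": "199.7.91.13",
    "e": "192.203.230.10",
    "f": "192.5.5.241",
    "g": "192.112.36.4",
    "h": "198.97.190.53",
    "i": "192.36.148.17",
    "j": "192.58.128.30",
    "k": "193.0.14.129",
    "l": "199.7.83.42",
    "m": "202.12.27.33",
}

# A dotted quad that is not part of a longer digit/dot run; octet range is checked afterwards.
IPV4_RE = re.compile(rb"(?<![0-9.])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9.])")


def extract_ipv4(blob: bytes) -> set[str]:
    """All syntactically valid IPv4 literals present as ASCII text in blob."""
    found = set()
    for match in IPV4_RE.finditer(blob):
        text = match.group().decode("ascii")
        try:
            ipaddress.IPv4Address(text)  # rejects octets above 255
        except ValueError:
            continue
        found.add(text)
    return found


def root_hits(blob: bytes) -> dict[str, str]:
    """Root server letters whose address appears in blob."""
    present = extract_ipv4(blob)
    return {letter: addr for letter, addr in ROOT_SERVER_V4.items() if addr in present}


def compare(static_blob: bytes, memory_blob: bytes) -> dict[str, list[str]]:
    """Root addresses visible in the static artifact, in the memory snapshot, and only at runtime."""
    static_hits = set(root_hits(static_blob))
    runtime_hits = set(root_hits(memory_blob))
    return {
        "static": sorted(static_hits),
        "runtime": sorted(runtime_hits),
        "runtime_only": sorted(runtime_hits - static_hits),
    }


def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """Toy obfuscation used only to build the constructed sample; an assumption, not the app's scheme."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed sample artifacts (not real app data).
_KEY = b"\x5a\xa5\x3c"
_TARGET_LIST = "\n".join(ROOT_SERVER_V4.values()).encode("ascii")
STATIC_PACKAGE = (
    b"AndroidManifest.xml\x00feed=https://example.invalid/feed\x00"
    + xor_obfuscate(_TARGET_LIST, _KEY)
    + b"\x00res/layout/"
)
MEMORY_SNAPSHOT = b"\x00heap\x00" + _TARGET_LIST + b"\x00"

if __name__ == "__main__":
    result = compare(STATIC_PACKAGE, MEMORY_SNAPSHOT)
    print("static       :", result["static"])
    print("runtime      :", result["runtime"])
    print("runtime only :", result["runtime_only"])
```

On a real case the two inputs would be the unpacked APK (or its native libraries) and a process memory dump taken while the app runs; the interesting finding is a non-empty `runtime_only` list, which is exactly the pattern McAfee reports.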
Some security experts also believe that further waves of attacks could follow in the near future, and an official investigation has yet to determine whether ISIS was in fact responsible. Meanwhile, Verisign, which operates two of the root name servers (A and J), published a blog post giving its perspective on the attack. Verisign believes the attackers' source addresses were spoofed; McAfee maintains that this cannot be true.
McAfee argued, “This is utter nonsense. If someone is going to write a script to do a DDoS attack, why go to all of the trouble to write a set of different spoofing algorithms? More telling yet is that the bulk of the blog post was dedicated to giving us a sense of relief and trust in Verisign. If they admitted that the IP addresses were real, there would be panic because there are no safeguards for such an event.”
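Whether a flood's source addresses are spoofed is something an operator tests against the captured traffic rather than argues from the attacker's effort. One common test: a flood tool that writes random 32-bit source addresses produces a large share of addresses in reserved or unroutable space, from which no real host on the public internet can send, and scatters sources across almost every /8. The Python below is an added example, not code from Verisign, McAfee or the root operators' report, that applies this test to two constructed samples: one drawn uniformly at random from the IPv4 space, and one restricted to a few dozen routable /16 prefixes as a stand-in for real client populations. The 2% decision threshold is an assumption.

```python
from __future__ import annotations

import ipaddress
import random
from typing import Iterable

# Special-use IPv4 ranges (RFC 6890 and related) that cannot be legitimate source
# addresses for traffic arriving from the public internet.
SPECIAL_USE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_special_use(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in SPECIAL_USE)


def expected_special_use_share() -> float:
    """Fraction of the 32-bit space that is special-use: what a uniform random spoofer yields."""
    return sum(net.num_addresses for net in SPECIAL_USE) / 2 ** 32


def assess(sources: Iterable[ipaddress.IPv4Address]) -> dict[str, float]:
    """Summarise a sample of query source addresses."""
    sources = list(sources)
    bogus = sum(1 for a in sources if is_special_use(a))
    return {
        "total": len(sources),
        "special_use": bogus,
        "special_use_share": bogus / len(sources) if sources else 0.0,
        "distinct_slash8": len({int(a) >> 24 for a in sources}),
    }


def likely_spoofed(sources: Iterable[ipaddress.IPv4Address], share_threshold: float = 0.02) -> bool:
    """Assumed rule: more than 2% unroutable sources is not a population of real hosts."""
    return assess(sources)["special_use_share"] > share_threshold


# Constructed samples, seeded so the numbers are reproducible.
def random_spoofed_sources(n: int, seed: int = 7) -> list[ipaddress.IPv4Address]:
    """Sources as a naive spoofer writes them: uniform over the whole 32-bit space."""
    rng = random.Random(seed)
    return [ipaddress.IPv4Address(rng.getrandbits(32)) for _ in range(n)]


def real_host_sources(n: int, seed: int = 7, prefixes: int = 40) -> list[ipaddress.IPv4Address]:
    """Sources as real clients look: drawn from a few dozen routable /16 prefixes."""
    rng = random.Random(seed)
    nets = []
    while len(nets) < prefixes:
        base = rng.getrandbits(32) & 0xFFFF0000
        net = ipaddress.ip_network(f"{ipaddress.IPv4Address(base)}/16")
        if not any(net.overlaps(s) for s in SPECIAL_USE):
            nets.append(net)
    return [
        ipaddress.IPv4Address(int(rng.choice(nets).network_address) + rng.getrandbits(16))
        for _ in range(n)
    ]


if __name__ == "__main__":
    print("expected share under uniform spoofing:", round(expected_special_use_share(), 3))
    for label, sample in (("random", random_spoofed_sources(20000)), ("real", real_host_sources(20000))):
        print(label, assess(sample), "spoofed?", likely_spoofed(sample))
```

The test only catches a naive spoofer; one who forges sources drawn solely from routable prefixes evades it, so a clean result is evidence rather than proof. Two further facts bear on McAfee's argument: phones behind carrier or home NAT generally cannot put arbitrary source addresses on the wire, and the defence against spoofing is ingress filtering at the sending networks (BCP 38), not anything the root operators can deploy.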
If ISIS was responsible, the attack would show that the group's cyber capabilities have improved markedly in a short time. The Islamic State has declared cyberwar on the Western world, but until now no major attack has been attributed to the organization.
Digital strategy consultant Lars Hilse has argued that vulnerabilities in Western infrastructure make the internet an easy target for ISIS, and the group is believed to have already spent millions of dollars recruiting skilled hackers with the aim of taking down the internet.
A report from Kronos Advisory states: “We assess with high confidence that Daesh has recruited individuals who possess technical skills required to conduct sophisticated cyber offensive operations. It is assessed with low confidence that an absence of cyber attacks targeting critical infrastructure is an indicator this terrorist group is not intent upon expanding its cyber terrorism capabilities.”
A successful attack on the root name servers would be serious, but name resolution would not stop at once. Thousands of recursive resolvers around the world cache the delegation records they learn from the root, and most root server letters are replicated across many anycast sites. Those caches are temporary, though: a resolver keeps each record only for its time-to-live, two days for the delegation records in the root zone, after which it must go back to the root. If the root servers stayed unreachable beyond that point, lookups would begin to fail, and with the West's heavy reliance on the internet, everything from emergency services to air travel would be affected. Most troubling, security experts believe that ISIS has the resources to conduct such an attack and that another attempt in the near future is highly likely.
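How long a root outage takes to bite depends on that caching. The Python below is an added example, not code from the article, that models a recursive resolver keeping the delegation records it learned from the root for their TTL (172800 seconds, the TTL on TLD delegation records in the root zone) and shows what happens once the root servers stop answering: a delegation cached before the outage keeps serving until it expires, while a lookup for a TLD that was never cached fails immediately. The outage timeline, the referral data and the `simulate` scenario are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

ROOT_NS_TTL = 172800  # seconds; TTL on TLD delegation (NS) records in the root zone


class RootUnreachable(Exception):
    """Raised when a referral is needed but no root server answers."""


@dataclass
class Resolver:
    """Minimal model of a recursive resolver's cache of root delegations."""
    root_reachable: Callable[[int], bool]        # given a timestamp, is the root answering?
    referrals: Dict[str, List[str]]              # constructed stand-in for the root zone
    cache: Dict[str, Tuple[int, List[str]]] = field(default_factory=dict)

    def delegation(self, tld: str, now: int) -> Tuple[str, List[str]]:
        """Return ("cache" | "root", nameservers) for tld, or raise RootUnreachable."""
        hit = self.cache.get(tld)
        if hit is not None and hit[0] > now:        # still within TTL
            return "cache", hit[1]
        if not self.root_reachable(now):
            raise RootUnreachable(tld)
        ns = self.referrals[tld]                     # simulated query to a root server
        self.cache[tld] = (now + ROOT_NS_TTL, ns)
        return "root", ns


# Constructed root zone fragment and outage timeline (placeholder names, not real servers).
REFERRALS = {"com": ["com-ns.example."], "org": ["org-ns.example."]}
OUTAGE_START = 1_000_000


def simulate(outage_seconds: int) -> Dict[str, str]:
    """Outcome of lookups `outage_seconds` into a root outage; .com was cached an hour before it."""
    resolver = Resolver(root_reachable=lambda t: t < OUTAGE_START, referrals=REFERRALS)
    log: Dict[str, str] = {}
    log["prime"] = resolver.delegation("com", OUTAGE_START - 3600)[0]
    during = OUTAGE_START + outage_seconds
    for tld in ("com", "org"):
        try:
            log[tld] = resolver.delegation(tld, during)[0]
        except RootUnreachable:
            log[tld] = "fail"
    return log


if __name__ == "__main__":
    for seconds in (3600, 150_000, 170_000):
        print(f"{seconds:>7}s into outage:", simulate(seconds))
```

The window is longer in practice: popular delegations are refreshed continuously by busy resolvers right up to the outage, and resolvers implementing serve-stale (RFC 8767) keep using expired records while the authority is unreachable. It is shorter for a resolver that starts cold during the outage, since it cannot prime its cache from the root hints at all.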
Information security expert Eddie Mize said, “Imagine if the internet went down for several days. I believe we would see significant power grid failure and potentially loss of emergency services. This could mean the failure of dams and flood controls, power and water distribution, natural gas distribution and control failure, and more. Perhaps the most alarming aspect would be to the financial sector. I believe that loss of the internet for even a two-week period could cause enough disruption to financial institutions that consumers would lose confidence, and this could be catastrophic to the markets. All of this could set up a chain reaction that could send the public into a panicked tailspin.”
ISIS may indeed have found a way to bring the Western world to its knees. If the terrorist group can in fact take down the internet, the world would face a disaster on a scale never seen before.