Weapons systems are refined most quickly in the crucible of conflict. It’s no surprise, therefore, that digital techniques are evolving fast in the Middle East, hinting at the possibilities for when cyberwar moves beyond propaganda and disinformation to something a little … hotter.
Overnight Australian time, someone broke into the Israel Defence Forces’ official Twitter account, @IDFSpokesperson, and issued a fake alert: “#WARNING: possible nuclear leak after 2 rockets hit Dimona nuclear facility.”
The fakers were soon kicked out, but not before tweeting a second time: “Always via @Official_SEA16 Long live #Palestine.” That act of bravado effectively gave the game away. Without confirmation from other official sources, it’s unlikely that Israeli citizens took the brief nuclear scare seriously. But with better organisation, it could have been leveraged into something bigger. What if the warning had been issued via a number of official Israeli sources simultaneously, not just one, and supported by a flood of fake witness reports?
It’s not yet entirely clear who’s responsible for this hack, but the most likely candidate is the Syrian Electronic Army, the SEA referred to in the tweet. As Crikey reported last year, they’re smart, well organised, and strategic. The SEA’s false report of explosions at the White House injuring President Obama, tweeted via the Associated Press Twitter account after the SEA had taken control, caused the Dow Jones to drop 150 points.
Another candidate, though less likely in my view, is the Islamic State (IS), formerly the Islamic State of Iraq and Syria (ISIS). The group is already using a smartphone app to automate massive Twitter propaganda campaigns — peaking at 40,000 tweets one day. The tweets appear to come from the individuals who’ve installed the app, because it’s logged into their Twitter accounts and they’re tweeting normally, but extra tweets can be issued directly by IS — coordinated centrally and paced to avoid triggering Twitter’s anti-spam defences.
The IS app is installed voluntarily by supporters, but it’s not that big a step to orchestrating a mass hacking — organised criminals do this sort of thing all the time — covertly installing an app that uses the smartphone’s location service to narrow the focus to users in Israel, say, and issuing a flood of images of car-packed roads and panicky drivers taken during some other incident.
For bonus points, you could identify the hacked users’ closest social media contacts and send more personalised disinformation, perhaps by email as well as social media.
For even more bonus points, you could hack into live TV and radio to make it really scary. Czech art group Ztohoven successfully inserted an atomic bomb into morning TV back in 2007. In the era of smart TVs it could be even easier: smart TVs are riddled with security holes. I’ve watched a hacker pop fake news scrollers over whatever’s being broadcast.
Scaremongering isn’t the only possibility, of course. A network of smartphones can be used for intelligence-gathering as well. Even something as basic as tracking a phone’s location, without even knowing whose it is, can tell you where people are gathering — a demonstration to contain, a troop concentration to interdict. Google Maps uses precisely this technique to provide its live traffic reports, tracking the location of the many, many smartphone users in moving vehicles.
Edward Snowden’s trove of documents has revealed the possibilities of digital surveillance and, as security megastar Bruce Schneier wrote in May, “the NSA is not made of magic. Its tools are no different from what we have in our [information security] world, it’s just better-funded … The NSA’s collection and analysis tools are basically what you’d expect if you thought about it for a while.”
Better-funded in the NSA’s case, perhaps just better-organised in the case of an organisation whose members are driven by passion and ideology — such as SEA or IS. None of these things require any new technology. It’s just a matter of thinking through how you could connect up existing capabilities, which are already highly modular, then planning and organising.
Whatever possibility you or I might think up, chances are that others have, too — and have already built it.