January 2022

Taliban takeover swells across cyberspace

As regional countries vie for influence in Afghanistan, Matthew Bey predicts a surge in cyberespionage and the exploitation of databases and hardware left after the US withdrawal

In August, Facebook disabled the accounts and blocked the internet domains of a group of Pakistani state-backed hackers that targeted the former Afghan government, military and law enforcement, Meta (the company formerly known as Facebook) announced in a Nov. 16 statement. The Pakistani advanced persistent threat group Side Copy created fictitious personas on Facebook, operated fake app stores and compromised legitimate websites to host malicious phishing pages aiming to harvest Facebook log-in credentials in its attacks. Side Copy sought to convince targets to install Trojanised chat apps containing malware to compromise devices on which the apps were installed. 

Although Facebook pulled the plug on Side Copy’s campaign prior to the Taliban takeover of Afghanistan, Pakistan’s cyberespionage campaign highlights how many regional countries will seek to surge intelligence collection now that the United States has withdrawn and the Taliban government is in power. Four significant cyber trends are likely to continue deep into 2022, if not longer, which could affect Western organisations and individuals in Afghanistan: 

  • A general increase in foreign cyberespionage targeting Afghanistan.
  • Cyber influence and information campaigns in and out of the country trying to shape narratives about the Western withdrawal. 
  • The Taliban’s domestic crackdown on cyber freedoms using information and databases inherited from the previous government and Western states.
  • Cybersecurity challenges due to equipment left by the United States and NATO.

Cyberespionage will be a key vector to collect intelligence

Regional governments’ need for intelligence-gathering

Side Copy’s attempt to gather information in Afghanistan during the US exit from the country highlights the need for all regional countries to increase intelligence collection to better understand what is happening on the ground and attempt to sway events in their favour. While human assets, signals intelligence and other sources and methods will all play a role, cyberespionage will be a key vector to collect intelligence. Among other advantages, cyberespionage has become an important method because it allows perpetrators to acquire valuable information in bulk (such as emails and communications information), help find appropriate targets for source development, linger unnoticed in computer networks for prolonged periods – and do all of this remotely without fear of exposing personnel to arrest, or worse. 

China, Iran, Pakistan and Russia all have particularly able intelligence services with well-developed cyber capabilities. They also aim to play a stronger role in influencing the Taliban’s and Afghanistan’s future and managing any fallout to their countries from the recent regime change. China provides an example of what may become more routine in Afghanistan. Last September, Recorded Futures’ Insikt Group published a report accusing four different Chinese state-sponsored APT groups of targeting the mail server of Roshan, one of Afghanistan’s largest telecommunications companies, between June 2020 and September 2021. Notably, one of the APT groups increased its activity in August and September as the Taliban took over and the United States left, suggesting Chinese intelligence services were trying to collect as much information as possible amid the transition and set up a longer intelligence-gathering operation as the Taliban sought to consolidate control over Afghanistan.

As regional countries jockey for influence, there likely will be similar and increasingly successful attempts to digitally compromise the Afghan government, security services and other organisations through a myriad of cyber tactics. These include software and hardware exploits, phishing attacks and other social engineering methods, brute force attacks, and insider threats, all of which enable cyberthreat actors to compromise targets to gather intelligence. Certain APT groups are also becoming increasingly savvy at launching attacks through social media, as Side Copy tried to do. Given the further decline likely in Afghanistan’s already weak cybersecurity standards under the Taliban – whose leaders are unlikely to emphasise rigid cyber defences amid much greater competing priorities like pacifying internal dissent and combating the Islamic State Khorasan Province’s campaign of violence – cyberthreat actors will probably be more successful in their attacks. Aside from obvious government targets, the Afghan telecommunications sector is likely to be a highly coveted target for foreign intelligence services due to the valuable information (phone calls, text messages, backdoors, etc) it can provide. Among other uses, such information would help a foreign government better assess the Taliban’s intentions on various issues and determine who might be receptive to overtures to spy on their behalf.

The Afghan telecommunications sector is likely to be a highly coveted target for foreign intelligence services

CYBER-SAVVY: APT groups are becoming increasingly shrewd at launching attacks through social media, as SideCopy tried to do

Information campaigns to exploit the Western withdrawal

The chaotic final days before the United States left Afghanistan and the Taliban takeover will be a propaganda boon for US adversaries – like China, Iran, Pakistan, and Russia – that they will use in cyber-enabled influence and information campaigns globally. Already, China’s Global Times, a tabloid run by the Chinese Communist Party, ran commentaries in August titled ‘US leaves chaos, destruction in Afghanistan’ and ‘Afghan abandonment a lesson for Taiwan’s DPP [a Taiwanese nationalist party]’. These and other cyber influence and information campaigns seek to raise questions about US power and undercut its claims to protect its supposed allies. While Taiwan is an obvious target for such messaging, Chinese APTs will very likely use similar narratives in the rest of Asia, where the United States is trying to boost its influence and counter China in countries like Thailand and Malaysia.

Similarly, Russia will very likely attempt to use the narrative of Western defeat in Afghanistan to sow divisions in Europe by exploiting pre-existing fissures within NATO and seeking to generate uncertainty about NATO commitments to protect member states, especially those closest to Russia. Such messaging is also likely to target crucial non-NATO members that Russia seeks to keep outside of the bloc, such as Finland, Sweden and Ukraine. Russian APTs will also likely try to use the narrative of Western defeat to undermine France in sub-Saharan Africa, where the two countries are squaring off for influence in the Central African Republic, Mali and elsewhere. Judging from both countries’ past election-related influence and information operations, Russia (and Iran) are even likely to try to exploit the chaotic withdrawal from Afghanistan to sow social discord in the United States ahead of the 2022US midterm elections.

Inside Afghanistan, China, Iran, Pakistan and Russia will all try to shape domestic debate in their own interest through cyber-enabled influence and information campaigns, including posts on social media, misleading or outright false news stories, and fake online accounts or groups emphasising a specific narrative. Even though some of their interests overlap and they will collaborate pragmatically in certain cases, they are by no means perfectly aligned. Instead, they will constantly seek to vie for influence and outflank one another as they compete to shape Afghanistan’s future, with each country having its own potential vulnerabilities that rivals could exploit in messaging campaigns. Hypothetical narratives include exploiting concerns over future Chinese economic exploitation through potential natural resource extraction projects, Iran’s status as a Shiite power – something anathema to many Afghans – Pakistan’s complex and manipulative historic involvement in Afghanistan, and Russia’s invasion of the country during the Soviet era. And while these four countries will drive most of these online influence and information operations, even the Taliban eventually will probably start to partake in such efforts. 

China, Iran, Pakistan and Russia will constantly seek to outflank one another as they compete to shape Afghanistan’s future

SILVER LINING: The chaotic final days before the Taliban takeover will be a propaganda boon for US adversaries

Exploiting digital information to crack down

The former Afghan government left behind significant quantities of valuable digital information and databases that the Taliban is likely to exploit to quash dissent. The United States spent much of its time in Afghanistan trying to boost the strength of the Afghan state and institutions. These efforts included support in building databases, including those for voter registration, managing payrolls and human resources at government agencies and other common administrative tasks. Not only do these databases include valuable information on Afghans generally – especially as some databases have iris, face and other biometric information – but some of them housed information about Afghans who worked with the United States and its allies. It is unclear to what extent those databases were destroyed, secured or encrypted prior to the US exit. While US officials said they secured some of the key databases, at least some information is likely vulnerable and the Taliban can probably still make use of even partial information by cross-checking it against other sources, such as that provided by its robust network of human informants.

The Taliban is likely to use the data against rivals to consolidate control over Afghanistan and probably to help jump-start its own cyber strategy that is likely to involve a heavy-handed crackdown on digital freedoms. The former risk is more acute in 2022, as the Taliban will likely use any exploitable digital information to go after internal critics within their ranks, members of the former government and any sources of social dissent. But if the Taliban remain in power, the group will have access to cyber tools that were simply unavailable during its previous reign in the 1990s, potentially allowing it to shape a more organized and purposeful cyber strategy that would almost certainly focus on enforcing digital control. That said, it will take time for the Taliban to develop those capabilities and the group will likely need to work with foreign governments, potentially even using this as an area of collaboration when trying to win support from countries like China and Russia. Both already employ mass surveillance at home and would likely be sympathetic to Taliban arguments that such systems are needed to stabilise the security situation. 

Taliban Badri 313 unit soldiers walk amid the debris of the CIA base in Deh Sabz district northeast of Kabul, destroyed by US forces before the withdrawal

Leftover equipment, a trove of potential cyber (and other) vulnerabilities

Although most of their critical electronic systems have been destroyed or stripped out, the hasty US withdrawal from Afghanistan resulted in a large amount of US military (and potentially sensitive non military) equipment being left behind that could enable US adversaries to search for valuable intelligence and cyber vulnerabilities if they can acquire the hardware from the Taliban. According to US military officials, the United States left behind 73 aircraft; about 70 mine-resistant, armoured-protective vehicles; 27 Humvees; and the C-RAM air defence system used to protect Hamid Karzai International Airport. Prior to their departure, US personnel demilitarised most of this to prevent the Taliban from using it in combat operations, but foreign countries are likely to try to glean whatever of intelligence value the systems can offer.

With persistence and advanced technical skills, they may still find some vulnerabilities they could exploit in the event of a military conflict with the United States, or even potentially compromise US communications. Electronic and cyberwarfare will be a critical part of any conflict between the United States and China and Russia, making any intelligence or vulnerabilities gathered from left-behind equipment all the more important to those countries. As two ongoing practitioners of economic espionage, both could also use any recovered hardware to improve their respective military-industrial bases. While Iran and Pakistan have fewer resources to uncover potentially useful intelligence or vulnerabilities, they still present a threat, even if only by potentially facilitating Chinese or Russian access to the hardware. And perhaps most concerningly, it would be difficult for the United States even to know if a foreign rival found useful intelligence or a key vulnerability – let alone to patch one – meaning a risk might not be known until exploited in some future conflict.

Matthew Bey is a Stratfor Senior Global Analyst at RANE, Stratfor