Page 118 - Cyber Terrorism and Extremism as Threat to Critical Infrastructure Protection

SECTION II:  CYBER TERRORISM AND SECURITY IMPLICATION FOR CRITICAL INFRASTRUCTURE PROTECTION

        ment agencies, critical infrastructure etc.), acquisition of the necessary IT infrastructure that
        ensures the anonymity of the attacker (usually located in third states), tactics for malicious
        software implementation (fake e-mail, weblinks, an “infected” device, etc.), infection of the
        target’s ICT system and activation of malicious software in order to steal confidential data
        from the target, disable its activities, or harm the system. Due to their complexity and
        costliness, it is reasonable to suspect that individual states sponsor APT attacks. The attacks have
        targeted mainly protected communications and information systems of state institutions of
        NATO and the EU members, aimed at collecting intelligence on their diplomatic, military and
        economic activities. Some of these hacker APT groups are Turla and APT28/Sofacy which
        have been attacking protected communications and information systems of the members of
        NATO and the EU for years” (2018: p 26). It should be noted further that in 2019 there were
        1129 identified or reported cases of cyber-attacks in Croatia, which is a surge of 65%, mostly
        phishing, phishing URL and web defacement, and prevention of the spread of MikroTik
        (malicious cryptocurrency mining software) and a fake password store page (Ivezić, 2020). With
        regard to critical infrastructure, attacks were noted on banks, schools and other educational
        institutions, the Croatian Post (Ivezić, 2020), and INA (the Croatian Oil industry), which has
        been attacked by a ransomware infection (INA.hr, 2020).

        It is challenging to detect the proportion of cyberterrorism within the entire spectrum of
        cyber threats and terrorism. This is the main reason why we take several different perspectives
        into account. ENISA states that just as European countries have raised their efforts to fight
        terrorism in recent years, they have also done the same in the field of cyberterrorism. Still,
        terrorism is much easier to detect than cyberterrorism. A great deal of cyberterrorism
        is camouflaged behind other cyber threats, as noted in previous paragraphs, and it may seem
        more benign than it is, as was revealed when explaining spearphishing and unintentionally
        compromised insiders. For this reason we can separate cyber threat agent groups into
        insiders, hacktivists (protesting political/geopolitical decisions affecting national/international
        matters), script-kiddies, and cyber-criminals, -spies, -offenders and -terrorists (ENISA, 2019:
        p 119). Europol highlights the convergence of cyber and terrorism, noting that “[t]here
        has been much concern and speculation over the past few years that terrorists could turn to
        launching cyber-attacks against critical infrastructure. However, while the so-called Islamic
        State (IS) online propaganda appears technologically advanced and their hackers may be well
        versed in encrypted communication tools, their cyber-attack tools and techniques remain
        rudimentary” (2019: p 20). In its reports, Europol does not note potential cyber activities of the
        countries which could be connected via analytical methods with cyberterrorism.

        The most common differentiation between cyber-crime and cyberterrorism is the connection
        of cyberterrorism with the nation-state. Countries are increasingly beginning to understand
        that they cannot fight cyberterrorism alone, as the cyber-sphere has no borders.
        Cyberterrorists use legitimate services, mostly social media, to spread propaganda and hysteria via
        online trolling, bots, fake news, abuse of search engine algorithms and so on to recruit and
        to raise funds so that they can attack critical infrastructure under the guise of cyber-criminals
        (banks) and hacktivists (industries). The already-mentioned Cambridge Analytica-Facebook
        incident is a case of a misinformation/disinformation campaign which impacted the UK
        referendum on EU membership, as the data of 2.7 million EU users of Facebook were used
        to micro-target and mobilize voters via propaganda and fake news (ENISA, 2019: p 127).
        Cambridge Analytica was employed by the official Leave.EU referendum campaign, which
        is being investigated for its Russian-backed financing (Wright, 2018; Kirkpatrick, Rosenberg,


