Unconventional Attack Methodologies

CBRN. Drones. Cyber.

Recent terrorist attacks in the UK have involved a range of methodologies. Whilst the UK is yet to directly experience a terrorist attack incorporating CBRN, drones or destructive cyber activity, many aspects continue to be promoted in extremist media or witnessed overseas.


A terrorist attack involving chemical or biological means is increasing in probability in the UK.
Despite there being no such attacks using CBRN material in Europe or the West over the past 12 months, the disrupted hydrogen sulphide (H2S) plot in Australia in 2017 demonstrates enduring intent for such attacks to take place. Islamist extremists are most likely to employ this methodology. There has not been any public indication in the UK of XRW or Northern Ireland related groups having the intention to utilise them in attacks. The topic continues to feature heavily in Islamist extremist media, providing simple, easy to follow instructions allowing extremists to construct devices with little or no previous training. With this high level of intent and instructions and material being readily available, the probability of such an attack now taking place is inevitable.
In the UK, there have been no public reports of disrupted terrorist plots involving chemical weapons (CW). The most likely CWs to be employed in the UK are either toxic industrial chemicals, which can be legitimately obtained, or H2S, the manufacturing instructions of which are readily available online. Pool Re has previously highlighted how vulnerable aviation, in particular, is to this form of attack. That threat was made explicit with the Australian and American Governments applying restrictions to quantities of powder being taken into aircraft cabins in July 2018. That change in security posture is a likely reaction to the CW nature of the disrupted Australia plot last year. Additionally, Public Health England and the emergency services have implemented the ‘remove, remove, remove’ advice campaign, offering guidance for members of the public in how to react to chemical incidents.
Andrew Donaldson's profile picture
Andrew Donaldson
Deputy Head of Risk Analysis
Pool RE
Online instructions and incitement for biological attacks are also persistent. This manifested in at least two disrupted plots in Europe, one in France and one in Germany, where Islamist extremists were in the planning stages of deploying ricin as a weapon. Whilst the intended targets of the attacks are undisclosed, it is likely they would have targeted crowded places. Despite the two plots being at different stages of maturity, the incidents illustrate the continuing intent of Islamist extremists to conduct attacks using biotoxins. The arrest in Germany also demonstrates the relative ease of manufacturing ricin. Whilst other means of biological attack remain possible, such as the weaponisation of pathogens, the most likely attack method in the UK currently appears to be the use of ricin.
The use of radiological and nuclear material in an attack remains possible but highly unlikely. The level of security around such material in the UK remains extremely high, which reduces opportunity for extremists to acquire it. Additionally, the expertise required for making such devices is limited and instruction, incitement and encouragement for lower complexity attacks remain more common across extremist media.
The topic continues to feature heavily in Islamist extremist media, providing simple, easy to follow instructions allowing extremists to construct devices with little or no previous training.
Quote style


Ricin is a poison found naturally in castor beans which looks like a white powder when extracted. It has been cited as a viable method of attack in several extremist publications with instructions and online recipes.
Only a small amount of castor beans can produce a lethal dose, but it is dependent on the purity of the ricin made, its form and the pathway to poisoning.

Hydrogen sulphide (H2S)

Hydrogen sulphide (H2S) is a colourless, flammable and extremely toxic gas. Encouragement and instructions in the use of H2S have been circulated online by Islamist extremists. It may prove to be a relatively low complex CBRN attack method by extremists in the UK.

Unmanned Aerial Vehicles (Drones)

New legislation came into effect in the UK on 30 July 2018, imposing further restrictions on the use of drones by the public. It is now illegal to fly above 400 ft or within one kilometre of airport boundaries, to protect infrastructure and aircraft from airprox incidents, 67 of which have already taken place in 20181. In 2019, drones weighing 250g or more will need to be registered with the Civil Aviation Authority. Whilst it is clear the Government has concerns about the potential malicious use of drones, the legislation does not change the likelihood of their use in a terrorist attack. It is more difficult to mitigate against airborne threats than terrestrial ones, but mitigation measures must be proportionate to the threat. Daesh and other extremists’ use of drones in theatre is well documented but they have yet to feature in attack plans within the UK.
The vulnerability of airspace and the opportunity it provides to expand targets for an attack is increasingly recognised. Airborne threats are not exclusive to terrorism: in July 2018, Greenpeace activists flew a drone shaped as Superman into the Bugey nuclear plant in Lyon, France, and during President Trump’s visit to Scotland in July 2018, a protester paraglided into restricted airspace over his golf course. The incident in Venezuela in August 2018 reportedly involving two explosives-laden drones has brought the threat of the technology back to the forefront of security discussions.
Camilla Scrimgeour's profile picture
Camilla Scrimgeour
Senior Analyst
Pool RE
The effectiveness of a drone as a weapon depends largely on the payload it carries. The most plausible use of a drone in a UK attack would be as a delivery mechanism of an IED. Whilst the drones involved in the August 2018 incident in Venezuela are easily acquired, they reportedly each carried one kilogram of military-grade C4 explosives. It is very difficult to acquire C4 explosives in the UK. A viable alternative would be the use of TATP, as seen in previous UK attacks, however the volatility of it may make it unsuitable for transportation by drone. Furthermore, the risks involved in making an explosive device may incentivise UK terrorists to utilise more conventional delivery mechanisms.
Pool Re highlighted in its Terrorism Threat & Mitigation Report January-July 2017 that regulation is only effective if adhered to or enforced. The new legislation is unlikely to prevent a terrorist from using a drone in an attack, and is more likely to deal with nuisance use of drones rather than terrorism.
Whilst it is clear the Government has concerns about the potential malicious use of drones, legislation does not change the likelihood of their use in a terrorist attack.
Quote style
The Drone code graphic

Assessing the threat of cyber terrorism

The cyber threat is growing and changing at pace. Hostile nation states are increasingly assertive in how they exploit cyber, whether by looking to influence the democratic process for malign ends, stealing intellectual property or other secrets, preparing for and conducting destructive cyber attacks on critical infrastructure, or simply taking money. Cyber criminals are becoming more aggressive and adopting more effective tradecraft, while malware and cyber attack as a service are becoming increasingly accessible on the dark web.
Terrorists are yet to use cyber for significant destructive effect, having low cyber capability and continuing to prioritise physical attacks. But the growing availability of cyber attack tools, and the continuing high global threat from terrorism, makes it essential to get as good a picture as possible of terrorist groups’ capability and intent in this area.
This is not easy. While there may be a lot of noise from extremists on line, it is not easy to disentangle the truth about their capabilities and intent from disinformation or fantasy.
We are focusing on the possibility of terrorists using cyber attack for disruptive or destructive purposes and, in particular, in the case of Pool Re’s cover, for attacks that directly cause physical destruction to property. We know that terrorist groups are highly skilled at using the internet for slick on-line propaganda, for communicating with one another and delivering command and control in a highly secure way, for information gathering on potential targets, and publishing personal details of individuals they cite as potential targets. There are also examples of terrorists and extremists defacing web sites. But while this could be described as terrorist use of cyber, it is not really cyber terrorism.
Conrad Prince's profile picture
Conrad Prince CB
Senior Cyber Terrorism Advisor to Pool Re
About the author
So far, we have not seen examples of terrorists or extremists using cyber to launch disruptive or destructive attacks. However, the intent to do so has been expressed, and there has been at least one case of an insider threat with the potential to enable or launch a cyber attack (an individual working at Heathrow who was ultimately convicted of terrorist offences).
Today, the kind of sophisticated high-end destructive cyber attacks that feature in movies, and increasingly in real life, generally need the capabilities and resources only possessed by the top tier of cyber nation states. Disrupting an air traffic control system or causing the industrial control systems in a power station to malfunction needs dozens of experts to plan and prepare, and the technical ability to achieve deep penetration of complex target IT networks for a prolonged period without detection. Such operations can take months of intensive effort to develop and execute.
But this may not always be the case. Increasingly capable cyber tools are becoming available for anyone to acquire on the dark web. And we have seen how ransomware and related attacks can have a significant global disruptive effect, impacting on networks and systems well beyond the original intended targets.
Pool Re is working with experts, including the Cambridge Centre for Risk Studies and relevant Government agencies, to track and assess the cyber terrorism threat and to gather available data on potentially relevant terrorist activity which might indicate an increase in the capability or intent to use cyber for destructive purposes
There is a growing availability of offensive cyber tools on the dark web. As the ability to deliver more complex and higher impact attacks becomes commoditised, there is no reason why terrorist groups could not purchase these capabilities or services in the same way as criminal group do. There is also the ongoing potential for offensive capabilities developed by nation states to be released unauthorised into the wild, whether deliberately or just as a result of human error. Anything that makes it easier for small determined groups to access capabilities developed by others and which are relatively easy to deploy against a desired class of target will increase the risk of successful destructive terrorist cyber attack.
We should also look for evidence of terrorist and extremist groups moving up the capability scale in their use of cyber. At the moment there is little evidence of such groups doing anything more destructive than defacing websites. But there is no reason why terrorists could not use widely-available ransomware tools just as criminals and nation states do, whether to extort money or simply to create as much havoc as possible. Were terrorists to start down this path, it might indicate a willingness to move up the cyber capability chain in a way that could ultimately lead them to destructive attack.
Also relevant would be extremist leaders advocating or endorsing the use of cyber for destructive purposes. Or an increased focus on cyber attack in on-line extremist media. These endorsements can be important in influencing behaviour.
We know Daesh and other extremist groups have counted IT experts amongst their ranks, but often such people have been used as rank and file operatives, irrespective of those skills, rather than focused on IT-dependent operations. So any indications of terrorist groups deliberately seeking to recruit IT experts, and using their expertise in some coherent way, would be significant. A well placed insider could also be a game changer.
Finally, we should look for other ways that terrorist groups might look to compensate for lack of expertise or capability. One might be to link up with a competent cyber criminal group. Even more concerning would be if a terrorist group were to ally itself to a hostile nation state with an offensive cyber capability, then the cyber terrorism threat could increase significantly.
As in all cases where cyber attack for destructive effect is considered as a possibility, it’s important to ask basic questions, like would it not be simpler just to use a bomb? Often the answer will be yes. And for terrorists in particular physical attack continues to be the method of choice, for various reasons. But we cannot bury our heads in the sand. Cyber is becoming an increasingly attractive and viable attack tool, and can potentially reach places much harder to hit today through conventional attack. That’s why Pool Re is working with UK academic and Government experts to develop a coherent approach to assessing the changing nature of the cyber terrorism threat. The results could give us a critical insight into the future shape of this threat.
Pool Re is working with experts to track and assess the cyber terrorism threat and to gather available data on potentially relevant terrorist activity which might indicate an increase in the capability or intent to use cyber for destructive purposes.
Quote style
iPad beside sink graphic

The internet of things: A sting in the tail?

There could be 20 billion internet connected devices worldwide by 2020. There’s an inexorable drive to connect everyday devices, and a major shift to new internet-connected capabilities in critical industries like health care, energy, banking and manufacturing. The benefits are obvious but the risks are significant.
  • There’s a huge increase in opportunities for hackers to find a weak point on a network and use that to conduct a wider attack. IoT compromise could enable anything from covert surveillance of a home or office, to disabling building security systems, or disrupting safety devices. And attackers can hijack multiple IoT devices to overwhelm internet connected systems and prevent them from functioning.
  • The security in IoT devices is crucial, but for cost reasons manufacturers are often not building in the security we need. The Government’s IoT ‘secure by design’ strategy aims to persuade manufacturers to address this. But it’s a voluntary approach and the challenge is how to ensure take up.
  • Underpinning all this is the infrastructure of the internet – fibre optic cables, routers, and the mobile network, where 5G is set to be a key enabler of the IoT. Chinese firms are increasingly dominant providers of internet infrastructure, with an aggressive state-backed exports strategy combined with world-beating pricing.
  • The country that ‘owns’ the internet infrastructure can affect its availability, or exploit its potential to be used as a global surveillance system. And serious doubts are being raised about the security of Chinese-provided infrastructure.
  • Poor IoT security creates new opportunities for terrorists, through better intelligence gathering to help conduct attacks, or by making it easier to launch cyber attack, maybe by using poorly-secured IoT devices to conduct major denial of service against critical infrastructure.
The IoT revolution may have a sting in the tail. And the ways of mitigating it seem worryingly limited.
internet connected devices worldwide by 2020.