Is the Taliban a Cyber Threat to the West?

Taliban Cyber Capabilities

Two decades ago, the U.S. and its allies invaded Afghanistan as retribution for the 9/11 terrorist attacks carried out by the al-Qaeda terror group. The Taliban, who had harbored al-Qaeda in Afghanistan, was forced out of government. Now, 20 years later, the U.S. has left Afghanistan, and the Taliban has returned. U.S. Defense Secretary Lloyd Austin warned this week that the al-Qaeda extremist group may attempt to regenerate in Afghanistan following the botched American withdrawal that allowed the Taliban to regain control of the country.

But the world has changed in the last 20 years. Most notably, technological advances mean that acts of terror no longer need to be kinetic. Cyberattacks against critical infrastructure can potentially do more harm than the 9/11 attacks. While there are uneasy and unofficial norms of acceptable behavior between the West, Russia and China, no such norms apply to the ‘rogue’ states ‒ most notably North Korea and Iran.

And now, perhaps, Afghanistan. We need to consider whether the Taliban is, or will become, a notable cyber threat to the West.

Does the Taliban pose a cyber threat?

The Taliban is not currently a cyber threat. There are two primary reasons. Firstly, aggressive international behavior is not high on its list of priorities. “They must stabilize their own country and establish a level of governance, security and ‘normality’ and consolidate their position as de facto rulers of Afghanistan, albeit through means unpalatable to international observers,” Brian Lord, CEO of cyber security and business intelligence firm Protection Group International (PGI), told SecurityWeek.

This may not be as easy as we believe. Russia tried and failed to control Afghanistan. The U.S. and its allies tried and failed. Why should we assume that the Taliban will automatically be successful? “In a few weeks, we will see how the power struggle that will erupt between stronger tribal leaders and the Taliban is affecting the country,” commented Dirk Schrader, global VP of security research at New Net Technologies (NNT), now part of Netwrix. “For sure it will be a constant source of unrest in parts of Afghanistan.”

There are areas of the country not under Taliban control, while ISIS ‒ an enemy of the Taliban that has killed both Taliban and al-Qaeda people in Afghanistan ‒ is still able to conduct operations in Kabul. Intelligence firm Flashpoint reported, “The ‘Khorasan’ branch of ISIS [the ‘K’ in ISIS-K] remains very active. It has claimed responsibility for at least 105 military operations inside Afghanistan since May 1, 2021.”

Nevertheless, the Taliban is and will remain the dominant power and ‘government’ within Afghanistan. “It must present,” continued Lord, “a position that is internationally non-threatening, at least until the international attention has tired of wailing and hand wringing about Afghanistan’s fate and has turned its attention to newer problems and challenges. They have waited patiently for 20 years; another few will do no harm. They are there for the long-term.”

Religious backgrounder

The Muslim world primarily comprises 70% Sunnis and 30% Shi’ites. The Shi’ites dominate in Iran, Iraq, Azerbaijan, and the Zaydism sect of Houthis in Yemen, and there is a sizable population in Pakistan. The Taliban is an ultra-conservative Deobandi Sunni sect. It first emerged in 1876 in colonial India with the aim of revitalizing Islam based on strict conformance with Sharia law. From its origins, it has no love for any form of western imperialism. Sunnis and Shi’ites are not natural allies, but recent history has shown they can work together in the face of a perceived common enemy.

The second reason for the lack of any realistic current cyber threat from the Taliban is that the group simply does not have the capability. “Currently,” Evan Kohlmann, CEO at Flashpoint, told SecurityWeek, “the Taliban’s primary existence in cyberspace comprises a few Telegram channels, and a few websites with RSS feeds where they’re putting out their propaganda. As far as we can tell, they are no more sophisticated than that. They’re not sophisticated enough to get into the more aggressive operations that we see from even small rogue states like North Korea.”

The future

Things change. Right now, the Taliban is in a tight spot. It is on the outside looking in. Without access to international banking and confronting the probability of international sanctions, it is faced with an economic crisis. All it can do is look for help and support from other nations in a similar position.

Geopolitical backgrounder

Afghanistan is not without natural resources. It has lithium, necessary for high-tech batteries. It has copper, used in energy production. It has precious gems, which can easily bypass sanctions on the black market. It has borders with three more advanced nations: Iran, China and Pakistan. Pakistan will defer to China in its relationship with Afghanistan, and China will wish to include Afghanistan within its international area of influence. But the Taliban is far closer to Iran in language and culture. The greatest likelihood is that the Taliban will court a relationship with Iran, but with the added probability of Chinese influence.


“The Iranian/Taliban relationship is not good,” comments Kohlmann; “but as far as we can tell right now, the Taliban is going out of its way to meet with Iran and assure the Iranians they will protect the Shi’ites in western Afghanistan from ISIS.” In exchange, Iran could provide support in terms of food, money, weapons and oil. 

Furthermore, Iran’s Islamic Revolutionary Guard Corps (IRGC) has a history of providing cyber expertise, training, and resources to some of the groups it is encouraging, such as the Houthis in Yemen. “It is conceivable that the IRGC will provide expertise and training to the Taliban in both cyber and other areas,” he adds. “I would say that’s where any future Taliban cyber capability will develop from.”

A safe haven

It is also worth noting that Iran has a history of operating its foreign policy through proxies, such as Hezbollah and the Houthis. A cyber-active Taliban might be an attractive possibility, supported by the probability that Afghanistan will become a safe haven for international cyber-criminal groups over the next few years.

Cyber criminals like to operate from locations where they are tolerated by the government; where law enforcement turns a blind eye so long as the focus of the activity is directed elsewhere in the world; where law enforcement has no incentive for international collaboration with other law enforcement agencies; and where there is no existing meaningful legislation such as the Computer Fraud and Abuse Act (CFAA) in the U.S. or the Computer Misuse Act (CMA) in the UK. 

“Afghanistan under the Taliban ticks pretty much all those boxes,” says Lord. “As its infrastructure grows more robust (and China may be instrumental here) it will become a magnet for Organized Crime Groups (OCGs) seeking a safe center of operations from which to conduct what they do with impunity. The ‘safe haven’ will certainly become a characteristic of Afghanistan in the cyber world.”

He does not believe the rest of the world can or will do much to prevent this. “Given we are looking at a few decades of neuralgia about getting national hands trapped in the Afghanistan mangle—the Taliban facilitating online criminality will fall way below the threshold of anything other than some angry voices. And let’s not mistake the Taliban’s ultra-conservative religious demeanor for being averse to such things. They exported opium to the West happily for years – online criminality will be well within tolerance.”


And then there’s China. Lord points out that, within a week of the Taliban regaining power, China has already leant forward to engage with the new government. “China will take the lead in flooding Afghanistan with Chinese technology and telecoms infrastructure under one of their long-term economic arrangements. There is no doubt that Afghanistan will become another piece in the jigsaw of Chinese technology proliferation. The Taliban will accept it out of an economic necessity, and they will, in turn, be able to adopt the type of oppressive international national surveillance techniques and impose the type of technology access control already established in China.”

Misinformation and disinformation

Furthermore, suggests Lord, the West needs to avoid being fooled by the Taliban. “The Taliban will need to control (and confuse) the international narrative. They are good at this. They will hit social media, media channels, and the wider internet with a flood of confusing information, misinformation, disinformation, bluff, double bluff and triple bluff. They will need to do this to create sufficient space to consolidate their position of strength while exercising the type of human rights abuses they are known for.” 

The West, he says, will need to develop the ability to unpick this narrative, to arrive at the truth and provide clarity on what is happening within Afghanistan. “That remains the key for the world to have continued visibility of the Taliban regime. To my mind, large-scale manipulation of information is a ‘cyber threat’ – even if not a ‘cyberattack’.”

With infrastructure provided by China and cyber expertise from the IRGC ‒ not to mention locally operating cyber-criminal gangs that could be hired ‒ added to an inherent animosity toward the West, Afghanistan will have everything necessary to evolve into a new international cyber threat. 

“The parallels to be drawn,” says Schrader, “are those with North Korea and Iran, where access to information, the censored use of the open Internet, the monitoring of communication (if available at all) is part of the daily life.”

The future has a history of confounding predictions. But while the Taliban provides no immediate cybersecurity threat, there is ample potential for it to develop into a major threat on a par with North Korea over the next three to five years.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
