Western Countries | Understanding pro-IS hacking capabilities

Until recently, these pro-IS hackers and associated groups largely engaged in crude acts of hacking and defacement. The distribution of ‘kill lists’ of people, apparently taken from leaked data, marked a more intimidating tactical shift.

Despite the apparently limited capabilities on display in these attacks, this activity has still contributed to concerns for Western governments over what the head of MI6 has described as a ‘technology arms race’ with ‘terrorists, malicious actors in cyberspace and criminals’.

The emergence of pro-IS cyber groups

Pro-IS hacking groups have existed in some capacity since at least 2014, but their activities became more prominent in 2015 when a group calling itself ‘Cyber Caliphate’ began claiming hacks on Western government websites, and distributing propaganda videos including ‘kill lists’ and threats.

In January 2015, Cyber Caliphate claimed to have hacked the Twitter account of US Central Command. There are no indications that the group breached US government servers despite claiming to have done so. The group rebranded at least four times between January 2015 and April 2016, and claimed more than 60 cyber attacks in the eight months before the formation of the newest pro-IS hacking group, the United Cyber Caliphate (UCC), in April.

The pro-IS hacking groups have tended to fabricate and exaggerate their claimed attacks. In February, a group called ‘Ghost Caliphate’ claimed to have successfully hacked and defaced Google. In fact, they had defaced the website of a small business based in India called ‘Add Google Online’.

The United Cyber Caliphate

Since the formation of UCC, the group has claimed responsibility for at least 45 cyber attacks, mostly aimed at Western governments and businesses. Despite the abundance of claimed attacks, most of them are of limited impact. These have ranged from hacking social media profiles and defacing poorly-secured small business websites to releasing people’s personal information in ‘kill lists’ online.

There does not appear to be any consistency in the group's attack targets. It has defaced the websites of small businesses globally, including a tyre and wheel retailer, a catering company, and a natural herbalist website, among many others. A unifying factor seems to be that the websites are poorly secured and so easy to breach.

The ‘kill lists’

UCC’s activities have gained widespread media coverage despite their crudeness, particularly since it began releasing ‘kill lists’. Since April, the group has released at least 31 separate such lists collectively containing the names and personal information of more than 50,000 people.

Almost half of these were civilians in Western countries, while the majority have been Western military and government employees. Data releases in the form of ‘kill lists’ have accounted for 53% of pro-IS hackers’ cyber activity in 2016. In all cases, the data that was ‘leaked’ by the group was either already publicly-available information that could easily be found online, or information previously leaked online by various other means.

In releasing such lists, UCC has plainly attempted to spread fear by building upon repeated IS calls on followers to mount attacks in the West by any available means. But there is little evidence that these lists were anything more than low-cost high-payoff attempts to create public fear, publicity and disruption, rather than genuine threats. Following data leaks in April and May containing the names and personal information of thousands of New York and Texas residents, police were reportedly tasked with informing all of those named.

A recent ‘kill list’ posted on 12 August by UCC that Risk Advisory has seen contained the names and personal information of 1,835 US military personnel. UCC also shared seven documents purportedly taken from the Democratic National Committee (DNC) servers. Three of the documents contain the names and personal information of campaign donors and the ‘friends of Hillary Rodham Clinton’. Many of the people listed have email domains associated with major Western businesses.

More recently, a much larger release on 11 September by a UCC subsidiary called Caliphate Cyber Army contained the names and personal information of 22,000 US-based real estate workers along with the message ‘we want them dead slay them anywhere [sic]’.

UCC links to IS


Image: Screenshot from UCC's Telegram channel taken in June 2016.

How far pro-IS hacking activities have any direct connection to IS and its leadership in Syria and Iraq is not clear. The propaganda and statements that such groups have released suggest that there are few, if any, formal ties. It currently appears that groups such as the UCC are simply supporters of IS, and have no direct connection to the group.

The propaganda released by these hacking groups has never been disseminated through typical IS media channels, and their videos and images consist mostly of repurposed footage from television news reports, video games, and Hollywood movies.

IS has also outwardly attempted to distance itself from uncontrolled and ostensibly pro-IS messaging. An administrator on the pro-IS dark-web forum, Shumukh Al-Islam, warned in May that IS is ‘not represented by anyone on social networks except the official media institutions’.

All the lists that we have acquired are available for SIAS clients here.

Author: Risk Advisory's Security Intelligence & Analysis Service
Published: 26th September 2016