Islamic State Hacking Division
“Although America increased its internet security, we today have information on its soldiers. We are the hackers of the Islamic State and we do not turn our backs on oppression. Today the electronic fields witness our victory and soon you won’t have any control over the internet.”
Over the past year, Islamic State (ISIS) and pro-ISIS hackers, as well as hackers claiming to be associated with or operating in the name of ISIS, have been conducting cyber attacks throughout the world. The targets have included media outlets, government agencies, universities, NGOs, and businesses, from the very large to the very small.
During this time, there has also been a debate regarding ISIS cyber capabilities, about whether it seeks to wage cyber jihad against the West, and about the hacking capabilities of its members and online supporters. While some cyber security analysts have attempted to downplay the significance of these attacks by ISIS and pro-ISIS elements, and by others claiming an ISIS affiliation, the issue of cyber-attacks by ISIS elements is being taken very seriously by governments and law enforcement.
The FBI warned in a Public Service Announcement titled “ISIL Defacements Exploiting WordPress Vulnerabilities” on April 7, 2015, that “[c]ontinuous Web site defacements are being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL), a.k.a. Islamic State of Iraq and Al-Sham (ISIS). The defacements have affected Web site operations and the communication platforms of news organizations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international Web sites. Although the defacements demonstrate low-level hacking sophistication, they are disruptive and often costly in terms of lost business revenue and expenditures on technical services to repair infected computer systems.”
FBI Director James Comey added, at the Cybersecurity Law Institute at Georgetown University on May 20, that ISIS was “waking up” to the idea of initiating a cyber-attack against critical U.S. infrastructure with sophisticated malware. “Logic tells me it’s coming,” Comey said, adding that ISIS is “looking into” whether it would be capable of pulling off such attacks. Over the last two years, he said, there has been more attention paid to potential cyber-attacks against the U.S., and although he hasn’t seen them yet, “it just makes too much sense” that destructive malware would end up in the hands of terrorists. “Destructive malware is a bomb, and terrorists want bombs.” He added that while it may be difficult for a terrorist to physically enter the U.S., they can do so online in an instant.
Announcement of one of the first hacks following the declaration of the Islamic State: “#Iraq #Iran #Syria The cyber mujahideen of the Islamic Caliphate have hacked the Iranian website iranefardamag.com” Source: ISIS Urdu Twitter account, July 5, 2014; see also MEMRI JTTM report Al-Baghdadi-Led Islamic State (IS) Tweets In Urdu For Audiences In Pakistan And India, July 15, 2014.
In the most recent significant hack, on August 11, 2015, the Islamic State Hacker Division (ISHD) released what it claimed was a large collection of names, emails and other sensitive information belonging to U.S. military and government personnel. Earlier this year, in March, the same group had “doxxed” 100 U.S. military personnel, and, in May 2015, Italian military personnel – tweeting “hit lists” of them that included personal addresses, phone numbers, and photos. By posting such information about U.S. military personnel and their families, as well as about other Western military officials and families, ISIS and pro-ISIS hackers are facilitating – or are even encouraging and urging – lone wolf attacks on these individuals.
Specific examples of targets of ISIS and pro-ISIS hacks in the U.S. and other countries have included: military forces and bodies as well as Western government entities; major media such as France’s TV5Monde and other French entities, including military bodies; nonprofits such as U.S. military spouse organizations; the Chilean Defense Ministry; educational organizations such as University of New Brunswick, Canada; transportation hubs, such as Hobart International Airport in Australia; municipal and county government, such as Richland County, Wisconsin; Middle East media, such as MBC Arabic TV; the UAE’s Al-Ittihad daily; and Egypt’s popular Nugoum radio station, in addition to various U.S., British, Indian, Israeli, Dutch, Egyptian and Russian websites.
Pro-ISIS hackers have targeted the U.S. military multiple times for the purpose of data theft and doxxing. Additionally, these hackers have taken control of Facebook and Twitter pages; stolen credit card information from the U.S. and other “infidel” countries; hacked Western celebrities’ cellphones; exploited vulnerabilities in a WordPress plugin used by hundreds of sites; stolen data from armed forces personnel after gaining access to Facebook accounts; and threatened members of various militaries and even celebrities.
Pro-ISIS hacktivists have built their own networks, especially on Twitter, to support each other. For example, on August 13, 2015, two days after the Islamic State Hacker Division's August 11 claim that it had hacked U.S. military databases, a Twitter account offered to help pro-ISIS and jihadi elements create their own Twitter accounts to help spread the data that was obtained in the hack. This is a common occurrence; when one Twitter account is suspended, others quickly move in to take over and continue to spread the information. The tweet stated: “We repeat for the millionth time that we are ready to provide accounts for the army of [jihad] supporters [on Twitter]. Al-Fateh [security software used by online jihadis to conceal their locations] is now taking a toll on Twitter. Get an account and spit on Jack [Dorsey, Twitter cofounder]. FYI Al-Fateh program [can be downloaded at (link provided)].”
Many cyber attacks by pro-ISIS hacking elements are aimed at obtaining and distributing data from American bank accounts and credit card accounts. For example, on January 30, 2015, an alleged Tunisian hacker announced that he had pledged allegiance to ISIS leader Abu Bakr Al-Baghdadi, and that he had hacked over 200 credit card accounts, both American accounts and accounts from other “infidel” countries, in response to the anti-ISIS coalition campaign in Syria and Iraq.
Another significant aim of the cyber activity of ISIS and its online supporters and followers is to actively go after the group’s main opponents, including the Al-Raqqa-based anti-ISIS media collective Raqqa Is Being Slaughtered Silently, which exposes ISIS atrocities via Facebook and Twitter; the Syrian Observatory for Human Rights, which documents the human rights situation in Syria and reports violations; the U.S. military; and influential sheikhs and others who have taken a stand against the group. One of the aims of ISIS’s attacks on these groups and individuals is to obtain personal information about them and their families, so that they can be targeted on the ground – as were two Raqqa Is Being Slaughtered Silently activists, executed in July 2015.
Some of the hackers who appear to be pro-ISIS may have no actual affiliation with the group, even though they use pro-ISIS content and symbols in their defacement messages – whether to create havoc and confusion, or as a “false flag” for other reasons. Nevertheless, their actions contribute to ISIS’s cyber-jihad reputation, which continues to grow, and all these entities are investing and advancing in their capability, some under direct control of ISIS and others by means of their legion of online followers, creating a dangerous mix.
Highlighting this is the case of the extensive April 2015 hack of France’s TV5Monde, which made international headlines and for which the CyberCaliphate claimed responsibility. Although the State Department concluded that the CyberCaliphate TV5Monde hack may not have been connected to or endorsed by ISIS, and that it may have been the work of the Russian hacking group APT28, ISIS has gained from the publicity that such hacking attacks generate. These attacks also help promote ISIS by making its cyber capabilities look more impressive than they actually may be.
Message to America – From the land to the digital world
On May 11, 2015, a group of pro-Islamic State (ISIS) hackers published a 3:30-minute video, in Arabic with English subtitles, threatening the U.S. and Europe with an imminent cyberattack. The video, titled “Message to America from the Virtual World,” was distributed via Twitter by a pro-ISIS account (@is_caliphate_n). The tweet also promoted a hashtag campaign in English and Arabic, including #HelloftheAmericansystem and #هكر_رابطة_الأنصار (“Ansar hacker group”), along with a banner.