Hacking for ISIS: the Emergent Cyber Threat Landscape

Hacking for ISIS: The Emergent Cyber Threat Landscape

By Laith Alkhouri, Alex Kassirer, & Allison Nixon

April 2016 Hacking For ISIS

Contents Click on a title to navigate to the page

Introduction ...... 2 Cyber Caliphate ...... 3 Islamic State Hacking Division ...... 6 Islamic Cyber Army ...... 9 Rabitat Al-Ansar ...... 12 Sons Caliphate Army ...... 15 United Cyber Caliphate ...... 17 Techniques, Tactics, & Procedures (TTPs) ...... 20 The Future of ISIS’s Cyber Capabilities ...... 24 Conclusion ...... 25 Hacking For ISIS

Introduction

s the Islamic State (ISIS) has grown neither advanced nor do they over the past two years, so too has demonstrate sophisticated targeting; A its media machine, global support, however, the severity of cyber attacks and online channels. This unprecedented supporting ISIS will likely not remain at this expansion has now come to include level of relative unsophistication. capabilities to inflict damage over the Internet, which came to light when its For the vast majority of its existence, the supporters began coordinating and pro-ISIS hacking landscape was organizing cyber attacks on Western composed of at least five distinct targets. Highlighting this newfound desire groups that launched campaigns in to cause virtual harm was the brief 2014 support of the terror group. Although takeover of Twitter accounts run by US operating under different appellations for CENTCOM and Newsweek. nearly a year and a half, there was evidence that these groups, and the individuals who In the wake of the aforementioned Twitter constitute them, overlapped or coordinated takeover, which was claimed by an with one another in certain campaigns, ISIS-supportive hacking collective called pooling their resources and manpower. the “Cyber Caliphate,” two implications This culminated in the April 4, 2016, that would prove to further change an announcement of a “United Cyber already evolving jihadi landscape unfolded. Caliphate” following the formal merger Firstly, the hacking attacks launched in of several groups. However, as these support of ISIS generated global groups have operated as individual entities attention and afforded ISIS increased for the majority of their existence, this publicity. Secondly, like-minded individuals paper will reflect that history, first exploring and groups found new ways to target the most prominent actors on an individual Western interests. As such, new basis, followed by a look into the nascent concerns regarding ISIS’s cyber “United Cyber Caliphate” collective. capabilities emerged. Regarding this coordination, however, it is At the center of the conversation has been important to note that because the whether ISIS’s cyber prowess is a real pro-ISIS hacking effort is still an unofficial threat or exaggerated. Given the attacks endeavor, neither acknowledged nor that resulted in the CENTCOM and claimed by ISIS itself, it is still poorly Newsweek Twitter accounts being organized (and likely under-resourced), compromised, it appears that ISIS’s which often leads to conflicting messaging supporters maintain somewhat of an among the relevant actors. This existing coordinated cyber campaign that inconsistency is best illustrated by the way aims at launching attacks on targets of these groups identify themselves in claims opportunity, typically those that are of credit, a trend that this paper will explore considered low-hanging fruit. Nonetheless, in more detail. the group's overall capabilities are

2 Hacking For ISIS

Spearheaded by a Lone ISIS Fighter Obtaining Sensitive Documents

Efforts to launch, grow, and improve the The data provided by the hackers on the “Cyber Caliphate” brand, and thus the ISIS potential compromise of a Fusion Center community’s cyber reputation, were led by demonstrate that the actors had access to a British actor named Junaid Hussain some number of "UNCLASSIFIED//FOR (a.k.a. Abu Hussain Al Britani). Formerly OFFICIAL USE ONLY" and "LAW “TriCk” of TeaMp0isoN fame, Hussain fled ENFORCEMENT SENSITIVE" products as the UK to join ISIS in 2013, after serving a recently as November 26, 2014. It is prison sentence for hacking Tony Blair. possible that this data was stolen from Armed with the technical knowledge and associated email addresses receiving law relevant experience, Hussain utilized his enforcement bulletins. position as a member of ISIS to recruit hackers and cultivate his “Cyber Data thus far provided, however, is not Caliphate,” all while on the ground in ISIS’s sufficient enough to establish the full self-proclaimed capital, Raqqa. compromise of the Fusion Center. Hussain’s Legacy Continues Despite his background, the hacking Nonetheless, this group demonstrated at collective supporting ISIS under Hussain’s least a basic level of credibility and Further exemplifying Hussain’s legacy is direction―until he was killed in an August capability, proving to have the capacity to his wife, Sally Jones (aka Umm Hussain 2015 drone strike in Raqqa―was still launch follow-on attacks against the same Britaniya). Attempting to carry on her late unsophisticated and less productive than or similar organizations weeks after the husband’s mission, she maintains a prolific what might be expected of an effort led by original compromise. and violent social media presence; for a former Western hacking group leader. instance, she released, “the address & This is in part due to Hussain’s inability to details of US Military target no.2 also one provide the ISIS cyber community with a Post-Junaid Hussain of America's most decorated soldiers,” network of other hackers; Hussain’s prior Sgt. 1st Class Dillard Johnson on October contacts largely were unsympathetic to his Although Junaid Hussain was targeted and 8, 2015. Making very clear why she Cyber Caliphate increasingly radical ideology, leading to the killed in an August 2015 drone strike, released the information, Britaniya dissolution of his “hacking rolodex.” temporarily slowing ISIS supportive proclaimed, “Once again I leave these hacking activities, the group’s notoriety is details online to cause havoc in his life & (Caliphate Cyber Army CCA) something future jihadists will likely for my brothers and Al-Qaeda in the U.S to capitalize on to launch further cyber eventually hunt him down & kill him.” The first of the pro-ISIS hacking groups emerged after ISIS attacks. declared its Caliphate in the summer of 2014. In addition to the Proving this desire to carry on without its aforementioned hijacking of Newsweek and CENTCOM’s Twitter former leader, it is now evident that the accounts, the group identifying itself as the “Cyber Caliphate” group replaced Hussain with claimed credit for a string of attacks that generated global British-educated businessman and publicity. On January 6, 2015, for instance, the group launched computer expert, Siful Haque Sujan, a cyber attacks on a number of US targets, including the city of 31-year-old Bangladeshi whose role was Albuquerque, New Mexico; the Facebook and Twitter profiles for brought to light after he too was targeted the Albuquerque Journal; WBOC News (which serves the Delmarva and killed in an American drone strike in Peninsula in Delaware, Maryland, and Virginia); and a Fusion Center Raqqa, Syria, on December 10, 2015. in Tennessee, although that allegation was not fully substantiated. Photo: Junaid Hussain (a.k.a. Abu Hussain Al Britaini)

3 4 Hacking For ISIS

Spearheaded by a Lone ISIS Fighter Obtaining Sensitive Documents

Efforts to launch, grow, and improve the The data provided by the hackers on the “Cyber Caliphate” brand, and thus the ISIS potential compromise of a Fusion Center community’s cyber reputation, were led by demonstrate that the actors had access to a British actor named Junaid Hussain some number of "UNCLASSIFIED//FOR (a.k.a. Abu Hussain Al Britani). Formerly OFFICIAL USE ONLY" and "LAW “TriCk” of TeaMp0isoN fame, Hussain fled ENFORCEMENT SENSITIVE" products as the UK to join ISIS in 2013, after serving a recently as November 26, 2014. It is prison sentence for hacking Tony Blair. possible that this data was stolen from Armed with the technical knowledge and associated email addresses receiving law relevant experience, Hussain utilized his enforcement bulletins. position as a member of ISIS to recruit hackers and cultivate his “Cyber Data thus far provided, however, is not Caliphate,” all while on the ground in ISIS’s sufficient enough to establish the full self-proclaimed capital, Raqqa. compromise of the Fusion Center. Hussain’s Legacy Continues Despite his background, the hacking Nonetheless, this group demonstrated at collective supporting ISIS under Hussain’s least a basic level of credibility and Further exemplifying Hussain’s legacy is direction―until he was killed in an August capability, proving to have the capacity to his wife, Sally Jones (aka Umm Hussain 2015 drone strike in Raqqa―was still launch follow-on attacks against the same Britaniya). Attempting to carry on her late unsophisticated and less productive than or similar organizations weeks after the husband’s mission, she maintains a prolific what might be expected of an effort led by original compromise. and violent social media presence; for a former Western hacking group leader. instance, she released, “the address & This is in part due to Hussain’s inability to details of US Military target no.2 also one provide the ISIS cyber community with a Post-Junaid Hussain of America's most decorated soldiers,” network of other hackers; Hussain’s prior Sgt. 1st Class Dillard Johnson on October contacts largely were unsympathetic to his Although Junaid Hussain was targeted and 8, 2015. Making very clear why she increasingly radical ideology, leading to the killed in an August 2015 drone strike, released the information, Britaniya dissolution of his “hacking rolodex.” temporarily slowing ISIS supportive proclaimed, “Once again I leave these hacking activities, the group’s notoriety is details online to cause havoc in his life & something future jihadists will likely for my brothers and Al-Qaeda in the U.S to capitalize on to launch further cyber eventually hunt him down & kill him.” attacks.

Proving this desire to carry on without its former leader, it is now evident that the group replaced Hussain with British-educated businessman and computer expert, Siful Haque Sujan, a 31-year-old Bangladeshi whose role was brought to light after he too was targeted and killed in an American drone strike in Raqqa, Syria, on December 10, 2015.

5 Hacking For ISIS

Connection to External Talent and waiting.” The message also specified the Inconsistent Branding Cyber Caliphate Leader target as the “United Sates Government and Military – The Head of the Crusader The still nascent and unofficial nature of On October 15, 2015, federal prosecutors Coalition.” the ISIS cyber landscape has created unsealed a criminal complaint charging The August 11 dump included the names, inconsistent, and often conflicting, Kosovo citizen Ardit Ferizi, aka messaging. One of the primary examples “Th3Dir3ctorY,” with providing material of this is the Islamic State Hacking support to ISIS and committing “computer Division’s self-identification. Since it first hacking and identity theft violations in emerged as “the Islamic State Hacking conjunction with the theft and release of Division,” subsequent hacks supporting personally identifiable information (PII) of ISIS have identified a contributing actor US service members and federal with the different name, “the Islamic State employees.” Hack Division.” Although only a slight discrepancy, the title is nonetheless Ferizi, who is believed to be the leader of different and, without self-generated actor hacking collective “Kosova Hacker’s profiles, it is difficult to ascertain whether Security,” hacked a target located in the departments/divisions, emails, passwords, ISHD evolved into this new title since US and subsequently stole thousands of locations, and phone numbers of nearly Junaid Hussain’s death, or if it is a individuals’ personal information. He then 1,500 military and government personnel, completely different collective. So is the allegedly provided the information of more including individuals from the Air Force, case with the former Cyber Caliphate, than 1,000 American government various foreign embassies, the Marines, which assumed the title “Caliphate Cyber personnel to Junaid Hussain, representing NASA, USAID, and the NY Port Authority. Army” following Hussain’s death. ISIS, for public release. Hussain The hack also included the credit card Nonetheless, without an official statement subsequently branded it an Islamic State information of several State Department from the group, it is unclear whether the Hacking Division (ISHD) dump on August officials, as well as screenshots of private same individuals involved in Hussain’s 11. Facebook messages between US former collective rebranded themselves, or servicemen. if an entirely different group of actors assumed the group’s identity. Targeting Military Servicemen, Threatening Covert Surveillance Authenticity of “Accomplishments” Islamic State Alongside the data dump, Hussain Although the Islamic State Hacking proclaimed, “O Crusaders, as you continue Division (ISHD) claimed responsibility for your aggression towards the Islamic State the August 11 dump, maintaining that they Hacking Division and your bombing campaign against the had hacked into sensitive databases. Muslims, know that we are in your emails Flashpoint analysts believe the information and computer systems, watching and came from unclassified systems and that (ISHD) recording your every move, we have your no military servers were in fact names and addresses, we are in your compromised. The same is likely true of The Islamic State Hacking Division emerged in early 2015 and emails and social media accounts, we are ISHD’s other claimed attacks, including the appears to be inspired by, and loosely affiliated with, the Cyber extracting confidential data and passing alleged “hack” of several military servers in Caliphate. Both are linked by the common thread of Junaid on your personal information to the Italy on June 1, 2015, after which the group leaked the purported personal Hussain’s leadership. soldiers of the khilafah, who soon with the permission of Allah will strike at your necks information of 10 Italian army officers. in your own lands! ‘So wait; we too are

6 7 Hacking For ISIS

Alongside the data dump, Hussain Although the Islamic State Hacking proclaimed, “O Crusaders, as you continue Division (ISHD) claimed responsibility for your aggression towards the Islamic State the August 11 dump, maintaining that they and your bombing campaign against the had hacked into sensitive databases. Muslims, know that we are in your emails Flashpoint analysts believe the information and computer systems, watching and came from unclassified systems and that recording your every move, we have your no military servers were in fact names and addresses, we are in your compromised. The same is likely true of emails and social media accounts, we are ISHD’s other claimed attacks, including the extracting confidential data and passing alleged “hack” of several military servers in on your personal information to the Italy on June 1, 2015, after which the soldiers of the khilafah, who soon with the group leaked the purported personal permission of Allah will strike at your necks information of 10 Italian army officers. in your own lands! ‘So wait; we too are

8 Hacking For ISIS

"hacking the data of White House and this is just the beginning, And if Targeting “Crusaders” Focus on the US personnel," stating, “[We're] in your home you've killed Osama R.A its never the end Obama." The supposed data leak included of our Jihad WE ARE ALL OSAMA and The statement urged “all supporters In a ﬁnal threat, ICA declared, “O the alleged names and contact information will 9/11 you over and over again…We hackers to join us and work with us to disbelievers Your Fate will be killing, of a list of US legislative personnel. hacked many of your banks, government target Crusader alliance electronically,” homelessness and misery know that…this and military websites, serious and adding, “hurry up to support your ISLAMIC [is] only the beginning and [we] will The #AmericaUnderAttack campaign also sensitive information and we will publish STATE.” slaughter your necks over your land soon.” consisted of a list containing "300 FBI some, If you wont stop we will publish all The statement concluded by quoting Agents emails hacked.” However, as data later. FINAL Warning, we deﬁne you Discussing its targeting, the group stated, Osama Bin Laden: “America will not enjoy purported FBI emails/passwords are a 7 days notice that if you didn't stop your “we also announce for RAID soon targets security and safety until we live it…” staple of low-level hacker dumps, War we will post information would the Crusader coalition forces Flashpoint analysts cross-checked the threaten the security of your countries…- data and found that the list was a duplicate ISLAMIC CYBER ARMY.” of a LulzSec leak from 2012. This claim, as well as others, were released under the hashtag #AmericaUnderHacks. Non-Discriminatory Targeting

Photo: The Islamic Cyber Army’s ﬁrst statement following anti-American statement was included:

electronically, targeting Further exemplifying the US as its focus, “This is a message to the Islamic Cyber ICA was most active in the days preceding, everything…ranging from accounts of crusaders…WE ARE BACK, We would recruited, to their banks and their airports. and including, the 14th anniversary of the like to remind you of the holy 911 To their nuclear bases.” September 11 attacks. On September 8, Army attack…and will soon be a double…we 2015, for instance, the group issued a will not leave you alone until you leave us Directing a message to “the infidels countdown proclaiming, "Two days and 24 alone and you will not see peace until we On September 10, 2015, the self-proclaimed "Islamic Cyber Army" (ICA) America and their alliance, [we] will not hours left," with the hashtags witness it in our Muslim countries, We hacking group tweeted its first official statement proclaiming, “the forget your crimes and your war on Islam, #IslamicCyberArmy and will appear everywhere and anywhere, hackers Supporters of the Mujahideen configure under the banner of and we will not let you forget our war on #AmericaUnderAttack. you will find us everywhere you go we unification in the name of Islamic Cypher [sic] Army to be …[the] working you and the blessed Battle of 11 will hack your details websites pc's front against the Americans and their followers to support the ISLAMIC September and the hit of Under the same #AmericaUnderAttack credit cards information and even your Sheikh-ul-Mujahideen Osama that blow campaign, on the eve of the 9/11 STATE Caliphate with all their forces in the field of e-jihad.” cell phones, This is your worst you.” anniversary, ICA also claimed credit for nightmare, it started and it will never end

9 10 Hacking For ISIS

Lacking sophistication, ICA resorted to attacking any low-hanging fruit in its anti-American campaign, regardless of target relevance. On September 10, 2015, for instance, the group claimed credit for defacing the website of AmrahBank, an Azerbaijani bank. The defaced page included ISIS’s banner, ICA’s logo, a photo of Osama bin Laden, and the World Trade Center, with the symbolism attempting to tie the attack back to its US focus. The following anti-American statement was included: electronically, targeting Further exemplifying the US as its focus, “This is a message to the everything…ranging from accounts of ICA was most active in the days preceding, crusaders…WE ARE BACK, We would recruited, to their banks and their airports. and including, the 14th anniversary of the like to remind you of the holy 911 To their nuclear bases.” September 11 attacks. On September 8, attack…and will soon be a double…we 2015, for instance, the group issued a will not leave you alone until you leave us Directing a message to “the inﬁdels countdown proclaiming, "Two days and 24 alone and you will not see peace until we America and their alliance, [we] will not hours left," with the hashtags witness it in our Muslim countries, We forget your crimes and your war on Islam, #IslamicCyberArmy and will appear everywhere and anywhere, and we will not let you forget our war on #AmericaUnderAttack. you will ﬁnd us everywhere you go we you and the blessed Battle of 11 will hack your details websites pc's September and the hit of Under the same #AmericaUnderAttack credit cards information and even your Sheikh-ul-Mujahideen Osama that blow campaign, on the eve of the 9/11 cell phones, This is your worst you.” anniversary, ICA also claimed credit for nightmare, it started and it will never end

11 Hacking For ISIS

Laying Foundation as Anti-US Personal Information of Americans Hackers, Reasserting Focus Via Distributed Media “Campaign” Following its March 31 promise for an On March 31, 2015, the group issued a anti-US terror campaign, on April 10, 2015, message indicating that within ten days it Rabitat Al-Ansar released a statement would launch an online anti-American claiming credit for "pulling the data of 2000 terror campaign under the hashtag individuals, most of them are Americans." #WeWillBurnUSAgain. The campaign The group indicated that "Rabitat Al-Ansar included the distribution of Hackers" conducted the purported cyber English-language ISIS propaganda, attack and added, "The data includes their including videos showing operations names, the city in which they live, the against US forces in Iraq, the beheadings country they are from, their emails, phone of US nationals, as well as messages from numbers, and home phone numbers." Osama bin Laden and other prominent Al-Qaida leaders to America. The group released a sample dump including 400 of the 2,000 targeted individuals. It credit made by the "Cyber Caliphate." tweeted a threat saying they, “will penetrate The campaign also included English also vowed more attacks, proclaiming, Rabitat Al-Ansar’s boasting of a Cyber to the banks and US government sites on phrases and threats promising [attacks] on "What will come will be worse and more Caliphate attack further exemplifies the September 11,” warning “expect us.” The America to "terrorize its people," also bitter." The group indicated that the rest of fluidity between pro-ISIS cyber actors, tweet included an image that featured a inviting them to Islam. the data, which also included information seeing each other’s victories as an hooded, faceless individual sitting at a on Canadian, Norwegian, and Australian extension of their own. laptop that bears ISIS’ logo. The photo Continuing its preparation for what was to citizens, would be released within 24 hours. included text that read, “ELITE ISLAMIC come, the group also worked to mobilize The group added, "We send this message STATE HACKERS,” specifically including a ISIS’s online supporters and translators, via It remains unclear whether the group to America and Europe; we are the hackers hacking collective known as Hacker designated Twitter accounts. obtained the information by hacking of the Islamic State, the electronic war has Aldmar, which is part of Rabitat Al-Ansar. systems or instead was just gathered from not begun yet. What you have seen before open sources. If the group indeed conduct- is just a preface for the future. [We] were Furthermore, on July 13, 2015, Rabitat Al ed cyber attacks, the provenance of the able until this moment to hack the website Ansar’s subgroup Hacker Aldmar claimed data is unknown . of the American leadership and the to have obtained "American Visa and website of the Australian airport, and many MasterCard" accounts, asking followers to Rabitat Al-Ansar other websites despite paying billions to use the information “for whatever Allah has “Message to America” Video secure your electronic websites; however, made permissible." It is worth noting, it became easier to hack your websites in a however, that after Flashpoint analysts (League of Supporters) On May 11, 2015, Rabitat Al-Ansar short time. Thus, your security information attempted to verify the actors’ claims, the released a video titled, "Message to is in our hands; you do not have the power findings suggested that the allegedly America: from the Earth to the Digital Rabitat Al-Ansar -- which is part of a larger pro-Islamic State media to fight the Islamic State." leaked data may have been sourced from World," vowing persistent hacking attacks collective called the Media Front -- was not always known as a cyber the so-called "Scarfaze Hack Store," at on American and European electronic unit. For over a year, the group acted in support of ISIS as a jihadi scarfazehack[.]com, calling into question targets. the legitimacy of the group’s capabilities. propaganda media unit, releasing articles and jihadi material in American Banks as Targets support of the group. Nonetheless, with the a growing community of The video began with claims of Further demonstrating coordination ISIS supporters engaging in cyber attacks, Rabitat Al-Ansar followed responsibility for previous hacking attacks among pro-ISIS cyber actors, on suit, eventually claiming credit for purported hacks. that purportedly targeted American and September 4, 2015, Rabitat Al-Ansar Australian websites, including claims of

12 13 Hacking For ISIS

Laying Foundation as Anti-US Personal Information of Americans Hackers, Reasserting Focus Via Distributed Media “Campaign” Following its March 31 promise for an On March 31, 2015, the group issued a anti-US terror campaign, on April 10, 2015, message indicating that within ten days it Rabitat Al-Ansar released a statement would launch an online anti-American claiming credit for "pulling the data of 2000 terror campaign under the hashtag individuals, most of them are Americans." #WeWillBurnUSAgain. The campaign The group indicated that "Rabitat Al-Ansar included the distribution of Hackers" conducted the purported cyber English-language ISIS propaganda, attack and added, "The data includes their including videos showing operations names, the city in which they live, the against US forces in Iraq, the beheadings country they are from, their emails, phone of US nationals, as well as messages from numbers, and home phone numbers." Osama bin Laden and other prominent Photo: Opening Screen of Rabitat Al Ansar’s “Message to America” Video Al-Qaida leaders to America. The group released a sample dump including 400 of the 2,000 targeted individuals. It credit made by the "Cyber Caliphate." tweeted a threat saying they, “will penetrate The campaign also included English also vowed more attacks, proclaiming, Rabitat Al-Ansar’s boasting of a Cyber to the banks and US government sites on phrases and threats promising [attacks] on "What will come will be worse and more Caliphate attack further exemplifies the September 11,” warning “expect us.” The America to "terrorize its people," also bitter." The group indicated that the rest of fluidity between pro-ISIS cyber actors, tweet included an image that featured a inviting them to Islam. the data, which also included information seeing each other’s victories as an hooded, faceless individual sitting at a on Canadian, Norwegian, and Australian extension of their own. laptop that bears ISIS’ logo. The photo Continuing its preparation for what was to citizens, would be released within 24 hours. included text that read, “ELITE ISLAMIC come, the group also worked to mobilize The group added, "We send this message STATE HACKERS,” specifically including a ISIS’s online supporters and translators, via It remains unclear whether the group to America and Europe; we are the hackers hacking collective known as Hacker designated Twitter accounts. obtained the information by hacking of the Islamic State, the electronic war has Aldmar, which is part of Rabitat Al-Ansar. systems or instead was just gathered from not begun yet. What you have seen before open sources. If the group indeed conduct- is just a preface for the future. [We] were Furthermore, on July 13, 2015, Rabitat Al ed cyber attacks, the provenance of the able until this moment to hack the website Ansar’s subgroup Hacker Aldmar claimed data is unknown . of the American leadership and the to have obtained "American Visa and website of the Australian airport, and many MasterCard" accounts, asking followers to other websites despite paying billions to use the information “for whatever Allah has “Message to America” Video secure your electronic websites; however, made permissible." It is worth noting, it became easier to hack your websites in a however, that after Flashpoint analysts On May 11, 2015, Rabitat Al-Ansar short time. Thus, your security information attempted to verify the actors’ claims, the released a video titled, "Message to is in our hands; you do not have the power findings suggested that the allegedly America: from the Earth to the Digital to fight the Islamic State." leaked data may have been sourced from World," vowing persistent hacking attacks the so-called "Scarfaze Hack Store," at on American and European electronic scarfazehack[.]com, calling into question targets. American Banks as Targets the legitimacy of the group’s capabilities.

The video began with claims of Further demonstrating coordination responsibility for previous hacking attacks among pro-ISIS cyber actors, on that purportedly targeted American and September 4, 2015, Rabitat Al-Ansar Australian websites, including claims of

14 Hacking For ISIS

Social Media Target Emphasis The footage ended with a message that read, "To Mark and Jack, founders of Twitter In its first video release, with less than and Facebook, and to their Crusader impressive graphics and production, titled government, you announce daily that you “Flames of Ansar” – or “Flames of suspended many of our accounts, and to Supporters”– SCA claimed credit for you we say: is that all you can do? You are hacking more than 15,000 Twitter and not in our league. If you close one account, Facebook accounts. we will take 10 in return and soon your names will be erased after we delete your The amateurish video began with excerpts sites." featuring security experts that speak about existing vulnerabilities and the rise in ISIS’s cyber capabilities. The video also Threat Assessment indicated that SCA took down Twitter's official website, including media clips As Flashpoint analysts believe that this reporting that the website was unavailable group is affiliated, or synonymous, with for two hours. This service interruption what is known as the Caliphate Cyber Army allegedly took place on February 4, when (a.k.a. Cyber Caliphate), the first pro-ISIS Flashpoint analysts noticed that Twitter hacking collective to emerge, the emer- was experiencing service issues for a gence of SCA as a subgroup further short period of time. Flashpoint analysts underscores the increasing interest in closely watched SCA’s activities as the cyber capabilities among ISIS’ supporters. initial service interruptions were observed and, although it did not explicitly claim Sons Caliphate credit, SCA insinuated that it was Army responsible. Threat to Twitter and Facebook (SCA) Founders

The video, which was preceded by a teaser Further demonstrating the constantly evolving pro-ISIS cyber poster featuring images of Twitter and landscape, a group called Sons Caliphate Army emerged in early Facebook founders, Jack Dorsey and Mark January 2016. Even before a later April 4 announcement of a Zuckerberg engulfed in flames, shows the merger with the Caliphate Cyber Army (CCA), SCA appeared to be group's alleged hacking attacks on various Facebook and Twitter profiles. The group closely affiliated with CCA, especially as SCA’s establishment was claimed that it hacked and compromised first advertised on CCA’s private Telegram channel. Following that 10,000 Facebook accounts, 150 introductory message, CCA and SCA consistently shared each Facebook groups, and 5,000 Twitter other’s statements and claims of credit on their respective accounts. Telegram channels, exemplifying coordination seemingly more structured than that between other groups. This strong relationship between SCA and CCA continued, as they are two of the four groups now constituting the United Cyber Caliphate.

15 16 Hacking For ISIS

A United Front which online groups supporting ISIS, of which there are several, announced a The announcement came after CCA formal merger and subsequent creation of claimed via its private Telegram channel an umbrella organization. that it hijacked a Twitter account, which the group frequently does, to then broadcast a message. After gaining control of the First Claim of Credit and Expanding Twitter account, CCA tweeted, Focus “incorporation between Islamic State Hackers Teams #CaliphateCyberArmy United Cyber Caliphate released its first #SonsCaliphateArmy #KalashnikovTeam statement on April 5, claiming credit for new #Team. #UnitedCyberCaliphate.” defacing the website of Indonesia Embassy in France. The defacement included a Simultaneously, CCA released a message picture of a fallen Eiffel Tower as well as a on its Telegram channel saying, “After message that said, "Now our fighting has relying on Almighty Allah and by his grace, come! We don't negotiate except with incorporation between Islamic State cannon, we don't have dialogues except Hackers Teams...To expand in our with guns, we will not talk except strength. inconsistency is exemplified by the way in operations. To hit ‘em deeper. We And we will not stop the fighting until we which groups identify themselves, often announce our new #Team make Athan [call for prayer] and pray in using variations of the same name without #UnitedCyberCaliphate.” Rome by Allah's will in a conquest, as a promise from Allah, and Allah does not explanation, such as the Islamic State Hacking Division, which at times was Shortly thereafter, the newly established break his promise." referred to as the Islamic State Hack “United Cyber Caliphate” launched its own Division. Despite this apparent effort to private Telegram channel. The unification of these groups also means that the scope of the united team has coordinate, such as the creation of United Cyber Caliphate, there continues to be The statements were released in English, expanded. In addition to the focus on some remaining inconsistency. For Arabic, Russian, and French. hacking attacks launched by groups like CCA and SCA, the growing relevance of instance, in the multiple Telegram and Twitter messages announcing this merger, Given that SCA’s establishment was first other groups like Kalashnikov Team joining one of the members was called “Ghost United Cyber announced on CCA’s Telegram channel UCC demonstrates that the united group is Caliphate Section” as well as simply “Ghost and the two groups subsequently shared placing an increased emphasis on educat- Caliphate.” Another member was referred each other’s material on their respective ing the online jihadi community on encryp- Caliphate tion and other technology, including VPNs, to as “Kalashnikov Team” as well as channels, it is likely the two groups are “Kalashnikov E-Security Team.” affiliated. However, this statement is the proxies, and website vulnerabilities. (The Merger) first explicit announcement of their formal Despite this lingering inconsistency, the alliance. Evolving but Still Flawed establishment of UCC will likely create a On April 4, Caliphate Cyber Army (CCA) announced the creation of a more organized pro-ISIS hacking force. It Furthermore, there have been other signs new collective under the name “United Cyber Caliphate” (UCC) remains to be seen, however, whether the of coordination between these groups, Because today’s groups that engage in following the merger of several groups, including Ghost Caliphate individual members will continue operating and other pro-ISIS collectives, on an cyber attacks on behalf of ISIS are neither Section, which has been relatively inactive, Sons Caliphate Army on their own or if the new umbrella group individual basis in the past, primarily in the acknowledged nor claimed by ISIS itself, a (SCA), Caliphate Cyber Army, and Kalashnikov E-Security Team, a will replace all CCA, SCA, Ghost Caliphate, form of claim of credit posters in which poorly organized landscape of these actors and Kalashnikov Team specific activities. nascent group which identifies itself as an expert on "web-hacking multiple groups are mentioned. exists which has often led to conflicting techniques and exploits." Nonetheless, this is the first occasion in messaging among the many actors. This

17 18 Hacking For ISIS

A United Front which online groups supporting ISIS, of which there are several, announced a The announcement came after CCA formal merger and subsequent creation of claimed via its private Telegram channel an umbrella organization. that it hijacked a Twitter account, which the group frequently does, to then broadcast a message. After gaining control of the First Claim of Credit and Expanding Twitter account, CCA tweeted, Focus “incorporation between Islamic State Hackers Teams #CaliphateCyberArmy United Cyber Caliphate released its first #SonsCaliphateArmy #KalashnikovTeam statement on April 5, claiming credit for new #Team. #UnitedCyberCaliphate.” defacing the website of Indonesia Embassy in France. The defacement included a Simultaneously, CCA released a message picture of a fallen Eiffel Tower as well as a on its Telegram channel saying, “After message that said, "Now our fighting has relying on Almighty Allah and by his grace, come! We don't negotiate except with incorporation between Islamic State cannon, we don't have dialogues except Hackers Teams...To expand in our with guns, we will not talk except strength. inconsistency is exemplified by the way in operations. To hit ‘em deeper. We And we will not stop the fighting until we which groups identify themselves, often announce our new #Team make Athan [call for prayer] and pray in using variations of the same name without #UnitedCyberCaliphate.” Rome by Allah's will in a conquest, as a promise from Allah, and Allah does not explanation, such as the Islamic State Hacking Division, which at times was Shortly thereafter, the newly established break his promise." referred to as the Islamic State Hack “United Cyber Caliphate” launched its own Division. Despite this apparent effort to private Telegram channel. The unification of these groups also means that the scope of the united team has coordinate, such as the creation of United Cyber Caliphate, there continues to be The statements were released in English, expanded. In addition to the focus on some remaining inconsistency. For Arabic, Russian, and French. hacking attacks launched by groups like CCA and SCA, the growing relevance of instance, in the multiple Telegram and Twitter messages announcing this merger, Given that SCA’s establishment was first other groups like Kalashnikov Team joining one of the members was called “Ghost announced on CCA’s Telegram channel UCC demonstrates that the united group is Caliphate Section” as well as simply “Ghost and the two groups subsequently shared placing an increased emphasis on educat- Caliphate.” Another member was referred each other’s material on their respective ing the online jihadi community on encryp- to as “Kalashnikov Team” as well as channels, it is likely the two groups are tion and other technology, including VPNs, “Kalashnikov E-Security Team.” affiliated. However, this statement is the proxies, and website vulnerabilities. first explicit announcement of their formal Despite this lingering inconsistency, the alliance. Evolving but Still Flawed establishment of UCC will likely create a more organized pro-ISIS hacking force. It Furthermore, there have been other signs remains to be seen, however, whether the of coordination between these groups, Because today’s groups that engage in individual members will continue operating and other pro-ISIS collectives, on an cyber attacks on behalf of ISIS are neither on their own or if the new umbrella group individual basis in the past, primarily in the acknowledged nor claimed by ISIS itself, a will replace all CCA, SCA, Ghost Caliphate, form of claim of credit posters in which poorly organized landscape of these actors and Kalashnikov Team specific activities. multiple groups are mentioned. exists which has often led to conflicting Nonetheless, this is the first occasion in messaging among the many actors. This

19 Hacking For ISIS

Hacking Tools Vs. Malware incentives, we still see many nation state Nevertheless, Flashpoint analysts have Although it is difficult to ascertain what techniques, tactics, and actors who continue to use off-the-shelf observed a noticeable uptick in the procedures (TTPs) ISIS's supporters employ, based on the groups’ Pro-ISIS cyber actors are likely to malware products. Due to the differing emergence of more pro-ISIS hacking Techniques, “successful” cyber attacks thus far, the following is what Flashpoint download hacking tools from publicly barriers to entry of these categories of groups since the summer of 2014. There is analysts believe pro-ISIS hackers depend on (but not limited to): available sources and are likely to utilize attack tools, an emerging hacking group also an apparent increase in the diversifi- both off-the-shelf and custom malware. In will likely use custom malware before it cation of the desired targets of pro-ISIS Tactics, & underground markets, while malware is uses custom hacking tools. hackers, evolving from an overwhelmingly American target list to one that includes security-savvy jihadists, but not commonly sold, hacking tools are not as Integration of Technology British, Italian, and Russian targets, among necessarily hackers, using encrypted frequently available because it is widely understood in the black market that paid Targeting others. Procedures Pro-ISIS hackers appear to coordinate online platforms for communication, such malicious products cannot compete with their campaigns in private - likely using as Surespot and Telegram. the free open source products that already ISIS cyber threat actors appear to have two encrypted communications platforms - (TTPs) exist. primary macro targets - as professed by at Call to Cyber Recruits before launching a media campaign While it is difficult to ascertain the precise least one pro-ISIS hacking collective: teasing forthcoming attacks. In many methods of attack used to perpetrate One example of custom malware being "governmental and economic" targets. The example of Junaid Hussain demon- cases, the actors declare their intent to these alleged hacks claimed by pro-ISIS deployed by pro-ISIS elements occurred in According to the aforementioned claims of strates that ISIS has been successful in launch a hacking attack on social media, groups, a number of techniques and tools late 2014 when a malicious fake slideshow responsibility, financial institutions are attracting savvy hackers and will likely such as Twitter, using hashtags to could have been used, assuming these was distributed to Twitter users who were among the primary targets for ISIS cyber continue to do so. While we have not seen galvanize support for the intended actions. hacks were indeed legitimate. critical of ISIS. The executable was actors as well. ISIS explicitly call for sophisticated hackers, Deep Web forums frequented by Assessing these groups’ capabilities customized malware, yet was extremely Given the previous focus of hacking jihadists include sections containing both requires consideration of whether these simple in its function. Even though it was Patterns attacks, we assess that ISIS cyber threat beginner and advanced hacking courses, actors utilize custom-made hacking tools not complex or sophisticated, it was enough to identify and geolocate the actors will continue targeting financial hacking tools and manuals, as well as ways The timing of attacks can be pegged to developed in-house, or whether they are infected machines and their owners. In institutions in the future. to communicate with like-minded forum certain dates of significance - such as the relying on pre-made tools and software other words, pro-ISIS cyber threat actors dwellers. September 11 anniversary. These dates that are available in the Deep & Dark Web. have a record of distributing malware via are highly significant for jihadi hackers, as These types of tools can be divided into social media. Pronounced Targets they guarantee a substantial level of media two overall groups: hacking tools used to Jihadi Hacker Forum attention and security frenzy, which helps infiltrate systems externally and malware To date, ISIS cyber actors have launched to drum up support by allowing the actors used to compromise systems from the attacks on primarily government, banking, For example, the Gaza Hacker web forum, to capitalize on high social media traffic. inside. Potential Use of Malware and media targets. These entities appear to the primary 'jihadi hacking' Deep Web Malware usage has a different calculus be not only what these actors are focused forum, is frequented by all types of jihad- We believe that while private Hacking tools are almost invariably going to than hacking tools. Malware does not on, but also what generates the most ists, including pro-ISIS types. The forum communication between hackers takes be taken from publicly available open require a significant amount of effort to publicity for the groups behind them, likely offers a variety of hacking courses and place, they rely heavily on social media to source projects because of the ease of build another password stealer or remote contributing to the focus on such targets. manuals. generate support for their campaigns. obtaining such tools along with the fact access trojan (RAT). The sticking point with Pro-ISIS hackers continuously utilize that they can often be used successfully. malware is its detectability with antivirus. In addition, ISIS cyber actors have Members of the forum have previously Twitter hashtags to garner support from Developing proprietary tools would require Publicly available malware is highly detect- launched a campaign inciting similar distributed stolen credit card information like-minded jihadists. In this way, Twitter is significant effort and resources to create a able with antivirus products, and obfusca- attacks on non-American targets, including as well as manuals on hacking tools and essential in their campaigns. completely private toolset that is on par, or those in Russia. This development unfold- methods. This hub offers jihadists a better than, what is already available tion tools (i.e. crypters) may be able to ed after Russia began its military engage- one-stop shop for everything from learn- publicly. Of course, actors may modify this extend the lifetime of a sample. But to ment in Syria. ing how to hack, how to improve hacking publicly available software or writing simple ensure stealth, writing custom malware Tools Assessment skills, how to obtain certain hacking scripts, but it is unlikely these groups are and maintaining very narrow targeting is the only way to keep it out of the hands of There are currently no statistics that could software, and more. In regards to communication tools, currently building software from the ground antivirus companies. Even despite these accurately demonstrate the frequency of Flashpoint analysts have seen examples of up for their supporters to use. pro-ISIS cyber attacks on specific targets.

20 21 Hacking For ISIS Hacking for ISIS

Hacking Tools Vs. Malware incentives, we still see many nation state Nevertheless, Flashpoint analysts have actors who continue to use off-the-shelf observed a noticeable uptick in the Pro-ISIS cyber actors are likely to malware products. Due to the differing emergence of more pro-ISIS hacking download hacking tools from publicly barriers to entry of these categories of groups since the summer of 2014. There is available sources and are likely to utilize attack tools, an emerging hacking group also an apparent increase in the diversifi- both off-the-shelf and custom malware. In will likely use custom malware before it cation of the desired targets of pro-ISIS underground markets, while malware is uses custom hacking tools. hackers, evolving from an overwhelmingly American target list to one that includes security-savvy jihadists, but not commonly sold, hacking tools are not as Integration of Technology British, Italian, and Russian targets, among necessarily hackers, using encrypted frequently available because it is widely understood in the black market that paid Targeting others. Pro-ISIS hackers appear to coordinate online platforms for communication, such malicious products cannot compete with their campaigns in private - likely using as Surespot and Telegram. the free open source products that already ISIS cyber threat actors appear to have two encrypted communications platforms - exist. primary macro targets - as professed by at Call to Cyber Recruits before launching a media campaign While it is difficult to ascertain the precise least one pro-ISIS hacking collective: teasing forthcoming attacks. In many methods of attack used to perpetrate One example of custom malware being "governmental and economic" targets. The example of Junaid Hussain demon- cases, the actors declare their intent to these alleged hacks claimed by pro-ISIS deployed by pro-ISIS elements occurred in According to the aforementioned claims of strates that ISIS has been successful in launch a hacking attack on social media, groups, a number of techniques and tools late 2014 when a malicious fake slideshow responsibility, financial institutions are attracting savvy hackers and will likely such as Twitter, using hashtags to could have been used, assuming these was distributed to Twitter users who were among the primary targets for ISIS cyber continue to do so. While we have not seen galvanize support for the intended actions. hacks were indeed legitimate. critical of ISIS. The executable was actors as well. ISIS explicitly call for sophisticated hackers, Deep Web forums frequented by Assessing these groups’ capabilities customized malware, yet was extremely Given the previous focus of hacking jihadists include sections containing both requires consideration of whether these simple in its function. Even though it was Patterns attacks, we assess that ISIS cyber threat beginner and advanced hacking courses, actors utilize custom-made hacking tools not complex or sophisticated, it was enough to identify and geolocate the actors will continue targeting financial hacking tools and manuals, as well as ways The timing of attacks can be pegged to developed in-house, or whether they are infected machines and their owners. In institutions in the future. to communicate with like-minded forum certain dates of significance - such as the relying on pre-made tools and software other words, pro-ISIS cyber threat actors dwellers. September 11 anniversary. These dates that are available in the Deep & Dark Web. have a record of distributing malware via are highly significant for jihadi hackers, as These types of tools can be divided into social media. Pronounced Targets they guarantee a substantial level of media two overall groups: hacking tools used to Jihadi Hacker Forum attention and security frenzy, which helps infiltrate systems externally and malware To date, ISIS cyber actors have launched to drum up support by allowing the actors used to compromise systems from the attacks on primarily government, banking, For example, the Gaza Hacker web forum, to capitalize on high social media traffic. inside. Potential Use of Malware and media targets. These entities appear to the primary 'jihadi hacking' Deep Web Malware usage has a different calculus be not only what these actors are focused forum, is frequented by all types of jihad- We believe that while private Hacking tools are almost invariably going to than hacking tools. Malware does not on, but also what generates the most ists, including pro-ISIS types. The forum communication between hackers takes be taken from publicly available open require a significant amount of effort to publicity for the groups behind them, likely offers a variety of hacking courses and place, they rely heavily on social media to source projects because of the ease of build another password stealer or remote contributing to the focus on such targets. manuals. generate support for their campaigns. obtaining such tools along with the fact access trojan (RAT). The sticking point with Pro-ISIS hackers continuously utilize that they can often be used successfully. malware is its detectability with antivirus. In addition, ISIS cyber actors have Members of the forum have previously Twitter hashtags to garner support from Developing proprietary tools would require Publicly available malware is highly detect- launched a campaign inciting similar distributed stolen credit card information like-minded jihadists. In this way, Twitter is significant effort and resources to create a able with antivirus products, and obfusca- attacks on non-American targets, including as well as manuals on hacking tools and essential in their campaigns. completely private toolset that is on par, or those in Russia. This development unfold- methods. This hub offers jihadists a better than, what is already available tion tools (i.e. crypters) may be able to ed after Russia began its military engage- one-stop shop for everything from learn- publicly. Of course, actors may modify this extend the lifetime of a sample. But to ment in Syria. ing how to hack, how to improve hacking publicly available software or writing simple ensure stealth, writing custom malware Tools Assessment skills, how to obtain certain hacking scripts, but it is unlikely these groups are and maintaining very narrow targeting is the only way to keep it out of the hands of There are currently no statistics that could software, and more. In regards to communication tools, currently building software from the ground antivirus companies. Even despite these accurately demonstrate the frequency of Flashpoint analysts have seen examples of up for their supporters to use. pro-ISIS cyber attacks on specific targets.

22 23 Hacking For ISIS

The Future of ISIS's Cyber Capabilities

As pro-ISIS cyber attacks and capabilities have gradually increased over time but remained relatively unsophisticated, it is likely that in the short run, these actors will continue launching attacks of opportunity. Such attacks include ﬁnding and exploiting vulnerabilities in websites owned by, for example, small businesses, and defacing these websites. Other attacks may include DDoS attacks.

Furthermore, advanced targeting and exﬁltration are not far-fetched if the group is able to recruit outside experts into its fold, such as the previous examples of Hussain and Ferizi. The advancement of the cyber capabilities of pro-ISIS actors largely depends on the group’s ability to bring in a technological savvy, diverse group of people with broad technical skills. Hussain, who joined ISIS as a somewhat sophisticated hacker, given his time with TeaMp0isoN, is a good example and set the precedent.

24 Hacking For ISIS

Conclusion

n the past year, several pro-ISIS hack- Minnesota policemen, US National Guards- ing groups emerged, all of them with men, US Marines, Saudi Royal Guards, I the intention of launching electronic among others. Therefore, pro-ISIS cyber attacks on the US and other Western actors are demonstrating an upward targets, including government, economic, trajectory, indicating that they will continue and media entities. Indeed, some have to improve and amplify preexisting skills been successful, such as the hacking of and strategies. US CENTCOM’s Twitter account. These initiatives have afforded ISIS a new layer of Such a trend was exemplified by the recent notoriety and simultaneously raises merger of multiple pro-ISIS cyber groups concerns regarding its cyber capabilities. under one umbrella: the United Cyber This is especially unnerving as one of the Caliphate. This willingness to adapt and hacking group’s leaders, Junaid Hussain, evolve in order to be more effective and fought in ISIS’s ranks and attempted to garner more support indicates that while recruit overseas talent while stationed in these actors are still unsophisticated, their Syria, which he accomplished on at least ability to learn, pivot, and reorganize one occasion when he worked with hacker represents a growing threat. Ardit Ferizi to obtain information on US servicemen.

Despite the signiﬁcant amount of attention that ISIS supportive hackers are garnering, it is important to note that their skill level is still low. Nonetheless, these actors are demonstrating a desire to carry on legacy eﬀorts, such as Junaid Hussain’s call to ‘lone wolves’ by leveraging targeting information, and also building upon that foundation.

Whereas Hussain provided targeting information by tweeting the addresses of “wanted” individuals, often using the hashtag #GoForth, CCA and SCA have intensiﬁed this eﬀort, issuing “dumps” consisting of hundreds of individuals’ alleged personal information. In March 2016 alone, these groups released the alleged information of New Jersey and

25 Hacking For ISIS

About Flashpoint

Flashpoint helps companies and individuals understand the threats looming in the Deep & Dark Web in order to help mitigate and prevent both cyber and physical attacks.

We provide data, tools, and expertise to security and intelligence teams across the Fortune 500 and government to help them both obtain actionable intelligence, as well as gain critical awareness of threatening actors and their relationships, behaviors, and networks prone to malicious activity.

Contact web: www.ﬂashpoint-intel.com Email: info@ﬂashpoint-intel.com