ISIS Hackers Consistently Ineffective, Study Finds
Like its military counterpart, ISIS's cyber operations are remarkably unsophisticated
Despite claiming to have just released yet more Americans’ personal information as part of a “kill list,” an ISIS hacker “supergroup” is remarkably incompetent at hacking, a new study shows.
Exactly how much the coalition of pro-ISIS hackers that recently named itself the United Cyber Caliphate represents ISIS, a terrorist group with aspirations of statehood, is unclear. But according to a new study by intelligence firm Flashpoint, the UCC and the various ISIS-affiliated hacking groups that precede it have accomplished very little, and their highest-profile “hacks” involve taking credit for others’ work.
While such groups have dabbled in a number of hacking fields—DDoS attacks to try to temporarily knock down websites they deem enemies, or claims of taking over Twitter and Facebook accounts in bulk—their biggest claim involves periodically releasing the names and personal information of people, known as “doxing,” and calling for sympathetic jihadists to attack the people listed.
Those lists, however, are routinely full of misinformation.
A would-be kill list posted by ISIS channels on Telegram, obtained by Vocativ Monday, is an inaccurate, incomprehensible list of Americans’ personal information. An apparently repacked version of a “Wanting to be killed” list of State Department employees, it doesn’t list anyone’s physical address, just a name—sometimes just a first name—government agency they work for, city, zip code and a phone number. The numbers associated with the targets are largely wrong, however; many have too many or too few digits for an American phone number, and all but one of the eight phone numbers Vocativ tried calling were either disconnected or belonged to a person with a different name.
“That used to be my last name, but I changed it when I married,” said the one government employee named on the list, and who said no one had contacted her about being on the list. “[This isn’t] my personal number,” she added. “It’s a government phone.”
A look at the short history of ISIS’s hacked “kill lists” show they are often arbitrarily put together. Using the guise of the Cyber Caliphate, noted hacktivist-turned-ISIS fighter Junaid Hussain shared multiple kill lists of Americans in the first half of 2015. Shortly before his death by a drone strike in August, Hussain released the names of almost 1,500 members of the military and government employees, one of the largest such dumps to date, proclaiming “O Crusaders … we are in your emails and social media accounts, we are extracting confident data.” But Flashpoint’s analysis concluded that nothing Hussain had released was classified and that no military servers had been compromised.
Despite presenting himself as a hacker stealthily infiltrating American networks, Hussain actually had acquired at least one of his lists through an unaffiliated hacker from Kosovo named Ardit Ferizi, the FBI says. The exchange was captured entirely on a public Twitter conversation, and Ferizi was later arrested in Malaysia.
Like any number of hacktivists, other pro-ISIS hackers similarly falsely claim prowess. On the 14th anniversary of September 11th in 2015 the pro-ISIS Islamic Cyber Army circulated a list it said was the personal information of 300 FBI agents. But that database, Flashpoint noted, had actually come from the Anonymous spinoff group LulzSec, which released it back in 2012.
Still, that offers little consolation to the people named in such lists, no matter how unlikely it is they’ll be attacked. “I haven’t done anything to nobody,” the government employee named in Monday’s list told Vocativ. “For them to have my information is kind of crazy.”