While threats emanating from ISIS-inspired cyberattacks are of high concern, intelligence analysts have concluded that, as of now, the cyber capabilities of the Islamic State and its supporters are still relatively weak and appear to be underfunded and poorly organized.
According to a new report from intelligence firm Flashpoint, a growing pro-ISIS community of hackers is expected to expand following the formal merger of several ISIS hacking groups into a new group called the “United Cyber Caliphate”.
Announced on April 4, 2016, the United Cyber Caliphate is composed of previously disparate pro-ISIS hacking collectives.
“For the vast majority of its existence, the pro-ISIS hacking landscape was composed of at least five distinct groups that launched campaigns in support of the terror group. Evidence indicated that these collectives overlapped or coordinated with one another in certain campaigns, pooling their resources and manpower,” Flashpoint explained.
The Islamic State (also known as IS, ISIS, ISIL, and Daesh) with “even limited success could inflate their notoriety and enable them to continue to grow their capabilities and attract talent,” the report says.
In response to the terror group’s growing cyber activity, it should not be a surprise that the U.S. military has acknowledged that it is actively conducting cyberattacks against the Islamic State group.
“We have now begun to use our exquisite cyber capabilities in this fight against Daesh,” Baghdad-based Major General Peter Gersten told reporters this week.
So far, online attacks claimed by pro-ISIS hackers remain relatively novice-level, Flashpoint says, with most attacks being opportunistic, such as exploiting known vulnerabilities to compromise websites and launching DDoS attacks.
Pro-ISIS hackers have also managed to compromise social media accounts of media and government organizations—again not considered a high-level hack requiring advanced skills. Financial institutions have also been a target of the groups, mainly through DDoS attacks, but Flashpoint analysts expect that as these actors mature, they will continue targeting financial institutions and other businesses.
“Given prior attacks that compromised the CENTCOM and Newsweek Twitter accounts, new concerns regarding ISIS’s cyber capabilities have clearly emerged. Until recently, our analysis of the group’s overall capabilities indicated that they were neither advanced nor did they demonstrate sophisticated targeting,” said Laith Alkhouri, Director of Research & Analysis for the Middle East and North Africa and a co-founder at Flashpoint. “With the latest unification of multiple pro-ISIS cyber groups under one umbrella, there now appears to be a higher interest and willingness amongst ISIS supporters in coordinating and elevating cyber attacks against governments and companies.”
ISIS’ Cyber Roots and Leaders
The original “Cyber Caliphate” brand was led by British-born hacker Junaid Hussain (a.k.a. Abu Hussain Al Britani). Formerly “TriCk” of TeaMp0isoN, Hussain fled the UK to join ISIS in 2013, after serving a prison sentence following a 2012 guilty finding for hacking former British prime minister Tony Blair’s accounts and posting information online.
Hussain was killed in an August 2015 drone strike in Syria. According to the Department of Defense, Hussain was actively recruiting Islamic State sympathizers to carry out lone wolf attacks in the West.
Flashpoint says Hussain “was still unsophisticated and less productive than what might be expected of an effort led by a former Western hacking group leader.”
British-educated businessman and computer expert Siful Haque Sujan, a 31-year-old Bangladeshi, stepped in to lead the Cyber Caliphate after the death of Hussain, but was also killed in a U.S. drone strike in Syria on December 10, 2015.
Hussain’s wife, Sally Jones (aka Umm Hussain Britaniya), Flashpoint says, is attempting to carry on her late husband’s mission. The intelligence firm says that she “maintains a prolific and violent social media presence”.
Early this year, Ardit Ferizi, a citizen of Kosovo, made a court appearance after being arrested in Malaysia in October 2015 and accused of providing material support to ISIL and committing computer hacking and identity theft violations.
Also known by his hacking moniker “Th3Dir3ctorY,” Ferizi was accused of providing sensitive stolen data to the now-dead Hussain.
Critical infrastructure in its sights?
“Pro-ISIS cyber actors are certainly under sophisticated right now, but there is clear evidence that they are growing in number, coalescing in rank, and zooming in on American and other Western targets,” Alkhouri told SecurityWeek. “The more attractive the targets, the more notoriety they are gaining.”
Alkhouri says his firm has not yet seen evidence suggesting that pro-ISIS actors are actively targeting critical infrastructure or SCADA systems at large, but said jihadists have discussed these aspirations over time and that such targets will become more desirable as the actors become more sophisticated.
“As technology evolves and these actors become more advanced, the focus on critical targets becomes more of a reality than before,” Alkhouri said.
Flashpoint researchers shared several of the factors they studied to support their analysis, including:
Call for Cyber Recruits: While ISIS has not explicitly attempted to recruit sophisticated hackers, Deep & Dark Web forums can be used as a training ground, allowing ISIS followers with low-level technical and hacking abilities to hone their skills. Deep & Dark Web forums include sections containing both beginner and advanced hacking courses, hacking tools and manuals, as well as ways to communicate with others for support and guidance.
Techniques and Tactics: While it is difficult to assess what techniques, tactics, and procedures (TTPs) ISIS’s supporters employ, based on the types of cyber attacks the various pro-ISIS hacking groups have claimed responsibility for, Flashpoint analysts believe pro-ISIS hackers depend on coordinated campaigns, social media, use of malware, and specific technical tools.
Hacking Tools vs. Malware: Pro-ISIS cyber actors, similar to other cybercriminal groups, are likely to leverage open source hacking tools from publicly available sources while also utilizing both off-the-shelf and custom malware.
While the cyber capabilities of ISIS may not be sophisticated currently, this is something that can change rapidly. Launching damaging cyberattacks does not require a large team, and because the group could recruit or train members with a higher level of skill, the threat should not be brushed off.
As SecurityWeek columnist James McFarlin said, “The speed at which geopolitical conditions are changing globally and with regard to ISIS and similar groups specifically means the U.S. will need canary-like sensitivity to such developing threats and act accordingly.”
The full report (PDF), Hacking for ISIS: The Emergent Cyber Threat Landscape, explores the birth and evolution of ISIS’s cyber capabilities by first exploring the most prominent actors on an individual basis, in addition to current developments.