ISIS Cyber Capabilities

May 9, 2016 by Pierluigi Paganini


At the end of April 2015, the US Government announced the first attack conducted by the Cyber Command against the online activities of ISIS members. The war against the Islamic State also has cyberspace as a battlefield; for this reason, the US Cyber Command plans to run hacking operations and use cyber weapons to destroy computer systems used by the ISIL, to destroy its functions (e.g. propaganda, economic support to militants) and to track its cyber hubs.

At the recent meeting held in Hanover, Germany, US President Barack Obama discussed with other leaders the cyber strategy to counter the Islamic State online.

In March, senior Pentagon officials confirmed the US Army's first use of information warfare operations against the Islamic State as part of the campaign conducted to take back the Iraqi city of Mosul.

The US military is using cyber tools to counter the ISIS troops in the area, interfering with members' operations and communications.

Figure 1 - Source MEMRI JTTM

One of the goals of the US Cyber Command is the disruption of the propaganda activities and the interference with the IS daily functions, like paying its fighters.

"Our cyberoperations are disrupting their command-and-control and communications," Mr. Obama said at the C.I.A. headquarters in Langley, Va., on countering the Islamic State.

The deputy secretary of defense, Robert O. Work, confirmed the goals of the cyber operations that were conducted by a small number of "national mission teams."

"We are dropping cyber-bombs," Mr. Work said. "We have never done that before."

According to the New York Times, US officials confirmed that ongoing operations are aiming to deploy a series of "implants" in the networks of the Islamic State to spy on its commanders.

"Now, the plan is to imitate them or to alter their messages, with the aim of redirecting militants to areas more vulnerable to attack by American drones or local ground forces." continues the NYT. "In other cases, officials said, the United States may complement operations to bomb warehouses full of cash by using cyber-attacks to interrupt electronic transfers and misdirect payments."

Lisa O. Monaco, a deputy national security adviser, and Mr. Obama's top adviser met technology executives at IT giants calling for action against the online activities of the Islamic State.

Tracking and blocking any activity conducted by ISIS members online is very hard; many pro-ISIS groups operate under the ISIS umbrella, including the United Cyber Caliphate (UCC). I mentioned the UCC because a couple of weeks ago its members published online a 'Kill List' containing the names of 43 US Government employees working at the Pentagon, Department of Homeland Security, State Department, and other agencies. The information disclosed includes the name, phone number, city and zip code of the targets.

The members of the United Cyber Caliphate (UCC) shared the Kill List through the popular encrypted messaging app Telegram.

"Hackers with a pro-ISIS group calling themselves the United Cyber Caliphate distributed a "kill" list on Monday that appears to include dozens of U.S. government personnel, Vocativ discovered." states Vocativ, which first discovered the Kill List.

"The list features 43 names of people linked to the State Department, the Department of Homeland Security and the departments of defense, energy, commerce and health and services. It also identifies the U.S. embassies in Santiago and Kathmandu—as well as the Department of the Navy in Gulfport, Mississippi—as targets. It includes someone who appears to have worked for Australia's Department of Defence."

Figure 2 - UCC shared Kill List online

The list published by the United Cyber Caliphate also includes names of US employees working abroad, like personnel in the U.S. embassies in Santiago and Kathmandu.

The United Cyber Caliphate is a newborn group composed of hackers belonging to three hacking groups, including the popular Cyber Caliphate Army.

Vocativ also reported that members of the Cyber Caliphate Army released a Kill List including current and former U.S. government officials.

This isn't the first time that ISIS hackers have published a Kill List; in March 2015 an ISIS cyber unit named "Islamic State Hacking Division" leaked online the personal information of 100 members of the United States military residing in the US, inviting its followers to kill them.

Figure 3 - US Kill List (March 2015)

According to the Reuters media agency, the group posted online pictures, names and addresses of personnel in the United States military asking its "brothers residing in America" to kill them.

"Islamic State has posted online what it says are the names, U.S. addresses and photos of 100 American military service members, and called upon its "brothers residing in America" to kill them." reported Reuters.

The "Islamic State Hacking Division" claimed to have obtained the information by hacking several military servers and obtaining access to confidential databases and emails.

US Department of Defense officials denied that military systems were hacked and speculated that the ISIS hackers gathered the information from publicly available sources.

The members of the US military included in the list published by the ISIS serve with the 2d Bomb Wing at Barksdale Air Force Base in Louisiana and the 5th Bomb Wing at Minot AFB in North Dakota, but it seems that they did not participate in US operations against the ISIS.

Conflicting opinions on the ISIS Cyber Capabilities

The international intelligence community is divided into two schools of thought: those who consider the ISIS a group with strong cyber capabilities and skills, and those who believe that the organization is overrated in this sense.

The popular cyber security expert Mikko Hyppönen, Chief Research Officer for F-Secure, has expressed his concerns on several occasions. He said he worries about cyber extremists who could penetrate critical infrastructure and cause serious damage. The expert explained that the ISIS is probably the first terrorist group with the hacking capabilities to mount a major attack against government infrastructure, and the situation is getting worse because the group is becoming more aware of how effective an offensive launched from cyberspace can be.

"The Islamic State is the first extremist group that has a credible offensive cyber capability," said F-Secure Chief Research Officer Hyppönen, speaking last week at the Wall Street Journal's WSJDLive conference in Laguna Beach, Calif. "Clearly, this situation isn't getting better. It's getting worse."

Many cyber security experts have joined the IS, and a cyber-attack could be arranged with a limited amount of resources, compared to a conventional terrorist attack.

The preparation of a terrorist cyber-attack is difficult to trace, unlike the preparation of a bomb attack, which could be spotted by the intelligence agencies.

Hyppönen warns about cyber-attacks that could be launched from anywhere; the hackers are moving from Europe to Syria, where they could launch attacks that shut down critical infrastructure anywhere in the world.

Asked to describe a "horror story," Hyppönen has no hesitation: cyber-terrorists can target the SCADA systems that represent the core of Western infrastructure to cause serious damage. Think, for example, of the Siemens systems that control over 50 percent of the world's factory equipment.

"Extremists might be willing to do an attack like that," Hyppönen said.

A couple of weeks ago, the US authorities confirmed that hackers belonging to the Islamic State (ISIL) are trying to hack American electrical power companies.

Law enforcement officials reported the news during a conference of American energy firms that were discussing Homeland Security. The ISIL has the cyber capabilities to run cyber-attacks against US critical infrastructure, and the US intelligence is aware of the risks.

Last week, a pro-ISIS hacker group calling itself the Islamic State Hacking Division published a "Kill list" of dozens of American military personnel purportedly involved in drone strikes against the IS in Syria and Iraq.

The hackers leaked online personal details of more than 70 US personnel.

"Kill them wherever they are, knock on their doors and behead them, stab them, shoot them in the face or bomb them."

The intelligence experts that analyzed the Kill list published by the Islamic State Hacking Division confirmed that its content has been gathered from publicly available sources and isn't the result of any security breach.

The hackers of the Islamic State Hacking Division claimed to have planted a mole in Britain's Ministry of Defence and threatened to publish "secret intelligence" information.

"In our next leak, we may even disclose secret intelligence the Islamic State has just received from a source the brothers in the UK have spent some time acquiring from the Ministry of Defence in London as we slowly and secretly infiltrate England and the USA online and off." states a tweet published by the group.

"While we don't comment on cyber threats, Britain is a world leader in cyber security, and we are investing more than ever before in the UK's capabilities to protect our national interest. Our increasing defence budget means that we can stay ahead of our adversaries in cyberspace while also investing in conventional capabilities." said a Ministry of Defence spokesperson.

In May 2015, Pro-ISIL Hackers belonging to the Cyber Caliphate hacking team threatened 'Electronic War' on US and Europe.

"ISIL is beginning to perpetrate cyber-attacks," explained Caitlin Durkovich, assistant secretary for infrastructure protection at the Department of Homeland Security.

Investigators revealed to CNNMoney that the Islamic State has launched a series of cyber-attacks that have been unsuccessful. They did not provide further information on the attacks, nor did they cite evidence of specific incidents.

The experts described the attacks as not particularly sophisticated. Even so, they represent a serious threat to homeland security. Security experts believe that members of the IS are not working on the development of custom malware. Instead, they buy hacking tools on the black market.

"Strong intent. Thankfully, low capability," said John Riggi, a section chief of the FBI's cyber division. "But the concern is that they'll buy that capability."

Speaking about IS and hacking, we cannot avoid mentioning hacker Junaid Hussain, one of the most popular cyber security experts of the radical group.

In summer 2015, a US drone strike killed the jihadist hacker Junaid Hussain in Syria. The man was actively recruiting ISIS sympathizers, and the US intelligence believes that the jihadist hacker is behind a number of cyber-attacks, including the one that hit the Central Command websites and its Twitter accounts.

But Junaid Hussain was just one of the hackers of the CyberCaliphate, also known as "Islamic State's Defenders on the Internet," the hacking group considered the ISIS cyber army.

The Cyber Caliphate was involved in the hijacking of social media accounts belonging to the US CENTCOM; its members released a propaganda video threatening cyber-attacks anticipating the operation of the terrorists on the Internet.

"Praise to Allah, today we extend on the land and in the internet. We send this message to America and Europe. We are the hackers of the Islamic State and the electronic war has not yet begun," the video said with a distorted voice and picture of an Anonymous member. "What you have seen is just a preface of the future. We are able until this moment to hack the website of the American leadership and the website of the Australian airport and many other websites."

In September 2015, experts at the British intelligence agency GCHQ revealed that ISIS hackers had intercepted top secret British Government emails.

The agents from the GCHQ uncovered a serious breach; IS members targeted email accounts held by some of David Cameron's most senior ministers, including the Home Secretary Theresa May.

The hack could have exposed confidential information related to the British Government and members of the Royal family.

"It is understood that at least one of the plot's ringleaders was killed by a drone strike in an operation disclosed by the Prime Minister this week." reported the Mirror.

ISIS Cyber capabilities

A few weeks ago, researchers from the Flashpoint intelligence firm published a report, titled "Hacking for ISIS: The Emergent Cyber Threat Landscape," that detailed the cyber capabilities of the ISIS.

Figure 4 - "Hacking for ISIS: The Emergent Cyber Threat Landscape." - Report

Security experts believe that hacking attacks in support of the operations conducted by the members of the Islamic State are a concrete threat. In spite of the numerous cyber-attacks conducted by cells and sympathizers of the radical organization, the overall capabilities are not advanced. The experts speculate that in the short term the members of the Islamic State will not be able to increase the level of sophistication of the attacks.

"Nonetheless, the group's overall capabilities are neither advanced nor do they demonstrate sophisticated targeting; however, the severity of cyber-attacks supporting ISIS will likely not remain at this level of relative unsophistication," states the report.

In the last couple of years, the ISIS has significantly increased its hacking activity; at least five different pro-ISIS hacking groups have launched cyber-attacks in favor of the Islamic State. In many cases, the same hackers supported the different groups in multiple attacks.

According to the Techworm website, on April 4, 2016, the Cyber Caliphate Army (CCA), the principal ISIS hacking unit, and other pro-ISIS groups like the Sons Caliphate Army (SCA) and Kalacnikov.TN (KTN) merged and formed The United Cyber Caliphate (UCC).

The experts highlighted that the pro-ISIS hacking activities are still poorly organized and likely under-resourced, and have been neither officially acknowledged nor claimed by ISIS itself.

Figure 5 - Pro-ISIS groups merged in the United Cyber Caliphate crew

Most of the cyber-attacks conducted by the pro-ISIS hacker crews are beginner-level and opportunistic, such as exploiting known vulnerabilities to compromise websites.

Pro-ISIS hackers download hacking tools from publicly available sources instead of developing their own custom hacking tools and custom malware.

The researchers reported one example of custom malware used by members of a pro-ISIS group in late 2014 that was masquerading as a slideshow and spread via Twitter. The analysis of the binaries detected by the experts revealed that it is a very simple sample of customized malware.

"Even though it was not complex or sophisticated, it was enough to identify and geolocate the infected machines and their owners. In other words, pro-ISIS cyber threat actors have a record of distributing malware via social media," states the report.

In the past, pro-ISIS actors have launched attacks on government, banking, and media targets, but researchers at Flashpoint expect that, as these actors mature, they will keep targeting financial institutions.

The ISIS is not explicitly attempting to recruit sophisticated hackers, but its followers can broaden their knowledge and skills through hacking courses, tools, and guidance available in Deep & Dark Web forums. Pro-ISIS cyber actors are likely to download hacking tools from publicly available sources while also utilizing both off-the-shelf and custom malware.

"The advancement of the cyber capabilities of pro-ISIS actors largely depends on the group's ability to bring in a technological savvy, diverse group of people with broad technical skills. Hussain, who joined ISIS as a somewhat sophisticated hacker, given his time with TeaMp0isoN, is a good example and set the precedent," states the report.


Skill shortage

Security experts believe that the IS could speed up the growth of its cyber capabilities by paying cyber mercenaries or recruiting young hackers.

Earlier in 2016, intelligence experts reported that members of the IS were willing to pay Indian hackers to hack into government websites and gain access to sensitive documents. The members of the ISIS aim to create a database of potential Indian candidates from social media; those who hack government websites will receive up to $10,000 for every successful security breach.

"There are various underground communities online where hackers interact regularly. Our investigation reveals that for the past six months, lucrative offers for stealing government data came pouring in and hackers were offered a huge sum. Such amount has never been offered to any Indian hacker before. We found that the offers were being made to spread ISIS reach in the country," said the cyber-crime expert Kislay Choudhary.

The hack of government systems could allow terrorists to gather intelligence on their targets. The intelligence community is aware that Daesh is focusing its recruiting activity on the Indian hacking community; many hackers are based out of various parts of South India, including Kashmir, Maharashtra, and Rajasthan.

"Indian handlers are now creating local content to spread their propaganda in Hindi, Tamil, Gujarati, Urdu and other vernacular languages on cyberspace. In the past, Bangla has also been used to spread ISIS' hate propaganda, targeting vulnerable youths in Bangladesh and India," continues the post published by the DailyMail.

Intelligence agencies have already arrested twelve suspects in India; the individuals were in contact with active members of ISIL in Syria and were planning an attack ahead of Republic Day.

"The work of Indian handlers is to identify people who tweet or share pro- ISIS and anti-West posts. Such users are potential ISIS sympathisers. Such people are contacted by ISIS members on social media and engaged in religious conversations. After assessing their mindset, pro-ISIS content and videos are shared. If they show interest, they are enrolled into the terror outfit," stated a senior officer of a central security agency.

The IS is targeting its propaganda at young hackers to recruit them for the jihad.

"They spread their message with popular keywords and hashtags to reach a wider audience," a security official said.

In response to the online activity in India, security agencies have taken down IS-related content on the Internet; 94 websites connected with the ISIL have already been blocked, according to the Maharashtra ATS.


While the current cyber capabilities of the IS are not sophisticated, it won't remain the same and could change quickly.

"There is clear evidence that they are growing in number, coalescing in rank, and zooming in on American and other Western targets," Alkhouri told SecurityWeek.

In the short term, it is likely that other hackers will join the Islamic State, including cyber mercenaries, with the intention of launching cyber-attacks on the enemies of the Caliphate.

Although the experts from Flashpoint are not so concerned about the cyber capabilities of pro-ISIS groups, I believe that the hacking campaigns they will launch against Western targets can cause serious problems if we are not prepared to repel the offensives.


Pierluigi Paganini

Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, a member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, and Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field; he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US.

Pierluigi is a member of "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other security magazines.