Abstract: The activities of Islamic State-affiliated hackers and hacking groups continue to garner substantial media attention and public concern. In turn, threat assessments and predictions of the capabilities of these actors frequently rely on ‘what-if’ scenarios, overestimate technical skill, and conflate multiple, separate cyber activities. Through analysis of several U.S. prosecutions of Islamic State-affiliated hackers and their networks, proficiencies, and activities, this article argues that very few of these actors demonstrate advanced hacking or cyberterrorism capabilities. Lacking the know-how, resources, and ingenuity for complex computer network operations, the entities analyzed here turned to methods like doxing, website defacements, social media account hacks, and minor intrusions. A pertinent example is the case of Ardit Ferizi, the Kosovar national arrested in 2015 for illegally obtaining personally identifiable information from a U.S. company’s server and providing it to the Islamic State.

Popular conceptions of ‘hackers’ or ‘cyberterrorists’ evoke images of inexplicably hooded figures, lurking behind laptops and coding unimaginably detrimental software. From the public consciousness to political rhetoric, this misconception places a wide array of digitally coordinated terrorist-related activities into a homogenous category, making it difficult to parse the nuances of varying networks and tactics. In the case of the Islamic State, inflated perceptions of the group’s capabilities can sometimes eclipse the reality.

The digital capabilities of the Islamic State, much like the virtual efforts of competing and preceding terrorist groups, are difficult to measure yet consistently elicit a great deal of public concern. In a 2012 article titled “The Cyber Terror Bogeyman,” Peter Singer explained that fear and perceptions of the cyberterrorist threat often blur the realities of terrorist capabilities, at least in part because of elusive conceptions of the term “cyberterrorism.”1 While the Federal Bureau of Investigation offers a relatively specific definition that is predicated on select efforts that result in violence,[a] other discussions of cyberterrorism tend to “sweep all sorts of nonviolent online mischief into the ‘terror’ bin.”2 This appears to result in the inflation of perceptions of cyberterrorism and the dangers it invites.[b]

The prolific nature of Islamic State propaganda online, paired with a piqued but murky comprehension of cyber threats by the public, creates an environment where actors with ties to the group are presumed to pose a genuine threat to national security, and possibly critical national infrastructure.3 Unfortunately, this logic “conflates the ability to produce and disseminate targeted propaganda with the ability and intent to carry out destructive cyber attacks.”4 While the flow of terrorist content online and the feasibility of attack planning remain critical problems that require political and legal interventions, each threat-type is distinct and bears different degrees of risk from other methods. Since the sophistication of operations also varies, even among efforts such as hacking, doxing,[c] defacements, and distributed denial of service attacks (DDoS), it is useful to consider the technical capabilities each method requires, the nature of the target, the likelihood the plan comes to fruition, and the material and perceptual impact of an attack.5

Assessing cyber measures in this manner can help contextualize online threats by highlighting the gap between perception and reality while flagging strategic and operational implications for policymakers and practitioners. The well-publicized 2015 hack of the United States Central Command’s (CENTCOM) social media accounts by actors claiming links to the Islamic State offers one opportunity to leverage this approach. In short, hackers compromised CENTCOM’s Twitter and YouTube accounts, and posted threats, propaganda, and military documents.6 Although this intrusion was jarring, subsequent investigation revealed that no classified information was disseminated, and that “virtually all of the documents posted were publicly available online.”7 Even though the hacking group intended to cast its effort as a large-scale data breach, commentators suggested that compromising CENTCOM’s social media accounts required far less sophistication than hacking into CENTCOM’s computer systems.8 In the end, this event was a nuisance and public relations problem for the U.S. government, military, and law enforcement, but various analyses and a statement from the military narrowly regarded the hack as a case of web defacement and “cyber vandalism.”9

Beyond capability, intention, and impact, the genuine nature of the relationship between online operatives and terrorist groups, and the attribution of attacks, are also elements that require further consideration. Much like terrorist attacks around the world, claims of responsibility for targeted efforts in the virtual arena are not always stated or discernible. In November 2014, the email of a person affiliated with Raqqa is Being Slaughtered Silently (RSS), a Syrian media group critical of the Islamic State, was targeted with social engineering and malware designed to reveal their location.10 After analyzing the attack, researchers at The Citizen Lab assessed that “[Islamic State] can’t be ruled out” as a possible source of the malware, but were ultimately “unable to connect this attack to [Islamic State]” or other supporters of the organization.[d] To complicate matters more, cyber groups that appear associated with the Islamic State and conduct campaigns that benefit the Islamic State are not necessarily connected to the Islamic State and its leadership.[e] In February 2017, for example, the Tunisian Fallaga Team conducted a website defacement campaign that targeted the NHS websites in the United Kingdom with graphic photos of the Syrian Civil War; some media reports covering the attack described Fallaga Team as “[Islamic State]-linked.”11 Ultimately, even though Fallaga Team leverages some political imagery linked to the Islamic State in defacement campaigns, it is crucial to remember that it has “not made any official declaration of loyalty” to the Islamic State or online groups that are pro-Islamic State.12 These attacks, among others,[f] show that affiliation and attribution to Islamic State in the digital sphere is not always clear-cut. In practice, such nuances can dictate the courses of action viable to law enforcement authorities tasked with countering and preventing terrorism and other criminal activities.

To confront this elusive problem, it is vital for policymakers, practitioners, and scholars to tether the issue to genuine appraisals of the threat and disaggregate the capabilities and intentions of the actors involved.13 By counterbalancing speculation about the worst-case cyberterrorism scenarios with concrete examples of the actions jihadi-inspired actors take in cyberspace, this article attempts to shed light on some of the ‘hooded figures’ by examining various uses and implications of hacking and doxing tactics among Islamic State supporters. As noted earlier, the case of Ardit Ferizi, one of the better-known hackers with links to the Islamic State, is an instructive example to discuss the capabilities, methods, and networks of pro-Islamic State hackers.

Ferizi and the August 2015 ‘Kill List’
Beginning in April 2015, Kosovar national and hacker Ardit Ferizi provided support to the Islamic State by transmitting personally identifiable information (PII) of U.S. and Western European citizens to Islamic State members in Raqqa, Syria.14 Ferizi, a computer science student at a Malaysian university, led a group of ethnic Albanian hackers known as “Kosova Hacker’s Security,” which compromised over 20,000 websites throughout Eastern Europe, Israel, and the United States.15 He also managed penvid.com, an online file-sharing service that hosted Islamic State propaganda.16 [g]

According to U.S. court documents, the first known online interactions between Ferizi and Islamic State members occurred via Twitter in April 2015. Using the handle @Th3Dir3ctorY, Ferizi sent a direct message to @Muslim_Sniper_D, an account operated by Hamayun Tariq, a British Islamic State fighter.17 [h] In his message, Ferizi explains, “Brother i have 4 million data of kuffar countrys (sic) which attacking islamic state,” and attached screenshots of credit card and account information from over 60 citizens of Western countries.18

Hamayun Tariq directed Ferizi to contact another Islamic State member, Abu Hussain al-Britani, telling Ferizi that “[he] is my friend he told me a lot about u.”19 Abu Hussain al-Britani was the kunya of Junaid Hussain, a notorious British Islamic State member who directed attacks in Western countries through the use of digital communications technologies.20 Prior to traveling to Islamic State-controlled territory in 2013, Hussain, like Ferizi, was a politically motivated hacktivist. Under the pseudonym TriCK, Hussain was part of a hacker’s collective named TeaMp0isoN, which coordinated hacks against select targets, including the U.K. government.21 [i] After joining the Islamic State, Hussain supported some hacking-related and doxing efforts under the banner of the Islamic State Hacking Division.[j] In March 2015, for example, Hussain posted a ‘kill list’ comprised of the names and addresses of 100 members of the U.S. military.22

On June 13, 2015, aware of and possibly inspired by the March 2015 Islamic State Hacking Division kill list,[k] Ferizi illegally obtained “system administrator-level access” to the servers of an Illinois-based company and accessed customer records databases, containing the PII (including phone numbers, email addresses, physical addresses, and passwords) of approximately 100,000 store patrons.23 Refining his search to entries with a .gov or .mil email address, Ferizi compiled a list of 1,351 U.S. government or military personnel.24 The same day, Ferizi contacted Junaid Hussain on Skype and provided him links to lists of .gov and .mil email “dumps” that he pulled from the database. Hussain replied, “Akhi [brother] this will hit them hard … we will make a good message to the kuffar.”25

Two months later (in August 2015), “in the name of the Islamic State Hacking Division,” Hussain tweeted a link to the information Ferizi stole alongside the post: “NEW: U.S. Military and Government HACKED by the Islamic State Hacking Division!”26 The 30-page document contained the PII of the 1,351 U.S. persons with .gov and .mil addresses, preceded by a brief threat from the Hacking Division: “we are in your emails and computer systems … we are extracting confidential data and passing on your personal information to the soldiers of the khilafah, who soon with the permission of Allah will strike at your necks in your own lands!”27

After Ferizi breached the company server in June 2015, an employee of the company contacted the FBI and reported a breach of access by an unknown administrative account bearing the name “KHS,” referring to Ferizi’s hacking outfit Kosova Hacker’s Security.28 After providing the account details to the FBI, the employees and server technicians tried to remove the DUBrute.exe malware, the IP scanner, and the KHS account that Ferizi used to gain top-level access to the server.29 Ferizi responded on August 19, 2015, by regaining access and emailing the company, threatening to release the full 100,000-plus user database if they deleted his files again. He also demanded payment in bitcoin.30 By that time, however, the company had already given the FBI consent to examine all contents of the server, including the IP addresses of those who accessed the server.31

The FBI found that someone using a Malaysian IP address used Structured Query Language injection (SQLi) to access the company’s server illegally. Ferizi logged into a Facebook profile, a Twitter account that he used to communicate with Hamayun Tariq, and the Skype account he used to message Junaid Hussain from that same IP address.32 While authorities prepared for Ferizi’s arrest, U.S. intelligence and military officials targeted and killed Hussain in late August 201533 as Hussain reportedly left an internet cafe in Raqqa.34

Back in Malaysia, Ferizi attempted to digitally clear evidence by reformatting hard drives and deleting files off the two laptops that he used for hacking jobs.35 On September 10, 2015, however, Ferizi used his Facebook accounts to send himself a spreadsheet titled “contact.csv” with 100,001 PII records.36 The FBI obtained a search warrant, accessed that account and file, and determined that it matched the company’s illegally accessed records. The Royal Malaysia Police arrested Ferizi at Kuala Lumpur International Airport on September 15, 2015, as he attempted to leave the country for Kosovo with two laptops.37 After his eventual extradition to the United States, Ferizi pleaded guilty to unauthorized access and material support violations in the Eastern District Court of Virginia.38

Islamic State Doxing and Kill Lists
Ardit Ferizi’s hacking efforts resulted in the publication of one of the best-known ‘kill lists’ released by Islamic State sympathizers, and to date, it remains one of the more sophisticated computer network operations on behalf of the group. Compiling the PII of U.S. persons, publishing the information (doxing), and calling for attacks is an established mode of operations for hacking groups aligning themselves with facets of the Islamic State’s agenda.39 In a 2017 interview in this publication, Lisa Monaco, former assistant to President Barack Obama for Homeland Security and Counterterrorism, discussed the Ferizi case, noting how it demonstrated that the Islamic State can sometimes “outsource” tasks like hacking to criminal actors instead of amassing such capabilities within its ranks.40 It seems, however, that sympathetic hackers range in their level of connection to central Islamic State external operations and media apparatuses, as well as their technical and tactical proficiency in hacking.41 Doxing efforts and the dissemination of kill lists may be attractive to aspiring online operatives because these measures are relatively feasible at the tactical level, even without expert-level hacking skills, and successfully instigate fear.42

The first reported ‘kill list’ distributed by individuals aligned with the Islamic State, which arguably popularized the technique, occurred in March 2015.43 Hussain and the Islamic State Hacking Division accessed information on members of the U.S. military from open-source research, tracking down addresses and emails from social media, accounts on major websites, and other publicly available sources.44 According to an FBI agent who worked on the Ferizi case, the FBI assessed that the PII on the March 2015 kill list “didn’t [come] from any type of [Computer Network Operations] attack, but [Junaid Hussain] was very good at open-source research … he even paid for some services like Lexis-Nexis to get actual home addresses.”45 The Hacking Division’s efforts resulted in the release of approximately 100 names and addresses that Hussain believed to belong to U.S. Air Force personnel at two bases in the Middle East.46 In conversations with Ferizi, Hussain claimed that the March 2015 effort was the inspiration for future efforts, including the August 2015 hitlist: “we will only release mil and gov … like u know the hitlist i made with addresses … we will make message to the kuffar and release the .mil and .gov.”47

Since March 2015 especially, other hacking collectives claiming affiliation to or supporting the Islamic State attempted to dox targets and publish kill lists. According to one study, Islamic State sympathizers released at least 19 separate kill lists, including the PII of European and American citizens, between March 2015 and June 2016.48 The majority were released by three separate groups: the Islamic State Hacking Division (ISHD), the Caliphate Cyber Army (CCA), and the United Cyber Caliphate (UCC).49 Broadly speaking, these targeted civilians, government employees, members of the military, and law enforcement.50 Evidence suggests that they varied in originality and authenticity, as further analyses discovered that some lists repackaged information from existing public sources.51 While threatening, such efforts do not require advanced cyber capabilities: “the publication of these lists only demonstrates an understanding of how to collate information and release it in such a way as to create the impressions of power.”52 Extending beyond the capabilities of these pro-Islamic State cyber groups, it is interesting to highlight the observation “that few groups appear to have explicitly expressed intent to target critical national infrastructure using cyberattacks.”53

The response to the release of kill lists of U.S. persons by Islamic State-affiliated hackers understandably evokes a great deal of concern from policymakers, practitioners, the public, and of course, the individuals on the lists.54 However, it is important to differentiate low- and medium-sophistication efforts (ranging from doxing attempts from open-source information to compromising government social media accounts and breaching the servers of private companies) from those that require drastically more resources and skills, like computer network operations targeting critical infrastructure or other large-scale cyber-enabled attacks. By recognizing the likelihood of certain attack types, and reducing the impact of low-level efforts, the counterterrorism community can proportionally respond to groups’ demonstrated abilities rather than hypothetical ones.55

Anecdotally, discerning the actual impact of these releases on attack plots in the United States is difficult. Cases involving reports of an American Islamic State sympathizer who, using the PII of individuals available on known kill lists, attempted to locate and attack them are problematic, but not especially common.56 In September 2015, for example, the now-convicted Virginia resident Haris Qamar told a confidential witness that the addresses of individuals named on one kill list were located near his home.57 Qamar told the confidential witness that he noticed undercover police cars near those residences, and based on those comments, authorities working on the case believed that “Qamar likely drove past those residences after their occupants were included on the ‘kill list.’”58 Authorities arrested Qamar in 2016, and he pleaded guilty later that year to attempting to provide material support to the Islamic State.59 Meanwhile in 2016, Maryland resident Nelash Mohamed Das was accused of plotting attacks against U.S. military personnel.60 Before receiving a fake target from an FBI confidential human source, he allegedly accessed one of the 2015 United Cyber Caliphate kill lists and selected an individual that lived nearby.61 Ultimately, the FBI arrested Das before he allegedly had the chance to carry out his plot, and a federal grand jury charged him with attempting to provide material support to the Islamic State.62 Das pleaded not guilty, and at the time of writing, his case is still pending.63

More U.S. prosecutions involve individuals who rebroadcast kill lists on social media rather than carrying out their instructions themselves. Between May and August 2015, the subsequently convicted Buffalo, Missouri, resident Safya Yassin posted the PII of several individual targets inside the United States alongside direct threats, culminating in her retweeting of the August 2015 Ferizi-Hussain list.64 In a similar case, Ohio resident Terrence McNeil solicited the murder of U.S. military personnel by reposting the March 2015 list of 100 servicemembers onto a Tumblr page he operated, alongside a direct call to murder the individuals on the list.65 Later that year, McNeil posted additional kill lists online and reiterated calls for the targeting of U.S. service members. He was subsequently convicted.66

Finally, authorities arrested Kentucky resident Marie Castelli after she distributed a five-page document containing PII onto a pro-Islamic State Facebook group in October 2015.67 Interestingly, there is evidence indicating that Junaid Hussain’s widow Sally Jones played a role in collating this document and disseminating it online, demonstrating that doxing efforts continued after Hussain’s death.68 Castelli pleaded guilty to communicating threats in interstate commerce in late 2017.69

Looking beyond their immediate results, doxings and kill lists represent a method for Islamic State sympathizers with limited cyber proficiencies, resources, technical capabilities, and direction to make an outsized impact. Sympathizers that merely repost this information require even fewer skills and resources. To date, very few of these attempts required the groups behind them to conduct advanced computer network operations; Islamic State-affiliated hacking groups instead used information that is largely available to the public to garner the information for lists. Whether Islamic State sympathizers will attempt to continue doxing operations into the future remains unclear, but it is likely that those with interest in online operations will gravitate toward efforts that create, from their point of view, a similarly high return on relatively low investment.

Other Hacking Efforts by American Jihadi Sympathizers
To further contextualize Ferizi’s acts of cyberterrorism within other manifestations of hacking-related and terrorism-oriented cases in the United States and abroad, it is productive to look to other individuals who used hacking techniques to advance their causes, with varying degrees of success.

In some instances, individuals might conduct lower-level hacks into social media accounts to achieve operational security70 with the goal of promoting pro-Islamic State materials and tactical information clandestinely. Waheba Dais, a Wisconsin woman who recently pleaded guilty to attempting to provide material support to the Islamic State, hacked into several “private social media platforms,” namely Facebook accounts, to communicate with others and share propaganda.71 [l] There is evidence that Dais and individuals in her network adopted this method to communicate with each other while avoiding detection by law enforcement.72 Although Dais engaged in other problematic behaviors online, including facilitating access to poison and bomb-making instructions and assisting in attack planning, the intent of her hacking efforts differs from some of the other cases discussed in this article.73 Here, hacking individual social media accounts served as a means to achieve operational security, and subsequently promote the objectives of a group. While undoubtedly troublesome, such efforts are less sophisticated and impactful than illegally accessing a company server to steal information and publish a kill list.

By way of contrast, the ongoing case of Chicago resident Ashraf Al Safoo and his pro-Islamic State online media network shows that some sympathizers may hack accounts to optimize their influence online and counteract the effects of account suspensions and removals by social media providers.[m] Al Safoo, who authorities charged with conspiracy to provide material support in October 2018, allegedly worked with a range of online co-conspirators to produce, coordinate, and disseminate propaganda across multiple social media platforms.74 Since such activities required regular access to active accounts, Al Safoo and other members of the Khattab Media Foundation purportedly “took steps to acquire access to as many accounts as possible” for sympathizers in their cohort.75 [n] These efforts included creating “account ‘banks’” and “hacking the accounts of legitimate social media users.”76 In a group chat, one contributor articulated their preference for hacked accounts, arguing that they stayed open longer than new accounts.77 Although Al Safoo and his contacts regularly emphasized the importance of operational security in their online activities, court filings indicated that the rationale behind hacking into accounts on various social media platforms appears motivated by the desire to broadcast their messages as opposed to masking their identities.78

As an entirely different illustration of how jihadi-inspired individuals may use hacking-related techniques to advance their causes, it is useful to discuss the American John Georgelas’ ventures prior to traveling to Syria and joining the Islamic State.79 While his current whereabouts are unknown, as a teenager, Georgelas joined a hacktivist group called “Global Hell,” which gained notoriety for some high-profile online intrusions that resulted in the prosecution of several of its members.80 Evidence from a formal investigation revealed that Georgelas expressed support for al-Qa`ida in private communications with a Canadian woman, and “provided technical support to a pro-jihad website, jihadunspun.com,” which served as “a propaganda vehicle to promote Osama Bin Laden and Al Qaeda.”81 As a young professional, Georgelas worked as a Datacenter Operations Technician at Rackspace, a server company with facilities in Texas. In 2006, during his time with the company, he gained unauthorized access to another computer server to identify the login credentials for the American Israel Public Affairs Committee (AIPAC.org), a client of Rackspace.82 Georgelas later admitted to investigating authorities that “he acted knowingly and intentionally exceeded his authorized access” and “intended to cause damage to the AIPAC.org website.”83 Seemingly compelled by ideological reasons, Georgelas’ aspirations for vandalizing the AIPAC site never came to fruition. Even so, Rackspace incurred more than $44,000 in damages as a result of Georgelas’ actions.84

Conclusion
Despite attracting a great deal of attention, particularly from mass media, experts largely agree that the Islamic State and the range of cyber actors and hackers that claim affiliation to the organization do not exhibit especially advanced cyberterrorism capabilities.85 In a 2017 interview, for example, Lora Shiao, then the National Counterterrorism Center’s acting director for intelligence, explained that the Islamic State “has minimal hacking skills.”86 Shiao elaborated, noting that members “are able to deface websites” and publish “‘hit lists’ of personally identifiable information on westerners, but this is primarily for intimidation.”87

In truth, while most pro-Islamic State hacking, doxing, and defacement efforts lack sophistication, these methods can effectively intimidate the public, cause reputational damage, and ignite fears about the threats posed by terrorism and cyberterrorism. Even if individual attacks have limited effects, the sum of events and the lack of clarity regarding attribution to the Islamic State inflates perceptions of cyber actors’ intent and technical aptitude. In recent years, “the omnipresence and professionalization of internet use by [Islamic State supporters] have led to a conflation of their presence online with a capability to undertake cyberattacks.”88 While matters concerning propaganda or terrorists’ use of technology for attack planning are undoubtedly serious, the Islamic State’s proficiency in strategic communications is not a good indicator of the organization’s ability to conduct offensive cyber operations. Moreover, the use of tactics like hacking, doxing, and defacements by pro-Islamic State actors does not suggest that the Islamic State or its online supporters are interested in, much less capable of, full-fledged cyberattacks targeting critical national infrastructure.

To date, these tactics remain relevant to those tasked with countering terrorism in the virtual arena. In March 2019, the FBI arrested Kim Anh Vo, a resident of Georgia and a reported member of the UCC-affiliated hacking collective called “Kalachnikv E-Security Team.”89 Vo, whose case is pending, claimed to the FBI during an interview that she worked primarily as a recruiter for the UCC, but also helped translate the group’s media releases and deface websites.90 In April 2017, Vo allegedly coordinated the publication of a kill list with UCC members in several countries, including Norway, the Netherlands, and Iraq. UCC hacktivists collected the PII of over 8,000 individuals during a website intrusion into a U.S.-based business.91 Using a Telegram group to facilitate communications between the UCC members and distribute the list, the UCC published it alongside a YouTube video, which threatened the individuals identified in the list.92

Although it is difficult to quantify the impact of Vo’s contribution, the continued use of these methods, from virtual vandalism to doxing, suggests that they remain favorable tactics among cyber groups today. In subsequent evaluations of the threats posed by cyberterrorism and terrorists online, it is vital to remain rooted in how terrorist organizations and individuals leverage various technologies and the internet.93 Since the complexity of operations varies, even among efforts such as hacking, doxing, and defacements, the counterterrorism practitioners responding to these threats must work to discern the technical capabilities each attack type requires, the nature of the target, the likelihood attacks come to fruition, and the material and perceptual impact of an attack. While it is useful to stay vigilant and prepared to cope with the worst-case scenarios, focusing on terrorists’ use of the internet, along with other criminal enterprises, can help prepare for the most likely scenarios.94 Even though the Islamic State does not demonstrate extensive offensive cyber capabilities, operational security and more defensive measures to remain online are priorities for the organization and its supporters.95

Audrey Alexander is a senior research fellow at the George Washington University’s Program on Extremism. Follow @aud_alexander

Bennett Clifford is a research fellow at the George Washington University’s Program on Extremism. Follow @_bCliff

Substantive Notes
[a] The FBI defines cyberterrorism as a “premeditated, politically motivated attack against information, computer systems, computer programs and data which results in violence against non-combatant targets by subnational groups or clandestine agents.”

[b] To offer an example, a February 2016 Gallup poll found that 73 percent of Americans regarded cyberterrorism (which the poll defined as “the use of computers to cause disruption or fear in society”) as one of the most critical threats to the United States. For context, cyberterrorism ranked slightly below the development of nuclear weapons by Iran, but above the spread of infectious diseases around the world, the conflict in Syria, and the military power of North Korea. Justin McCarthy, “Americans Cite Cyberterrorism Among Top Three Threats to U.S.,” Gallup, February 10, 2016.

[c] Doxing (also spelled ‘Doxxing’) is the act of gathering and disclosing or publishing an individual’s personally identifiable information (PII) online with the intent of harming a target with acts like public humiliation, stalking, identity theft, or harassment. For more information, see “How to Prevent Online Harassment from ‘Doxxing,’” Department of Homeland Security, April 2017.

[d] In its discussion about the attribution of this particular malware attack, The Citizen Lab report identifies “at least three possible sources for this malware attack: pro-regime/regime-linked malware groups, [Islamic State-linked hackers], or other, unknown hackers.” John Scott-Railton and Seth Hardy, “Malware Attack Targeting Syrian ISIS Critics,” Citizen Lab, December 18, 2018.

[e] One article explains, “while hacking groups such as Fallaga Team, Team System Dz, and the UCC carry out cyber campaigns in support of [the Islamic State] and create an appearance of projecting cyber-power from which [the Islamic State] benefits, there is no evidence that [the Islamic State] itself is coordinating or perpetrating cyber campaigns.” Rose Bernard, “These are not the terrorist groups you’re looking for: an assessment of cyber capabilities of Islamic State,” Journal of Cyber Policy 2:2 (2017).

[f] Another possible example is the 2015 case of TV5Monde, a French television station that was reportedly compromised in an attack claimed by a group called the “CyberCaliphate,” though subsequent investigation uncovered links to another politically motivated hacking group. For more, see “Cyber Operations Tracker – Compromise of TV5 Monde,” Council on Foreign Relations, April 2015.

[g] While slightly outside the scope of this article, which focuses on Ferizi’s hacking efforts on behalf of the Islamic State, investigators found that Ferizi coordinated with Islamic State sympathizers to host the organization’s propaganda on penvid.com. His initial intention in creating the site was to create a dedicated hosting platform without terms of service (ToS) enforcement to store Islamic State media permanently. The FBI later accessed the site, which Ferizi lacked the resources to maintain, using the Wayback Machine. “Criminal Complaint,” USA v. Ardit Ferizi, United States District Court for the Eastern District of Virginia, Case: 1:15-mj-515, 2015; Erin Joe and Ammar Barghouty, “Understanding Cyberterrorism: The Ardit Ferizi Case,” presented at RSA Conference 2018, April 19, 2018.

[h] To avoid confusion, please note that U.S. court filings call Hamayun Tariq by the name “Tariq Hamayun.” These variances reference the same person. For more on Hamayun Tariq, see Shiv Malik, “Briton claiming to be former Taliban bomb expert ‘joins Isis,’” Guardian, November 20, 2014, and Aimen Dean, Paul Cruickshank, and Tim Lister, Nine Lives: My Time as MI6’s Top Spy Inside al-Qaeda (London: Oneworld, 2018): ‘My Eighth Life’ and ‘Reflections.’

[i] In 2011, after gaining access to the personal email of an advisor to former British Prime Minister Tony Blair, TeaMp0isoN posted Blair’s address book online. “‘Team Poison’ hacker who posted Tony Blair’s details is jailed,” Telegraph, July 27, 2012.

[j] The status of the Islamic State Hacking Division as an “official” outfit within the Islamic State, similar to the status of many hacking collectives sympathetic to the Islamic State, is subject to legitimate dispute. To offer examples, three interpretations exist: that the Hacking Division was part of the Islamic State’s external operations wing; that Islamic State officials permitted Junaid Hussain to manage the division but did not officially charter it; and that Islamic State officials disapproved of Hussain’s initiative to start the Hacking Division. The Islamic State’s official and unofficial media have distanced the Islamic State from several other hacking collectives, including the United Cyber Caliphate and Caliphate Cyber Army. For more on these trends, see Bernard; Laith Alkhouri, Alex Kassirer, and Allison Nixon, “Hacking for ISIS: The Emergent Cyber Threat Landscape,” Flashpoint, 2016; Catherine Theohary, Kathleen McInnis, and John Rollins, “Information Warfare: DOD’s Response to the Islamic State Hacking Activities,” CRS Insight, Congressional Research Service, May 10, 2016.

[k] Although it is difficult to discern Ferizi’s motives for accessing private information for a kill list, it is interesting to note that he was aware of the March 2015 Islamic State Hacking Division kill list and defended the approach in communications with another individual before illegally accessing the Illinois-based company and contacting Hussain about that effort. See “Attachment B,” particularly the conversation with ‘Individual A’ on May 6, 2015, in “Position of the United States with Respect to Sentencing,” USA v. Ardit Ferizi, United States District Court for the Eastern District of Virginia, Case: 1:15-mj-515, 2016.

[l] Although Dais initially pleaded not guilty in 2018, she entered a guilty plea in March 2019. See “Plea Agreement,” USA v. Waheba Issa Dais, U.S. District Court in the Eastern District of Wisconsin, 2019.

[m] Al Safoo pleaded not guilty in November 2018, and his trial is still pending. USA v. Ashraf Al Safoo, U.S. District Court in Northern District of Illinois, Court Listener.

[n] According to court filings, Al Safoo and his co-conspirators online served as members of “Khattab Media Foundation,” which pledged an oath of allegiance to the Islamic State and worked to create and disseminate Islamic State propaganda online across multiple platforms. While coordinating propaganda in groups online, members of the Khattab Media Foundation acted at the “direction and control” of the Islamic State and the Islamic State’s media office. “Affidavit,” USA v. Ashraf Al Safoo, U.S. District Court in Northern District of Illinois, 2018.

Citations
[1] Peter Singer, “The Cyber Terror Bogeyman,” Brookings, November 1, 2012.

[2] Singer.

[3] Rose Bernard, “These are not the terrorist groups you’re looking for: an assessment of the cyber capabilities of Islamic State,” Journal of Cyber Policy 2:2 (2017).

[4] Ibid.

[5] “Cyber Jihadists Dabble in DDoS: Assessing the Threat,” Flashpoint, July 13, 2017.

[6] Dan Lamothe, “U.S. military social media accounts apparently hacked by Islamic State sympathizers,” Washington Post, January 12, 2015; Helene Cooper, “ISIS is cited in hacking of Central Command’s Twitter and YouTube Accounts,” New York Times, January 12, 2015.

[7] Lamothe.

[8] Brian Fung and Andrea Peterson, “The CENTCOM ‘hack’ that wasn’t,” Washington Post, January 12, 2015; David Gompert and Martin Libicki, “Decoding the Breach: The Truth About the CENTCOM Hack,” RAND Blog, February 3, 2015; Lamothe.

[9] Lamothe; Gompert and Libicki; Fung and Peterson.

[10] John Scott-Railton and Seth Hardy, “Malware Attack Targeting Syrian ISIS Critics,” Citizen Lab, December 18, 2018.

[11] Kim Sengupta, “Isis-linked hackers attack NHS websites to show gruesome Syrian civil war images,” Independent, February 7, 2017.

[12] Bernard. Additionally, as of April 22, 2019, the “About” section of Fallaga Team’s Facebook page explicitly states, “We Are not IsIs. We Are Tunisian Fallaga Team Cyber Resistance.”

[13] For more information on the history, evolution, and resilience of terrorists’ use of communications technologies and the internet, see Gabriel Weimann, “www.terror.net: How Modern Terrorism Uses the Internet,” United States Institute of Peace, March 2004; Gabriel Weimann, “Terrorism in Cyberspace: The Next Generation,” Woodrow Wilson Center Press with Columbia University Press, 2015; Aaron Brantly, “Innovation and Adaptation in Jihadist Digital Security,” Survival 59:1 (2017); Laurence Binder and Raphael Gluck, “Wilayat Internet: ISIS’ Resilience across the Internet and Social Media,” Bellingcat, September 1, 2017.

[14] “Criminal Complaint,” USA v. Ardit Ferizi, United States District Court for the Eastern District of Virginia, Case: 1:15-mj-515, 2015.

[15] Ibid.

[16] “Criminal Complaint,” USA v. Ardit Ferizi, United States District Court for the Eastern District of Virginia, Case: 1:15-mj-515, 2015.

[17] “Criminal Complaint,” USA v. Ardit Ferizi, United States District Court for the Eastern District of Virginia, Case: 1:15-mj-515, 2015.

[18] “Position of the United States with Respect to Sentencing,” USA v. Ardit Ferizi, United States District Court for the Eastern District of Virginia, Case: 1:16-cr-042, 2016.

[19] Ibid.

[20] John Carlin, “Inside the Hunt for the World’s Most Dangerous Terrorist,” Politico, November 21, 2018; Nafees Hamid, “The British Hacker Who Became the Islamic State’s Chief Terror Cybercoach: A Profile of Junaid Hussain,” CTC Sentinel 11:4 (2018); Alexander Meleagrou-Hitchens and Seamus Hughes, “The Threat to the United States from the Islamic State’s Virtual Entrepreneurs,” CTC Sentinel 10:3 (2017); Adam Goldman and Eric Schmitt, “Four Cases Connected to Hussain,” New York Times, November 24, 2016.

[21] Hamid.

[22] Erin Joe and Ammar Barghouty, “Understanding Cyberterrorism: The Ardit Ferizi Case,” presented at RSA Conference 2018, April 19, 2018; “Criminal Complaint,” USA v. Ardit Ferizi, United States District Court for the Eastern District of Virginia, Case: 1:15-mj-515, 2015.

[23] “Criminal Complaint,” USA v. Ardit Ferizi, United States District Court for the Eastern District of Virginia, Case: 1:15-mj-515, 2015.

[24] Ibid. See also “ISIL-Linked Kosovo Hacker Sentenced to 20 Years in Prison,” Department of Justice, September 23, 2016.

[25] “Position of the United States with Respect to Sentencing,” USA v. Ardit Ferizi, United States District Court for the Eastern District of Virginia, Case: 1:16-cr-042, 2016.

[26] “Criminal Complaint,” USA v. Ardit Ferizi, United States District Court for the Eastern District of Virginia, Case: 1:15-mj-515, 2015. See also “ISIL-Linked Kosovo Hacker Sentenced to 20 Years in Prison,” Department of Justice, September 23, 2016.

[27] “Criminal Complaint,” USA v. Ardit Ferizi, United States District Court for the Eastern District of Virginia, Case: 1:15-mj-515, 2015.

[28] Carlin.

[29] “Criminal Complaint,” USA v. Ardit Ferizi, United States District Court for the Eastern District of Virginia, Case: 1:15-mj-515, 2015.

[30] Ibid.

[31] Ibid.

[32] Ibid.

[33] “Iraq Progresses in ISIL Fight; Key Extremist Confirmed Dead,” U.S. Central Command, August 31, 2015.

[34] Adam Goldman and Eric Schmitt, “One by One, ISIS Social Media Experts Are Killed as Result of F.B.I. Program,” New York Times, November 24, 2016.

[35] “Criminal Complaint,” USA v. Ardit Ferizi, United States District Court for the Eastern District of Virginia, Case: 1:15-mj-515, 2015.

[36] Ibid.

[37] “ISIL-Linked Hacker Arrested in Malaysia on U.S. Charges,” Department of Justice, October 15, 2015.

[38] “ISIL-Linked Kosovo Hacker Sentenced to 20 Years in Prison,” Department of Justice, September 23, 2016.

[39] Tim Starks, “How the Islamic State Is Doing in Cyberspace,” Politico, December 7, 2017.

[40] Paul Cruickshank, “A View from the CT Foxhole: Lisa Monaco, Former Assistant to President Barack Obama for Homeland Security and Counterterrorism,” CTC Sentinel 10:9 (2017).

[41] Bernard.

[42] “Evaluating the Physical Threat from UCC ‘Kill Lists,’” Flashpoint, October 28, 2016.

[43] Joe and Barghouty.

[44] Ibid.

[45] Ibid.

[46] Ibid.

[47] “Position of the United States with Respect to Sentencing,” USA v. Ardit Ferizi, United States District Court for the Eastern District of Virginia, Case: 1:16-cr-042, 2016.

[48] “Special Report: Kill Lists from Pro-IS Hacking Groups,” SITE Intelligence, 2016.

[49] Ibid.

[50] Bernard.

[51] Ibid.

[52] Ibid.

[53] Ibid.

[54] Pervaiz Shallwani and Devlin Barrett, “Islamic State ‘Kill Lists’ Grow in Length, Targeting Ordinary Americans,” Wall Street Journal, May 10, 2016; “Are You on an ISIS Kill List?” CNBC, July 1, 2016; “Grassley Presses for Answers on FBI Handling of ISIS Kill List,” Chuck Grassley-United States Senator for Iowa, June 28, 2016.

[55] “Evaluating the Physical Threat from UCC ‘Kill Lists.’”

[56] Ibid.

[57] “Affidavit in Support of Criminal Complaint and Arrest Warrant,” USA v. Haris Qamar, United States District Court for the Eastern District of Virginia, 2016.

[58] Ibid.

[59] “Virginia Man Pleads Guilty to Attempting to Provide Material Support to ISIL,” Department of Justice, October 17, 2016.

[60] “Maryland Man Indicted with Attempting to Provide Material Support to ISIL,” Department of Justice, October 17, 2016.

[61] “Affidavit in Support of Criminal Complaint and Arrest Warrant,” USA v. Nelash Mohamed Das, United States District Court for the District of Maryland, 2016.

[62] “Affidavit in Support of Criminal Complaint and Arrest Warrant,” USA v. Nelash Mohamed Das, United States District Court for the District of Maryland, 2016. See also “Maryland Man Indicted with Attempting to Provide Material Support to ISIL.”

[63] USA v. Nelash Mohamed Das, United States District Court for the District of Maryland, Court Listener.

[64] “Criminal Complaint,” USA v. Safya Roe Yassin, United States District Court for the Western District of Missouri, 2016.

[65] “Affidavit in Support of Criminal Complaint and an Application for a Search Warrant,” USA v. Terrence Joseph McNeil, United States District Court for the Northern District of Ohio, Case: 5:15-mj-01176, 2015.

[66] “Ohio Man Sentenced to 20 Years in Prison for Soliciting Murder of U.S. Military Members,” Department of Justice, August 2, 2017.

[67] “Plea Agreement,” USA v. Marie Antoinette Castelli, U.S. District Court for the Eastern District of Kentucky, 2017; “Northern Kentucky Woman Arraigned on Charges of Communicating a Threat and Making False Statements to Federal Law Enforcement,” Department of Justice, September 9, 2016.

[68] Further description of the document Castelli shared, along with the chronology of events, aligns neatly with details about the information released by Sally Jones in early October 2015. See “Plea Agreement,” USA v. Marie Antoinette Castelli, U.S. District Court for the Eastern District of Kentucky, 2017. See also “Islamic State-Linked Hacker and Abu Hussain Al Britani Associate Arrested for Leak of U.S. Military and Government Personnel Information,” Flashpoint, October 2015.

[69] “Plea Agreement,” USA v. Marie Antoinette Castelli, U.S. District Court for the Eastern District of Kentucky, 2017.

[70] Brantly.

[71] “Wisconsin Woman Charged With Attempting to Provide Material Support to ISIS,” Department of Justice, June 13, 2018.

[72] “Affidavit,” USA v. Waheba Issa Dais, U.S. District Court in the Eastern District of Wisconsin, 2018.

[73] Ibid.

[74] “Affidavit,” USA v. Ashraf Al Safoo, U.S. District Court in Northern District of Illinois, 2018.

[75] Ibid.

[76] Ibid.

[77] Ibid.

[78] Ibid.

[79] For an overview of the life of John Georgelas, see Graeme Wood, “The American Climbing the Ranks of ISIS,” Atlantic, March 2017.

[80] Ibid.; “Former Data Technician at Local Internet Hosting Company and Self-Admitted Supporter of Pro-Jihad Website Sentenced to 34 Months for Attempting to Cause Damage to a Protected Computer,” Department of Justice, August 15, 2006; Roberto Suro, “The Hackers Who Won’t Quit,” Washington Post, September 1, 1999.

[81] “Former Data Technician at Local Internet Hosting Company and Self-Admitted Supporter of Pro-Jihad Website Sentenced;” Suro.

[82] “Former Data Technician at Local Internet Hosting Company and Self-Admitted Supporter of Pro-Jihad Website Sentenced;” Suro.

[83] “Former Data Technician at Local Internet Hosting Company and Self-Admitted Supporter of Pro-Jihad Website Sentenced.”

[84] Ibid.

[85] Joe and Barghouty; Bernard; Catherine Theohary, Kathleen McInnis, and John Rollins, “Information Warfare: DOD’s Response to the Islamic State Hacking Activities,” CRS Insight, Congressional Research Service, May 10, 2016.

[86] Starks.

[87] Ibid.

[88] Bernard.

[89] “Sealed Complaint,” USA v. Kim Anh Vo, United States District Court for the Southern District of New York, Case: 19-mj-002334, 2019. Unsealed on March 12, 2019.

[90] Ibid.

[91] Ibid.

[92] Ibid.

[93] Singer.

[94] Ibid.

[95] Brantly.
