Doxing and Defacements: Examining the Islamic State's Hacking Capabilities.

• Author: Alexander, Audrey

Popular conceptions of 'hackers' or 'cyberterrorists' evoke images of inexplicably hooded figures, lurking behind laptops and coding unimaginably detrimental software. From the public conscious to political rhetoric, this misconception places a wide array of digitally coordinated terrorist-related activities into a homogenous category, making it difficult to parse the nuances of varying networks and tactics. In the case of the Islamic State, inflated perceptions of the group's capabilities can sometimes eclipse the reality.

The digital capabilities of the Islamic State, much like the virtual efforts of competing and preceding terrorist groups, are difficult to measure yet consistently elicit a great deal of public concern. In a 2012 article titled "The Cyber Terror Bogeyman," Peter Singer explained that fear and perceptions of the cyberterrorist threat often blur the realities of terrorist capabilities, at least in part because of elusive conceptions of the term "cyberterrorism." (1) While the Federal Bureau of Investigation offers a relatively specific definition that is predicated on select efforts that result in violence, (a) other discussions of cyberterrorism tend to "sweep all sorts of nonviolent online mischief into the 'terror' bin." (2) This appears to result in the inflation of perceptions of cyberterrorism and the dangers it invites. (b)

The prolific nature of Islamic State propaganda online, paired with a piqued but murky comprehension of cyber threats by the public, creates an environment where actors with ties to the group are presumed to pose a genuine threat to national security, and possibly critical national infrastructure. (3) Unfortunately, this logic "conflates the ability to produce and disseminate targeted propaganda with the ability and intent to carry out destructive cyber attacks." (4) While the flow of terrorist content online and the feasibility of attack planning remain critical problems that require political and legal interventions, each threat-type is distinct and bears different degrees of risk from other methods. Since the sophistication of operations also varies, even among efforts such as hacking, doxing, (c) defacements, and distributed denial of service attacks (DDoS), it is useful to consider the technical capabilities each method requires, the nature of the target, the likelihood the plan comes to fruition, and the material and perceptual impact of an attack. (5)

Assessing cyber measures in this manner can help contextualize online threats by highlighting the gap between perception and reality while flagging strategic and operational implications for policymakers and practitioners. The well-publicized 2015 hack of the United States Central Command's (CENTCOM) social media accounts by actors claiming links to the Islamic State offers one opportunity to leverage this approach. In short, hackers compromised CENTCOM's Twitter and YouTube accounts, and posted threats, propaganda, and military documents. (6) Although this intrusion was jarring, subsequent investigation revealed that no classified information was disseminated, and that "virtually all of the documents posted were publicly available online." (7) Even though the hacking group intended to cast its effort as a large-scale data breach, commentators suggested that compromising CENTCOM's social media accounts required far less sophistication than hacking into CENTCOM's computer systems. (8) In the end, this event was a nuisance and public relations problem for the U.S. government, military, and law enforcement, but various analyses and a statement from the military narrowly regarded the hack as a case of web defacement and "cyber vandalism." (9)

Beyond capability, intention, and impact, the genuine nature of the relationship between online operatives and terrorist groups, and the attribution of attacks, are also elements that require further consideration. Much like terrorist attacks around the world, claims of responsibility for targeted efforts in the virtual arena are not always stated or discernible. In November 2014, the email of a person affiliated with Raqqa is Being Slaughtered Silently (RSS), a Syrian media group critical of the Islamic State, was targeted with social engineering and malware designed to reveal their location. (10) After analyzing the attack, researchers at The Citizen Lab assessed that "[Islamic State] can't be ruled out" as a possible source of the malware, but were ultimately "unable to connect this attack to [Islamic State]" or other supporters of the organization/ To complicate matters more, cyber groups that appear associated with the Islamic State and conduct campaigns that benefit the Islamic State are not necessarily connected to the Islamic State and its leadership. (e) In February 2017, for example, the Tunisian Fallaga Team conducted a website defacement campaign that targeted the NHS websites in the United Kingdom with graphic photos of the Syrian Civil War; some media reports covering the attack described Fallaga Team as "[Islamic State]-linked." (11) Ultimately, even though Fallaga Team leverages some political imagery linked to the Islamic State in defacement campaigns, it is crucial to remember that is has "not made any official declaration of loyalty" to the Islamic State or online groups that are pro-Islamic State. (12) These attacks, among others, (f) show that affiliation and attribution to Islamic State in the digital sphere is not always clear-cut. In practice, such nuances can dictate the courses of action viable to law enforcement authorities tasked with countering and preventing terrorism and other criminal activities.

To confront this elusive problem, it is vital for policymakers, practitioners, and scholars to tether the issue to genuine appraisals of the threat and disaggregate the capabilities and intentions of the actors involved. (13) By counterbalancing speculation about the worst-case cyberterrorism scenarios with concrete examples of the actions jihadi-inspired actors take in cyberspace, this article attempts to shed light on some of the 'hooded figures' by examining various uses and implications of hacking and doxing tactics among Islamic State supporters. As noted earlier, the case of Ardit Ferizi, one of the better-known hackers with links to the Islamic State, is an instructive example to discuss the capabilities, methods, and networks of pro-Islamic State hackers.

Ferizi and the August 2015 'Kill List'

Beginning in April 2015, Kosovar national and hacker Ardit Ferizi provided support to the Islamic State by transmitting personally identifiable information (PII) of U.S. and Western European citizens to Islamic State members in Raqqa, Syria. (14) Ferizi, a computer science student at a Malaysian university, led a group of ethnic Albanian hackers known as "Kosova Hacker's Security," which compromised over 20,000 websites throughout Eastern Europe, Israel, and the United States. (15) He also managed penvid.com, an online file-sharing service that hosted Islamic State propaganda. (16g)

According to U.S. court documents, the first known online interactions between Ferizi and Islamic State members occurred via Twitter in April 2015. Using the handle @Th3Dir3ctorY, Ferizi sent a direct message to @Muslim_Sniper_D, an account operated by Hamayun Tariq, a British Islamic State fighter. (17 h) In his message, Ferizi explains, "Brother i have 4 million data of kuffar countrys (sic) which attacking islamic state," and attached screenshots of credit card and account information from over 60 citizens of Western countries. (18)

Hamayun Tariq directed Ferizi to contact another Islamic State member, Abu Hussain al-Britani, telling Ferizi that "[he] is my friend he told me a lot about u." (19) Abu Hussain al-Britani was the kunya of Junaid Hussain, a notorious British Islamic State member who directed attacks in Western countries through the use of digital communications technologies. (20) Prior to traveling to Islamic State-controlled territory in 2013, Hussain, like Ferizi, was a politically motivated hacktivist. Under the pseudonym TriCK, Hussain was part of a hacker's collective named TeaMp0isoN, which coordinated hacks against select targets, including the U.K. government. (21i) After joining the Islamic State, Hussain supported some hacking-related and doxing efforts under the banner of the Islamic State Hacking Division; In March 2015, for example, Hussain posted a 'kill list' comprised of the names and addresses of 100 members of the U.S. military. (22)

On June 13, 2015, aware of and possibly inspired by the March 2015 Islamic State Hacking Division kill list, (k) Ferizi illegally obtained "system administrator-level access" to the servers of an Illinois-based company and accessed customer records databases, containing the PII (including phone numbers, email addresses, physical addresses, and passwords) of approximately 100,000 store patrons. (23) Refining his search to entries with a .gov or .mil email address, Ferizi compiled a list of 1,351 U.S. government or military personnel. (24) The same day, Ferizi contacted Junaid Hussain on Skype and provided him links to lists of .gov and .mil email "dumps" that he pulled from the database. Hussain replied, "Akhi [brother] this will hit them hard... we will make a good message to the kuffar." (25)

Two months later (in August 2015), "in the name of the Islamic State Hacking Division," Hussain tweeted a link to the information Ferizi stole alongside the post: "NEW: U.S. Military and Government HACKED by the Islamic State Hacking Division!" (26) The 30-page document contained the PII of the 1,351 U.S. persons with .gov and .mil addresses, preceded by a brief threat from the Hacking Division: "we are in your emails and computer systems... we are extracting confidential data and passing on your personal information to the soldiers of the...