Pro-ISIS hackers: Tactics, methodology and tools

While the threat that emanates from ISIS-inspired cyber attacks is of high concern, especially in light of the formation of a new United Cyber Caliphate composed of previously disparate pro-ISIS hacking collectives, these hacking groups still operate unofficially and remain poorly organized and are likely underfunded, according to Flashpoint.

pro-ISIS hackers

“Given prior attacks that compromised the CENTCOM and Newsweek Twitter accounts, new concerns regarding ISIS’s cyber capabilities have clearly emerged. Until recently, our analysis of the group’s overall capabilities indicated that they were neither advanced nor did they demonstrate sophisticated targeting,” said Laith Alkhouri, Director of Research & Analysis for the Middle East and North Africa at Flashpoint. “With the latest unification of multiple pro-ISIS cyber groups under one umbrella, there now appears to be a higher interest and willingness amongst ISIS supporters in coordinating and elevating cyber attacks against governments and companies.”

The pro-ISIS hacking landscape

For the vast majority of its existence, the pro-ISIS hacking landscape was composed of at least five distinct groups that launched campaigns in support of the terror group. Evidence indicated that these collectives overlapped or coordinated with one another in certain campaigns, pooling their resources and manpower.

This confluence culminated in the April 4, 2016, announcement of a new group called the “United Cyber Caliphate,” following the formal merger of several groups. These efforts suggest a growing pro-ISIS community of hackers that is expected to expand further, especially if the collective’s online operations become successful. Even limited success could inflate their notoriety and enable them to continue to grow their capabilities and attract talent.

Researchers noted that thus far, pro-ISIS hackers appear to have launched attacks primarily on government, banking, and media targets. These targets appear to be not only the focus of attacks but also what generate the most publicity for the groups behind them. However, these attacks remain relatively novice-level and are mostly attacks of opportunity. Such attacks include finding and exploiting vulnerabilities in websites owned by, for example, small businesses, and defacing or DDoSing their websites. As these actors mature, they will continue targeting financial institutions.

Factors supporting the analysis

Cyber Caliphate and Islamic State hacking division: An overview of these groups’ targets, accomplishments and ability to obtain sensitive data, along with a review of past attacks where these groups have been successful in launching cyber threat incidents.

Call for cyber recruits: While ISIS has not explicitly attempted to recruit sophisticated hackers, Deep & Dark Web forums can be used as a training ground, allowing ISIS followers with low-level technical and hacking abilities to hone their skills. Deep & Dark Web forums include sections containing both beginner and advanced hacking courses, hacking tools and manuals, as well as ways to communicate with others for support and guidance.

Techniques and tactics: While it is difficult to assess what techniques, tactics, and procedures (TTPs) ISIS’s supporters employ, based on the types of cyber attacks the various pro-ISIS hacking groups have claimed responsibility for, Flashpoint analysts believe pro-ISIS hackers depend on coordinated campaigns, social media, use of malware, and specific technical tools.

Hacking tools vs. malware: Pro-ISIS cyber actors are likely to download hacking tools from publicly available sources while also utilizing both off-the-shelf and custom malware.

The complete report is available here.