The concept of “cyber terrorism” equates to a primary propaganda tool for pro-Islamic State (IS) hackers and their counterparts in other terrorist movements. Although informational gaps on pro-IS hacking groups exist, there are often overestimations of the capabilities of such groups, which is the driving force behind massive IS propaganda campaigns.
As the digital environment is evolving into a crucial part of everyday life, the attack surface for hostile activities is simultaneously increasing. Even though al-Qaeda took the first step in exploring opportunities in cyberspace, IS is the pioneer when utilising the digital environment as a means for terrorism ends.
Actors in the digital environment linked to IS are utilising digital capabilities beginning in 2014. Since then, IS has been increasing its digital footprint by establishing several affiliated organisations.
IS digital operations have mainly focused on information and communication technology (ICT) to promote, facilitate, or engage in acts of terrorism. In the last decade, IS has frequently used online platforms to spread propaganda, enhance recruitment, and offer instructions and information on training and targets.
Digital tools are also enabling financing and more explicit cyberattacks [source]. However, even though they can inflict harm on target networks, physical attacks still make up a prime focus on achieving strategic goals. Hostile actors mainly use the internet to disseminate propaganda and spread fear [source].
In 2015, cybersecurity expert Mikko Hyppönen at F-Secure expressed concerns about IS cyber terrorism capabilities in cyberspace, concluding that “The Islamic State is the first extremist group that has a credible offensive cyber capability” and that “Clearly, this situation isn’t getting better. It’s getting worse. “[source]. However, such capabilities are yet to materialise.
2.0. Situational Report
Since at least 2014, IS-affiliated actors are increasingly conducting hostile operations in the digital environment. Open sources identify at least six groups operating on behalf of IS:
- The Caliphate Cyber Army (CCA)
- Islamic State Hacking Division (ISHD)
- Islamic Cyber Army (ICA)
- Rabitat Al-Ansar – League of Supporters
- Sons Caliphate Army (SCA)
- United Cyber Caliphate (UCC)
However, it is important to note that many of these pro-IS collectives, including the UCC and the Cyber Caliphate Army, are not formally associated with IS “central”. The history, terminology and evolutions of the cyber groups linked to IS’ central arm are not straightforward. Many prominent actors with well-known aliases are likely devolved individuals with no formal link to the terror organisation.
Further complicating the picture is that the recent history of groups claiming IS affiliation is littered with unproven claims of group mergers which have gone by various names [source].
Hence, IS-affiliated actors in cyberspace are challenging to assess from open sources. The connections between the groups are unclear, as are their communication and coordination from IS leadership. Assessments point toward a loose network of actors operating under a reportedly united umbrella. However, this network lacks resources, organisation, and official acknowledgement from IS leadership [source]. Among some groups, there are indications of varying levels of connection to IS, with the ISHD as the most prominent example. The CCA and UCC have seen no promotion of their content by any official IS channel [source].
2.1. The Cyber Caliphate Army
After the caliphate declaration in the Summer of 2014, the first pro-IS actors emerged. During this time, a cyber caliphate group claimed credit for several attacks generating global awareness. Reportedly, the CCA merged with at least three other pro-IS hacking groups in 2016. They merged under the umbrella group, The United Cyber Caliphate (UCC) [source; source].
2.2. Islamic State Hacking Division
The Islamic State Hacking Division emerged in early 2015. They appeared to be inspired by, and loosely affiliated with, the Cyber Caliphate. Both groups share the roots of the pioneer Junaid Hussain’s leadership. However, there are no indications of ISHD operating under the UCC umbrella. Furthermore, ISHD gained global attention in 2015 with its kill list of 100 United States (US) military personnel. Another list of 1,500 military and government personnel follows this list. In contrast, members of the CCA and UCC are unknown outside of their hacking aliases. Official IS channels have not promoted their kill lists or other releases. [source].
2.3. Islamic Cyber Army
On 10 September 2015, the self-proclaimed “Islamic Cyber Army” (ICA) hacking group tweeted its first official statement: “the hackers’ Supporters of the Mujahideen configure under the banner of unification in the name of Islamic Cypher [sic] Army to be …[the] working front against the Americans and their followers to support the ISLAMIC STATE Caliphate with all their forces in the field of e-jihad”. However, no available data shows the group as especially active or harmful. Back in 2015, it mainly conducted propaganda campaigns and indiscriminate attacks defacing websites, i.e. small-scale sabotage [source].
2.4. Rabitat Al-Ansar
Rabitat Al-Ansar is part of a larger pro-Islamic State media collective called the Media Front. Initially, the group was not known as a cyber unit but operated to support IS as a jihadi propaganda media unit, releasing articles and jihadi material to support the group. Despite a growing community of IS supporters engaging in cyber-attacks, Rabitat Al-Ansar followed suit, eventually claiming credit for purported hacks. The group’s targets have mostly been individual data and the financial sector in the US. However, some of the group’s claimed attacks show a lack of resources and an intention to spread fear through propaganda rather than achieving any significant harm in cyberspace [source].
2.5. Sons Caliphate Army
Sons Caliphate Army (SCA) emerged in January 2016. The group appeared to be closely linked to the CCA as their establishment was first broadcasted on the CCA Telegram channel. Moreover, the two groups interlinked when spreading content and claims of credit, showing shared coordination different from other groups. The group primarily conducts hacking operations targeting Facebook and Twitter accounts. Later, they merged under the UCC umbrella [source; source].
2.6. United Cyber Caliphate
The proclamation of the UCC took place on 4 April 2016. A new collective emerged because of the merger of several groups; among them were the relatively inactive Ghost Caliphate Section, the SCA, and the CCA. Furthermore, the CCA-linked Kalashnikov E-Security Team followed suit. The group emerged in March 2016 and is known to perform website defacements and provide technical support to IS supporters. Moreover, and although disputed, there are indications of links between UCC and the Palestinian hacker group AnonGhost [source].
3.0. Tactics, Techniques, and Procedures
3.1. Typical Practices
As cyber terrorism entails malicious cyber activities to promote a political, religious, or social agenda, there are several typical practices attributed to cyber terrorist groups and IS in particular. These include:
- Denial of Service (DoS) attacks and Distributed Denial of Service (DDoS) attacks,
- Web defacement, which may include negative or derogatory comments against the government, political parties or other religious organisations,
- Disinformation/Misinformation campaigns,
- Theft or corruption of critical data-unauthorised access to sensitive information to access, steal or destroying data,
- Exploitation of system vulnerabilities (to cause unavailability, loss of service, misrepresentation),
- Virus attacks which cause system failover, unavailability or disruption of services [source].
3.2. Attack Categories
There are three primary attack categories. First is an attack targeting an organisation’s gateway, such as its internet sites. Standard methods are denial of service (DoS) attacks or defacements of the websites. Second is an attack targeting an organisation’s information systems, and the third is targeting core operational systems such as industrial control systems (ICS). Hence, attacks targeting digital systems take place at many levels of complexity and sophistication, each with different requirements regarding technology and funding.
When looking at IS-linked hacker groups, the intentions primarily focus on the spread of IS content, online communication, and covert digital financing. Previous cyber attacks targeting information systems and large databases have, in most cases, proven to be information collected from open sources of other groups’ attacks [source]. Hence, the groups are in the first attack category and have yet to prove any significant complex capabilities targeting information or operational systems.
4.0. Links to Russia
In 2015, French intelligence and the US cybersecurity firm FireEye found evidence suggesting that a large-scale attack targeting the French TV station TV5Monde, had links to the Russian state-sponsored Advanced Persistent Threat (APT) group Fancy Bear [source]. As the responsibility for the attack had recently been claimed by the CCA [source], the information pointing towards Russian involvement may suggest a certain degree of Russian support of pro-IS hacking groups.
5.0. Some Concluding Thoughts
Even though available information on pro-IS cyber terrorism groups is scarce, we must make some analyses. Evidently, the capabilities of such groups have been largely overestimated, which is the intention behind the massive IS propaganda campaigns. As for now, there are at least two reasons IS acts of cyberterrorism remain in the very basic attack categories.
First, sophisticated cyber capabilities are expensive and often a onetime weapon. When launched, the target will detect and identify the malware and contain and patch the vulnerabilities in its systems. If not integrated into a coherent strategy, a sophisticated cyberattack by a pro-IS group will probably not have any substantial effects. Second, the incentives for IS to conduct hostile kinetic operations will only increase when their old methods are no longer effective.
For now, the propaganda and scary narratives of IS cyber terrorism capabilities serve their intended purposes, i.e. spread fear and reach on a global scale. The concept of cyber terrorism does make up a primary propaganda tool for pro-IS hackers and their counterparts.