Just days before the tragic Orlando terrorist attacks, which killed 50 people and injured dozens more, the United Cyber Caliphate, a pro-ISIS hacking group, released a ‘kill list,’ containing the names and addresses of over 7,000 Americans with instructions for supporters to follow and kill those listed.
The list was released through a private channel on the encrypted messaging app Telegram. The list identified 8,318 people and included names, addresses, and email addresses, according to Vocativ.
It is unclear how the names on the list are related or why they were selected as part of the list. Additionally, it is not known if the information posted contains any new data or displays information that was already available online.
The information was posted in both Arabic and English with images promoting the terrorist organization ISIS. The group also published images of US air bases from around the world, though the same images are available on Google Earth.
The release of this information comes at a time when terrorist-hacking organizations are increasing their online presence. This is not the first hack to feature the personal information of potential targets, though it is believed to be the largest to date.
Targets on these types of lists are traditionally chosen based on their affiliation with government, media or financial institutions. Previous online terror threats include hacking groups releasing the names and information of State Department employees and Minnesota law enforcement among others, according to an April 2016 study by Flashpoint, a global leader in Deep & Dark Web data and intelligence.
The initial emergence of a pro-ISIS cybersecurity threat occurred in 2015 when the Cyber Caliphate hacked into the Twitter accounts of Newsweek and CENTCOM. This generated international publicity for the responsible party. Flashpoint credits this hack as the impetus behind the emergence and creation of other pro-ISIS hacking movements and organizations.
“Given prior attacks that compromised the CENTCOM and Newsweek Twitter accounts, new concerns regarding ISIS’s cyber capabilities have clearly emerged. Until recently, our analysis of the group’s overall capabilities indicated that they were neither advanced nor did they demonstrate sophisticated targeting,” said Laith Alkhouri, Director of Research & Analysis for the Middle East and North Africa and a co-founder at Flashpoint.
The creation of the United Cyber Caliphate, the organization responsible for the recent kill list, is the first time hacking groups supporting ISIS have announced a formal merger.
The Cyber Caliphate was formed after four known hacking groups joined in April: the Caliphate Cyber Army, responsible for the initial Newsweek hack; the Sons of Caliphate Army, the group notorious for releasing a video threatening social media executives; Ghost Caliphate Section, a group that had remained relatively inactive before the merger; and Kalashnikov E-Security Team, which self-identifies as an expert in hacking techniques.
“With the latest unification of multiple pro-ISIS cyber groups under one umbrella, there now appears to be a higher interest and willingness amongst ISIS supporters in coordinating and elevating cyber attacks against governments and companies,” said Alkhouri.
The organizations announced their conglomeration on a private Telegram channel, the same platform used to release the kill list. The unification of several online groups suggests the increased importance of hacking technologies and encryption among ISIS supporters. While these hacking groups pledge allegiance to ISIS, they are not currently directly affiliated with the organization, nor are they claimed or acknowledged by ISIS.
Groups traditionally publish content and messages on easily accessible apps, such as Telegram. The encryption technology behind this app prevents access to the information shared, except by individuals on either end of the conversation. This prohibits third parties from accessing the content.
In addition to private conversations and channels, hacking groups often maintain active social media accounts on Twitter and Facebook. By promoting content online, supporters gain more publicity and notoriety for the terrorist organizations they pledge allegiance to. It is common for ISIS supporters to use hashtags and photos to encourage future hacks and data breaches.
The security policies of both Twitter and Facebook prohibit the promotion of terrorist-affiliated content. However, terrorist groups continue to create accounts and promote content. A subset of the United Cyber Caliphate, formerly the Sons of Caliphate Army, threatened the safety of the social media platforms’ creators and current users.
In February, Homeland Security Today reported that Twitter suspended 125,000 accounts for promoting or threatening terrorism. The company also said they increased the size of the teams that review reports, reducing response time, and are leveraging proprietary spam-fighting tools to identify other accounts with potential terrorist connections.
Although Twitter’s announcement represents a positive step forward, some lawmakers expressed concern that it is not enough and that legislation is needed mandating that social media companies police their networks for terrorist activity.
While there has been significant growth in the online presence of terrorist-related activity, Flashpoint states that the breaches conducted by these pro-ISIS hacking groups are not as severe as they are publicized to be. Flashpoint outlines discrepancies in the affiliation of several groups as well as duplications in the publication of various data as reasons to doubt the authenticity of these hacks.
Flashpoint has also speculated on whether the data released is personal information or a collection of information that is already publicly available. Previous hacks have contained so-called sensitive information that was aggregated online, without breaching personal data.
Although poorly organized, and likely under-resourced, the United Cyber Caliphate remains a very real cybersecurity threat with the ability to inflict significant damage over the Internet.