Entering a skill free zone
The Islamic State is running out of hackers after the US announced the death of the Bangladeshi Siful Haque Sujan, aka Abu Khalid al-Bengali. Sujan was possibly the top ISIS hacker following the death-by-drone of Junaid Hussain, aka TRiCK, aka Abu Hussain al-Britani.
— Paul P. Murphy (@murphy) December 29, 2015
Dearth of Talent is no Excuse
Junaid had some minimal hacking skills, having at least been in a black hat hacking crew (TeaMpoisoN) when he was arrested for hacking Tony Blair’s email account. Although labeled a hacker by the US forces that killed him, Sujan had no such pedigree or skillset.
Sujan appears to have had technical literacy, and possibly even knew how to program, but he does not appear to have had cyber security skills. It seems likely that he gained the ISIS hacker mantle by simply being the “computer guy” at the ISIS shop. The most specific description the Western forces could come up with for his hacking responsibilities was “anti-surveillance,” i.e. he read privacy manuals.
“An Inconvenient and an Annoyance”
ISIS has not had much luck conducting offensive cyber attacks. The biggest hack attributed to the ISIS hacker crew — Cyber Caliphate — was the TV5Monde hack, but it was actually a false flag operation by Russia. Even if it had been carried out by ISIS affiliated hacktivists, it is no more impressive than any other hacktivist attack (i.e. low skill).
ISIS’ biggest actual hack was a trivial takeover of the CENTCOM Twitter and YouTube accounts. This sort of account takeover is similar to what Junaid did against Tony Blair’s email account. In fact, taking over Twitter accounts seems to be common practice in ISIS Twitter circles.
The only cyber security skills that have been displayed are very simple attacks that rely on luck and perseverance more than skill. The general level of ISIS cyber operations has been no more than entry level. They appear to have no medium or advanced cyber capability at all. The extent of their cyber capabilities has been:
- brute forcing account passwords
- phishing emails for account passwords
- phishing emails with primitive malware
- [maybe] SQLi and other web app security basics
There was one Kosovan hacker, Ardit Ferizi, associated with ISIS who was able to do web site hacks. He was caught quickly due to his terrible operational security — he used his real name on his Twitter account that he used to post hacked data and interact with ISIS accounts. Reading between the lines suggests that he used SQL injection, or other basic web hacking techniques. It seems very likely this was the limit of his meagre skills.
Stacks on Stacks on Stacks…
Rumors inside Al Raqqa say that Hussain managed to get ISIS a huge amount of money, through hacking,
It is entirely possible that Junaid was engaged in cyber criminal activities that generated money. For example, by hacking web retailers and stealing credit cards. The usual approach is to steal something of value and then convert it to cash. Typically this will involve using stolen credit cards to purchase items that can be converted to cash. How TRiCK would cash out in Syria is something of a mystery, but it is possible. Petty cyber crime of the sort that TRiCK was capable of simply does not generate “a huge amount of money.”
The most advanced cyber operation ISIS conducted was a single malware campaign using extremely primitive malware targeting the anti-ISIS “Raqqa is being Slaughtered Silently” media group. This campaign has been tentatively linked to ISIS based mostly on cui bono attribution. While the use of custom malware and targeted emails resembles the playbook of APT style operations, the similarities stop there. This attack was poorly executed and used crude homebrew malware. There don’t appear to have been repetitions of this style of attack either, or improvements over time. This suggests that cyber ops failed to provide the information they needed, and the necessary investment in personnel, training and tooling has not happened.
Garbage In, Garbage Out
Despite breathless articles beating the “ISIS cyberterror” drum, ISIS have struggled to recruit cyber talent to their cause. Their internal development and training program is an embarrassment. ISIS struggles to develop their own cyber security content, both for anti-surveillance and for information security. Their training proposal is based on repurposed existing penetration testing tutorials, prominently featuring a series of basic introduction-to-Metasploit videos.
Although a motivated and skilled computer user could train themselves to use Metasploit using these videos, this is not the best approach to developing a skilled cyber operator. Watching online videos won’t make someone a gourmet chef any more than it will make them a hacker. To develop a cyber operations center requires talent, skill, funding and training. Starting with a video course on Metasploit is as laughable as starting a Michelin star restaurant by watching Jamie Oliver YouTube videos.
Don’t believe the hype. From their dwindling talent pool of low grade hackers, to their limited cyber operations and their poor training regime, it is clear that ISIS do not pose a credible cyber threat to anyone. While this may change in the future (anything’s possible), it seems very unlikely that they will possess the capability to do any damage to anyone. ISIS simply are not a serious cyber threat actor.