Moon of Alabama
Since late 2014 the Islamic State in Iraq and Syria (ISIS, terrorist organization, banned in Russia by court order) had its own hacking group. It waged cyber attacks against media and military targets. The group became known as United Cyber Caliphate (UCC).
Later on some "experts" attributed the UCC attacks to Russia. They claimed that the Cyber Caliphate did not exist but was a Russian false flag operation. There is now new evidence such claims are nonsense.
The attacks claimed by the Cyber Caliphate included:
- Jan 2015 – Twitter and YouTube accounts of the U.S. CentCom taken over and filled with pro-ISIS messages.
- Mar 2015 – United States Air Force's pilots list with detailed personal information posted online.
- Apr 2015 – French TV5Monde live feed and social media hacked and defaced with the message "Je Suis ISIS".
- Apr 2015 – Australian airport website defaced with ISIS message.
- Aug 2015 – United States' military database hacked and data of some 1400 personnel posted online.
- Sep 2015 – British government emails hacked. Email addresses of top cabinet ministers published.
- Apr 2016 – UCC successfully hacks 20 Australian business websites, redirects them to ISIS content.
- Apr 2017 – UCC released a kill list of 8,786 people.
ISIS delivered flawless propaganda material with well edited videos and created its own glossy magazines. Producing these required computer expertise. It was thus not astonishing to learn that some hackers had joined ISIS and worked with its media team. From an ISIS perspective the above listed targets all made sense. There was no reason to doubt the ISIS claims.
But then the 'Russia scare' nonsense took over. Suddenly each and every assumed computer attack, including those by the Cyber Caliphate, was attributed to Russia:
Russian hackers linked to the Kremlin could be behind one of the biggest attacks to date on televised communications, which knocked French station TV5Monde off air in April, sources familiar with France’s inquiry said…
Hackers claiming to be supporters of Islamic State caused the public station’s 11 channels to temporarily go off air and posted material on its social media feeds to protest against French military action in Iraq…
U.S. cybersecurity company FireEye, which has been assisting French authorities in some cases, said on Wednesday that it believed the attack came from a Russian group it suspects works with the Russian executive branch…
Information about the TV5 attack was published on a website branded as part of the “Cyber Caliphate,” a reference to the Islamic State.
But the site was hosted on the same block of Internet Protocol addresses and used the same domain name server as the group called APT28 by FireEye and Pawn Storm by Trend Micro, another large security company.
[T]he Cyber Caliphate is a Russian intelligence operation working through what spies term a cut-out.
U.S. secret agencies, including the National Security Agency, which controls American cyber-espionage and works closely with CYBERCOM, came to similar conclusions: "APT 28 is Russian intelligence, it’s that simple,” explained an NSA expert to me recently…
In other words, the Cyber Caliphate is a Russian false-flag operation.
The snake-oil sellers and the writer above (intentionally) mistake methods for actors. The Advanced Persistent Threat (APT) number 28 describes a certain course of action taken during a hack. It is a well known method that can be identified to some degree. But recognizing a method does not identify the persons that use it.
If a burglar once used a crowbar to open a window, further nearby break-ins that use a similar method might have been done by the same person. Or they might not. A different burglar could have used the same method. A home owner could have used it to scam his insurance. The method does not describe the actor.
Likewise the use of certain tools and methods to break into a computer does not define an actor. APT 28 is not Russia. These tools and methods are publicly known. A spearphishing email is sent to the target. When the receiver clicks a link in that email, malicious software is launched that creates a backdoor into the targeted computer. Anyone can find such tools online and initiate an attack. The often claimed attribution of APTxyz to Russia always was and is sheer nonsense.
There is also new proof that the Cyber Caliphate indeed exists.
A few days ago a news outlet affiliated with ISIS published an obituary of a Canadian hacker who worked for ISIS. The Montreal Gazette reports:
An Islamic State-linked media outlet says a Canadian man was behind the terror group’s highest-profile cyber attacks, including the embarrassing takeover of the Twitter account of the U.S. military’s Central Command…
The Canadian fighter, who is said to have been killed by a drone strike in Syria, also allegedly penetrated bank computers and used the “spoils” to fund their fighting and hacked the U.S. Department of Defense, airports, international media organizations and the accounts of “hundreds” of U.S. soldiers…
The Toronto-born man “managed to bring blessed victories for the Caliphate state by carrying out electronic attacks that have made the enemies taste defeat and failure,” according to the [Arabic-language] notice…
The “martyrdom” notice published by Al-Muhajireen Foundation, an outlet with known links to ISIL, identifies the Canadian jihadi hacker only by a nickname: Abu Osama Al-Kanadi…
The announcement says Al-Kanadi became a top computer specialist with ISIL, also known by the acronym ISIS, and praises his online exploits with the Caliphate Cyber Army.
Abu Osama Al-Kanadi does not sound Russian to me. Nor were any of the hacks the Cyber Caliphate claimed in any way useful to Russia.
But the damage is done. None of those "experts" who claimed that Russia was behind the Cyber Caliphate attacks will retract their claims and papers. Nor will there be any correction in those mainstream media that repeated their nonsense.
The message is clear: Russia is bad. Every hack ever done is by Russia. Russia is the enemy. Don't you ever forget that.