Islamic State (IS) hacking divisions made headlines last year as reports of their alleged hacking spree and kill lists emerged. Pro-ISIS hackers made headlines again recently after defacing several international government websites, indicating that the extremist group's cyber division may be levelling up its skills and expanding its target base. One of the extremist group's known cyber arms, the United Cyber Caliphate (UCC), has reportedly now been spotted dabbling in malware creation.
Security experts have previously said that pro-ISIS hackers appear to have low-level technical skills. Experts say that although pro-ISIS hackers' online propaganda and internal communication techniques may appear advanced, their actual cyber skills, including the hacking tools and techniques they employ, are rudimentary at best. This assessment was backed up by Kyle Wilhoit, senior security researcher with DomainTools, who has been analysing the cyber capabilities of ISIS hacking divisions, including the UCC.
"Their relative overall technical expertise is low," Wilhoit said, DarkReading reported. The hacker group's DoS (denial of service) attack modus operandi (MO) is similar to a crowdsourced attack, the likes of which were launched by the hacktivist collective Anonymous at its peak.
Instead of exploiting botnets, "their denial-of-service attacks are being executed through Windows applications on multiple hosts," Wilhoit said. According to the security researcher, ISIS hackers are also testing out other cybercriminals' tools and appear to be trying their hand at creating their own.
ISIS hackers experimenting with cyber tools
"They are also leveraging what cybercriminals use," he added, seemingly test-driving malware development toolsets. "Just recently, with this research ... [I] found them dabbling in the creation of malware."
The researcher said that he discovered the UCC using a popular underground cybercrime toolset called Ancalog Exploit Builder to create fake HTML pages. "That piece of malware looked like it was in the development phase. It wasn't weaponized," Wilhoit added.
Ken Wolf, senior analyst of cyber terror research at Flashpoint, backed up Wilhoit's assessment that ISIS hackers do not possess skilled or sophisticated DoS attack techniques. However, Wolf said that his team spotted ISIS supporters employing a downloadable DoS tool they named "Caliphate Cannon" in an unspecified top-tier ISIS forum.
Wolf said that the tool was "written by a forum member," who appears to be an entry-level coder. The DoS tool was used in attacks in January, primarily against targets in the Middle East.
"We've seen other cases where actors have been aggregating ... open-source tools," he said, adding, "But there's nothing that we've seen that's suggesting they are using those to inspire their own tool development. The greatest value that these actors provide is in their propaganda value."
"Looking at their toolsets, I found that ultimately as it stands right now they don't have advanced enough technological capability to cause a major problem," Wilhoit said. He cautioned, however, that ISIS hackers could become a bigger threat in the future.
Dwindling activities may indicate manpower loss from ground battle
ISIS hackers are known to communicate with each other and spread propaganda via encrypted chat apps such as Telegram. However, according to Wolf, there has been no chatter on Telegram or any real cyber activity from the UCC since April. The researcher said that this could indicate a loss of manpower from the ground battles in Raqqa and Mosul.
"We've seen over the past year a few instances in which the United Cyber Caliphate or other groups aligned with it have announced members of their teams were killed in Syria. Most recently – in March – a UCC leader was killed in an airstrike in Syria," Wolf said. "But there's a lot of uncertainty who these actors are, or where they might be."
Wilhoit said that users concerned about defending against cyber terror groups such as the UCC don't need any specialised security services beyond a state-of-the-art firewall and basic security practices.
"If you follow basic security precautions, most of these [attacks] can be blocked. They are not using infected botnets to perform denial-of-service attacks," he said. "I'm somewhat surprised that they are not further along than this," he added, commenting on UCC's cyber capabilities.
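The crowdsourced, non-botnet denial-of-service pattern Wilhoit describes (many individual hosts each running a flooding application) is the kind of traffic a simple per-source rate check catches, which is what makes "basic security precautions" sufficient against it. The following is an added example, not code from the article or from either of the researchers quoted: it parses Common Log Format web server lines, flags any source that exceeds a request threshold within a sliding time window, and summarises how many distinct sources were flagged. The log lines are constructed for the example, and the thresholds (20 requests in 10 seconds) are assumed values a site would tune to its own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format, e.g.:
# 198.51.100.1 - - [01/May/2017:12:00:00 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) for a CLF line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def detect_flooders(lines, window_seconds=10, max_requests=20):
    """Per-source sliding-window rate check.

    Returns {ip: peak_requests_seen_in_one_window} for every source that
    exceeded max_requests inside any window of window_seconds. Lines are
    assumed to be in chronological order per source, as a log file is.
    """
    windows = defaultdict(deque)   # ip -> timestamps inside current window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                 # skip malformed lines rather than crash
        ip, ts = parsed
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()              # drop requests that fell out of the window
        if len(q) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def summarise(peaks, lines):
    """How many distinct sources were flagged versus seen in total.

    A crowdsourced flood shows up as several distinct flagged sources, each
    individually over the threshold, which per-source limiting handles well.
    """
    seen = {p[0] for p in map(parse_line, lines) if p}
    return {"flooding_sources": len(peaks), "total_sources": len(seen)}


def _clf(ip, ts, path):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


def make_sample_log():
    """Constructed sample log (not from the article): five sources each send
    30 requests within 5 seconds, three others make a single normal request."""
    base = datetime(2017, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(30):
        ts = base + timedelta(seconds=i // 6)      # 6 requests per second
        for n in range(5):
            lines.append(_clf(f"198.51.100.{n + 1}", ts, "/"))
    for n in range(3):
        ts = base + timedelta(seconds=3 * n)
        lines.append(_clf(f"192.0.2.{n + 1}", ts, "/about.html"))
    return lines


if __name__ == "__main__":
    sample = make_sample_log()
    flagged = detect_flooders(sample)
    for ip, peak in sorted(flagged.items()):
        print(f"{ip}: {peak} requests in a 10s window")
    print(summarise(flagged, sample))
```

The same check is what a firewall or web application firewall applies when it rate-limits per client address; the difference from a botnet-driven flood is that here each participating host is individually noisy enough to trip the threshold, so blocking the flagged sources removes most of the load without collateral damage to normal visitors.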