For the past few years the Islamic State (IS) has staged a brutal reign of terror against Christians in Egypt, killing hundreds of people in dozens of terror attacks and targeted killings, causing strife across the arid reaches of the Sinai peninsula.[1] These targeted acts of terror have now taken a digital form, as over sixty Facebook profiles of Christians in Egypt have been singled out and hacked by IS supporters since mid-2017. These hacked accounts have been used to make derogatory comments about Christians, threaten their lives, and share IS propaganda. These recent hacking attacks illustrate clearly the tactics that IS supporters have used for their campaigns.
IS has long claimed to have potent hacking abilities, and they have formed groups like the United Cyber Caliphate (UCC) among many others to focus on hacking.[2] The group has previously carried out successful attacks such as hacking the Twitter accounts of US Central Command and Newsweek. While such attacks are headline-grabbing, they are relatively simple to stage and pose no real risk. But some more sophisticated attacks have been attempted by pro-IS hackers previously. According to US officials, IS hackers have tried to penetrate the computers that regulate the US electricity grid, and a successful attack like that would have far more serious ramifications.[3] However, while they have attempted such sophisticated attacks they have never succeeded, and experts agree that they currently lack the abilities to carry out more complex attacks.[4] The loss of their caliphate in Iraq and Syria, which was used as a base of operations for the group, makes sophisticated attacks even less likely.
Smaller-scale hacking campaigns are still a major concern, however. Pro-IS hacking groups like the UCC have claimed to have hacked thousands of social media accounts.[5] The pro-IS Ahshad media foundation has called for hackers to go after anti-ISIS Facebook accounts.[6] Step-by-step instructions on how to hack Facebook profiles are accessible via websites like YouTube and justpaste.it, and are curated and updated by IS supporters. It would appear that hacking activities on behalf of IS aren’t just limited to official groups, as individuals could take it upon themselves to carry out hacking attacks using information provided by the group. Much like in the real world, so-called ‘lone wolf’ terrorists with no direct connection to IS can carry out attacks on behalf of the group based off of material produced by them.
However, despite such encouragement for individual hacking efforts and claims made by official groups, widespread hacking on Facebook by IS has not been identified.[7] (https://twitter.com/JihadoScope/status/934142359557869570) The uncovering of these hacked accounts in Egypt lends credence to such claims made by IS about hacking Facebook profiles, but more importantly it identifies a new dynamic in these hacking campaigns. The specific targeting of Egyptian Christians elevates this hacking to a strategic online campaign intended to terrorise a specific group.
What happens to the Egyptian accounts?
When one of these Christian profiles is hacked, a post is made stating that said profile “has been hacked by supporters of IS”. The info section is also changed to contain a similar message. The claims that these were the profiles of Christians can be corroborated by the nature of posts made on these accounts before the hacking, as well as other Christian accounts which haven’t been hacked warning about what IS is doing.
These hacked profiles are then used to post hateful messages addressed towards Christians, such as using derogatory terms to describe them and making threatening statements. In some cases the info section is changed to include the phrase “we promise to slay him soon”, referring to the owner of the account. When posting such content, a large number of the accounts’ original friends are often tagged to achieve a greater effect. Other common posts include links to more hacked accounts, or to profiles of IS supporters, to encourage people to follow them. Posts boasting about the hacking activities that have been carried out are also common, and such posts will normally include a message describing how the Christian accounts are being hacked, often including several screenshots of hacked profiles as proof.
A handful of these hacked profiles quickly gain IS-supporting followers and serve as conventional IS propaganda accounts, which post IS news and propaganda videos regularly for an extended period of time. Posts will include news from Amaq, videos from various regions, and other posts of a pro-IS nature. They include news and videos from all over IS’ areas of operations, not just Egypt. Evidence shows that some of these hacked profiles are also being used as regular Facebook accounts by the hacker, quietly offering technical advice, promoting other pro-IS profiles, making non-IS related posts, and joining various groups. It is possible this is a way for them to produce pro-IS posts with less fear of being caught as they remain anonymous.
Who is responsible?
Several of the posts made by the hacked profiles are marked with the signature of “Spiders of the Islamic State”. The names of some of the hacked profiles have also been changed in similar fashion. Although not all hacked profiles make reference to this name, the similarity of these accounts and their activities since the hacking suggests that this is the work of the same individual or group. “Spiders of the Islamic State” refer to themselves as “supporters of the Islamic State” instead of claiming to be an official part of IS central or the group’s branches in Egypt, and so far the usage of this name has been limited to Egyptian accounts.
There is no way to confirm who is responsible for the hacking, though a single specific account seems to have taken a lead role in this operation. This account is regularly promoted by the hacked profiles, and has shared plentiful technical advice about ways to recover accounts blocked by Facebook, among other topics. Most telling was a post explaining how an exploit for hacking Facebook profiles still works.
Pro-IS hacking outside of Egypt
This hacking is not only a concern for Egypt. Dozens of other profiles hacked by IS supporters have been identified, including profiles created by people from Europe, the Middle East and the Americas. In these cases the hacking doesn’t target a specific group, and several of them don’t even advertise that the profile has been hacked.
In most cases these hacked accounts are used as a way to help spread propaganda, and do not have the same goal of spreading terror as the hacking by the “Spiders of the Islamic State” in Egypt. An account will be hacked, and the name and profile picture will typically be changed to make it easily identifiable as a pro-IS account. It will then be used to post IS propaganda videos, statements from Amaq, and other pro-IS posts. These accounts will normally be advertised by other IS supporters on Facebook. They will quickly gain a large number of IS-supporting friends and followers. On one recently identified hacked account, one of the original account’s friends posted telling the person who had hacked the account to stop what they were doing. Another IS supporter replied threatening to hack his account too.
Over a dozen South American accounts have been identified as being hacked by the same IS supporter. The goal of hacking so many accounts was to provide the hacker a network of accounts that could all be utilised for posting. If Facebook were to identify and remove one account, then there would be another account ready, ensuring a continuous stream of propaganda. In some cases the hacker will switch which account they post to after a period of time, possibly to try and reduce the risk of an account being identified and removed by Facebook. In one instance an account was used again after going unused for over a year, showing that these hacked accounts are being used over the long term. Each account has the profile picture and cover photo changed to a similar picture, making them easily identifiable for followers, and the various accounts are regularly advertised throughout the network.
Several profiles from North and Central America were hacked in another instance of a series of accounts being taken over by the same individual. Following the intrusions, the hacker changed the profile names to variations of Abu Monzer Al Shami. On all of the profiles that he hacks, links are shared leading to something akin to an introductory booklet containing broad information on IS and explaining how its representation in the media was wrong. In this instance the hacking appears to be an attempt to advertise IS to people who haven’t already been radicalised.
In at least one instance an account was hacked only to be used as the hacker’s everyday profile. A woman’s account from Canada that showed no signs of extremism suddenly changed to being used by a male IS fighter believed to be somewhere in Syria or Iraq. The posts made before the hacking were left up, including ones with pictures showing the lady’s young children. Why this fighter decided to hack an account instead of creating one is difficult to understand, but may have something to do with safety from state security services.
Simply hacking accounts to use for spreading propaganda or inspiring terror is not the only activity IS supporters carry out. A common occurrence is the mass reporting of an account that is deemed to be anti-IS in an attempt to cause Facebook to automatically remove it. The original poster will state how many reports they want, normally in the low hundreds, and then they will post a link to the account in the comments section. This has been seen working on several occasions.
A private Facebook group was also created which coordinated mass reporting. Members of this group included several people that are believed to have hacked Facebook accounts. On top of being in the same group, some of the suspected hackers are friends with each other, and there have been occurrences of them advertising each other’s accounts. It is clear that, at least online, several of the people involved in hacking know each other.
Despite grabbing headlines, IS’ hacking activities have never proven effective, leading many experts to dismiss their capabilities. While official hacking groups and IS supporters certainly don’t have the abilities to stage sophisticated attacks on important targets, this targeted hacking of Egyptian Christians shows that there is still the desire and ability among IS and its supporters to stage hacking attacks. This presents the possible risk of pro-IS hackers developing their skills or attracting better recruits, allowing them to stage more sophisticated attacks in the future. The wider efforts to hack Facebook accounts will also play an important role in the continuation of IS’ online presence, helping them to spread propaganda, radicalise new supporters, and continue to promote IS even as their physical Caliphate crumbles.
[1] “Gunmen Attack Cairo Church, Killing at Least 9”. NYT.
[2] Alkhour, Laith, Kassirer, Alex, Nixon, Allison. “Hacking for ISIS: The Emergent Cyber Threat Landscape”. Flashpoint Group, April 2016.
[3], [5] Sheafer, Sarah. “Hacking in the Name of ISIS: Should Americans Fear a Cyber Doomsday?” Georgetown Security Studies Review, Vol.4 No.2, June 2016.
[4] “Could ISIS’ ‘Cyber Caliphate’ unleash a deadly attack on key targets?” The Guardian.
[6] “O Knights of Media” text release.