The Risks Posed by Jihadist Hackers
Jul 23, 2013
The current pool of jihadist hackers (or jihadist hacktivists) is youthful, ambitious in its goals, and largely lagging in terms of its technical capabilities. This is best illustrated by the fact that these hackers have carried out few effective large-scale attacks to date. Jihadist hacktivists remain a loosely to disorganized set of individual hackers who form and disband hacking groups they create, and frequently enter into counterproductive rivalries with fellow hackers. Perhaps as a result, despite more than seven years of efforts to construct and recruit for jihadist hacking attacks via online forums, they have yet to form a jihadist hacking group that can demonstrably perform effective cyber attacks.
There are a range of skillsets, leadership abilities and ideologies among jihadist-inspired hacktivists, and some individual hackers have carried out small- to medium-scale cyber attacks against U.S. government and private sector targets, with moderate impact in terms of data loss and exposure. Those attacks also provided jihadist hacktivists with clout and a media platform (often predominately social media) from which to promote their message. The range of ideological beliefs among jihadist-inspired hackers is varied; some hacking groups embrace hard line militant Islamist imagery and messaging (such as that of al-Qa`ida), while concurrently incorporating the imagery, ethos and slogans of secular hacking collectives such as Anonymous into the informational aspects of their cyber attack campaigns.
This article evaluates existing jihadist cyber attack capabilities, offers a case study on a leading pro-jihadist hacktivist, and examines the rise in interest in cyber attacks among proponents of jihadist activism generally. It finds that although cyber attacks are becoming a more common and desirable means of furthering the global jihadist agenda, the overall impact and sophistication of jihadist hacktivists’ attacks have been relatively low and will likely remain as such in the near term.
Evaluating Existing Jihadist Cyber Attack Capabilities
In comparison to hackers and hacking groups sponsored or controlled by state actors, jihadist hacktivists are clearly behind in terms of the impact of their attacks, their diminished technical skillset, and their overall weak organizational and recruitment abilities. Their hacking activities frequently include website defacements (usually against poorly secured websites), wherein the attackers leave antagonistic imagery and comments on the victimized websites. Yet the activities of some jihadist hacktivists indicate there is a gradual sophistication of attack modes and intended attack impacts, occurring alongside a growing contingent of young jihadist enthusiasts who see cyber attacks as an increasingly effective and relatively easy way to contribute to the liberation or support of “oppressed” Muslims around the globe, which can frequently fall under the designation of “cyber terrorism.”
While jihadist-themed cyber attacks have been modest and often rudimentary over the past decade, the advancement and ambitions of certain jihadist hacking groups, individual hacktivists and proponents of cyber jihad over the past one to two years give some cause for concern in this area, particularly as those adversaries are growing more adept at identifying vulnerabilities in U.S. and other government targets, as well as those in the private sector. Clearly, the damage caused by jihadist cyber attacks pales in comparison to those under state sponsorship (prominent cases of the latter include Stuxnet in Iran, the highly destructive Saudi Aramco malware attack, operations conducted by the Syrian Electronic Army, and various data breaches performed by the Chinese People’s Liberation Army Unit 61398, among others). Jihadist cyber attacks also trail those of better known hacktivist groups such as Anonymous or LulzSec, both in terms of the volume of attacks, sophistication, and impact. Yet the prospect of jihadists conducting a high impact cyber attack—such as one against an industrial control system (ICS) target or a series of high profile financial attacks—should not be dismissed.
Junaid Hussain (aka TriCk): Pro-Jihadist Hacktivist, Cyber Criminal
One prominent jihadist-inspired hacktivist was Junaid Hussain. Born in 1994, Hussain founded the hacking group TeaMp0isoN. Between the ages of 13-17, Hussain was a highly active hacker using the online moniker “TriCk.” Between 2010 and 2012, he targeted NATO, officials and agencies of the UK government and a United States emergency response call line, among others, carrying out cyber attacks that were typically loosely jihadist-themed and promoting the liberation of Muslims in Palestine, Kashmir and other Muslim-majority conflict zones. Hussain’s attacks also included the publication of personally identifiable information on the leadership of the English Defense League (EDL), an “anti-Islamist extremism” group, in April 2011, and the theft of hundreds of Israeli credit card holders’ data as part of “Operation Free Palestine” in November 2011. He stated that he became political when he was 15-years-old, after “watching videos of children getting killed in countries like Kashmir and Palestine.” He described his actions on behalf of TeaMp0isoN as “internet guerrilla warfare.”
Hussain was sentenced on July 27, 2012, to six months imprisonment after he pleaded guilty in a London court to conspiring to commit a public nuisance between January 1, 2010, and April 14, 2012, and “causing a computer to perform a function to secure unauthorized access to a program or data” under the UK Computer Misuse Act. A resident of Birmingham, England, Hussain had turned 18 shortly before the trial date in late June 2012. His initial arrest—after years of maintaining his anonymity as a teenage hacker—was prompted by a phone-based hack and concurrent telephonic denial-of-service (DoS) attack targeting the Anti-Terrorist Hotline of the Metropolitan Police Service (MPS) on April 10-11, 2012. Following Hussain’s arrest, his previous hacking activities carried out under the name TriCk and his group, TeaMp0isoN, were handled by the Police Central eCrime Unit, which investigates major cyber crimes. This was due in part to the fact that Hussain had, in June 2011, breached the personal e-mail account of Katy Kay, a former special adviser to Prime Minister Tony Blair, and stole home addresses, phone numbers and e-mail addresses of Tony Blair, his wife and sister-in-law, as well as the personal information of other relatives, friends, and contacts in the House of Lords and Parliament.
Shortly after the telephonic DoS attack on April 11, 2012, ended, Hussain posted a four-minute audio recording on YouTube entitled “Mi6: Counter Terrorism Command Phones Hacked – Leaked Call Discussing TeaMp0isoN,” that contained an intercepted conversation among counterterrorism staff discussing the automated call “hoax.” During that recording, one employee of the counterterrorism office is heard telling a colleague that the anti-terrorism hotline had been inundated with “about 700 calls” from TeaMp0isoN over the previous two nights. The employees also acknowledged that legitimate callers had been effectively denied access to the anti-terrorism hotline that TriCk and TeaMp0isoN had targeted.
The phone-based attacks, which resulted in the breach and subsequent publication of sensitive conversations among British counterterrorism employees over the victimized phone lines, used a somewhat novel hacking technique that had been popular among the earliest generation of hackers in the 1980s known as “phreaking.” While Hussain did not disclose any further specifics about the method he and other TeaMp0isoN members claimed to use to record the phone call, he said “the conversation was tapped into via a private phreaking method, their phone system is old and we found a way to get in via basic but private phreaking technique.” As claimed, this hacking method likely enabled the hackers to eavesdrop on and record the conversations of officers in London’s MPS.
The targeting of the hotline, Hussain said in an interview on April 11, 2012, occurred in retaliation to the fact that “the UK court system has extradited Babar Ahmad, Adel Abdel Bary and a few others” to face unfair treatment in the United States. Babar Ahmad was allegedly involved in promoting militant jihadist materials online through a prominent website called “Azzam Publications.” Another of the five men to be extradited was a well-known radical cleric named Abu Hamza al-Masri who had established links to known militant groups including al-Qa`ida.
Implications of TeaMp0isoN’s Phone Hacking
TeaMp0isoN attempted a similar telephonic DoS attack on the 10th anniversary of the 9/11 attacks, but it failed, possibly due to the fact that it relied on a participatory model that required individual volunteers to work, and it ultimately lacked adequate numbers of supporters for the DoS attack to have any substantial impact. In the successful telephonic DoS attack on the MPS Anti-Terrorist Hotline in April 2012, however, the calls were made by an automated caller program (which continuously repeated the phrase “Team Poison” in a computer-generated voice), using a compromised server based in Malaysia running Asterisk software. That attack also demonstrated an ability to learn from past mistakes and deliver an improved attack mechanism within a short-time frame on the part of TriCk and supporting TeaMp0isoN members.
In addition to affecting the MPS’ anti-terrorism hotline over a two-day period, another significant aspect of the operation from a capabilities perspective is that Hussain was able to eavesdrop on sensitive, confidential phone conversations among counterterrorism and law enforcement officials. That capability was illustrated by the leaked recordings on YouTube and further evinced when MPS officials acknowledged it in the media—with the implication being that other hacktivists, including those directly supporting militant groups such as al-Qa`ida, could use it for counterintelligence purposes. While such a capability may pose a risk to the security of law enforcement and other government agencies’ communications if used effectively by adversaries, gaining highly-sensitive data from this tactic is challenging and uncommon, making it unlikely to be employed in a widespread fashion.
Similar Groups and Offshoots
Around TeaMp0isoN emerged a number of like-minded hacking groups (in addition to several others that formed organically, unrelated to TriCk or TeaMp0isoN) that have carried out similar jihadist-oriented cyber attack campaigns. These groups are often composed of a majority of young Sunni Muslims with membership and support from non-Muslims in various countries. ZCompany Hacking Crew (ZHC), which began in June 2010 as a spin-off hacking collective from TeaMp0isoN, aims to “end injustice, extremism, Zionism, illegal occupation” and other “evils,” with a primary focus on Kashmir and Palestine. In a December 2011 manifesto, it called for members and supporters to “hack USA websites against Quran burning/draw Muhammad (PBUH) or for protesting against the killings of innocents in IRAQ, AFG and Pakistan” and to “hack France websites for protesting ban on hijab.” The following month, the group launched a widespread campaign (which was again primarily composed of defacement attacks) against Western targets called “Operation 1M_vs_NATO.” On January 9, 2012, it claimed to compromise credit card holders’ data from servers located in the United States, United Kingdom and Australia. The attackers released a list of targeted servers on Pastebin, but did not readily disclose the method used in the alleged credit card theft. While it may have been exaggerated or ineffective, their claim nonetheless marked ZHC’s first declared foray into causing financial loss as a facet of their attacks.
One curious offshoot from TeaMp0isoN was “PoisAnon,” a collaboration between TeaMp0isoN and purported Anonymous members that emerged in late 2011 to carry out shared cyber operations such as “OpCensorThis” and “OpRobinHood.” During the week of December 1, 2012, as part of “OpRobinHood,” PoisAnon identified and published a purported SQL vulnerability in the First National Bank of Long Island website, then demonstrated the same SQLi (SQL injection) vulnerability on a webpage belonging to the BCD Credit Union in the United Kingdom. A TeaMp0isoN member also claimed to identify a similar vulnerability on the website of the National Bank of California. Yet in these cases, the attackers published statements saying that they would not release innocent peoples’ credit card information, instead urging them to withdraw their money from those and other financial institutions. Despite demonstrating a capability, the group members shied away from publishing breached credit card data, perhaps out of caution. More significant than the attacks, however, is the amalgamation of the sometimes jihadist-themed TeaMp0isoN and Anonymous, through a shared ethos of aiding the oppressed and confronting corrupt governments. Given how such a movement could appeal strongly to younger recruits, it could be an early indication of what the next, younger generation of jihadist enthusiasts-cum-hacktivists looks like.
TeaMp0isoN and ZHC have also been affiliated with smaller offshoot hacking groups such as the Mujahideen Hacking Unit (MHU) and Muslim Liberation Army (MLA) that had some overlapping membership with TeaMp0isoN and ZHC. These groups have largely been composed of young Pakistani Muslims espousing a hard line Salafi-jihadi message and functioned more as propaganda units than hacking cells, carrying out low level website defacements and other generally low impact activities. In addition to these groups, individual hacktivists have, at times, had an impact on the security environment.
Jihadist DDoS Attacks Gain Global Attention
On January 16, 2012, a Saudi hacker with the moniker “0xOmar” conducted a high profile distributed denial-of-service (DDoS) attack on the websites of Israeli national airline El Al and the Tel Aviv Stock Exchange. The DDoS attack also targeted the websites of three Israeli banks that same day. The DDoS attacks did not impact trading on the stock exchange, nor did it affect the operations of the airline; only the front-facing websites victimized in the attack were temporarily inaccessible.
0xOmar claimed a group called “Nightmare” assisted him in the attacks, but little information is available to confirm that such a hacking group existed that was in contact with him at the time of the attacks. The DDoS attack tool used by 0xOmar on January 16 was not disclosed. The affected websites were largely restored to normal operations within one business day, but the media impact of the attacks was felt throughout the Middle East and bolstered other pro-jihadist and Islamist-inspired hacking groups.
One prominent Muslim cleric who commented on the media coverage was Kuwaiti imam Dr. Tariq al-Suwaidan, who also hosts a popular television show. One day after 0xOmar’s DDoS attacks on Israeli targets, al-Suwaidan posted on his Twitter account, which had some 240,000 followers, a call “to unify the efforts of [Muslim] hackers in the endeavor of electronic jihad against the Zionist enemy.” Al-Suwaidan is also a leading member of the Kuwaiti Muslim Brotherhood, and in May 2007 he was listed as an unindicted co-conspirator in the U.S. Department of Justice’s case against the Muslim-American charity, the Holy Land Foundation.
Perhaps unsurprisingly, al-Suwaidan’s call to a unified cyber jihad against Israel produced little tangible effect. Similar calls to a unified jihad have been made among real-world Islamist activists for years, yet they have never managed to overcome fragmentation and in-fighting. This is in part because the jihadist hacktivist community, like its kinetic counterpart, is prone to decentralization, which explains why it has been unable to consistently mount high impact cyber attacks, whether through DDoS tools or exploiting code vulnerabilities and performing data breaches.
To date, jihadist hacktivists and hacking collectives sympathetic to jihadist causes have largely used unsophisticated attack methods. These include brute force cracking to hack into e-mail and web servers and other basic techniques such as using open source hacking software that scans for vulnerabilities, or programs that run pre-programmed exploits. Pro-jihadist hackers have also used DDoS attacks (with occasional effectiveness, notably in the case of the Saudi hacker 0xOmar) and limited spear-phishing and other social-engineering-based network intrusion techniques. These attacks have resulted in low- to medium- level data and privacy loss, but a significant distance remains between jihadist hacktivists’ demonstrated abilities and the capability to conduct an effective cyber attack on critical infrastructure, or even those with significant financial cost.
A number of “hacking units” or “cyber armies” incorporating al-Qa`ida’s name or identifying as aiding militant jihad have emerged (or at least announced their formation) in recent years, yet so far none have managed to gain traction, garner much media attention, or carry out a significant attack. They also appear to lack any skilled membership. While some on jihadist forums have called for attacks on critical infrastructure targets, no specific or viable plots have emerged against them from any jihadist-affiliated actors. Nonetheless, the interest in such high profile, high impact attacks remains among jihadist hacktivists and proponents of Islamist militancy. As the pool of jihadist hacktivists continues to grow, and some advance to more sophisticated attack tools and methods, the possibility of an effective cyber attack emerging from among these actors becomes more likely.
The continuance of vulnerable attack targets and the likely increase in Islamist hacking activity in the near term combine to form a potentially challenging security environment for U.S. and other Western governments and private companies. Many of these potential targets, however, can mitigate the impact of cyber-terrorists—whether they are jihadist hacktivists or hackers from a collective like Anonymous—by taking additional steps to safeguard the integrity of their data and their customers’ information, thereby reducing the media attention such attackers seek to exploit in pursuit of their agenda and message campaigns.
Christopher Heffelfinger is President of AVH, LLC. Based in Washington, D.C., he is also author of Radical Islam in America: Salafism’s Journey from Arabia to the West and a former Fellow of the Combating Terrorism Center’s FBI program.
 A hacktivist is a hacker who performs cyber attacks for a movement or cause. The U.S. Computer Emergency Response Team (US-CERT) includes in their definition of hacktivist: “Hacktivists form a small, foreign population of politically active hackers that includes individuals and groups with anti-U.S. motives,” although the term does not explicitly connote an anti-American agenda. For the US-CERT definition, see “Cyber Threat Source Descriptions,” U.S. Department of Homeland Security, May 2005.
 Calls for jihadist hacking units and electronic mujahidin armies have been circulating in al-Qa`ida magazines since late 2005.
 Such imagery typically includes the attacking group’s logo and/or a satire of the victim’s logo, or statements criticizing the victim’s security.
 There is often a thin line between cyberterrorism and online activism for humanitarian or social causes. As with kinetic activities, however, terrorism is distinguished by causing harm to another person or their property in the act of conveying a message, or political agenda.
 Hannah Furness, “Team Poison: Profile of the Hackers,” Telegraph, April 12, 2012.
 Eduard Kovacs, “Hackers Around the World: It’s No TriCk, He’s Among the Best in the UK,” Softpedia, February 18, 2012.
 Caroline Grant, “Hacker’s Facing Jail Over Blair Email Raid,” The Sun, June 30, 2012.
 Tammy Hughes, “‘Team Poison’ Hacker, 18, who Published Tony Blair’s Address Book Online Faces Jail,” Daily Mail, June 30, 2012.
 On the evening of April 12, 2012, TriCk and another teenager aged 16 (who was later released on bail after police said they did not believe him to be a member of TeaMp0isoN) were arrested by police at a residence in Birmingham, in West Midlands. See “Two Arrested After Hackers Attacked Anti-Terror Hotline,” Telegraph, April 12, 2012.
 “‘Team Poison’ Hacker Who Posted Tony Blair’s Details is Jailed,” Telegraph, July 27, 2012.
 Martin Evans, Christopher Williams and Hannah Furness, “Two Arrested after Hackers Attacked Anti-Terror Hotline,” Telegraph, April 12, 2012.
 Phreaking is the act of hacking into or manipulating a telephone network. Popularized in the 1980s, it is often considered the precursor to computer hacking.
 “Hackers ‘Eavesdrop on Terror Line,’” Guardian, April 11, 2012.
 Evans et al.
 “Babar Ahmad and Abu Hamza Among Terror Suspects to be Sent to US,” BBC, October 5, 2012.
 Message posted by TeaMp0isoN members announcing “Op911” on September 7, 2011, on pastebin.com, a site commonly used by hacktivists to post campaign messages.
 Paul Roberts, “UK Teen, TeaMp0isoN Member, Arrested For ‘Phone Bomb’ Attack,” ThreatPost.com, April 17, 2012; “Hackers ‘Eavesdrop on Terror Line.’”
 Asterisk software is an open source software product that enables users to convert a Linux-run server into a VoIP (Voice over Internet Protocol) telephone exchange.
 Evans et al.
 Jeremy Kirk, “How Anonymous Hacked the FBI-SOCA Conference Call,” IDG News Service, March 6, 2012.
 As observed from group membership and participation in social media during 2011-2012.
 These details are from a manifesto posted by ZHC members on pastebin.com and various social media outlets in December 2011.
 Pastebin.com is a website that allows users to store text for a certain period of time. The website is mainly used by programmers to store pieces of source code, but is open to any user to paste any type of text.
 The theft of databases of credit card holder information is not uncommon among hacktivists. Many employ programs to scan for vulnerabilities in SQL or XSS to exfiltrate sensitive customer data.
 Structured Query Language, or SQL, is a programming language designed for managing data in relational databases.
 “First National Bank of Long Island, Operation Robin Hood Victim,” Softpedia, November 29, 2011. The original statement is online at www.pastebin.com/g0Ckrq3u.
 The claim was made on a TeaMp0isoN member’s Twitter page.
 As observed from group membership and participation in social media during 2011-2012.
 A DDoS attack employs a botnet of compromised or voluntary machines as “bots,” which simultaneously send requests to a specified server and, if successful, render it unresponsive.
 Gianluca Mezzofiore, “‘Nightmare’ 0xOmar Hackers Attack Israel’s Stock Exchange and El Al,” International Business Times, January 16, 2012.
 “‘I Want to Harm Israel,’ Saudi Hacker Tells ‘Post,’” Jerusalem Post, January 16, 2012.
 In addition to his actual Twitter post, also see “Kuwaiti Imam: Cyber Jihad Effective,” ynetnews.com, January 18, 2012.
 U.S.A. v. Holy Land Foundation for Relief and Development, Northern District of Texas, 2007.
 “Spear-phishing” is a phishing attack against a specific target, rather than a general population, typically with the aim of gaining access to a secured network.
 On June 11, 2011, in a leading jihadist forum, “Yaman” posted a highly detailed message calling for a “Center for Electronic Terrorism.” A top priority for this center, he described, is the targeting of “SCADA [supervisory control and data acquisition] systems to distort the companies of electricity, gas, water, airports, trains, subway trains and central control systems” in the United States, United Kingdom and France. Yaman claimed the endeavor was a “new center for Qa`idat al-Jihad.”