Islamic State Sucks at Hacking

By Adam Clark Estes on at

A band of vandals is taking credit for doxxing some 1,400 American military and government personnel. Identifying themselves as the Islamic State’s “hacking division,” the group is telling its followers to “act and kill” the infidels. That threat rings somewhat hollow—because IS is bad at hacking.

This is at least the third time this year that IS has claimed to have hacked into government servers and extract the personal details of United States officials. “Hack” is a misleading verb, though, because in each of those instances, the terrorists didn’t exactly comprise America’s information security fortress. Either the “hacked” information was already public, or apparently completely fabricated. It would be more appropriate to describe this type of cyber warfare by saying something like “IS Googled military people” or “IS made up fake Gmail passwords for NASA officials.” That’s likely what really happened.

Ranking US military officers revealed as much in their response to this latest IS non-hack. “This is the second or third time they’ve claimed that and the first two times I’ll tell you, whatever lists they got were not taken by any cyber attack,” General Ray Odierno, the Army’s chief of staff, said after records were made public on Wednesday. “But I take it seriously because it’s clear what they’re trying to do ... even though I believe they have not been successful with their plan.”

The other instances to which General Odierno is referring are probably the CENTCOM non-hack in January of this year and the non-doxxing of U.S. soldiers in March. In both of those non-attacks, the information that the ISIS “hacking division” exposed was already public. IS sympathisers have been successful in breaking into some official military social media accounts, though the level of hacking skill required to accomplish such a feat is roughly equivalent to the amount of effort it takes to solve a The Times crossword puzzle—the easy one, that is.

This is not to say that IS isn’t a group of violent terrorists. They certainly are. It would also be disingenuous to say that we shouldn’t be worried about hackers from within its ranks, and from other terrorist groups. We should be quite worried in times like these, if only because even the US government seems pretty hapless in its understanding of cybersecurity.

However, this is not the time to freak out—these are self-proclaimed hackers describing themselves as bloodthirsty jihadists who have just released a bunch of public information on the public internet. This time around, the information even appears to be totally made up. “It’s pretty clear that [the data’s] been aggregated from different sources,” said security expert Troy Hunt explained in a well sourced blog post. “Even the passwords, they’re not strong enough to have come from a corporate or government. They’re not even strong enough to have come from an online service — you can’t create a Gmail account, for example, with a password of less than eight characters, and here we’re seeing some passwords of three letters.”

So even if you generally assume the US government isn’t great at security, you could probably bet that members of the military would need passwords longer than three characters. So then you have to assume that these self-described IS hackers are either bad at hacking or just bad at making shit up. Frankly, it’s probably a little bit of both. [Guardian, Troy Hunt]

Image via Reddit