Are IS group hackers taking jihad online?

One of the images attached to an email containing malware sent to members of Raqqa is being Slaughtered Silently. (Google Earth, via Citizen Lab)

A cyberattack on anti-Islamic State activists in Syria could be the first known case of hackers belonging to the Islamic State group directly targeting their enemies online.


“Thank you for your efforts to deliver a true picture of the reality of life in Raqqa.” This small message of support emailed to the activist group Raqqa is being Slaughtered Silently (RSS) is in fact a trap.

And, according to the Canada-based cyber research centre Citizen Lab, there is a strong possibility it was laid by the Islamic State group itself, indicating that the jihad it has been waging across large swaths of the Middle East has now moved online.

A report from Citizen Lab, published Thursday, details how the cyberattack used malware in an apparent attempt to reveal the location of activists belonging to RSS – a group that aims to highlight the daily human rights abuses committed by the Islamic State group in the central Syrian city of Raqqa, one of the terrorist organisation's strongholds.

The attack begins with the above email, which is sent to the addresses of unsuspecting RSS members and claims to be from a group of Syrians living in Canada who are sympathetic to RSS’s aims.

“We believe in the importance of shedding light on the realities of life in Syria, and Raqqa in particular,” it says. “We are preparing a lengthy news report on the realities of life in Raqqa. We are sharing some information with you in the hope that you will correct it in case it contains errors.”

The email is accompanied by a link to a file-sharing site where the recipient can view a copy of the supposed report, including satellite images of Raqqa.

But as the target views the images, a number of malware files are secretly being downloaded on their computer, says Citizen Lab.

Tracking RSS members

It's a classic way to infect computers, but the virus itself is incredibly simple, even old-fashioned. Most modern viruses allow hackers to take control of the target’s computer, log keystrokes and steal files from the hard drive.

But the RSS virus dates from the early years of the Internet. It aims to simply log the target’s IP address (a unique number attributed to every Internet-connected device) along with a few details about their computer system and send it back to the hackers.

This information could be used “to know if other vulnerabilities exist in the targeted computers with a view, perhaps, to a more sophisticated future attack,” Jean-François Beuze, founder of cyber security firm Sifaris, told FRANCE 24.

As Loïc Guézo, cyber security specialist at Japanese firm Trend Micro, explains: “It’s like a burglar who makes a reconnaissance of a building to see which doors are secure.”

But the attack could have an even more sinister aim, says Citizen Lab. Obtaining the IP address gives the hackers an idea of where the targeted computer, and therefore its user, is located.

Such information would clearly be of interest to IS group members, Citizen Lab points out, implying that the virus is indeed the work of the terrorist organisation.

“RSS hasn’t escaped [the Islamic State’s] notice,” say its researchers, “and the group has been targeted for kidnappings, house raids, and at least one alleged targeted killing.”

The malware, for the moment, has only been downloaded a total of ten times, it notes.
This may seem a small number, but represents “potentially ten lives in danger”, says Beuze. Even if the source of the cyberattack is unconfirmed, the Islamic State seems the most probable culprit. Their likely goal: locate the activists and then neutralise them.

British hacker in the IS ranks

Until now, the IS group’s online activities have consisted mainly of spreading propaganda – including highly polished recruitment videos as well as clips and images of gruesome beheadings and other atrocities.

“But,” says Beuze, “there is no reason why they wouldn’t look to use, like many other groups, cyberattacks as a weapon.”

It is highly probable the group would have the expertise within its ranks to carry out such attacks. A British hacker, Junaid Hussain, is suspected of joining the IS group after travelling to Syria in July 2014. A former student from Birmingham, Hussain was jailed for six months in 2012 for stealing personal information about former UK prime minister Tony Blair and publishing it online.

But given the group’s apparent technological know-how and significant resources, could the attack on RSS, if it did come from the IS group, be seen as surprisingly crude?

“Not so,” says Guézo. The fact that the attackers did not, for example, attempt to take control of the targeted computers does not mean they did not have the ability to do so. It shows that they “were perfectly familiar with the technological environment in Raqqa”, he says.

Controlling a computer remotely requires a stable Internet connection, something difficult to find in Raqqa, he says.

A more complex virus, meanwhile, would risk “being discovered more quickly”, explains Beuze. A virus that simply logs an IP address, on the other hand, is much less likely to be detected by anti-virus software.

But above all, if the IS group did carry out this cyberattack, it “sends a message to all their enemies in Syria,” says Guézo.

The terrorists are saying to those that oppose them that they are now capable of tracking their activities online, so that they can find them in real life, Guézo explains.
