ISIS Again Claims Cyber Attacks Which Were Falsely Blamed On Russia


Since late 2014 the Islamic State in Iraq and Syria (ISIS) had its own hacking group. It waged cyber attacks against media and military targets. The group became known as United Cyber Caliphate (UCC).

Later on some “experts” attributed the UCC attacks to Russia. They claimed that the Cyber Caliphate did not exist but was a Russian false flag operation. There is now new evidence such claims are nonsense.

The attacks claimed by the Cyber Caliphate included:

  • Jan 2015 – Twitter and Youtube account of the U.S. CentCom taken over and filled with pro-ISIS messages.
  • Mar 2015 – United States Air Force’s pilots list with detailed personal information posted online.
  • Apr 2015 – French TV5Monde live feed and social media hacked and defaced with the message “Je Suis ISIS”.
  • Apr 2015 – Australian airport website defaced with ISIS message.
  • Aug 2015 – United States’ military database hacked and data of some 1400 personnel posted online.
  • Sep 2015 – British government emails hacked. Email addresses of top cabinet ministers published.
  • Apr 2016 – UCC successfully hacks 20 Australian business websites, redirects them to ISIS content.
  • Apr 2017 – UCC released a kill list of 8,786 people.

ISIS delivered flawless propaganda material with well edited videos and created its own glossy magazines. Producing these required computer expertise. It was thus not astonishing to learn that some hackers had joined ISIS and worked with its media team. From an ISIS perspective the above listed targets all made sense. There was no reason to doubt the ISIS claims.

But then the ‘Russia scare’ nonsense took over. Suddenly each and every assumed computer attack, including those by the Cyber Caliphate, were attributed to Russia:


Russian hackers linked to the Kremlin could be behind one of the biggest attacks to date on televised communications, which knocked French station TV5Monde off air in April, sources familiar with France’s inquiry said.

Hackers claiming to be supporters of Islamic State caused the public station’s 11 channels to temporarily go off air and posted material on its social media feeds to protest against French military action in Iraq.

U.S. cybersecurity company FireEye, which has been assisting French authorities in some cases, said on Wednesday that it believed the attack came from a Russian group it suspects works with the Russian executive branch.

Information about the TV5 attack was published on a website branded as part of the “Cyber Caliphate,” a reference to the Islamic State.But the site was hosted on the same block of Internet Protocol addresses and used the same domain name server as the group called APT28 by FireEye and Pawn Storm by Trend Micro, another large security company.

Similar claims were made over other attacks that ISIS claimed for itself. “The Russians did it!” screamed various snake-oil selling cyber security companies.

Soon it was said that the Cyber Caliphate did not exist at all:

[T]he Cyber Caliphate is a Russian intelligence operation working through what spies term a cut-out.U.S. secret agencies, including the National Security Agency, which controls American cyber-espionage and works closely with CYBERCOM, came to similar conclusions “APT 28 is Russian intelligence, it’s that simple,” explained an NSA expert to me recently.

In other words, the Cyber Caliphate is a Russian false-flag operation.

The snake-oil sellers and the writer above (intentionally) mistake methods for actors. The Advance Persistent Threat (ATP) number 28 describes a certain course of action taken during a hack. It is well known method that can be identified to some degree. But recognizing a method does not identify the persons that use it.

If a burglar once used a crowbar to open a window, further nearby break-ins that use a similar method might have been done by the same person. Or they might not. A different bugler could have used the same method. A home owner could have used it to scam his insurance. The method does not describe the actor.

Likewise the use of certain tools and methods to break into a computer does not define an actor. ATP 28 is not Russia. These tools and methods are publicly known. A spearphishing email is sent to the target. When the receiver clicks a link in that email a malicious software is launched that creates a backdoor into the targeted computer. Anyone can find such tools online and initiate an attack. The often claimed attribution of ATPxyz to Russia always was and is sheer nonsense.

There is also new proof that the Cyber Caliphate indeed exists.

A few days ago a news outlet affiliated with ISIS published an obituary of a Canadian hacker who worked for ISIS. The Montreal Gazette reports:

An Islamic State-linked media outlet says a Canadian man was behind the terror group’s highest-profile cyber attacks, including the embarrassing takeover of the Twitter account of the U.S. military’s Central Command.

The Canadian fighter, who is said to have been killed by a drone strike in Syria, also allegedly penetrated bank computers and used the “spoils” to fund their fighting and hacked the U.S. Department of Defense, airports, international media organizations and the accounts of “hundreds” of U.S. soldiers.

The Toronto-born man “managed to bring blessed victories for the Caliphate state by carrying out electronic attacks that have made the enemies taste defeat and failure,” according the [Arabic-language] notice, ..The “martyrdom” notice published by Al-Muhajireen Foundation, an outlet with known links to ISIL, identifies the Canadian jihadi hacker only by a nickname: Abu Osama Al-Kanadi.

The announcement says Al-Kanadi became a top computer specialist with ISIL, also known by the acronym ISIS, and praises his online exploits with the Caliphate Cyber Army.

Abu Osama Al-Kanadi does not sound Russian to me. Nor were any of the hacks the Cyber Caliphate claimed in anyway useful to Russia.

But the damage is done. None of those “experts” who claimed that Russia was behind the Cyber Caliphate attacks will retract their claims and papers.  Nor will there be any correction in those mainstream media that repeated their nonsense.

The message is clear: Russia is bad. Every hack ever done is by Russia. Russia is the enemy. Don’t you ever forget that.

h/t Stephen McIntyre

Posted by b on November 9, 2018 at 03:33 PM | Permalink

With Select Comments from original thread

Here is an article that explains how the United States intelligence network has developed malware that makes it appear as though it was sourced from Russia, China, Iran or North Korea:

Washington will stoop to the lowest levels possible to see that its unipolar global agenda is retained.

Posted by: Sally Snyder | Nov 9, 2018 3:38:19 PM | 1

thanks b… there is a clear game plan on to attack russia in an all out war of some kind.. anyone can see this.. the propaganda is intense and non stop! i am surprised russia hasn’t been blamed for isis too.. i guess abu osama c. summeraki is working on it… i eagerly await the next kool aid report… i hope the pay is good, as we are dragged towards ww3…

Posted by: james | Nov 9, 2018 3:55:34 PM | 2

Looking at the dates and countries, the United Cyber Caliphate may have been conceived to sway public opinion for a coalition of the killing attack on Syria. The ISIS marketing and promotion campaign was too polished and too well covered by MSM to be some fanatical takfiri plot. Ran its website Amaq with California based cloudflare, traded oil with Turkey ect ect.
UCC is more likely CIA or some hacking unit set up in the US or UK.

Posted by: Peter AU 1 | Nov 9, 2018 4:06:40 PM | 3

WikiLeaks: CIA hacking group ‘UMBRAGE’ stockpiled techniques from other hackers

A division of the Central Intelligence Agency stockpiled hacking techniques culled from other hackers, giving the agency the ability to leave behind the “fingerprints” of the outside hackers when it broke into electronic devices … “With UMBRAGE and related projects the CIA cannot only increase its total number of attack types, but also misdirect attribution by leaving behind the ‘fingerprints’ of the groups that the attack techniques were stolen from,” Wikileaks said in a statement.

Posted by: Jackrabbit | Nov 9, 2018 4:15:30 PM | 4

I don’t have the source or link, but I recall reading that the Internet operations of ISIS was based in Qatar.

That makes sense. Huge US AF base, Muslim Brotherhood nation. Paymaster for ISIS.

How the US could not after all these years know, trackdown and destroy the Internet operations is a “mystery”.

Posted by: Red Ryder | Nov 9, 2018 5:15:26 PM | 5

“b” is the nom de guerre for Moon of Alabama’s founding editor.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License


[premium_newsticker id=”154171″]

Words from an Irish patriot—


Make sure many more people see this. It's literally a matter of life an death. Imperial lies kill! Share widely.
  • 14

Leave a Reply