The attack seemed like a garden-variety digital holdup.
A computer intruder, calling himself the “Albanian hacker,” left a message for the administrator of a website for an Illinois internet retailer: Pay two Bitcoins, or about $500 at the time, and the intruder would “remove all bugs on your shop!”
Such demands are typical among underground hackers who infect computers with malicious code and seize control of them, freeing them only after receiving a payment.
But this case was more than a surreptitious digital mugging. The trespasser had ties to the Islamic State Hacking Division, a terrorist cyber unit, and before it was over he’d put together a “kill list” for the Islamic State with the identities of 1,351 U.S. government and military personnel from the 100,000 names, credit card records and Social Security numbers he’d extracted from the host server.
The hacker operated in a gray area where criminal and terror interests blend messily to test malicious computer code, raise funds and identify Western targets, and it raises fresh concerns for U.S. businesses hit by cybercrime and for the government agents tasked with defeating it: If a business tries to make a problem quietly disappear, it may effectively be hindering government efforts to monitor terrorism. The need for collaboration between business and government on internet security has soared, even as distrust has risen between network managers and law enforcement.
The case of Ardit Ferizi, an ethnic Albanian who was raised in Kosovo, is typical of hackers who “might act on behalf of a group but are also doing it for their own profit, for criminal means,” said John P. Carlin, the assistant attorney general for national security.
Ferizi’s case is also notable because his handiwork generated one of the first “kill lists” issued by the Islamic State designed to generate fear and publicity. FBI agents used the early list of U.S. military and government employees to notify the targeted individuals. More recent lists have included thousands of ordinary civilians and even U.S. Muslims the terrorist group considers apostates.
Ferizi, 21, was extradited from Malaysia last autumn and has been held by U.S. Marshals since then. On June 15, Ferizi signed a plea agreement in Alexandria, Virginia, in which he admitted to providing material support to terrorists and to computer hacking. He also signed a statement of facts outlining details of that support.
It marked one of the federal government’s first successful cyber terrorism cases in which an individual in custody admitted a link to a foreign terrorist organization.
Ferizi’s story is gleaned from federal court records, and an interview he once gave to Infosec Institute, a Chicago-based training center for technology professionals that also does research on hackers.
A native of Gjakova in western Kosovo, Ferizi was largely self-trained in computers. By his late teens had formed the Kosova Hacker’s Security, a group with vague pro-Muslim objectives. He adopted the moniker @Th3Dir3ctorY, and claimed that the group had hacked systems in Serbia, Greece, Ukraine, France and the United States, including Microsoft’s Hotmail servers and a research domain operated by IBM.
In early 2015, Ferizi traveled to Malaysia to study and “in part to get better access to bandwidth” to carry out cyberattacks, Carlin said.
His tools? A Dell Latitude laptop, a second MSI laptop and computer application known as DUBrute, which allows a user to seize control of another computer remotely.
Ferizi had already established contact with Junaid Hussain, a Briton who Carlin called “one of the most notorious cyber terrorists in the world.” At the time, Hussain lived in the Syrian city of Raqqa, the de facto capital of the Islamic State. A charismatic hacker of Pakistani descent, Hussain had once run a collective, TeaMpOisoN, and had a club of fanboys.
One day last August, a system administrator at the Illinois company, which is not named in court documents, contacted the FBI about a cyber ransom demand. Appealing to the feds for help was an unusual step.
“Most companies today pay the 500 bucks and go back to business,” Carlin said at a June 28 forum at the Center for Strategic and International Studies, a public policy and research group in Washington.
Cyber ransom demands have exploded, with hackers hitting hundreds of businesses every day, encrypting hard drives and turning over the decryption key only once a payment has been made. The FBI estimates such attacks cost individuals and businesses $209 million in the first quarter of 2016.
“It’s grown extremely fast,” said Dan McNemar, director of intelligence at Binary Defense Systems, a Hudson, Ohio-based company that helps defend clients from cyberattack.
Yet those hit by the ransom attacks often are reluctant to report them.
“Companies do see a lot of risk when they consider coming out into the open about cyber incidents,” said Tristan Reed, a security analyst at Stratfor, an Austin, Texas-based global security consultancy. He noted that executives worry about reaction from shareholders and customers, and fear that government agencies won’t keep the information confidential.
Ferizi’s attack, however, was serious. He had placed malware on the company’s server that granted him “unfettered access to information” there, including all customer data, FBI agent Kevin M. Gallagher said in an affidavit.
Ferizi had scolded the company technician for trying to pry his malicious malware off the server, warning him in a message Aug. 19 – “please don’t touch my files!” – and signing off with a gleeful: “Greetings from an Albanian Hacker!”
In a separate message, he demanded two bitcoins, a type of encrypted digital currency, from the company in exchange for deleting his malicious code. He included a hyperlink to a Wikipedia page on bitcoins in case the administrator didn’t know what they were.
But Ferizi already had what he wanted. He’d spent the previous two months gathering and culling information from the company’s servers and passing the data to the Islamic State. According to Ferizi’s signed “statement of facts” in his case, the hacker searched the server for email addresses ending in “.gov” or “.mil,” indications that they belonged to civilian government or military employees.
On Aug. 11, the ISIS cyber army leader, Junaid Hussain, tweeted a link to a 30-page document containing vast details about 1,351 U.S. personnel, calling them “Crusaders” who were conducting a “bombing campaign against the muslims.” He said followers would “strike at your necks in your own lands!”
It was a coup for Hussain, but not one he’d live long to boast about.
A drone strike killed the British Islamic State hacker near Raqqa on Aug. 24. At the time, Hussain is said to have ranked No. 3 on a U.S. list of terror group members to be eliminated.
No direct link is publicly known between the drone attack and his release of the “kill list.”
A member of one private company’s digital intelligence team, who requested anonymity because he was dealing with terrorism, said of the Islamic State: “Their capabilities are 1,000 times what they were four years ago.”
But Daveed Gartenstein-Ross, a counter-terrorism expert at the Foundation for Defense of Democracies, said U.S. government cyber experts are “orders of magnitude better” than Islamic State-linked hackers.
Reed, the Stratfor analyst, said many issues make it difficult for companies to know whether intruders like the “Albanian hacker” are linked to terrorist groups. Determining the provenance of an attack or a digital ransom demand requires difficult forensics.
But since so much of public infrastructure in the United States is owned by the private sector, including electric utilities, the government and private businesses will find themselves needing to work together more often.
“It’s actually critical to collaborate,” Reed said.