George Osborne, the British chancellor of the Exchequer, said in a speech last month that Islamic State militants were trying to develop the ability to carry out digital attacks on critical systems, like hospitals, air traffic controls and power plants.
In the United States, Clifton Triplett, the new cybersecurity adviser hired by the Office of Personnel Management to help get the agency back on track after a series of hackings traced to China, said this month that he expected the Islamic State, also known as ISIS, might ultimately breach the agency’s systems, too.
But private security researchers who track the Islamic State’s online efforts say the group’s capabilities are in fact not much better than those of tech-savvy teenagers who deface websites for thrills. That view illustrates a growing perception gap between officials’ fears and what security experts consider a believable threat. Indeed, two men considered the Islamic State’s most sophisticated hackers have been sidelined. One is dead; the other, in jail.
“To date, the attacks attributed or believed to be conducted by ISIS have been embarrassing, but not necessarily complex or sophisticated,” said Christopher Ahlberg, the chief executive and co-founder of Recorded Future, a company based in Somerville, Mass., that analyzes online threats.
Mr. Ahlberg cautioned that the Islamic State is trying to recruit replacements for the hackers it lost. But, for now, its hacking capabilities appear rudimentary.
In April, an attack knocked a French television station, TV5Monde, off the air for nearly an entire day. At first, the hacking was attributed to the Islamic State. But security experts later tied it to a Russian group engaged in what appeared to be an aggressive counterintelligence operation — aimed at gleaning more information about ISIS.
Indeed, the online focus of Islamic State members and sympathizers has been recruitment, not computer attacks. A search of password-protected, online ISIS forums by Recorded Future yields mild discussion of digital attacks elsewhere on the web, for instance, those launched by the activist hacker group known as the Lizard Squad. But little emerges on politically motivated hacking planning or substance.
Mr. Ahlberg said his company, which pulls intelligence from open and closed web forums, ISIS propaganda forums, social media and an array of other information tools, has yet to see any public pronouncement from the Islamic State that would indicate it has acquired hacking capabilities.
Hacking attacks are barely mentioned in Dabiq, the Islamic State’s online magazine, and other instructional documents, according to an analysis by Recorded Future. The words “cyber,” “cyber-attack” and “hacking” do not appear in any of the 740 recent ISIS propaganda and instructional materials that Mr. Ahlberg’s company looked at. Nor do any ISIS materials focus on such attacks as a core ambition.
Of the two Islamic State sympathizers believed to have the most sophisticated hacking skills, one, Ardit Ferizi, a 20-year-old citizen of Kosovo, has been imprisoned in Malaysia. He is awaiting extradition to the United States where he faces up to 35 years in prison, according to a Justice Department indictment.
The other, Junaid Hussain, a 21-year-old British-born Pakistani who is credited with breaking into the United States Central Command’s Twitter and YouTube accounts in January, was killed in a drone strike in Syria in August.
Still, officials worry that even with their ranks of talented hackers depleted, the Islamic State could one day recruit more sophisticated hackers. The group has already shown itself to be adept at using social media to draw in new members, said Rita Katz, the executive director and co-founder of the SITE Intelligence Group, which monitors ISIS’s online activity.
Online discussions among ISIS members used to take place almost exclusively in password-protected forums, Ms. Katz said. But Twitter, YouTube and Tumblr offer a far bigger audience, as well as a means of communicating with other fighters and prospective recruits.
It was on Twitter that Mr. Hussain and Mr. Ferizi, both well-known hackers, re-emerged as ISIS fighters. On Twitter, Mr. Hussain publicly instigated online attacks, posted information on American military forces and officers, and cheered on other fighters in the group, according to Ms. Katz.
“Junaid Hussain and Ardit Ferizi are exactly the type of people ISIS is trying to recruit,” Mr. Ahlberg said. Both were young, alienated from society and proficient with computers.
Mr. Hussain was born in Birmingham, England, and began hacking as a teenager with a pro-Palestinian group called Team Poison, which has hit a range of targets, including Mark Zuckerberg’s personal Facebook page and NATO’s website. After a six-month stint in a British prison for hacking into the address book of Tony Blair, Mr. Hussain resurfaced with a new identity: In his new Twitter photo, a scarf masks the lower half of his face, he is pointing a weapon at the viewer, and he has acquired a nom de guerre: Abu Hussain al-Britani.
Mr. Ferizi was born in Kosovo one year after Mr. Hussain and started hacking as a teenager for a group called Kosova Hacker’s Security. Last summer, while studying in Malaysia, he began passing information stolen in a K.H.S. breach to Mr. Hussain, including the personal data of more than 1,000 American service members and federal employees, according to his indictment. The two linked up on Twitter.
And that, Ms. Katz said, is where she believes the government battle against the Islamic State is falling short. A study by the Brookings Institution published in March estimated that in the last quarter of 2014, ISIS supporters used at least 46,000 Twitter accounts, each with an average of about 1,000 followers. Whenever Twitter suspended one account, others popped up almost instantaneously.
“Twitter is going to continue to be the main problem we face right now because it takes no time for ISIS to find lone wolves to pull off its plots and attacks,” Ms. Katz said.