{ "id": "a0f83eee-bb5e-46e4-8efc-ae5441693dd0", "created_at": "2026-04-06T00:06:37.716943Z", "updated_at": "2026-04-10T03:38:09.954Z", "deleted_at": null, "sha1_hash": "07d4bd7ac5d7a7662acf7b4adf836fa9482dfa7e", "title": "Islamic State Hacking Division", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 125088, "plain_text": "Islamic State Hacking Division\r\nBy Contributors to Wikimedia projects\r\nPublished: 2015-08-12 · Archived: 2026-04-02 12:06:56 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nIslamic State Hacking Division\r\nAlso known as United Cyber Caliphate\r\nFoundation 2014\r\nDates of operation 2014–Present\r\nAllegiance Islamic State\r\nStatus Active\r\nThe Islamic State Hacking Division (ISHD) or The United Cyber Caliphate (UCC) is a merger of several\r\nhacker groups self-identifying as the digital army for the Islamic State of Iraq and Levant (ISIS/ISIL). The\r\nunified organization comprises at least four distinct groups, including the Ghost Caliphate Section, Sons\r\nCaliphate Army (SCA), Caliphate Cyber Army (CCA), and the Kalashnikov E-Security Team. Other groups\r\npotentially involved with the United Cyber Caliphate are the Pro-ISIS Media group Rabitat Al-Ansar (League\r\nof Supporters) and the Islamic Cyber Army (ICA).[1] Evidence does not support the direct involvement of the\r\nIslamic State leadership. It suggests external and independent coordination of Pro-ISIS cyber campaigns under\r\nthe United Cyber Caliphate (UCC) name.[2] Investigations also display alleged links to Russian Intelligence\r\ngroup, APT28, using the name as a guise to wage war against western nations.[3][4]\r\nThe group's actions have included online recruiting, website defacement, social media hacks, denial-of-service\r\nattacks, and doxing with 'kill lists.'[5][6][7] The group is classified as low-threat and inexperienced because their\r\nhistory of attacks requires a low level of sophistication and rely on publicly available hacking tools.[8][9]\r\nExperts raised doubts about the source and nature of data from released 'kill lists' containing personal information\r\nabout U.S. Military personnel claimed stolen from hacked U.S. government servers. There is no evidence that the\r\nhttps://en.wikipedia.org/wiki/Islamic_State_Hacking_Division\r\nPage 1 of 4\n\nUnited Cyber Caliphate (UCC) compromised U.S. systems. The data included public, unclassified, and often\r\noutdated information about civilians, non-U.S. citizens, and others built from old data breaches or web scraped\r\ndata.[10][11]\r\nU.S., French, and German intelligence investigated attacks following the French Television Channel TV5Monde\r\nhack and The U.S. CENTCOM Twitter attack. All three countries linked actions by the United Cyber Caliphate\r\n(UCC) to APT 28 (aka Fancy Bear), a Russian intelligence group.[3][4]\r\nThe group first emerged in hacking operations against U.S. websites in January 2015 as the Cyber Caliphate\r\nArmy (CCA).\r\n[1]\r\n In March 2015, the Islamic State published a \"kill list\" on a website that included names, ranks,\r\nand addresses of 100 U.S. military members.[12]\r\nA pattern of similar attacks emerged after the media coverage. At least 19 individual 'kill lists,' including personal\r\ninformation of American, Canadian, and European citizens released between March 2015 and June 2016.[13] On\r\nApril 4, 2016, all four groups united as the United Cyber Caliphate (UCC).[14]\r\nIn June 2016, the Middle East Media Research Institute found and revealed to the media an alleged list of\r\napproximately 8,300 people around the world as potential lone-wolf attack targets.[15]\r\nSuccessful attacks since mid-2014\r\n[edit]\r\nWebsite belonging to the Hobart Airport was defaced.[16][17]\r\nFrench TV5Monde live feed hacked, social media hacked and defaced with the message \"Je Suis ISIS\".[18]\r\nFrench investigators later discounted this, instead suspecting the involvement of a hacking group, APT28,\r\nallegedly linked to the Russian government.[19]\r\nISIS hacks Swedish radio station and broadcasts recruitment song [20]\r\nUnited States' military database hacked in early August and data pertaining to approximately 1400\r\npersonnel posted online.[21]\r\nTop secret British government emails hacked. The emails pertained to top cabinet ministers. The intrusion\r\nwas detected by GCHQ.[22]\r\nFebruary 28, 2016, Caliphate Cyber Army (CCA) carried out a cyber attack on the website of Solar UK, a\r\ncompany in the town of Battle, England. Customers were being redirected to a web page featuring the ISIS\r\nlogo accompanied by a string of threats. “Fear us,” the page stated. “We are the Islamic Cyber Army”.[23]\r\n[24]\r\nOn April 15, 2016 (Friday), Islamic State hackers under the name UCC successfully hacked 20 Australian\r\nwebsites in a coordinated attack on Australian business. Some of the websites redirected to the website\r\ncontaining their content.[25]\r\nIn early April 2017, UCC released a kill list of 8,786 people.[26]\r\nIn mid 2019, Islamic State affiliated hacking group hijacked 150 targeted Twitter handles using an\r\nunknown vulnerability.\r\n[27]\r\nhttps://en.wikipedia.org/wiki/Islamic_State_Hacking_Division\r\nPage 2 of 4\n\n1. ^ Jump up to: a\r\n \r\nb\r\n Alkhouri, Laith (2016). \"Hacking for ISIS: The Emergent Cyber Threat Landscape\"\r\n(PDF). Flashpoint. Archived from the original (PDF) on 2020-11-01. Retrieved 2020-12-08.\r\n2. ^ Alexander, Audrey (April 2019). \"Doxing and Defacements: Examining the Islamic State's Hacking\r\nCapabilities\". CTC Sentinel. 12 (4). Archived from the original on 2023-02-03. Retrieved 2020-12-08 – via\r\nCombating Terrorism Center at West Point.\r\n3. ^ Jump up to: a\r\n \r\nb\r\n \"False Flags: The Kremlin's Hidden Cyber Hand\". Observer. 2016-06-18. Retrieved\r\n2017-09-25.\r\n4. ^ Jump up to: a\r\n \r\nb\r\n \"Defense Intelligence Agency Releases Russia Military Power Assessment\". Defense\r\nIntelligence Agency. Archived from the original on 2018-03-31.\r\n5. ^ Theodore Schleifer (18 June 2015). \"FBI director: We can't yet limit ISIS on social media -\r\nCNNPolitics.com\". CNN.\r\n6. ^ Emma Graham-Harrison (12 April 2015). \"Could Isis's 'cyber caliphate' unleash a deadly attack on key\r\ntargets?\". the Guardian.\r\n7. ^ \"Flashpoint - Cyber Jihadists Dabble in DDoS: Assessing the Threat\". Flashpoint. 2017-07-13.\r\nRetrieved 2020-12-09.\r\n[permanent dead link]\r\n8. ^ Lamothe, Dan. \"U.S. military social media accounts apparently hacked by Islamic State sympathizers\".\r\nWashington Post. ISSN 0190-8286. Retrieved 2020-12-09.\r\n9. ^ Bernard, Rose (2017-05-04). \"These are not the terrorist groups you're looking for: an assessment of the\r\ncyber capabilities of Islamic State\". Journal of Cyber Policy. 2 (2): 255–265.\r\ndoi:10.1080/23738871.2017.1334805. ISSN 2373-8871.\r\n10. ^ \"Doubts cast on Islamic State's so-called leak of US .mil, .gov passwords\". theregister.co.uk.\r\n11. ^ Desk, ICT Cyber (2016). \"Case Study ? \"Killing Lists\" ? The Evolution of Cyber Terrorism?\". Case Study\r\n– \"Killing Lists\" – The Evolution of Cyber Terrorism?. pp. 34–39. ;\r\n12. ^ Schmidt, Michael S. (21 March 2015). \"ISIS Urges Sympathizers to Kill U.S. Service Members it\r\nIdentifies on Website\". The New York Times. Retrieved 8 December 2020.\r\n13. ^ Arsenault, Adrienne (15 June 2016). \"ISIS 'kill list' includes names of 151 Canadians\". CBC.ca.\r\nRetrieved 16 June 2016.\r\n14. ^ \"Special Report: Kill Lists from Pro-IS Hacking Groups\" (PDF). SITE Intelligence. 2016.\r\n15. ^ \"Are you on the Islamic State's kill list? Check here\". 10 June 2016. Retrieved 16 June 2016.\r\n16. ^ \"Australian airport website hacked by Islamic State\". Telegraph.co.uk. 13 April 2015.\r\n17. ^ \"IS supporters hack Australian airport website\". San Diego Union Tribune. 13 April 2015. Retrieved\r\n2023-08-18.\r\n18. ^ \"Europe - France's TV5Monde targeted in 'IS group cyberattack'\". France 24. 9 April 2015.\r\n19. ^ \"France probes Russian lead in TV5Monde hacking: sources\". Reuters. 10 June 2015. Retrieved 9 July\r\n2015.\r\n20. ^ \"Someone Hacked Swedish Radio Station to Play Pro-ISIS Song\". 11 November 2017.\r\n21. ^ Safi, Michael (13 August 2015). \"Isis 'hacking division' releases details of 1,400 Americans and urges\r\nattacks\". the Guardian. Retrieved 2015-08-23.\r\n22. ^ Perry, Keith (11 September 2015). \"ISIS hackers intercept top secret British Government emails\". Daily\r\nMirror. Retrieved 2015-09-21.\r\n23. ^ \"IS hackers target small Battle firm in cyber attack\". BBC News. 28 February 2016. Retrieved 2023-08-\r\n18.\r\nhttps://en.wikipedia.org/wiki/Islamic_State_Hacking_Division\r\nPage 3 of 4\n\n24. ^ \"Solar Panels at Risk of Cyber Attacks, warn Experts\". Cyber Security. 31 May 2023. Retrieved 2023-08-\r\n18.\r\n25. ^ \"'Are you joking?': Small Australian businesses targeted by pro-IS hackers\". ABC News. 15 April 2016.\r\n26. ^ \"ISIS-linked cyber group releases 'kill list' of 8,786 US targets for lone wolf attacks\". Newsweek. 2017-\r\n04-04. Retrieved 2017-04-09.\r\n27. ^ \"ACCA Claims Hacking 150 Twitter Accounts | Dark Web and Cyber Security | Articles\".\r\nent.siteintelgroup.com. 16 July 2019. Archived from the original on 2019-07-16. Retrieved 2019-07-16.\r\nSource: https://en.wikipedia.org/wiki/Islamic_State_Hacking_Division\r\nhttps://en.wikipedia.org/wiki/Islamic_State_Hacking_Division\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "ETDA", "Malpedia" ], "references": [ "https://en.wikipedia.org/wiki/Islamic_State_Hacking_Division" ], "report_names": [ "Islamic_State_Hacking_Division" ], "threat_actors": [ { "id": "5d2bd376-fcdc-4c6a-bc2c-17ebbb5b81a4", "created_at": "2022-10-25T16:07:23.667223Z", "updated_at": "2026-04-10T02:00:04.705778Z", "deleted_at": null, "main_name": "GCHQ", "aliases": [ "Government Communications Headquarters", "Operation Socialist" ], "source_name": "ETDA:GCHQ", "tools": [ "Prax", "Regin", "WarriorPride" ], "source_id": "ETDA", "reports": null }, { "id": "ea4f255b-346d-4907-a801-1f797a99d4b0", "created_at": "2023-01-06T13:46:38.693529Z", "updated_at": "2026-04-10T02:00:03.070408Z", "deleted_at": null, "main_name": "Cyber Caliphate Army", "aliases": [ "UUC", "CyberCaliphate", "Islamic State Hacking Division", "CCA", "United Cyber Caliphate" ], "source_name": "MISPGALAXY:Cyber Caliphate Army", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb", "created_at": "2023-01-06T13:46:38.228042Z", "updated_at": "2026-04-10T02:00:02.883048Z", "deleted_at": null, "main_name": "APT1", "aliases": [ "PLA Unit 61398", "Comment Crew", "Byzantine Candor", "Comment Group", "GIF89a", "Group 3", "TG-8223", "Brown Fox", "ShadyRAT", "G0006", "COMMENT PANDA" ], "source_name": "MISPGALAXY:APT1", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "17349388-cae3-44b2-8f8b-225b91aebe15", "created_at": "2022-10-25T16:07:23.519419Z", "updated_at": "2026-04-10T02:00:04.638033Z", "deleted_at": null, "main_name": "Cyber Caliphate Army (CCA)", "aliases": [ "ATK 133", "Cyber Caliphate Army (CCA)", "Islamic State Hacking Division", "TAG-CT6", "United Cyber Caliphate (UCC)" ], "source_name": "ETDA:Cyber Caliphate Army (CCA)", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-10T02:00:02.954105Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "Pawn Storm", "ATK5", "Fighting Ursa", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0001", "IRON TWILIGHT", "SIG40", "UAC-0028", "Sofacy", "BlueDelta", "Fancy Bear", "GruesomeLarch", "Group 74", "ITG05", "FROZENLAKE", "Forest Blizzard", "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Grizzly Steppe", "G0007" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e3767160-695d-4360-8b2e-d5274db3f7cd", "created_at": "2022-10-25T16:47:55.914348Z", "updated_at": "2026-04-10T02:00:03.610018Z", "deleted_at": null, "main_name": "IRON TWILIGHT", "aliases": [ "APT28 ", "ATK5 ", "Blue Athena ", "BlueDelta ", "FROZENLAKE ", "Fancy Bear ", "Fighting Ursa ", "Forest Blizzard ", "GRAPHITE ", "Group 74 ", "PawnStorm ", "STRONTIUM ", "Sednit ", "Snakemackerel ", "Sofacy ", "TA422 ", "TG-4127 ", "Tsar Team ", "UAC-0001 " ], "source_name": "Secureworks:IRON TWILIGHT", "tools": [ "Downdelph", "EVILTOSS", "SEDUPLOADER", "SHARPFRONT" ], "source_id": "Secureworks", "reports": null }, { "id": "ae320ed7-9a63-42ed-944b-44ada7313495", "created_at": "2022-10-25T15:50:23.671663Z", "updated_at": "2026-04-10T02:00:05.283292Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "source_name": "MITRE:APT28", "tools": [ "Wevtutil", "certutil", "Forfiles", "DealersChoice", "Mimikatz", "ADVSTORESHELL", "Komplex", "HIDEDRV", "JHUHUGIT", "Koadic", "Winexe", "cipher.exe", "XTunnel", "Drovorub", "CORESHELL", "OLDBAIT", "Downdelph", "XAgentOSX", "USBStealer", "Zebrocy", "reGeorg", "Fysbis", "LoJax" ], "source_id": "MITRE", "reports": null }, { "id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab", "created_at": "2022-10-25T16:07:24.212584Z", "updated_at": "2026-04-10T02:00:04.900038Z", "deleted_at": null, "main_name": "Sofacy", "aliases": [ "APT 28", "ATK 5", "Blue Athena", "BlueDelta", "FROZENLAKE", "Fancy Bear", "Fighting Ursa", "Forest Blizzard", "G0007", "Grey-Cloud", "Grizzly Steppe", "Group 74", "GruesomeLarch", "ITG05", "Iron Twilight", "Operation DealersChoice", "Operation Dear Joohn", "Operation Komplex", "Operation Pawn Storm", "Operation RoundPress", "Operation Russian Doll", "Operation Steal-It", "Pawn Storm", "SIG40", "Sednit", "Snakemackerel", "Sofacy", "Strontium", "T-APT-12", "TA422", "TAG-0700", "TAG-110", "TG-4127", "Tsar Team", "UAC-0028", "UAC-0063" ], "source_name": "ETDA:Sofacy", "tools": [ "ADVSTORESHELL", "AZZY", "Backdoor.SofacyX", "CHERRYSPY", "CORESHELL", "Carberp", "Computrace", "DealersChoice", "Delphacy", "Downdelph", "Downrage", "Drovorub", "EVILTOSS", "Foozer", "GAMEFISH", "GooseEgg", "Graphite", "HATVIBE", "HIDEDRV", "Headlace", "Impacket", "JHUHUGIT", "JKEYSKW", "Koadic", "Komplex", "LOLBAS", "LOLBins", "Living off the Land", "LoJack", "LoJax", "MASEPIE", "Mimikatz", "NETUI", "Nimcy", "OCEANMAP", "OLDBAIT", "PocoDown", "PocoDownloader", "Popr-d30", "ProcDump", "PythocyDbg", "SMBExec", "SOURFACE", "SPLM", "STEELHOOK", "Sasfis", "Sedkit", "Sednit", "Sedreco", "Seduploader", "Shunnael", "SkinnyBoy", "Sofacy", "SofacyCarberp", "SpiderLabs Responder", "Trojan.Shunnael", "Trojan.Sofacy", "USB Stealer", "USBStealer", "VPNFilter", "Win32/USBStealer", "WinIDS", "Winexe", "X-Agent", "X-Tunnel", "XAPS", "XTunnel", "Xagent", "Zebrocy", "Zekapab", "carberplike", "certutil", "certutil.exe", "fysbis", "webhp" ], "source_id": "ETDA", "reports": null }, { "id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b", "created_at": "2022-10-25T16:07:23.480196Z", "updated_at": "2026-04-10T02:00:04.626125Z", "deleted_at": null, "main_name": "Comment Crew", "aliases": [ "APT 1", "BrownFox", "Byzantine Candor", "Byzantine Hades", "Comment Crew", "Comment Panda", "G0006", "GIF89a", "Group 3", "Operation Oceansalt", "Operation Seasalt", "Operation Siesta", "Shanghai Group", "TG-8223" ], "source_name": "ETDA:Comment Crew", "tools": [ "Auriga", "Cachedump", "Chymine", "CookieBag", "Darkmoon", "GDOCUPLOAD", "GLOOXMAIL", "GREENCAT", "Gen:Trojan.Heur.PT", "GetMail", "Hackfase", "Hacksfase", "Helauto", "Kurton", "LETSGO", "LIGHTBOLT", "LIGHTDART", "LOLBAS", "LOLBins", "LONGRUN", "Living off the Land", "Lslsass", "MAPIget", "ManItsMe", "Mimikatz", "MiniASP", "Oceansalt", "Pass-The-Hash Toolkit", "Poison Ivy", "ProcDump", "Riodrv", "SPIVY", "Seasalt", "ShadyRAT", "StarsyPound", "TROJAN.COOKIES", "TROJAN.FOXY", "TabMsgSQL", "Tarsip", "Trojan.GTALK", "WebC2", "WebC2-AdSpace", "WebC2-Ausov", "WebC2-Bolid", "WebC2-Cson", "WebC2-DIV", "WebC2-GreenCat", "WebC2-Head", "WebC2-Kt3", "WebC2-Qbp", "WebC2-Rave", "WebC2-Table", "WebC2-UGX", "WebC2-Yahoo", "Wordpress Bruteforcer", "bangat", "gsecdump", "pivy", "poisonivy", "pwdump", "zxdosml" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775433997, "ts_updated_at": 1775792289, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/07d4bd7ac5d7a7662acf7b4adf836fa9482dfa7e.pdf", "text": "https://archive.orkl.eu/07d4bd7ac5d7a7662acf7b4adf836fa9482dfa7e.txt", "img": "https://archive.orkl.eu/07d4bd7ac5d7a7662acf7b4adf836fa9482dfa7e.jpg" } }