{
	"id": "7de64d74-8dfe-4c83-b4a3-045f35e658bf",
	"created_at": "2026-04-06T00:11:17.108608Z",
	"updated_at": "2026-04-10T03:37:50.799956Z",
	"deleted_at": null,
	"sha1_hash": "c4bf9d6f644fc95c0cc8061fc2e9ba8d400d7adf",
	"title": "Russian hackers posed as IS to threaten military wives",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46842,
	"plain_text": "Russian hackers posed as IS to threaten military wives\r\nBy RAPHAEL SATTER\r\nPublished: 2018-05-08 · Archived: 2026-04-05 16:14:30 UTC\r\nPARIS (AP) — Army wife Angela Ricketts was soaking in a bubble bath in her Colorado home, leafing through a\r\nmemoir, when a message appeared on her iPhone:\r\n“Dear Angela!” it said. “Bloody Valentine’s Day!”\r\n“We know everything about you, your husband and your children,” the Facebook message continued, claiming\r\nthat the hackers operating under the flag of Islamic State militants had penetrated her computer and her phone.\r\n“We’re much closer than you can even imagine.”\r\nRicketts was one of five military wives who received death threats from the self-styled CyberCaliphate on the\r\nmorning of Feb. 10, 2015. The warnings led to days of anguished media coverage of Islamic State militants’\r\nonline reach.\r\nExcept it wasn’t IS.\r\nThe Associated Press has found evidence that the women were targeted not by jihadists but by the same Russian\r\nhacking group that intervened in the American election and exposed the emails of Hillary Clinton’s presidential\r\ncampaign chairman, John Podesta.\r\nThe false flag is a case study in the difficulty of assigning blame in a world where hackers routinely borrow one\r\nanother’s identities to throw investigators off track. The operation also parallels the online disinformation\r\ncampaign by Russian trolls in the months leading up to the U.S. election in 2016.\r\nLinks between CyberCaliphate and the Russian hackers — typically nicknamed Fancy Bear or APT28 — have\r\nbeen documented previously. On both sides of the Atlantic, the consensus is that the two groups are closely\r\nrelated.\r\nBut that consensus never filtered through to the women involved, many of whom were convinced they had been\r\ntargeted by Islamic State sympathizers right up until the AP contacted them.\r\n“Never in a million years did I think that it was the Russians,” said Ricketts, an author and advocate for veterans\r\nand military families. She called the revelation “mind blowing.”\r\n“It feels so hilarious and insidious at the same time.”\r\n‘COMPLETELY NEW GROUND’\r\nAs Ricketts scrambled out of the tub to show the threat to her husband, nearly identical messages reached Lori\r\nVolkman, a deputy prosecutor based in Oregon who had won fame as a blogger after her husband deployed to the\r\nMiddle East; Ashley Broadway-Mack, based in the Washington, D.C., area and head of an association for gay and\r\nlesbian military family members; and Amy Bushatz, an Alaska-based journalist who covers spouse and family\r\nissues for Military.com.\r\nLiz Snell, the wife of a U.S. Marine, was at her husband’s retirement ceremony in California when her phone\r\nrang. The Twitter account of her charity, Military Spouses of Strength, had been hacked. It was broadcasting\r\npublic threats not only to herself and the other spouses, but also to their families and then-first lady Michelle\r\nObama.\r\nSnell flew home to Michigan from the ceremony, took her children and checked into a Comfort Inn for two nights.\r\n“Any time somebody threatens your family, Mama Bear comes out,” she said.\r\nThe women determined they had all received the same threats. They were also all quoted in a CNN piece about\r\nthe hacking of a military Twitter feed by CyberCaliphate only a few weeks earlier. In it, they had struck a defiant\r\ntone. After they received the threats, they suspected that CyberCaliphate singled them out for retaliation.\r\nThe women refused to be intimidated.\r\n“Fear is exactly what — at the time — we perceived ISIS wanted from military families,” said Volkman, using\r\nanother term for the Islamic State group.\r\nVolkman was quoted in half a dozen media outlets; Bushatz wrote an article describing what happened; Ricketts,\r\ninterviewed as part of a Fox News segment devoted to the menace of radical Islam, told TV host Greta Van\r\nSusteren that the nature of the threat was changing.\r\n“Military families are prepared to deal with violence that’s directed toward our soldiers,” she said. “But having it\r\ndirected toward us is just complete new ground.”\r\n‘WE MIGHT BE SURPRISED’\r\nA few weeks after the spouses were threatened, on April 9, 2015, the signal of French broadcaster TV5 Monde\r\nwent dead.\r\nThe station’s network of routers and switches had been knocked out and its internal messaging system disabled.\r\nPasted across the station’s website and Facebook page was the keffiyeh-clad logo of CyberCaliphate.\r\nThe cyberattack shocked France, coming on the heels of jihadist massacres at the satirical magazine Charlie\r\nHebdo and a kosher supermarket that left 17 dead. French leaders decried what they saw as another blow to the\r\ncountry’s media. Interior Minister Bernard Cazeneuve said evidence suggested the broadcaster was the victim of\r\nan act of terror.\r\nBut Guillaume Poupard, the chief of France’s cybersecurity agency, pointedly declined to endorse the minister’s\r\ncomments when quizzed about them the day after the hack.\r\n“We should be very prudent about the origin of the attack,” he told French radio. “We might be surprised.”\r\nGovernment experts poring over the station’s stricken servers eventually vindicated Poupard’s caution, finding\r\nevidence they said pointed not to the Middle East but to Moscow.\r\nSpeaking to the AP last year, Poupard said the attack “resembles a lot what we call collectively APT28.”\r\nRussian officials in Washington and in Moscow did not respond to questions seeking comment. The Kremlin has\r\nrepeatedly denied masterminding hacks against Western targets.\r\n‘THE MEDIA PLAYED RIGHT INTO IT’\r\nProof that the military wives were targeted by Russian hackers is laid out in a digital hit list provided to the AP by\r\nthe cybersecurity company Secureworks last year. The AP has previously used the list of 4,700 Gmail addresses to\r\noutline the group’s espionage campaign against journalists, defense contractors and U.S. officials. More recent\r\nAP research has found that Fancy Bear, which Secureworks dubs “Iron Twilight,” was actively trying to break into\r\nthe military wives’ mailboxes around the time that CyberCaliphate struck.\r\nLee Foster, a manager with cybersecurity company FireEye, said the repeated overlap between Russian hackers\r\nand CyberCaliphate made it all but certain that the groups were linked.\r\n“Just think of your basic probabilities,” he said.\r\nCyberCaliphate faded from view after the TV5 Monde hack, but the over-the-top threats issued by the gang of\r\nmake-believe militants found an echo in the anti-Muslim sentiment whipped up by the St. Petersburg troll farm —\r\nan organization whose operations were laid bare by a U.S. special prosecutor’s indictment earlier this year.\r\nThe trolls — Russian employees paid to seed American social media with disinformation — often hyped the threat\r\nof Islamic State militants to the United States. A few months before CyberCaliphate first won attention by\r\nhijacking various media organizations’ Twitter accounts, for example, the trolls were spreading false rumors about\r\nan Islamic State attack in Louisiana and a counterfeit video appearing to show an American soldier firing into a\r\nQuran.\r\nThe AP has found no link between CyberCaliphate and the St. Petersburg trolls, but their aims appeared to be the\r\nsame: keep tension at a boil and radical Islam in the headlines.\r\nBy that measure, CyberCaliphate’s targeting of media outlets like TV5 Monde and the military spouses succeeded\r\nhandily.\r\nRicketts, the author, said that by planting threats with some of the most vocal members of the military community,\r\nCyberCaliphate guaranteed maximum press coverage.\r\n“Not only did we play right into their hands by freaking out, but the media played right into it,” she said. “We\r\nreacted in a way that was probably exactly what they were hoping for.”\r\n___\r\nSatter reported from Paris. Associated Press writers Michael Conroy in Bloomington, Indiana; Jeff Donn in\r\nPlymouth, Massachusetts; and Desmond Butler in Washington contributed to this report.\r\n___\r\nOnline:\r\nSatter can be reached at: http://raphaelsatter.com\r\nSource: https://www.apnews.com/4d174e45ef5843a0ba82e804f080988f",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://www.apnews.com/4d174e45ef5843a0ba82e804f080988f"
	],
	"report_names": [
		"4d174e45ef5843a0ba82e804f080988f"
	],
	"threat_actors": [
		{
			"id": "ea4f255b-346d-4907-a801-1f797a99d4b0",
			"created_at": "2023-01-06T13:46:38.693529Z",
			"updated_at": "2026-04-10T02:00:03.070408Z",
			"deleted_at": null,
			"main_name": "Cyber Caliphate Army",
			"aliases": [
				"UUC",
				"CyberCaliphate",
				"Islamic State Hacking Division",
				"CCA",
				"United Cyber Caliphate"
			],
			"source_name": "MISPGALAXY:Cyber Caliphate Army",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434277,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c4bf9d6f644fc95c0cc8061fc2e9ba8d400d7adf.pdf",
		"text": "https://archive.orkl.eu/c4bf9d6f644fc95c0cc8061fc2e9ba8d400d7adf.txt",
		"img": "https://archive.orkl.eu/c4bf9d6f644fc95c0cc8061fc2e9ba8d400d7adf.jpg"
	}
}