{
	"id": "a60fb3c7-31dd-44a3-8fdf-ff101d11178c",
	"created_at": "2026-04-06T00:09:50.379907Z",
	"updated_at": "2026-04-10T03:37:49.662899Z",
	"deleted_at": null,
	"sha1_hash": "e548a286b6eb3a55e4f8d7e16f68ebf730215e5b",
	"title": "Cyber Caliphate Army (CCA), United Cyber Caliphate (UCC)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54765,
	"plain_text": "Cyber Caliphate Army (CCA), United Cyber Caliphate (UCC)\r\nArchived: 2026-04-05 19:49:30 UTC\r\nHome \u003e List all groups \u003e Cyber Caliphate Army (CCA), United Cyber Caliphate (UCC)\r\n APT group: Cyber Caliphate Army (CCA), United Cyber Caliphate (UCC)\r\nNames\r\nCyber Caliphate Army (CCA) (self given)\r\nUnited Cyber Caliphate (UCC) (self given)\r\nIslamic State Hacking Division (self given)\r\nATK 133 (Thales)\r\nTAG-CT6 (Recorded Future)\r\nCountry [ISIS]\r\nMotivation Sabotage and destruction\r\nFirst seen 2014\r\nDescription\r\n(Wikipedia) Islamic State Hacking Division or United Cyber Caliphate refers to any\r\nnumber of groups self-identifying as the digital army for Islamic State of Iraq and\r\nLevant. The cyber security group had pledged allegiance to Jeremy An and his\r\nobjectives in late 2014. Their recent claims and hacks have led FBI director James\r\nComey to state that his agency does not yet have the capabilities to limit ISIL\r\nattempts to recruit Americans through social media. Russian military hackers have\r\nbeen identified as using the CyberCaliphate moniker to cover several hacking attacks,\r\nnotably on TV5Monde and the Twitter of US CENTCOM.\r\nA list of names and details said to be of American military personnel was released by\r\nunknown parties who said they were part of the ISHD, but doubts were raised on the\r\nsource and nature of the data.\r\nObserved\r\nSectors: Defense, Government.\r\nCountries: Australia, Canada, UK, USA.\r\nTools used\r\nOperations performed Feb 2015 U.S. military wives’ death threats\r\nFive military wives received death threats from a hacker group calling\r\nitself “CyberCaliphate”, claiming to be an Islamic State affiliate, on\r\nFebruary 10, 2015. 
This was later discovered to have been a false flag\r\nattack by Sofacy, APT 28, Fancy Bear, Sednit, when the victims’ email\r\naddresses were found to have been in the Fancy Bear phishing target\r\nlist.\r\n\u003chttps://www.apnews.com/4d174e45ef5843a0ba82e804f080988f\u003e\r\nApr 2015\r\nTasmania's Hobart International Airport website has been shut down\r\nafter it was hacked and defaced with a statement supporting the radical\r\nIslamist group\r\n\u003chttps://www.telegraph.co.uk/news/worldnews/islamic-state/11531794/Australian-airport-website-hacked-by-Islamic-State.html\u003e\r\nApr 2015\r\nCompromise of TV5Monde in France\r\n“A group calling itself the Cyber Caliphate, linked to so-called Islamic\r\nState, first claimed responsibility. But an investigation now suggests\r\nthe attack was in fact carried out by a group of Russian hackers.\r\n(Sofacy, APT 28, Fancy Bear, Sednit, ed.)”\r\n\u003chttps://www.bbc.com/news/technology-37590375\u003e\r\nJun 2015\r\nISIS 'kill list' includes names of 151 Canadians\r\n\u003chttps://www.cbc.ca/news/canada/isis-kill-list-canadians-1.3637214\u003e\r\nAug 2015\r\nIsis 'hacking division' releases details of 1,400 Americans and urges\r\nattacks\r\n\u003chttps://www.theguardian.com/world/2015/aug/13/isis-hacking-division-releases-details-of-1400-americans-and-urges-attacks\u003e\r\nSep 2015\r\nISIS hackers intercept top secret British Government emails in major\r\nsecurity breach uncovered by GCHQ\r\n\u003chttps://www.mirror.co.uk/news/uk-news/isis-hackers-intercept-top-secret-6428423\u003e\r\nApr 2017\r\nISIS-linked Cyber Group Releases 'Kill List' of 8,786 US Targets For\r\nLone Wolf Attacks\r\n\u003chttps://www.newsweek.com/isis-linked-cyber-group-releases-kill-list-8786-us-targets-lone-wolf-attacks-578765\u003e\r\nInformation \u003chttps://en.wikipedia.org/wiki/Islamic_State_Hacking_Division\u003e\r\nLast change to this 
card: 09 December 2021\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=82cebb46-cbb7-49b5-8405-1f04b46f1b5c\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=82cebb46-cbb7-49b5-8405-1f04b46f1b5c\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=82cebb46-cbb7-49b5-8405-1f04b46f1b5c"
	],
	"report_names": [
		"showcard.cgi?u=82cebb46-cbb7-49b5-8405-1f04b46f1b5c"
	],
	"threat_actors": [
		{
			"id": "5d2bd376-fcdc-4c6a-bc2c-17ebbb5b81a4",
			"created_at": "2022-10-25T16:07:23.667223Z",
			"updated_at": "2026-04-10T02:00:04.705778Z",
			"deleted_at": null,
			"main_name": "GCHQ",
			"aliases": [
				"Government Communications Headquarters",
				"Operation Socialist"
			],
			"source_name": "ETDA:GCHQ",
			"tools": [
				"Prax",
				"Regin",
				"WarriorPride"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ea4f255b-346d-4907-a801-1f797a99d4b0",
			"created_at": "2023-01-06T13:46:38.693529Z",
			"updated_at": "2026-04-10T02:00:03.070408Z",
			"deleted_at": null,
			"main_name": "Cyber Caliphate Army",
			"aliases": [
				"UUC",
				"CyberCaliphate",
				"Islamic State Hacking Division",
				"CCA",
				"United Cyber Caliphate"
			],
			"source_name": "MISPGALAXY:Cyber Caliphate Army",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17349388-cae3-44b2-8f8b-225b91aebe15",
			"created_at": "2022-10-25T16:07:23.519419Z",
			"updated_at": "2026-04-10T02:00:04.638033Z",
			"deleted_at": null,
			"main_name": "Cyber Caliphate Army (CCA)",
			"aliases": [
				"ATK 133",
				"Cyber Caliphate Army (CCA)",
				"Islamic State Hacking Division",
				"TAG-CT6",
				"United Cyber Caliphate (UCC)"
			],
			"source_name": "ETDA:Cyber Caliphate Army (CCA)",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434190,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e548a286b6eb3a55e4f8d7e16f68ebf730215e5b.pdf",
		"text": "https://archive.orkl.eu/e548a286b6eb3a55e4f8d7e16f68ebf730215e5b.txt",
		"img": "https://archive.orkl.eu/e548a286b6eb3a55e4f8d7e16f68ebf730215e5b.jpg"
	}
}