The attack seemed like a garden-variety digital holdup.
A computer intruder, calling himself the “Albanian hacker,” left a message for the administrator of a website for an Illinois internet retailer: Pay two Bitcoins, or about $500 at the time, and the intruder would “remove all bugs on your shop!”
Such demands are typical among underground hackers who infect computers with malicious code and seize control of them, freeing them only after receiving a payment.
But this case was more than a surreptitious digital mugging. The trespasser had ties to the Islamic State Hacking Division, a terrorist cyber unit, and before it was over he’d put together a “kill list” for the Islamic State with the identities of 1,351 U.S. government and military personnel from the 100,000 names, credit card records and Social Security numbers he’d extracted from the host server.
The hacker operated in a gray area where criminal and terror interests blend messily to test malicious computer code, raise funds and identify Western targets. That overlap raises fresh concerns for U.S. businesses hit by cybercrime and for the government agents tasked with defeating it: If a business tries to make a problem quietly disappear, it may effectively be hindering government efforts to monitor terrorism. The need for collaboration between business and government on internet security has soared, even as distrust has risen between network managers and law enforcement.
The case of Ardit Ferizi, an ethnic Albanian who was raised in Kosovo, is typical of hackers who “might act on behalf of a group but are also doing it for their own profit, for criminal means,” said John P. Carlin, the assistant attorney general for national security.
Ferizi’s case is also notable because his handiwork generated one of the first “kill lists” issued by the Islamic State designed to generate fear and publicity. FBI agents used the early list of U.S. military and government employees to notify the targeted individuals. More recent lists have included thousands of ordinary civilians and even U.S. Muslims the terrorist group considers apostates.
Ferizi, 21, was extradited from Malaysia last autumn and has been held by U.S. Marshals since then. On June 15, Ferizi signed a plea agreement in Alexandria, Va., in which he admitted to providing material support to terrorists and to computer hacking. He also signed a statement of facts outlining details of that support.
It marked one of the federal government’s first successful cyberterrorism cases in which an individual in custody admitted a link to a foreign terrorist organization.
Ferizi’s story is gleaned from federal court records, and an interview he once gave to Infosec Institute, a Chicago-based training center for technology professionals that also does research on hackers.
A native of Gjakova in western Kosovo, Ferizi was largely self-trained in computers. By his late teens he had formed the Kosova Hacker’s Security, a group with vague pro-Muslim objectives. He adopted the moniker @Th3Dir3ctorY, and claimed that the group had hacked systems in Serbia, Greece, Ukraine, France and the United States, including Microsoft’s Hotmail servers and a research domain operated by IBM.
In early 2015, Ferizi traveled to Malaysia to study and “in part to get better access to bandwidth” to carry out cyberattacks, Carlin said.
His tools? A Dell Latitude laptop, a second MSI laptop and a computer application known as DUBrute, which allows a user to seize control of another computer remotely.
Ferizi had already established contact with Junaid Hussain, a Briton whom Carlin called “one of the most notorious cyber terrorists in the world.” At the time, Hussain lived in the Syrian city of Raqqa, the de facto capital of the Islamic State. A charismatic hacker of Pakistani descent, Hussain had once run a collective, TeaMpOisoN, and had a club of fanboys.
One day last August, a system administrator at the Illinois company, which is not named in court documents, contacted the FBI about a cyber ransom demand. Appealing to the feds for help was an unusual step.
“Most companies today pay the 500 bucks and go back to business,” Carlin said at a June 28 forum at the Center for Strategic and International Studies, a public policy and research group in Washington.
But Ferizi already had what he wanted. He’d spent the previous two months gathering and culling information from the company’s servers and passing the data to the Islamic State. According to Ferizi’s signed “statement of facts” in his case, the hacker searched the server for email addresses ending in “.gov” or “.mil,” indications that they belonged to civilian government or military employees.
On Aug. 11, the ISIS cyber army leader, Junaid Hussain, tweeted a link to a 30-page document containing vast details about 1,351 U.S. personnel, calling them “Crusaders” who were conducting a “bombing campaign against the muslims.” He said followers would “strike at your necks in your own lands!”
It was a coup for Hussain, but not one he’d live long to boast about.
A drone strike killed the British Islamic State hacker near Raqqa on Aug. 24. At the time, Hussain is said to have ranked No. 3 on a U.S. list of terror group members to be eliminated.
No direct link is publicly known between the drone attack and his release of the “kill list.”
© 2016 McClatchy Washington Bureau. Distributed by Tribune Content Agency, LLC.