ISIS social media accounts are buzzing with a spreadsheet of personal data on employees of the American, British, and Australian governments, including military personnel. The Islamic State claims this list was compiled using data stolen from government systems by its “hacking division,” although some experts who have reviewed the list say most of it was more likely created using simple Google searches of publicly available data. There are about 1,400 individuals included on the list.
The list was accompanied by a message from the “Islamic State Hacking Division,” transcribed by Sky News:
O Crusaders, as you continue your aggression towards the Islamic State and your bombing campaign against the Muslims, know that we are in your emails and computer systems, watching and recording your every move.
We have your names and addresses, we are in your emails and social media accounts, we are extracting confidential data and passing on your personal information to the soldiers of the khilafah, who soon with the permission of Allah will strike at your necks in your own lands.
So wait, we too are waiting.
The Sydney Morning Herald criticizes Australian officials for being “caught on their heels” by the hit list, which includes Defense Force employees and a Victorian MP. Even though “Australia’s most senior Islamic State militant, former Melbourne man and terror recruiter Neil Prakash” was posting links to the hit list early Wednesday morning, at least half of the Australians targeted by ISIS said they were unaware of the threat until they were informed by the media… which contacted them using the phone numbers published by the Islamic State.
“I’m completely at a loss,” said the aforementioned MP, who at least has access to a security detail assigned to protect elected officials. “What do I do? The police probably know less than you and I.” Defense Force employees on the list said they were in shock no one from the government had warned them. Various agencies of the Australian government declined to discuss the matter.
In addition to Prakash – who crowed “Cyber war got em shook!” and “Kill them where you find them and enslave their women” on Twitter – the Herald reports “other prominent militants, including British man Junaid Hussain, who is third on a CIA kill list of Islamic State operatives, also used social media to promote the leak and encourage attacks.”
Sky News reports the hit list includes British Foreign Office employees, plus a “local council employee.”
Most of the names on the list are American, including personnel from the Air Force, Marines, NASA, FBI, and the Port Authority of New York and New Jersey. Russian state outlet RT.com says the list also includes “a worker in an Israeli magistrate’s court” and “someone in a college in Mississippi.”
The RT.com article mentions some reasons for skepticism about the Islamic State’s claim that this list includes confidential information obtained by hackers: some of the phone numbers appear to be disconnected, while the purportedly stolen U.S. military passwords appearing on the list are “too weak to pass the guidelines of an official computer system operated by the Pentagon.” The Sydney Morning Herald also found some of the information published on the list to be outdated.
“This is the second or third time they’ve claimed that and the first two times I’ll tell you, whatever lists they got were not taken by any cyber attack,” said Army Chief of Staff General Ray Odierno, as quoted by the UK Guardian.
The Guardian also cites the opinion of computer security expert Troy Hunt, who said the of the supposedly hacked data: “It’s pretty clear that it’s been aggregated from different sources. It’s been put together on the basis of a .gov or .mil address. Even the passwords, they’re not strong enough to have come from a corporate or government. They’re not even strong enough to have come from an online service – you can’t create a Gmail account, for example, with a password of less than eight characters, and here we’re seeing some passwords of three letters.”
The UK Daily Mail notes that Twitter administrators appear to have shut down the Islamic State Hacking Division’s account three times on Wednesday while it attempted to spread its hit list around, leading to the creation of a fourth terrorist account with the message, “Kuffar seem to be raging.”