An Albanian hacker wormed his way into the computer server of a U.S. online retailer. For two months he sorted through the server, extracting emails and personal data. The business only became aware of the intrusion when he demanded money to restore its files.
WASHINGTON : The attack seemed like a garden-variety digital holdup.
A computer intruder, calling himself the “Albanian hacker,”
left a message for the administrator of a website for an Illinois internet
retailer: Pay two Bitcoins, or about $500 at the time, and the intruder would
“remove all bugs on your shop!”
Such demands are typical among underground hackers who
infect computers with malicious code and seize control of them, freeing them
only after receiving a payment.
But this case was more than a surreptitious digital mugging.
The trespasser had ties to the Islamic State Hacking Division, a terrorist
cyber unit, and before it was over he’d put together a “kill list” for the
Islamic State with the identities of 1,351 U.S. government and military
personnel from the 100,000 names, credit card records and Social Security numbers
he’d extracted from the host server.
The hacker operated in a gray area where criminal and terror
interests blend messily to test malicious computer code, raise funds and
identify Western targets, and it raises fresh concerns for U.S. businesses hit by
cybercrime and for the government agents tasked with defeating it: If a
business tries to make a problem quietly disappear, it may effectively be
hindering government efforts to monitor terrorism. The need for collaboration
between business and government on internet security has soared, even as
distrust has risen between network managers and law enforcement.
The case of Ardit Ferizi, an ethnic Albanian who was raised
in Kosovo, is typical of hackers who “might act on behalf of a group but are
also doing it for their own profit, for criminal means,” said John P. Carlin,
the assistant attorney general for national security.
Ferizi’s case is also notable because his handiwork
generated one of the first “kill lists” issued by the Islamic State designed to
generate fear and publicity. FBI agents used the early list of U.S. military
and government employees to notify the targeted individuals. More recent lists
have included thousands of ordinary civilians and even U.S. Muslims the
terrorist group considers apostates.
Ferizi, 21, was extradited from Malaysia last autumn and has
been held by U.S. Marshals since then. On June 15, Ferizi signed a
plea agreement in Alexandria, Virginia, in which he admitted to providing
material support to terrorists and to computer hacking. He also signed a
statement of facts outlining details of that support.
It marked one of the federal government’s first successful
cyber terrorism cases in which an individual in custody admitted a link to a
foreign terrorist organization.
Ferizi’s story is gleaned from federal court records, and an
interview he once gave to Infosec Institute, a Chicago-based training center
for technology professionals that also does research on hackers.
A native of Gjakova in western Kosovo, Ferizi was largely
self-trained in computers. By his late teens had formed the Kosova Hacker’s
Security, a group with vague pro-Muslim objectives. He adopted the moniker
@Th3Dir3ctorY, and claimed that the group had hacked systems in Serbia, Greece,
Ukraine, France and the United States, including Microsoft’s Hotmail servers
and a research domain operated by IBM.
In early 2015, Ferizi traveled to Malaysia to study and “in
part to get better access to bandwidth” to carry out cyberattacks, Carlin said.
His tools? A Dell Latitude laptop, a second MSI laptop and
computer application known asDUBrute,
which allows a user to seize control of another computer remotely.
Ferizi had already established contact with Junaid
Hussain, a Briton who Carlin called “one of the most notorious cyber
terrorists in the world.” At the time, Hussain lived in the Syrian city of
Raqqa, the de facto capital of the Islamic State. A charismatic hacker of
Pakistani descent, Hussain had once run a collective, TeaMpOisoN, and had a
club of fanboys.
One day last August, a system administrator at the Illinois
company, which is not named in court documents, contacted the FBI about a cyber
ransom demand. Appealing to the feds for help was an unusual step.
“Most companies today pay the 500 bucks and go back to
business,” Carlin said at a June 28 forum at the Center for Strategic and
International Studies, a public policy and research group in Washington.
Cyber ransom demands have exploded, with hackers hitting
hundreds of businesses every day, encrypting hard drives and turning over the
decryption key only once a payment has been made. The FBI estimates such
attacks cost individuals and businesses $209 million in the first quarter of
“It’s grown extremely fast,” said Dan McNemar, director of
intelligence at Binary Defense Systems, a Hudson, Ohio-based company that helps
defend clients from cyberattack.
Yet those hit by the ransom attacks often are reluctant to
“Companies do see a lot of risk when they consider coming
out into the open about cyber incidents,” said Tristan Reed, a security analyst
at Stratfor, an Austin, Texas-based global security consultancy. He noted that
executives worry about reaction from shareholders and customers, and fear that
government agencies won’t keep the information confidential.
Ferizi’s attack, however, was serious. He had placed malware
on the company’s server that granted him “unfettered access to information”
there, including all customer data, FBI agent Kevin M. Gallagher said in an
Ferizi had scolded the company technician for trying to pry
his malicious malware off the server, warning him in a message Aug. 19 –
“please don’t touch my files!” – and signing off with a gleeful: “Greetings
from an Albanian Hacker!”
In a separate message, he demanded two bitcoins, a type of
encrypted digital currency, from the company in exchange for deleting his
malicious code. He included a hyperlink to a Wikipedia page on bitcoins in case
the administrator didn’t know what they were.
But Ferizi already had what he wanted. He’d spent the
previous two months gathering and culling information from the company’s
servers and passing the data to the Islamic State. According to Ferizi’s signed
“statement of facts” in his case, the hacker searched the server for email
addresses ending in “.gov” or “.mil,” indications that they belonged to
civilian government or military employees.
On Aug. 11, the ISIS cyber army leader, Junaid Hussain,
tweeted a link to a 30-page document containing vast details about
1,351 U.S. personnel, calling them “Crusaders” who were conducting a “bombing
campaign against the muslims.” He said followers would “strike at your necks in
your own lands!”
It was a coup for Hussain, but not one he’d live long to
A drone strike killed the British Islamic State hacker near
Raqqa on Aug. 24. At the time, Hussain is said to have ranked No. 3 on a U.S.
list of terror group members to be eliminated.
No direct link is publicly known between the drone attack
and his release of the “kill list.”
A member of one private company’s digital intelligence team,
who requested anonymity because he was dealing with terrorism, said of the
Islamic State: “Their capabilities are 1,000 times what they were four years
But Daveed Gartenstein-Ross, a counter-terrorism expert at
the Foundation for Defense of Democracies, said U.S. government cyber experts
are “orders of magnitude better” than Islamic State-linked hackers.
Reed, the Stratfor analyst, said many issues make it
difficult for companies to know whether intruders like the “Albanian hacker”
are linked to terrorist groups. Determining the provenance of an attack or a
digital ransom demand requires difficult forensics.
But since so much of public infrastructure in the United
States is owned by the private sector, including electric utilities, the
government and private businesses will find themselves needing to work together
“It’s actually critical to collaborate,” Reed said.
**Tim Johnson: 202-383-6028, @timjohnson4