A group calling itself the Islamic State Hacking Division this week posted online a purported list of names and contacts for Americans it refers to as “targets,” according to officials.
Though the legitimacy of the list is questionable, and much of the information it contains is outdated, the message claims to provide the phone numbers, locations, and “passwords” for 1400 American government and military personnel as well as purported credit card numbers, and excerpts of some Facebook chats.
“We are extracting confidential data,” the message says, “and passing on your personal information to the soldiers of the khilafah, who soon with the permission of Allah will strike at your necks in your own lands!”
Many of the phone numbers and email addresses on the list were not in service, when tested by CNN. But one person on the list, reached by phone, confirmed that he had previously served in the U.S. military. He asked not to be named, but said he had recently been notified by the Pentagon that his name and personal information were on the list. Another, reached by email, confirmed that she was a government employee who has been warned by the military about being on the list.
Several online terror trackers were unable to confirm whether the list actually came from ISIS. The FBI and Pentagon both say they are investigating.
“I take it seriously, because it is clear what they are trying to do,” said Gen. Raymond Odierno, the U.S. Army Chief of Staff. But he questioned whether the list had actually been obtained by sophisticated militant hacking. “This is the second or third time they’ve claimed that,” he said. “The first two times, I’ll tell you, whatever lists they got were not taken by any cyberattack.”
One online security analyst, Troy Hunt, agrees that the information does not appear to have been obtained by a hack that penetrated government databases. According to his analysis, it may have been compiled simply by surfing the Web.
“It’s an amalagamation of data that has been scraped from multiple places,” he said, “and most of it is publicly discoverable, too.”
“I doubt that it has come from anyone with any strong capability,” he said. “And it probably hasn’t even come from ISIS itself. It has all the hallmarks of a typical hacktivist.”
Pentagon spokesman Lt. Col. Jeffrey Pool cautioned that many of the military email addresses looked at least several years old, based on their suffixes. Still, he said, shortly after this list was posted, a reminder went out to service personnel that they should limit the personal information they put on social media.
“If any of your information on it is accurate, you’re very concerned,” said former Homeland Security adviser Fran Townsend, “as are government officials.”
The group calling itself the Islamic State Hacking Division has once previously put out a list of around 100 purported names, with personal information, saying they were American military personnel.
Matthew Levitt, of the Washington Institute for Near East Policy, believes that those posting these lists are trying to spark lone-wolf style attacks in the United States like the ones in Garland, Texas, and Chattanooga, Tennessee, in recent months.
“Even if this is not so advanced,” he said, “they are continuing that message: You don’t have to come to Syria and Iraq, you can stay where you are, do something where you are.”
“It also does really freak out U.S. government military and law enforcement personnel,” he said. “It certainly does create a further sense of threat.”