Evaluating the Physical Threat from UCC “Kill Lists”

In late September 2016, a Maryland man named Nelash Mohamed Das was indicted for attempting to provide material support to ISIS. This indictment was in connection with Das’s plans to attack U.S. military members, one of whom had appeared on a kill list published by pro-ISIS hackers in 2015. On October 9, the United Cyber Caliphate (UCC) published what the group referred to its “first official statement,” reaffirming the group’s allegiance to ISIS and pledging to continue publishing personally identifiable information for use in lone-wolf attacks.

Then on October 23, the group published another statement emphasizing the importance of “cyber jihad.” The UCC’s methods are low-tech and unsophisticated, and many of their kill lists are obtained from open sources, but this is probably of little comfort to those whose names appear on one of these kill lists. So how real is the physical threat posed by the UCC?

It is virtually impossible to predict lone-wolf attacks, but one of the ways we can frame and understand the kill list threat is to evaluate UCC’s ability to influence and incite attacks. There are a few data points that we can use to assist with that evaluation.

First, data from the UCC channels on Telegram, an encrypted messaging service, can help to understand the size of UCC’s audience for these lists.

Second, discussions around these lists that have taken place in ISIS Deep Web forums provide insight both into the popularity of the kill lists among this base of supporters as well as the ways in which they might take advantage of the information contained therein.

Third, Das’s plot is the only known case in which an individual has actively targeted someone named on one of these lists. Therefore, an analysis of his case provides further insight into the threat.

Leveraging Telegram

Telegram, paste sites where users can post anonymous messages, and file hosting services are the primary platforms through which the United Cyber Caliphate distributes information — including the group’s kill lists — from allegedly hacked databases.

Both Telegram and the paste sites record the number of views that each receives. Paste sites record these numbers in the form of page visits, and Telegram records each time a post is viewed.

In many cases, the pages on paste sites are disabled relatively quickly, so the page views do not provide a good indicator of the size of the audience. With Telegram, on the other hand, the posts are persistent until the channel is disabled or the post is deleted.

Furthermore, according to the Telegram FAQ, the view count on the original channel reflects the views from posts forwarded to other channels. This means that while we cannot account for the distribution of kill lists outside of Telegram, we do get a fairly accurate indication of the number of people viewing these posts in UCC’s official channel.

Flashpoint analysts have observed as few as several hundred views on UCC posts on the low end, and in excess of 6,000 on the high end.

Deep Web Influence

The discussions that these lists generate on the top tier ISIS Deep Web forums provide another indicator of UCC’s influence. The number of references to the lists tells us something about their relative popularity among this base of supporters, and the actual discussions provide insight into the ways in which supporters might seek to use the information contained within the lists themselves.

To date, Flashpoint has only observed three threads in which forum members actively discuss the UCC kill lists. Of those, only one author suggests acts of physical violence. In that example, the author states that he has advocated for making assassination operations a priority for the Islamic State, and suggests using the UCC lists for target selection.

In another thread, the reference to the kill lists was made in the context of a larger discussion about methods for carrying out lone wolf attacks. In this example, the user suggested sending powder to random people from the list, including civilians. The user notes that it will be difficult to obtain materials such as anthrax, but points out that even innocuous powders will promote panic and fear.

In the third example, the author suggests using the phone numbers in the lists to make harassing phone calls.

Historic Examples

Finally, we have Das’s case, which is the only known example of an individual actively seeking to target someone named on a kill list published by pro-ISIS hackers.

It is worth mentioning that this list was not published by the United Cyber Caliphate; however, a potential attacker is not likely to make that distinction, so it is still an acceptable case study.

According to the Department of Justice’s press release, Das expressed an interest in targeting US military personnel. Das sought to attack an individual whose name he obtained from a kill list containing personally identifiable information of military members, which was published in 2015. However, Das was ultimately arrested for attempting to carry out an attack against an individual whose information had been provided by an FBI informant, rather than a name obtained from the list.

Furthermore, before looking to the kill list, Das had published the information of an individual he believed was going to join the military, calling for attacks against that individual.

Ultimately, the DOJ release indicates that Das was adamant about attacking members of the military without concern for the source of the target. This is an important element to his case, because it tells us that it was Das’s desire to attack service members that drove him to the list in search of targets, rather than the publication of the list inciting him to act.

Likelihood of Attack

Although it is not possible for us to predict if or when the United Cyber Caliphate’s publication of kill lists might lead to a physical attack, all of this data suggests the probability of an attack inspired by these lists is low.

The view count on UCC’s Telegram posts tells us something about the scope of the audience. The upper limit that Flashpoint has observed on the view count is just over 6,000. Of that number, it is likely that only a small portion are either in the vicinity of someone named on a UCC kill list or willing to carry out an act of violence.

In addition, the lists of US military members and government employees receive the greatest number of views. This is consistent with expectations, as government and military targets typically hold higher value. The fact that UCC’s publication of kill lists has only generated three discussions on the top tier ISIS Deep Web forums, relative to the number of lists published, suggests a low degree of influence within the community.

Furthermore, it is more logistically feasible for ISIS supporters to use the phone numbers and addresses contained within the lists to harass those named therein, than to conduct assassinations. Finally, the DOJ report makes clear that Das was interested in attacking members of the US military before he found the kill list, and was not influenced by the list.

Final Notes

The real lesson here is that beyond changing passwords, organizations must rethink how personally identifiable information is exposed and made public over the Internet. UCC’s low skill and lack of sophistication are of little comfort to those named on a kill list, but they should serve as a red flag to organizations with regard to the ease with which this information is obtained.

A majority of UCC kill lists come from contact lists or other organizational data sets that are openly available on the Internet. In today’s cyber environment, in which information is increasingly weaponized, there is an increased need for awareness around the risk that exposed personally identifiable information poses to organizations, their employees, and stakeholders.