Cyber Vigilantes & Hacktivists: Double-Edged Sword Against ISIS

Photo: gremlin/

Bottom Line: Cyber vigilantes and “hacktivists” increasingly fill the void left by governments in combating terrorist activity online. While such politically motivated non-state hackers are relatively effective at removing the presence of terrorist content, their continued operations could damage overall counterterrorism efforts by undermining intelligence operations –  say by taking down a website that the CIA or NSA is monitoring. By letting these groups run loose – if even for a noble cause – the U.S. risks undermining international norms of cyber operations among states by legitimizing the phenomenon of “patriotic hackers” used as proxies by governments engaging in deniable operations.


  • Despite the collapse of ISIS’s physical caliphate in Iraq and Syria, governments have struggled to effectively adapt and combat the group’s virtual caliphate, which centers on disseminating propaganda as a means of attracting new recruits or inspiring lone-wolf attacks.
  • ISIS’ online activities are beginning to reflect the organization’s gradual loss of territory and manpower. Official ISIS propaganda is down 90 percent compared to the group’s heyday in 2015, as tracked by Charlie Winter of the International Centre for the Study of Radicalisation and Political Violence. At the high point, the group was operating some 46,000 Twitter accounts, according to a Brookings report. Now, instead of publishing new, officially sanctioned ISIS material – through publications such as Dabiq or Rumiyah the terrorist organization is increasingly leaning on a decentralized network of volunteer media operatives, referred to as the munasirun, to preach, amplify and archive the ISIS worldview.
  • ISIS’ territorial losses have forced the group to adapt its virtual message. The group now tells would-be recruits to wage jihad from afar and not to travel to join the caliphate, as before.
  • U.S. Cyber Command’s Operation Glowing Symphony has sought to bring down the virtual ISIS caliphate by using offensive cyber capabilities to breach ISIS websites, block out members, and delete content such as battlefield videos. But the lasting success of such operations has remained difficult to achieve, as online ISIS content often reemerges elsewhere. Cyber Command also faces legal constraints that inhibit it from deleting ISIS content on servers in third countries without their knowledge. In October, former Secretary of Defense Ash Carter, who ordered Cyber Command’s first public operation against ISIS, wrote that he “was largely disappointed in Cyber Command’s effectiveness against ISIS.”

Chris Inglis, former Deputy Director of the National Security Agency

“In terms of countering the message that comes off of these sites, going after them and taking them down is part of a larger strategy, and you ought to use the traditional methods, which includes the infrastructure providers and governments. But also, you need to make sure that you are trying to put your own message out there so that you are offering an alternative to the hate and discontent or recruitment that might be taking place on these sites.”

Issue: Hacktivists such as those who identify themselves as part of the Anonymous collective have made strides in combating the presence of ISIS online. Unburdened by the law, interagency equities, diplomacy or highly centralized decision making, hacktivists present a crowd-sourced alternative for laying siege to the virtual ISIS caliphate.

Robert J. Bunker, Adjunct Research Professor, Strategic Studies Institute, U.S. Army War College

“Patriotic hackers linked to liberal democracies appear to be early adaptors to perceived threats, much more so than governmental agencies and internet-based corporations such as Twitter and Facebook. Such hacktivists went after Islamic State social media far earlier than [government] agencies during the response vacuum that existed. I think the rub is when we see actual government and corporate response being implemented—it is then that hacktivist impediment takes place.”

Matt Devost, former Special Advisor, U.S. Department of Defense

“Hacktivists targeting terrorist organizations might do so in a number of different ways, including distributed denial of service (DDOS) against websites, compromise and release of sensitive information, identification of social media accounts to submit for terms of service abuse (and thus disabling them), and removing the veil of anonymity for those hiding behind an alias or attempting obfuscation of their identity.  The tactics vary in effectiveness and, as with most things on the distributed networks, evolve into variations of whack-a-mole, with new sites and accounts replacing those that have been compromised.”

  • Founded in 2004, Anonymous is a loosely-affiliated network of hacktivists that engage in collective action against designated targets, which have included the U.S. government. Following the January 2015 Charlie Hebdo terrorist attacks, the group vowed revenge using the hashtag, #OpCharlieHebdo. Again after the November 2015 terrorist attacks in Paris, the hacktivist collective announced #OpISIS and #OpParis.
  • While the cyber operations against ISIS were announced by the main Anonymous collective, a number of splinter groups – namely, BinarySec, CtrlSec, and GhostSec – took the lead by engaging in distributed denial of service attacks against ISIS websites and disabling a reported 20,000 ISIS Twitter accounts. GhostSec, for example, claimed to have taken down or disrupted over 130 ISIS-affiliated websites and reportedly helped prevent a terrorist attack planned for July 2015 on a Tunisian market by sharing critical intelligence with a security company that then passed it on to the FBI.
  • Anonymous-affiliated hackers are not the only hacktivists targeting ISIS online. For example, a “patriotic hacker” known as “Jester” has been targeting terrorists over the web since 2010. In November, a supposed Muslim hacktivist group going by the name Di5s3nSi0N declared its desire to launch future cyber operations against ISIS under the campaign of #SilenceTheSwords. It already had breached the website of ISIS’s Amaq news agency, exposing a 2,000-email ISIS subscriber list.

Robert J. Bunker, Adjunct Research Professor, Strategic Studies Institute, U.S. Army War College

“Hacktivists can, at superficial levels, engage in account spamming, mock and taunt terrorist group members in posts, and notify social media providers of inappropriate content and flag it for removal. At more advanced levels, denial of service attacks can be launched, accounts can be seized via keyboard loggers, and websites compromised and defaced. Social engineering can also be utilized via hacktivists who pretend to be new potential recruits in chat rooms and attempt to penetrate terrorist networks of trust. Against technically unsophisticated terrorist groups, I see ‘crowdsourcing-derived counterterrorism’ somewhat effective initially, but it pretty quickly results in forced evolution taking place on the part of the terrorists. We then get into an action-reaction dynamic between dispersed networks in conflict, as groups such as ISIS then engage in their own retaliatory cyber attacks via planting viruses in their online sites and documents, for instance.”

Response: While hacktivists might provide limited assistance to governments in battling terrorist activity online, most cyber experts say they cause more harm than good. U.S. Cyber Command operations against the virtual caliphate are coordinated closely with other arms of the U.S. government as well as allied nations, so they know what is being monitored and should be left alone. Hacktivists could unwittingly interfere in intelligence efforts against terrorist organizations. Despite temporarily aligned interests, law enforcement may clamp down on hacktivists targeting ISIS online, or at least, watch them closely. For instance, The Daily Dot reported in 2015 that the FBI had put hacktivist Jerry Hammond of Anonymous on a terrorism watch list, citing a leaked document.

Matt Devost, former Special Advisor, U.S. Department of Defense

“A site that gets taken down might be under heavy surveillance or penetrated by law enforcement and other entities for intelligence collection, and their activities and efficiency could be impacted by hacktivist attacks.”

Robert J. Bunker, Adjunct Research Professor, Strategic Studies Institute, U.S. Army War College

“Hacktivists acting unilaterally against terrorist websites or file-sharing distribution, is of course, not anywhere near the same level as compromising top secret strategic intelligence, but it is in the same general vein of concern. Often, it is better to keep a website or distribution channel functioning – for the information it provides about its membership or terrorist planning – than it is to take it down. This becomes far more critical when active surveillance is taking place on imminent attacks being planned by terrorist cells against the U.S. homeland and those of our allies. The last thing we need at that point is the amateurs (e.g. the well-intentioned cyber vigilantes) to muck things up.”

  • The lack of accountable central control within these hacktivist networks often leads to erroneous actions where innocent social media accounts and websites are attacked base on the judgment of a few rogue individuals. Networked campaigns are prone to fragmentation and infighting, which leads to uncoordinated movements and fleeting interest.
  • The advantage of their uncoordinated attacks is that they beat the digital brush, and flush the networks out of hiding. A terrorist’s digital footprint is a window into a group’s logistics, power dynamics, locations and intentions. When hacktivists disrupt or compromise terrorist websites, it could force them into the light, as they quickly adjust to a new environment.

Chris Inglis, former Deputy Director of the National Security Agency

“There is an old saying that chaos generally generates more intelligence than it retards, and I mean that in a metaphorical sense. It generally stimulates communication and activity, and therefore the thoughtful intelligence collector is likely to get more from it than not. But you would have to be agile and on the front balls of your feet, which is why if you are sitting on a source over a long period of time, you prefer stability and say, ‘Nobody mess with the environment here, because I have this stable, reliable and enduring source.’ But increasingly, that is not the nature of the world. So I would say, first, in terms of cyber hacktivists, those things should not be encouraged, because it is unlawful. It is an inherently government act to engage in activities of that sort, and there are rules of necessity and proportionality that should govern it. But if it happens, it can be beneficial to the collection of intelligence, though tactically they might take a source or two or three off the table. In general, more noise generates more intelligence.”

Robert Dannenberg, former Chief of Operations for the CIA Counterterrorism Center

“The U.S. intelligence community remains enormously capable to conduct both offensive and defensive operations, especially when the target set is relatively unsophisticated in cyber, as is the case with most terrorist organizations. Suppose, for example, a ‘patriotic hacker’ disrupted a terrorist website that was an important conduit for the collection of foreign intelligence, or the manipulation or targeting of those accessing the website. Potentially, those patriotically motivated hackers could short-circuit critically valuable intelligence-collection platforms.”

Anticipation: A failure to clamp down on hacktivist groups – even when they target internationally agreed-upon threats such as ISIS – risks legitimizing the malicious cyber activity of adversarial states such as Russia, who often conduct deniable state-sponsored cyber operations under the guise of “patriotic hackers.” This could allow the Kremlin to continue to operate under the veil of hacktivism.

Robert Dannenberg, former Chief of Operations for the CIA Counterterrorism Center

“In general, this type of uncontrolled activity by unregulated or uncontrolled individuals or groups is far more likely to do harm than good. I think back to the case of the so-called ‘Jester’ hacker a few years ago. While seemingly motivated to do service for the U.S., his decision to hack the Russian Ministry of Foreign Affairs in 2016 likely did more harm than good, and certainly opened the door for retaliation by Russian ‘patriotic hackers’ against U.S. government targets.”

  • In June, when Russian President Vladimir Putin was asked about Russian state-sponsored hackers interfering in the 2016 U.S. elections, he easily brushed off the claims. “Hackers are free people, just like artists who wake up in the morning in a good mood and start painting,” Putin said in a press conference. “The hackers are the same. They would wake up, read about something going on in interstate relations and if they feel patriotic, they may try to contribute to the fight against those who speak badly about Russia.”
  • Russia has also leveraged such patriotic hackers in its cyber campaigns against Estonia in 2007, Georgia in 2008 and then during the annexation of Crimea in 2014.”

Robert Dannenberg, former Chief of Operations for the CIA Counterterrorism Center

“‘Patriotic hacking’ is illegal under U.S. law and is illegal in most western countries. In my opinion, it would be counterproductive in the long run for the U.S. to try and replicate the ‘patriotic hacking’ activities of Russia or China, for example. Better to encourage those with hacking skills to engage in ‘white hat’ defensive-oriented activities or, when engaging in reconnaissance of ‘hostile’ terrorist or other sites or targets, pass that information to the U.S. intelligence community. There is no shortage of fora or opportunities for those with computer skills to contribute to the efforts of the intelligence community to deal with cyber risk from terrorists or any other source.”

Levi Maxey is a cyber and technology analyst at The Cipher Brief. Follow him on Twitter @lemax13.


Share your point of view

Your comment will be posted pending moderator approval. No ad hominem attacks will be posted. Your email address will not be published. Required fields are marked *