The events of 11 September 2001 placed jihadi-inspired extremism at the forefront of counterterrorism policy. Legislation such as the USA Patriot Act of 2001 and the Homeland Security Act of 2002 bolstered the existing counterterrorism infrastructure by improving information-sharing and expanding powers for the law enforcement and intelligence community to investigate terrorism-related activities. Nearly 20 years later, jihadi-inspired extremism continues to pose a substantial threat to the homeland. According to recent data, jihadi-inspired extremists committed the third most attacks in the US from 2015 to 2019 and caused more deaths in those attacks than any other type of terrorist. Despite the warranted recent focus on far-right extremism, particularly after the 6 January insurrection at the US Capitol building, the threat of jihadi-inspired extremism is still present.
Though the physical acts of terrorism committed by jihadi-inspired extremists draw substantial attention from policymakers and practitioners, these extremists increasingly pose threats in online spaces as well. Recent incidents have demonstrated the capacity for jihadi-inspired actors to commit consequential cyberattacks. For instance, in 2017 a group named “Team System Dz” hacked government websites in Ohio, New York, and Maryland, displaying messages supporting Islamic State (IS) and threatening then-president Donald Trump. A more extreme incident involved the IS-affiliated CyberCaliphate group, which published a “kill-list” of 700 people online after acquiring the information from a hacker who stole it through a data breach. Such cyberattacks have profound ramifications, including the loss of money, privacy, time, and a sense of security.
It should not come as a surprise that jihadists are increasingly utilising the Internet as a means to cause damage to targets. Several prolific jihadist leaders, including Omar Bakri Muhammad, Ayman al Zawahiri, and even Osama Bin Laden have encouraged their subordinates and sympathizers to commit cyberattacks and cause economic harm to the United States. Cyberattacks are thought to divert financial resources away from the United States’ military operations in the Middle East. Additionally, the dollars spent on remediating a cyberattack via upgrades to cybersecurity and computer replacements can be extreme depending on the nature of the attack.
Scholars who study the Global Jihadist Movement (GJM) suggest the targeting of Western nations, particularly the United States, is a primary objective of the ideology. However, research has found that “anti-US” groups attack United States targets in less than 5% of physical terrorist attacks. In fact, most attacks were against domestic targets in the countries those groups operated in. In an offline setting, geography and convenience may influence jihadi target selection. These characteristics would likely not be as influential to jihadi target selection in an online space, as the physical distance between a hacker and a target is effectively meaningless. However, certain other factors may influence actors’ target selection with regard to websites and other online targets, such as their significance to the actor or the ease with which the target can be compromised.
Comparing Jihadi and Non-Jihadi Defacements
We studied the characteristics of jihadi-inspired defacements against US websites to determine how target features differ from those performed by non-jihadists. Defacements are a form of cyberattack in which a hacker takes control of a webpage to change the content of the website to any text or media of their choosing. This type of cyberattack is frequently used by ideologically motivated actors, as a website provides a platform to disseminate the attacker’s views and express their grievances publicly, while causing damages to their targets in the form of time and reputation. As a result, studying defacements is useful for gaining information on the characteristics of targets as well as the motivation of the defacer themselves.
Our data came from Zone-H, a service in which hackers self-report their defacements in order to take credit and gain notoriety amongst their peers. The site has logged defacements since the early 2000s and contains information on millions of defacements against websites worldwide. Using Zone-H, we drew a sample of 2,285,172 defacements affecting US IP addresses by 29,035 distinct actors. Of this sample, we classified approximately 24,561 defacements committed by 187 actors as jihadi inspired, based on specific terminology used in the defacer’s name or handle which would indicate a jihadist affiliation (e.g. ‘jihad’, ‘martyr’, or ‘ISIS’).
We found that, in comparison to other defacers, jihadi-inspired defacers were more likely to target websites with a URL ending in .org, but not websites affiliated with military (.mil) or government (.gov) targets. Jihadi defacers were also more likely to utilise known and unknown vulnerabilities to penetrate targeted systems. The use of unknown vulnerabilities indicates a degree of technical proficiency amongst these actors, since the attacker must have skill to both identify and utilise the correct exploit in the course of the attack. Further, jihadi defacers were less likely to use SQL attacks, which are one of the most common hacking methods used in defacements.
Jihadi defacers were no more likely to commit mass defacements, or defacements against multiple webpages at once, than they were to deface single webpages. This is logical if the value of a target is considered, as attacking a single high-value webpage would likely be more impactful than attacking multiple low-value webpages. Jihadists were also no more or less likely to target websites whose domains corresponded to other countries (e.g. .br for Brazil), suggesting that any targets in the global West were acceptable to jihadist defacers.
Developing our Understanding of Cyberterrorism
Overall, our findings on the frequency and characteristics of jihadi defacements mirror those of research on jihadi violence offline. The physical barriers of geography and convenience appear less important in cyberspace, as all hackers are essentially equidistant from any and all potential targets. With this sort of accessibility, we would presume that jihadi defacers would be actively targeting US-based sites in line with the explicit targeting objective of the GJM. However, defacements do not yield the same degree of public concern as, say, a data breach affecting a government database or a physical attack on a military outpost. Defacements, then, may simply be attempts to disseminate the GJM ideology as opposed to causing significant economic or physical harm. As a result, target selection may be less discriminate than in other forms of attack. We need more research on other forms of cyberterrorism to determine how the characteristics of jihadi defacements might compare.
Nonetheless, our study highlights the importance of studying ideological extremism in an online context. Researchers need to study cyberterrorism across the spectrum of ideological beliefs, and the degree to which they may vary in their technical expertise and targeting practices. By studying the online patterns of these ideological extremists, while also making direct comparisons with their respective offline activities, counterterrorism officials can develop a more thorough understanding of these ideologies and their modus operandi. Doing so will promote evidence-based, tailored policies that can effectively address the unique threat posed by each movement in online and offline spaces.