Behind the ISIS Hack of the U.S. Army

The CENTCOM hack could indicate the U.S. army upholds a surprisingly lax security regime in the face of Islamic State, an enemy that's as smart as it is brutal.

Islamic State hackers claimed on Monday to have hacked the Twitter and YouTube accounts of the United States central military command (CENTCOM) and posted what they said were stolen military documents on the Internet.

It is unclear at this stage whether the hackers were indeed members of ISIS, sympathizers of the fanatical Islamic organization or simply cyber-vandals claiming allegiance where none exists. It doesn’t really matter; the military’s social media accounts were hacked and if one group of hackers managed to do it others could as well.

More to the point is whether the stolen documents were indeed confidential and originated from servers on military networks or whether they had been released previously and were publicly available. Initial indications were that virtually all the documents were already available online.

It’s important to bear in mind that the accounts that were hacked were social media accounts managed not by the U.S. military but by external companies – in this case, Twitter and YouTube. (There have been reports that CENTCOM’s Facebook account was hacked as well, but that has not been verified.)

In other words, CENTCOM was not responsible for the security of the accounts. At most, the CENTCOM account administrators were guilty of negligence in using the accounts or managing the users.

Social media accounts are rarely linked to operational corporate or organizational networks. In other words, the hacking of a social media account will rarely provide access to the operational network where the real damage can be done. There is no indication that military security was breached in the cyber-attack.

That said, the hack could point to one or more potential weaknesses, particularly if the users whose credentials were in all likelihood stolen in order to carry out the attack also have access to the CENTCOM network. To understand how that could happen, it’s necessary to look a little deeper into the attack itself.

There are several ways in which the CENTCOM Twitter and YouTube accounts could have been hacked. The most likely scenario is that it began with what is called a targeted spear phishing attack, which was able to elicit credentials for the social media accounts.

It’s probable that we’ve all been the targets of spear phishing, though we may not always be aware of it. Spear phishing takes the form of those emails we’ve all received that purport to come from reputable companies (such as Google or Facebook) and ask you to reset your password, verify your credit card number or provide other confidential information.

That information can then be used to illegally access accounts, make purchases, steal your identity and so on.
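The lures described above share a few detectable traits: a display name that borrows a well-known brand while the actual sending domain belongs to someone else, a visible link that shows one domain while the real href points somewhere else, and pressure to act on a password "now". The following Python script is an added example for this article, not code from the original piece or from CENTCOM; it runs three such checks over two constructed sample messages (one lure, one benign). The brand allow-list and the sample addresses and domains are invented for the example, and the registrable-domain helper is deliberately crude (last two labels only).

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a password-reset lure. The display name says "Google",
# the sending domain does not, and the link text and href point at different domains.
SAMPLE_LURE = """\
From: "Google Accounts" <security-alert@mail-google-accounts.example>
Reply-To: verify@mail-google-accounts.example
To: admin@example.mil
Subject: Urgent: verify your password within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended. Please reset your password now:</p>
<a href="http://accounts.google.com.mail-google-accounts.example/reset">https://accounts.google.com/reset</a>
</body></html>
"""

# Constructed sample: a benign notification from the brand's real domain.
SAMPLE_BENIGN = """\
From: "Google" <no-reply@accounts.google.com>
To: admin@example.mil
Subject: Your monthly summary
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Here is your monthly summary. Review your settings at
<a href="https://accounts.google.com/settings">https://accounts.google.com/settings</a></p>
</body></html>
"""

# Constructed allow-list: brands the organisation expects mail from and the domains they use.
KNOWN_BRANDS = {"google": {"google.com"}, "facebook": {"facebook.com"}}

# Phrases typical of credential lures.
URGENCY_WORDS = ("urgent", "suspended", "within 24 hours",
                 "verify your password", "reset your password")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registered-domain guess: the last two labels. Fine for the example, not for .co.uk-style suffixes."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def phishing_indicators(raw):
    """Return a list of human-readable indicators found in the raw RFC 5322 message (empty if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    indicators = []

    # 1. Display name impersonates a known brand, but the sender domain is not that brand's.
    display_name, addr = email.utils.parseaddr(str(msg["From"] or ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    for brand, domains in KNOWN_BRANDS.items():
        if brand in display_name.lower() and registrable(sender_domain) not in {registrable(d) for d in domains}:
            indicators.append(f"display name claims '{brand}' but sender domain is {sender_domain}")

    # 2. Visible link text shows one domain while the href points at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    collector = _LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        shown = re.fullmatch(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?", text.lower())
        if shown and registrable(shown.group(1)) != registrable(href_host):
            indicators.append(f"link text shows {shown.group(1)} but points at {href_host}")

    # 3. Urgency / credential-lure wording in subject or body.
    text = (str(msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        indicators.append("lure wording: " + ", ".join(hits))
    return indicators


if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, phishing_indicators(sample))
```

Checks like these belong at the mail gateway or in a user-facing "report phishing" workflow; they are heuristics, so a hit should raise the message for review rather than silently drop it.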

One successful spear phishing attack on a CENTCOM social media administrator could have been sufficient for the hackers to gain a password and post their gloating messages (“American soldiers, we are coming, watch your backs. ISIS”) on the CENTCOM accounts.

More ominous would be if the hackers followed up their phishing with what is known as a RAT malware attack. Remote Administration Tool (RAT) – sometimes also called Remote Access Trojan – malware is software that is downloaded surreptitiously to a user’s PC and allows the “operator” to observe or even control everything that is happening on the target device.

If the stolen documents turn out to have originated on the CENTCOM network, rather than on the user’s PC, say, it’s very likely that RAT malware was used. In that case, it could indicate that the U.S. army has been grossly negligent in not taking even the most basic security measures – separate computers for social media that aren’t connected to the operational network and two-factor authentication – i.e. user authentication that relies on a second factor (PIN, physical card, number etc.) in addition to a password.

At the very least, the CENTCOM hack was embarrassing to the U.S. army, which hastened to take down the affected accounts. But it could also indicate a surprisingly lax security regime in the face of an enemy which is as smart as it is brutal.