Islamic State hacker admits to hacking, sharing US military PII

A hacker who passed a list of US military personnel to so-called Islamic State (IS), knowing they’d use it to target those people in terrorist attacks, pleaded guilty on Wednesday and is facing the potential of a lengthy jail term.

Ardit Ferizi, a 20-year-old citizen of Kosovo who used the Twitter handle @Th3Dir3ctorY, pleaded guilty in a Virginia court to providing material support to IS, which is a designated foreign terrorist organization; to hacking a protected computer without authorization; and to stealing information.

According to a statement from the US Department of Justice (DOJ), this is the first case of its kind: one in which terror and cyber threats coincide.

Assistant Attorney General for National Security John P. Carlin:

The case against Ferizi is the first of its kind, representing the nexus of the terror and cyber threats. The National Security Division will continue to use an all-tools approach to combat this ever-evolving blended threat, and we will identify, disrupt and prosecute any individual who provides material support to ISIL [the Islamic State of Iraq and the Levant], no matter how they do so.

There’s no difference between cyber terrorists and other terrorists, the DOJ said, and the FBI won’t differentiate in tracking them down.

Assistant Director in Charge of the FBI’s Washington Field Office, Paul M. Abbate:

Ardit Ferizi launched a cyberattack to gain access to the identities of U.S. military personnel, which he shared with members of ISIL in an attempt to incite terror attacks.

No matter how a person supports a terrorist group like ISIL, whether on the battlefield or in the cyber world, the FBI will identify, disrupt and bring them to justice for placing lives at risk.

Malaysian authorities arrested Ferizi in October on behalf of the US.

He admitted to having gained administrator-level access to the server of an unnamed US company in June 2015. There, he got his hands on databases that had the personally identifiable information (PII) belonging to tens of thousands of the company’s customers.

Ferizi handed the customers’ PII over to ISIL member Junaid Hussain, aka Abu Hussain al-Britani: a British cyber-expert involved with IS who’s believed to have been killed in August 2015 by a US air strike.

After he got the list, which contained the PII of about 1,300 US military and other personnel, Hussain tweeted it to IS followers.

According to the DOJ, this is what the document stated, in part:

We are in your emails and computer systems, watching and recording your every move, we have your names and addresses, we are in your emails and social media accounts, we are extracting confidential data and passing on your personal information to the soldiers of the khilafah, who soon with the permission of Allah will strike at your necks in your own lands!

Ferizi admitted that he provided the PII to ISIL with the understanding that the terrorists would use it to “hit them hard.”

According to The Washington Post, this is what he said in court about his actions:

I don’t know myself why I did this. I still ask myself why I committed this crime.

Ferizi will face sentencing on 16 September. The maximum sentence for providing material support to a US enemy is 20 years, and the maximum for accessing a protected computer without authorization and stealing data is 5 years.

That adds up to a total possible maximum of 25 years in jail, though maximum sentences are rarely handed out.

Ferizi will be deported to Kosovo after he finishes his time in jail. He’ll be barred from re-entry to the country after that.