The federal workforce, already shaken by a massive cybertheft of personal data, now confronts another reality – ISIS has some of that same information.
Ardit Ferizi, 20, from Kosovo, was in federal court last week on charges he provided the brutal terrorist organization names, email addresses, passwords and locations of federal employees and military members.
It’s worth noting up front the number of people whose information was stolen for ISIS is small — 1,351, compared to the 21.5 million people whose background security clearance data was poached in the cybertheft announced last year.
Also, there is no reported harm — physical, financial or otherwise — to the cyber victims from ISIS. The FBI’s criminal complaint against Ferizi, however, paints a frightening picture of what the terrorist group, aka ISIL, planned for that information. More broadly, this case, like the Malheur National Wildlife Refuge occupation, is another indication of the particular threat federal government personnel and workplaces face from extremists, foreign and domestic.
“Specifically, the PII (personally identifiable information), stolen by Ferizi was knowingly provided to ISIL to be used by ISIL members and supporters to conduct terrorist attacks against the US government employees whose names and locations were published,” according to the document filed in federal district court in Alexandria by FBI Special Agent Kevin M. Gallagher.
It’s one thing if a cyber identity thief goes on a Best Buy shopping spree at your expense. It’s quite another if your personal information is obtained by those who practice mass murder.
This has to raise concern for public servants who must trust their employer to safeguard their information, despite serious indications that Uncle Sam, as well as many in the private sector, really can’t be trusted in that department. No one is safe. In October, a teenager claimed responsibility for hacking the private AOL email account of CIA Director John Brennan. The New York Post said the account held his security clearance information, including family Social Security numbers.
Last month, the White House outlined the measures the Obama administration is taking to strengthen cyber protections, including stronger authentication for computer systems, increasing scans for compromise and tightening practices for privileged users. Also, OPM has created the position of senior cyber adviser to help cut the risk of future intrusions. In October, the White House released its plan to modernize federal cybersecurity.
The complaint by Gallagher, formerly an independent contractor for two intelligence agencies, says Ferizi stole the information from the computer server that hosts the website of an unnamed business, referred to as “Victim Company.” Little was revealed about the firm, except it is a retailer “that sells goods via the Internet to customers in multiple states.” The server is located in Phoenix, but Gallagher noted that some theft victims live in the Eastern District of Virginia, which includes an area from the District’s suburbs to Richmond and the Hampton Roads region. This part of the state probably was cited because it’s the jurisdiction of the district court.
Ferizi allegedly stole personal information belonging not to just federal employees and service members, but to about 100,000 people in total, according to Gallagher. But the suspected intended use of the government personnel data is chilling.
Sometime between June 13 and August 11, 2015, Ferizi provided the personal information “to ISIL, intending it to be used by and for ISIL, and knowing that ISIL would use the PII against the US personnel, including to target the US personnel for attacks and violence,” the complaint reads.
On August 11, Junaid Hussain, “a known ISIL member” who received stolen information from Ferizi, reposted an Islamic State Hacking Division tweet, according to the FBI. The tweet linked to a 30-page document with a warning to the “Crusaders:”
“We are in your emails and computer systems, watching and recording your every move, we have your names and addresses, we are in your emails and social media accounts, we are extracting confidential data and passing on your personal information to the soldiers of the khilafah, who soon with the permission of Allah will strike at your necks in your own lands!”
The following 27 pages in the document listed the names, email addresses and passwords, locations and phone numbers for U.S. personnel, according to the FBI. The complaint says the Islamic State Hacking Division, which the FBI says is linked to Ferizi, posted a “Kill List” in March that purportedly included the names and addresses of 100 U.S. service members.
Ferizi was arrested in Malaysia last year. Using the handle Th3Dir3ctorY, he led an Internet hacking group of ethnic Albanians called Kosova Hacker’s Security (KHS), the FBI said.
KHS has hit government and private websites in Israel, Serbia, Greece and Ukraine. The group claims it has hacked more than 20,000 websites, including Interpol, the international police organization, IBM research and Microsoft’s Hotmail, according to the complaint. KHS also claimed responsibility for having posted more than 7,000 Israeli credit card numbers in January 2012.
When five top administration officials announced new measures for background investigations several days ago, they said “we are committed to protecting the security of not only our systems and data, but also the Personally Identifiable Information of the people we entrust with protecting our national security.”
Is that a commitment they – or anyone – can keep?