However, the alleged Islamic State Hacking Division has no evidence to back up its claims.
Image: Associated Press
On Friday, a self-proclaimed hackers' group called Islamic State Hacking Division (ISHD) boasted of breaching "several [US] military servers, databases and emails" and published a hit list of 100 US service members, along with their purported pictures and home addresses.
But as it turns out, what the hackers did was mostly Googling around and collecting information publicly available on the internet, as reported by The Daily Beast on Monday. Many service men and women's names, in fact, had actually been published by the Pentagon itself in self-promotional websites.
I reached out to the person who's behind the ISHD group, or at least the person who controls their online messaging accounts, which were published on their now-suspended Twitter account.
"l0l" the person said when I linked him The Daily Beast article. He declined to be named but simply said to refer to him as a member of ISHD. "Clearly whoever wrote that didn't read the leak," he said.
The member then went on to explain how the hack supposedly happened. But he refused to provide any evidence of it because he didn't want to lose access to breached servers, which he claimed to still have.
The Pentagon declined to comment for this story, but a US defense official told Motherboard that "there is no indication of a data breach from our systems."
"There is no indication of a data breach from our systems."
For the hack, he claimed to have scanned several US military (.mil) domains and found that "many of them" were using a specific outdated content management system (or CMS), which is essentially the backend system used to publish blogs (he declined to say which one).
Then, he said, he found a vulnerability in the code and exploited it to get access to the CMS, as well as some sites' servers and webmail servers where he found links to military databases containing the names of the 100 service men and women and many more that he said he plans to release in the coming weeks.
At that point, he admitted that he went to Google to search the names of the pilots that bombed some ISIS targets. "[I] found a bunch of names because the US media and military have big egos and like to brag and show off, then i searched the names in my compiled list, some where in the list and some wasn't [sic]," he said.
And while computer security experts say the explanation provided by the ISHD member makes sense at a technical level, it's unlikely that he found sensitive information on a military webserver.
The Pentagon likely separates and compartmentalizes information, according to Dan Guido, a security researcher and founder of the firm Trail of Bits, and only puts sensitive data on its internal networks that are not connected to the internet, such as SIPRnet or NIPRnet.
"A content management system is for running a blog, is for issuing press releases," Guido told Motherboard. "The information that's on a CMS is made to be public."
The ISHD might not even be actually affiliated with ISIS in the first place.
"ISIS might really have hackers, but if they do, they don't do propaganda."
"ISIS might really have hackers, but if they do, they don't do propaganda," Andrea Stroppa, an independent security researcher, told Motherboard, while noting that there's little or no evidence of any actual espionage campaign. "But they're getting organized to do espionage."
In fact, ISIS is believed to be behind a covert—and botched—cyberattack to expose the identities of activists in Syria who work against the militant group. Some cybersecurity experts believe that attack shows ISIS might really be developing some hacking skills.
But this case is probably different.
"It's really effective marketing," Guido said.
In any case, this supposed leak does raise some serious questions for the military, according to Ken Westin, a security analyst at the firm Tripwire.
"The use of enlisted names and other information in the media does not seem like a good idea," Westin told Motherboard.
And that's exactly what the ISHD member took advantage of.
"u know america it like to throw around this word 'OPSEC' [operational security] but in reality they have no opsec because they are a nation that likes to brag and boast," he wrote.
So while this is definitely not an act of cyberwar, revealing military members personal information could have real world consequences, and the Pentagon needs to be careful what it publishes in the name of promotion.