Tampa became the latest epicenter of cyber attacks as Twitter and YouTube accounts belonging to U.S. Central Command, headquartered at MacDill Air Force Base, were temporarily taken over by a group calling itself the CyberCaliphate, which claims to be aligned with the Sunni insurgent group Islamic State.
It remains unclear whether there is any connection between the group, being investigated by the FBI for hacking media websites in New Mexico and Maryland, according to The Associated Press. But the hacks appear to be fairly unsophisticated and officials say the hackers did not access any classified information or networks.
Before Centcom shut down the accounts for several hours, the hackers posted what Centcom officials say was unclassified information that included names and addresses of retired U.S. military general officers, PowerPoint slides about military operations in Asia and threats against U.S. military personnel.
The command, which oversees U.S. military operations in Iraq, Syria, Afghanistan and 17 other nations in the Middle East and Southwest Asia, is treating the incident as “cybervandalism.”
“Our initial assessment is that no classified information was posted and that none of the information posted came from Centcom’s server or social media sites,” according to a statement from the command. “Additionally, we are notifying appropriate (Pentagon) and law enforcement authorities about the potential release of personally identifiable information and will take appropriate steps to ensure any individuals potentially affected are notified as quickly as possible.”
Centcom restored the social media sites about 10 p.m. Monday.
The sites “reside on commercial, non-Defense Department servers” and both were temporarily taken offline “while we look into the incident further,” according to the statement. “Centcom’s operational military networks were not compromised and there was no operational impact to U.S. Central Command.”
“We are viewing this purely as a case of cybervandalism,” Centcom said. “In the meantime, our initial assessment is that no classified information was posted and that none of the information posted came from Centcom’s server or social media sites.”
The command said it would reach out to Pentagon and law enforcement authorities “about the potential release of personally identifiable information” and to those people potentially affected.
A Pentagon official told The Tampa Tribune that it appears the hacking was limited to Centcom. The hack did not appear to affect access to Centcom’s coalition partners or Centcom’s computer systems.
“There is no effect of signs of intrusion,” Col. Vitalii Nazola, Ukraine’s senior national representative to Centcom, told the Tribune. “Everything works as usual in my office. The networks seem to be working. We have access to some classified information and nothing seems to be affected.”
The hack did not affect the 6th Air Mobility Wing, MacDill’s host unit, according to 2nd Lt. Patrick Gargan, a wing spokesman. Nor has it affected U.S. Special Operations Command, also headquartered at MacDill, according to spokesman Ken McGraw.
Several retired general officers now living in the area told the Tribune they have little concern about the hack attack.
“I have no concerns,” said Michael Jones, a retired Army major general who served as Centcom’s chief of staff from 2010 to 2011. “It’s not surprising that people would want to hack stuff, but there shouldn’t be anything that’s not public information.”
Hector Pagan, a retired Army brigadier general who once served as deputy commanding general of the U.S. Army John F. Kennedy Special Warfare Center and School at Fort Bragg, said, “Whoever got the retired general officer data got something you can get from the Internet. The real issue is the increased vulnerability of our cyber infrastructure.”
All combatant commands are targets, he said.
“Centcom is probably at the top,” said Pagan.
❖ ❖ ❖
Sometime after noon, ominous messages began appearing on Centcom’s Twitter feed.
“In the name of Allah, the Most Gracious, the Most Merciful, the CyberCaliphate continues its CyberJihad,” read one of the tweets.
The site was filled with threats that said, “American soldiers, we are coming, watch your back.” Other postings appeared to list names and phone numbers of military personnel as well as PowerPoint slides and maps. The hackers titled the Twitter page “CyberCaliphate” with an underline that said “i love you isis.”
“We won’t stop! We know everything about you, your wives and children,” read another post.
Some Islamic State militant videos were posted on the YouTube site, purporting to show military operations and explosions.
However, the hackers didn’t attack everything. Centcom’s Facebook page was unaffected, as were at least two other Twitter accounts: Centcom Dari, the Dari-language site, and CENTCOMCGPAO, the Twitter account belonging to the public affairs advisor to Centcom commander Army Gen. Lloyd Austin III.
FBI spokesman Joshua Campbell said the bureau is investigating the breaches and is working with the Pentagon to determine the scope of the incident, according to The Associated Press.
❖ ❖ ❖
CyberCaliphate began to make its presence known last week, said Bob Gourley, the first director of intelligence at the Pentagon’s cyber defense organization and former chief technology officer for the Defense Intelligence Agency.
“I track the CyberCaliphate via open source tools,” Gourley told the Tribune. “I don’t know who they are but they seem to operate in western countries with good access to technology based on the fact that they are very active.”
Using a tool called RecordedFuture, which indexes more than 650,000 sources to track references to hacker groups, Gourley said the first reports about CyberCaliphate came a week ago, when The Columbia Journalism Review reported a hack against a Maryland station. Then on Jan. 7, PC magazine reported that a New Mexico newspaper as well as the Maryland TV station were hit by hackers who support Islamic State, Gourley said.
The hacks, said Gourley, do not appear to be the work of advanced cyberwarriors.
“Based on this short history and the style of attacks I am pretty sure this is not advanced hacking of any sort,” he said.
This was the second time a group with ties to the Middle East claimed a hack attack on Centcom. In March, the Syrian Electronic Army, aligned with the government of Bashar al-Assad, claimed to have hacked Centcom and, as with Monday’s attack, released information it said was classified. Gourley said that in both cases, the information was not classified.
Both Gourley and Sri Sridharan, managing director and chief operating officer of the Florida Center for Cybersecurity at the University of South Florida, offered advice about what Centcom should do now.
“I think the remediation is to give training to employees to prevent social engineering,” said Gourley, referring to methods used to obtain passwords by either chicanery, finding out who system administrators are then guessing what passwords they might use, or just guessing. “They could also add tools like Invincea to prevent phishing scams from getting a foothold.”
Sridharan said that “if I were Centcom, I would do a couple of things. One, I would be looking to make sure there was no malware or anything installed that may have penetrated the system and do more damage. And two, they are probably trying to make sure they know who did it and find the ways they managed to hack in.”