Menu
Browse

Cyber Threat Actor: Islamic State Hacker

Actor Type Location Known Incidents
 Icon
Terrorist
China
1 incident
Profile

The threat actor known publicly as the Islamic State Hacker operates under that alias and has been linked to activities originating from China, according to the limited open‑source reporting available. The group claims affiliation with the Islamic State militant organization, using names such as “Abdellah Elmaghribi” and “Moroccan Wolf” and branding itself as “ISLAMIC STATE HACKERS (El Moujahidine)” in its communications. No public evidence ties the actor to a state sponsor or a broader criminal consortium; the attribution rests solely on the group’s own statements and the thematic content of its attacks.

Targeting observed in the reported incidents includes diplomatic and educational sectors, with attacks occurring in Belarus and China. The 2015 defacement of the Turkmen embassy website in Minsk aimed to display a masked individual holding a firearm and to post messages in English and Russian declaring the site “hacked” and serving the regime, indicating an intent to disrupt diplomatic online presence and propagate extremist rhetoric. The 2016 compromise of Tsinghua University’s web portal for teachers and students featured a photograph and audio supporting jihad, accompanied by the English statement “Everything is OK in the end. If it’s not OK, then it’s not the end,” showing a similar goal of ideological dissemination and service interruption rather than financial gain or espionage.

The actor’s tactics, techniques, and procedures, as described in the sources, consist primarily of website defacement accompanied by multimedia propaganda. The attacks involved altering web content to display extremist imagery and audio, and posting textual messages in multiple languages. No specific malware families, exploit kits, or initial access vectors are mentioned in the available material, so the observed TTPs are limited to basic web‑site modification and the upload of propaganda files.

Notable operations attributed to the Islamic State Hacker include the April 2015 Turkmen embassy website defacement in Belarus and the January 2016 Tsinghua University website compromise in China. Both incidents were publicly reported, involved claims of Islamic State affiliation, and resulted in the temporary inaccessibility of the targeted sites while serving as platforms for jihadist messaging. These cases represent the only concrete examples of the actor’s activity documented in the open source record.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
1 source