Cyber Incident Victim: Solar UK Ltd
Date:
Jan 2016
Location:
United Kingdom
Summary
A small UK-based solar energy firm with 11 employees was targeted by hackers affiliated with the Islamic State group, identifying as the Caliphate Cyber Army. The attackers compromised the company's website, replacing it with their propaganda material for approximately two and a half hours, claiming retaliation for a drone strike that killed a prominent extremist. The intrusion was traced to an IP address in Kuwait, with the hackers later featuring the breach in a propaganda video alongside other cyberattacks and violent content. The victim organization lacked robust security measures as it did not handle sensitive financial data, and investigators believe automated scanning tools exploited a specific vulnerability to identify the target. Following the incident, the company enhanced its cybersecurity defenses.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around January 31, 2016, Solar UK Ltd, an 11-employee solar energy firm based in Battle, Sussex, experienced a cyber attack that resulted in its website being defaced and temporarily disabled. The attackers, identifying themselves as the Caliphate Cyber Army (CCA) and operating in support of the Islamic State group, replaced the company’s website content with propaganda material. The group claimed the attack was retaliation for a U.S. drone strike in Syria that killed Junaid Hussain, a British hacker affiliated with IS who had played a significant role in radicalizing recruits and coordinating cyber operations. Solar UK co-founder Duncan Lee discovered the breach when the website became inaccessible, initially dismissing it as a routine hacking incident. The company had no prior indication of being targeted and maintained minimal cybersecurity measures due to its small scale and lack of sensitive customer data such as payment information. The website remained offline for approximately two and a half hours before normal operations were restored.
The broader significance of the attack became apparent days later when a Sunday Times reporter alerted Mr. Lee that Solar UK’s breach had been featured in a CCA propaganda video released after the incident. This video showcased the company as the eleventh entry in a list of claimed cyber attacks against Western entities, alongside graphic content including beheadings. Forensic analysis traced the offending IP address to Kuwait, though no definitive attribution was established beyond the CCA’s public claim. Mr. Lee speculated that automated scanning tools had identified Solar UK’s website as vulnerable during indiscriminate internet trawling, rather than through deliberate targeting of the firm’s operations. The attack caused no direct financial losses or data compromises but prompted the company to enhance its cybersecurity posture as a precautionary measure. Publicity surrounding the incident generated media attention due to its connection to international terrorism, though Mr. Lee downplayed concerns about physical threats to staff, stating the situation seemed "ridiculous" given the company’s non-strategic profile. No further cyber incidents targeting Solar UK were reported following the implementation of improved security protocols.