A Citizen Lab report released today says there's strong evidence that the Islamic jihadist group sent the phishing email in late November, but it's not conclusive.
"This bears little resemblance to anything we've seen from the usual suspects," said report co-author John Scott-Railton. "That, combined with who they are targeting … gives us pause and makes us think that maybe we're looking at ISIS malware."
If ISIS is responsible for the attempted attack on the citizen media group, it could mark an early warning sign that the group is embracing a new tactic in its fight to establish a caliphate.
Scott-Railton says that prospect should be "very concerning" for opponents of the Islamic State in Iraq and Syria, including humanitarian organizations, citizen media groups and Western governments. Canada is part of a U.S.-led coalition fighting ISIS in Iraq and Syria.
Scott-Railton, a research fellow with the Citizen Lab, based at the University of Toronto's Munk School of Global Affairs, says the group analyzed the malware and decided to publish the report to warn others of the potentially dangerous implant.
The malware posed an "extreme threat" to the safety of members of the targeted group, Raqqah Is Being Slaughtered Silently (RSS), he said.
How group targeted
The email sent by hackers was carefully worded to win the trust of the activists.
"It was clearly done by someone who knew how the group was going to interact and had a pretty good sense that the group would find it credible," said Scott-Railton.
Hackers pretended to represent a group of Syrians residing in Canada who were preparing a news report on life in the northern Syrian city of Raqqa, used as the de facto ISIS capital. It was a plausible alias since nearly 41,000 Canadians identify as Syrian.
"We are working with media because we believe in the importance of shedding light on the realities of life in Syria, and Raqqa in particular," the hackers wrote.
The email asked the citizens group to download a link containing its preliminary report and a map of Syria, asking them to check it for accuracy.
The activist decided not to click on the malicious link and instead sent it to an online safety group. The email later ended up in the hands of Citizen Lab analysts, who have spent years examining the use of malware in the Syrian conflict.
If the activist had clicked on the link, malware would have infected their computer and then emailed the attacker its IP address. Each time the activist turned on a computer, the hacker would receive IP information, with the malware essentially acting as a beacon to locate the individual.
Many members of Raqqah Is Being Slaughtered Silently are not publicly identified because of safety concerns. However, the beacon would have given the hackers enough information to locate the member in the region, which has few internet cafés, many of which are ISIS run.
A 'unique development'
A large part of the reason Citizen Lab analysts suspect ISIS of the attempted attack is that it was "not highly technical," unlike the ones they have seen over the years from supporters of the Syrian regime.
Nor does it fit with any of the characteristics of Syrian regime-related attacks, which tend to use malware that allows remote access of the target's computer.
ISIS also has clear motivation. The Islamist group has targeted Raqqah Is Being Slaughtered Silently in the past, reportedly kidnapping and killing members.
Recently, ISIS supporters said the group had set up CCTV cameras. One supporter said on social media that the system could be used to track down members of the citizen media group.
Amarnath Amarasingam, a post-doctoral student at Dalhousie University researching radicalization, says ISIS is obsessed with the image projected of it, particularly of Raqqa, the city it uses as a capital.
"It is a kind of unique development in how they control the message," said Amarasingam.
He says ISIS has attracted a number of foreign fighters from all walks of life, from graphic designers to computer scientists, so it's not surprising to see the Islamic State becoming cyber savvy.
Junaid Hussain, a British hacker who was jailed for stealing former U.K. prime minister Tony Blair's address book in 2012 and publishing it, is believed to have travelled to Syria to join ISIS.
Islamic State has expressed interest in electronic surveillance.
Last week, a post to a pro-Islamic State forum carried a proposal for a project that would task a team of computer experts with hacking into the caliphate's enemies, according to the SITE Intelligence Group.