Those indicators lead iSight to conclude that the Russian hacking entity is either the same group operating the "Cyber Caliphate" or is sharing office space with it.
Read MoreFireEye's CEO and the meaning of 'basically'
Gallop said there were several details that made it clear ISIS is not in control of the Cyber Caliphate, including that specific Internet accounts tracked by iSight were used to purchase infrastructure that has been used by both the Caliphate and Tsar teams. The firm also spotted command and control server infrastructure shared between Tsar Team and Cyber Caliphate. "We're highly confident that these groups are related," said Brian Bartholomew, iSight's senior intelligence analyst.
The conclusion that the Cyber Caliphate is not run by ISIS is shared by the State Department, which questioned the Caliphate's provenance in a recent report that was detailed by The Washington Free Beacon website.
Authors of the report by the State Department's Overseas Security Advisory Council could not find any links between ISIS and the Cyber Caliphate. "Although Cyber Caliphate declares to support ISIL, there are no indications—technical or otherwise—that the groups are tied," the report said, according to the Free Beacon. ISIS is also known as ISIL.
Bartholomew and Gallop say their theory is the Cyber Caliphate grew out of a hack into the Warsaw stock exchange in October—an attack conducted by hackers using ISIS type rhetoric. The hack came just before the Polish government said it was moving troops to the border in response to Russian activity in Ukraine, and seemed to iSight that Russian hackers might be sending a subtle message to the Poles. After that, the idea of using jihadist cover to undertake Russian hacking could have taken hold in Moscow, the researchers said. "They maybe realized how effective they could be in doing that, and in November decided to put the 'Cyber Caliphate' label on it," Bartholomew said.
Read MoreCybersecurity stocks hit high; Goldman sees more
The iSight team said they don't know whether the groups are operated by the Russian government, Russian criminals, or some other type of Russian entity. "At a minimum, they are connected within some overarching organization," Bartholomew said.
But why would Russians of any type want to operate a fake jihadist hacking operation? Bartholomew said he thinks the ISIS cover gives the Russian hackers freedom to spread propaganda designed to weaken Western governments and also test hacking techniques that could be used in any broader future cyberwarfare.
It's not clear whether U.S. intelligence has come to the same conclusion about who's running the Cyber Caliphate. A spokesman for the director of National Intelligence declined to comment to CNBC.
Read MoreCybersecurity ETF benefits from hack attacks
But even if U.S. intelligence also concluded that Russia was to blame, it could be counterproductive for the U.S. government to publicly say what it knows. Doing so could reveal American cybersecurity sources and methods, and it might cause the Cyber Caliphate to vanish at a time when watching it may yield more valuable intelligence. So far at least, the Cyber Caliphate activity is seen as tantamount to Internet vandalism, not nearly as severe as the Sony hack that compelled U.S. policymakers to publicly identify the North Koreans. That may make disrupting the group less important in U.S. eyes than watching and learning about Cyber Caliphate—whoever is behind the mysterious group.