Early this year, a group calling itself the "Cyber Caliphate" claimed responsibility for hacks into the Twitter accounts of The Albuquerque Journal and Maryland's WBOC 16 TV station. On its Facebook page, the group's message seethed with ISIS-inspired rage: "You'll see no mercy infidels. We are already here, we are in your PCs, in each house, in each office," the group wrote.
Within days, the group had also seized control of the U.S. military's Central Command Twitter account, posting the message "AMERICAN SOLDIERS, WE ARE COMING, WATCH YOUR BACK. ISIS."
The jarring hacks were widely seen as an effort by ISIS to rattle nerves inside the United States during the expanding U.S. military effort against the extremist group.
But a newly emerging theory suggests that the Cyber Caliphate—which suddenly appeared on the international scene last fall—is not what it appears to be. And it may not be associated with the so-called Islamic State at all.
According to experts at the cybersecurity firm iSight Partners, Cyber Caliphate is likely what spies call a "false flag" operation—set up to appear as if it is representing one side in a conflict, but actually working on behalf of someone else.
What's more, iSight says it believes the "Cyber Caliphate" is actually operated by a group of Russians—not ISIS sympathizers.
"From the very outset we were skeptical of them being associated with ISIS," said Joseph Gallop, the head of the "hacktivism" practice at iSight Partners. "Then we began to see the technical indicators to demonstrate that resources were shared between Cyber Caliphate and the group we call the 'Tsar Team.'"
Those indicators lead iSight to conclude that the Russian hacking entity is either the same group operating the "Cyber Caliphate" or is sharing office space with it.
Gallop said there were several details that made it clear ISIS is not in control of the Cyber Caliphate, including that specific Internet accounts tracked by iSight were used to purchase infrastructure that has been used by both the Caliphate and Tsar teams. The firm also spotted command and control server infrastructure shared between Tsar Team and Cyber Caliphate. "We're highly confident that these groups are related," said Brian Bartholomew, iSight's senior intelligence analyst.
The conclusion that the Cyber Caliphate is not run by ISIS is shared by the State Department, which questioned the Caliphate's provenance in a recent report that was detailed by The Washington Free Beacon website.
Authors of the report by the State Department's Overseas Security Advisory Council could not find any links between ISIS and the Cyber Caliphate. "Although Cyber Caliphate declares to support ISIL, there are no indications—technical or otherwise—that the groups are tied," the report said, according to the Free Beacon. ISIS is also known as ISIL.
Bartholomew and Gallop say their theory is that the Cyber Caliphate grew out of a hack into the Warsaw stock exchange in October—an attack conducted by hackers using ISIS-type rhetoric. The hack came just before the Polish government said it was moving troops to the border in response to Russian activity in Ukraine, and it seemed to iSight that Russian hackers might be sending a subtle message to the Poles. After that, the idea of using jihadist cover to undertake Russian hacking could have taken hold in Moscow, the researchers said. "They maybe realized how effective they could be in doing that, and in November decided to put the 'Cyber Caliphate' label on it," Bartholomew said.
The iSight team said they don't know whether the groups are operated by the Russian government, Russian criminals, or some other type of Russian entity. "At a minimum, they are connected within some overarching organization," Bartholomew said.
But why would Russians of any type want to operate a fake jihadist hacking operation? Bartholomew said he thinks the ISIS cover gives the Russian hackers freedom to spread propaganda designed to weaken Western governments and also test hacking techniques that could be used in any broader future cyberwarfare.
It's not clear whether U.S. intelligence has come to the same conclusion about who's running the Cyber Caliphate. A spokesman for the director of National Intelligence declined to comment to CNBC.
But even if U.S. intelligence also concluded that Russia was to blame, it could be counterproductive for the U.S. government to publicly say what it knows. Doing so could reveal American cybersecurity sources and methods, and it might cause the Cyber Caliphate to vanish at a time when watching it may yield more valuable intelligence. So far at least, the Cyber Caliphate activity is seen as tantamount to Internet vandalism, not nearly as severe as the Sony hack that compelled U.S. policymakers to publicly identify the North Koreans. That may make disrupting the group less important in U.S. eyes than watching and learning about Cyber Caliphate—whoever is behind the mysterious group.