#OpIsrael Campaign – April 7, 2015: Cyber Intelligence Review

Background

This is the third round of the anti-Israel cyber campaign called #OpIsrael. The hacktivists are highly motivated to attack Israel, and they have been gradually building their campaign infrastructures on social media networks. Many have been posting videos with threatening messages in the leadup to April 7. AnonGhost, which is behind the campaign, has announced that it will cooperate with three anti-Israel groups known from previous campaigns: Fallaga, MECA (Middle East Cyber Army), and Anon Official Arabe.

Official announcement from AnonGhost on future cooperation
Official announcement from AnonGhost on future cooperation

Most of the social media discussions about the campaign are taking place in the Middle East, North Africa, Southeast Asia, Western Europe, and the United States (the attackers appear to be using proxy services). In addition, during March 2015 the number of Twitter tweets about the campaign increased by hundreds per day. Nevertheless, it is important to note that during the campaign, there will likely be several thousand or even tens of thousands of tweets a day, as was the case during previous campaigns.

Increase in the number of tweets about #OpIsrael per day in March 2015
Increase in the number of tweets about #OpIsrael per day in March 2015

Prominent Participants

At the time of writing, the number of participants is about 5,000. The most prominent groups in the campaign are from North Africa, the Middle East, and Southeast Asia. Groups of hackers from South America, such as Anonymous Chile and Anon Defense Brasil, and hackers affiliated with Anonymous have also expressed support for the campaign. We have not yet seen evidence of active involvement or public support for the campaign by cyberterrorist groups.

Attack Targets

The attack targets recommended by those participating in the campaign are government websites, financial websites such as the Tel Aviv Stock Exchange’s or the Bank of Israel’s, academic websites, telecom websites, and media websites. These lists are familiar from previous anti-Israel campaigns.

In addition, AnonGhost and Fallaga leaked a list of hundreds of telephone numbers of Israeli officials from an unknown source to point out potential targets for anti-Israel text messages or phishing attacks, such as those that took place during #OpSaveGaza.

Post from AnonGhost threatening to send messages to Israeli telephone numbers
Post from AnonGhost threatening to send messages to Israeli telephone numbers

Attack Tools

The attack tools we have identified so far mostly appear in lists that include links for downloading the tools. Most of these lists are well-known from previous anti-Israel campaigns. However, we identified several unique self-developed tools created specifically for the campaign:

  • AnonGhost DDoS – A DDoS tool developed by AnonGhost, which initiated the campaign.
  • LOIC Fallaga – A DDoS tool developed by Fallaga. This tool was developed for an anti-Israel hacktivist operation that took place on March 20 of this year, but we expect that hacktivists will use it in the #OpIsrael campaign as well.

How Hackers Use Social Media Networks to Put Your Organization at Risk

SenseCy’s teams monitor underground and password-protected forums and communities in many languages – Russian, Arabic, Persian, Chinese, Portuguese, English, and more. By gaining access to the Deep Web and Darknet, we identify suspicious activity and new hacker tools and enable our clients to mitigate or eliminate cyber threats.

Hacker communities on social networks continue to evolve. More and more communities are creating Twitter accounts as well as pages and groups in popular social networks such as Facebook and VKontakte (a Russian social network) to share information, tools, and experience.

In the past, hackers came together on social networks to hold operational discussions, share targets, and join forces for DDoS attacks, but less to upload or download hacking tools. Since this is changing, we are now monitoring hacking tools offered for download on Twitter, Facebook, and VKontakte.

Source code published on Twitter
Source code published on Twitter

These hacker communities can be classified into three main categories:

  1. Open public groups and accounts that make common, well-known tools available.

    Open Facebook group of well-known Arab hackers
    Open Facebook group of well-known Arab hackers
  2. Closed, secret groups sharing rare or sector-related tools or programs in a specific language.

    Secret Facebook group from Southeast Asia
    Secret Facebook group from Southeast Asia
  3. Groups sharing or even selling self-developed tools.
    Facebook post in closed Asian hacker group
    Facebook post in closed Asian hacker group

    A prominent example is the self-developed DDoS tool created by hacker group AnonGhost for the #OpIsrael cyber campaign, which is expected to take place on April 7, 2015. This tool uses three flooding methods, TCP, UDP, and HTTP and can operate through a proxy if needed. AnonGhost posted its new tool on its official Facebook page with a link to a tutorial on YouTube, and soon it was widely distributed among hacktivists through social media.

    From AnonGhost's official Facebook Page
    From AnonGhost’s official Facebook Page

    We regularly monitor trends and developments in social networks, since they are becoming the preferred platform for groups of hackers to share and improve attack tools. SenseCy also takes part in these communities, which gives us the edge in preventing attacks in real time. We continue to track new trends and developments to detect cyber threats for our clients.

Al-Qaeda’s Electronic Jihad

Al-Qaeda (AQ) announced on its official video that they have established a new branch, Qaedat al-Jihad al-Electroniyya that will be responsible for performing electronic jihad under the command of AQ member Yahya al-Nemr. According to our research, his deputy is another AQ member, Mahmud al-Adnani.

From al-Qaeda official video
From al-Qaeda official video

The Qaedat al-Jihad al-Electroniyya YouTube channel publishes basic hacking lessons. Some of them deal with the famous njRAT tool. They also have an official Twitter account called al-Qaeda al-Electroniyya (@alqaeda_11_9).

Official Twitter account
Official Twitter account

This new AQ branch has already launched cyber-attacks against Western websites, such as the American Coyalta website that they defaced.

SenseCy 2014 Annual Cyber Intelligence Report

Written and prepared by SenseCy’s Cyber Intelligence analysts.

Executive Summary

Clearly, 2014 was an important year in the cyber arena. The technical level of the attacks, the variety of tools and methods used and the destructive results achieved have proven, yet again, that cyber is a cross-border tool that is rapidly gaining momentum.

This year, we witnessed attacks on key vectors: cyber criminals setting their sights on targets in the private sector, hacktivists using cyber tools for their ideological struggles, state-sponsored campaigns to facilitate spying on high-profile targets, and cyber conflicts between countries.

The following is an excerpt from an annual report prepared by our Cyber Intelligence analysts. To receive a copy, please send a request to: info@sensecy.com

Insights

Below are several of our insights regarding cyber activity this past year:

  • The financial sector was and continues to be a key target for cyber criminals, with most of the corporations hacked this year in the U.S. being attacked through infection of Point-of-Sale (POS) systems. Despite the high level of awareness as to the vulnerability of these systems following the Target breach at the end of 2013, ever more organizations are continuing to fall victim to these types of attacks, as the cybercrime community develops and sells dedicated tools for these systems.
  • In 2014, we saw another step up in the use of cyber as a cross-border weapon, the use of which can be highly destructive. This was evidenced in the attack on JPMorgan, which according to reports was a response to sanctions imposed by the U.S. on Russia. The ensuing Sony breach and threats to peoples’ lives should the movie The Interview be screened exacerbated the state of asymmetrical war in cyber space, where on the one hand, we see countries attacking companies, and on the other, groups of hackers attacking countries. This trend becomes even more concerning following the reports of the deaths of three workers at a nuclear reactor in South Korea, after it became the target of a targeted cyber-attack, evidently by North Korean entities.
  • This past year was rife with campaigns by anti-Israel hacktivist campaigns, whose motivation for attacking Israel’s cyber networks was especially strong. Again, it was clearly demonstrated that the relationship between physical and virtual space is particularly strong, when alongside Operation Protective Edge (July-August 2014), we witnessed a targeted cyber campaign by hacktivist organizations from throughout the Muslim world (but not only) and by cyber terror groups, which in some cases were able to score significant successes. We believe that in 2015, attacks by hacktivist groups will become higher quality (DDoS attacks at high bandwidth, for example) and the use of vectors, which to date have been less common, such as attacks against mobile devices, will become increasingly frequent.
  • Involvement of the internal factor in cyber-attacks: According to some speculations published recently in the global media regarding the massive Sony breach, former company employees  may have abused their positions and status to steal confidential information and try to harm the organization. This underscores the importance of information security and internal compartmentalization in organizations with databases containing sensitive information.

The Past Year on the Russian Underground

In 2014, we saw active underground trading of malware and exploits, with some of them being used in attacks inside and outside Russia that gained widespread media coverage in sources dealing with information security.

The following is a list of categories of malware and the main services offered for sale in 2014 on the Russian-speaking underground forums. Note that in this analysis, we only included important tools that were well-received by the buyers, which indicates their reliability and level of professionalism. Additionally, only tools that were sold for over a month were included. Let us also note that the analysis does not include special PoS firmware, but only programs designed to facilitate remote information theft through takeover of the terminal.

Malware_Russian Underground

Prices

The average price of a tool offered for sale in 2014 was $1,500. Since 2013, the average price has increased by $500. The following graph lists the average price in each of the categories outlined above (in USD):

Average_Price_by_Category

Key Trends Observed on the Russian Underground this Past Year

Trojan Horses for the Financial Sector

Malware designed to target financial institutions is a highly sought-after product on the Russian underground, and this past year we observed the development of malware based on Kronos source code – Zeus, Chthonic (called Udacha by the seller) and Dyre malware. Additionally, the sale of tools designed to sell login details for banking sites via mobile devices were also observed.

In this context, it should be noted that the modular structure of many types of financial malware allows flexibility by both the seller and the buyer. Most financial malware is sold in this format – meaning, various modules responsible for the malware’s activity can be purchased separately: Formgrabber module, Web-Injections module and more.

MitM Attacks

This type of attack vector, known to cyber criminals as Web injections, is most common as a module in Trojan horses for the financial sector. Members of many forums offer their services as injection writers, referring to creation of malware designed to be integrated into a specific banking Trojan horse (generally based on Zeus), tailored to the specific bank, which imitates the design of its windows, etc. In 2014, we saw this field prosper, with at least seven similar services offered on the various forums.

Ransomware

This year we witnessed a not insignificant amount of ransomware for sale on Russian-speaking forums. It would appear that the forums see a strong potential for profit through this attack vector and therefore invest in the development of ransomware. Furthermore, note that some of the ransomware uses the Tor network to better conceal the command and control servers. Since CryptoLocker was discovered in September 2013, we have seen numerous attempts at developing similar malware both for PCs and laptops.

Additional trends and insights are detailed in the full report.

Cyber Campaign against French Websites

In response to the recent escalations in France and the Anonymous #OpCharlieHebdo cyber campaign against Islamic extremists platforms, hundreds of French websites have been defaced by Muslim hacktivist groups (mostly from North Africa, such as the Tunisian hacker group dubbed Fallaga).

The famous hacktivist group Middle East Cyber Army (MECA) created an #OpFrance Facebook event page for organizing cyber-attacks against French websites on January 15, 2015. Another famous hacktivist group Fallaga created a similar event page that organized an anti-France cyber-attack on January 10, 2015.

MECA #OpFrance event page
MECA #OpFrance event page

Additionally, the famous hacktivist group AnonGhost has made calls on several social media platforms to hack French websites. The group also uploaded a video to YouTube, in which they explain their motive to act against French websites: “In reaction of France’s crimes against Muslims in Mali, Syria, Center Africa & Iraq, bombing mosques, killing innocents, under the banner of ‘fighting terrorism.'”

Finally, motivation to hack French websites is high and the anti-France message is quickly spreading via social media platforms.

Anonymous versus ISIS

Alongside the war being waged against ISIS in Iraq and Syria, there is another battle front against ISIS in cyber space. Anonymous has declared war against ISIS platforms, to destroy ISIS propaganda and influence throughout the web. Anonymous supporters and opponents of ISIS are using social networks to spread their message. The following is a short summary of Anonymous efforts to block ISIS ideology on Facebook, Twitter and YouTube:
On October 4, 2014, a cyber-campaign was launched against ISIS. 110 Facebook users joined the event page that was created to organize DDoS attacks against websites affiliated with ISIS.

Event Page against ISIS
Event Page against ISIS

However, a more potent campaign against ISIS and its supporters is running on Twitter and Facebook, under the hashtags #OpIceISIS and #No2ISIS. There is also a Twitter account named Operation Ice ISIS.

There is also another anti-ISIS campaign on Twitter calling for an ISIS Media Blackout. The most active Twitter account in this operation named Bomb Islamic State.

Some tweets say that supporting ISIS is like supporting Assad or even Israel.

It should be noted that we also found an anti-ISIS group on the Darknet. The founder of the group, that has 32 members, invited all who wishes to eradicate ISIS to join the group.

ISIS in Cyber Space

We tried to search for ISIS cyber forces, if there is such thing, and we found some evidence on Twitter indicating the existence of an Islamic State Electronic Brigades. These brigades also have a YouTube channel and chat room. Here you can see a screenshot of an image in Arabic announcing that ISIS Electronic Brigades hacked the Twitter account @SawaTblanc.

Furthermore, the trend to support ISIS among hackers from the Muslim world is becoming more popular by the day. On Facebook, you can find many hacker groups affiliated with ISIS, such as the Army of the Electronic Islamic State that has 146 members. This group tried to launch a cyber-campaign against Arab TV Channels on September 27, 2014. There is another Facebook group that gives hacking lessons to ISIS supporters. Moreover, a Twitter account named Lizard Squad claimed that he uploaded an ISIS flag to Sony servers.

It should be noted that there can sometimes be conflicts among Arab hacker groups affiliated with Anonymous that also support the ISIS agenda, such as Anonymous Official Arabe, who posted on its Facebook page that they would not hack ISIS websites, despite their Anonymous affiliation.In conclusion, our examples show that ISIS has a presence in cyber space but there is also high motivation to hack their platforms to delete their spreading influence.

Hacker Idol

The cyber world is anxiously awaiting the next big event and you can feel the buzz in the air since the Anon Official Arab hacker group announced their survey of the “Best Hacker Group in the Arab World for Year 2014”. People have been asked to vote for the best hacker group according to its achievements during 2014. The survey will be available to the public for 48 hours, after which time the organizers will announce the winners.

The Survey
The Survey

The nominees for the title “Best Hacker Group” are Anonymous, AnonGhost, Gaza Hacker Team, Fallaga, Moroccan Kingdom and Moroccan Islamic Union Mail. All are very popular groups with undisguised agendas against Israel, the U.S. and other governments around the world.
We have already voted for our favorite group. Have you? 🙂

The Rebirth of #OpIsraelReborn

#OpIsraelReborn 2014

Since 2001, the date 9/11 has held symbolic meaning for all terror groups and Islamist hacktivists. Every year, come September, many countries raise their alert status, fearing that a terror attack might be executed on this date to amplify its resonance and attach more significance to it. Ergo, it came of little surprise that this date was chosen in 2013 for the #OpUSA campaign that mainly targeted the websites of different American governmental and financial institutions. To further leverage the momentum, a second campaign, #OpIsraelReborn, was launched by AnonGhost concurrently with #OpUSA. However, the 2013 #OpIsraelReborn campaign failed to produce the desired results, and perhaps for this reason, this year the group has decided to have another go at it.

1111

On August 21, 2014, AnonGhost tweeted “Next operation is #OpIsrael Reborn. On 11 September, be ready Israel – you will taste something sweet as usual”. While we do not expect them to hand out vanilla-flavored ice-cream to random Israelis on the street, we also do not believe this campaign poses an exceptionally grim threat. Nevertheless, the AnonGhost group, together with many other hackers, are undoubtedly highly motivated to launch cyberattacks against Israeli targets, especially after the recent Protective Edge campaign, and they should therefore be afforded appropriate attention.

Based on last year’s experience, we expect that the main attack vectors will include DDoS attacks, defacements and SQL injections, and the prime victims of these attacks will be the websites of small businesses that maintain a low level of security.

9/11 is drawing closer and we will soon find out what cake AnonGhost has baked for us this time.        

2222

Did Turkish Hackers Actually Hack the Israeli “Iron Dome”?

Ayyildiz Tim (AYT) is one of the more prominent Turkish hacker groups today. The group was founded in 2002 by Turkish hackers residing outside of Turkey. AYT advocates Turkish state ideology and has declared its intention to fight against “every form of attack on the Turkish Republic”, or attempts to threaten Turkish unity and Islam. Israel, the U.S., Armenia, Syria and the Kurdistan Workers’ Party (PKK) are counted among the group’s main targets.

A number of sources and web surfers refer to AYT as “The Turkish Cyber Army”, claiming that the group directly represents the tactical arm of the Turkish government with regard to everything surrounding cyberwarfare.

AYT founder, Mehmet İshak Telli (Cedkan Bir Yafes), was interviewed by the Ihlas News Agency (IHA) – one of the leading video news agencies in the world – on August 7, 2014. In the interview, Telli claimed that Turkish hackers had hacked Israel’s “Iron Dome” air-defense system and that it would be a good answer to Israel aggression. In his statement, Telli claimed that the Arrow 3 anti-ballistic missile software had also been hacked. He further stated that a secret war has been waged between the Turkish and Israeli intelligence units and AYT had proven their cyber superiority.

Following this interview, numerous media outlets published his statements, falsely and mistakenly adding that “BBC editor” Brian Krebs had congratulated AYT and MIT (the Turkish National Intelligence Agency) on their hacking of Israel’s “Iron Dome”. However, the reports about Brian Krebs also misspelled his name “Vrian Krebs.” According to RedHack (another Turkish hacker group), AYT is merely exploiting the media to fool people.

Twit of a Member of Redhack Group
Tweet made by a RedHack member

What Krebs actually wrote on July 28 was: “According to Columbia, Md.-based threat intelligence firm Cyber Engineering Services Inc. (CyberESI), between October 10, 2011 and August 13, 2012, attackers thought to be operating out of China hacked into the corporate networks of three top Israeli defense technology companies…”.

Another investigation undertaken by security expert Reza Rafati also concluded that the information supporting the AYT claim regarding “Iron Dome” was fake.

#OpSaveGaza Campaign – Insights from the Recent Anti-Israel Cyber Operation

The #OpSaveGaza Campaign was officially launched on July 11, 2014, as a counter-reaction to operation “Protective Edge”. This is the third military operation against Hamas since the end of December 2008, when Israel waged operation “Cast Lead”, followed by operation “Pillar of Defense” in November 2012.

These military operations were accompanied by cyber campaigns emanating from pro-Palestinian hacker groups around the world. #OpSaveGaza was not the only recent cyber campaign against Israel, but it is the most organized, diverse and focused. During this campaign, hacker groups from Malaysia and Indonesia in the East to Tunisia and Morocco in the West have been participating in cyber attacks against Israel.

The Use of Social Networks

Hacktivist groups recruit large masses for their operations by means of social networks. Muslim hacker groups use mostly Facebook and Twitter to upload target lists, incite others to take part in cyberattacks and share attack tools.

The #OpSaveGaza campaign was planned and organized using these two social media platforms. The organizers of the campaign succeeded in recruiting tens of thousands of supporters to their anti-Israel ideology.

OpSaveGaza - Facebook Event

Attack Vectors

When examining the types of attacks perpetrated against Israeli cyber space, it appears that this campaign has been the most diverse in terms of attack vectors. It not only includes simple DDoS, defacement and data leakage attacks, but also phishing (even spear-phishing based on leaked databases), SMS spoofing and satellite hijacking (part of the Hamas psychological warfare), in addition to high-volume/high-frequency DDoS attacks.

Hackers targeting Israeli ISPs
Hackers targeting Israeli ISPs

Furthermore, these attacks have been much more focused as the attackers attempt to deface and knock offline governmental websites, defense contractors, banks and energy companies. Simultaneously, a large number of small and private websites were defaced (over 2,500) and several databases were leaked online.

Pro-Palestinian hackers defacing Israeli websites
Pro-Palestinian hackers defacing Israeli websites

Motivation and the Involvement of other Threat Actors

The motivation for waging cyberattacks against Israel during a military operation is clear. This is not the first time that a physical conflict has had implications on the cyber sphere. However, we believe that other factors are contributing to the cyber campaign. In July 2014, the Muslim world observed the month of Ramadan, a holy month in Muslim tradition. There are two significant dates in this month – “Laylat al-Qadr” (the Night of Destiny), the night the first verses of the Quran were revealed to the Prophet Muhammad; and “Quds Day” (Jerusalem Day), an annual event held on the last Friday of Ramadan and mentioned specifically by Iran and Hezbollah. We identified an increase in the number of attacks, as well as their quality, surrounding these dates.

Last year, several days before “Quds Day” a hacker group named Qods Freedom, suspected to be Iranian, launched a massive cyber operation against Israeli websites. In other words, we believe that not only hacktivist elements participated in this campaign but also cyber terrorism units and perhaps even state-sponsored groups from the Middle East.

The Islamic Cyber Resistance (ICR) leaking an internal database
The Islamic Cyber Resistance (ICR) leaking an internal database

To summarize, this campaign was far better organized than the recent cyber operations we experienced in 2009 and 2012 alongside physical conflicts with Hamas. We have seen changes in several aspects:

  • Improvement in attack tools and technical capabilities
  • Information-sharing between the groups (targets, attack tools, tutorials)
  • The involvement of hacker groups from Indonesia in the East and Morocco in the West.
  • Possible involvement of cyber terrorism groups
  • Well-managed psychological warfare and media campaign by the participating groups

The scope and manner in which this campaign was conducted shows improved capabilities of the perpetrators, which is in-line with Assaf Keren’s assessment of the evolution of hacktivist capabilities.