#OpSaveGaza – Interim Summary

Written by Yotam Gutman

When the cannons roar, the muses stay silent (but the hacktivists hack).

As we reported last week, operation “Protective Edge” instigated a flurry of activity by Muslim hacktivists, targeting Israel. In the following post we will review the activities which took place so far and try to characterize them.

Attacker Types

Attackers can by divided into three types: individuals, hacktivist groups and cyber terror organizations. Individuals usually join larger campaigns by hacktivists groups and show their support on social media sites.

Hacktivist groups taking a stance make extensive use of Facebook as a “command and control” platform. The largest “event” dubbed #OpSaveGaza was created by Moxer Cyber Team, a relatively new group who probably originated from Indonesia whose event page has 19,000 followers.

Moxer Cyber Team event page
Moxer Cyber Team event page

The event included many lesser known Islamic groups, mainly from Indonesia, who did not participate in previous campaigns against Israel. Another event page by the Tunisian AnonGhost announced that the attack will include 38 groups from around the Muslim world. The campaign is planned to continue until the 14th of July.

Cyber terror organization in the form of the SEA (Syrian Electronic Army and ICR (Islamic Cyber Resistance) have not officially declared their participation in the campaign but have waged several high profile attacks, such as hacking into the IDF spokesman blog and Twitter account (SEA) and leaking a large database of job seekers (ICR).

Attacker Tools

The participants in this campaign use similar tools as previous campaigns – Generic DDoS tools, SQLi tools, shells and IP anonymization tools.

Results (Interim Summary)

#OpSaveGaza campaign included to date mainly defacement attacks (about 500 sites have been defaced), DDoS attacks of minor scale and some data dumps. Two interesting trend we’re seeing are recycling older data dumps and claiming it to be a new one, and posting publicly available information which was allegedly breached.

Summary

We estimate that these activities will continue until the hostilities on the ground subside, with perhaps more substantial denial of service or data leak attempts.

To the Rescue? Muslim Hacktivists Prepare Cyber Retaliation against Operation “Protective Edge”

Following the escalation between Israel and the Hamas regime in Gaza, Muslim hacktivists have announced the launch of several cyber campaigns against Israeli targets.

Unlike the real Middle-East, where Muslims from different factions fight each other, when it comes to assaulting Israel they are happy to join forces. While several groups have launched campaigns to show their solidarity with the Palestinians, the most prominent are AnonGhost with #OpSaveGaza and Anonymous Arabe that launched #Intifada_3, alongside Moroccan Tigers Team.

#OpSaveGaza is scheduled to peak on July 11, but attacks have already commenced against government, financial and Telcos, and is combining hackers from Malaysia in the East to Tunisia in the West.

#OpSaveGaza
#OpSaveGaza

#intifada_3 is lead by Anonymous Arabe and Moroccan Tigers Team, and is promising to launch daily attacks against an assortment of sites with defacement and DDoS attacks.

#intifiada_3
#intifiada_3

We expect the attack attempts to intensify in line with the progress of the armed conflict.

Anonymous versus ISIS – Hacktivism against Cyber Jihad

For the past few weeks, members of Anonymous and supporters of ISIS have been battling each other over the social media networks.

First, several Twitter accounts were created under the hashtag #No2ISIS to protest against ISIS activity in Iraq. Then, on June 21, 2014, an Anonymous-affiliated group called TheAnonMessage uploaded a public press release via YouTube about a cyber-attack targeting countries that support ISIS, such as Saudi Arabia, Qatar and Turkey.

On July 1, 2014, the Twitter account @TheAnonMessenger tweeted that the #No2ISIS cyber operation would continue until Anonymous decided otherwise.

The pro-Islamic Hilf-ol-Fozoul Twitter account also accused ISIS of being a protégé of the U.S.

Contrastingly, several Muslim hackers that support ISIS responded to the Anonymous declarations by adding the hashtag #OpAnonymous to their tweets. To boot, a very active hacker nicknamed Kjfido tweeted this message to Anonymous members.

Kjfido presents himself as a cyber-jihadist and an official member of the ISIS Electronic Army.It should be mentioned that there is no evidence that the ISIS Electronic Army actually exists, although there is a Twitter account by the name @electonic_ISIS that tweets about ISIS activity and its agenda.

#OpSriLanka

Over the last few days, several Muslim hacker groups have hacked government and financial websites in Sri Lanka in protest against the government’s attitude toward the violent clashes between Buddhists and Muslims.

As you can see in the graph below, there were hundreds of tweets over the weekend with the related hashtag #OpSriLanka.

Twitter Activity about #OpSriLanka
Twitter Activity about #OpSriLanka

For example, one Twitter account named Global Revolution called for the hacking of the Sri Lanka central bank website.

a Tweet about hacking SriLanka central bank
a Tweet about hacking SriLanka central bank

There is also a group page on Facebook named #OpSriLanka with 1,590 members. The main targets of the group are Sri Lankan government websites and official websites of the Buddhist population in Sri Lanka. The attack tools are mostly DDoS tools for computers and Android phones.

From the Facebook Group Page
From the Facebook Group Page

List of targets:

Tools:

Mirror of a defaced website:

Additionally, on June 22, 2014, a group of hackers nicknamed Izzah Hackers leaked Sri Lankan government emails and passwords via Pastebin.

Leaked Sri Lankan emails and password
Leaked Sri Lankan emails and passwords

Sri Lanka is not alone. Muslim hacker groups are responsible for previous cyber-attacks against Myanmar (Burma) and the Central African Republic (CAR), protesting the killing of Muslims on religious grounds.

 

Understanding the Cyber Intelligence Ecosystem

Technology Evolution

The intelligence world has undergone dramatic change in recent years. The growth in traffic, online platforms, applications, devices and users has made the intelligence gathering process much more complex and challenging.

Today, each individual makes multiple simultaneous online appearances. We operate social media accounts, such as Facebook and Twitter (in Russia there is VK and Odnoklassniki and in China RenRen and QZone). We are also active on professional networks, such as LinkedIn. We participate in discussion groups and forums. We share pictures and videos via dedicated websites, and we process transactions by way of ecommerce sites, etc. This makes it much harder today to track the online footsteps of an individual and connect the dots between his diverse online representations, especially if he uses multiple aliases and email addresses.

Man versus Machine

In today’s virtual world, web-crawlers and automated collection tools have limitations. Don’t get me wrong – they are very important and we are dependent on automated tools in our daily work, but in some areas they simply cannot compete with a human analyst.

I will give you an example – in order to access a particular Russian closed hacking forum, you must write 100 posts, receive a recommendation from the administrator of the forum and finally, pay 50 dollars in Bitcoin. Such a task cannot be accomplished by a crawler or an automated tool. You must have an analyst that understands the relevant ecosystem and who is also familiar with the specific slang or lingo of the forum members. You must know that “Kaptoxa” (“Potato” in Russian) on a deep-web hacking forum does not really mean “Potato”, but rather refers to the BlackPOS – a Point-of-Sale (POS) malware used in the Target attack at the end of last year.

BlackPOS is offered for sale on a Russian closed hacking forum (February 2013)
BlackPOS is offered for sale on a Russian closed hacking forum (February 2013)

Cyber Activity Areas

If we take a look at the threat actors in the world of cyber security, we can roughly divide them into four categories: hacktivists (such as Anonymous-affiliated groups around the world); cyber terrorists (for example, the cyber unit of Hezbollah, and lately we have seen clear indications of al-Qaeda (AQ) attempts to develop a cyber unit within their organization).

Collaboration between Al-Qaeda and Tunisian hackers
Collaboration between Al-Qaeda and Tunisian hackers

A third category is cyber criminals (we have recently heard about cybercrime activities organized by groups in Ukraine, Eastern Europe, China and Latin America). The final category is governments, or state-sponsored groups (such as the Chinese PLA Unit 61398, also known as APT1, or the Izz ad-Din al-Qassam Cyber Fighters, an Iranian hacker group that launched “Operation Ababil” two years ago against the American financial sector).

Today, it is clear that every industry or sector is a potential target for cyber attack, or, as the Director of the FBI said two years ago, “There are only two types of companies: those that have been hacked and those that will be.”

And indeed, we are witnessing attacks on media organizations, public records (and in recent months attacks against healthcare services, mainly for the purpose of extortion), academic institutions, banks, the energy sector, and, of course, government agencies.

These diverse threat actors use the Internet to chat, plan their attacks, publish target lists, and even upload and share attack tools. But where can we find them? They have different online platforms.

Unlike APT campaigns that have almost no online footprint, the strength of hacktivism is its capability to recruit large masses for its operations, using social networks. In recent hacktivist campaigns we have identified Facebook as a “Command and Control” (C&C) platform for the attackers, where they plan the operation, publish a target list and share attack tools.

OpFIFA 2014 Campaign
OpFIFA 2014 Campaign

Cyber terrorists are mostly active on closed, dedicated forums where you must login with a username and password after receiving admin approval. We have experience with such forums in Arabic, Persian and even Turkish.

Cyber criminals, on the other hand, can be found on Darknet platforms, where you need to use a special browser to gain access. They can also be found on password-protected forums that sometimes require an entrance fee, payable in Bitcoin or other crypto-currencies. On these platforms we can find sophisticated attack tools for sale, pieces of advanced code, zero-day exploits, stolen data dumps and more.

Silk Road - the infamous online market on Darknet
Silk Road – the infamous online market on Darknet

Regarding governments or state-sponsored groups, I do not believe that they chat online, and generally speaking they do not leave footprints on the Web. However, we occasionally uncover activities by nation-state actors, such as the Syrian Electronic Army (SEA) or Iranian-affiliated groups.

I would like to argue that in today’s world we must use traditional methods of intelligence gathering, specifically operating covert agents, or virtual spies, throughout the Web – in closed discussion rooms, on secret Facebook pages, in the deep-web and Darknet platforms – in order to obtain quality, relevant and real-time intelligence.

OpIsrael – Happy Birthday! My, You’ve Grown Big…

AnonGhost announced a cyber-attack against Israel on April 7, 2014, one year after the last #OpIsrael campaign. To date, more than 6,000 Facebook users have joined different anti-Israel Facebook event pages, and many groups, such as Fallaga, AnonSec, Gaza Hacker Team, Indonesian Cyber Army, and more have declared their support. As you can see, the participants come from all over the world, but mainly North Africa, the Middle East and Southeast Asia. The rest usually use American proxy servers. According to our analysis, most participants are between the ages of 17 and 34.

One of the Campaign Official Images
One of the Campaign Official Images

The campaign has an official dedicated website, designed by the famous hacker Mauritania Attacker from AnonGhost, as well as a new Twitter account. The official website features online notifications about hacked Israeli websites and a list of campaign participants.

The Official Website of the Campaign
The Official Website of the Campaign

The main targets are government and financial websites, alongside defense industries. Recently, however, we have noticed an increasing focus on hacking government websites in Israel.

Moreover, we have identified publications of leaked emails and passwords belonging to thousands of Israelis. Our investigation also revealed intentions to hack and spam smartphones using assorted viruses.

All in all, the scope of the upcoming cyber-campaign appears to be significant. However, we believe that mainly small and private websites will suffer from these attacks.

Evolution of Hacktivist Campaigns

In the next week we are going to see a major hacktivist operation, aimed against Israel, called #OpIsraelBirthday which is supposed to start on the 7th of April. The operation is dubbed “birthday“ since it comes to commemorate the last OpIsrael that took place on the same date last year. In recent weeks, there was a lot of internal debate in SenseCy about what has changed from then to now and what can we expect to see in the coming operation. I think that the results of this debate might be interesting to you as well:

–          DDoS Attacks – DDoS attacks are nothing new, but recently, attackers have started utilizing a new-old approach in the form of reflection attacks. If a year ago the height of the attack topped at 30Gb/sec attacks, it’s more than plausible to assume that we’re going to see one order of magnitude higher than that. This might be ok for a large sized country but for Israel this might cause problems in the ISP infrastructure itself and not just create a denial of service to the target site.

–          Self-Developed Code – If up until now, most of what we have seen coming from the anti-Israel hacktivism groups was reuse of anonymous code, with maybe slight improvements in the UI interface, lately we have started to identify unique/ original code developed by the groups themselves, albeit some of it is dependent on existing code and available libraries but this might be an indicator for things to come.

 AnonGhost DDoSer

AnonGhostDDoSer – Developed by AnonGh0st for OpIsraelBirthday

 

–          Dumps vs. Defacements – It seems that the general objective now is less the defacement of sites and more the ability to create harm and panic through the publication of stolen data dumps. We see more and more details regarding allegedly hacked sites (some of them important) with the promise that the databases will be published on the 7th of April. This is probably the first time these hacktivist groups are trying to achieve a more widespread impact that is, at least in spirit, similar to the terror effect.

–          Shells and RATs – It seems that SQL injections and cross site scripting is shifting from being the end result to being the means in which the hacktivist groups place web shells on their targets or infect the targets with RATs and other malware. It might, in effect, suggest a more coherent effort to cause more sophisticated damages to their targets.

All in all, it seems that the motivation for the attack remains similar, but the magnitude and scope of the upcoming operation seems to be larger and more dangerous than the last one (in terms of tools available and number of participants). However, companies and organizations that are aware of the threat can, in turn, take actions to handle and mitigate these attacks.

March 10 Hacktivist Campaign – “Op” or “Flop”?

Several hacktivist groups planned to launch a cyber assault (“Op”) against Israel on March 10, as a prequel to a major assault scheduled for April 7.

Although the Op was led by the capable militant groups Red Hack (Turkey) and AnonGhost (Tunisia), it did not appear to manifest fully – the scope of the attacks and the extent of damage were marginal at best. Several private Israeli websites were hacked/ DDoSd ?and some email addresses belonging to Bank of Israel employees were leaked (no password or additional details). The Op incorporated several alleged attempts to hack Israeli government sites. One of these was recorded as part of a tutorial on March 9th  – a Tunisian hacker affiliated with AnonGhost uploaded  a tutorial to YouTube explaining to beginners how to hack websites with different tools, in order to participate in the #OpIsrael attacks on April 7, 2014. The video demonstrates an attempt to hack an Israeli government website with ByteDos, LOIC, Snake Bite and more. It should be mentioned that this video is one of many uploaded to YouTube during the preparations for #OpIsrael and during the preparations for #OpIsrael and other cyber campaigns.

https://www.youtube.com/watch?v=uAjmDDxR2Y8&list=UUZuiY5Awp7xdQTzZyqXFywQ

YouTube tutorial of attempted hack of Israeli site
YouTube tutorial of attempted hack of Israeli site

In conclusion, it seems that the March 10 “Op” cannot be labeled a success, not even in terms of a grand rehearsal for the upcoming April campaign.

Qods Freedom Hacker Group – Possible Iranian Involvement in Cyber Activity against Israel

In late July and early August 2013, a Gaza-based hacker group named “Qods Freedom” launched a cyber-operation against Israeli websites. The attack comprised distributed denial-of-service (DDoS) attacks, website defacements and attempted bank account breaches.

"Qods Freedom" Facebook page
“Qods Freedom” Facebook page

The DDoS-affected sites were Israel Railways, El Al (Israel’s national airline) and a leading daily newspaper. The attacks were all effective, topping at about 3.2 Gb/sec, rendering the sites inaccessible for many hours.

Screenshot posted by the group showing El Al site down due to their attack
Screenshot posted by the group showing El Al site down due to their attack

The group defaced over 600 sites, most of them related to two hosting service providers (likely to have been compromised). The defacement messages suggest that the motivation for the attack was to commemorate “Quds Day” – the last Friday of Ramadan.The group did not attempt to conceal its actions. Quite the contrary – it has an official Facebook page and Imageshack account where it posted images purportedly depicting the breach of Israeli bank accounts.

The political affiliation of the groups seems very clear – hardcore Palestinian, anti-Israeli. This was also evident from pictures they posted on the defaced sites that included images of the Dome of the Rock, the Palestinian flag, footage of protesters skirmishing with IDF soldiers and a portrait of Hezbollah leader Hassan Nasrallah and a quote from his famous “Spider Web” speech, which he delivered in southern Lebanon in 2000 (where he predicted that Israel would break apart like spider webs in the slightest wind).

The group's defacement signature quoting Nasrallah with a typo
The group’s defacement signature quoting Nasrallah with a typo

After the attack subsided, SenseCy cyber intelligence analysts decided to take a closer look at the actions of this so-called Palestinian group. Gilad Zahavi, Director of Cyber Intelligence, recounted: “Something just didn’t add up. We were seeing many indications that this group was not what it portrayed itself to be, so we decided to dig deeper.”Using virtual entities (some of which have been in operation for some time, and are used to collect information on the vibrant hacking scene in Gaza), they started sniffing around on Palestinian forums and social media groups, but no-one seemed to know much about this group. With little else to do, the team looked again at the “signature” the group left after defacing one website. And there it was – a very uncharacteristic typo in the transcript of Nasrallah’s famous speech, one that no native Arab speaker would make. This raised suspicions that this group might not be Arab at all. A closer look at the font used to type the message confirmed that it originated from a Farsi-language keyboard.

Focusing on the Iranian connection, the team uncovered several other indications of the true origins of the group. For starters, “Quds Day” is mostly celebrated by the Iranian government and Hezbollah, not by Palestinian Sunnis. Secondly, the only references to these attacks (anywhere in the Muslim world) have come from the Iranian media. Two additional Iranian groups, “Iranian Data Coders” and Persian Flag Guards” use the same defacement signature, indicating at least some affiliation to Iranian cyber groups. The last telltale sign was that Iranian hacker groups often choose to masquerade as Arab hackers, choosing Arabic instead of Farsi names. A notable example is the “Izz ad-Din al-Qassam Cyber Fighters”, perceived to be linked to the Palestinian Hamas organization, but in fact operated by the Iranian regime.

So there you have it – an Iranian group with high technical capabilities, masquerading as a Palestinian group and attacking Israeli sites. This scheme was uncovered not by fancy computer forensics, but by good old-fashioned intelligence work, built on linguistic and cultural expertise, combined with a deep understanding of the cyber domain and intimate knowledge of the Middle East hacking scene.

Ukraine versus Russia in a Cyber-Duel

The eyes of the world are trained on events unfolding between Russia and the Ukraine these days – partly curious, partly concerned, with others directly supportive of one of the sides, either through actions or by disseminating the agenda they believe in. Everyone understands that this conflict (or should we already use the term “war”?), may have a huge impact on the balance of power in Eastern Europe, and further afield. For the time being, we can only assume what Russia’s true goals are in this conflict and to what extent it can deteriorate. But one thing is already clear – this is a confrontation not only in the battlefield, with tanks and guns, but also in cyberspace, where the weapons are site defacements, data leaks and damage to the networks of financial and critical infrastructures. And it is not so obvious which of them is the more merciless and destructive…

This is not the first time that Russia has resorted to cyber-attacks against her enemies. April 2007 is still burned into the collective memory of Estonia, when thousands of sites belonging to Estonian organizations came under cyber-attack over a three-week period, which withheld many essential services from the general public.

Another conflict that served as a background to numerous cyber-attacks was the Russia–Georgia war in 2008. South Ossetian, Russian, Georgian, and Azerbaijani informational and governmental websites were hacked, resulting in defacements with political messages and denial of service to numerous websites. It was not clear whether the attack was an organized, government supported warfare or a riot of individuals and groups touting pro-Russian views.

The current confrontation in the Crimean Peninsula has only been underway for a few days, but it is already widely backed by supporters from both sides in cyberspace. Many websites with Russian and Ukrainian URLs have already been hacked and #OpUkraine and #OpRussia campaigns launched on social networks, mainly VK, Odnoklassniki and Facebook.

The Ukranians, imbued with patriotic feelings, are trying to hack Russian sites and leak data. The Ukranian site Bimba, which calls itself the “cyber weapon of the Maidan revolution,” announced its recruitment of cyber volunteers wishing to work for the benefit of the Ukraine.

Defacement of Russian Sites by Anonymous Ukraine
Recruitment of cyber volunteers on anti-Russian site

The VK group #опПокращення // #OpUkraine, identified with Anonymous, uploaded a paste to the pastebin.com site, containing an anti-Russian message and a link to a download of an internal SQL data from Crownservice.ru (publishes tenders for governmental jobs), in a file called Putin Smack Down Saturday.

Other hacker groups in the Ukraine hacked regime websites, in expression of their support for the revolution. In general, a large number of internal cyberattacks among the different Ukrainian groups have been executed since the clashes began at the end of 2013. One of the more prominent was the hacking of the email of Ukraine opposition leader, Vitali Klitschko.

Russia tried to get even, although in a less obvious manner. Starting February 28, reports about cyberattacks in the Crimean Peninsula were published by some sources. Local communication companies experienced problems in their work that may have been caused by cyberattacks, as well as landline and Internet services. Moreover, Russia’s Internet monitoring agency (Roskomnadzor) has blocked Internet pages linked to the Ukraine protest movement.

Aside from Russians and Ukrainians, this conflict has attracted hackers from other countries, and we have already seen Turkish, Tunisian, Albanian and Palestinian hacker groups attacking Russian sites in support of the Ukrainian revolution.

Turkish hackers teams join in hacking Russian and Ukrainian sites
Anonymous Gaza hack Russian websites

At the time of writing, news sites have reported two more attacks on Russian sites by Ukrainian activists. This is a surprising, dynamic duel, and cyberspace is likely the stage upon which it will be played out.