Following the escalation between Israel and the Hamas regime in Gaza, Muslim hacktivists have announced the launch of several cyber campaigns against Israeli targets.
Unlike the real Middle East, where Muslims from different factions fight each other, when it comes to assaulting Israel they are happy to join forces. While several groups have launched campaigns to show their solidarity with the Palestinians, the most prominent are AnonGhost with #OpSaveGaza and Anonymous Arabe, which launched #Intifada_3 alongside Moroccan Tigers Team.
#OpSaveGaza is scheduled to peak on July 11, but attacks have already commenced against government, financial and telco sites, and the campaign combines hackers from Malaysia in the East to Tunisia in the West.
#Intifada_3 is led by Anonymous Arabe and Moroccan Tigers Team, and promises daily attacks against an assortment of sites using defacement and DDoS.
We expect the attack attempts to intensify in line with the progress of the armed conflict.
Over the last few days, several Muslim hacker groups have hacked government and financial websites in Sri Lanka in protest against the government’s attitude toward the violent clashes between Buddhists and Muslims.
As you can see in the graph below, there were hundreds of tweets over the weekend with the related hashtag #OpSriLanka.
For example, one Twitter account named Global Revolution called for the hacking of the Sri Lanka central bank website.
There is also a group page on Facebook named #OpSriLanka with 1,590 members. The main targets of the group are Sri Lankan government websites and official websites of the Buddhist population in Sri Lanka. The attack tools are mostly DDoS tools for computers and Android phones.
List of targets:
Mirror of a defaced website:
Additionally, on June 22, 2014, a group of hackers nicknamed Izzah Hackers leaked Sri Lankan government emails and passwords via Pastebin.
Sri Lanka is not alone. Muslim hacker groups are responsible for previous cyber-attacks against Myanmar (Burma) and the Central African Republic (CAR), protesting the killing of Muslims on religious grounds.
Hacktivist collective Anonymous announced a cyber campaign called #OpPetrol, planned to be executed on June 20, 2014. This is a re-run of a similar campaign with an identical name, launched on the exact same date last year and aimed at the international oil and gas industry across various geographies. The most prominent group seems to be AnonGhost, which recently defaced hundreds of websites and leaked a large amount of credit card details.
The campaign is likely to include a mix of DDoS, defacement and data dumps. The countries that are targeted are:
In addition, specific Oil and Gas companies in various locations, from the Gulf to Norway are on the target list. Last year’s campaign did not cause any substantial damage and we assume this re-run will achieve similar results.
In the past few years, the penchant of the Iranian regime for legitimizing hacking groups and their activities in Iran has become increasingly evident. While cooperation between the regime and certain hacking groups in Iran remains undeclared by the Iranian government, the remarkable coordination between the two sides cannot be ignored. This alleged coordination is evidenced in several cases where Iranian hacker groups appear to act according to government interests. Two such examples were the subdual of Iranian hacker activities during the nuclear negotiations and the lull in attacks against banks during the Iranian presidential elections.
That said, it was not unexpected for Iran to become a fertile ground for numerous hacking groups, some more prominent than others.
This legitimacy and the free-hand policy have indirectly created an interesting trend in the Iranian cyber arena – rather than hiding and masking their activities, Iranian hackers or hacking groups are presenting themselves as security firms. This new ‘security firm’ disguise, ‘Hackurity’ if you will, may appear legitimate from the outside, but a review of the individuals supporting these firms or managing them, reveals a very different picture.
Such was the case with the Iranian DataCoders Security Team and its cyber security firm.
Additional examples revealed the possibility that the group is also operating under an Arab alias.
At the beginning of August 2013, an unknown hacker group calling itself ‘Qods Freedom’ claimed to have waged several high-volume cyber-attacks against official Israeli websites and banks. In their Facebook account, they presented themselves as Palestinian hackers from Gaza. Taking into consideration Palestinian hacker capabilities, as well as an examination of the defacement signature left by ‘Qods Freedom’, we believe that the group has connections with Iran. One of the Iranian groups that used the same signature on the exact same day was the Iranian DataCoders Security Team.
It appears that the Iranian DataCoders is going to a lot of trouble to maintain its legitimacy as a new security firm, rather than sticking to its former title as a hacker group.
According to a list posted in 2012 on an Iranian computer blog, the group is ranked among the top three Iranian hacker groups at that time, and is mostly active in the fields of training, security, penetration testing, and network exploits and vulnerabilities.
The group leader is Ali Alipour, aka Cair3x, who operates an active blog, where he describes himself as “Head of the Ajax Security Team.” Alipour is a former member of one of the oldest and most prominent hacker groups in Iran – “Ashiyane Digital Security Team” – and is credited with perpetrating some of the exploits and defacements by the group. He was also listed on several forums as “one of Iran’s most terrible hackers”.
‘Pars-Security’ provides various services to the private and business sectors, including penetration testing, security and web programming. One of their most popular products is a technical guide entitled “Configuration and Server Security Package,” produced in cooperation with AjaxTM.
Although the ‘About us’ section on the site discloses that the company enjoys the support of the AjaxTM members, there is good reason to believe that the company is actually run by the Ajax Security Team themselves.
Another example of the tight relations between the ‘formats’ of Iranian hacker groups and security firms is the Mihan Hack Security Team. Since 2013, this group’s forum has been inactive, and was probably disabled by the group itself. With its forum and old website down, Mihan Hack has begun to reposition itself as a legitimate security firm.
The above-mentioned groups are just an example of the ‘hackurity groups’ trend in Iran. Our monitoring of the Iranian cyber arena has revealed more and more hacker groups once renowned for their defacement activities and hacking tool development, who have started to position themselves as ‘white hat’ security advisors and small Information Security (IS) consulting companies. The idea of active hackers supporting security firms and providing security services is not new, but is especially intriguing in Iran. The ‘former’ hacker groups that might be government-affiliated or supported are opening their own security firms rather than supporting existing firms and promoting self-developed products.
This action, accompanied by a decline in the declared activities of the group, can divert attention from undercover activities and allows the group to operate more freely – a valuable resource for any hacker group, especially an Iranian one, due to the ever-growing global interest in Iran’s cyber activity.
The group demands that the U.S. withdraw its soldiers from Islamic countries, or they will attack U.S. targets, such as airport computers. The group also demanded that the U.S. respond via the group’s Twitter account, @xhckerTN.
On May 12, 2014, an AnonGhost member and developer of the new AnonGhost DDoS tool, nicknamed Ali KM, created an event page on Facebook announcing a cyber-campaign against FIFA websites. #OpFIFA will take place between June 10 and 12, 2014.
It is worth mentioning that already in January 2014, hacktivists had created event pages on Facebook threatening to carry out cyberattacks against websites affiliated with the Brazilian Government (hosting the games) and FIFA.
According to Ali KM, the main reason for the #OpFIFA campaign is what they consider FIFA’s humiliating attitude towards Muslim teams. Thus far, approximately 100 Facebook users have joined the event and over 1,000 users have been invited.
Ali KM has promised that if the participants wage successful DDoS attacks against FIFA websites, he will provide them with free HD live streaming from his own servers during the World Cup games.
In a related matter, according to cyber security researchers, hackers use the FIFA World Cup games to spread different malware. For example, a new backdoor was discovered in a file called Jsc Sport Live + Brazil World Cup 2014 HD.rar. The archive contains an executable file that opens remote access, allowing hackers to gain full control of the victim’s computer. Hackers also spread a purported key generator for cracking football games that actually runs adware on the victim’s computer.
World Cup games are also a useful platform for phishing attempts, such as the one spotted last year, claiming to provide a promotional offer for FIFA World Cup 2014, but which actually tried to steal credit card credentials and personal details of the victims. Security researchers recommend ignoring such links and files and keeping antivirus updated.
Written by Hila Marudi, Yotam Gutman and Gilad Zahavi
The #OpIsrael Birthday campaign took place as scheduled on April 7 and involved thousands of participants from all over the Muslim world, from Indonesia in the East to Morocco in the West.
It seems that the bulk of the activity focused on leaking data obtained from various breached databases. Some of the data published was simply a recycling of older data dumps, but some was new and included email addresses, passwords and personal details.
Hundreds of government email addresses were leaked and posted on Pastebin. In addition, private password-protected website databases were also leaked. The Islamic Cyber Resistance Group (ICRG), affiliated with Hezbollah and Iran, leaked hundreds of Bar-Ilan University email addresses and defaced a sub-domain of the University’s website.
Summary of the groups participating in the campaign:
Tunisian, the campaign instigator
Defaced hundreds of sites, developed and distributed an attack tool named “AnonGhost DDoSer”, leaked email addresses
Pro-Palestinian Muslim group
Leaked government email addresses, defaced websites and launched DDoS attacks
Built web-based attack tools and shells, launched DDoS attacks against government sites
Launched DDoS attacks against government sites and leaked government email addresses
Pro-Palestinian Muslim group
Launched DDoS attacks against websites and leaked email addresses
Hacker Anonymous Military
Pro-Palestinian Muslim group
Launched DDoS attacks against government sites, leaked government email addresses and defaced websites
Moroccan Agent Secret
Defaced websites and leaked email addresses
According to the campaign’s official website, approximately 500 Israeli websites were defaced by AnonGhost, most of which were SMBs and private websites.
According to our analysis, we have not witnessed a dramatic change since the previous OpIsrael campaign that took place on April 7, 2013. We can think of at least two reasons for that:
The level of awareness and readiness in large organizations (but also in small ones) has improved and is improving each day.
During this campaign we have not seen attacks waged by nation-state actors such as the Syrian Electronic Army, the Izz ad-Din al-Qassam Cyber Fighters and others.
It appears that the attackers focused on attacking government sites and leaking databases. In addition, the number of authentic dumps containing email addresses, passwords and personal details was much bigger than the last campaign.
However, under the surface we have been noticing an emerging and concerning trend in recent weeks. We know that hacktivist groups and terrorist organizations try to develop their own capabilities. Those groups also share information between themselves (guide books, scripts, tutorials). Lately we have even identified an exchange of capabilities between Russian cyber criminals and anti-Israeli hackers and hacktivists.
The next phase, and we are not there yet, might be the purchase of advanced cyber weapons by terrorist organizations. It may be only a matter of time until terrorist groups (al-Qaeda, for example) use sophisticated tools to attack critical infrastructure systems. If this happens, the results of the next OpIsrael campaign would be completely different.
AnonGhost announced a cyber-attack against Israel on April 7, 2014, one year after the last #OpIsrael campaign. To date, more than 6,000 Facebook users have joined different anti-Israel Facebook event pages, and many groups, such as Fallaga, AnonSec, Gaza Hacker Team, Indonesian Cyber Army, and more have declared their support. As you can see, the participants come from all over the world, but mainly North Africa, the Middle East and Southeast Asia. The rest usually use American proxy servers. According to our analysis, most participants are between the ages of 17 and 34.
The campaign has an official dedicated website, designed by the famous hacker Mauritania Attacker from AnonGhost, as well as a new Twitter account. The official website features online notifications about hacked Israeli websites and a list of campaign participants.
The main targets are government and financial websites, alongside defense industries. Recently, however, we have noticed an increasing focus on hacking government websites in Israel.
Moreover, we have identified publications of leaked emails and passwords belonging to thousands of Israelis. Our investigation also revealed intentions to hack and spam smartphones using assorted viruses.
All in all, the scope of the upcoming cyber-campaign appears to be significant. However, we believe that mainly small and private websites will suffer from these attacks.
Several hacktivist groups planned to launch a cyber assault (“Op”) against Israel on March 10, as a prequel to a major assault scheduled for April 7.
Although the Op was led by the capable militant groups Red Hack (Turkey) and AnonGhost (Tunisia), it did not appear to manifest fully – the scope of the attacks and the extent of damage were marginal at best. Several private Israeli websites were hacked or DDoSed, and some email addresses belonging to Bank of Israel employees were leaked (no passwords or additional details). The Op incorporated several alleged attempts to hack Israeli government sites. One of these was recorded as part of a tutorial on March 9 – a Tunisian hacker affiliated with AnonGhost uploaded a tutorial to YouTube explaining to beginners how to hack websites with different tools, in order to participate in the #OpIsrael attacks on April 7, 2014. The video demonstrates an attempt to hack an Israeli government website with ByteDos, LOIC, Snake Bite and more. It should be mentioned that this video is one of many uploaded to YouTube during the preparations for #OpIsrael and other cyber campaigns.
In late July and early August 2013, a Gaza-based hacker group named “Qods Freedom” launched a cyber-operation against Israeli websites. The attack comprised distributed denial-of-service (DDoS) attacks, website defacements and attempted bank account breaches.
The DDoS-affected sites were Israel Railways, El Al (Israel’s national airline) and a leading daily newspaper. The attacks were all effective, topping at about 3.2 Gb/sec, rendering the sites inaccessible for many hours.
The group defaced over 600 sites, most of them related to two hosting service providers (likely to have been compromised). The defacement messages suggest that the motivation for the attack was to commemorate “Quds Day” – the last Friday of Ramadan. The group did not attempt to conceal its actions. Quite the contrary – it has an official Facebook page and Imageshack account where it posted images purportedly depicting the breach of Israeli bank accounts.
The political affiliation of the group seems very clear – hardcore Palestinian, anti-Israeli. This was also evident from pictures they posted on the defaced sites, which included images of the Dome of the Rock, the Palestinian flag, footage of protesters skirmishing with IDF soldiers, a portrait of Hezbollah leader Hassan Nasrallah and a quote from his famous “Spider Web” speech, which he delivered in southern Lebanon in 2000 (where he predicted that Israel would break apart like spider webs in the slightest wind).
After the attack subsided, SenseCy cyber intelligence analysts decided to take a closer look at the actions of this so-called Palestinian group. Gilad Zahavi, Director of Cyber Intelligence, recounted: “Something just didn’t add up. We were seeing many indications that this group was not what it portrayed itself to be, so we decided to dig deeper.” Using virtual entities (some of which have been in operation for some time, and are used to collect information on the vibrant hacking scene in Gaza), they started sniffing around on Palestinian forums and social media groups, but no-one seemed to know much about this group. With little else to do, the team looked again at the “signature” the group left after defacing one website. And there it was – a very uncharacteristic typo in the transcript of Nasrallah’s famous speech, one that no native Arabic speaker would make. This raised suspicions that this group might not be Arab at all. A closer look at the font used to type the message confirmed that it originated from a Farsi-language keyboard.
Focusing on the Iranian connection, the team uncovered several other indications of the true origins of the group. For starters, “Quds Day” is mostly celebrated by the Iranian government and Hezbollah, not by Palestinian Sunnis. Secondly, the only references to these attacks (anywhere in the Muslim world) have come from the Iranian media. Two additional Iranian groups, “Iranian Data Coders” and “Persian Flag Guards” use the same defacement signature, indicating at least some affiliation to Iranian cyber groups. The last telltale sign was that Iranian hacker groups often choose to masquerade as Arab hackers, choosing Arabic instead of Farsi names. A notable example is the “Izz ad-Din al-Qassam Cyber Fighters”, perceived to be linked to the Palestinian Hamas organization, but in fact operated by the Iranian regime.
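As an added example that is not part of the original post, here is how an analyst can turn the “Farsi keyboard” observation above into a repeatable check on captured defacement text. Persian and Arabic keyboard layouts emit different Unicode code points for letters that render almost identically (yeh and kaf), and Persian layouts also produce letters, digits and a joiner control that Arabic layouts never do, so the raw bytes of a message carry the layout fingerprint even when the visible glyphs look the same. The marker sets, the verdict rule and the two greeting samples below are my own constructions and assumptions, not data from the Qods Freedom defacement; the check is a signal for a human analyst to weigh alongside the linguistic and cultural indicators described in the post, not proof of origin on its own.

```python
import unicodedata
from collections import Counter

# Code points that a standard Persian (Farsi) keyboard layout emits but an
# Arabic layout does not. The scripts share most letters, so yeh and kaf are
# the usual tells: Persian layouts type U+06CC and U+06A9 where Arabic layouts
# type U+064A and U+0643. The glyphs look alike; the code points do not.
PERSIAN_LAYOUT_MARKERS = {
    "\u06CC",  # ARABIC LETTER FARSI YEH
    "\u06A9",  # ARABIC LETTER KEHEH
    "\u067E",  # ARABIC LETTER PEH   (Persian-only letter)
    "\u0686",  # ARABIC LETTER TCHEH (Persian-only letter)
    "\u0698",  # ARABIC LETTER JEH   (Persian-only letter)
    "\u06AF",  # ARABIC LETTER GAF   (Persian-only letter)
    "\u200C",  # ZERO WIDTH NON-JOINER, used heavily in Persian typing
}
PERSIAN_LAYOUT_MARKERS |= {chr(c) for c in range(0x06F0, 0x06FA)}  # Persian digits

ARABIC_LAYOUT_MARKERS = {
    "\u064A",  # ARABIC LETTER YEH
    "\u0643",  # ARABIC LETTER KAF
}
ARABIC_LAYOUT_MARKERS |= {chr(c) for c in range(0x0660, 0x066A)}  # Arabic-Indic digits


def keyboard_layout_hints(text):
    """Count layout-specific code points in text, grouped by layout.

    Returns {"persian": Counter, "arabic": Counter} keyed by Unicode character
    name, so a report reads without a hex table at hand. Run this on the raw
    captured text: NFKC normalisation keeps these distinctions, but many
    Arabic NLP "normalisers" fold U+06CC into U+064A and would erase the signal.
    """
    hints = {"persian": Counter(), "arabic": Counter()}
    for ch in text:
        if ch in PERSIAN_LAYOUT_MARKERS:
            hints["persian"][unicodedata.name(ch)] += 1
        elif ch in ARABIC_LAYOUT_MARKERS:
            hints["arabic"][unicodedata.name(ch)] += 1
    return hints


def layout_verdict(text):
    """Return 'persian', 'arabic' or 'undetermined' for the layout the text was typed on.

    Text typed on an Arabic layout contains no Persian-only code points at all,
    so even one is notable; a majority is required here (an assumed threshold)
    so that a single pasted character does not flip the verdict.
    """
    hints = keyboard_layout_hints(text)
    persian = sum(hints["persian"].values())
    arabic = sum(hints["arabic"].values())
    if persian > arabic:
        return "persian"
    if arabic > persian:
        return "arabic"
    return "undetermined"


# Constructed samples: the same Arabic greeting ("peace be upon you") typed on
# an Arabic layout and on a Persian layout. They render almost identically;
# only the yeh and kaf code points differ.
ARABIC_LAYOUT_SAMPLE = "\u0627\u0644\u0633\u0644\u0627\u0645 \u0639\u0644\u064A\u0643\u0645"
PERSIAN_LAYOUT_SAMPLE = "\u0627\u0644\u0633\u0644\u0627\u0645 \u0639\u0644\u06CC\u06A9\u0645"

if __name__ == "__main__":
    for label, sample in (("arabic layout", ARABIC_LAYOUT_SAMPLE),
                          ("persian layout", PERSIAN_LAYOUT_SAMPLE)):
        hints = keyboard_layout_hints(sample)
        print(f"{label}: verdict={layout_verdict(sample)} "
              f"persian={dict(hints['persian'])} arabic={dict(hints['arabic'])}")
```

The design choice worth noting is that the check never looks at the rendered font: fonts are a property of the viewer, whereas the code points are a property of whoever typed the message, which is why a layout fingerprint survives screenshots being re-typed into a report only if the analyst preserves the original text.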
So there you have it – an Iranian group with high technical capabilities, masquerading as a Palestinian group and attacking Israeli sites. This scheme was uncovered not by fancy computer forensics, but by good old-fashioned intelligence work, built on linguistic and cultural expertise, combined with a deep understanding of the cyber domain and intimate knowledge of the Middle East hacking scene.