#OpIcarus Cyber Campaign – Round 5

Hacktivists recently launched the fifth phase of the #OpIcarus cyber campaign (also dubbed #OpSacred) against the financial sector around the world. This campaign was first launched in February 2016, and as in previous phases, the official target list contains mainly websites of central banks around the world. In addition, the initiators share links to download known DDoS tools, such as Continue reading “#OpIcarus Cyber Campaign – Round 5”

Updates about the Upcoming #OpIsrael Campaign

The number of participants in the event pages of the #OpIsrael campaign, as of the first week of April 2017, is approximately 600 Facebook users – a very low number of supporters compared to the same period in previous campaigns. In general, the response on social networks to the #OpIsrael campaign over the years since 2013 is constantly declining. Continue reading “Updates about the Upcoming #OpIsrael Campaign”

#OpIcarus – a War against the Global Financial Sector

During May 2016, we witnessed the second phase of the #OpIcarus cyber campaign against banks around the world, launched by the Anonymous collective in February 2016. The participants carried out DDoS attacks against bank websites in various countries on a daily basis. Several cyber-attacks succeeded in shutting down the websites of central banks in Greece, Cyprus and other countries.

Platforms

The initiators created two Facebook event pages and opened an IRC channel to coordinate their cyber-attacks. Approximately 2,000 participants joined the #OpIcarus event pages, but many more hacktivists expressed their support of this campaign via their social media accounts. With regard to the dedicated IRC channel, it appears not to have been as active as the campaign platforms in Facebook and Twitter.

From the #OpIcarus IRC Channel

Attacks and Tools

According to news reports, #OpIcarus participants shut down bank websites around the world on a daily basis. We cannot confirm that all of the mentioned banks websites were actually offline, due to the participant DDoS attacks, but we wish to point out several incidents that caught our attention.

A member of the Ghost Squad Hackers group dubbed s1ege took responsibly for shutting down the email server of the Bank of England. The bank did respond to this attack, but according to news reports, the bank’s mail server was offline on May 13, 2016.

Member of Ghost Squad Hackers claimed they shut down the mail server of the Bank of England
Member of Ghost Squad Hackers claimed they shut down the mail server of the Bank of England

In addition, according to a single news report shared on various Facebook accounts, Chase Bank ATMs stopped working on May 14, 2016, as a result of the Anonymous collective cyber activity. The Twitter account of Chase Bank’s technical support tweeted that their ATMs did not accept any deposits on this day, but they did not mention what had caused the problem. Meanwhile, the Ghost Squad Hackers group tweeted that the incident was part of the #OpIcarus campaign.

Chase Bank's technical support tweeted about a problem with their ATMs
Chase Bank’s technical support tweeted about a problem with their ATMs
Ghost Squad Hackers claim that Chase ATMs were hacked during #OpIcarus
Ghost Squad Hackers claimed that Chase ATMs were hacked during #OpIcarus

Additionally, s1ege claimed on May 18, 2016, that they had shut down a website related to the NYSE. The NYSE Twitter account tweeted that they had experienced a technical issue in one of their trading units. They did not mention what had caused the problem. Therefore, it is unclear if there is any connection to the Ghost Squad Hackers group, aside from the latter’s claim of responsibility.

A member of Ghost Squad Hackers claimed they hacked a website related to the NYSE
The NYSE announced that they had a technical issue that affected their daily activity
The NYSE announced that they had a technical issue that affected their daily activity

With regard to the attack tools, the participants used a variety of DDoS, some of which were simple online tools with no sophisticated DDoS abilities. However, there were indications that they used DDoS-as-a-Service (DaaS) platforms, such as Booters/Stressers that require payment and registration. In addition, the New World Hackers (NWH) team that took responsibility for shutting down the HSBC Bank website on January 29, 2016, supported the #OpIcarus campaign.

A call to use Booters on an #OpIcarus event page
A call to use Booters on an #OpIcarus event page

This campaign gained high popularity among hacktivists from all over the world who were motivated to DDoS bank websites protesting corruption and other issues. It is possible that the initiators will decide to engage an additional phase of this campaign, since one of them claimed in an interview that “Operation Icarus will continue as long as there are corrupt and greedy banks out there.”

#OpIsrael 2016 – Summary

This year, #OpIsrael hacktivists focused on defacing private websites, carrying out DDoS attacks and leaking databases. Hundreds of private Israeli websites were defaced, mostly by Fallaga and AnonGhost members. Various databases containing Israeli email addresses and credit cards were leaked, but the majority were recycled from previous campaigns.

The hacktivists attacks commenced on April 5, 2016, two days before the campaign was launched, with a massive DDoS attack against an Israeli company that provides cloud services. The fact that no one took responsibility for the attack, alongside the massive DDoS power invested, may indicate that threat actors with advanced technical abilities were responsible.

On April 7, 2016, approximately 2,650 Facebook users expressed their desire to participate in the campaign via anti-Israel Facebook event pages. There are several possible reasons for the low number of participants (compared for example to the 5,200 participants in #OpIsrael 2015). One reason might be disappointment in last year’s lack of significant achievements. Another reason could be the devotion of attention to other topics, such as the cyber campaign against the Islamic State (IS), in the wake of the recent terrorist attacks in Brussels. Moreover, it is possible that anti-Israel hacktivists have abandoned social media networks for other platforms, such as IRC and Telegram.

1
Number of participants in the #OpIsrael campaign since 2014

During the campaign, we detected many indications of the use of common DDoS tools, such as HOIC, and simple DDoS web platforms that do not require any prior technical knowledge in order to operate them. Most of the DDoS attacks were directed against Israeli government and financial websites. Hacktivists claimed they managed to take down two Israeli bank websites. While this could be true, the websites were up and operational again within a short time. In addition, there were no indications of the use of RATs or ransomware against Israeli targets.

2
Using common DDoS tools against an Israeli website

As mentioned previously, most of the leaked databases were recycled from previous campaigns. However, we noticed that almost all of the new leaked databases were stolen from the same source – an Israeli company that develop websites. Notably, during the 2014 #OpIsrael campaign, this company website appeared on a list of hacked websites.

There was no immediate claim of responsibility for the leakage of these databases, which raises many questions, since anti-Israel hacktivists typically publish their achievements on social media networks to promote the success of the campaign. Moreover, almost all of these databases were first leaked in the Darknet, but anti-Israel hacktivists do not use this platform at all. In addition, all of the data leakages were allegedly leaked by a hacker dubbed #IndoGhost, but there are no indications to suggest that this entity was involved in the #OpIsrael campaign or any other anti-Israel activity.

Finally, we detected several attempts to organize another anti-Israel campaign for May 7, 2016. As an example, we identified a post calling to hack Israeli government websites on this date. We estimate that these attempts will not succeed in organizing another anti-Israel cyber campaign.

AnonGhost VS Uncle Sam (#OpUSA – May 7, 2015)

Hacking group AnonGhost has published an official video on #OpUSA, its upcoming cyber campaign against the United States. The video, addressed to the U.S. government, does not mention the date of the campaign or the list of targets, but based on the group’s 2013 #OpUSA campaign, it appears that it is set to take place on May 7. The official video’s YouTube page mentions prominent AnonGhost members Mauritania Attacker, An0nx0xtn, DarkCoder, Donnazmi, and Hussein Haxor, all of whom promote the group’s agenda in social networks.

AnonGhost post about #OpUSA
AnonGhost post about #OpUSA

On May 7, 2013, AnonGhost, along with other groups such as the Tunisian Hackers, threatened to hack American government and financial websites. While they were highly motivated, they failed to achieve much other than to deface several websites and leak emails and personal information. A possible reason for their limited success is that several days before the campaign, hackers speculated on social media that #OpUSA was actually a trap set by the federal government in order to expose and arrest the participants.

Partial list of #OpUSA targets in 2013
Partial list of #OpUSA targets in 2013

One of the groups that participated in 2013, N4m3le55 Cr3w, published a long list of recommended DDoS tools at that time, most of which are common hacking tools that are likely to be used in the current campaign as well.

  • HOIC
  • LOIC
  • Slowloris
  • ByteDos
  • TorsHammer, a Python-based DDoS tool created by the group called An0nSec.
  • SYN Flood DOS, a DDoS tool that operates with NMAP and conducts a SYN Flood attack.

Intelligence Review of #OpIsrael Cyber Campaign (April 7, 2015)

Starting at the end of last week, hacktivist groups from around the Muslim world tried to attack Israeli websites, particularly those of government institutions, as part of the #OpIsrael cyber campaign. In the past twenty-four hours they stepped up their activity, but we have seen no signs of major attacks. Despite all the publicity prior to the campaign, the hackers’ successes were limited to defacing several hundred private websites and leaking the email addresses of tens of thousands of Israelis, many of them recycled from previous campaigns. Several dozen credit card numbers were also leaked on information-sharing websites, but our examination shows that some were recycled from past leaks.

AnonGhost, which initiated the campaign, was the main actor behind it. However, other groups of hackers, such as Fallaga, MECA (Middle East Cyber Army), Anon.Official.org, and Indonesian and Algerian groups also participated in the attacks. As the campaign progressed, we saw an increasing number of posts and tweets about it (over 3,000), but this is still significantly less than last year, when there were tens of thousands.

As we noted in previous updates, the campaign was conducted primarily on social networks, especially Facebook and Twitter. IRC channels opened for the campaign were barely active, partly because hackers feared spying by “intelligence agents.” On closed forums and Darknet platforms, we saw no activity related to #OpIsrael.

Participants discuss why the campaign is smaller than in 2013
Participants discuss why the campaign is smaller than in 2013

Following is a summary of the main results of the attacks that we have identified so far:

  • Defacing of hundreds of websites. Victims included Meretz (an Israeli political party), various Israeli companies, sub-domains of institutions of higher education, municipalities, Israeli artists, and more.
  • Leaking of tens of thousands of email addresses and personal information of Israelis. A significant portion of the information was recycled from previous campaigns. Databases from third-party websites were also leaked. In addition, two files were leaked and according to the hackers, one had 30,000 email addresses and the other 150,000 records.
  • Publication of details from dozens of credit cards, some of them recycled.

#OpIsrael Campaign – April 7, 2015: Cyber Intelligence Review

Background

This is the third round of the anti-Israel cyber campaign called #OpIsrael. The hacktivists are highly motivated to attack Israel, and they have been gradually building their campaign infrastructures on social media networks. Many have been posting videos with threatening messages in the leadup to April 7. AnonGhost, which is behind the campaign, has announced that it will cooperate with three anti-Israel groups known from previous campaigns: Fallaga, MECA (Middle East Cyber Army), and Anon Official Arabe.

Official announcement from AnonGhost on future cooperation
Official announcement from AnonGhost on future cooperation

Most of the social media discussions about the campaign are taking place in the Middle East, North Africa, Southeast Asia, Western Europe, and the United States (the attackers appear to be using proxy services). In addition, during March 2015 the number of Twitter tweets about the campaign increased by hundreds per day. Nevertheless, it is important to note that during the campaign, there will likely be several thousand or even tens of thousands of tweets a day, as was the case during previous campaigns.

Increase in the number of tweets about #OpIsrael per day in March 2015
Increase in the number of tweets about #OpIsrael per day in March 2015

Prominent Participants

At the time of writing, the number of participants is about 5,000. The most prominent groups in the campaign are from North Africa, the Middle East, and Southeast Asia. Groups of hackers from South America, such as Anonymous Chile and Anon Defense Brasil, and hackers affiliated with Anonymous have also expressed support for the campaign. We have not yet seen evidence of active involvement or public support for the campaign by cyberterrorist groups.

Attack Targets

The attack targets recommended by those participating in the campaign are government websites, financial websites such as the Tel Aviv Stock Exchange’s or the Bank of Israel’s, academic websites, telecom websites, and media websites. These lists are familiar from previous anti-Israel campaigns.

In addition, AnonGhost and Fallaga leaked a list of hundreds of telephone numbers of Israeli officials from an unknown source to point out potential targets for anti-Israel text messages or phishing attacks, such as those that took place during #OpSaveGaza.

Post from AnonGhost threatening to send messages to Israeli telephone numbers
Post from AnonGhost threatening to send messages to Israeli telephone numbers

Attack Tools

The attack tools we have identified so far mostly appear in lists that include links for downloading the tools. Most of these lists are well-known from previous anti-Israel campaigns. However, we identified several unique self-developed tools created specifically for the campaign:

  • AnonGhost DDoS – A DDoS tool developed by AnonGhost, which initiated the campaign.
  • LOIC Fallaga – A DDoS tool developed by Fallaga. This tool was developed for an anti-Israel hacktivist operation that took place on March 20 of this year, but we expect that hacktivists will use it in the #OpIsrael campaign as well.

How Hackers Use Social Media Networks to Put Your Organization at Risk

SenseCy’s teams monitor underground and password-protected forums and communities in many languages – Russian, Arabic, Persian, Chinese, Portuguese, English, and more. By gaining access to the Deep Web and Darknet, we identify suspicious activity and new hacker tools and enable our clients to mitigate or eliminate cyber threats.

Hacker communities on social networks continue to evolve. More and more communities are creating Twitter accounts as well as pages and groups in popular social networks such as Facebook and VKontakte (a Russian social network) to share information, tools, and experience.

In the past, hackers came together on social networks to hold operational discussions, share targets, and join forces for DDoS attacks, but less to upload or download hacking tools. Since this is changing, we are now monitoring hacking tools offered for download on Twitter, Facebook, and VKontakte.

Source code published on Twitter
Source code published on Twitter

These hacker communities can be classified into three main categories:

  1. Open public groups and accounts that make common, well-known tools available.

    Open Facebook group of well-known Arab hackers
    Open Facebook group of well-known Arab hackers
  2. Closed, secret groups sharing rare or sector-related tools or programs in a specific language.

    Secret Facebook group from Southeast Asia
    Secret Facebook group from Southeast Asia
  3. Groups sharing or even selling self-developed tools.
    Facebook post in closed Asian hacker group
    Facebook post in closed Asian hacker group

    A prominent example is the self-developed DDoS tool created by hacker group AnonGhost for the #OpIsrael cyber campaign, which is expected to take place on April 7, 2015. This tool uses three flooding methods, TCP, UDP, and HTTP and can operate through a proxy if needed. AnonGhost posted its new tool on its official Facebook page with a link to a tutorial on YouTube, and soon it was widely distributed among hacktivists through social media.

    From AnonGhost's official Facebook Page
    From AnonGhost’s official Facebook Page

    We regularly monitor trends and developments in social networks, since they are becoming the preferred platform for groups of hackers to share and improve attack tools. SenseCy also takes part in these communities, which gives us the edge in preventing attacks in real time. We continue to track new trends and developments to detect cyber threats for our clients.

Cyber in Chinatown – Asian Hacktivists Act against Government Corruption

Social networks are well-known tools used by activists to mobilize the masses. As witnessed during the Arab Spring and in recent incidents in Hong Kong, government opposition groups can organize dissatisfied citizens by means of a massive campaign. More closed countries, such as North Korea or China try to limit access by their citizens to international social networks such as Twitter or Facebook. We have noticed an increasing tendency toward anti-government campaigns in Asian countries and the cyber arena plays an important role in this process. We have identified this kind of activity in China, Malaysia, Taiwan, Japan and North Korea. Local cyber hacktivist groups are calling for people to unite against infringements on freedom by violating privacy rights. Hacktivists are organizing anti-government groups and events on popular social media platforms and are posting tutorials on how to circumvent the blocking of certain websites and forums in countries where such Internet activity is forbidden. Furthermore, the groups are posting provocative materials and anti-government appeals in local Asian languages, alongside to English. Thus, we can see an attempt to recruit support from non-state activists for a national struggle.

Anonymous Japan and Anonymous North Korea Facebook Posts
Anonymous Japan and Anonymous North Korea Facebook Posts

These groups are eager to reach a large number of supporters, and not only for political and psychological purposes. Together with publishing tutorials for “safe browsing” in the Internet for large masses of people the groups translate popular cyber tools for mass attacks and they disseminate instructional manuals translated into local languages on how to use these tools.

Popular DDoS Tool in Japanese
Popular DDoS Tool in Japanese

One example of exactly such an organization is Anonymous Japan – an anti-government hacking group. The group develops and uses DDoS tools and is also involved in spam activity. Furthermore, members of the group develop their own tools and publish them on Facebook for wider audiences.

#OpJapan Attack Program
#OpJapan Attack Program

Amongst the large-scale campaigns launched by this organization, you can find #OpLeakageJp – an operation tracking radiation pollution in Japan.

TweetStorm post against the Nuclear Regulatory Commission in Japan
TweetStorm post against the Nuclear Regulatory Commission in Japan

In addition to internal struggles, hacktivist groups are operating against targets in the area. One such example is operations by hacktivism groups personifying themselves with North Korean insignia and targeting sources in South Korea. Examples of such cyber campaigns are #Opsouthkoreatarget and #OpNorthKorea.

#OpJapan Attack Program
#OpJapan Attack Program

In China, we found an example of the #OpChinaCW campaign. A cyber campaign hosted by Anonymous was launched on November 2, 2014 against Chinese government servers and websites. The campaign was organized on a Facebook event page and was further spread on Twitter.

#OpChinaCW Twitter Post
#OpChinaCW Twitter Post

Hacktivists have also published cyber tools for this campaign. See below an example of a DDoS tool sold on Facebook for only US$10.

DDoS Tool for Sale
DDoS Tool for Sale

As previously mentioned, cyber activity in the Asia region is directed not only against enemy states, but also against the “internal enemy” – the government. Hacktivism groups not only organize such campaigns on underground platforms, but they also make wide use of open popular social networks to recruit supporters. Moreover, they also develop their own cyber tools.