When the cannons roar, the muses stay silent (but the hacktivists hack).
As we reported last week, operation “Protective Edge” instigated a flurry of activity by Muslim hacktivists targeting Israel. In the following post we will review the activities which have taken place so far and try to characterize them.
Attackers can be divided into three types: individuals, hacktivist groups and cyber terror organizations. Individuals usually join larger campaigns run by hacktivist groups and show their support on social media sites.
Hacktivist groups taking a stance make extensive use of Facebook as a “command and control” platform. The largest “event”, dubbed #OpSaveGaza, was created by Moxer Cyber Team, a relatively new group that probably originated in Indonesia and whose event page has 19,000 followers.
The event included many lesser known Islamic groups, mainly from Indonesia, who did not participate in previous campaigns against Israel. Another event page by the Tunisian AnonGhost announced that the attack will include 38 groups from around the Muslim world. The campaign is planned to continue until the 14th of July.
Cyber terror organizations, in the form of the SEA (Syrian Electronic Army) and ICR (Islamic Cyber Resistance), have not officially declared their participation in the campaign but have waged several high-profile attacks, such as hacking into the IDF spokesman’s blog and Twitter account (SEA) and leaking a large database of job seekers (ICR).
The participants in this campaign use similar tools as previous campaigns – Generic DDoS tools, SQLi tools, shells and IP anonymization tools.
Results (Interim Summary)
The #OpSaveGaza campaign has to date included mainly defacement attacks (about 500 sites have been defaced), DDoS attacks of minor scale and some data dumps. Two interesting trends we are seeing are the recycling of older data dumps presented as new ones, and the posting of publicly available information as allegedly breached data.
We estimate that these activities will continue until the hostilities on the ground subside, with perhaps more substantial denial of service or data leak attempts.
Following the escalation between Israel and the Hamas regime in Gaza, Muslim hacktivists have announced the launch of several cyber campaigns against Israeli targets.
Unlike the real Middle East, where Muslims from different factions fight each other, when it comes to assaulting Israel they are happy to join forces. While several groups have launched campaigns to show their solidarity with the Palestinians, the most prominent are AnonGhost with #OpSaveGaza and Anonymous Arabe, which launched #Intifada_3 alongside Moroccan Tigers Team.
#OpSaveGaza is scheduled to peak on July 11, but attacks have already commenced against government, financial and telco sites, and the campaign combines hackers from Malaysia in the East to Tunisia in the West.
#Intifada_3 is led by Anonymous Arabe and Moroccan Tigers Team, and promises daily defacement and DDoS attacks against an assortment of sites.
We expect the attack attempts to intensify in line with the progress of the armed conflict.
For the past few weeks, members of Anonymous and supporters of ISIS have been battling each other over the social media networks.
First, several Twitter accounts were created under the hashtag #No2ISIS to protest against ISIS activity in Iraq. Then, on June 21, 2014, an Anonymous-affiliated group called TheAnonMessage uploaded a public press release via YouTube about a cyber-attack targeting countries that support ISIS, such as Saudi Arabia, Qatar and Turkey.
On July 1, 2014, the Twitter account @TheAnonMessenger tweeted that the #No2ISIS cyber operation would continue until Anonymous decided otherwise.
The pro-Islamic Hilf-ol-Fozoul Twitter account also accused ISIS of being a protégé of the U.S.
In contrast, several Muslim hackers that support ISIS responded to the Anonymous declarations by adding the hashtag #OpAnonymous to their tweets. To boot, a very active hacker nicknamed Kjfido tweeted this message to Anonymous members.
Kjfido presents himself as a cyber-jihadist and an official member of the ISIS Electronic Army. It should be mentioned that there is no evidence that the ISIS Electronic Army actually exists, although there is a Twitter account by the name @electonic_ISIS that tweets about ISIS activity and its agenda.
Over the last few days, several Muslim hacker groups have hacked government and financial websites in Sri Lanka in protest against the government’s attitude toward the violent clashes between Buddhists and Muslims.
As you can see in the graph below, there were hundreds of tweets over the weekend with the related hashtag #OpSriLanka.
For example, one Twitter account named Global Revolution called for the hacking of the Sri Lanka central bank website.
There is also a group page on Facebook named #OpSriLanka with 1,590 members. The main targets of the group are Sri Lankan government websites and official websites of the Buddhist population in Sri Lanka. The attack tools are mostly DDoS tools for computers and Android phones.
List of targets:
Mirror of a defaced website:
Additionally, on June 22, 2014, a group of hackers nicknamed Izzah Hackers leaked Sri Lankan government emails and passwords via Pastebin.
Sri Lanka is not alone. Muslim hacker groups are responsible for previous cyber-attacks against Myanmar (Burma) and the Central African Republic (CAR), protesting the killing of Muslims on religious grounds.
The intelligence world has undergone dramatic change in recent years. The growth in traffic, online platforms, applications, devices and users has made the intelligence gathering process much more complex and challenging.
Today, each individual makes multiple simultaneous online appearances. We operate social media accounts, such as Facebook and Twitter (in Russia there is VK and Odnoklassniki and in China RenRen and QZone). We are also active on professional networks, such as LinkedIn. We participate in discussion groups and forums. We share pictures and videos via dedicated websites, and we process transactions by way of ecommerce sites, etc. This makes it much harder today to track the online footsteps of an individual and connect the dots between his diverse online representations, especially if he uses multiple aliases and email addresses.
Man versus Machine
In today’s virtual world, web-crawlers and automated collection tools have limitations. Don’t get me wrong – they are very important and we are dependent on automated tools in our daily work, but in some areas they simply cannot compete with a human analyst.
I will give you an example – in order to access a particular Russian closed hacking forum, you must write 100 posts, receive a recommendation from the administrator of the forum and finally, pay 50 dollars in Bitcoin. Such a task cannot be accomplished by a crawler or an automated tool. You must have an analyst that understands the relevant ecosystem and who is also familiar with the specific slang or lingo of the forum members. You must know that “Kaptoxa” (“Potato” in Russian) on a deep-web hacking forum does not really mean “Potato”, but rather refers to the BlackPOS – a Point-of-Sale (POS) malware used in the Target attack at the end of last year.
Cyber Activity Areas
If we take a look at the threat actors in the world of cyber security, we can roughly divide them into four categories: hacktivists (such as Anonymous-affiliated groups around the world); cyber terrorists (for example, the cyber unit of Hezbollah, and lately we have seen clear indications of al-Qaeda (AQ) attempts to develop a cyber unit within their organization).
A third category is cyber criminals (we have recently heard about cybercrime activities organized by groups in Ukraine, Eastern Europe, China and Latin America). The final category is governments, or state-sponsored groups (such as the Chinese PLA Unit 61398, also known as APT1, or the Izz ad-Din al-Qassam Cyber Fighters, an Iranian hacker group that launched “Operation Ababil” two years ago against the American financial sector).
Today, it is clear that every industry or sector is a potential target for cyber attack, or, as the Director of the FBI said two years ago, “There are only two types of companies: those that have been hacked and those that will be.”
And indeed, we are witnessing attacks on media organizations, public records (and in recent months attacks against healthcare services, mainly for the purpose of extortion), academic institutions, banks, the energy sector, and, of course, government agencies.
These diverse threat actors use the Internet to chat, plan their attacks, publish target lists, and even upload and share attack tools. But where can we find them? They have different online platforms.
Unlike APT campaigns that have almost no online footprint, the strength of hacktivism is its capability to recruit large masses for its operations, using social networks. In recent hacktivist campaigns we have identified Facebook as a “Command and Control” (C&C) platform for the attackers, where they plan the operation, publish a target list and share attack tools.
Cyber terrorists are mostly active on closed, dedicated forums where you must login with a username and password after receiving admin approval. We have experience with such forums in Arabic, Persian and even Turkish.
Cyber criminals, on the other hand, can be found on Darknet platforms, where you need to use a special browser to gain access. They can also be found on password-protected forums that sometimes require an entrance fee, payable in Bitcoin or other crypto-currencies. On these platforms we can find sophisticated attack tools for sale, pieces of advanced code, zero-day exploits, stolen data dumps and more.
Regarding governments or state-sponsored groups, I do not believe that they chat online, and generally speaking they do not leave footprints on the Web. However, we occasionally uncover activities by nation-state actors, such as the Syrian Electronic Army (SEA) or Iranian-affiliated groups.
I would like to argue that in today’s world we must use traditional methods of intelligence gathering, specifically operating covert agents, or virtual spies, throughout the Web – in closed discussion rooms, on secret Facebook pages, in the deep-web and Darknet platforms – in order to obtain quality, relevant and real-time intelligence.
Hacktivist collective Anonymous announced a cyber campaign called #OpPetrol, planned to be executed on June 20th, 2014. This is a re-run of a similar campaign with an identical name, launched on the exact same date last year and aimed at the international oil and gas industry in various geographies. The most prominent group seems to be AnonGhost, which recently defaced hundreds of websites and leaked a large amount of credit card details.
The campaign is likely to include a mix of DDoS, defacement and data dumps. The countries that are targeted are:
In addition, specific Oil and Gas companies in various locations, from the Gulf to Norway are on the target list. Last year’s campaign did not cause any substantial damage and we assume this re-run will achieve similar results.
The group demands that the U.S. withdraw its soldiers from Islamic countries, or they will attack U.S. targets, such as airport computers. The group also demanded that the U.S. respond via the group’s Twitter account, @xhckerTN.
On May 12, 2014, an AnonGhost member and developer of the new AnonGhost DDoS tool, nicknamed Ali KM, created an event page on Facebook announcing a cyber-campaign against FIFA websites. #OpFIFA will take place between June 10 and 12, 2014.
It is worth mentioning that already in January 2014, hacktivists had created event pages on Facebook threatening to carry out cyberattacks against websites affiliated with the Brazilian Government (hosting the games) and FIFA.
According to Ali KM, the main reason for the #OpFIFA campaign is what they consider FIFA’s humiliating attitude towards Muslim teams. Thus far, approximately 100 Facebook users have joined the event and over 1,000 users have been invited.
Ali KM has promised that if the participants wage successful DDoS attacks against FIFA websites, he will provide them with free HD live streaming from his own servers during the World Cup games.
In a related matter, according to cyber security researchers, hackers use the FIFA World Cup games to spread various malware. For example, a new backdoor was discovered in a file called Jsc Sport Live + Brazil World Cup 2014 HD.rar. The archive contains an executable file that creates remote access, allowing hackers to gain full control of the victim’s computer. Hackers also spread a claimed key generator for cracking football games that actually runs adware on the victim’s computer.
World Cup games are also a useful platform for phishing attempts, such as the one spotted last year, claiming to provide a promotional offer for FIFA World Cup 2014, but which actually tried to steal credit card credentials and personal details of the victims. Security researchers recommend ignoring such links and files and keeping antivirus updated.
Written by Hila Marudi, Yotam Gutman and Gilad Zahavi
The #OpIsrael Birthday campaign took place as scheduled on April 7 and involved thousands of participants from all over the Muslim world, from Indonesia in the East to Morocco in the West.
It seems that the bulk of the activity focused on leaking data obtained from various breached databases. Some of the data published was simply a recycling of older data dumps, but some was new and included email addresses, passwords and personal details.
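The recycled-dump pattern described above is one a defender can check for mechanically. The following is an added example, not code from the original post: it fingerprints each normalized email:password record of a claimed-new dump with a keyed hash (so the comparison corpus never stores leaked plaintext) and reports what share of the records already appear in a prior dump. The dump contents, file names and the 80% threshold are constructed assumptions.

```python
"""Flag a claimed-new credential dump that is actually a recycled older leak.

Added example (not from the original post). Dumps are assumed to be plain
"email:password" text. Records are compared via keyed SHA-256 fingerprints
so the stored reference corpus never contains the leaked plaintext.
All dump contents below are constructed sample data.
"""
import hashlib
import hmac

# Constructed sample data: one prior dump already on file, and a "new" leak.
PRIOR_DUMPS = {
    "prior-dump-2013.txt": """
alice@example.gov.il:Passw0rd!
bob@example.co.il:hunter2
carol@example.ac.il:qwerty123
DAVE@example.co.il:letmein
""",
}

NEW_DUMP = """
Alice@example.gov.il : Passw0rd!
bob@example.co.il:hunter2
carol@example.ac.il:qwerty123
dave@example.co.il:letmein
erin@example.org.il:newpass2014
"""

# Per-deployment secret so stored fingerprints cannot be brute-forced offline
# from a plain hash; the value here is a constructed placeholder.
FINGERPRINT_KEY = b"replace-with-a-per-deployment-secret"


def normalize_record(line: str):
    """Return (email, password) from an 'email:password' line, or None.

    Email addresses are treated as case-insensitive, so the address is
    lowercased and surrounding whitespace dropped; the password is kept
    exactly as leaked.
    """
    line = line.strip()
    if not line or ":" not in line:
        return None
    email, _, password = line.partition(":")
    email, password = email.strip().lower(), password.strip()
    if "@" not in email or not password:
        return None
    return email, password


def fingerprint(email: str, password: str) -> str:
    """Keyed hash of one record; this is what gets stored, not the plaintext."""
    msg = f"{email}\x00{password}".encode("utf-8")
    return hmac.new(FINGERPRINT_KEY, msg, hashlib.sha256).hexdigest()


def fingerprint_dump(text: str) -> set:
    """Set of fingerprints for every parseable record in a dump."""
    fps = set()
    for line in text.splitlines():
        rec = normalize_record(line)
        if rec:
            fps.add(fingerprint(*rec))
    return fps


def assess_dump(new_text: str, prior: dict, recycled_threshold: float = 0.8) -> dict:
    """Compare a claimed-new dump against prior dumps.

    Returns the record count, the best-matching prior dump, the share of the
    new dump's records already present in it, and a verdict: 'recycled' when
    that share meets the threshold, 'partially_recycled' when there is any
    overlap, and 'new' otherwise.
    """
    new_fps = fingerprint_dump(new_text)
    if not new_fps:
        return {"records": 0, "verdict": "empty", "best_match": None, "overlap": 0.0}
    best_name, best_overlap = None, 0.0
    for name, text in prior.items():
        overlap = len(new_fps & fingerprint_dump(text)) / len(new_fps)
        if overlap > best_overlap:
            best_name, best_overlap = name, overlap
    if best_overlap >= recycled_threshold:
        verdict = "recycled"
    elif best_overlap > 0:
        verdict = "partially_recycled"
    else:
        verdict = "new"
    return {"records": len(new_fps), "verdict": verdict,
            "best_match": best_name, "overlap": round(best_overlap, 2)}


if __name__ == "__main__":
    # Four of the five sample records are old, so the verdict is 'recycled'.
    print(assess_dump(NEW_DUMP, PRIOR_DUMPS))
```

In practice the reference corpus would be the fingerprint sets of every dump seen before, persisted on disk, and a 'partially_recycled' verdict is the interesting one: the records that do not match are the genuinely new exposure that affected organizations need to be told about.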
Hundreds of government email addresses were leaked and posted on Pastebin. In addition, private password-protected website databases were also leaked. The Islamic Cyber Resistance Group (ICRG), affiliated with Hezbollah and Iran, leaked hundreds of Bar-Ilan University email addresses and defaced a sub-domain of the University’s website.
Summary of the groups participating in the campaign:
Tunisian, the campaign instigator
Defaced hundreds of sites, developed and distributed an attack tool named “AnonGhost DDoSer”, leaked email addresses
Pro-Palestinian Muslim group
Leaked government email addresses, defaced websites and launched DDoS attacks
Built web-based attack tools and shells, launched DDoS attacks against government sites
Launched DDoS attacks against government sites and leaked government email addresses
Pro-Palestinian Muslim group
Launched DDoS attacks against websites and leaked email addresses
Hacker Anonymous Military
Pro-Palestinian Muslim group
Launched DDoS attacks against government sites, leaked government email addresses and defaced websites
Moroccan Agent Secret
Defaced websites and leaked email addresses
According to the campaign’s official website, approximately 500 Israeli websites were defaced by AnonGhost, most of which were SMBs and private websites.
According to our analysis, we have not witnessed a dramatic change since the previous OpIsrael campaign that took place on April 7, 2013. We can think of at least two reasons for that:
The level of awareness and readiness in large organizations (but also in small ones) has improved and is improving each day.
During this campaign we have not seen attacks waged by nation-state actors such as the Syrian Electronic Army, the Izz ad-Din al-Qassam Cyber Fighters and others.
It appears that the attackers focused on attacking government sites and leaking databases. In addition, the number of authentic dumps containing email addresses, passwords and personal details was much bigger than the last campaign.
However, under the surface we have been noticing in recent weeks an emerging and concerning trend. We know that hacktivist groups and terrorist organizations try to develop their own capabilities. Those groups also share information among themselves (guide books, scripts, tutorials). Lately we have even identified an exchange of capabilities between Russian cyber criminals and anti-Israeli hackers and hacktivists.
The next phase, and we are not there yet, might be the purchase of advanced cyber weapons by terrorist organizations. It may be only a matter of time until terrorist groups (al-Qaeda, for example) use sophisticated tools to attack critical infrastructure systems. If this happens, the results of the next OpIsrael campaign would be completely different.
AnonGhost announced a cyber-attack against Israel on April 7, 2014, one year after the last #OpIsrael campaign. To date, more than 6,000 Facebook users have joined different anti-Israel Facebook event pages, and many groups, such as Fallaga, AnonSec, Gaza Hacker Team, Indonesian Cyber Army, and more have declared their support. As you can see, the participants come from all over the world, but mainly North Africa, the Middle East and Southeast Asia. The rest usually use American proxy servers. According to our analysis, most participants are between the ages of 17 and 34.
The campaign has an official dedicated website, designed by the famous hacker Mauritania Attacker from AnonGhost, as well as a new Twitter account. The official website features online notifications about hacked Israeli websites and a list of campaign participants.
The main targets are government and financial websites, alongside defense industries. Recently, however, we have noticed an increasing focus on hacking government websites in Israel.
Moreover, we have identified publications of leaked emails and passwords belonging to thousands of Israelis. Our investigation also revealed intentions to hack and spam smartphones using assorted viruses.
All in all, the scope of the upcoming cyber-campaign appears to be significant. However, we believe that mainly small and private websites will suffer from these attacks.