Evolution of Hacktivist Campaigns

In the coming week we are going to see a major hacktivist operation aimed at Israel, called #OpIsraelBirthday, which is supposed to start on April 7. The operation is dubbed "birthday" because it commemorates the last OpIsrael, which took place on the same date last year. In recent weeks there has been a lot of internal debate at SenseCy about what has changed since then and what we can expect to see in the coming operation. I think the results of this debate might be interesting to you as well:

–          DDoS Attacks – DDoS attacks are nothing new, but recently attackers have started utilizing a new-old approach in the form of reflection attacks: small requests with a spoofed source address are sent to open UDP services, which answer the victim with much larger responses. If a year ago the attacks peaked at 30 Gb/s, it is more than plausible to assume that we are going to see an order of magnitude more than that. This might be tolerable for a large country, but for Israel it could cause problems in the ISP infrastructure itself and not just a denial of service against the target site.
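The following is an added example, not code from the original post or from any tool it names. It shows what a reflection attack looks like from the defender's side: many distinct reflector IPs, all answering from the same UDP service port, converge on one victim with large average packet sizes. The flow records are constructed NetFlow-style tuples, and the reflector port list and alert thresholds are assumptions chosen for the example. The helper gbps() ties the byte counts back to the 30 Gb/s figure mentioned above.

```python
"""Spot reflection/amplification DDoS traffic in flow records.

Added example for this post, not code from SenseCy or from any tool the post
names. The flow records are constructed NetFlow-style tuples; the reflector
port list and the alert thresholds are assumptions chosen for the example.
"""
from collections import defaultdict

# UDP services commonly abused as reflectors (assumed list for the example).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 19: "chargen", 161: "SNMP", 1900: "SSDP"}

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets).
# The first three mimic large NTP responses from several reflectors converging on one
# victim; the rest are ordinary traffic.
SAMPLE_FLOWS = [
    ("198.51.100.10", 123, "203.0.113.5", 40000, "udp", 482_000, 1000),
    ("198.51.100.11", 123, "203.0.113.5", 40001, "udp", 476_000, 990),
    ("198.51.100.12", 123, "203.0.113.5", 40002, "udp", 490_000, 1010),
    ("198.51.100.50", 123, "203.0.113.9", 123, "udp", 90, 1),         # normal NTP reply
    ("198.51.100.53", 53, "203.0.113.9", 52000, "udp", 120, 1),       # normal DNS reply
    ("203.0.113.9", 51000, "198.51.100.80", 443, "tcp", 12_000, 30),  # normal HTTPS
]


def detect_reflection(flows, min_reflectors=3, min_bytes_per_packet=400):
    """Group inbound UDP flows by (victim, reflector service port).

    A host receiving large UDP responses from many distinct reflector IPs on the
    same service port is the signature of a reflection attack: the attacker spoofed
    the victim's address in small requests, and the reflectors answer with large
    responses. Returns one alert dict per (victim, service) that crosses the
    thresholds, largest first.
    """
    groups = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for src_ip, src_port, dst_ip, _dst_port, proto, nbytes, npackets in flows:
        if proto != "udp" or src_port not in REFLECTOR_PORTS:
            continue
        g = groups[(dst_ip, src_port)]
        g["reflectors"].add(src_ip)
        g["bytes"] += nbytes
        g["packets"] += npackets

    alerts = []
    for (victim, port), g in groups.items():
        avg = g["bytes"] / g["packets"] if g["packets"] else 0.0
        if len(g["reflectors"]) >= min_reflectors and avg >= min_bytes_per_packet:
            alerts.append({
                "victim": victim,
                "service": REFLECTOR_PORTS[port],
                "reflectors": len(g["reflectors"]),
                "bytes": g["bytes"],
                "avg_bytes_per_packet": round(avg, 1),
            })
    return sorted(alerts, key=lambda a: a["bytes"], reverse=True)


def amplification_factor(request_bytes, response_bytes):
    """Bandwidth amplification factor: response size over the spoofed request size."""
    return response_bytes / request_bytes


def gbps(total_bytes, window_seconds):
    """Convert bytes seen over a window into gigabits per second (decimal giga)."""
    return total_bytes * 8 / window_seconds / 1e9


if __name__ == "__main__":
    for alert in detect_reflection(SAMPLE_FLOWS):
        print(alert)
    # Scale check: 30 Gb/s sustained for one second is 3.75 GB of traffic.
    print(round(gbps(3_750_000_000, 1), 1), "Gb/s")
```

The check is deliberately keyed on the source port rather than on packet rate alone, because the victim never sent the requests: blocking the reflector ports upstream, or asking the ISP to do so, is the practical mitigation, and the reflector count in the alert is what you hand to the ISP.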

–          Self-Developed Code – Until now, most of what we have seen coming from the anti-Israel hacktivist groups was reuse of anonymous code, with perhaps slight improvements to the user interface. Lately we have started to identify unique, original code developed by the groups themselves. Some of it still depends on existing code and available libraries, but this may be an indicator of things to come.

 AnonGhost DDoSer

AnonGhostDDoSer – Developed by AnonGh0st for OpIsraelBirthday


–          Dumps vs. Defacements – It seems that the general objective is now less the defacement of sites and more the ability to cause harm and panic through the publication of stolen data dumps. We see more and more details of allegedly hacked sites (some of them important), with the promise that their databases will be published on April 7. This is probably the first time these hacktivist groups are trying to achieve a widespread impact that is, at least in spirit, similar to the effect of terror.

–          Shells and RATs – SQL injection and cross-site scripting seem to be shifting from being the end result to being the means by which the hacktivist groups place web shells on their targets or infect them with RATs and other malware. This may suggest a more coherent effort to cause more sophisticated damage to their targets.
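An added example, not code from the original post, of what "SQL injection as a means" looks like in a web server log and how to catch it: an injected SELECT ... INTO OUTFILE that drops a PHP file under the web root, followed by requests to that file from the same address. The log lines are constructed in Apache combined format; the document root and the shell filename are assumptions for the example.

```python
"""Correlate an injected file write with later web-shell access.

Added example, not code from the original post. The log lines are constructed
(Apache combined format); WEB_ROOT and the shell path are assumptions.
"""
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed document root, used to map OUTFILE paths to URLs

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# MySQL file-write primitives reachable through an injectable SELECT.
FILE_WRITE_RE = re.compile(r"\bINTO\s+(?:OUT|DUMP)FILE\s+'([^']+)'", re.IGNORECASE)

# Constructed sample: injection writes <?php system($_GET[cmd]);?> into the web root,
# then the same client calls the dropped file; the last line is a normal visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2014:10:01:02 +0200] "GET /news.php?id=1%20UNION%20SELECT%20'
    '%27%3C%3Fphp%20system(%24_GET%5Bcmd%5D)%3B%3F%3E%27%20INTO%20OUTFILE%20'
    '%27/var/www/html/up/s.php%27 HTTP/1.1" 200 512 "-" "sqlmap/1.0"',
    '203.0.113.7 - - [10/Mar/2014:10:01:30 +0200] "GET /up/s.php?cmd=id HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2014:10:02:10 +0200] "POST /up/s.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Mar/2014:10:03:00 +0200] "GET /news.php?id=42 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
]


def parse(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote(rec["target"])          # inspect the decoded query
    rec["path"] = rec["target"].split("?", 1)[0]     # path without query string
    return rec


def detect_shell_drop(lines):
    """Return (kind, ip, detail) alerts.

    'sqli_file_write' fires on an injected OUTFILE/DUMPFILE; if the file lands
    under WEB_ROOT its URL path is remembered, and any later 200 response for
    that path fires 'webshell_access'.
    """
    dropped = {}  # web path -> ip that wrote it
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        m = FILE_WRITE_RE.search(rec["decoded"])
        if m:
            fs_path = m.group(1)
            if fs_path.startswith(WEB_ROOT + "/"):
                web_path = fs_path[len(WEB_ROOT):]
                dropped[web_path] = rec["ip"]
                alerts.append(("sqli_file_write", rec["ip"], web_path))
            else:
                alerts.append(("sqli_file_write", rec["ip"], fs_path))
            continue
        if rec["path"] in dropped and rec["status"] == "200":
            alerts.append(("webshell_access", rec["ip"], rec["decoded"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_shell_drop(SAMPLE_LOG):
        print(alert)
```

The second alert is the one that matters: a defacement ends with the injection, while a web shell is where the real damage starts. On the prevention side, the file write only works if the database account holds the FILE privilege, MySQL's secure_file_priv does not restrict the target directory, and the web root is writable by the database server, so all three should be checked, not just the injectable query.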

All in all, it seems that the motivation for the attack remains similar, but the magnitude and scope of the upcoming operation seem larger and more dangerous than last time (in terms of the tools available and the number of participants). However, companies and organizations that are aware of the threat can, in turn, take action to handle and mitigate these attacks.

March 10 Hacktivist Campaign – “Op” or “Flop”?

Several hacktivist groups planned to launch a cyber assault (“Op”) against Israel on March 10, as a prequel to a major assault scheduled for April 7.

Although the Op was led by the capable militant groups Red Hack (Turkey) and AnonGhost (Tunisia), it did not appear to fully materialize: the scope of the attacks and the extent of the damage were marginal at best. Several private Israeli websites were hacked or DDoSed, and some email addresses belonging to Bank of Israel employees were leaked (no passwords or additional details). The Op incorporated several alleged attempts to hack Israeli government sites. One of these was recorded as part of a tutorial on March 9: a Tunisian hacker affiliated with AnonGhost uploaded a tutorial to YouTube explaining to beginners how to hack websites with different tools, in order to participate in the #OpIsrael attacks on April 7, 2014. The video demonstrates an attempt to hack an Israeli government website with ByteDos, LOIC, Snake Bite and other tools. It should be mentioned that this video is one of many uploaded to YouTube during the preparations for #OpIsrael and other cyber campaigns.

https://www.youtube.com/watch?v=uAjmDDxR2Y8&list=UUZuiY5Awp7xdQTzZyqXFywQ

YouTube tutorial of attempted hack of Israeli site

In conclusion, it seems that the March 10 “Op” cannot be labeled a success, not even in terms of a grand rehearsal for the upcoming April campaign.

Ukraine versus Russia in a Cyber-Duel

The eyes of the world are trained on the events unfolding between Russia and Ukraine these days, partly curious, partly concerned, with others directly supporting one of the sides, either through actions or by disseminating the agenda they believe in. Everyone understands that this conflict (or should we already use the term "war"?) may have a huge impact on the balance of power in Eastern Europe and further afield. For the time being, we can only guess at Russia's true goals in this conflict and how far it may deteriorate. But one thing is already clear: this is a confrontation not only on the battlefield, with tanks and guns, but also in cyberspace, where the weapons are site defacements, data leaks and damage to the networks of financial and critical infrastructure. And it is not so obvious which of the two is the more merciless and destructive…

This is not the first time that Russia has resorted to cyber-attacks against her enemies. April 2007 is still burned into the collective memory of Estonia, when thousands of sites belonging to Estonian organizations came under cyber-attack over a three-week period, withholding many essential services from the general public.

Another conflict that served as a backdrop to numerous cyber-attacks was the Russia–Georgia war in 2008. South Ossetian, Russian, Georgian and Azerbaijani news and government websites were hacked, resulting in defacements with political messages and denial of service to numerous websites. It was not clear whether the attack was organized, government-supported warfare or a riot of individuals and groups holding pro-Russian views.

The current confrontation in the Crimean Peninsula has been underway for only a few days, but it already has wide backing from supporters of both sides in cyberspace. Many websites on Russian and Ukrainian domains have already been hacked, and #OpUkraine and #OpRussia campaigns have been launched on social networks, mainly VK, Odnoklassniki and Facebook.

The Ukrainians, imbued with patriotic feelings, are trying to hack Russian sites and leak data. The Ukrainian site Bimba, which calls itself the "cyber weapon of the Maidan revolution," announced that it is recruiting cyber volunteers wishing to work for the benefit of Ukraine.

Defacement of Russian Sites by Anonymous Ukraine
Recruitment of cyber volunteers on anti-Russian site

The VK group #опПокращення // #OpUkraine, identified with Anonymous, uploaded a paste to pastebin.com containing an anti-Russian message and a download link for an internal SQL dump from Crownservice.ru (which publishes tenders for government jobs), in a file called "Putin Smack Down Saturday".

Other hacker groups in Ukraine hacked regime websites to express their support for the revolution. In general, a large number of cyberattacks between the different Ukrainian groups have been carried out since the clashes began at the end of 2013. One of the more prominent was the hacking of the email of Ukrainian opposition leader Vitali Klitschko.

Russia tried to get even, although in a less obvious manner. Starting February 28, some sources reported cyberattacks in the Crimean Peninsula: local telecommunications companies, along with landline and Internet services, experienced disruptions that may have been caused by cyberattacks. Moreover, Russia's Internet monitoring agency (Roskomnadzor) has blocked web pages linked to the Ukrainian protest movement.

Aside from Russians and Ukrainians, this conflict has attracted hackers from other countries, and we have already seen Turkish, Tunisian, Albanian and Palestinian hacker groups attacking Russian sites in support of the Ukrainian revolution.

Turkish hackers teams join in hacking Russian and Ukrainian sites
Anonymous Gaza hack Russian websites

At the time of writing, news sites have reported two more attacks on Russian sites by Ukrainian activists. This is a surprising, dynamic duel, and cyberspace is likely to be the stage upon which it will be played out.

Gaza’s Electronic Battalion

There are many hacker groups with an anti-Israeli agenda that express their solidarity with Gaza, for example the Gaza Hacker Team, Anonymous Gaza or the Electronic Battalion of Gaza (Katibat Gaza el-Electroniyya, or KGE).

On September 28, 2013, the anniversary of the "al-Aqsa Intifada", the KGE launched the "al-Aqsa Electronic Intifada" on their Facebook page. They uploaded an official video to YouTube inviting hackers from all over the world to attack Israel, proposing official and financial websites as targets. Many hackers showed their support via social networks and several news websites reported on the upcoming attack. They did not manage to hack any important target, although the group uploaded images allegedly taken from an Israeli database, claiming that the records belonged to Israeli soldiers.

KGE invites hackers to join al-Aqsa electronic Intifada

The KGE has different platforms, such as a Facebook page, YouTube channel, Pastebin account, Google+ and a website (currently offline). According to their Facebook group page, they have over 600 members and supporters. One of them is Nasser Isam (nicknamed Neso), a hacker from Gaza who administers one of the group’s pages on Facebook.

Neso Isam's Facebook page

We found an image on Facebook of a tool called "KGE Doser". This may indicate that the group has the ability to develop its own hacking tools. The group has not mentioned new targets recently, although it has promised to wage cyber attacks in the near future. Who knows when we will hear from them again?

Online Jihadists Express Interest in Cyber Warfare and Cyber Security

In March 2013, a hacker group called the “Tunisian Cyber Army” (TCA) claimed that they, in coordination with the al-Qaeda Electronic Army (AQEA), (or AQECA – al-Qaeda Electronic Cyber Army), have hacked several U.S. government websites.

The attackers stated that they were assisted by “Chinese hackers.” In addition, the groups claimed that these attacks were in preparation for #OpBlackSummer, a cyber campaign designed to target U.S. websites between May and September 2013.


Regardless of the authenticity of these attacks, we clearly see the increased motivation of AQ-affiliated cyber units to wage attacks against Western targets. We would not be at all surprised to see sophisticated AQ attacks in the near future. We can assume that they are developing cyber attack tools, or even worse, purchasing advanced tools on the underground black market.

In September 2013, the Global Islamic Media Front (GIMF) – a propaganda organization associated with AQ – posted an encryption program for mobile phones on jihadi forums. The program is called Tashfeer al-Jawwal, or Mobile Encryption, and the GIMF described it as the “first Islamic encryption software for mobiles.”

The release was prefaced by an introduction from the renowned jihadi ideologue Abu Sa'ad al-A'mili, who promised that the program would be a qualitative leap for secure communications between jihadists and a surprising shock to the enemy. It should be mentioned that the GIMF provided a description of the program on their website, as well as tutorials in Arabic, English, Indonesian and Urdu.

Tashfeer al-Jawwal -  encryption program for mobile phones

In December 2013, the exclusively online AQ propaganda distributor, the al-Fajr Media Center, published a new encryption program called Amn al-Mujahid ("Security of the Mujahid") on jihadi forums, accompanied by a 28-page instructional manual. Al-Fajr said that AQ's Technical Committee sought to develop an encryption program equipped with the latest technology that would enable the user to use advanced encryption standards.

Although these programs are merely variants of already available software, the steady introduction of such tools reveals jihadi interest in cyber security and cyber warfare.

March 10, 2014 – Anti-Israeli Hackers Plan a Cyber Campaign against Israel

On February 9, 2014, anti-Israeli hacker groups announced a cyber operation against Israel scheduled for March 10. According to a press release issued on Pastebin, all hacktivists worldwide are called upon "to wipe Israel yet again off the cyber web on March 10th, 2014 on the anniversary of Israel's attack on Palestinian leader Yasser Arafat's office in Gaza City".

#OpIsrael3.0 press release

The attackers published a target list of about 1,360 websites, including government websites, banks and financial institutions, media outlets, academic institutions, the defense industry and more. We have identified several hacker groups that will participate in the campaign. One of them is AnonGhost, which initiated the April 7, 2014 campaign. Another interesting group is RedHack, a Turkish hacker group that recently waged several high-profile attacks.

The attackers have also created an official Twitter account and a Facebook page, where they have posted download links for various attack tools: DDoS tools, SQL injection tools, RATs, keyloggers and more.

@OpIsrael3 Twitter account

As was the case in previous campaigns, we assume that pro-Palestinian hacker groups will launch cyberattacks against Israeli websites, but with a low success rate, especially with regard to banks and critical infrastructure websites.

SenseCy is coming to town! Come meet us at the RSA USA 2014 conference, February 24-28, in San Francisco.

Hacking as an Artistic Expression

Hackers are creative people. Everybody knows that. They have to be technically creative in order to outsmart security mechanisms, perform their antics and get away without being caught (sometimes).
But artistic creativity? That is not the first thing we associate with hacking. However, after witnessing their creative works of art, we felt compelled to share them with you.
So you are welcome to enjoy the works of the "Russian classical painters", the "surrealist hacktivist designers" and the "Iranian masters":

A Russian hacking forum
Portal of Russian hackers
Another Russian hacking forum
A carding shop
#OpUSA (May 7, 2013)
#OpPetrol (June 20, 2013)
#OpEgypt
Iranian Cyber Army (ICA)
Ashiyane Digital Security Team (ADST)

Cyber Threats to Oil and Gas Industry

Recent years have witnessed an increase in the number of cyber attacks against the energy sector. This sector's main vulnerability is its reliance on ICS/SCADA systems, which have been a serious concern for the security community for years.

The oil and gas industry is considered a privileged target for various adversaries: nation-state actors, cyber terrorists, hacktivists and even cyber criminals who sell stolen sensitive data on the underground market. In 2012, for example, energy companies were targeted in 41% of the malware-attack cases reported to the US Department of Homeland Security (DHS). And vulnerabilities in this industry have skyrocketed 600% since 2010, according to data reported in NSS Labs' Vulnerability Threat Report.

Here are some examples of significant attacks pertaining to the energy sector:

State-Sponsored

In August 2012, Saudi Aramco was hit by a computer virus that wiped data from 30,000 computers. Although the attack did not have an impact on oil production, it disrupted Saudi Aramco's internal communications. The virus, termed "Shamoon", was inserted into the company's network via a USB stick. The US government has blamed Iran for the attack, and Secretary of Defense Leon Panetta stated that it was "probably the most destructive attack that the private sector has seen to date".

Hacktivism

On June 20, 2013, the hacktivist collective Anonymous launched a cyber operation dubbed #OpPetrol, planned to target various oil companies around the world. The operation was not a success, but it emphasized the fact that the oil and gas industry represents an attractive target for attackers with different agendas and motivations, including sabotage, cyber espionage, financial gain, political aims and more.


Terrorist Groups

In Tunisia, the hacker group Tunisian Cyber Army (TCA) is joining forces with the al-Qaeda Electronic Army (AQEA). The groups have already carried out cyber attacks against Western targets, and they definitely pose an emerging threat in the cyber domain.

Conclusion

We believe that the threat to the oil and gas industry will grow in the near future, as the hunt for vulnerabilities in SCADA systems has intensified. A couple of weeks ago it was reported that Kaspersky experts discovered a Java version of the Icefog espionage campaign that targeted at least three US oil and gas companies. According to Symantec, the energy sector was the second most targeted vertical in the last six months of 2012, exceeded only by the government/public sector with 25.4 percent of all attacks. With millions of threats of varying complexity hitting the industry on a weekly basis, it is not surprising that by 2018 the oil and gas industry will be spending up to $1.87 billion on cyber security.

April 7, 2014 – Hacker Groups Plan a Cyber Operation against Israel

Written by Hila Marudi

In recent weeks, our Cyber Intelligence team has identified the intentions of Muslim hacktivist groups to launch a cyber operation against Israel on April 7, 2014, one year after the last April 7 campaign that attempted to shut down Israeli cyberspace.

AnonGhost Team was the first to announce, on December 23, 2013, that it would launch cyberattacks against Israel on April 5-7, 2014. The group, which initiated the previous April 7 campaign, also published a video entitled "#OpIsrael Birthday" (likely intended as a warning that this campaign will be launched annually on April 7).


Shortly after the AnonGhost announcement, other groups, such as AnonGhost Tunisie (sic) and the Norwegian Ghost Cyber Attackers, opened anti-Israel event pages on Facebook. In addition, several other groups, such as the pro-Palestinian Fallaga and Virus Noir Ps, were listed as participants in future cyber operations. The main targets are mostly government websites, but we assume that more targets, largely financial, will be announced soon.


What Does “Cyber Intelligence” Mean, And Why Is It Needed?

Hi All,

The SenseCy Blog has been up and running for a week now and we are extremely happy with the traction we have achieved so far.

It's time to elaborate on what we mean when we say "cyber intelligence".

As far as cyber defense goes, organizations have traditionally relied on technology and procedures to mitigate cyber threats.

But as recent events show, this thinking is no longer valid. Without knowing what threats are out there and who is targeting them, organizations find it impossible to tune their defensive mechanisms and procedures, and they fail time and again to secure their data from breaches.

So what attributes should one look for in cyber intelligence services?

  • Up-to-date: intelligence needs to be on time, relevant and accurate, based on the needs of the specific organization.
  • Derived from research sources, including the Deep Web, open sources, closed groups and password-protected forums (this is where the real information resides), covering multiple languages.
  • A mixture of both technical and operational intelligence (not just "another variant of malware was detected").
  • "Analyst approved" intelligence, meaning that the information has been correlated, aggregated and analyzed, leading to near-zero false positives.
  • Operational value: the "What do I do next?" question is answered.
Example of operational intelligence derived from password-protected groups

With such intelligence at its disposal, an organization can better mitigate evolving threats and achieve much greater efficiency and effectiveness from its technology.

In future posts, we will explore the production and analysis aspects of Cyber Intelligence and show some real-life examples of our work.

Keep in touch!

The SenseCy Team