#OpIsrael 2016 – Summary

This year, #OpIsrael hacktivists focused on defacing private websites, carrying out DDoS attacks and leaking databases. Hundreds of private Israeli websites were defaced, mostly by Fallaga and AnonGhost members. Various databases containing Israeli email addresses and credit cards were leaked, but the majority were recycled from previous campaigns.

The hacktivists attacks commenced on April 5, 2016, two days before the campaign was launched, with a massive DDoS attack against an Israeli company that provides cloud services. The fact that no one took responsibility for the attack, alongside the massive DDoS power invested, may indicate that threat actors with advanced technical abilities were responsible.

On April 7, 2016, approximately 2,650 Facebook users expressed their desire to participate in the campaign via anti-Israel Facebook event pages. There are several possible reasons for the low number of participants (compared for example to the 5,200 participants in #OpIsrael 2015). One reason might be disappointment in last year’s lack of significant achievements. Another reason could be the devotion of attention to other topics, such as the cyber campaign against the Islamic State (IS), in the wake of the recent terrorist attacks in Brussels. Moreover, it is possible that anti-Israel hacktivists have abandoned social media networks for other platforms, such as IRC and Telegram.

1
Number of participants in the #OpIsrael campaign since 2014

During the campaign, we detected many indications of the use of common DDoS tools, such as HOIC, and simple DDoS web platforms that do not require any prior technical knowledge in order to operate them. Most of the DDoS attacks were directed against Israeli government and financial websites. Hacktivists claimed they managed to take down two Israeli bank websites. While this could be true, the websites were up and operational again within a short time. In addition, there were no indications of the use of RATs or ransomware against Israeli targets.

2
Using common DDoS tools against an Israeli website

As mentioned previously, most of the leaked databases were recycled from previous campaigns. However, we noticed that almost all of the new leaked databases were stolen from the same source – an Israeli company that develop websites. Notably, during the 2014 #OpIsrael campaign, this company website appeared on a list of hacked websites.

There was no immediate claim of responsibility for the leakage of these databases, which raises many questions, since anti-Israel hacktivists typically publish their achievements on social media networks to promote the success of the campaign. Moreover, almost all of these databases were first leaked in the Darknet, but anti-Israel hacktivists do not use this platform at all. In addition, all of the data leakages were allegedly leaked by a hacker dubbed #IndoGhost, but there are no indications to suggest that this entity was involved in the #OpIsrael campaign or any other anti-Israel activity.

Finally, we detected several attempts to organize another anti-Israel campaign for May 7, 2016. As an example, we identified a post calling to hack Israeli government websites on this date. We estimate that these attempts will not succeed in organizing another anti-Israel cyber campaign.

AnonGhost VS Uncle Sam (#OpUSA – May 7, 2015)

Hacking group AnonGhost has published an official video on #OpUSA, its upcoming cyber campaign against the United States. The video, addressed to the U.S. government, does not mention the date of the campaign or the list of targets, but based on the group’s 2013 #OpUSA campaign, it appears that it is set to take place on May 7. The official video’s YouTube page mentions prominent AnonGhost members Mauritania Attacker, An0nx0xtn, DarkCoder, Donnazmi, and Hussein Haxor, all of whom promote the group’s agenda in social networks.

AnonGhost post about #OpUSA
AnonGhost post about #OpUSA

On May 7, 2013, AnonGhost, along with other groups such as the Tunisian Hackers, threatened to hack American government and financial websites. While they were highly motivated, they failed to achieve much other than to deface several websites and leak emails and personal information. A possible reason for their limited success is that several days before the campaign, hackers speculated on social media that #OpUSA was actually a trap set by the federal government in order to expose and arrest the participants.

Partial list of #OpUSA targets in 2013
Partial list of #OpUSA targets in 2013

One of the groups that participated in 2013, N4m3le55 Cr3w, published a long list of recommended DDoS tools at that time, most of which are common hacking tools that are likely to be used in the current campaign as well.

  • HOIC
  • LOIC
  • Slowloris
  • ByteDos
  • TorsHammer, a Python-based DDoS tool created by the group called An0nSec.
  • SYN Flood DOS, a DDoS tool that operates with NMAP and conducts a SYN Flood attack.

Intelligence Review of #OpIsrael Cyber Campaign (April 7, 2015)

Starting at the end of last week, hacktivist groups from around the Muslim world tried to attack Israeli websites, particularly those of government institutions, as part of the #OpIsrael cyber campaign. In the past twenty-four hours they stepped up their activity, but we have seen no signs of major attacks. Despite all the publicity prior to the campaign, the hackers’ successes were limited to defacing several hundred private websites and leaking the email addresses of tens of thousands of Israelis, many of them recycled from previous campaigns. Several dozen credit card numbers were also leaked on information-sharing websites, but our examination shows that some were recycled from past leaks.

AnonGhost, which initiated the campaign, was the main actor behind it. However, other groups of hackers, such as Fallaga, MECA (Middle East Cyber Army), Anon.Official.org, and Indonesian and Algerian groups also participated in the attacks. As the campaign progressed, we saw an increasing number of posts and tweets about it (over 3,000), but this is still significantly less than last year, when there were tens of thousands.

As we noted in previous updates, the campaign was conducted primarily on social networks, especially Facebook and Twitter. IRC channels opened for the campaign were barely active, partly because hackers feared spying by “intelligence agents.” On closed forums and Darknet platforms, we saw no activity related to #OpIsrael.

Participants discuss why the campaign is smaller than in 2013
Participants discuss why the campaign is smaller than in 2013

Following is a summary of the main results of the attacks that we have identified so far:

  • Defacing of hundreds of websites. Victims included Meretz (an Israeli political party), various Israeli companies, sub-domains of institutions of higher education, municipalities, Israeli artists, and more.
  • Leaking of tens of thousands of email addresses and personal information of Israelis. A significant portion of the information was recycled from previous campaigns. Databases from third-party websites were also leaked. In addition, two files were leaked and according to the hackers, one had 30,000 email addresses and the other 150,000 records.
  • Publication of details from dozens of credit cards, some of them recycled.

#OpIsrael Campaign – April 7, 2015: Cyber Intelligence Review

Background

This is the third round of the anti-Israel cyber campaign called #OpIsrael. The hacktivists are highly motivated to attack Israel, and they have been gradually building their campaign infrastructures on social media networks. Many have been posting videos with threatening messages in the leadup to April 7. AnonGhost, which is behind the campaign, has announced that it will cooperate with three anti-Israel groups known from previous campaigns: Fallaga, MECA (Middle East Cyber Army), and Anon Official Arabe.

Official announcement from AnonGhost on future cooperation
Official announcement from AnonGhost on future cooperation

Most of the social media discussions about the campaign are taking place in the Middle East, North Africa, Southeast Asia, Western Europe, and the United States (the attackers appear to be using proxy services). In addition, during March 2015 the number of Twitter tweets about the campaign increased by hundreds per day. Nevertheless, it is important to note that during the campaign, there will likely be several thousand or even tens of thousands of tweets a day, as was the case during previous campaigns.

Increase in the number of tweets about #OpIsrael per day in March 2015
Increase in the number of tweets about #OpIsrael per day in March 2015

Prominent Participants

At the time of writing, the number of participants is about 5,000. The most prominent groups in the campaign are from North Africa, the Middle East, and Southeast Asia. Groups of hackers from South America, such as Anonymous Chile and Anon Defense Brasil, and hackers affiliated with Anonymous have also expressed support for the campaign. We have not yet seen evidence of active involvement or public support for the campaign by cyberterrorist groups.

Attack Targets

The attack targets recommended by those participating in the campaign are government websites, financial websites such as the Tel Aviv Stock Exchange’s or the Bank of Israel’s, academic websites, telecom websites, and media websites. These lists are familiar from previous anti-Israel campaigns.

In addition, AnonGhost and Fallaga leaked a list of hundreds of telephone numbers of Israeli officials from an unknown source to point out potential targets for anti-Israel text messages or phishing attacks, such as those that took place during #OpSaveGaza.

Post from AnonGhost threatening to send messages to Israeli telephone numbers
Post from AnonGhost threatening to send messages to Israeli telephone numbers

Attack Tools

The attack tools we have identified so far mostly appear in lists that include links for downloading the tools. Most of these lists are well-known from previous anti-Israel campaigns. However, we identified several unique self-developed tools created specifically for the campaign:

  • AnonGhost DDoS – A DDoS tool developed by AnonGhost, which initiated the campaign.
  • LOIC Fallaga – A DDoS tool developed by Fallaga. This tool was developed for an anti-Israel hacktivist operation that took place on March 20 of this year, but we expect that hacktivists will use it in the #OpIsrael campaign as well.

How Hackers Use Social Media Networks to Put Your Organization at Risk

SenseCy’s teams monitor underground and password-protected forums and communities in many languages – Russian, Arabic, Persian, Chinese, Portuguese, English, and more. By gaining access to the Deep Web and Darknet, we identify suspicious activity and new hacker tools and enable our clients to mitigate or eliminate cyber threats.

Hacker communities on social networks continue to evolve. More and more communities are creating Twitter accounts as well as pages and groups in popular social networks such as Facebook and VKontakte (a Russian social network) to share information, tools, and experience.

In the past, hackers came together on social networks to hold operational discussions, share targets, and join forces for DDoS attacks, but less to upload or download hacking tools. Since this is changing, we are now monitoring hacking tools offered for download on Twitter, Facebook, and VKontakte.

Source code published on Twitter
Source code published on Twitter

These hacker communities can be classified into three main categories:

  1. Open public groups and accounts that make common, well-known tools available.

    Open Facebook group of well-known Arab hackers
    Open Facebook group of well-known Arab hackers
  2. Closed, secret groups sharing rare or sector-related tools or programs in a specific language.

    Secret Facebook group from Southeast Asia
    Secret Facebook group from Southeast Asia
  3. Groups sharing or even selling self-developed tools.
    Facebook post in closed Asian hacker group
    Facebook post in closed Asian hacker group

    A prominent example is the self-developed DDoS tool created by hacker group AnonGhost for the #OpIsrael cyber campaign, which is expected to take place on April 7, 2015. This tool uses three flooding methods, TCP, UDP, and HTTP and can operate through a proxy if needed. AnonGhost posted its new tool on its official Facebook page with a link to a tutorial on YouTube, and soon it was widely distributed among hacktivists through social media.

    From AnonGhost's official Facebook Page
    From AnonGhost’s official Facebook Page

    We regularly monitor trends and developments in social networks, since they are becoming the preferred platform for groups of hackers to share and improve attack tools. SenseCy also takes part in these communities, which gives us the edge in preventing attacks in real time. We continue to track new trends and developments to detect cyber threats for our clients.

Cyber Campaign against French Websites

In response to the recent escalations in France and the Anonymous #OpCharlieHebdo cyber campaign against Islamic extremists platforms, hundreds of French websites have been defaced by Muslim hacktivist groups (mostly from North Africa, such as the Tunisian hacker group dubbed Fallaga).

The famous hacktivist group Middle East Cyber Army (MECA) created an #OpFrance Facebook event page for organizing cyber-attacks against French websites on January 15, 2015. Another famous hacktivist group Fallaga created a similar event page that organized an anti-France cyber-attack on January 10, 2015.

MECA #OpFrance event page
MECA #OpFrance event page

Additionally, the famous hacktivist group AnonGhost has made calls on several social media platforms to hack French websites. The group also uploaded a video to YouTube, in which they explain their motive to act against French websites: “In reaction of France’s crimes against Muslims in Mali, Syria, Center Africa & Iraq, bombing mosques, killing innocents, under the banner of ‘fighting terrorism.'”

Finally, motivation to hack French websites is high and the anti-France message is quickly spreading via social media platforms.

AnonGhost Targets Universities around the World

During November 2014, the popular hacker group AnonGhost attempted to deface academic websites from around the world.

Background

AnonGhost was established by a famous hacker dubbed Mauritania Attacker. The group has launched many wide-scale cyber campaigns against the U.S., Israel and other countries around the world. The group’s most popular repeat campaign is #OpIsrael, which was relaunched on April 7, 2014 (one year after its inaugural launch), targeting Israeli cyber-space.

Their most recent ongoing campaign is #OpGov, where group members attempt to hack government websites in different countries. In the following image, you can see an example of the group’s intention to hack Jamaican government websites:

#OpGov

The group has also leaked information from databases, such as emails, passwords and personal details.

Targeting Academic Websites

Recently, we noticed that AnonGhost is focusing on academic websites in the U.S., such as Washington University, Olin College of Engineering and Utah State University. On its official Facebook and Twitter accounts, the group announced that they had successfully defaced these American academic websites. In the following images, you can see the group’s post and their tweet regarding Washington University websites:

Post and Tweet

In the following image, you can see the group’s post on Facebook listing its achievements in hacking government and academic websites:

Post

Defaced Websites as Tools for Future Attacks

It should be noted that cyber researchers have recently warned about new methods used by hacktivist groups to attack users who visit defaced websites, using a malicious link that leads to a Dokta Chef Exploit Kit hosting website. The Dokta Chef EK takes advantage of a recently disclosed vulnerability that allows remote code execution related to the Internet Explorer browser. In the following image, you can see a defaced website with the malicious link (lulz.htm):a Defaced Website

Related Posts


#OpIsraelReborn Campaign launched by AnonGhost September 5, 2014 by CyInfo

#OpSaveGaza – by the Tunisian AnonGhost  July 13, 2014 by Yotam Gutman

Recycled Fuel? OpPetrol Campaign by AnonGhost leaked a large amount of credit cards details June 18, 2014 by Yotam Gutman

 

Hacker Idol

The cyber world is anxiously awaiting the next big event and you can feel the buzz in the air since the Anon Official Arab hacker group announced their survey of the “Best Hacker Group in the Arab World for Year 2014”. People have been asked to vote for the best hacker group according to its achievements during 2014. The survey will be available to the public for 48 hours, after which time the organizers will announce the winners.

The Survey
The Survey

The nominees for the title “Best Hacker Group” are Anonymous, AnonGhost, Gaza Hacker Team, Fallaga, Moroccan Kingdom and Moroccan Islamic Union Mail. All are very popular groups with undisguised agendas against Israel, the U.S. and other governments around the world.
We have already voted for our favorite group. Have you? 🙂

The Rebirth of #OpIsraelReborn

#OpIsraelReborn 2014

Since 2001, the date 9/11 has held symbolic meaning for all terror groups and Islamist hacktivists. Every year, come September, many countries raise their alert status, fearing that a terror attack might be executed on this date to amplify its resonance and attach more significance to it. Ergo, it came of little surprise that this date was chosen in 2013 for the #OpUSA campaign that mainly targeted the websites of different American governmental and financial institutions. To further leverage the momentum, a second campaign, #OpIsraelReborn, was launched by AnonGhost concurrently with #OpUSA. However, the 2013 #OpIsraelReborn campaign failed to produce the desired results, and perhaps for this reason, this year the group has decided to have another go at it.

1111

On August 21, 2014, AnonGhost tweeted “Next operation is #OpIsrael Reborn. On 11 September, be ready Israel – you will taste something sweet as usual”. While we do not expect them to hand out vanilla-flavored ice-cream to random Israelis on the street, we also do not believe this campaign poses an exceptionally grim threat. Nevertheless, the AnonGhost group, together with many other hackers, are undoubtedly highly motivated to launch cyberattacks against Israeli targets, especially after the recent Protective Edge campaign, and they should therefore be afforded appropriate attention.

Based on last year’s experience, we expect that the main attack vectors will include DDoS attacks, defacements and SQL injections, and the prime victims of these attacks will be the websites of small businesses that maintain a low level of security.

9/11 is drawing closer and we will soon find out what cake AnonGhost has baked for us this time.        

2222

#OpSaveGaza – Interim Summary

Written by Yotam Gutman

When the cannons roar, the muses stay silent (but the hacktivists hack).

As we reported last week, operation “Protective Edge” instigated a flurry of activity by Muslim hacktivists, targeting Israel. In the following post we will review the activities which took place so far and try to characterize them.

Attacker Types

Attackers can by divided into three types: individuals, hacktivist groups and cyber terror organizations. Individuals usually join larger campaigns by hacktivists groups and show their support on social media sites.

Hacktivist groups taking a stance make extensive use of Facebook as a “command and control” platform. The largest “event” dubbed #OpSaveGaza was created by Moxer Cyber Team, a relatively new group who probably originated from Indonesia whose event page has 19,000 followers.

Moxer Cyber Team event page
Moxer Cyber Team event page

The event included many lesser known Islamic groups, mainly from Indonesia, who did not participate in previous campaigns against Israel. Another event page by the Tunisian AnonGhost announced that the attack will include 38 groups from around the Muslim world. The campaign is planned to continue until the 14th of July.

Cyber terror organization in the form of the SEA (Syrian Electronic Army and ICR (Islamic Cyber Resistance) have not officially declared their participation in the campaign but have waged several high profile attacks, such as hacking into the IDF spokesman blog and Twitter account (SEA) and leaking a large database of job seekers (ICR).

Attacker Tools

The participants in this campaign use similar tools as previous campaigns – Generic DDoS tools, SQLi tools, shells and IP anonymization tools.

Results (Interim Summary)

#OpSaveGaza campaign included to date mainly defacement attacks (about 500 sites have been defaced), DDoS attacks of minor scale and some data dumps. Two interesting trend we’re seeing are recycling older data dumps and claiming it to be a new one, and posting publicly available information which was allegedly breached.

Summary

We estimate that these activities will continue until the hostilities on the ground subside, with perhaps more substantial denial of service or data leak attempts.