Intelligence Review of #OpIsrael Cyber Campaign (April 7, 2015)

Starting at the end of last week, hacktivist groups from around the Muslim world tried to attack Israeli websites, particularly those of government institutions, as part of the #OpIsrael cyber campaign. In the past twenty-four hours they stepped up their activity, but we have seen no signs of major attacks. Despite all the publicity prior to the campaign, the hackers’ successes were limited to defacing several hundred private websites and leaking the email addresses of tens of thousands of Israelis, many of them recycled from previous campaigns. Several dozen credit card numbers were also leaked on information-sharing websites, but our examination shows that some were recycled from past leaks.

AnonGhost, which initiated the campaign, was the main actor behind it. However, other groups of hackers, such as Fallaga, MECA (Middle East Cyber Army), Anon.Official.org, and Indonesian and Algerian groups also participated in the attacks. As the campaign progressed, we saw an increasing number of posts and tweets about it (over 3,000), but this is still significantly less than last year, when there were tens of thousands.

As we noted in previous updates, the campaign was conducted primarily on social networks, especially Facebook and Twitter. IRC channels opened for the campaign were barely active, partly because hackers feared spying by “intelligence agents.” On closed forums and Darknet platforms, we saw no activity related to #OpIsrael.

Participants discuss why the campaign is smaller than in 2013
Participants discuss why the campaign is smaller than in 2013

Following is a summary of the main results of the attacks that we have identified so far:

  • Defacing of hundreds of websites. Victims included Meretz (an Israeli political party), various Israeli companies, sub-domains of institutions of higher education, municipalities, Israeli artists, and more.
  • Leaking of tens of thousands of email addresses and personal information of Israelis. A significant portion of the information was recycled from previous campaigns. Databases from third-party websites were also leaked. In addition, two files were leaked and according to the hackers, one had 30,000 email addresses and the other 150,000 records.
  • Publication of details from dozens of credit cards, some of them recycled.

#OpIsrael Birthday Campaign – Summary

Written by Hila Marudi, Yotam Gutman and Gilad Zahavi

The #OpIsrael Birthday campaign took place as scheduled on April 7 and involved thousands of participants from all over the Muslim world, from Indonesia in the East to Morocco in the West.

#OpIsrael Birthday logo
#OpIsrael Birthday logo

It seems that the bulk of the activity focused on leaking data obtained from various breached databases. Some of the data published was simply a recycling of older data dumps, but some was new and included email addresses, passwords and personal details.

Hundreds of government email addresses were leaked and posted on Pastebin. In addition, private password-protected website databases were also leaked. The Islamic Cyber Resistance Group (ICRG), affiliated with Hezbollah and Iran, leaked hundreds of Bar-Ilan University email addresses and defaced a sub-domain of the University’s website.

Data leaked from Bar-Ilan University
Data leaked from Bar-Ilan University

Summary of the groups participating in the campaign:

Group name Group Details Activity
AnonGhost Tunisian, the campaign instigator Defaced hundreds of sites, developed and distributed an attack tool named “AnonGhost DDoSer”, leaked email addresses
AnonSec Pro-Palestinian Muslim group Leaked government email addresses, defaced websites and launched DDoS attacks
Fallaga Tunisian Built web-based attack tools and shells, launched DDoS attacks against government sites
Security_511 Saudi group Launched DDoS attacks against government sites and leaked government email addresses
Izzah Hackers Pro-Palestinian Muslim group Launched DDoS attacks against websites and leaked email addresses
Hacker Anonymous Military Pro-Palestinian Muslim group Launched DDoS attacks against government sites, leaked government email addresses and defaced websites
Moroccan Agent Secret Moroccan Group Defaced websites and leaked email addresses

According to the campaign’s official website, approximately 500 Israeli websites were defaced by AnonGhost, most of which were SMBs and private websites.

Conclusion

According to our analysis, we have not witnessed a dramatic change since the previous OpIsrael campaign that took place on April 7, 2013. We can think of at least two reasons for that:

  • The level of awareness and readiness in large organizations (but also in small ones) has improved and is improving each day.
  • During this campaign we have not seen attacks waged by nation-state actors such as the Syrian Electronic Army, the Izz ad-Din al-Qassam Cyber Fighters and others.

It appears that the attackers focused on attacking government sites and leaking databases. In addition, the number of authentic dumps containing email addresses, passwords and personal details was much bigger than the last campaign.

However, under the surface we have been noticing in recent weeks an emerging and concerning trend. We know that hacktivist groups and terrorist organizations try to develop their own capabilities. Those groups are also share information between themselves (guide books, scripts, tutorials). Lately we even have identified exchange of capabilities between Russian cyber criminals and anti-Israeli hackers and hacktivists.

The next phase, and we are not there yet, might be the purchase of advanced cyber weapons by terrorist organizations. It can be only a matter of time until terrorist groups (al-Qaeda for example) use sophisticated tools to attack critical infrastructure systems. If this happens, the results of the next OpIsrael campaign would be completely different.

OpIsrael – Happy Birthday! My, You’ve Grown Big…

AnonGhost announced a cyber-attack against Israel on April 7, 2014, one year after the last #OpIsrael campaign. To date, more than 6,000 Facebook users have joined different anti-Israel Facebook event pages, and many groups, such as Fallaga, AnonSec, Gaza Hacker Team, Indonesian Cyber Army, and more have declared their support. As you can see, the participants come from all over the world, but mainly North Africa, the Middle East and Southeast Asia. The rest usually use American proxy servers. According to our analysis, most participants are between the ages of 17 and 34.

One of the Campaign Official Images
One of the Campaign Official Images

The campaign has an official dedicated website, designed by the famous hacker Mauritania Attacker from AnonGhost, as well as a new Twitter account. The official website features online notifications about hacked Israeli websites and a list of campaign participants.

The Official Website of the Campaign
The Official Website of the Campaign

The main targets are government and financial websites, alongside defense industries. Recently, however, we have noticed an increasing focus on hacking government websites in Israel.

Moreover, we have identified publications of leaked emails and passwords belonging to thousands of Israelis. Our investigation also revealed intentions to hack and spam smartphones using assorted viruses.

All in all, the scope of the upcoming cyber-campaign appears to be significant. However, we believe that mainly small and private websites will suffer from these attacks.