#OpClosedMedia: Hacktivists Threaten to Target the Media Sector on September 22, 2016

Hacktivists are threatening to launch #OpClosedMedia, a month-long cyber campaign against websites and platforms of “mainstream media,” on September 22, 2016, for failing to inform the public about the real news.

The campaign’s official target list includes the websites of the BBC, The Daily Mail, The Independent, Reuters, Channel One (Russia) and others.

#OpClosedMedia – September 22, 2016

Thus far, participants have claimed responsibility for hacking several websites related to the media sector from around the world, but they also claimed to have hacked other websites with a loose connection to this sector.

Calls to launch attacks against media outlets on September 22, 2016

This is not the first time that the media sector has been targeted by hacktivists. In June 2016, the Ghost Squad Hackers group launched the #OpSilence campaign against prominent news agencies, such as Fox News and CNN, protesting against what they called the “silence and lies” regarding the Palestinian situation. However, it seems that the Ghost Squad Hackers are not involved in this campaign.

In conclusion, popular news platforms and the media sector in general are targeted by hacktivists who wish to shut them down. Only time will tell if they will succeed or not.

#OpIsrael 2016 – Summary

This year, #OpIsrael hacktivists focused on defacing private websites, carrying out DDoS attacks and leaking databases. Hundreds of private Israeli websites were defaced, mostly by Fallaga and AnonGhost members. Various databases containing Israeli email addresses and credit cards were leaked, but the majority were recycled from previous campaigns.

The hacktivists’ attacks commenced on April 5, 2016, two days before the campaign was launched, with a massive DDoS attack against an Israeli company that provides cloud services. The fact that no one took responsibility for the attack, alongside the massive DDoS power invested, may indicate that threat actors with advanced technical abilities were responsible.

On April 7, 2016, approximately 2,650 Facebook users expressed their desire to participate in the campaign via anti-Israel Facebook event pages. There are several possible reasons for the low number of participants (compared for example to the 5,200 participants in #OpIsrael 2015). One reason might be disappointment in last year’s lack of significant achievements. Another reason could be the devotion of attention to other topics, such as the cyber campaign against the Islamic State (IS), in the wake of the recent terrorist attacks in Brussels. Moreover, it is possible that anti-Israel hacktivists have abandoned social media networks for other platforms, such as IRC and Telegram.

Number of participants in the #OpIsrael campaign since 2014

During the campaign, we detected many indications of the use of common DDoS tools, such as HOIC, and simple DDoS web platforms that do not require any prior technical knowledge in order to operate them. Most of the DDoS attacks were directed against Israeli government and financial websites. Hacktivists claimed they managed to take down two Israeli bank websites. While this could be true, the websites were up and operational again within a short time. In addition, there were no indications of the use of RATs or ransomware against Israeli targets.

Using common DDoS tools against an Israeli website

As mentioned previously, most of the leaked databases were recycled from previous campaigns. However, we noticed that almost all of the new leaked databases were stolen from the same source – an Israeli company that develops websites. Notably, during the 2014 #OpIsrael campaign, this company’s website appeared on a list of hacked websites.

There was no immediate claim of responsibility for the leakage of these databases, which raises many questions, since anti-Israel hacktivists typically publish their achievements on social media networks to promote the success of the campaign. Moreover, almost all of these databases were first leaked on the Darknet, but anti-Israel hacktivists do not use this platform at all. In addition, all of the data was allegedly leaked by a hacker dubbed #IndoGhost, but there are no indications to suggest that this entity was involved in the #OpIsrael campaign or any other anti-Israel activity.

Finally, we detected several attempts to organize another anti-Israel campaign for May 7, 2016. As an example, we identified a post calling to hack Israeli government websites on this date. We estimate that these attempts will not succeed in organizing another anti-Israel cyber campaign.

Intelligence Review of #OpIsrael Cyber Campaign (April 7, 2015)

Starting at the end of last week, hacktivist groups from around the Muslim world tried to attack Israeli websites, particularly those of government institutions, as part of the #OpIsrael cyber campaign. In the past twenty-four hours they stepped up their activity, but we have seen no signs of major attacks. Despite all the publicity prior to the campaign, the hackers’ successes were limited to defacing several hundred private websites and leaking the email addresses of tens of thousands of Israelis, many of them recycled from previous campaigns. Several dozen credit card numbers were also leaked on information-sharing websites, but our examination shows that some were recycled from past leaks.

AnonGhost, which initiated the campaign, was the main actor behind it. However, other groups of hackers, such as Fallaga, MECA (Middle East Cyber Army), Anon.Official.org, and Indonesian and Algerian groups also participated in the attacks. As the campaign progressed, we saw an increasing number of posts and tweets about it (over 3,000), but this is still significantly less than last year, when there were tens of thousands.

As we noted in previous updates, the campaign was conducted primarily on social networks, especially Facebook and Twitter. IRC channels opened for the campaign were barely active, partly because hackers feared spying by “intelligence agents.” On closed forums and Darknet platforms, we saw no activity related to #OpIsrael.

Participants discuss why the campaign is smaller than in 2013

Following is a summary of the main results of the attacks that we have identified so far:

  • Defacing of hundreds of websites. Victims included Meretz (an Israeli political party), various Israeli companies, sub-domains of institutions of higher education, municipalities, Israeli artists, and more.
  • Leaking of tens of thousands of email addresses and personal information of Israelis. A significant portion of the information was recycled from previous campaigns. Databases from third-party websites were also leaked. In addition, two files were leaked; according to the hackers, one had 30,000 email addresses and the other 150,000 records.
  • Publication of details from dozens of credit cards, some of them recycled.

Cyber in Chinatown – Asian Hacktivists Act against Government Corruption

Social networks are well-known tools used by activists to mobilize the masses. As witnessed during the Arab Spring and in recent incidents in Hong Kong, government opposition groups can organize dissatisfied citizens by means of a massive campaign. More closed countries, such as North Korea or China, try to limit access by their citizens to international social networks such as Twitter or Facebook.

We have noticed an increasing tendency toward anti-government campaigns in Asian countries, and the cyber arena plays an important role in this process. We have identified this kind of activity in China, Malaysia, Taiwan, Japan and North Korea. Local cyber hacktivist groups are calling for people to unite against infringements on freedom through violations of privacy rights. Hacktivists are organizing anti-government groups and events on popular social media platforms and are posting tutorials on how to circumvent the blocking of certain websites and forums in countries where such Internet activity is forbidden. Furthermore, the groups are posting provocative materials and anti-government appeals in local Asian languages, alongside English. Thus, we can see an attempt to recruit support from non-state activists for a national struggle.

Anonymous Japan and Anonymous North Korea Facebook Posts

These groups are eager to reach a large number of supporters, and not only for political and psychological purposes. Along with publishing tutorials on “safe browsing” on the Internet for the masses, the groups translate popular cyber tools for mass attacks and disseminate instructional manuals, translated into local languages, on how to use these tools.

Popular DDoS Tool in Japanese

One example of exactly such an organization is Anonymous Japan – an anti-government hacking group. The group develops and uses DDoS tools and is also involved in spam activity. Furthermore, members of the group develop their own tools and publish them on Facebook for wider audiences.

#OpJapan Attack Program

Amongst the large-scale campaigns launched by this organization, you can find #OpLeakageJp – an operation tracking radiation pollution in Japan.

TweetStorm post against the Nuclear Regulatory Commission in Japan

In addition to internal struggles, hacktivist groups are operating against targets in the area. One such example is operations by hacktivist groups presenting themselves under North Korean insignia and targeting sources in South Korea. Examples of such cyber campaigns are #Opsouthkoreatarget and #OpNorthKorea.

#OpJapan Attack Program

In China, we found an example of the #OpChinaCW campaign. A cyber campaign hosted by Anonymous was launched on November 2, 2014 against Chinese government servers and websites. The campaign was organized on a Facebook event page and was further spread on Twitter.

#OpChinaCW Twitter Post

Hacktivists have also published cyber tools for this campaign. See below an example of a DDoS tool sold on Facebook for only US$10.

DDoS Tool for Sale

As previously mentioned, cyber activity in the Asia region is directed not only against enemy states, but also against the “internal enemy” – the government. Hacktivism groups not only organize such campaigns on underground platforms, but they also make wide use of open popular social networks to recruit supporters. Moreover, they also develop their own cyber tools.

#OpIsrael Birthday Campaign – Summary

Written by Hila Marudi, Yotam Gutman and Gilad Zahavi

The #OpIsrael Birthday campaign took place as scheduled on April 7 and involved thousands of participants from all over the Muslim world, from Indonesia in the East to Morocco in the West.

#OpIsrael Birthday logo

It seems that the bulk of the activity focused on leaking data obtained from various breached databases. Some of the data published was simply a recycling of older data dumps, but some was new and included email addresses, passwords and personal details.

Hundreds of government email addresses were leaked and posted on Pastebin. In addition, private password-protected website databases were also leaked. The Islamic Cyber Resistance Group (ICRG), affiliated with Hezbollah and Iran, leaked hundreds of Bar-Ilan University email addresses and defaced a sub-domain of the University’s website.

Data leaked from Bar-Ilan University

Summary of the groups participating in the campaign:

| Group name | Group details | Activity |
|---|---|---|
| AnonGhost | Tunisian, the campaign instigator | Defaced hundreds of sites, developed and distributed an attack tool named “AnonGhost DDoSer”, leaked email addresses |
| AnonSec | Pro-Palestinian Muslim group | Leaked government email addresses, defaced websites and launched DDoS attacks |
| Fallaga | Tunisian | Built web-based attack tools and shells, launched DDoS attacks against government sites |
| Security_511 | Saudi group | Launched DDoS attacks against government sites and leaked government email addresses |
| Izzah Hackers | Pro-Palestinian Muslim group | Launched DDoS attacks against websites and leaked email addresses |
| Hacker Anonymous Military | Pro-Palestinian Muslim group | Launched DDoS attacks against government sites, leaked government email addresses and defaced websites |
| Moroccan Agent Secret | Moroccan group | Defaced websites and leaked email addresses |

According to the campaign’s official website, approximately 500 Israeli websites were defaced by AnonGhost, most of which were SMBs and private websites.

Conclusion

According to our analysis, we have not witnessed a dramatic change since the previous OpIsrael campaign that took place on April 7, 2013. We can think of at least two reasons for that:

  • The level of awareness and readiness in large organizations (but also in small ones) has improved and is improving each day.
  • During this campaign we have not seen attacks waged by nation-state actors such as the Syrian Electronic Army, the Izz ad-Din al-Qassam Cyber Fighters and others.

It appears that the attackers focused on attacking government sites and leaking databases. In addition, the number of authentic dumps containing email addresses, passwords and personal details was much larger than in the last campaign.

However, under the surface we have been noticing in recent weeks an emerging and concerning trend. We know that hacktivist groups and terrorist organizations try to develop their own capabilities. Those groups also share information among themselves (guide books, scripts, tutorials). Lately we have even identified an exchange of capabilities between Russian cyber criminals and anti-Israeli hackers and hacktivists.

The next phase, and we are not there yet, might be the purchase of advanced cyber weapons by terrorist organizations. It can be only a matter of time until terrorist groups (al-Qaeda for example) use sophisticated tools to attack critical infrastructure systems. If this happens, the results of the next OpIsrael campaign would be completely different.

Evolution of Hacktivist Campaigns

In the next week we are going to see a major hacktivist operation aimed against Israel, called #OpIsraelBirthday, which is supposed to start on the 7th of April. The operation is dubbed “birthday” since it commemorates the last OpIsrael, which took place on the same date last year. In recent weeks, there was a lot of internal debate in SenseCy about what has changed from then to now and what we can expect to see in the coming operation. I think that the results of this debate might be interesting to you as well:

  • DDoS Attacks – DDoS attacks are nothing new, but recently, attackers have started utilizing a new-old approach in the form of reflection attacks. If a year ago attacks peaked at 30Gb/sec, it’s more than plausible to assume that we’re going to see attacks one order of magnitude higher than that. This might be OK for a large country, but for Israel it might cause problems in the ISP infrastructure itself and not just create a denial of service on the target site.

  • Self-Developed Code – Up until now, most of what we have seen coming from the anti-Israel hacktivist groups was reuse of anonymous code, with maybe slight improvements in the UI. Lately, we have started to identify unique/original code developed by the groups themselves. Some of it depends on existing code and available libraries, but this might be an indicator of things to come.

AnonGhostDDoSer – Developed by AnonGh0st for OpIsraelBirthday

  • Dumps vs. Defacements – It seems that the general objective now is less the defacement of sites and more the ability to create harm and panic through the publication of stolen data dumps. We see more and more details regarding allegedly hacked sites (some of them important) with the promise that the databases will be published on the 7th of April. This is probably the first time these hacktivist groups are trying to achieve a more widespread impact that is, at least in spirit, similar to the terror effect.

  • Shells and RATs – It seems that SQL injection and cross-site scripting are shifting from being the end result to being the means by which the hacktivist groups place web shells on their targets or infect the targets with RATs and other malware. It might, in effect, suggest a more coherent effort to cause more sophisticated damage to their targets.

All in all, it seems that the motivation for the attack remains similar, but the magnitude and scope of the upcoming operation seem to be larger and more dangerous than the last one (in terms of tools available and number of participants). However, companies and organizations that are aware of the threat can, in turn, take actions to handle and mitigate these attacks.

March 10 Hacktivist Campaign – “Op” or “Flop”?

Several hacktivist groups planned to launch a cyber assault (“Op”) against Israel on March 10, as a prequel to a major assault scheduled for April 7.

Although the Op was led by the capable militant groups Red Hack (Turkey) and AnonGhost (Tunisia), it did not appear to manifest fully – the scope of the attacks and the extent of damage were marginal at best. Several private Israeli websites were hacked/DDoSed and some email addresses belonging to Bank of Israel employees were leaked (no passwords or additional details). The Op incorporated several alleged attempts to hack Israeli government sites. One of these was recorded as part of a tutorial on March 9th – a Tunisian hacker affiliated with AnonGhost uploaded a tutorial to YouTube explaining to beginners how to hack websites with different tools, in order to participate in the #OpIsrael attacks on April 7, 2014. The video demonstrates an attempt to hack an Israeli government website with ByteDos, LOIC, Snake Bite and more. It should be mentioned that this video is one of many uploaded to YouTube during the preparations for #OpIsrael and other cyber campaigns.

https://www.youtube.com/watch?v=uAjmDDxR2Y8&list=UUZuiY5Awp7xdQTzZyqXFywQ

YouTube tutorial of attempted hack of Israeli site

In conclusion, it seems that the March 10 “Op” cannot be labeled a success, not even in terms of a grand rehearsal for the upcoming April campaign.

Online Jihadists Express Interest in Cyber Warfare and Cyber Security

In March 2013, a hacker group called the “Tunisian Cyber Army” (TCA) claimed that they, in coordination with the al-Qaeda Electronic Army (AQEA, or AQECA – al-Qaeda Electronic Cyber Army), had hacked several U.S. government websites.

The attackers stated that they were assisted by “Chinese hackers.” In addition, the groups claimed that these attacks were in preparation for #OpBlackSummer, a cyber campaign designed to target U.S. websites between May and September 2013.

OpBlackSummer

Regardless of the authenticity of these attacks, we clearly see the increased motivation of AQ-affiliated cyber units to wage attacks against Western targets. We would not be at all surprised to see sophisticated AQ attacks in the near future. We can assume that they are developing cyber attack tools, or even worse – purchasing advanced tools from the underground black market.

In September 2013, the Global Islamic Media Front (GIMF) – a propaganda organization associated with AQ – posted an encryption program for mobile phones on jihadi forums. The program is called Tashfeer al-Jawwal, or Mobile Encryption, and the GIMF described it as the “first Islamic encryption software for mobiles.”

The release was prefaced by an introduction from renowned jihadi ideologue Abu Sa’ad al-A’mili, who promised that the program would be a qualitative move for secure communications between jihadists and a surprising shock to the enemy. It should be mentioned that the GIMF provided a description of the program on their website, as well as tutorials in Arabic, English, Indonesian and Urdu.

Tashfeer al-Jawwal – encryption program for mobile phones

In December 2013, the exclusively online AQ propaganda distributor, the al-Fajr Media Center, published a new encryption program called Amn al-Mujahid (“Security of the Mujahid”) on jihadi forums, accompanied by a 28-page instructional manual. Al-Fajr said that AQ’s Technical Committee sought to develop an encryption program equipped with the latest technology that would enable the user to use advanced encryption standards.

Although these developments are merely versions of available programs, the steady introduction of programs such as these reveals jihadi interest in cyber security and cyber warfare.

March 10, 2014 – Anti-Israeli Hackers Plan a Cyber Campaign against Israel

On February 9, 2014, anti-Israeli hacker groups announced a cyber operation against Israel scheduled for March 10. According to a press release issued on Pastebin, all hacktivists worldwide are called upon “to wipe Israel yet again off the cyber web on March 10th, 2014 on the anniversary of Israels attack on Palestinian leader Yasser Arafat’s office in Gaza City”.

#OpIsrael3.0 press release

The attackers published a target list of about 1,360 websites, including government websites, banks and financial institutions, media outlets, academic institutions, defense industry, etc. We have identified several hacker groups that will participate in the campaign. One of them is AnonGhost, which initiated the April 7, 2014 campaign. Another interesting group is RedHack – a Turkish hacker group that recently waged several high-profile attacks.

The attackers have also created an official Twitter account and a Facebook page, where they have posted links to download various attack tools, such as DDoS, SQL, RAT, keyloggers and more.

@OpIsrael3 Twitter account

As was the case in previous campaigns, we assume that pro-Palestinian hacker groups will launch cyberattacks against Israeli websites, but with a low success rate, especially with regard to banks and critical infrastructure websites.


April 7, 2014 – Hacker Groups Plan a Cyber Operation against Israel

Written by Hila Marudi

In recent weeks, our Cyber Intelligence team has identified the intention of Muslim hacktivist groups to launch a cyber operation against Israel on April 7, 2014 – one year after the last April 7 campaign that attempted to shut down Israeli cyber space.

AnonGhost Team was the first to announce, on December 23, 2013, that it would launch cyberattacks against Israel on April 5-7, 2014. The group, which initiated the previous April 7 campaign, also published a video entitled “#OpIsrael Birthday” (likely intended as a warning that this campaign will launch annually on April 7).

AnonGhost

Shortly after the AnonGhost announcement, other groups, such as AnonGhost Tunisie (sic) and the Norwegian Ghost Cyber Attackers, opened anti-Israel event pages on Facebook. In addition, several other groups, such as the pro-Palestinian Fallaga and Virus Noir Ps, were listed as participants for future cyber operations. The main targets are mostly government websites, but we assume that more targets, largely financial, will be advised soon.

OpIsrael