#OpClosedMedia: Hacktivists Threaten to Target the Media Sector on September 22, 2016

Hacktivists are threatening to launch #OpClosedMedia, a month-long cyber campaign against websites and platforms of “mainstream media,” on September 22, 2016, for failing to inform the public about the real news.

The campaign’s official target list includes the websites of the BBC, The Daily Mail, The Independent, Reuters, Channel One (Russia) and others.

opclosedmedia
#OpClosedMedia – September 22, 2016

Thus far, participants have claimed responsibility for hacking several websites related to the media sector from around the world, but they also claimed to have hacked other websites with a loose connection to this sector.

Calls to launch attacks against media outlets on September 22, 2016
Calls to launch attacks against media outlets on September 22, 2016

This is not the first time that the media sector has been targeted by hacktivists. In June 2016, the Ghost Squad Hackers group launched the #OpSilence campaign against prominent news agencies, such as Fox News and CNN, protesting against what they called the “silence and lies” regarding the Palestinian situation. However, it seems that the Ghost Squad Hackers are not involved in this campaign.

In conclusion, popular news platforms and the media sector in general are targeted by hacktivists who wish to shut them down. Only time will tell if they will succeed or not.

#OpIsrael 2016 – Summary

This year, #OpIsrael hacktivists focused on defacing private websites, carrying out DDoS attacks and leaking databases. Hundreds of private Israeli websites were defaced, mostly by Fallaga and AnonGhost members. Various databases containing Israeli email addresses and credit cards were leaked, but the majority were recycled from previous campaigns.

The hacktivists attacks commenced on April 5, 2016, two days before the campaign was launched, with a massive DDoS attack against an Israeli company that provides cloud services. The fact that no one took responsibility for the attack, alongside the massive DDoS power invested, may indicate that threat actors with advanced technical abilities were responsible.

On April 7, 2016, approximately 2,650 Facebook users expressed their desire to participate in the campaign via anti-Israel Facebook event pages. There are several possible reasons for the low number of participants (compared for example to the 5,200 participants in #OpIsrael 2015). One reason might be disappointment in last year’s lack of significant achievements. Another reason could be the devotion of attention to other topics, such as the cyber campaign against the Islamic State (IS), in the wake of the recent terrorist attacks in Brussels. Moreover, it is possible that anti-Israel hacktivists have abandoned social media networks for other platforms, such as IRC and Telegram.

1
Number of participants in the #OpIsrael campaign since 2014

During the campaign, we detected many indications of the use of common DDoS tools, such as HOIC, and simple DDoS web platforms that do not require any prior technical knowledge in order to operate them. Most of the DDoS attacks were directed against Israeli government and financial websites. Hacktivists claimed they managed to take down two Israeli bank websites. While this could be true, the websites were up and operational again within a short time. In addition, there were no indications of the use of RATs or ransomware against Israeli targets.

2
Using common DDoS tools against an Israeli website

As mentioned previously, most of the leaked databases were recycled from previous campaigns. However, we noticed that almost all of the new leaked databases were stolen from the same source – an Israeli company that develop websites. Notably, during the 2014 #OpIsrael campaign, this company website appeared on a list of hacked websites.

There was no immediate claim of responsibility for the leakage of these databases, which raises many questions, since anti-Israel hacktivists typically publish their achievements on social media networks to promote the success of the campaign. Moreover, almost all of these databases were first leaked in the Darknet, but anti-Israel hacktivists do not use this platform at all. In addition, all of the data leakages were allegedly leaked by a hacker dubbed #IndoGhost, but there are no indications to suggest that this entity was involved in the #OpIsrael campaign or any other anti-Israel activity.

Finally, we detected several attempts to organize another anti-Israel campaign for May 7, 2016. As an example, we identified a post calling to hack Israeli government websites on this date. We estimate that these attempts will not succeed in organizing another anti-Israel cyber campaign.

Intelligence Review of #OpIsrael Cyber Campaign (April 7, 2015)

Starting at the end of last week, hacktivist groups from around the Muslim world tried to attack Israeli websites, particularly those of government institutions, as part of the #OpIsrael cyber campaign. In the past twenty-four hours they stepped up their activity, but we have seen no signs of major attacks. Despite all the publicity prior to the campaign, the hackers’ successes were limited to defacing several hundred private websites and leaking the email addresses of tens of thousands of Israelis, many of them recycled from previous campaigns. Several dozen credit card numbers were also leaked on information-sharing websites, but our examination shows that some were recycled from past leaks.

AnonGhost, which initiated the campaign, was the main actor behind it. However, other groups of hackers, such as Fallaga, MECA (Middle East Cyber Army), Anon.Official.org, and Indonesian and Algerian groups also participated in the attacks. As the campaign progressed, we saw an increasing number of posts and tweets about it (over 3,000), but this is still significantly less than last year, when there were tens of thousands.

As we noted in previous updates, the campaign was conducted primarily on social networks, especially Facebook and Twitter. IRC channels opened for the campaign were barely active, partly because hackers feared spying by “intelligence agents.” On closed forums and Darknet platforms, we saw no activity related to #OpIsrael.

Participants discuss why the campaign is smaller than in 2013
Participants discuss why the campaign is smaller than in 2013

Following is a summary of the main results of the attacks that we have identified so far:

  • Defacing of hundreds of websites. Victims included Meretz (an Israeli political party), various Israeli companies, sub-domains of institutions of higher education, municipalities, Israeli artists, and more.
  • Leaking of tens of thousands of email addresses and personal information of Israelis. A significant portion of the information was recycled from previous campaigns. Databases from third-party websites were also leaked. In addition, two files were leaked and according to the hackers, one had 30,000 email addresses and the other 150,000 records.
  • Publication of details from dozens of credit cards, some of them recycled.

How Hackers Use Social Media Networks to Put Your Organization at Risk

SenseCy’s teams monitor underground and password-protected forums and communities in many languages – Russian, Arabic, Persian, Chinese, Portuguese, English, and more. By gaining access to the Deep Web and Darknet, we identify suspicious activity and new hacker tools and enable our clients to mitigate or eliminate cyber threats.

Hacker communities on social networks continue to evolve. More and more communities are creating Twitter accounts as well as pages and groups in popular social networks such as Facebook and VKontakte (a Russian social network) to share information, tools, and experience.

In the past, hackers came together on social networks to hold operational discussions, share targets, and join forces for DDoS attacks, but less to upload or download hacking tools. Since this is changing, we are now monitoring hacking tools offered for download on Twitter, Facebook, and VKontakte.

Source code published on Twitter
Source code published on Twitter

These hacker communities can be classified into three main categories:

  1. Open public groups and accounts that make common, well-known tools available.

    Open Facebook group of well-known Arab hackers
    Open Facebook group of well-known Arab hackers
  2. Closed, secret groups sharing rare or sector-related tools or programs in a specific language.

    Secret Facebook group from Southeast Asia
    Secret Facebook group from Southeast Asia
  3. Groups sharing or even selling self-developed tools.
    Facebook post in closed Asian hacker group
    Facebook post in closed Asian hacker group

    A prominent example is the self-developed DDoS tool created by hacker group AnonGhost for the #OpIsrael cyber campaign, which is expected to take place on April 7, 2015. This tool uses three flooding methods, TCP, UDP, and HTTP and can operate through a proxy if needed. AnonGhost posted its new tool on its official Facebook page with a link to a tutorial on YouTube, and soon it was widely distributed among hacktivists through social media.

    From AnonGhost's official Facebook Page
    From AnonGhost’s official Facebook Page

    We regularly monitor trends and developments in social networks, since they are becoming the preferred platform for groups of hackers to share and improve attack tools. SenseCy also takes part in these communities, which gives us the edge in preventing attacks in real time. We continue to track new trends and developments to detect cyber threats for our clients.

Cyber in Chinatown – Asian Hacktivists Act against Government Corruption

Social networks are well-known tools used by activists to mobilize the masses. As witnessed during the Arab Spring and in recent incidents in Hong Kong, government opposition groups can organize dissatisfied citizens by means of a massive campaign. More closed countries, such as North Korea or China try to limit access by their citizens to international social networks such as Twitter or Facebook. We have noticed an increasing tendency toward anti-government campaigns in Asian countries and the cyber arena plays an important role in this process. We have identified this kind of activity in China, Malaysia, Taiwan, Japan and North Korea. Local cyber hacktivist groups are calling for people to unite against infringements on freedom by violating privacy rights. Hacktivists are organizing anti-government groups and events on popular social media platforms and are posting tutorials on how to circumvent the blocking of certain websites and forums in countries where such Internet activity is forbidden. Furthermore, the groups are posting provocative materials and anti-government appeals in local Asian languages, alongside to English. Thus, we can see an attempt to recruit support from non-state activists for a national struggle.

Anonymous Japan and Anonymous North Korea Facebook Posts
Anonymous Japan and Anonymous North Korea Facebook Posts

These groups are eager to reach a large number of supporters, and not only for political and psychological purposes. Together with publishing tutorials for “safe browsing” in the Internet for large masses of people the groups translate popular cyber tools for mass attacks and they disseminate instructional manuals translated into local languages on how to use these tools.

Popular DDoS Tool in Japanese
Popular DDoS Tool in Japanese

One example of exactly such an organization is Anonymous Japan – an anti-government hacking group. The group develops and uses DDoS tools and is also involved in spam activity. Furthermore, members of the group develop their own tools and publish them on Facebook for wider audiences.

#OpJapan Attack Program
#OpJapan Attack Program

Amongst the large-scale campaigns launched by this organization, you can find #OpLeakageJp – an operation tracking radiation pollution in Japan.

TweetStorm post against the Nuclear Regulatory Commission in Japan
TweetStorm post against the Nuclear Regulatory Commission in Japan

In addition to internal struggles, hacktivist groups are operating against targets in the area. One such example is operations by hacktivism groups personifying themselves with North Korean insignia and targeting sources in South Korea. Examples of such cyber campaigns are #Opsouthkoreatarget and #OpNorthKorea.

#OpJapan Attack Program
#OpJapan Attack Program

In China, we found an example of the #OpChinaCW campaign. A cyber campaign hosted by Anonymous was launched on November 2, 2014 against Chinese government servers and websites. The campaign was organized on a Facebook event page and was further spread on Twitter.

#OpChinaCW Twitter Post
#OpChinaCW Twitter Post

Hacktivists have also published cyber tools for this campaign. See below an example of a DDoS tool sold on Facebook for only US$10.

DDoS Tool for Sale
DDoS Tool for Sale

As previously mentioned, cyber activity in the Asia region is directed not only against enemy states, but also against the “internal enemy” – the government. Hacktivism groups not only organize such campaigns on underground platforms, but they also make wide use of open popular social networks to recruit supporters. Moreover, they also develop their own cyber tools.

AnonGhost Targets Universities around the World

During November 2014, the popular hacker group AnonGhost attempted to deface academic websites from around the world.

Background

AnonGhost was established by a famous hacker dubbed Mauritania Attacker. The group has launched many wide-scale cyber campaigns against the U.S., Israel and other countries around the world. The group’s most popular repeat campaign is #OpIsrael, which was relaunched on April 7, 2014 (one year after its inaugural launch), targeting Israeli cyber-space.

Their most recent ongoing campaign is #OpGov, where group members attempt to hack government websites in different countries. In the following image, you can see an example of the group’s intention to hack Jamaican government websites:

#OpGov

The group has also leaked information from databases, such as emails, passwords and personal details.

Targeting Academic Websites

Recently, we noticed that AnonGhost is focusing on academic websites in the U.S., such as Washington University, Olin College of Engineering and Utah State University. On its official Facebook and Twitter accounts, the group announced that they had successfully defaced these American academic websites. In the following images, you can see the group’s post and their tweet regarding Washington University websites:

Post and Tweet

In the following image, you can see the group’s post on Facebook listing its achievements in hacking government and academic websites:

Post

Defaced Websites as Tools for Future Attacks

It should be noted that cyber researchers have recently warned about new methods used by hacktivist groups to attack users who visit defaced websites, using a malicious link that leads to a Dokta Chef Exploit Kit hosting website. The Dokta Chef EK takes advantage of a recently disclosed vulnerability that allows remote code execution related to the Internet Explorer browser. In the following image, you can see a defaced website with the malicious link (lulz.htm):a Defaced Website

Related Posts


#OpIsraelReborn Campaign launched by AnonGhost September 5, 2014 by CyInfo

#OpSaveGaza – by the Tunisian AnonGhost  July 13, 2014 by Yotam Gutman

Recycled Fuel? OpPetrol Campaign by AnonGhost leaked a large amount of credit cards details June 18, 2014 by Yotam Gutman

 

The Rebirth of #OpIsraelReborn

#OpIsraelReborn 2014

Since 2001, the date 9/11 has held symbolic meaning for all terror groups and Islamist hacktivists. Every year, come September, many countries raise their alert status, fearing that a terror attack might be executed on this date to amplify its resonance and attach more significance to it. Ergo, it came of little surprise that this date was chosen in 2013 for the #OpUSA campaign that mainly targeted the websites of different American governmental and financial institutions. To further leverage the momentum, a second campaign, #OpIsraelReborn, was launched by AnonGhost concurrently with #OpUSA. However, the 2013 #OpIsraelReborn campaign failed to produce the desired results, and perhaps for this reason, this year the group has decided to have another go at it.

1111

On August 21, 2014, AnonGhost tweeted “Next operation is #OpIsrael Reborn. On 11 September, be ready Israel – you will taste something sweet as usual”. While we do not expect them to hand out vanilla-flavored ice-cream to random Israelis on the street, we also do not believe this campaign poses an exceptionally grim threat. Nevertheless, the AnonGhost group, together with many other hackers, are undoubtedly highly motivated to launch cyberattacks against Israeli targets, especially after the recent Protective Edge campaign, and they should therefore be afforded appropriate attention.

Based on last year’s experience, we expect that the main attack vectors will include DDoS attacks, defacements and SQL injections, and the prime victims of these attacks will be the websites of small businesses that maintain a low level of security.

9/11 is drawing closer and we will soon find out what cake AnonGhost has baked for us this time.        

2222

#OpSaveGaza Campaign – Insights from the Recent Anti-Israel Cyber Operation

The #OpSaveGaza Campaign was officially launched on July 11, 2014, as a counter-reaction to operation “Protective Edge”. This is the third military operation against Hamas since the end of December 2008, when Israel waged operation “Cast Lead”, followed by operation “Pillar of Defense” in November 2012.

These military operations were accompanied by cyber campaigns emanating from pro-Palestinian hacker groups around the world. #OpSaveGaza was not the only recent cyber campaign against Israel, but it is the most organized, diverse and focused. During this campaign, hacker groups from Malaysia and Indonesia in the East to Tunisia and Morocco in the West have been participating in cyber attacks against Israel.

The Use of Social Networks

Hacktivist groups recruit large masses for their operations by means of social networks. Muslim hacker groups use mostly Facebook and Twitter to upload target lists, incite others to take part in cyberattacks and share attack tools.

The #OpSaveGaza campaign was planned and organized using these two social media platforms. The organizers of the campaign succeeded in recruiting tens of thousands of supporters to their anti-Israel ideology.

OpSaveGaza - Facebook Event

Attack Vectors

When examining the types of attacks perpetrated against Israeli cyber space, it appears that this campaign has been the most diverse in terms of attack vectors. It not only includes simple DDoS, defacement and data leakage attacks, but also phishing (even spear-phishing based on leaked databases), SMS spoofing and satellite hijacking (part of the Hamas psychological warfare), in addition to high-volume/high-frequency DDoS attacks.

Hackers targeting Israeli ISPs
Hackers targeting Israeli ISPs

Furthermore, these attacks have been much more focused as the attackers attempt to deface and knock offline governmental websites, defense contractors, banks and energy companies. Simultaneously, a large number of small and private websites were defaced (over 2,500) and several databases were leaked online.

Pro-Palestinian hackers defacing Israeli websites
Pro-Palestinian hackers defacing Israeli websites

Motivation and the Involvement of other Threat Actors

The motivation for waging cyberattacks against Israel during a military operation is clear. This is not the first time that a physical conflict has had implications on the cyber sphere. However, we believe that other factors are contributing to the cyber campaign. In July 2014, the Muslim world observed the month of Ramadan, a holy month in Muslim tradition. There are two significant dates in this month – “Laylat al-Qadr” (the Night of Destiny), the night the first verses of the Quran were revealed to the Prophet Muhammad; and “Quds Day” (Jerusalem Day), an annual event held on the last Friday of Ramadan and mentioned specifically by Iran and Hezbollah. We identified an increase in the number of attacks, as well as their quality, surrounding these dates.

Last year, several days before “Quds Day” a hacker group named Qods Freedom, suspected to be Iranian, launched a massive cyber operation against Israeli websites. In other words, we believe that not only hacktivist elements participated in this campaign but also cyber terrorism units and perhaps even state-sponsored groups from the Middle East.

The Islamic Cyber Resistance (ICR) leaking an internal database
The Islamic Cyber Resistance (ICR) leaking an internal database

To summarize, this campaign was far better organized than the recent cyber operations we experienced in 2009 and 2012 alongside physical conflicts with Hamas. We have seen changes in several aspects:

  • Improvement in attack tools and technical capabilities
  • Information-sharing between the groups (targets, attack tools, tutorials)
  • The involvement of hacker groups from Indonesia in the East and Morocco in the West.
  • Possible involvement of cyber terrorism groups
  • Well-managed psychological warfare and media campaign by the participating groups

The scope and manner in which this campaign was conducted shows improved capabilities of the perpetrators, which is in-line with Assaf Keren’s assessment of the evolution of hacktivist capabilities.

#OpSriLanka

Over the last few days, several Muslim hacker groups have hacked government and financial websites in Sri Lanka in protest against the government’s attitude toward the violent clashes between Buddhists and Muslims.

As you can see in the graph below, there were hundreds of tweets over the weekend with the related hashtag #OpSriLanka.

Twitter Activity about #OpSriLanka
Twitter Activity about #OpSriLanka

For example, one Twitter account named Global Revolution called for the hacking of the Sri Lanka central bank website.

a Tweet about hacking SriLanka central bank
a Tweet about hacking SriLanka central bank

There is also a group page on Facebook named #OpSriLanka with 1,590 members. The main targets of the group are Sri Lankan government websites and official websites of the Buddhist population in Sri Lanka. The attack tools are mostly DDoS tools for computers and Android phones.

From the Facebook Group Page
From the Facebook Group Page

List of targets:

Tools:

Mirror of a defaced website:

Additionally, on June 22, 2014, a group of hackers nicknamed Izzah Hackers leaked Sri Lankan government emails and passwords via Pastebin.

Leaked Sri Lankan emails and password
Leaked Sri Lankan emails and passwords

Sri Lanka is not alone. Muslim hacker groups are responsible for previous cyber-attacks against Myanmar (Burma) and the Central African Republic (CAR), protesting the killing of Muslims on religious grounds.

 

Recycled Fuel? OpPetrol Campaign Rerun This June

Hacktivist collective Anonymous announced a cyber campaign called #OpPetrol, planned to be executed on June 20th, 2014. This is a re-run of a similar campaign with an identical name which was launched at the same exact date last year, aimed at the international oil and gas industry at various geographies. The most prominent group seems to be AnonGhost that recently defaced hundreds of websites and leaked a large amount of credit cards details.

Image

The campaign is likely to include a mix of DDoS, defacement and data dumps. The countries that are targeted are:

  • US
  • Canada
  • England
  • Israel
  • China
  • Italy
  • France
  • Russia
  • Germany

In addition, specific Oil and Gas companies in various locations, from the Gulf to Norway are on the target list. Last year’s campaign did not cause any substantial damage and we assume this re-run will achieve similar results.