#OpSriLanka

Over the last few days, several Muslim hacker groups have hacked government and financial websites in Sri Lanka in protest against the government’s attitude toward the violent clashes between Buddhists and Muslims.

As you can see in the graph below, there were hundreds of tweets over the weekend with the related hashtag #OpSriLanka.

Twitter Activity about #OpSriLanka
Twitter Activity about #OpSriLanka

For example, one Twitter account named Global Revolution called for the hacking of the Sri Lanka central bank website.

a Tweet about hacking SriLanka central bank
a Tweet about hacking SriLanka central bank

There is also a group page on Facebook named #OpSriLanka with 1,590 members. The main targets of the group are Sri Lankan government websites and official websites of the Buddhist population in Sri Lanka. The attack tools are mostly DDoS tools for computers and Android phones.

From the Facebook Group Page
From the Facebook Group Page

List of targets:

Tools:

Mirror of a defaced website:

Additionally, on June 22, 2014, a group of hackers nicknamed Izzah Hackers leaked Sri Lankan government emails and passwords via Pastebin.

Leaked Sri Lankan emails and password
Leaked Sri Lankan emails and passwords

Sri Lanka is not alone. Muslim hacker groups are responsible for previous cyber-attacks against Myanmar (Burma) and the Central African Republic (CAR), protesting the killing of Muslims on religious grounds.

 

Evolution of Hacktivist Campaigns

In the next week we are going to see a major hacktivist operation, aimed against Israel, called #OpIsraelBirthday which is supposed to start on the 7th of April. The operation is dubbed “birthday“ since it comes to commemorate the last OpIsrael that took place on the same date last year. In recent weeks, there was a lot of internal debate in SenseCy about what has changed from then to now and what can we expect to see in the coming operation. I think that the results of this debate might be interesting to you as well:

–          DDoS Attacks – DDoS attacks are nothing new, but recently, attackers have started utilizing a new-old approach in the form of reflection attacks. If a year ago the height of the attack topped at 30Gb/sec attacks, it’s more than plausible to assume that we’re going to see one order of magnitude higher than that. This might be ok for a large sized country but for Israel this might cause problems in the ISP infrastructure itself and not just create a denial of service to the target site.

–          Self-Developed Code – If up until now, most of what we have seen coming from the anti-Israel hacktivism groups was reuse of anonymous code, with maybe slight improvements in the UI interface, lately we have started to identify unique/ original code developed by the groups themselves, albeit some of it is dependent on existing code and available libraries but this might be an indicator for things to come.

 AnonGhost DDoSer

AnonGhostDDoSer – Developed by AnonGh0st for OpIsraelBirthday

 

–          Dumps vs. Defacements – It seems that the general objective now is less the defacement of sites and more the ability to create harm and panic through the publication of stolen data dumps. We see more and more details regarding allegedly hacked sites (some of them important) with the promise that the databases will be published on the 7th of April. This is probably the first time these hacktivist groups are trying to achieve a more widespread impact that is, at least in spirit, similar to the terror effect.

–          Shells and RATs – It seems that SQL injections and cross site scripting is shifting from being the end result to being the means in which the hacktivist groups place web shells on their targets or infect the targets with RATs and other malware. It might, in effect, suggest a more coherent effort to cause more sophisticated damages to their targets.

All in all, it seems that the motivation for the attack remains similar, but the magnitude and scope of the upcoming operation seems to be larger and more dangerous than the last one (in terms of tools available and number of participants). However, companies and organizations that are aware of the threat can, in turn, take actions to handle and mitigate these attacks.

Online Jihadists Express Interest in Cyber Warfare and Cyber Security

In March 2013, a hacker group called the “Tunisian Cyber Army” (TCA) claimed that they, in coordination with the al-Qaeda Electronic Army (AQEA), (or AQECA – al-Qaeda Electronic Cyber Army), have hacked several U.S. government websites.

The attackers stated that they were assisted by “Chinese hackers.” In addition, the groups claimed that these attacks were in preparation for #OpBlackSummer, a cyber campaign designed to target U.S. websites between May and September 2013.

OpBlackSummer

Regardless of the authenticity of these attacks, we clearly see the increased motivation of AQ-affiliated cyber units to wage attacks against Western targets. We would not be at all surprised to see sophisticated AQ attacks in the near future. We can assume that they are developing cyber attack tools, or even worse – purchasing advanced tools from the underground black market.

In September 2013, the Global Islamic Media Front (GIMF) – a propaganda organization associated with AQ – posted an encryption program for mobile phones on jihadi forums. The program is called Tashfeer al-Jawwal, or Mobile Encryption, and the GIMF described it as the “first Islamic encryption software for mobiles.”

The release was prefaced by an introduction from renowned jihadi ideologue Abu Sa’ad al-A’mili, who promised that the program would be a qualitative move for secure communications between jihadists and a surprising shock to the enemy. It should be mentioned that the GIMF provided a description of the program on their website, as well as tutorials in Arabic, English, Indonesian and Urdu.

Tashfeer al-Jawwal -  encryption program for mobile phones
Tashfeer al-Jawwal – encryption program for mobile phones

In December 2013, the exclusively online AQ propaganda distributor, the al-Fajr Media Center, published a new encryption program called Amn al-Mujahid (“Security of the Mujahid”) on jihadi forums, accompanied by a 28-page instructional manual. Al-Fajr said that AQ’s Technical Committee sought to develop an encryption program equipped with the latest technology that would enable the user  to use advanced encryption standards.

Although these developments are merely versions of available programs, the steady introduction of programs such as these reveals jihadi interest in cyber security and cyber warfare.

April 7, 2014 – Hacker Groups Plan a Cyber Operation against Israel

Written by Hila Marudi

In recent weeks, our Cyber Intelligence team has identified Muslim hacktivist group intentions to launch a cyber operation against Israel on April 7, 2014 – one year after the last April 7 campaign that attempted to shut-down Israeli cyber space.

AnonGhost Team was the first to announce on December 23, 2013 that it would launch cyberattacks against Israel on April 5-7, 2014. The group, that initiated the previous April 7 campaign, also published a video entitled “#OpIsrael Birthday” (likely intended as a warning that this campaign will launch annually on April 7).

AnonGhost

Shortly after the AnonGhost announcement, other groups, such as AnonGhost Tunisie (sic.) and the Norwegian Ghost Cyber Attackers opened event-pages on anti-Israel Facebook. In addition, several other groups, such as the pro-Palestinian Fallaga and Virus Noir Ps, were listed as participants for future cyber operations. The main targets are mostly government websites, but we assume that more targets, largely financial, will be advised soon.

OpIsrael