Chapter 2. The Rise of the Nonstate Hacker

List of first goals for attacks is published on this site: http://www.stopgeorgia.ru/?pg=tar. DDoS attacks are being carried out against most of the sites/resources at the moment. All who can help—we enlist. Please leave your suggestions for that list in that topic.[1]

Administrator, StopGeorgia.ru forum post, August 9, 2008

The StopGeorgia.ru Project Forum

On August 8, 2008, the Russian Federation launched a military assault against Georgia. One day later, the StopGeorgia.ru Project forum was up and running with 30 members, eventually topping out at over 200 members by September 15, 2008.

Not only did it launch with a core group of experienced hackers, the forum also featured a list with 37 high-value targets, each one vetted by whether it could be accessed from Russian or Lithuanian IP addresses. This was done because the Georgian government began blocking Russian IPs the month prior when the President of Georgia’s website was knocked offline by a DDoS attack on July 21, 2008.

In addition to the target list, it provided members with downloadable DDoS kits, as well as advice on how to launch more sophisticated attacks, such as SQL injection.

StopGeorgia.ru was not the only forum engaged in organized nationalistic hacking, but it serves as a good example of how this recent extension of state warfare operates in cyberspace. In addition to this forum, an IRC channel was created on irc.dalnet.ru, called #stopgeorgia.

At StopGeorgia.ru, there was a distinct forum hierarchy wherein forum leaders provided the necessary tools, pinpointed application vulnerabilities, and provided general target lists for other less-knowledgeable forum members to act on.

Those forum members who pinpointed application-level vulnerabilities and published target lists seemed to have moderate/high technical skill sets, whereas those carrying out the actual attacks appeared to have low/medium technical sophistication.

Forum leaders analyzed the DoS tools and found them to be simple yet effective. Some forum members had difficulty using the tools, reinforcing that many of the forum members showed low/medium technical sophistication, but were able to carry out attacks with the aid of tools and pinpointed vulnerability analysis.

Counter-Surveillance Measures in Place

Forum administrators at both the well-known Russian hacker portal XAKEP.ru and StopGeorgia.ru were monitoring who visited their respective sites and kept an eye on what was being posted.

During one week of intensive collection activity at the XAKEP.ru forum, Project Grey Goose analysts experienced two incidents that demonstrated that operational security (OPSEC) measures were in effect.

Within hours after I discovered a post on XAKEP.ru that pointed to a password-protected StopGeorgia.ru forum named ARMY, that link was removed by the forum administrator.

After about a half-dozen Grey Goose analysts spent one week probing the XAKEP.ru forum for relevant posts, all US IP addresses were blocked from further forum access (a 403 error was returned). This lasted for about 10 days before the block was lifted.

The StopGeorgia.ru forum also had to fend off attacks from Georgian hackers who had temporarily taken down their forum and a “project site” from August 14 to 18, both of which were hosted on a US server owned by SoftLayer Technologies.

According to one conversation between two members of the StopGeorgia.ru forum (Alexander and CatcherMax), one Georgian hacker forum had over 10,000 members and blocked access to it from all Russian IP addresses. For that reason, members frequently discussed the use of various proxy servers, such as FreeCap.ru.

The Russian Information War

The following document helps paint a picture of how Russian military and political officials viewed the cyber component of the Russia-Georgia conflict of 2008.

Anatoly Tsyganok is a retired officer who’s now the director for the Center of Military Forecasting at the Moscow Institute of Political and Military Analysis. His essay “Informational Warfare—a Geopolitical Reality (http://en.fondsk.ru/article.php?id=1714)” was just published by the Strategic Culture Foundation. It’s an interesting look at how the July and August cyber war between Russia and Georgia was viewed by an influential Russian military expert. The full article discusses information warfare, but this portion focuses on the cyber exchange:

Georgia was also the first to launch an attack in cyberspace. When Tskhinvali was shelled on August 8, the majority of the South Ossetian sites were also knocked out. Later, Russian media including Russia Today also came under cyberspace attacks. The response followed shortly, as the sites of the Georgian President, parliament, government, and foreign ministry suffered malicious hacks. The site of Georgian President Saakashvili was simultaneously attacked from 500 IP addresses. When the initially used addresses were blocked, the attacks resumed from others. The purpose was to render the Georgian sites completely inoperable. D.D.O.S. attacks overload and effectively shut down Internet servers. The addresses from which the requests meant to overload sites were sent were blocked by specialists from Tulip Systems, but attacks from 500 new addresses began in just minutes. Cleaning up after a cyberspace attack took an average of 2 hours.

Part of what’s so interesting about this excerpt is Tsyganok’s choice of words. He clearly states that Georgia launched a cyber attack against Russia first. This presents the attack as a state action rather than a civilian one. He then carefully states the Russian response, i.e., “the response followed shortly.” Since the subject of this exchange is two states warring, “the response followed shortly” implies a state response rather than a spontaneous grassroots action of so-called hacktivists.

Tsyganok’s depiction of events manages to underscore the Russian government’s practice of distancing itself from the nationalistic hacker community, thus gaining deniability while passively supporting and enjoying the strategic benefits of their actions.

The Foundation for Effective Politics’ War on the Net (Day One)

Pravda.ru printed an article by Maksim Zharov of the Foundation for Effective Politics (FEP) entitled “Russia Versus Georgia: War on the Net—Day One” on August 9, 2008. Zharov is also one of the authors of the book Chronicles of Information Warfare and used to work for Nikita Ivanov, then deputy chief of the Administration for Interregional and Cultural Ties With Foreign Countries of the President’s Staff and supervisor of the pro-Kremlin youth movements (i.e., Nashi). (Zharov earlier published, through Yevropa, an instruction manual for bloggers who want to “fight the enemies of Russia” in the blogosphere.)

The Foundation for Effective Politics is a Kremlin-friendly organization created by Gleb Pavlovsky, one of the earliest adopters of the Russian Internet for state propaganda purposes. You can read more on Pavlovsky and the FEP in Chapter 11.

Zharov comments on the use of the Russian youth movements to wage warfare on the Net. This was repeated by the administrator of the StopGeorgia.ru forum in the following announcement to its membership on August 9, 2008, at 3:08 p.m.:

Let me remind you that on August 8, leaders of several Russian youth movements have signed the statement which calls for supporters to wage information war against the President of Georgia Michael Saakashvili on all Internet resources.

Zharov elaborates on this fact by referring to an event in the city of Krasnoyarsk where a joint statement by the leaders of Russian youth movements announced:

We declare information war on the Saakashvili regime. The Internet should oppose American-Georgian propaganda which is based on double standards.

He names Nashi as one such organization whose leaders have close ties with the Kremlin and whose members have been involved in these Internet wars, both in Estonia and Georgia.

Internet warfare, according to Zharov, was started by Georgian hackers attacking South Ossetian websites on August 7, one day before the Russian invasion.

The South Ossetian site http://cominf.org reported in the afternoon of August 7 that because of a DDoS attack, the Ossetian sites were often inaccessible for long periods. In order to relieve them, an additional site, tskhinval.ru, had to be set up. In addition, a fake site of the Osinform news agency, http://www.os-inform.com, created by Georgia, appeared.

Zharov’s personal preference for information about the Georgian war was LiveJournal, known in Russian as ZhZh (Zhivoy Zhurnal), particularly the georgia_war community. It contained, in Zharov’s words, “a fairly objective indicator of the state of affairs on the Internet front, in which the most diverse opinions are published.”

One of the more interesting things that Zharov wrote in “Russia Versus Georgia: War on the Net. Day Three,” published in Russian on Pravda.ru (Moscow) on August 11, 2008, was his conjecture about which nation had the capability to launch a DDoS attack of the size seen during the five-day war:

In general, many people are forming the impression that these attacks are certainly not the work of Georgian hackers.

And to be honest, I do not believe that the Russian military have a special service that swamped all of the Georgian websites even more quickly on the very day of the unexpected attacks by the Georgians.

However, in the United States, such sub-units of cyber troops were created many years ago (emphasis added).

So Zharov acknowledges the youth movements’ involvement in organizing an “information war” against Georgia, but he completely ignores their involvement in the cyber war, and he instead speculates that the only military force with the capability of “swamping all of Georgian websites” so quickly is that of the United States. This serves as another example of the Kremlin strategy of making the cyber war debate about military capabilities rather than about its use of Russian hackers and, of course, of painting the United States as the aggressor whenever possible.

The Gaza Cyber War between Israeli and Arabic Hackers during Operation Cast Lead

Attacking Israeli websites has been a popular way for Palestinians and their supporters to voice their protests and hurt their adversaries. Arab and Muslim hackers mobilized to attack Danish and Dutch websites in 2006 during the Prophet cartoon controversy. A small-scale “cyber war” also erupted between Shiite and Sunni Muslims in the fall of 2008, as predominantly Arab Sunni Muslims and Iranian Shiite Muslims worked to deface or disrupt websites associated with one another’s sects.

The latest example of this occurred when Israel began a military assault on Hamas’s infrastructure in Gaza on December 27, 2008, called Operation Cast Lead. After almost a month into the operation, Palestinian officials declared the death toll had topped 1,000, and media reports carried images of massive property destruction and civilian casualties. This provoked outrage in the Arab and Muslim communities, which manifested itself in a spike of anti-Semitic incidents around the world, calls for violent attacks on Jewish interests worldwide, and cyber attacks on Israeli websites.

The exact number of Israeli or other websites that have been disrupted by hackers is unknown, but the number is well into the thousands. According to one estimate, the number reached 10,000 by the first week of January 2009 alone. Most attacks are simple website defacements, whereby hackers infiltrate the site, leaving behind their own graffiti throughout the site or on the home page. The hackers’ graffiti usually contains messages of protest against the violence in Gaza, as well as information about the hackers, such as their handles and country of origin. The majority of cyber attacks launched in protest of Operation Cast Lead were website defacements. There is no data to indicate more sophisticated or dangerous kinds of cyber attacks, such as those that could cause physical harm or injury to people.

Impact

While media coverage focuses on the most high-profile hacks or defacements, this current cyber campaign is a “war of a thousand cuts,” with the cumulative impact on thousands of small businesses, vanity websites, and individual websites likely outweighing the impact of more publicized, larger exploits.

However, successfully compromising higher-profile websites not only brings more public attention, it also compels businesses all over Israel to preventively tighten security, which costs money. For that reason, the financial impact of infiltrating a few larger corporate websites may be as important as disrupting thousands of smaller sites.

High-profile attacks or defacements between December 27, 2008, and February 15, 2009, include:

Ynetnews.com

The English language portal of one of Israel’s largest newspapers. The Morocco-based “Team Evil” accessed a domain registrar called DomainTheNet in New York and redirected traffic from Ynetnews and other Israeli websites. Traffic was redirected to a site with a protest message in jumbled English. Ynetnews.com emphasized that its site had not actually been “hacked,” but that Team Evil obtained a password allowing them to access a server. The Team then changed the IP addresses for different domain names, sending users attempting to access Ynetnews.com to a domain containing their message.

The website of Discount Bank, one of the three largest banks in Israel, was also registered with DomainTheNet, and Team Evil switched its IP address just as they did with Ynetnews.

Israel’s Cargo Airlines Ltd.

An Israeli airline defaced by hackers.

Kadima.org.il

The website of Israel’s Kadima party was defaced twice during this period.

DZ Team, based in Algeria, was responsible for the first defacement, in which they adorned Kadima’s home page with photos of IDF soldiers’ funerals, accompanied by messages in Arabic and Hebrew promising that more Israelis would die.

The second defacement occurred on February 13, 2009, three days after close parliamentary elections in which Kadima and Likud both claimed victory; hackers targeted the Kadima site to take advantage of the expected spike in traffic. Gaza Hacker Team claimed responsibility for the second defacement.

Ehudbarak.org.il (This URL is no longer active.)

Israeli Defense Minister and Deputy Prime Minister Ehud Barak’s website was defaced by Iranian hackers who call themselves Ashianeh Security Team. The group left a message in English reading “ISRAEL, You killed more than 800 innocent civil people in gaza. Do you think that you won’t pay for this? Stop War. If you don’t we will continue hacking your important sites.”

http://www.102fm.co.il/

Hackers left images from Gaza, a graphic of burning US and Israeli flags, and a message calling for Israel to be destroyed on this Radio Tel Aviv website.

Israeli portals associated with the following multinational companies or product lines were also defaced: Skype, Mazda, McDonald’s, Burger King, Pepsi, Fujifilm, Volkswagen, Sprite, Gillette, Fanta, Daihatsu, and Kia.

Overview of Perpetrators

Judging from the graffiti left behind on defaced websites, the most active hackers are Moroccan, Algerian, Saudi Arabian, Turkish, and Palestinian, although they may be physically located in other countries. Applicure Technologies, Ltd., an Israeli information security company, claims that some of the hackers are affiliated with Iranian organizations, as well as the terrorist group Hezbollah. So far, however, neither the messages left behind on defaced sites nor conversations among hackers on their own websites explicitly indicates membership in Hezbollah or other Islamist groups. The hackers involved do not have any unifying body organizing their activities, although some of them congregate in certain specialized hacker forums.

Many active hackers during the current Gaza crisis are experienced. Some of them were involved in the Sunni-Shiite cyber conflict that intensified in the fall of 2008. Others have numerous apolitical hacks under their belts. Their participation in the current, politically motivated hacking of Israeli websites is a reflection of their personal political feelings and/or recognition of the increased attention that they can attract with Gaza-related hacks.

The majority of the graffiti left behind on Israeli websites contains images of the victims and destruction in Gaza and exhortations to Israel and/or the United States to stop the violence. The most common motivation of the hackers appears to be to draw attention to the plight of the Palestinians in the Gaza Strip and to register their protest against Israeli actions there. In the words of two hackers interviewed by a Turkish newspaper, “Our goal is to protest what is being done to the innocent people in Gaza and show our reaction. The reason we chose this method was our bid to make our voices louder.”

Motivations

The imagery and text left on defaced websites suggests the importance the hackers place on sending messages to Israeli or Western audiences through their attacks. The owner of a Palestinian graphic design company designed images for hackers to use in their defacements. A hacker forum even held a competition to see who could come up with the best designs to leave on Israeli websites, with monetary rewards for the winners.

Investigations into the hackers’ motivations have revealed the following:

Inflicting financial damage to Israeli businesses, government, and individuals

A message on the Arabic hackers’ site Soqor.net exhorted hackers to “Disrupt and destroy Zionist government and banking sites to cost the enemy not thousands but millions of dollars. ...”

Delivering threats of physical violence to an Israeli audience

One Moroccan hacker’s team posted symbols associated with violent Jihadist movements and an image of an explosion, along with a threatening message for Israelis.

Using cyber attacks as leverage to stop Operation Cast Lead

Many of the defacements contained messages indicating that attacks on Israeli sites and servers would stop only when Israel stopped its violence in Gaza.

Fulfilling the religious obligation of Jihad

Some hackers couched their activities in religious terms, insisting that cyber attacks were tantamount to fighting Jihad against Islam’s enemies. One hacker wrote, “Use [the hacking skills] God has given you as bullets in the face of the Jewish Zionists. We cannot fight them with our bodies, but we can fight them with our minds and hands. ... By God, this is Jihad.”

Achieving enhanced personal status among the community of hackers or improving one’s personal position in rivalries or competitions with other hackers

Two of the hackers’ websites held contests to encourage productive competition in hacking Israeli sites. Although there is much mutual encouragement and assistance on hackers’ websites, there are also signs of rivalry, with hackers defacing each other’s websites and leaving critical or taunting messages.

Hackers’ Profiles

The following are brief profiles of some of the hackers involved. They were identified by press reports or by the content of hacker websites as being the most active or high-profile hackers in the anti-Israel campaign.

Team Evil

Team Evil gained widespread notoriety for defacing thousands of websites in 2006 in protest of Israel’s military activities in the Gaza Strip and Lebanon. The group defaced more than 8,000 websites between June and November 2006. In addition to Israeli and Western sites, this tally also included websites associated with the governments of China, Saudi Arabia, and Indonesia. In all, Team Evil defaced 171 significant websites, according to records on zone-h (http://www.zone-h.org/), a website that serves as an archive of hacker exploits. The team often left anti-Israel or anti-Semitic messages on their defacements, regardless of the country of origin of the website.

Israel’s Ynetnews reported that Team Evil was responsible for the majority of damage to Israeli websites in the first half of 2006, including sites belonging to banks, hospitals, major companies, NGOs, and political parties. When Ynetnews contacted the group, its members told the paper that they were Moroccan hackers who “hack into sites as part of the resistance in the war with Israel.”

The group has resurfaced to take part in the current campaign against Israeli websites, but it is not as active as it was in 2006. Its greatest recent accomplishment was to reroute traffic from Ynetnews, Discount Bank, and other Israeli websites to a page with an anti-Israel message.

The Israeli IT security company Beyond Security released an extensive case study of Team Evil’s 2006 attacks. Its report concluded that Team Evil demonstrated a higher degree of technical skill than typically seen in similar groups. Given the skill and commitment it has previously demonstrated, it is unclear why Team Evil has not participated in the current campaign to a greater extent. It is possible the group is planning something for the future.

Cold Zero (aka Cold Z3ro or Roma Burner)

Cold Zero first gained notoriety for an attack on the Likud Party website in August 2008. He has since claimed responsibility for 5,000 website defacements, according to Gary Warner, an expert in computer forensics. He has a profile on the Arabic Mirror website, which lists 2,485 of these defacements. According to the Arabic Mirror site, 779 of these are related to the Gaza crisis.

Cold Zero is a member of Team Hell (discussed in the next section). Whereas most members of Team Hell are Saudi, Cold Zero is a Palestinian and is proficient in Hebrew. He runs a website at http://www.hackteach.net/.

Cold Zero is engaged in rivalries with other anti-Israeli hackers. He has hacked both al3sifa.com and soqor.net, leaving messages criticizing their administrators. His own website was also attacked by DNS Team, which we’ll discuss later.

According to a French-language news source published on January 9, 2009, Cold Zero was arrested by Israeli authorities. The news source identified him as a 17-year-old Israeli Arab and reported that he appeared on January 6 before the Federal Court of Haifa, where the Israeli Justice Department alleged that he attacked commercial and political sites, mentioning the Likud Party website hack, as well as an attack on the website of the Tel Aviv Maccabis basketball team. According to the same source, he worked with accomplices in Turkey, Lebanon, Saudi Arabia, and elsewhere. He was caught in a “honey pot” set up by authorities. Authorities also uncovered his identity from a database stolen from Turkish hackers.

The information from this news report has not yet been corroborated by other sources. The last hack for Cold Zero listed on the Arabic Mirror website was recorded on January 2, 2009, after a period of high activity, suggesting an abrupt interruption to his hacking campaign. Zone-h records hundreds of websites hacked by Cold Zero in late December, followed by a lull for one month. On January 29, 2009, Cold Zero returned with a defacement of rival hackers DNS Team’s website. Cold Zero has committed no Israeli or other website defacements after late December on zone-h, lending credibility to the report of his arrest.

Team Hell (aka Team H3ll or Team Heil)

The graffiti from many websites hacked by Cold Zero name him as a member of Team Hell. Team Hell self-identifies as a Saudi-based hackers group, usually consisting of Kaspersky, Jeddawi, Dr. Killer, BlackShell, RedHat, Ambt, and Cold Zero.

Team Hell’s politically oriented hacks include more than just Israeli sites. In April 2007, Team Hell hacked Al-Nusra, a Palestinian-focused Jihadist website. They left a message indicating they associated al-Nusra with religious deviancy. On websites they have defaced, Cold Zero and Team Hell have expressed support for the secular, nationalist Fatah party. This would explain why Team Hell would hack Al-Nusra, a Salafist-Jihadist website, even though it is also anti-Israel. The group has also defaced the website of the Syrian parliament.

Agd_Scorp/Peace Crew (aka Agd_Scorp/Terrorist Crew)

Agd Scorp/Peace Crew are Turkish hackers who defaced NATO and US military websites in response to Operation Cast Lead. On three subdomains of the US Army Military District of Washington website and on the NATO parliament site (http://www.nato-pa.int), the group posted a message reading: “Stop attacks u israel and usa! you cursed nations! one day muslims will clean the world from you!” The group also used an SQL injection attack to deface the website of the Joint Force Headquarters of the National Capital Region.

Previously, the group has hacked websites belonging to a number of high-profile organizations, including the United Nations, Harvard University, Microsoft, Royal Dutch Shell, and the National Basketball Association. They also attacked US military websites earlier in 2008.

Jurm Team

Jurm Team is a Moroccan group that has partnered with both Agd_Scorp and Team Evil. They have recently defaced the Israeli portals for major companies and products, including Kia, Sprite, Fanta, and Daihatsu. Their members call themselves Jurm, Sql_Master, CyberTerrorist, Dr. Noursoft, Dr. Win, J3ibi9a, Scriptpx //Fatna, and Bant Hmida.

C-H Team (aka H-C Team)

C-H Team consists of two hackers or hacker teams: Cmos_Clr and hard_hackerz. C-H Team targets Dutch and Israeli websites, leaving threatening messages in Hebrew on the latter. Both team members are Algerian. Besides defacing sites, Cmos_Clr claims to have used a variant of the Bifrost Trojan horse to break into Israeli computers, infiltrating 18 individual machines.

Hackers Pal

Hackers Pal is the administrator of the Hackers Hawks website and has claimed 285 defacements of Israeli websites. He is a supporter of the secular Fatah party.

Gaza Hacker Team

Gaza Hacker Team runs the website of the same name. It is responsible for defacing the Kadima party website on February 13, 2009. The team consists of six members: Lito, Le0n, Claw, Virus, Zero code, and Zero Killer.

DNS Team

DNS Team is an active Arab hackers team focused primarily on apolitical hacking. However, it occasionally carries out politically motivated attacks—targeting websites in Denmark and the Netherlands during the fall of 2008 in retaliation for the cartoon controversy—and it participated in recent anti-Israeli hacks. DNS Team maintains a hacking and security forum at http://www.v4-team.com/cc/.

!TeAm RaBaT-SaLe! (aka Team Rabat-Sale or Team Rabat-Sala)

Team Rabat-Sale (named after the two Moroccan cities of Rabat and Sale) is unique because it has participated in this campaign and garnered press coverage without actually targeting Israeli websites. Instead, the group targets a variety of websites (probably opportunistic hacks; the group seems to specialize in websites using Linux) and then leaves startling messages and Jihadist imagery. It may reason that if the whole Western world is against the citizens of Gaza, any English-language website is a conduit for their message. They have recorded 380 such defacements on the Arabic Mirror site and 196 on zone-h. Their members go by the aliases Mr. Tariklam, Mr. Sabirano, X-Diablo, Mr. Konan, and Virus T.

Team Rabat-Sale’s graffiti features the message, “For the Kids of Gaza...This Hack iS To DeFend Islam That Has Been Harrased by Denmark and USA and Israel.” The defacement includes an image of a sword piercing a skull with a Star of David on it, surrounded by skulls with the US, UK, and Danish flags superimposed on them.

On another Team Rabat-Sale defacement, a Jihadist anthem commonly used as the soundtrack to insurgent videos plays in the background. It also features a picture of Osama Bin Laden, as well as a Team Rabat-Sale group logo depicting a Kalashnikov and crossed swords against a globe, with a Salafist flag waving from the barrel of the weapon. It includes an image that may imply a threat against a tractor-trailer truck. The photograph of the masked man with a laptop and a handgun by his side suggests physical violence in addition to cyber mischief.

DZ Team

DZ Team consists of Algerian and Egyptian hackers who use the aliases AOxideA, Maxi32, Skins, The Legend, Cyb3r-Devil, and The Moorish. It first made headlines in April 2008 when it hacked the Bank of Israel website over Passover weekend. DZ Team defaced several Israeli websites during Operation Cast Lead, including the Israeli portals of Volkswagen, Burger King, and Pepsi, the website of Israeli defense contractor BVR systems, the Kadima party website, and the Hillel Yaffe hospital website. Videos of the group’s successful defacements were posted to YouTube.

In an interview following its hack of the Bank of Israel site, members of the group reached by the press claimed they were religiously motivated: “We do everything in the name of Allah,” said one of them. Although one member of DZ team expressed support for suicide bombers in the interview, another stressed that the group members were not terrorists themselves. According to the interview, one member of the team specializes in creating Trojan horses, and another, a Hebrew-speaking Egyptian, specializes in locating security breaches.

Ashianeh Security Group

The Iranian Fars News Agency reported that the Ashianeh Security Group hacked 400 Israeli websites, including the websites of the Mossad and Israeli Defense Minister Ehud Barak. The group does not seem to participate in online hacker forums. It is possibly state-supported.

Nimr al-Iraq (“The Tiger of Iraq”) and XX_Hacker_XX

Nimr al-Iraq provides advice and links to download tools on hacker forums, especially the soqor.net forum. He is credited with updating the al-Durrah distributed denial of service tool for use during Operation Cast Lead (see the next section). He also provided links to download a remote access tool (RAT) program called hackattack, which permits hackers to gain remote control of another person’s computer. According to his profile on soqor.net, Nimr al-Iraq is a 22-year-old Iraqi named Mohammed Sattar al-Shamari and is listed as a former moderator on that site.

XX_Hacker_XX is a moderator on soqor.net, and like Nimr al-Iraq, he provides advice and links to download tools, such as RAT programs. He is the moderator of the “hacking programs” section of the soqor.net website. His profile describes him as an 18-year-old from Kuwait.

Methods of Attack

Analysis of discussions on Arabic hacker forums and general pro-Jihad forums indicates that anti-Israeli hackers would like to carry out serious cyber attacks against Israeli targets. However, they do not have a demonstrated capability to carry out such attacks, and their actions have been limited to small- to mid-scale denial of service attacks and mass website defacement attacks. They may also have attempted to compromise individual computers via Trojans, particularly the Bifrost Trojan, a variant of which was developed by members of the 3asfh hacker forum. Additionally, they talk of the desire to use viruses against Israeli computers, although the kinds of viruses under discussion are relatively old and many computers would already have been updated with protections against them.

Distributed denial of service (DDoS) capability

Muslim hackers are using both indigenously developed and borrowed DDoS tools and making them available for download on hacker forums. One tool, named after Mohammed al-Durra, a Palestinian child allegedly shot and killed by Israeli soldiers in 2000, was first developed in 2006. An updated version has been provided by Nimr al-Iraq for use in the current conflict.

With the al-Durra program, a user voluntarily downloads the program and then checks to see which target websites are on Arabic hacker forums. He then plugs in the target and the program will repeatedly send requests to it. When a sufficient number of people utilize the al-Durra program against a site, they can overwhelm it and bring it down. Other DDoS tools developed by hackers outside this community, such as hack tek, are also being used.

Such tools do not require sophisticated technical skills or training. That makes them well suited to a political dispute such as the Gaza crisis, where a very large global community is willing to assist in cyber attacks against Israel but is not necessarily skilled enough for more sophisticated attacks.
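From the defender's side, the pattern described above (many volunteers each running a simple tool that repeats requests against one target) leaves a recognizable trace in web server logs. The following detection sketch is an added example, not code from the book or from any of the tools it names; the log lines are constructed, and the window size and thresholds are assumed values a site would tune to its own baseline.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: source IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def build_sample_log(volunteers=20, hits_each=6, normal_users=3):
    """Constructed access log (not real traffic): each 'volunteer' host
    repeats GET / a few times inside one 10-second window, while a few
    normal users browse different pages at the same time."""
    base = datetime(2009, 1, 10, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for v in range(volunteers):
        for i in range(hits_each):
            ts = base + timedelta(seconds=(i * volunteers + v) % 10)
            lines.append(f'198.51.100.{v + 1} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] '
                         f'"GET / HTTP/1.1" 200 512')
    for u in range(normal_users):
        ts = base + timedelta(seconds=u * 3)
        lines.append(f'203.0.113.{u + 1} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] '
                     f'"GET /news/{u} HTTP/1.1" 200 2048')
    return lines


def detect_floods(lines, window=10, min_requests=60, min_sources=10, path_share=0.8):
    """Bucket requests into fixed windows and flag windows whose volume exceeds
    min_requests. A flood is 'distributed' when many distinct sources concentrate
    on one path (the volunteer-tool signature) and 'single-source' otherwise.
    Thresholds are assumed values; tune them to the site's normal traffic."""
    buckets = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, stamp, _method, path, _status = m.groups()
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        buckets[int(ts.timestamp()) // window].append((ip, path))
    alerts = []
    for key in sorted(buckets):
        reqs = buckets[key]
        if len(reqs) < min_requests:
            continue
        sources = {ip for ip, _ in reqs}
        path, hits = Counter(p for _, p in reqs).most_common(1)[0]
        distributed = len(sources) >= min_sources and hits / len(reqs) >= path_share
        alerts.append({"window_start": key * window, "requests": len(reqs),
                       "sources": len(sources), "path": path,
                       "kind": "distributed" if distributed else "single-source"})
    return alerts
```

Distinguishing the two kinds matters for response: a single-source flood can be rate-limited or blocked per IP, whereas a distributed one of this type is better handled upstream or by caching the hammered path.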

Website defacements

The hackers download vulnerability scanners from hacker forums to find websites with exploitable vulnerabilities. On the Arabic hacker forums, they have discussed using a few different methods, including SQL injection, cross-site scripting (XSS), and other web server software vulnerabilities.

In most cases, they are reusing previously released exploit code to attack known vulnerabilities that the scanners identify. This is somewhat more difficult than the denial of service attacks, but it is still not considered sophisticated within the larger spectrum of hacking activities. The vulnerabilities being exploited by these hackers have already been identified, and patches and updates have been released to fix them. The only websites that are still susceptible are those whose administrators have been lax in updating their software and downloading patches. There is no evidence that this community is locating “zero day” vulnerabilities—that is, those that have not yet been discovered—at this time.

Viruses and Trojans

Hacker forums reveal a desire to use viruses against Israeli targets, but there is no evidence of success thus far. A couple of hackers have boasted of successfully using Trojans and RATs to gain wide access to individual Israeli computers. This could give them the ability to capture passwords and other important data, facilitating financial crime and harassment. However, there is not yet much evidence that they have been successful with these tools.

Israeli Retaliation

Israel and its supporters have also participated in this cyber conflict in a couple of ways. The Israeli government is behind an effort to recruit supporters who speak languages other than Hebrew—mostly new immigrants—to flood blogs with pro-Israel opinions. The Israel Defense Forces has hacked a television station belonging to Hamas. Supporters of Israel have also been hacking pro-Palestinian Facebook groups, using fake login pages and phishing emails to collect the login details of group members.

According to the administrators of Gaza Hacker Team, pro-Israel activists are also pressuring hosting companies to cut off service to hacker websites. After the Gaza Hacker Team defaced the Kadima party website, they reported that their US-based hosting company denied them service after being subjected to “Jewish” pressure.

Perhaps the most creative tactic employed by Israel’s supporters is the development of a voluntary botnet. Developed by a group of Israeli hacktivists known as Help Israel Win, the distributed denial of service tool called Patriot is designed to attack anti-Israel websites.

Once installed and executed, Patriot opens a connection to a server hosted by Defenderhosting.com. It runs in the background of a PC and does not have a configurable user interface that would allow the user to control which sites to attack. Rather, the server at Defenderhosting.com likely updates the client with the IP addresses to target.

Help Israel Win describes itself as “a group of students who are tired of sitting around doing nothing while the citizens of Sderot and the cities around the Gaza Strip are suffering.” Their stated goal is to create “a project that unites the computer capabilities of many people around the world. Our goal is to use this power in order to disrupt our enemy’s efforts to destroy the state of Israel.” The Help Israel Win website is registered to Ron Shalit of Haifa, Israel.

Control the Voice of the Opposition by Controlling the Content in Cyberspace: Nigeria

Cyber wars are not always fought between states or between nonstate actors; sometimes they are fought between a government and its political opponents. This is precisely the case in Nigeria, where the Information Minister Dora Akunyili, with the support of Nigeria’s President Umaru Yar’adua, has launched a $5 million campaign to support and create government-friendly websites. The objective, according to a June 16, 2009, news report filed by Saharareporters, is “to do everything to ensure that websites like yours (saharareporters.com) and others are stopped from taking root in Nigeria.”

Additionally, the plan calls for paying forum administrators to create discussion threads about topics created by Akunyili that will serve to cast the administration in the most favorable light.

A third plank of the plan accelerates the arrest and detention of opposition bloggers at airports or other entry points into Nigeria. Civil actions against negative posters could include the filing of a libel lawsuit against them by the government.

Are Nonstate Hackers a Protected Asset?

It would seem so. Instances of prosecution of Russian or Chinese hackers involved in foreign website attacks are so few as to be statistically insignificant. A news article written by Xinhua News Agency writers Zhou Zhou and Yuan Ye entitled “Experts: Web Security a pressing challenge in China” for China View (August 8, 2009) describes the pervasive security challenges faced by China’s online population, which numbers almost 340 million. The only illegal acts prosecuted by the PRC are online attacks causing financial harm to China; for example, two men from Yanbian County in Jilin Province were recently arrested and prosecuted for breaking into online banking systems and stealing 2.36 million yuan ($345,269 US). All other types of attacks, according to Li Xiaodong, deputy director of the China Internet Network Information Center (CNNIC), fall into a “grey area.”

Similarly, in the Russian Federation, the police are interested only in arresting hackers for financial crimes against Russian companies. Hacking attacks cloaked in nationalism are not only left unprosecuted by Russian authorities but are actively encouraged through their proxies: the Russian youth associations and the Foundation for Effective Policy.



[1] Translated from the original forum post, which was written in Russian (Список первоочередных целей для атак опубликован на сайте: http://www.stopgeorgia.ru/?pg=tar По многим ресурсам в данный момент ведутся DDoS-атаки. Все кто может помочь - отписываем. Свои предложения по данному списку просьба оставлять в этом топике.).
