

By John Leyden, 20th April 2015 17:59

IT'S WAR: Hacktivists throw in their lot with spies and the military

Code develops into a major weapon

Feature Hacktivism has lost its innocence. Once characterised in the early days of Anonymous back in 2008 by assaults against the Church of Scientology, it has now become part and parcel of far darker plans, such as the spread of terrorist propaganda by Islamic militants.

Meanwhile, over in the Ukraine, cyber militias of patriot hackers thought to have shadowy connections with Russia's intel agencies and military are blitzing websites affiliated to Kiev and the west or slinging malware.

The methods that hacktivists use to target organisations – including defacing websites, DNS hijacking, DDoS attacks, account hijacks and the stealing and leaking of confidential information – haven't changed that much over the last seven years.

The participants are still predominantly young males, so the demographic hasn't shifted that much either. What has changed, according to many but not all observations, is the motivations of attackers and the structure of the organisations to which they are affiliated.

What's changed is not so much hacktivism itself as the roll-out of an expanded battleground for activism, all tied to conflicts in the real world. The internet has become another forum of society into which real-world war spills over.

In isolated cases – most particularly in the Ukraine – security watchers are noticing the appearance of "black operations" (black ops) campaigns launched through the internet, with cyber-militias seemingly using military doctrines of plausible deniability.

It's all a very long way from donning Guy Fawkes' masks and picketing Scientology offices or using the LOIC [Low Orbit Ion Cannon] tool to flood Visa's website with junk traffic to protest its decision to pull Wikileaks' merchant status.

Elsewhere, groups such as ISIS have taken to social media to spread their message and recruit supporters. In response, social media sites such as Twitter have been taking actions to delete accounts used to promote terrorism. Some security pros have even gone as far as describing "cyber-terrorism as the new normal".

That may be somewhat exaggerated but what's clear is that we've moved on from mayhem, mischief, 4Chan-related shenanigans and casual acts of vandalism towards hacktivism as an adjunct of information warfare.

The party's over. And we've woken up not just with a hangover, but with what's arguably an increasingly militarised internet on multiple fronts.

Guerre Monde-iale

French TV network TV5Monde was taken off air after an attack by pro-Islamic State hackers earlier this month. The hack was the most far-reaching of its type, but Islamic hackers have been busy for months in hijacking social media accounts and defacing websites in order to spread their uncompromising message.

Previous targets have included French newspaper Le Monde in January, as well as US and UK media outlets. Many of the hacks are thought to have been pulled off using a combination of social engineering and spear phishing.

The TV5Monde attack was something of a propaganda coup for Islamic State (AKA ISIS or ISIL), but there is disagreement about the group's cyber-capabilities. Islamic State has created a special division, known as the Cyber Caliphate. The unit claimed a high profile hijack against the Twitter feed of the US Central Command prior to the TV5Monde hack. It has also carried out various other attacks in France, Russia and elsewhere.

Over recent months, many websites have been hacked and defaced with the ISIS flag, with all manner of random targets falling under the boot of the Cyber Caliphate. The majority of the hacked sites appear to be built on the WordPress content management platform.

ISIS supporters have little interest in using highly sophisticated cyber-attacks to get their message out – they just want to make enough noise to get the attention of those who might be receptive to their terrorist cause.

ISIS: Great at Photoshop, rubbish at hacking

These attacks have generated plenty of headlines, but security experts are split on how capable Islamic hacktivists are and how much a danger – beyond damage to the reputations of hacked organisations – they might pose.

Frank Engelsman, an international crime and terrorism analyst, is dismissive of the "poor technical skills" of ISIS, al-Shabaab and Boko Haram. None bear comparison with nation-state spies and intel agencies, he argues.

"All three organisations do not have the right skills in-house to conduct a well-coordinated and successful cyber-attack like the North Koreans and Chinese can," Engelsman writes. "Neither is it their focus. Their enemies are not a high-tech society which can be affected by a cyber-attack."

The TV5Monde hack and others like it were pulled off by online sympathisers of the Middle Eastern terrorist group, rather than ISIS itself, he adds.

"Sympathisers and internet hooligans do have some script kiddie skills to deface web pages and gain media attention to proclaim their message. Except for excellent Photoshop skills, ISIS has NO serious technical IT skills," Engelsman suggests.

"ISIS never targeted US and European sources through cyber-attacks, except for the script kiddie level of defacing web sites. We do not expect them nor Boko Haram or al-Shabaab to execute real cyber-attacks," he concludes.

The analyst puts Al-Qaeda's technical capabilities on a far higher level than younger Salafist Jihadi groups.

"Being a long-term strategic organisation, Al-Qaeda does have serious internet/IT coding, encryption, cloaking, hacking and security skills available. Some of their top-level messengers (used to) work for the big IT companies, the military and banking industries," he writes. "The capabilities of the terror organisations ISIS, al Shabaab and Boko Haram are over-rated when it comes to cyber-attacks and capabilities, and are extremely under-rated when it comes to their ability to disrupt a region."

Eastern front

Other infosec experts, such as Moscow-based security consultancy Group-IB, credit ISIS with greater capabilities and threat levels. Hackers from Islamic State attacked 600 Russian net resources last year, according to a recent Group-IB report.

Group-IB reckons three criminal groups participated in ISIS activities, namely Team System Dz, FallaGa Team and Global Islamic Caliphate. "There are more than 40 people in these groups, and since Autumn 2014 they have been participating in attacks on Russian resources," according to Group-IB. "Their main methods are mass breach of sites or targeted attacks on popular internet resources", with defacements later publicised through Twitter and other social media outlets.

Several banks, construction companies, plants, governmental organisations and even lyceums and scientific centres became victims of these attacks. Victims included the North Urals Local History Museum, and Mitischy city portal.

"Russian internet security services and Russian companies shouldn't undervalue ISIL (ISIS) capabilities, as their attacks are [not the result] of any logic and are aimed to the maximum social resonance," said Ilya Sachkov, chief exec of Group-IB, in a statement.

Opportunity knocks

Russian and English-language cyber-crime forums and malware trading platforms may become a point of interest for ISIS hackers, who may in future expand their ambitions towards launching more damaging attacks.

"Considering the growth of the number of members in ISIL cyber divisions, their training and fanaticism, there's a risk of transition from the comparably easy attacks by ISIL hackers to more complicated ones, including critical infrastructure and industrial systems threats," Sachkov warned.

Group-IB's assessment is not shared by the majority of security firms, most of which are inclined to downplay the current capabilities and future threat of ISIS.

Guillaume Lovet, senior threat response manager at Fortinet, commented: "There is no evidence at all that ISIS has started to build or will ever build an operational cyber-terrorism unit with consequent financial and material back-up. The evidence so far only points at isolated, loosely affiliated cells, with little or no back-up."

Dahema Gordon, an intelligence analyst at security intelligence firm Centient, which specialises in monitoring the so-called dark net, argues that Salafist Jihadi hackers don't need to be elite in order to further their objectives.

"It is relatively true to suggest that the cyber capabilities of groups such as ISIS, Boko Haram, Al-Qaeda and al-Shabaab are poor," Gordon comments. "However, it might not be the groups’ intent to take down cyber networks, banking systems etc. They are probably very well aware that they lack the skills to do so. Instead, they are only trying to instil fear in companies/governments and sometimes that is enough to set off panic within the affected industry or country. That in itself might be ‘job done’ for the hackers."

Big Data

Other experts caution that it would be unwise to focus only on ISIS-affiliated and other Salafist jihadis.

Crime analytics firm Wynyard Group said that a new generation of terrorist groups is utilising social networks as a command-and-control platform to propagandise, recruit and radicalise followers from around the world.

"Understanding who poses a risk and who is at risk in the new world of terror is a key real-world challenge facing under-resourced governments, intelligence and law enforcement agencies," a spokeswoman for the firm explained. "To quickly find persons of interest from large volumes of data from numerous sources – including existing evidence and open source data from websites, news feeds, chat rooms, blogs and social media – is not easy."

Cyber-attack statistics put together by website Hackmageddon suggest that hacktivism remains flat, but cyber-crime continues to rise. "The issue is that hacktivism, by its very nature, is loud and visible to all," according to TK Keanini, CTO at security analytics firm Lancope. "The rest of the threat categories are quiet and sometimes silent in their activities, so it may not appear to be a large percentage."

Yuval Ben-Itzhak, CTO at anti-virus firm AVG Technologies, said that conflicts in the wider Middle East have had a cyber dimension for years.

"This form of cyber terrorism – which represents an often ‘hidden’ side to politically motivated conflict – is neither new nor unique," Ben-Itzhak explains. "For years we’ve witnessed a close correlation between tensions in the Middle East and the number of cyber-attacks detected in conflict zones. Political conflicts between Turkey, Syria, Lebanon, Israel, Egypt and Palestine have also regularly triggered waves of cyber-attacks, such as website defacements and Denial of Service attacks (DDoS)."

For example, back in 2011 the Harvard website was hacked by Syrian protesters, while the year before that Turks hacked Israeli Facebook accounts over the Gaza blockade incident.

Ben-Itzhak concludes: "The focus on cyber-terrorism today is less about the threat landscape changing, but more about our increased attention on it. ISIS’s high-profile status means we are acutely aware of their online actions through the media, particularly when targets include household names like TV5Monde."

State-sponsored hackers

The phenomenon of state-sponsored hackers, which arguably started in China in the late 90s with so-called red hacker groups such as the Honker Union, is spreading across the world.

Nationalistic hacker groups are now operating in countries around the world, including Syria and Ukraine. In some cases, these groups operate alongside official military and intelligence agencies, while in others they square off against local governments.

Joseph Gallop, head of the activism practice at iSIGHT Partners, who is presenting on the topic at next week's RSA Conference, argues that hacktivism has developed a more crystallised purpose as a component of geo-political conflicts.

Hacktivists now align with warring factions, rallying to either support nations or those forces opposing them. Gallop offers a comparison of hacktivism in Syria and the Ukraine.

"Syria pioneered the public adoption of hacktivism for government interests," Gallop explains. "While there is some confusion as to whether the hacktivist group 'Syrian Electronic Army' (SEA) existed and was active before being sponsored by the state, there is no question that some level of support has been given by the state, and the SEA has openly admitted to cooperating with officials in the Assad regime."

"This openness is one of the main differentiators between hacktivism serving Syrian government interests and hacktivism serving Russian government interests in the Ukraine conflict. The primary pro-Russian hacktivist group, CyberBerkut, is almost certainly supported by Russian authorities, but labels itself as a Ukrainian resistance group," he adds.

Broadly speaking, hacktivists in Syria operate overtly, making little secret of their allegiances, while those in Ukraine are more covert, especially when it comes to acknowledging links with governments.

"This difference in openness illuminates the tipping points and drivers for each of these nations to sponsor hacktivist activity," Gallop tells El Reg.

"Simplistically put, the Syrian regime is driven by the recognition that it is in an existential dilemma, and therefore the regime has no aversion to seeking the most direct route toward survival. On the other hand, the Russian authorities are driven by a much more nuanced desire for resource dominance and hegemony, resulting in efforts which subvert foreign governments and influence public opinion in surrounding nations, while maintaining plausible deniability."

Gallop says that elements of the military in Iran and North Korea are more than capable of mounting CyberBerkut-style operations, particularly in support of strategic objectives – or for North Korea, a perceived slight to national honour.

Both Iran and North Korea reportedly maintain squads of sock-puppet trolls to spread their message, as El Reg has previously reported.

Anon and on

iSIGHT Partners defines hacktivism as cyber-threat activity that is motivated by ideology or rationale (whether religious, social or political) and has the objective of either directly altering the actions or opinions of an audience, or of enacting justice.

"Hacktivism as threat source is often mistakenly confined to Anonymous-affiliated hackers, or to grass-roots groups that hold to conventional anti-security and anti-establishment ideologies," Gallop explains.

"Although the Anonymous movement during 2010-2012 was a watershed for both the concept of hacktivism in general, and for certain hacktivist methodologies in particular, the security industry must recognise hacktivism’s evolution in the years since the dispersal of the Anonymous collective’s figurehead faction: LulzSec/Antisec."

The antics of the likes of LulzSec may even have encouraged nation states to adopt similar tactics to either stifle dissent or manufacture consent, according to Gallop.

"Hacktivist objectives naturally engender a desire for publicity and unsophisticated hacktivists seek publicity without caring who the audience is," Gallop says. "However, when sophisticated hacktivists have identified a particular audience that is entrenched or influential, this natural desire for publicity leads to a willingness to conduct attacks that are highly impactful and even destructive."

He continues: "The sophisticated LulzSec/AntiSec faction, strengthened in influence by sheer numbers in the broader Anonymous collective, demonstrated to the world how impactful hacktivist activity could be. In the two years that followed AntiSec’s disbandment in March 2012, iSIGHT Partners continually advised that national governments would not ignore the potential of co-opting hacktivist methods to achieve their own political and ideological objectives."

Gallop's observation adds to the more long-standing criticism from white hat hackers that the antics of the likes of LulzSec – particularly attacks against government agencies and law enforcement – might be used by government as a pretext to push for harsher penalties and repressive anti-hacker laws, such as the USA's Computer Misuse Act.

Icing ISIS

Despite the focus in the news on hacktivist groups such as ISIS and pro-Russia hackers in Ukraine, Anonymous hasn't gone away. The loose-knit hacktivist collective continues to execute one-off campaigns, some of which directly confront online Jihadis, such as OpISIS.

More than 25,000 Twitter accounts have been terminated, 233 websites attacked and 85 websites "destroyed" as part of its ongoing campaign, according to Anonymous.

Other groups, such as pro-Assad hackers of the infamous Syrian Electronic Army, are also active in Middle Eastern theatres of conflict.

For example, FireEye recently detailed the activities of a cyber-espionage group that stole the strategies and battle plans of the Syrian opposition. To pull off the operation, the hacking group ensnared its victims through conversations with seemingly sympathetic and attractive women. As the conversations progressed, the "women" would offer up a personal photo, laden with malware designed to compromise the target's computer or Android phone.

The ongoing conflict in eastern Ukraine also features a side show of hacking and malware distribution.

Ukrainian prime minister Arseny Yatsenyuk accused Russian intelligence rather than hacktivists of being behind a recent attack on German government sites in January. Hacktivists from CyberBerkut blockaded the websites of the Bundestag and Chancellor Merkel's office, demanding Berlin end support for the Ukrainian government.

CyberBerkut has also been blamed for attacks on NATO websites and US private military companies, but its main target has been Ukrainian government agencies and Kiev politicians.

Several anti-virus firms have noted an upswing in malware activity in the region.

The life of crimeware

A criminal group called Quedagh has been attacking Ukrainian government organisations using the BlackEnergy trojan, according to a report from Finnish security firm F-Secure. BlackEnergy – which started out as a general-purpose cybercrime tool – was reapplied for APT-style cyber-espionage attacks, starting in Georgia in 2008, before more recently moving over to Ukraine, the Finnish firm explains.

BlackEnergy is a popular crimeware (that is, malware designed to automate criminal activities) that is sold in the Russian cyber underground and dates back to as early as 2007. Originally, it was designed as a toolkit for creating botnets for use in conducting Distributed Denial of Service (DDoS) attacks.

Over time, the malware has evolved to support different plug-ins, which are used to extend its capabilities to provide necessary functions, depending on the purpose of an attack.

Given the nature of its toolkit, BlackEnergy has unsurprisingly been used by different gangs for different purposes; some use it for sending spam, others for stealing banking credentials.

The most notorious use may be when it was used to conduct cyber-attacks against Georgia during the Russo-Georgian confrontation in 2008.

In the summer of 2014, BlackEnergy caught our attention when we noticed that samples of it were now tailored to target Ukrainian government institutions. Though it may be unrelated, it is interesting to note that this change conveniently coincides with the ongoing crisis in that country.

Related or not, one thing is certain: the actor(s) using these customised BlackEnergy malware are intent on stealing information from the targets. The use of this crimeware in what constitutes an advanced persistent threat (APT) attack is interesting.

In 'black operations' (black ops), an important criterion is that the attack should not be attributable – and what provides better plausible deniability than crimeware known to be used by multiple parties?

Separately, security software firm ESET warned last September that BlackEnergy had claimed a large number of victims in Ukraine and Poland, including state organisations and businesses.

My enemy's enemy

The introduction of malware-slinging tactics further muddles an already confusing threat landscape, particularly in Iraq and Syria, where some groups are thought to do business with ideological opponents in cases where it suits their short-term interests.

The same thinking in this respect operates in cyberspace as much as it does on the ground, according to some observers.

Centient's Gordon comments: "Hackers have no loyalty. They will co-operate/collaborate with each other whenever it suits them or to achieve a common end."

"Conflicts between groups can be a complicated matter and could be triggered by different factors, including politics or religion," Gordon explains.

"An Islamic hacker group might target another Islamic group such as the SEA and vice versa, because the countries they represent might have different political leanings and might support policies that negatively affect the other’s country."

"This has been evidenced with the SEA targeting hackers from Turkey, because they believe that the Turkish government is supporting the conflict in Syria by providing money, weapons and training to rebels fighting against the Assad regime. The Turkish groups will retaliate, as they believe it is their duty to protect their country."

Experts are split on whether or not recent conflicts have led to the militarisation of the internet. Some argue it's always been that way.

Adam Kujawa, head of malware intelligence at security software firm Malwarebytes – and a veteran of a number of United States federal and defence agencies – argues that the militarisation of the internet has been happening for years. The ongoing conflict in Ukraine is an example of real-world events spilling over into cyber-space:

“If you define the militarisation of the internet as the ability to conduct warfare over the medium, then this is something that has been happening for a very long time. The use of Russian hackers in conflicts in Georgia and the Ukraine is a perfect example of this kind of militarisation, as the actions of a nation and the actions of a single group align."

Russia has armed average users – not specialised super hackers – with simple tools, before telling them which direction to point them in, according to Kujawa.

Plus ça change

Andrew Conway, a research analyst at message security firm Cloudmark, argues that despite changes in motivation, the demographics of activists remain unchanged.

"The average hacktivist is a young male (few females are involved) in North America, Western Europe or the Middle East. The hacktivist will target those that they see as doing wrong or something immoral and will aim to expose or embarrass the perpetrator. The motives are therefore personal politics and/or ethics."

Target organisations include governments, law enforcement, big businesses and the media.

"Hacktivists often work in groups where mutual reinforcement will convince them that they are righteous in their actions," Conway explains. "However, Hacktivists are not in for the long run and will refocus their attention to the next hack quickly. There are different forms of hacktivism. Some whistle blowers are hacktivists who take action to lift the lid on what they consider to be unjust, targeting employers, the military, or secret government initiatives."

In at least one case, an old-school hacktivist graduated to the ranks of fully-fledged Islamic terrorist, following a spell in prison.

The Daily Mail reports that a member of hacktivist group TeaMp0isoN, Junaid Hussain, skipped bail before resurfacing in Syria as a disciple of ISIS.

Hussain was jailed in youth detention for six months in 2012, after he was convicted of breaking into an email account linked to former UK prime minister Tony Blair, among other attacks. Hussain (AKA "TriCK") also pleaded guilty to flooding the UK's national anti-terrorism hotline with more than 100 automated calls in a denial-of-service attack.

Field of battle

Dr Martin Wright, academic director at the Global Institute of Cyber Intelligence & Security (GICIS), argues that extremist groups are treating cyber-space as a "field of battle" like any other. He warned that such groups are far more ruthless than earlier terrorist groups.

“With the pro-ISIS attack on TV5Monde, one thing is absolutely clear; by targeting a French media outlet, ISIS was certain to generate a significant amount of publicity," Wright explains. "Aside from the obvious need for everyone to review their cyber-security systems and practices, the publication of the identities of relatives of French military personnel clearly demonstrates the breadth of what ISIS considers ‘legitimate targets’."

"This is a new battleground. While other terrorist organisations such as the Provisional IRA would only target the military and police and not their relatives, etc., the actions of ISIS in inviting attacks on family members has again demonstrated their brutality. By doing so, the Islamic State is seeking to not only terrorise, and thereby undermine the morale of the French military, but also signal that the security services will need to do far more to protect their own."

"It is safe to conclude that ISIS is presuming France will find the cost and effort of combatting such issues so onerous, it will change its foreign policy," he concluded.

Wright raises the possibility that terrorists may form loose alliances of interest with cyber-criminals and others.

"Terrorist groups now work collaboratively and pool resources not only amongst themselves but also with other actors, such as cyber-criminal networks and perhaps semi-governmental organisations who are opposed to the West," he adds.

Propaganda war

Much of this has been a medium-term concern in infosec circles for some time. Mikko Hyppönen, chief research officer at F-Secure, gave a presentation at RSA 2012 discussing terrorist use of the internet, and video of the talk is available online.

The talk mentions jihadi use of malware and a case of money laundering using stolen credit cards and online poker games, but it mostly focuses on terrorist use of the internet to spread propaganda, with Al-Qaeda in the Arabian Peninsula's Inspire magazine cited as an example.

While some say the internet has always been a militarised environment where governments and others have played out their agendas, one thing that has changed is that the tools for creating havoc are more readily available than ever.

Commercial enterprises can find themselves under attack as they become pawns in international disputes. Enterprises also stand at risk of becoming collateral damage of indiscriminate attempts to disrupt the assets of opposing groups and beliefs.

In the face of such threats, corporates would be well-advised to batten down the hatches, in particular taking the trouble to secure social media accounts.

Edward Parsons, senior manager at KPMG's cyber-security practice, commented: "Companies need to protect themselves from similar incidents by treating corporate social media accounts with the same governance and protection as you would apply to any corporate account. They must also ensure that internet-facing services are patched regularly to remediate vulnerabilities that could be exploited in an attack. Furthermore, there needs to be a tried and tested response mechanism in place." ®
