Inside Cyber Warfare Part 2

The Way Forward.

If I were asked what I hoped to accomplish with this collection of facts, opinions, and a.s.sessments about cyber warfare and its various permutations, my answer would be to expand the limited thinking of senior leaders.h.i.+p and policymakers surrounding the subject and to instigate a broader and deeper conversation in the public sphere. This book will probably feel more like a collection of essays or an anthology by different authors than a cohesive story with a clean development arc. In part, that's because of the nature of the beast. When it comes to how attacks orchestrated by a myriad of parties across globally connected networks are impacting national security for the United States and other nation-states, we're all like blind men describing an elephant. The big picture sort of eludes us. My hope for this book is that it will inform and engage the reader; inform through the recounting of incidents and actors stretching across multiple nations over a period of 12 years up to almost the present day (Thanksgiving 2011) and engage by firing the reader's enthusiasm to get involved in the debate on every level-local, state, and national. If it raises almost as many questions as my contributors and I have attempted to answer, I'll feel like the book accomplished its mission.

Chapter 2. The Rise of the Nonstate Hacker..

List of first goals for attacks is published on this site: http://www.stopgeorgia.ru/?pg=tar. DDoS attacks are being carried for most of the sites/resources at the moment. All who can help-we enlist. Please leave your suggestions for that list in that topic.[1]

-Administrator, StopGeorgia.ru forum post, August 9, 2008.

The StopGeorgia.ru Project Forum.

On August 8, 2008, the Russian Federation launched a military a.s.sault against Georgia. One day later, the StopGeorgia.ru Project forum was up and running with 30 members, eventually topping out at over 200 members by September 15, 2008.

Not only did it launch with a core group of experienced hackers, the forum also featured a list with 37 high-value targets, each one vetted by whether it could be accessed from Russian or Lithuanian IP addresses. This was done because the Georgian government began blocking Russian IPs the month prior when the President of Georgia's website was knocked offline by a DDoS attack on July 21, 2008.

In addition to the target list, it provided members with downloadable DDoS kits, as well as advice on how to launch more sophisticated attacks, such as SQL injection.

StopGeorgia.ru was not the only forum engaged in organized nationalistic hacking, but it serves as a good example of how this recent extension of state warfare operates in cybers.p.a.ce. In addition to this forum, an IRC channel was created on irc.dalnet.ru, called #stopgeorgia.

At StopGeorgia.ru, there was a distinct forum hierarchy wherein forum leaders provided the necessary tools, pinpointed application vulnerabilities, and provided general target lists for other less-knowledgeable forum members to act on.

Those forum members who pinpointed application-level vulnerabilities and published target lists seemed to have moderate/high technical skill sets, whereas those carrying out the actual attacks appeared to have low/medium technical sophistication.

Forum leaders a.n.a.lyzed the DoS tools and found them to be simple yet effective. Some forum members had difficulty using the tools, reinforcing that many of the forum members showed low/medium technical sophistication, but were able to carry out attacks with the aid of tools and pinpointed vulnerability a.n.a.lysis.

Counter-Surveillance Measures in Place.

Forum administrators at both the well-known Russian hacker portal XAKEP.ru and StopGeorgia.ru were monitoring who visited their respective sites and kept an eye on what was being posted.

During one week of intensive collection activity at the XAKEP.ru forum, Project Grey Goose a.n.a.lysts experienced two incidents that demonstrated that operational security (OPSEC) measures were in effect.

Within hours after I discovered a post on XAKEP.ru that pointed to a pa.s.sword-protected StopGeorgia.ru forum named ARMY, that link was removed by the forum administrator.

After about a half-dozen Grey Goose a.n.a.lysts spent one week probing the XAKEP.ru forum for relevant posts, all US IP addresses were blocked from further forum access (a 403 error was returned). This lasted for about 10 days before the block was lifted.

The StopGeorgia.ru forum also had to fend off attacks from Georgian hackers who had temporarily taken down their forum and a "project site" from August 14 to 18, both of which were hosted on a US server owned by SoftLayer Technologies.

According to one conversation between two members of the StopGeorgia.ru forum (Alexander and CatcherMax), one Georgian hacker forum had over 10,000 members and blocked access to it from all Russian IP addresses. For that reason, members frequently discussed the use of various proxy servers, such as FreeCap.ru.*[1] Translated from the original forum post, which was written in Russian (Cnuco nepooepeHbIX ee ama onyuoaH Ha came: http://www.stopgeorgia.ru/?pg=tar o MHouM pecypcaM aHHb MoMeHm eymc DDoS- amau. Bce mo Moem noMo - omnucbaeM. Cou npeoeHu no aHHoMy cnucy npoca ocmam moM monue.).

The Russian Information War.

The following doc.u.ment helps paint a picture of how Russian military and political officials viewed the cyber component of the Russia-Georgia conflict of 2008.

Anatoly Tsyganok is a retired officer who's now the director for the Center of Military Forecasting at the Moscow Inst.i.tute of Political and Military a.n.a.lysis. His essay "Informational Warfare-a Geopolitical Reality (http://en.fondsk.ru/article.php?id=1714)" was just published by the Strategic Culture Foundation. It's an interesting look at how the July and August cyber war between Russia and Georgia was viewed by an influential Russian military expert. The full article discusses information warfare, but this portion focuses on the cyber exchange: Georgia was also the first to launch an attack in cybers.p.a.ce. When Tskhinvali was sh.e.l.led on August 8 the majority of the South Ossetian sites were also knocked out. Later Russian media including Russia Today also came under cybers.p.a.ce attacks. The response followed shortly as the sites of the Georgian President, parliament, government, and foreign ministry suffered malicious hacks. The site of Georgian President Saakashvili was simultaneously attacked from 500 IP-addresses. When the initially used addresses were blocked, the attacks resumed from others. The purpose was to render the Georgia sites completely inoperable. D.D.O.S. attacks overload and effectively shut down Internet servers. The addresses from which the requests meant to overload sites were sent were blocked by specialists from the Tulip Systems, but attacks from new 500 addresses began in just minutes. Cleaning up after a cybers.p.a.ce attack took an average of 2 hours.

Part of what's so interesting about this excerpt is Tsyganok's choice of words. He clearly states that Georgia launched a cyber attack against Russia first. This presents the attack as a state action rather than a civilian one. He then carefully states the Russian response, i.e., "the response followed shortly." Since the subject of this exchange is two states warring, "the response followed shortly" implies a state response rather than a spontaneous gra.s.sroots action of so-called hacktivists.

Tsyganok's depiction of events manages to underscore the Russian government's practice of distancing itself from the nationalistic hacker community, thus gaining deniability while pa.s.sively supporting and enjoying the strategic benefits of their actions.

The Foundation for Effective Politics' War on the Net (Day One).

Pravada.ru printed an article by Maksim Zharov of the Foundation for Effective Politics (FEP) ent.i.tled "Russia Versus Georgia: War on the Net-Day One" on August 9, 2008. Zharov is also one of the authors of the book Chronicles of Information Warfare and used to work for Nikita Ivanov, then deputy chief of the Administration for Interregional and Cultural Ties With Foreign Countries of the President's Staff and supervisor of the pro-Kremlin youth movements (i.e., Nas.h.i.+). (Zharov earlier published (through Yevropa) an instruction manual for bloggers who want to "fight the enemies of Russia" in the blogosphere.) The Foundation for Effective Politics is a Kremlin-friendly organization created by Gleb Pavlovsky, one of the earliest adopters of the Russian Internet for state propaganda purposes. You can read more on Pavlovsky and the FEP in Chapter 11.

Zharov comments on the use of the Russian youth movements to wage warfare on the Net. This was repeated by the administrator of the StopGeorgia.ru forum in the following announcement to its members.h.i.+p on August 9, 2008, at 3:08 p.m.: Let me remind you that on August 8, leaders of several Russian youth movements have signed the statement which calls for supporters to wage information war against the President of Georgia Michael Saakashvili on all Internet resources.

Zharov elaborates on this fact by referring to an event in the city of Krasnoyarsk where a joint statement by the leaders of Russian youth movements announced: We declare information war on the Saakashvili regime. The Internet should oppose American-Georgian propaganda which is based on double standards.

He names Nas.h.i.+ as one such organization whose leaders have close ties with the Kremlin and whose members have been involved in these Internet wars, both in Estonia and Georgia.

Internet warfare, according to Zharov, was started by Georgian hackers attacking South Ossettian websites on August 7, one day before the Russian invasion.

The South Ossetian site http://cominf.org reported in the afternoon of August 7 that because of a DDoS attack, the Ossetian sites were often inaccessible for long periods. In order to relieve them, an additional site, tskhinval.ru, had to be set up. In addition, a fake site of the Osinform news agency, http://www.os-inform.com, created by Georgia, appeared.

Zharov's personal preference for information about the Georgian war was LiveJournal, known in Russian as ZhZh (Zhivoy Zhurnal), particularly the georgia_war community. It contained, in Zharov's words, "a fairly objective indicator of the state of affairs on the Internet front, in which the most diverse opinions are published."

One of the more interesting things that Zharov wrote in "Russia Versus Georgia: War on the Net. Day Three," published in Moscow Pravda.ru in Russian August 11, 2008, was his conjecture about which nation had the capability to launch a DDoS attack of the size seen during the five-day war: In general, many people are forming the impression that these attacks are certainly not the work of Georgian hackers.

And to be honest, I do not believe that the Russian military have a special service that swamped all of the Georgian websites even more quickly on the very day of the unexpected attacks by the Georgians.

However, in the United States, such sub-units of cyber troops were created many years ago (emphasis added).

So Zharov acknowledges their involvement in organizing an "information war" against Georgia, but he completely ignores their involvement in the cyber war, and he instead speculates that the only military force that has the capability of "swamping all of Georgian websites" so quickly is that of the United States. This serves as another example of the Kremlin strategy of making the cyber war debate about military capabilities rather than their use of Russian hackers and, of course, to paint the United States as the aggressor whenever possible.

The Gaza Cyber War between Israeli and Arabic Hackers during Operation Cast Lead.

Attacking Israeli websites has been a popular way for Palestinians and their supporters to voice their protests and hurt their adversaries. Arab and Muslim hackers mobilized to attack Danish and Dutch websites in 2006 during the Prophet cartoon controversy. A small-scale "cyber war" also erupted between s.h.i.+te and Sunni Muslims in the fall of 2008, as predominantly Arab Sunni Muslims and Iranian s.h.i.+te Muslims worked to deface or disrupt websites a.s.sociated with one another's sects.

The latest example of this occurred when Israel began a military a.s.sault on Hamas's infrastructure in Gaza on December 27, 2008, called Operation Cast Lead. After almost a month into the operation, Palestinian officials declared the death toll had topped 1,000, and media reports carried images of ma.s.sive property destruction and civilian casualties. This provoked outrage in the Arab and Muslim communities, which manifested itself in a spike of anti-Semitic incidents around the world, calls for violent attacks on Jewish interests worldwide, and cyber attacks on Israeli websites.

The exact number of Israeli or other websites that have been disrupted by hackers is unknown, but the number is well into the thousands. According to one estimate, the number reached 10,000 by the first week of January 2009 alone. Most attacks are simple website defacements, whereby hackers infiltrate the site, leaving behind their own graffiti throughout the site or on the home page. The hackers' graffiti usually contains messages of protest against the violence in Gaza, as well as information about the hackers, such as their handles and country of origin. The majority of cyber attacks launched in protest of Operation Cast Lead were website defacements. There is no data to indicate more sophisticated or dangerous kinds of cyber attacks, such as those that could cause physical harm or injury to people.

Impact.

While media coverage focuses on the most high-profile hacks or defacements, this current cyber campaign is a "war of a thousand cuts," with the c.u.mulative impact on thousands of small businesses, vanity websites, and individual websites likely outweighing the impact of more publicized, larger exploits.

However, successfully compromising higher-profile websites not only brings more public attention, it also compels businesses all over Israel to preventively tighten security, which costs money. For that reason, the financial impact of infiltrating a few larger corporate websites may be as important as disrupting thousands of smaller sites.

High-profile attacks or defacements between December 27, 2008, and February 15, 2009, include: Ynetnews.com The English language portal of one of Israel's largest newspapers. The Morocco-based "Team Evil" accessed a domain registrar called DomainTheNet in New York and redirected traffic from Ynetnews and other Israeli websites. Traffic was redirected to a site with a protest message in jumbled English. Ynetnews.com emphasized that its site had not actually been "hacked," but that Team Evil obtained a pa.s.sword allowing them to access a server. The Team then changed the IP addresses for different domain names, sending users attempting to access Ynetnews.com to a domain containing their message.

The website of Discount Bank, one of the three largest banks in Israel, was also registered with DomainTheNet, and Team Evil switched its IP address just as they did with Ynetnews.

Israel's Cargo Airlines Ltd.

An Israeli airline defaced by hackers.

Kadima.org.il The website of Israel's Kadima party was defaced twice during this period.

DZ team, based in Algeria, was responsible for the first defacement, in which they adorned the Kadima's home page with photos of IDF soldiers' funerals, accompanied by messages in Arabic and Hebrew promising that more Israelis would die.

The second time occurred on February 13, 2009, three days after close parliamentary elections in which Kadima and Likud both claimed victory and hackers targeted the Kadima site as a result of the expected spike in traffic. Gaza Hacker Team claimed responsibility for the second defacement.

Ehudbarak.org.il (This URL is no longer active.) Israeli Defense Minister and Deputy Prime Minister Ehud Barak's website was defaced by Iranian hackers who call themselves As.h.i.+aneh Security Team. The group left a message in English reading "ISRAEL, You killed more than 800 innocent civil people in gaza. Do you think that you won't pay for this? Stop War. If you don't we will continue hacking your important sites."

http://www.102fm.co.il/ Hackers left images from Gaza, a graphic of burning US and Israeli flags, and a message calling for Israel to be destroyed on this Radio Tel Aviv website.

Defacements of Israeli portals a.s.sociated with the following multinational companies or product lines were also defaced: Skype, Mazda, McDonald's, Burger King, Pepsi, Fujifilm, Volkswagen, Sprite, Gillette, Fanta, Daihatsu, and Kia.

Overview of Perpetrators.

Judging from the graffiti left behind on defaced websites, the most active hackers are Moroccan, Algerian, Saudi Arabian, Turkish, and Palestinian, although they may be physically located in other countries. Applicure Technologies, Ltd., an Israeli information security company, claims that some of the hackers are affiliated with Iranian organizations, as well as the terrorist group Hezbollah. So far, however, neither the messages left behind on defaced sites nor conversations among hackers on their own websites explicitly indicates members.h.i.+p in Hezbollah or other Islamist groups. The hackers involved do not have any unifying body organizing their activities, although some of them congregate in certain specialized hacker forums.

Many active hackers during the current Gaza crisis are experienced. Some of them were involved in the Sunni-s.h.i.+te cyber conflict that intensified in the fall of 2008. Others have numerous apolitical hacks under their belts. Their partic.i.p.ation in the current, politically motivated hacking of Israeli websites is a reflection of their personal political feelings and/or recognition of the increased attention that they can attract with Gaza-related hacks.

The majority of the graffiti left behind on Israeli websites contains images of the victims and destruction in Gaza and exhortations to Israel and/or the United States to stop the violence. The most common motivation of the hackers appears to be to draw attention to the plight of the Palestinians in the Gaza Strip and to register their protest against Israeli actions there. In the words of two hackers interviewed by a Turkish newspaper, "Our goal is to protest what is being done to the innocent people in Gaza and show our reaction. The reason we chose this method was our bid to make our voices louder."

Motivations.

The imagery and text left on defaced websites suggests the importance the hackers place on sending messages to Israeli or Western audiences through their attacks. The owner of a Palestinian graphic design company designed images for hackers to use in their defacements. A hacker forum even held a compet.i.tion to see who could come up with the best designs to leave on Israeli websites, with monetary rewards for the winners.

Investigations into the hackers' motivations have revealed the following: Inflicting financial damage to Israeli businesses, government, and individuals A message on the Arabic hackers' site Soqor.net exhorted hackers to "Disrupt and destroy Zionist government and banking sites to cost the enemy not thousands but millions of dollars. ..."

Delivering threats of physical violence to an Israeli audience One Moroccan hacker's team posted symbols a.s.sociated with violent Jihadist movements and an image of an explosion, along with a threatening message for Israelis.

Using cyber attacks as leverage to stop Operation Cast Lead Many of the defacements contained messages indicating that attacks on Israeli sites and servers would stop only when Israel stopped its violence in Gaza.

Fulfilling the religious obligation of Jihad Some hackers couched their activities in religious terms, insisting that cyber attacks were tantamount to fighting Jihad against Islam's enemies. One hacker wrote, "Use [the hacking skills] G.o.d has given you as bullets in the face of the Jewish Zionists. We cannot fight them with our bodies, but we can fight them with our minds and hands. ... By G.o.d, this is Jihad."

Achieving enhanced personal status among the community of hackers or improving one's personal position in rivalries or compet.i.tions with other hackers Two of the hackers' websites held contests to encourage productive compet.i.tion in hacking Israeli sites. Although there is much mutual encouragement and a.s.sistance on hackers' websites, there are also signs of rivalry, with hackers defacing each other's websites and leaving critical or taunting messages.

Hackers' Profiles.

The following are brief profiles of some of the hackers involved. They were identified by press reports or by the content of hacker websites as being the most active or high-profile hackers in the anti-Israel campaign.