Inside Cyber Warfare
Jeffrey Carr
foreword by Lewis Shepherd
Beijing • Cambridge • Farnham • Köln • Sebastopol • Taipei • Tokyo
Inside Cyber Warfare
by Jeffrey Carr
Copyright © 2010 Jeffrey Carr. All rights reserved.
Printed in the United States of America.
Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.
O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions
are also available for most titles (http://my.safaribooksonline.com). For more information, contact our
corporate/institutional sales department: (800) 998-9938 or corporate@oreilly.com.
Editor: Mike Loukides
Production Editor: Loranah Dimant
Copyeditor: Genevieve d’Entremont
Proofreader: Loranah Dimant
Indexer: John Bickelhaupt
Cover Designer: Karen Montgomery
Interior Designer: David Futato
Illustrator: Robert Romano
Printing History: December 2009: First Edition.
Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of
O’Reilly Media, Inc. Inside Cyber Warfare, the image of light cavalry, and related trade dress are trademarks of O’Reilly Media, Inc.
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as
trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a
trademark claim, the designations have been printed in caps or initial caps.
While every precaution has been taken in the preparation of this book, the publisher and author assume
no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
This book uses RepKover™, a durable and flexible lay-flat binding.
ISBN: 978-0-596-80215-8
Table of Contents
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
1. Assessing the Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
The Complex Domain of Cyberspace  1
Cyber Warfare in the 20th and 21st Centuries  2
Cyber Espionage  4
Cyber Crime  5
Future Threats  6
Increasing Awareness  7
Critical Infrastructure  8
The Conficker Worm: The Cyber Equivalent of an Extinction Event?  12
Africa: The Future Home of the World’s Largest Botnet?  13
The Way Forward  14
2. The Rise of the Non-State Hacker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
The StopGeorgia.ru Project Forum  15
Counter-Surveillance Measures in Place  16
The Russian Information War  16
The Foundation for Effective Politics’ War on the Net (Day One)  17
The Gaza Cyber War Between Israeli and Arabic Hackers During Operation Cast Lead  19
Impact  19
Overview of Perpetrators  21
Hackers’ Profiles  22
Methods of Attack  26
Israeli Retaliation  28
Control the Voice of the Opposition by Controlling the Content in Cyberspace: Nigeria  28
Are Non-State Hackers a Protected Asset?  29
v
3. The Legal Status of Cyber Warfare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Nuclear Nonproliferation Treaties  32
The Antarctic Treaty System and Space Law  33
UNCLOS  34
MALT  34
U.S. Versus Russian Federation: Two Different Approaches  34
The Law of Armed Conflict  35
Is This an Act of Cyber Warfare?  37
South Korea  37
Iran  37
Tatarstan  37
United States  37
Kyrgyzstan  38
Israel and the Palestinian National Authority  38
Zimbabwe  38
Myanmar  39
Cyber: The Chaotic Domain  39
4. Responding to International Cyber Attacks As Acts of War . . . . . . . . . . . . . . . . . . . . 45
Introduction by Jeffrey Carr  45
Introduction  45
The Legal Dilemma  47
The Road Ahead: A Proposal to Use Active Defenses  48
The Law of War  48
General Prohibition on the Use of Force  49
The First Exception: UN Security Council Actions  49
The Second Exception: Self-Defense  50
A Subset of Self-Defense: Anticipatory Self-Defense  51
An Alternate Basis for Using Active Defenses: Reprisals  52
Non-State Actors and the Law of War  52
Armed Attacks by Non-State Actors  53
Duties Between States  54
Imputing State Responsibility for Acts by Non-State Actors  55
Cross-Border Operations  56
Analyzing Cyber Attacks Under Jus ad Bellum  57
Cyber Attacks As Armed Attacks  58
Establishing State Responsibility for Cyber Attacks  61
The Duty to Prevent Cyber Attacks  62
Support from International Conventions  63
Support from State Practice  64
Support from the General Principles of Law  66
Support from Judicial Opinions  67
Fully Defining a State’s Duty to Prevent Cyber Attacks  67
Sanctuary States and the Practices That Lead to State Responsibility  68
The Choice to Use Active Defenses  68
Technological Limitations and Jus ad Bellum Analysis  69
Jus in Bello Issues Related to the Use of Active Defenses  71
Conclusion  74
5. The Intelligence Component to Cyber Warfare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
The Korean DDoS Attacks (July 2009)  78
The Botnet Versus the Malware  80
The DPRK’s Capabilities in Cyberspace  81
One Year After the RU-GE War, Social Networking Sites Fall to DDoS Attack  83
Ingushetia Conflict, August 2009  85
The Predictive Role of Intelligence  86
6. Non-State Hackers and the Social Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Russia  89
China  90
The Middle East  91
Pakistani Hackers and Facebook  92
The Dark Side of Social Networks  93
The Cognitive Shield  94
TwitterGate: A Real-World Example of a Social Engineering Attack with Dire Consequences  97
Automating the Process  99
Catching More Spies with Robots  99
7. Follow the Money . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
False Identities  103
Components of a Bulletproof Network  105
ICANN  105
The Accredited Registrar  106
The Hosting Company  106
The Bulletproof Network of StopGeorgia.ru  106
StopGeorgia.ru  106
NAUNET.RU  107
SteadyHost.ru  108
Innovation IT Solutions Corp  110
Mirhosting.com  112
SoftLayer Technologies  112
SORM-2  114
The Kremlin and the Russian Internet  115
Nashi  115
The Kremlin Spy for Hire Program  117
Sergei Markov, Estonia, and Nashi  118
A Three-Tier Model of Command and Control  119
8. Organized Crime in Cyberspace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
A Subtle Threat  125
Atrivo/Intercage  125
ESTDomains  126
McColo: Bulletproof Hosting for the World’s Largest Botnets  127
Russian Organized Crime and the Kremlin  129
9. Investigating Attribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Using Open Source Internet Data  131
Background  132
What Is an Autonomous System Network?  134
Team Cymru and Its Darknet Report  137
Using WHOIS  138
Caveats to Using WHOIS  140
10. Weaponizing Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
A New Threat Landscape  141
StopGeorgia.ru Malware Discussions  141
Twitter As DDoS Command Post Against Iran  144
Social Engineering  146
Channel Consolidation  148
An Adversary’s Look at LinkedIn  149
BIOS-Based Rootkit Attack  150
Malware for Hire  151
Anti-Virus Software Cannot Protect You  151
Targeted Attacks Against Military Brass and Government Executives  152
11. The Role of Cyber in Military Doctrine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
The Russian Federation  161
The Foundation for Effective Politics (FEP)  163
“Wars of the Future Will Be Information Wars”  165
“RF Military Policy in International Information Security”  166
The Art of Misdirection  169
China Military Doctrine  171
Anti-Access Strategies  174
The 36 Stratagems  174
U.S. Military Doctrine  176
12. A Cyber Early Warning Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Introduction by Jeffrey Carr  179
The Challenge We Face  179
Cyber Early Warning Networks  180
Building an Analytical Framework for Cyber Early Warning  180
Case Studies of Previous Cyber Attacks  183
Lessons Learned  187
Defense Readiness Condition for Cyberspace  188
13. Advice for Policy Makers from the Field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
When It Comes to Cyber Warfare: Shoot the Hostage  191
The United States Should Use Active Defenses to Defend Its Critical Information Systems  194
Scenarios and Options to Responding to Cyber Attacks  196
Scenario 1  196
Scenario 2  197
Scenario 3  198
Scenario 4  198
In Summary  198
Whole-of-Nation Cyber Security  199
Afterword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Foreword
During his campaign for reelection in 1996, the Internet-savvy President Bill Clinton
used the slogan “Building a Bridge to the 21st Century.” It turns out that the bridge is
operated and maintained in cyber form, and that malevolent actors can practice their
black arts to disrupt or destroy the bridge, its cyber traffic, and all who rely upon it.
And although it is disturbingly clear that the bridge to the 21st century can be taken
out, it is even more clear that we don’t always know by whom or why.
Jeffrey Carr’s Inside Cyber Warfare explores the factual background of why that is so,
who the actors are (and their motivations) and the likely future course of cyber warfare
in all its manifestations. In part, this book’s value is the comprehensiveness of its coverage, across the spectrum of militarized or warlike computer network operations
(CNO). New students of the field—and there are many, in academia, government, and
private industry—will benefit from the clear explication of the divisions between computer network defense, computer network exploitation, and computer network attack.
Examples abound of each, described in dispassionate, factual prose more helpful than
the sometimes frightening headline media coverage of isolated events.
Experts in the field of cyber warfare and CNO will find that these pages are required
reading, for Jeffrey Carr has applied an evidentiary analytical framework to understanding the intricacies that distinguish state and non-state actors and hackers, and the
varying but discoverable mosaic of political, economic, and social motivations that
incentivize cyber warfare.
I first became aware of Jeffrey Carr and his expertise while serving in the intelligence
community, where like others, I relied on his much-read-within-the-Beltway blog
Intelfusion. For this book, Carr’s background is ideal: an early career at the world’s
leading software and technology company (Microsoft), his entrepreneurial founding of
the highly regarded Project Grey Goose (which I have advised), and the activities of his
GreyLogic organization. He now adds to that list the title of “authority,” with its imprimatur stamped by virtue of the pages in this book.
Military analysts, pundits, and warfighters alike have known for centuries the Latin
adage attributed to “the Roman Sun Tzu,” Publius Flavius Vegetius Renatus, famous
for his “art-of-war” classic from 390 BC, De Re Militari: “Si vis pacem, para bellum”;
if you wish peace, prepare for war. Inside Cyber Warfare is the necessary handbook for
a new 21st century in which all who hope for the new world of cyber-powered peaceful
interactions must prepare for cyber war.
—Lewis Shepherd
Chief Technology Officer and Senior Fellow,
Microsoft Institute for Advanced Technology in Governments
Senior Technology Officer, Defense Intelligence Agency (2004–2007)
Preface
I was recently invited to participate in a cyber security dinner discussion by a few
members of a well-known Washington D.C. think tank. The idea was that we could
enjoy a fine wine and a delicious meal while allowing our hosts to pick our brains about
this “cyber warfare stuff.” It seems that the new threatscape emerging in cyberspace
has caught them unprepared and they were hoping we could help them grasp some of
the essentials in a couple of hours. By the time we had finished dinner and two bottles
of a wonderful 2003 red, one of the Fellows in attendance was holding his head in his
hands, and it wasn’t because of the wine.
International acts of cyber conflict (commonly but inaccurately referred to as cyber
warfare) are intricately enmeshed with cyber crime, cyber security, cyber terrorism, and
cyber espionage. That web of interconnections complicates finding solutions because
governments have assigned different areas of responsibility to different agencies which
historically do not play well with others. Then there is the matter of political will. When
I signed the contract to write this book, President Obama had committed to make cyber
security a top priority in his administration. Seven months later, as I write this introduction, cyber security has been pushed down the priority ladder behind the economy
and health care, and the position of cyber coordinator, who originally was going to
report directly to the President, must now answer to multiple bosses with their own
agendas. A lot of highly qualified candidates have simply walked away from a position
that has become a shadow of its former self. Consequently, we all find ourselves holding
our heads in our hands more often than not.
Cyberspace as a warfighting domain is a very challenging concept. The temptation to
classify it as just another domain, like air, land, sea, and space, is frequently the first
mistake that’s made by our military and political leaders and policy makers.
I think that a more accurate analogy can be found in the realm of science fiction’s
parallel universes—mysterious, invisible realms existing in parallel to the physical
world, but able to influence it in countless ways. Although that’s more metaphor than
reality, we need to change the habit of thinking about cyberspace as if it’s the same
thing as “meat” space.
After all, the term “cyberspace” was first coined by a science fiction writer. My own
childhood love affair with science fiction predated William Gibson’s 1984 novel Neuromancer, going all the way back to The New Tom Swift Jr. Adventures series, which
was the follow-up to the original series of the early 1900s. By some quirk of fate, the
first Tom Swift Jr. book was published in 1954 (the year that I was born) and ceased
publication in 1971 (the year that I left home for college). Although the young inventor
didn’t have cyberspace to contend with, he did have the “Atomic Earth Blaster” and
the “Diving Sea Copter.” In an otherwise awful childhood, the adventures of Tom Swift
Jr. kept me feeling sane, safe, and excited about the future until I was old enough to
leave home and embark on my own adventures.
Now, 38 years later, I find myself investigating a realm that remains a sci-fi mystery to
many leaders and policy makers of my generation, while younger people who have
grown up with computers, virtual reality, and online interactions of all kinds are perfectly comfortable with it. For this reason, I predict that the warfighting domain of
cyberspace won’t truly find its own for another five to eight years, when military officers
who have grown up with a foot in both worlds rise to senior leadership roles within the
Department of Defense.
How This Book Came to Be
This book exists because of an open source intelligence (OSINT) experiment that I
launched on August 22, 2008, named Project Grey Goose (Figure P-1). On August 8,
2008, while the world was tuning in to the Beijing Olympics, elements of the Russian
Federation (RF) Armed Forces invaded the nation of Georgia in a purported self-defense
action against Georgian aggression. What made this interesting to me was the fact that
a cyber component preceded the invasion by a few weeks, and then a second, much
larger wave of cyber attacks was launched against Georgian government websites
within 24 hours of the invasion date. These cyber attacks gave the appearance of being
entirely spontaneous, an act of support by Russian “hacktivists” who were not part of
the RF military. Other bloggers and press reports supported that view, and pointed to
the Estonian cyber attacks in 2007 as an example. In fact, that was not only untrue, but
it demonstrated such shallow historical analysis of comparable events that I found
myself becoming more and more intrigued by the pattern that was emerging. There
were at least four other examples of cyber attacks timed with RF military actions dating
back to 2002. Why wasn’t anyone exploring that, I wondered?
I began posting what I discovered to my blog IntelFusion.net, and eventually it caught
the attention of a forward-deployed intelligence analyst working at one of the three-letter agencies. By “forward deployed” I refer to those analysts who are under contract
to private firms but working inside the agencies. In this case, his employer was Palantir
Technologies. “Adam” (not his real name) had been a long-time subscriber to my blog
and was as interested in the goings-on in Georgia as I was. He offered me the free use
of the Palantir analytic platform for my analysis.
Figure P-1. The official logo of Project Grey Goose
After several emails and a bunch of questions on my part, along with my growing
frustration at the overall coverage of what was being played out in real time in the North
Caucasus, I flashed on a solution. What would happen if I could engage some of the
best people inside and outside of government to work on this issue without any restrictions, department politics, or bureaucratic red tape? Provide some basic guidance,
a collaborative workspace, and an analytic platform, and let experienced professionals
do what they do best? I loved the idea. Adam loved it. His boss loved it.
On August 22, 2008, I announced via my blog and Twitter an open call for volunteers
for an OSINT experiment that I had named Project Grey Goose. Prospective volunteers
were asked to show their interest by following a temporary Twitter alias that I had
created just for this enrollment. Within 24 hours, I had almost 100 respondents consisting of college students, software engineers, active duty military officers, intelligence
analysts, members of law enforcement, hackers, and a small percentage of Internet-created personas who seemed to have been invented just to see if they could get in (they
didn’t). It was an astounding display of interest, and it took a week for a few colleagues
and I to make the selections. We settled on 15 people, Palantir provided us with some
training on their platform, and the project was underway. Our Phase I report was produced about 45 days later. A follow-up report was produced in April 2009. This book
pulls from some of the data that we collected and reported on, plus it contains quite a
bit of new data that has not been published before.
A lot has happened between April 2009 and September 2009, when the bulk of my
writing for this book was done. As more and more data is moved to the Cloud and the
popularity of social networks continues to grow, the accompanying risks of espionage
and adversary targeting grow as well. While our increasingly connected world does
manage to break down barriers and increase cross-border friendships and new understandings, the same geopolitics and national self-interests that breed conflicts
and wars remain. Conflict continues to be an extension of political will, and now
conflict has a new domain upon which its many forms can engage (espionage, terrorism,
attacks, extortion, disruption).
This book attempts to cover a very broad topic with sufficient depth to be informative
and interesting without becoming too technically challenging. In fact, there is no shortage of technical books written about hackers, Internet architecture, website vulnerabilities, traffic routing, etc. My goal with this book is to demonstrate how much more
there is to know about a cyber attack than simply what comprises its payload.
Welcome to the new world of cyber warfare.
Conventions Used in This Book
The following typographical conventions are used in this book:
Italic
Indicates new terms, URLs, email addresses, filenames, and file extensions.
Constant width
Used for queries.
Constant width italic
Shows text that should be replaced with user-supplied values or by values determined by context.
This icon signifies a tip, suggestion, or general note.
Using Code Examples
This book is here to help you get your job done. In general, you may use the code in
this book in your programs and documentation. You do not need to contact us for
permission unless you’re reproducing a significant portion of the code. For example,
writing a program that uses several chunks of code from this book does not require
permission. Selling or distributing a CD-ROM of examples from O’Reilly books does
require permission. Answering a question by citing this book and quoting example
code does not require permission. Incorporating a significant amount of example code
from this book into your product’s documentation does require permission.
We appreciate, but do not require, attribution. An attribution usually includes the title,
author, publisher, and ISBN. For example: “Inside Cyber Warfare, by Jeffrey Carr.
Copyright 2010 Jeffrey Carr, 978-0-596-80215-8.”
If you feel your use of code examples falls outside fair use or the permission given here,
feel free to contact us at permissions@oreilly.com.
How to Contact Us
Please address comments and questions concerning this book to the publisher:
O’Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
800-998-9938 (in the United States or Canada)
707-829-0515 (international or local)
707-829-0104 (fax)
We have a web page for this book, where we list errata, examples, and any additional
information. You can access this page at:
http://oreilly.com/catalog/9780596802158/
To comment or ask technical questions about this book, send email to the following,
quoting the book’s ISBN number (9780596802158):
bookquestions@oreilly.com
To contact the author and obtain information about GreyLogic and Project Grey
Goose, visit the website at:
http://greylogic.us
For more information about our books, conferences, Resource Centers, and the
O’Reilly Network, see our website at:
http://oreilly.com
Safari® Books Online
Safari Books Online is an on-demand digital library that lets you easily
search over 7,500 technology and creative reference books and videos to
find the answers you need quickly.
With a subscription, you can read any page and watch any video from our library online.
Read books on your cell phone and mobile devices. Access new titles before they are
available for print, and get exclusive access to manuscripts in development and post
feedback for the authors. Copy and paste code samples, organize your favorites, download chapters, bookmark key sections, create notes, print out pages, and benefit from
tons of other time-saving features.
O’Reilly Media has uploaded this book to the Safari Books Online service. To have full
digital access to this book and others on similar topics from O’Reilly and other publishers, sign up for free at http://my.safaribooksonline.com.
Acknowledgments
Many people have contributed to moving this book from the idea stage to a finished
product and I cannot possibly identify and thank all of them individually so I’d like to
take this opportunity to thank all of my colleagues at Project Grey Goose (including
Alex, Shyam, Shreyas, and Will at Palantir Technologies), as well as the wonderful
production and editing team at O’Reilly Media.
A few individuals have extended themselves beyond the call of duty and deserve special
mention: Mike Loukides, Nitesh Dhanjani, Billy Rios, Lt. Col. Mark Coffin (USA), Lt.
Cdr. Matt Sklerov (USN), and Lewis Shepherd. Also in this group are a few individuals
who prefer to work without acknowledgment and as much as I’d love to thank you
publicly, I respect your wishes in this matter.
Finally and most importantly, I want to thank my beautiful and talented wife, Lilly,
whose love and support has kept me sane, focused, and happy during the writing of
this book and the greater adventure of launching a new consultancy (Greylogic).
CHAPTER 1
Assessing the Problem
“You can’t say that civilization don’t advance, however,
for in every war they kill you in a new way.”
—Will Rogers, the New York Times,
December 23, 1929
Whenever someone asks if anyone ever died in a cyber war, Magomed Yevloev springs
to mind.
On August 31, 2008, in the North Caucasus Republic of Ingushetia, Yevloev was arrested by Nazran police, ostensibly for questioning regarding his anti-Kremlin website
Ingushetia.ru. As he was being transported to police headquarters, one of the officers
in the car “accidentally” discharged his weapon into the head of Magomed Yevloev.
The U.S. Department of State called for an investigation. Vladimir Putin reportedly said
that there would be an investigation. To date, nothing has been done.
Ingushetia.ru (now Ingushetia.org) and the Chechen website kavkazcenter.com are
some of the earliest examples of politically motivated Russian cyber attacks dating as
far back as 2002. In other words, in addition to Russian military operations in Chechnya, there were cyber attacks launched against opposition websites as well.
The Russia-Georgia War of August 2008 is the latest example, occurring just a few
weeks before Magomed Yevloev’s killing. If anyone would qualify as a casualty of cyber
warfare, it might just be this man.
The Complex Domain of Cyberspace
The focus of this book is cyber warfare, and therein lies the first complexity that must
be addressed. As of this writing, there is no international agreement on what constitutes
an act of cyber war, yet according to McAfee’s 2008 Virtual Criminology Report, there
are over 120 nations “leveraging the Internet for political, military, and economic espionage activities.”
The U.S. Department of Defense (DOD) has prepared a formal definition of this new
warfighting domain, which is discussed in Chapter 11, but inspired by the writings of
Sun Tzu, I offer this definition instead:
Cyber Warfare is the art and science of fighting without fighting; of defeating an opponent without spilling their blood.
To that end, what follows are some examples of the disparate ways in which governments have attempted to impose their will on their adversaries and find victory
without bloodshed in the cyber domain.
Cyber Warfare in the 20th and 21st Centuries
China
The emergence of the People’s Republic of China’s (PRC) hacker community was instigated by a sense of national outrage at anti-Chinese riots taking place in Indonesia
in May 1998. An estimated 3,000 hackers self-organized into a group called the China
Hacker Emergency Meeting Center, according to Dahong Min’s 2005 blog entry entitled “Say goodbye to Chinese hackers’ passionate era: Writing on the dissolving moment of ‘Honker Union of China.’” The hackers launched attacks against Indonesian
government websites in protest.
About one year later on May 7, 1999, a NATO jet accidentally bombed the Chinese
embassy in Belgrade, Yugoslavia. Less than 12 hours later, the Chinese Red Hacker
Alliance was formed and began a series of attacks against several hundred U.S. government websites.
The next event occurred in 2001 when a Chinese fighter jet collided with a U.S. military
aircraft over the South China Sea. This time over 80,000 hackers became engaged in
launching a “self-defense” cyber war for what they deemed to be an act of U.S. aggression. The New York Times referred to it as “World Wide Web War I.”
Since then, most of the PRC’s focus has been on cyber espionage activities in accordance
with its military strategy to focus on mitigating the technological superiority of the U.S.
military.
Israel
In late December 2008, Israel launched Operation Cast Lead against Palestine. A corresponding cyber war quickly erupted between Israeli and Arabic hackers, which has
been the norm of late when two nation states are at war.
The unique aspect of this case is that at least part of the cyber war was engaged in by
state hackers rather than the more common non-state hackers. Members of the Israeli
Defense Forces hacked into the Hamas TV station Al-Aqsa to broadcast an animated
cartoon showing the deaths of Hamas’ leadership with the tag line “Time is running
out” (in Arabic).
In contrast, during the Chechnya, Estonia, and Georgia conflicts, nationalistic non-state hackers acted in concert but were not in the employ of any nation state.
That is the second complication: attribution. And lack of attribution is one of the benefits for states that rely on or otherwise engage non-state hackers to conduct their cyber
campaigns. In other words, states gain plausible deniability.
Russia
The Second Russian-Chechen War (1997–2001). During this conflict, in which the Russian military invaded the breakaway region of Chechnya to reinstall a Moscow-friendly regime,
both sides used cyberspace to engage in Information Operations to control and shape
public perception.
Even after the war officially ended, the Russian Federal Security Service (FSB) was
reportedly responsible for knocking out two key Chechen websites at the same time
that Russian Spetsnaz troops engaged Chechen terrorists who were holding Russian
civilians hostage in a Moscow theatre on October 26, 2002.
The Estonian cyber war (2007). Although there is no hard evidence linking the Russian government to the cyber attacks launched against Estonian government websites during
the week of April 27, 2007, at least one prominent Russian Nashi youth leader,
Konstantin Goloskokov, has admitted his involvement along with some associates.
Goloskokov turned out to be the assistant to State Duma Deputy Sergei Markov of the
pro-Kremlin Unified Russia party.
The activating incident was Estonia’s relocation of the statue “The Bronze Soldier of
Tallinn,” dedicated to soldiers of the former Soviet Union who had died in battle. The
resulting massive distributed denial of service (DDoS) attacks took down Estonian
websites belonging to banks, parliament, ministries, and communication outlets.
The Russia-Georgia War (2008). This is the first example of a cyber-based attack that coincided directly with a land, sea, and air invasion by one state against another. Russia
invaded Georgia in response to Georgia’s attack against separatists in South Ossetia.
The highly coordinated cyber campaign utilized vetted target lists of Georgian government websites as well as other strategically valuable sites, including the U.S. and British
embassies. Each site was vetted in terms of whether it could be attacked from Russian
or Lithuanian IP addresses. Attack vectors included DDoS, SQL injection, and cross-site scripting (XSS).
Iran
The Iranian Presidential elections of 2009 spawned a massive public protest against
election fraud that was fueled in large part by the availability of social media such as
Twitter and Facebook as outlets for public protest. The Iranian government responded
by instituting a harsh police action against protesters and shutting down media channels as well as Internet access inside the country. Some members of the opposition
movement resorted to launching DDoS attacks against Iranian government websites.
Twitter was used to recruit additional cyber warriors to their cause, and links to automated DDoS software made it easy for anyone to participate.
North Korea
Over the July 4th weekend of 2009, a few dozen U.S. websites, including the White
House and other U.S. government sites, came under a mild DDoS attack. A few days
later the target list grew to include South Korean government and civilian websites. The
Democratic People’s Republic of Korea (DPRK) was the primary suspect, but as of this
writing there is no evidence to support that theory. Nevertheless, South Korean media
and government officials have pressed the case against the North, and U.S. Rep. Pete
Hoekstra (R-MI) has called for the U.S. military to launch a cyber attack against the
DPRK to send them a “strong signal.”
Cyber Espionage
Acts of cyber espionage are far more pervasive than acts of cyber warfare, and the
leading nation that is conducting cyber espionage campaigns on a global scale is the
People’s Republic of China.
In December 2007, Jonathan Evans, the director-general of MI5, informed 300 British
companies that they were “under attack by Chinese organizations,” including the People’s Liberation Army.
Titan Rain
“Titan Rain” is the informal code name for ongoing acts of Chinese cyber espionage
directed against the U.S. Department of Defense since 2002. According to Lieutenant
General William Lord, the Air Force’s Chief of Warfighting Integration and Chief Information Officer, “China has downloaded 10 to 20 terabytes of data from the NIPRNet
(DOD’s Non-Classified IP Router Network).” This stolen data came from such agencies
as the U.S. Army Information Systems Engineering Command, The Naval Ocean Systems Center, the Missile Defense Agency, and Sandia National Laboratories.
According to testimony by Timothy L. Thomas (Lt. Col., USA Retired) of the Foreign
Military Studies Office, Joint Reserve Intelligence Office, Ft. Leavenworth, Kansas,
before the U.S.-China Economic and Security Review Commission in 2008, DOD
computers experienced a 31% increase in malicious activity over the previous year,
amounting to 43,880 incidents.
In 2006, Department of Defense officials claimed that the Pentagon network backbone,
known as the Global Information Grid, was the recipient of 3 million daily scans, and
that China and the U.S. were the top two sources.
Acts of cyber espionage are not only directed at U.S. Government websites but also at
private companies that do classified work on government contracts. According to Allen
Paller of the SANS Institute, Raytheon, Lockheed Martin, Boeing, Northrop Grumman,
and other large government contractors experienced data breaches in 2007.
In January 2009, SRA, a company that specializes in providing computer security services to the U.S. government, reported that personal information on its employees and
customers was at risk when it discovered malware on one of its servers.
Cyber Crime
At this time it is unknown if the attacks originated from the North Korean Army, a lonely
South Korean student, or the Japanese-Korean Mafia. Indeed, all of these entities could
have been involved in the attacks at the same time. This is because the differentiation
between Cyber Crime, Cyber Warfare and Cyber Terror can be a misleading one—in
reality, Cyber Terror is often Cyber Warfare utilizing Cyber Crime.
—Alexander Klimburg, Cyber-Attacken als Warnung (DiePresse.com, July 15, 2009)
Most of the sources on cyber warfare that are publicly available do not address the
problem of cyber crime. The reasoning goes that one is a military problem, whereas the
other is a law enforcement problem; hence these two threats are dealt with by different
agencies that rarely speak with one another.
Unfortunately, this approach is not only counterproductive, but it also creates serious
information gaps in intelligence gathering and analysis. My experience as Principal
Investigator of the open source intelligence effort Project Grey Goose provides ample
evidence that many of the non-state hackers who participated in the Georgian and Gaza
cyber wars were also involved in cyber crime. It was, in effect, their “day job.”
Additionally, cyber crime is the laboratory where the malicious payloads and exploits
used in cyber warfare are developed, tested, and refined. The reason why it is such an
effective lab environment is because cracking a secure system, whether it’s Heartland
Payment Systems or the Global Information Grid, is valuable training, and it’s happening every day inside the cyber underground.
The chart in Figure 1-1, prepared by independent security researcher Jart Armin, demonstrates the rapid rise in volume and sophistication of attacks in just the last 10 years.
A 2009 report by Gartner Research states that financial fraud was up by 47% in 2008
from 2007, with 687 data breaches reported. What does that translate to in dollars? No
one seems to know, although Chris Hoofnagle, Senior Fellow with the Berkeley Center
for Law and Technology, says in an article that he wrote for the Fall 2007 issue of the
Harvard Journal of Law and Technology that it’s probably in the tens of billions:
Currently we don’t know the scope of the problem…. We do know that it is a big problem
and that the losses are estimated in the tens of billions. Without reporting, we cannot
tell whether the market is addressing the problem. Reporting will elucidate the scope of
the problem and its trends, and as explained below, create a real market for identity theft
prevention.
Figure 1-1. Evolution of cyber attacks
In January 2009, Heartland Payment Systems revealed that it was the victim of the
largest data breach in history, involving more than 130 million accounts. No one really
knows for sure because hackers had five months of uninterrupted access to Heartland’s
secure network before the breach was discovered.
Organized crime syndicates from Russia, Japan, Hong Kong, and the U.S. are consolidating their influence in the underground world of cyber crime because the risk-reward
ratio is so good. Although law enforcement agencies are making sustained progress in
cyber crime detection and enforcement—such as Operation DarkMarket, an FBI sting
that resulted in the arrest of 56 individuals worldwide, more than $70 million in potential economic loss prevented, and recovery of 100,000 compromised credit cards—
cyberspace is still a crime syndicate’s dream environment for making a lot of money
with little to no risk.
Future Threats
Assessing future threats is an important part of setting priorities for increased cyber security measures, not to mention building out the capabilities of a military cyber command.
A recent report by the European Commission predicts:
There is a 10% to 20% probability that telecom networks will be hit by a major breakdown in the next 10 years, with a potential global economic cost of around €193 billion
($250 billion). This could be caused by natural disasters, hardware failures, rupture of
submarine cables (there were 50 incidents recorded in the Atlantic Ocean in 2007 alone),
as well as from human actions such as terrorism or cyber attacks, which are becoming
more and more sophisticated.
The commission goes on to recommend an increased focus in key areas to counter
future threats in cyberspace. These include:
Preparedness and prevention
Fostering cooperation, exchange of information, and transfer of good policy practices between
member states via a European Forum; establishing a European Public-Private Partnership for Resilience, which will help businesses share experience and information
with public authorities.
Detection and response
Supporting the development of a European information-sharing and alert system.
Mitigation and recovery
Stimulating stronger cooperation between member states via national and multinational contingency plans and regular exercises for large-scale network security
incident response and disaster recovery.
International cooperation
Driving a Europe-wide debate to set EU priorities for the long-term resilience and
stability of the Internet with a view to proposing principles and guidelines to be
promoted internationally.
Establish criteria for European critical infrastructure in the Information and Communication Technologies (ICT) sector
The criteria and approaches currently vary across member states.
Increasing Awareness
The potential impact of attacks delivered in cyberspace has not always been as
appreciated as it is today. As early as February 18, 2003, in an interview with PBS’s
Frontline: Cyberwar!, noted expert James Lewis, director of the Center for Strategic and
International Studies, said:
Some people actually believe that this stuff here that they’re playing with is equal, if not
a bigger threat, than a dirty bomb…. Nobody argues—or at least no sane person argues—
that a cyber attack could lead to mass casualties. It’s not in any way comparable to
weapons of mass destruction. In fact, what a lot of people call them is “weapons of mass
annoyance.” If your power goes out for a couple hours, if somebody draws a mustache
on Attorney General Ashcroft’s face on his website, it’s annoying. It’s irritating. But it’s
not a weapon of mass destruction. The same is true for this.
Now contrast that statement with the following excerpt from “Securing Cyberspace for
the 44th Presidency: A Report of the CSIS Commission on Cybersecurity for the 44th
Presidency” (issued December 2008), for which Mr. Lewis was the project director:
The Commission’s three major findings are: (1) cybersecurity is now a major national
security problem for the United States; (2) decisions and actions must respect privacy
and civil liberties; and (3) only a comprehensive national security strategy that embraces
both the national and international aspects of cybersecurity will make us more secure.
That shows a significant difference of opinion on the part of Mr. Lewis in a relatively
short period of time. Part of the reason for various respected individuals such as James
Lewis to downplay the potential impact of cyber war is that past examples have not
demonstrated any significant harm. Website defacements and extended downtime of
a small country’s Internet access, while burdensome, have not resulted in human
injuries.
Even in 2009, when there is little doubt remaining about the critical need to address
cyber vulnerabilities, there are still voices of dissent such as Jim Harper, director of
information policy studies at the Cato Institute, who said in an interview with Russia
Today on July 31, 2009 that “Both cyber terrorism and cyber warfare are concepts that
are gross exaggerations of what’s possible through Internet attacks.”
Although acts of cyber espionage such as Titan Rain or incidents of cyber crime resulting in major data losses such as Heartland Payment Systems are gravely serious in
their own right, stove-piped thinking that excludes cyber crime from cyber war means
that the potential for a threat case doesn’t cross over in the mind of the military
strategist.
Critical Infrastructure
There is a growing awareness of the vulnerability of a nation’s critical infrastructure to
network attack. Transportation, banking, telecommunications, and energy are among
the most vulnerable systems and may be subject to the following modes of attack:
• Insider threats
• Anonymous access to protected networks via the Internet and Supervisory Control
and Data Acquisition (SCADA)
• Counterfeit hardware
• Employee abuse of security guidelines leading to malware propagation inside the
firewall
The following future threat scenario is modeled after the ones created for the latest
National Intelligence Council (NIC) report “Global Trends 2025.” While containing
many scenarios on a variety of national security issues, the NIC did not include a largescale cyber event. The authors did, however, have this to say:
Cyber and sabotage attacks on critical US economic, energy, and transportation infrastructures might be viewed by some adversaries as a way to circumvent US strengths on
the battlefield and attack directly US interests at home.
What follows is my offering to stimulate discussion and raise awareness within the
National Security community of what is possible in the cyber realm.
The question of whether a nuclear catastrophe could be initiated by a
hacker attack was explored through multiple scenarios in a paper commissioned by the International Commission on Nuclear Nonproliferation and Disarmament entitled “Hacking Nuclear Command and Control” by Jason Fritz, et al.
Future Scenario Involving Critical Infrastructure
October 19, 20**
Chairperson
House Permanent Select Committee on Intelligence
Washington, D.C.
RE: Establishment of North American Urgent Radiological Information Exchange
Madame Chairperson:
While we do not believe that this is a matter that rightfully falls under the province of
your Committee, in the interest of cooperation, this letter will address the events leading
up to the establishment of the North American Urgent Radiological Information Exchange (NAURIE).
As you know, on the nth year anniversary of 9/11, all of our nation’s nuclear power
plants were targeted in a massive distributed denial of service attack orchestrated by
the Conficker D botnet, which had grown to a heretofore unheard of 30,000,000+
infected hosts.
While US CERT teams as well as regional DOE cyber security personnel were focused
on combating this external threat, each plant’s internal firewall separating the Command and Safety System Networks from the Site Local Area Network was breached
from the inside due to the use of pirated hardware with malicious embedded code that
passed server control to external users.
Of even more concern is the fact that all of these plants were targets of a carefully
planned, long-term social engineering attack that relied on human error and the broadbased appeal of social network sites. As DOE employees broke protocol and downloaded phony social software apps, malicious code worked its way into secure networks
and lay dormant until activated by the attacking force.
This led to a number of consecutive failures in our safety mechanisms resulting in partial
to complete core meltdowns at 70% of our plants. When these plants went offline, the
nation’s power requirements couldn’t be met. Grids were overwhelmed and blackouts
began occurring in our most heavily populated urban areas. Once criminal gangs realized that overburdened police departments were unable to respond to every 911 call,
looting of businesses began in earnest as did home invasions in the wealthier
neighborhoods.
One year later, we still do not have a final count on the number of deaths and casualties
but most responsible estimates place them in the tens of thousands. If we extrapolate
out for the as yet unknown future effects of radiation poisoning on the victims, the
count goes into six figures.
While this is clearly a tragedy on every level, I feel I must point out that the NNSA, as
late as 2009, in a letter to the Los Alamos National Laboratory, did its part in improving
security by determining that the loss of 83 LANL laptops should no longer be considered just a “property management” issue, but a cyber security issue as well.
Also, our G3 physical security model (Gates, Guards, Guns) was not compromised,
and cyber security compliance has never been a mandatory policy; instead it is an ongoing negotiation among various other considerations.
v/r,
Director, National Nuclear Security Administration
This scenario is perfectly plausible given what we know today about software exploits
driven by social engineering; the availability of counterfeit hardware such as routers,
switches, Gigabit Interface Converters, and WAN interface cards; and Conficker-type
botnets that consist of millions of infected PCs.
Combine those threats with a motivated, patient, and well-financed hacker crew and
any number of doomsday scenarios become possible.
If this scenario sounds far-fetched or seems to overstate the risk, the following news
stories represent a sampling of actual cyber security events that have occurred at nuclear
power plants since 2003:
“NNSA wants more funding for cyber security” (Federal Computer Week, February 6,
2008)
“Numerous cybersecurity problems at the department have come to light over the
past few months. A recently released report by the department’s inspector general
report said Energy had 132 serious security breaches in fiscal 2006.”
“Slammer worm crashed Ohio nuke power plant” (SecurityFocus, August 19, 2003)
“The Slammer worm penetrated a private computer network at Ohio’s Davis-Besse
nuclear power plant in January and disabled a safety monitoring system for nearly
five hours, despite a belief by plant personnel that the network was protected by a
firewall, SecurityFocus has learned.”
“Cyber Incident Blamed for Nuclear Power Plant Shutdown” (The Washington Post,
June 5, 2008)
“A nuclear power plant in Georgia was recently forced into an emergency shutdown for 48 hours after a software update was installed on a single computer.
According to a report filed with the Nuclear Regulatory Commission, when the
updated computer rebooted, it reset the data on the control system, causing safety
systems to errantly interpret the lack of data as a drop in water reservoirs that cool
the plant’s radioactive nuclear fuel rods. As a result, automated safety systems at
the plant triggered a shutdown.”
“Fed aims to tighten nuclear cyber security” (SecurityFocus, January 25, 2005)
“The U.S. Nuclear Regulatory Commission (NRC) quietly launched a public comment period late last month on a proposed 15-page update to its regulatory guide
‘Criteria for Use of Computers in Safety Systems of Nuclear Power Plants.’ The
current version, written in 1996, is three pages long and makes no mention of
security.
Adherence to the new guidelines would be strictly voluntary for operators of the
103 nuclear reactors already running in the U.S.—a detail that irks some security
experts. In filed comments, Joe Weiss, a control systems cyber security consultant
at KEMA, Inc., argued the regulatory guide shouldn’t be limited to plant safety
systems, and that existing plants should be required to comply.
“There have been numerous cases of control system cyber security impacts including several in commercial nuclear plants,” Weiss wrote. “Many nuclear plants
have connected their plant networks to corporate networks making them potentially vulnerable to cyber intrusions.”
“Congressmen Want Explanation on Possible Nuclear Power Plant Cyber Security Incident” (SC Magazine, May 21, 2007)
“U.S. Rep. Bennie G. Thompson, D-Miss., chairman of the House Committee on
Homeland Security, and Rep. James R. Langevin, D-R.I., chairman of the Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, have
asked Dale E. Klein, chairman of the U.S. Nuclear Regulatory Commission (NRC),
to investigate the nation’s nuclear cybersecurity infrastructure.
They said a cybersecurity ‘incident’ resembling a DoS attack on Aug. 19, 2006 left
the Browns Ferry Unit 3 nuclear power facility in northern Alabama at risk.”
Besides the risks posed by various malicious attacks, both real and projected, a further
complication that must be considered is the significant age of most of our nuclear power
plants and how difficult it will be to rid a legacy network of a virus.
In a speech at the 2006 American Nuclear Society Winter Meeting, Nuclear Regulatory
Commission Commissioner Peter B. Lyons recounted how, as he visited many of the
U.S. nuclear power plants, he was struck by the number that still use “very old analog
instrumentation.” Keep in mind that this was just a few years ago.
Now imagine the complexity involved in returning an infected machine to a trustworthy state. If a known good source is available, a reinstall should work; however, do these antiquated systems even have a known good source? How does a nuclear
power plant take all of its critical systems offline? Much of the software used in U.S. critical
infrastructure was custom-made in one-off versions. After infection occurs,
the likelihood of a kernel-level rootkit remaining on the machine is worrisome at best,
and catastrophic at worst.
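One concrete form of a “known good source” is a cryptographic manifest of the installed software, taken while the system was still trusted, against which the live system is checked later. The following Python script is an added example, not code from the book: it baselines a toy install, tampers with it, and reports modified, missing, and added files. The directory layout, the file names, and the “hmi_ctl” binary are constructed for the demonstration.

```python
"""Build and verify a known-good SHA-256 file manifest for a host.

Added example (not from the book). The sample tree is constructed inline.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not loaded into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the live tree against the manifest and report the three change classes."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: baseline a toy install, then simulate a compromise."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "hmi_ctl").write_bytes(b"\x7fELF original control binary")
        (root / "etc").mkdir()
        (root / "etc" / "plant.conf").write_text("setpoint=72\n")
        baseline = build_manifest(root)  # this is the "known good source"

        # Simulated compromise: a binary is trojaned, a config is removed,
        # and a new file (constructed name) is dropped.
        (root / "bin" / "hmi_ctl").write_bytes(b"\x7fELF original control binary + implant")
        (root / "etc" / "plant.conf").unlink()
        (root / "bin" / "svchost").write_bytes(b"dropper")
        return verify_manifest(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The caveat from the paragraph applies in full: a resident kernel-level rootkit can lie to this script about file contents, so the manifest must be built from, and later verified from, a trusted boot environment that mounts the disk offline, and the manifest itself has to be stored somewhere other than the host it describes.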
The Conficker Worm: The Cyber Equivalent of an Extinction
Event?
Perhaps the most obvious frightening aspect of Conficker C is its clear potential to do
harm. Among the long history of malware epidemics, very few can claim sustained
worldwide infiltration of multiple millions of infected drones. Perhaps in the best case,
Conficker may be used as a sustained and profitable platform for massive Internet fraud
and theft. In the worst case, Conficker could be turned into a powerful offensive weapon
for performing concerted information warfare attacks that could disrupt not just countries, but the Internet itself.
—Phillip Porras, Hassen Saidi, and Vinod Yegneswaran, “An Analysis of Conficker’s
Logic and Rendezvous Points,” SRI International report updated March 18, 2009
There are at least two sustained mysteries surrounding the Conficker worm: who is
behind it, and what do they plan to do with it?
Regarding the former, researchers who have studied the code contained in the worm
as well as its A, B, and C variants can say with some certainty that the authors are skilled
programmers with knowledge about the latest developments in cryptography along
with an in-depth knowledge of Windows internals and security. They are also adept at
code obfuscation and code packing, and they are closely monitoring and adapting to
attempts to thwart Conficker’s operation.
Perhaps more importantly, the Conficker authors have shown that they are innovative,
agile, and quick to implement improvements in their worm. Quoting from the SRI
report:
They are among the first to introduce the Internet rendezvous point scheme, and have
now integrated a sophisticated P2P protocol that does not require an embedded peer list.
They have continually seeded the Internet with new MD5 variants, and have adapted
their code base to address the latest attempts to thwart Conficker. They have infiltrated
government sites, military networks, home PCs, critical infrastructure, small networks,
and universities, around the world. Perhaps an even greater threat than what they have
done so far, is what they have learned and what they will build next.
There has been an unprecedented amount of collaboration in the software community
to overcome the threat posed by Conficker. Microsoft has offered a $250,000 reward
for information leading to the arrest and conviction of Conficker’s authors. Although
the idea of a bounty is interesting, the amount offered is ridiculously low. There are
carders (cyber criminals who engage in illegal credit card transactions) who earn that
much in one month.
The software giant has also established a “Conficker Cabal” in the hope that collaboration will yield more results than one company’s efforts alone. Members of the cabal
include ICANN, NeuStar, VeriSign, CNNIC, Afilias, Public Internet Registry, Global
Domains International Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers
from Georgia Tech, the Shadowserver Foundation, Arbor Networks, and Support
Intelligence.
As of this writing, no progress has been made on discovery or mitigation of this threat,
and the Conficker worm continues to propagate.
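To make the “Internet rendezvous point scheme” from the SRI excerpt, and the registrars’ role in the cabal, concrete, here is an added Python example; it is not code from the book or from the SRI report. It shows a toy date-seeded domain generation scheme and its defensive counterpart: once the seed is recovered from a sample, the defender can precompute each day’s candidate domains so registrars can block or sinkhole them ahead of time, and DNS logs can be searched for hosts that try to reach them. The derivation (SHA-256 over a seed, the date, and a counter), the TLD set, and the seed value are assumptions for illustration and are not Conficker’s actual algorithm; the DNS log lines are constructed.

```python
"""Toy date-seeded rendezvous-point (DGA) scheme and the defender's precomputation.

Added example, illustrative only: NOT Conficker's real algorithm.
"""
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org", "info", "biz")  # assumed TLD set for the toy scheme


def rendezvous_domains(day: date, seed: bytes, count: int = 250) -> list:
    """Derive `count` candidate rendezvous domains for one day from a shared seed.

    Bot and operator both know the seed; the date is the only moving input,
    so each side computes the same list without any embedded peer list.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        # first 8 bytes -> 8 lowercase letters; last byte picks the TLD
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])
        tld = TLDS[digest[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def sinkhole_schedule(start: date, days: int, seed: bytes, count: int = 250) -> dict:
    """Defender side: precompute the domains for the coming days so that
    registrars can pre-register or sinkhole them before the bots look them up."""
    return {
        (start + timedelta(n)).isoformat(): rendezvous_domains(start + timedelta(n), seed, count)
        for n in range(days)
    }


def match_dns_log(lines, schedule: dict) -> list:
    """Flag DNS queries for any scheduled domain as (client_ip, qname, day)."""
    lookup = {d: day for day, ds in schedule.items() for d in ds}
    hits = []
    for line in lines:
        # constructed log format: "<timestamp> <client_ip> query <qname>"
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query":
            q = parts[3].rstrip(".").lower()
            if q in lookup:
                hits.append((parts[1], q, lookup[q]))
    return hits


def demo() -> dict:
    """Constructed run: three days of schedule, one host querying a scheduled name."""
    seed = b"constructed-seed-not-a-real-conficker-key"
    schedule = sinkhole_schedule(date(2009, 3, 18), 3, seed, count=250)
    target = schedule["2009-03-19"][7]  # one of tomorrow's rendezvous points
    log = [  # constructed resolver log lines
        "2009-03-19T00:01:02 10.0.0.5 query www.example.com.",
        f"2009-03-19T00:01:03 10.0.0.9 query {target}.",
        "2009-03-19T00:01:04 10.0.0.5 query ns1.example.net.",
    ]
    return {
        "hits": match_dns_log(log, schedule),
        "days": sorted(schedule),
        "per_day": len(schedule["2009-03-19"]),
    }


if __name__ == "__main__":
    print(demo())
```

The design point the cabal exploited is visible here: because the scheme is deterministic and the seed is in every sample, the defender can run the same function as the bot but earlier, and the cost of blocking scales with the number of domains per day, which is why later variants raised that number and added the peer-to-peer channel that does not depend on DNS at all.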
Africa: The Future Home of the World’s Largest Botnet?
African IT experts estimate an 80% infection rate on all PCs continent-wide, including
government computers. It is the cyber equivalent of a pandemic. Few can afford to pay
for anti-virus software, and for those who can, the download time on a dial-up connection makes the update out of date by the time the download is complete.
Now, with the arrival of broadband service delivered via undersea cables such as Seacom’s on July 23, 2009, Teams cable (September 2009), and the East African Submarine
Cable System (mid-year 2010), there will be a massive, target-rich environment of almost 100 million computers available for botnet herders to add infected hosts to their
computer armies (Figure 1-2).
One botnet of one million hosts could conservatively generate enough traffic to take
most Fortune 500 companies collectively offline. A botnet of 10 million hosts (like
Conficker) could paralyze the network infrastructure of a major Western nation.
As of today, there is no unified front to combat botnets of this size. However, since
these botnets are Windows-based, a switch to the Linux operating system is a feasible
alternative being floated to address the African crisis. Another would be for anti-virus
(AV) companies to provide free subscriptions to African residents. A third would require that Microsoft radically modify its policy about pirated versions of Windows and
make its security patches available to all who request them, regardless of whether they
have genuine software loaded on their boxes.
The participation of the software industry is crucial as governments and the private
sector face both criminal and geopolitical adversaries in a domain that has been in
existence only since the birth of the World Wide Web in 1990, a domain that millions
of individuals are impacting, shaping, and transforming on a daily, even hourly, basis.
Figure 1-2. Broadband undersea cable service for Africa
The Way Forward
If I were asked what I hoped to accomplish with this collection of facts, opinions, and
assessments about cyber warfare and its various permutations, my answer would be to
expand senior leadership and policy makers’ limited thinking that surrounds the subject and instigate a broader and deeper conversation in the public sphere. This book
will probably feel more like a collection of essays or an anthology by different authors
than a cohesive story with a clean development arc. In part, that’s because of the nature
of the beast. When it comes to how attacks orchestrated by a myriad of parties across
globally connected networks are impacting national security for the U.S. and other
nation states, we’re all like blind men describing an elephant. The big picture sort of
eludes us. My hope for this book is that it will inform and engage the reader; inform
through the recounting of incidents and actors stretching across multiple nations over
a period of 10 years up to almost the present day (Thanksgiving 2009) and engage by
firing the reader’s enthusiasm to get involved in the debate on every level—local, state,
and national. If it raises almost as many questions as my contributors and I have attempted to answer, I’ll feel like the book accomplished its mission.
CHAPTER 2
The Rise of the Non-State Hacker
The list of priority targets for attacks has been published on the site:
http://www.stopgeorgia.ru/?pg=tar. DDoS attacks are currently being carried
out against many of the resources. Everyone who can help, sign up here. Please
leave your suggestions for this list in this topic.
—Administrator, StopGeorgia.ru forum post,
August 09, 2008, 2:47 p.m.
The StopGeorgia.ru Project Forum
On August 8, 2008, the Russian Federation launched a military assault against Georgia.
One day later, the StopGeorgia.ru Project forum was up and running at http://www
.stopgeorgia.ru with 30 members, eventually topping out at over 200 members by September 15, 2008.
Not only did it launch with a core group of experienced hackers, the forum also featured
a list with 37 high-value targets, each one vetted by whether it could be accessed from
Russian or Lithuanian IP addresses. This was done because the Georgian government
began blocking Russian IPs the month prior when the President of Georgia’s website
was knocked offline by a DDoS attack on July 21, 2008.
In addition to the target list, it provided members with downloadable DDoS kits, as
well as advice on how to launch more sophisticated attacks, such as SQL injection.
StopGeorgia.ru was not the only forum engaged in organized nationalistic hacking, but
it serves as a good example of how this recent extension of state warfare operates in
cyberspace. In addition to this forum, an IRC channel was created on irc.dalnet.ru,
called #stopgeorgia.
At StopGeorgia.ru, there was a distinct forum hierarchy wherein forum leaders provided the necessary tools, pinpointed application vulnerabilities, and provided general
target lists for other less-knowledgeable forum members to act upon.
Those forum members who pinpointed application-level vulnerabilities and published
target lists seemed to have moderate/high technical skill sets, whereas those carrying
out the actual attacks appeared to have low/medium technical sophistication.
Forum leaders analyzed the DoS tools and found them to be simple yet effective. Some
forum members had difficulty using the tools, reinforcing that many of the forum
members showed low/medium technical sophistication, but were able to carry out attacks with the aid of tools and pinpointed vulnerability analysis.
Counter-Surveillance Measures in Place
Forum administrators at both the well-known Russian hacker portal XAKEP.ru and
StopGeorgia.ru were monitoring who visited their respective sites and kept an eye on
what was being posted.
During one week of intensive collection activity at the XAKEP.ru forum, Project Grey
Goose analysts experienced two incidents that demonstrated that operational security
(OPSEC) measures were in effect.
Within hours after this author discovered a post on XAKEP.ru that pointed to a
password-protected forum named ARMY (http://www.stopgeorgia.ru), that link was
removed by the forum administrator.
After about a half-dozen Grey Goose analysts spent one week probing the XAKEP.ru
forum for relevant posts, all U.S. IP addresses were blocked from further forum access
(a 403 error was returned). This lasted for about 10 days before the block was lifted.
The StopGeorgia.ru forum also had to fend off attacks from Georgian hackers who had
temporarily taken down their forum and a “project site” from August 14–18, both of
which were hosted on a U.S. server owned by SoftLayer Technologies.
According to one conversation between two members of the StopGeorgia forum
(Alexander and CatcherMax), one Georgian hacker forum had over 10,000 members
and blocked access to it from all Russian IP addresses. For that reason, members frequently discussed the use of various proxy servers, such as FreeCap.ru.
The Russian Information War
The following document helps paint a picture of how Russian military and political
officials viewed the cyber component of the Russia-Georgia conflict of 2008.
Anatoly Tsyganok is a retired officer who’s now the director for the Center of Military
Forecasting at the Moscow Institute of Political and Military Analysis. His essay “Informational Warfare—a Geopolitical Reality” (http://en.fondsk.ru/article.php?id=1714)
was just published by the Strategic Culture Foundation. It’s an interesting look
at how the July and August cyber war between Russia and Georgia was viewed by an
influential Russian military expert. The full article discusses information warfare, but
this portion focuses on the cyber exchange:
Georgia was also the first to launch an attack in cyberspace. When Tskhinvali was shelled
on August 8 the majority of the South Ossetian sites were also knocked out. Later Russian
media including Russia Today also came under cyberspace attacks. The response followed shortly as the sites of the Georgian President, parliament, government, and foreign
ministry suffered malicious hacks. The site of Georgian President Saakashvili was simultaneously attacked from 500 IP-addresses. When the initially used addresses were
blocked, the attacks resumed from others. The purpose was to render the Georgia sites
completely inoperable. D.D.O.S. attacks overload and effectively shut down Internet servers. The addresses from which the requests meant to overload sites were sent were
blocked by specialists from the Tulip Systems, but attacks from 500 new addresses began
in just minutes. Cleaning up after a cyberspace attack took an average of 2 hours.
Part of what’s so interesting about this excerpt is Tsyganok’s choice of words. He clearly
states that Georgia launched a cyber attack against Russia first. This presents the attack
as a state action rather than a civilian one. He then carefully states the Russian response,
i.e., “the response followed shortly.” Since the subject of this exchange is two states
warring, “the response followed shortly” implies a state response rather than a spontaneous grassroots action of so-called hacktivists.
Tsyganok’s depiction of events manages to underscore the Russian government’s
practice of distancing itself from the nationalistic hacker community, thus gaining deniability while passively supporting and enjoying the strategic benefits of their actions.
The Foundation for Effective Politics’ War on the Net (Day One)
Pravda.ru printed an article by Maksim Zharov of the Foundation for Effective Politics
(FEP) entitled “Russia Versus Georgia: War on the Net—Day One” on August 9, 2008.
Zharov is also one of the authors of the book Chronicles of Information Warfare and
used to work for Nikita Ivanov, then deputy chief of the Administration for Interregional and Cultural Ties With Foreign Countries of the President’s Staff and supervisor
of the pro-Kremlin youth movements (i.e., Nashi). (Zharov earlier published (through
Yevropa) an instruction manual for bloggers who want to “fight the enemies of Russia”
in the blogosphere.)
The Foundation for Effective Politics is a Kremlin-friendly organization created by Gleb
Pavlovsky, one of the earliest adopters of the Russian Internet for state propaganda
purposes. You can read more on Pavlovsky and the FEP in Chapter 11.
Zharov comments on the use of the Russian youth movements to wage warfare on the
Net. This was repeated by the administrator of the StopGeorgia.ru forum in the following announcement to its membership on August 9, 2008, at 3:08 p.m.:
Let me remind you that on August 8, leaders of several Russian youth movements have
signed the statement which calls for supporters to wage information war against the
President of Georgia Michael Saakashvili on all Internet resources.
Zharov elaborates on this fact by referring to an event in the city of Krasnoyarsk where
a joint statement by the leaders of Russian youth movements announced:
We declare information war on the Saakashvili regime. The Internet should oppose
American-Georgian propaganda which is based on double standards.
He names Nashi as one such organization whose leaders have close ties with the Kremlin and whose members have been involved in these Internet wars, both in Estonia and
Georgia.
Internet warfare, according to Zharov, was started by Georgian hackers attacking South
Ossetian websites on August 7, one day before the Russian invasion.
The South Ossetian site http://cominf.org reported in the afternoon of August 7 that
because of a DDoS attack, the Ossetian sites were often inaccessible for long periods.
In order to relieve them, an additional site, tskhinval.ru, had to be set up. In addition,
a fake site of the Osinform news agency, http://www.os-inform.com, created by Georgia,
appeared.
Zharov’s personal preference for information about the Georgian war was LiveJournal,
known in Russian as ZhZh (Zhivoy Zhurnal), particularly the georgia_war community.
It contained, in Zharov’s words, “a fairly objective indicator of the state of affairs on
the Internet front, in which the most diverse opinions are published.”
One of the more interesting things that Zharov wrote in “Russia Versus Georgia: War
on the Net. Day Three,” published in Moscow Pravda.ru in Russian August 11, 2008,
was his conjecture about which nation had the capability to launch a DDoS attack of
the size seen during the five-day war:
In general, many people are forming the impression that these attacks are certainly not
the work of Georgian hackers.
And to be honest, I do not believe that the Russian military have a special service that
swamped all of the Georgian websites even more quickly on the very day of the unexpected attacks by the Georgians.
However, in the United States, such sub-units of cyber troops were created many years
ago (emphasis added).
So Zharov acknowledges their involvement in organizing an “information war” against
Georgia, but he completely ignores their involvement in the cyber war, and he instead
speculates that the only military force that has the capability of “swamping all of Georgian websites” so quickly is that of the United States. This serves as another example
of the Kremlin strategy in making the cyber war debate about military capabilities rather
than their use of Russian hackers and, of course, to paint the United States as the
aggressor whenever possible.
The Gaza Cyber War Between Israeli and Arabic Hackers During
Operation Cast Lead
Attacking Israeli websites has been a popular way for Palestinians and their supporters
to voice their protests and hurt their adversaries. Arab and Muslim hackers mobilized
to attack Danish and Dutch websites in 2006 during the Prophet cartoon controversy.
A small-scale “cyber war” also erupted between Shiite and Sunni Muslims in the fall of
2008, as predominantly Arab Sunni Muslims and Iranian Shiite Muslims worked to
deface or disrupt websites associated with one another’s sects.
The latest example of this occurred when Israel began a military assault on Hamas’s
infrastructure in Gaza on December 27, 2008, called Operation Cast Lead. After almost
a month into the operation, Palestinian officials declared the death toll had topped
1,000, and media reports carried images of massive property destruction and civilian
casualties. This provoked outrage in the Arab and Muslim communities, which manifested itself in a spike of anti-Semitic incidents around the world, calls for violent
attacks on Jewish interests worldwide, and cyber attacks on Israeli websites.
The exact number of Israeli or other websites that have been disrupted by hackers is
unknown, but the number is well into the thousands. According to one estimate, the
number reached 10,000 by the first week of January 2009 alone. Most attacks are simple
website defacements, whereby hackers infiltrate the site, leaving behind their own
graffiti throughout the site or on the home page. The hackers’ graffiti usually contains
messages of protest against the violence in Gaza, as well as information about the
hackers, such as their handles and country of origin. The majority of cyber attacks
launched in protest of Operation Cast Lead were website defacements. There is no data
to indicate more sophisticated or dangerous kinds of cyber attacks, such as those that
could cause physical harm or injury to people.
Impact
While media coverage focuses on the most high-profile hacks or defacements, this
current cyber campaign is a “war of a thousand cuts,” with the cumulative impact on
thousands of small businesses, vanity websites, and individual websites likely outweighing the impact of more publicized, larger exploits.
However, successfully compromising higher-profile websites not only brings more
public attention, it also compels businesses all over Israel to preventively tighten security, which costs money. For that reason the financial impact of infiltrating a few
larger corporate websites may be as important as disrupting thousands of smaller sites.
High-profile attacks or defacements between December 27, 2008, and February 15,
2009, include:
Ynetnews.com
The English language portal of one of Israel’s largest newspapers. The Morocco-based “Team Evil” accessed a domain registrar called DomainTheNet in New York
and redirected traffic from Ynetnews and other Israeli websites. Traffic was redirected to a site with a protest message in jumbled English. Ynetnews.com emphasized that its site had not actually been “hacked,” but that Team Evil obtained a
password allowing them to access a server. The Team then changed the IP addresses for different domain names, sending users attempting to access Ynetnews.com to a domain containing their message.
Discount Bank, one of the three largest banks in Israel, also had its website
also registered with DomainTheNet, and Team Evil switched its IP address just as
they did with Ynetnews.
Israel’s Cargo Airlines Ltd.
An Israeli airline defaced by hackers.
Kadima.org.il
The website of Israel’s Kadima party was defaced twice during this period.
DZ team, based in Algeria, was responsible for the first defacement, in which they
adorned Kadima’s home page with photos of IDF soldiers’ funerals, accompanied by messages in Arabic and Hebrew promising that more Israelis would die.
The second time occurred on February 13, 2009, three days after close parliamentary elections in which Kadima and Likud both claimed victory and hackers could
expect a spike in traffic to the Kadima website. Gaza Hacker Team claimed responsibility for the second defacement.
Ehudbarak.org.il (This URL is no longer active.)
Israeli Defense Minister and Deputy Prime Minister Ehud Barak’s website was
defaced by Iranian hackers who call themselves Ashianeh Security Team. The
group left a message in English reading “ISRAEL, You killed more than 800 innocent civil people in gaza. Do you think that you won’t pay for this? Stop War. If
you don’t we will continue hacking your important sites.”
http://www.102fm.co.il/
Hackers left images from Gaza, a graphic of burning U.S. and Israeli flags, and a
message calling for Israel to be destroyed on this Radio Tel Aviv website.
Israeli portals associated with the following multinational companies or product
lines were also defaced: Skype, Mazda, McDonald’s, Burger King, Pepsi,
Fujifilm, Volkswagen, Sprite, Gillette, Fanta, Daihatsu, and Kia.
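The Ynetnews and Discount Bank incidents above were not break-ins at the web servers: the registrar account was used to change which IP addresses the names pointed at, so nothing on the servers themselves changed. The following added example (not code from the book or from any of the companies named) shows the external check a site operator would want for that case: compare what the names currently resolve to against an allowlist of the addresses the operator actually owns, and classify the drift. The domain names, addresses and the resolver snapshot are constructed; the live lookup helper uses the system resolver.

```python
"""Detect a registrar-level redirect by comparing resolved A records to an
allowlist (added example with constructed data; not code from the book).

When a registrar or DNS account is abused, the web server is untouched, so
file-integrity monitoring on the server never fires. The only external signal
is that the name now resolves to an address the operator does not own.
"""
import socket
from dataclasses import dataclass

# Constructed allowlist of the addresses each name is supposed to resolve to.
# Names are placeholders and addresses come from the RFC 5737 test ranges.
EXPECTED_A = {
    "news.example": {"203.0.113.10", "203.0.113.11"},
    "bank.example": {"198.51.100.5"},
    "airline.example": {"192.0.2.40"},
}

# Constructed resolver snapshot standing in for what a monitoring probe saw.
OBSERVED_SNAPSHOT = {
    "news.example": {"192.0.2.99"},                   # every record replaced
    "bank.example": {"198.51.100.5", "192.0.2.99"},   # a foreign record added
    "airline.example": {"192.0.2.40"},                # unchanged
}


@dataclass(frozen=True)
class Finding:
    name: str
    allowed: frozenset
    unexpected: frozenset   # addresses seen that are not on the allowlist
    missing: frozenset      # allowlisted addresses that no longer appear


def compare_records(expected, observed):
    """Return one Finding per name whose observed A records differ from the allowlist."""
    findings = []
    for name, allowed in sorted(expected.items()):
        seen = set(observed.get(name, ()))
        unexpected = seen - allowed
        missing = allowed - seen
        if unexpected or missing:
            findings.append(Finding(name, frozenset(allowed),
                                    frozenset(unexpected), frozenset(missing)))
    return findings


def classify(finding):
    """Label the drift: 'redirected' when every legitimate address is gone and
    foreign ones appear (the registrar-hijack pattern), 'partial' when foreign
    addresses sit beside legitimate ones, 'missing' when records simply vanished."""
    if finding.unexpected and finding.missing == finding.allowed:
        return "redirected"
    if finding.unexpected:
        return "partial"
    return "missing"


def resolve_a(name):
    """Live lookup through the system resolver; builds a snapshot in the same
    shape as OBSERVED_SNAPSHOT. Not used by the offline demonstration."""
    return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}


def report(expected=EXPECTED_A, observed=OBSERVED_SNAPSHOT):
    """Map each drifting name to its classification, ready for an alert."""
    return {f.name: classify(f) for f in compare_records(expected, observed)}


if __name__ == "__main__":
    for f in compare_records(EXPECTED_A, OBSERVED_SNAPSHOT):
        print(f"{f.name}: {classify(f)} unexpected={sorted(f.unexpected)} "
              f"missing={sorted(f.missing)}")
```

Run from outside the organisation's own network so the probe sees the same answers the public does; a full replacement of every record is the pattern the registrar redirect produces, whereas a single added record more often indicates an ordinary infrastructure change that the allowlist has not caught up with.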
Overview of Perpetrators
Judging from the graffiti left behind on defaced websites, the most active hackers are
Moroccan, Algerian, Saudi Arabian, Turkish, and Palestinian, although they may be
physically located in other countries. Applicure Technologies, Ltd., an Israeli information security company, claims that some of the hackers are affiliated with Iranian
organizations, as well as the terrorist group Hezbollah. So far, however, neither the
messages left behind on defaced sites nor conversations among hackers on their own
websites explicitly indicate membership in Hezbollah or other Islamist groups. The
hackers involved do not have any unifying body organizing their activities, although
some of them congregate in certain specialized hacker forums.
Many active hackers during the current Gaza crisis are experienced. Some of them were
involved in the Sunni-Shiite cyber conflict that intensified in the fall of 2008. Others
have numerous apolitical hacks under their belts. Their participation in the current,
politically motivated hacking of Israeli websites is a reflection of their personal political
feelings and/or recognition of the increased attention that they can attract with Gaza-related hacks.
The majority of the graffiti left behind on Israeli websites contains images of the victims
and destruction in Gaza and exhortations to Israel and/or the United States to stop the
violence. The most common motivation of the hackers appears to be to draw attention
to the plight of the Palestinians in the Gaza Strip and to register their protest against
Israeli actions there. In the words of two hackers interviewed by a Turkish newspaper,
“Our goal is to protest what is being done to the innocent people in Gaza and show
our reaction. The reason we chose this method was our bid to make our voices louder.”
Motivations
The imagery and text left on defaced websites suggests the importance the hackers place
on sending messages to Israeli or Western audiences through their attacks. The owner
of a Palestinian graphic design company designed images for hackers to use in their
defacements. A hacker forum even held a competition to see who could come up with
the best designs to leave on Israeli websites, with monetary rewards for the winners.
Investigations into the hackers’ motivations have revealed the following:
Inflicting financial damage to Israeli businesses, government, and individuals
A message on the Arabic hackers’ site Soqor.net exhorted hackers to “Disrupt and
destroy Zionist government and banking sites to cost the enemy not thousands but
millions of dollars....”
Delivering threats of physical violence to an Israeli audience
One Moroccan hacker’s team posted symbols associated with violent Jihadist
movements and an image of an explosion, along with a threatening message for
Israelis.
Using cyber attacks as leverage to stop Operation Cast Lead
Many of the defacements contained messages indicating that attacks on Israeli sites
and servers would stop only when Israel stopped its violence in Gaza.
Fulfilling the religious obligation of Jihad
Some hackers couched their activities in religious terms, insisting that cyber attacks
were tantamount to fighting Jihad against Islam’s enemies. One hacker wrote, “Use
[the hacking skills] God has given you as bullets in the face of the Jewish Zionists.
We cannot fight them with our bodies, but we can fight them with our minds and
hands…. By God, this is Jihad.”
Achieving enhanced personal status among the community of hackers or improving one’s
personal position in rivalries or competitions with other hackers
Two of the hackers’ websites held contests to encourage productive competition
in hacking Israeli sites. Although there is much mutual encouragement and assistance on hackers’ websites, there are also signs of rivalry, with hackers defacing
each other’s websites and leaving critical or taunting messages.
Hackers’ Profiles
The following are brief profiles of some of the hackers involved. They were identified
by press reports or by the content of hacker websites as being the most active or high-profile hackers in the anti-Israel campaign.
Team Evil
Team Evil gained widespread notoriety for defacing thousands of websites in 2006 in
protest of Israel’s military activities in the Gaza Strip and Lebanon. The group defaced
more than 8,000 websites between June and November 2006. In addition to Israeli and
Western sites, this tally also included websites associated with the governments of
China, Saudi Arabia, and Indonesia. In all, Team Evil defaced 171 significant websites,
according to records on Zone-h, a website that serves as an archive of hacker exploits.
The team often left anti-Israel or anti-Semitic messages on their defacements, regardless
of the country of origin of the website.
Israel’s Ynetnews reported that Team Evil was responsible for the majority of damage
to Israeli websites in the first half of 2006, including sites belonging to banks, hospitals,
major companies, NGOs, and political parties. When Ynetnews contacted the group,
its members told the paper that they were Moroccan hackers who “hack into sites as
part of the resistance in the war with Israel.”
The group has resurfaced to take part in the current campaign against Israeli websites,
but it is not as active as it was in 2006. Its greatest recent accomplishment was to reroute
traffic from Ynetnews, Discount Bank, and other Israeli websites to a page with an anti-Israel message.
The Israeli IT security company Beyond Security released an extensive case study of
Team Evil’s 2006 attacks. Its report concluded that Team Evil demonstrated a higher
degree of technical skill than typically seen in similar groups. Given the skill and commitment it has previously demonstrated, it is unclear why Team Evil has not participated in the current campaign to a greater extent. It is possible the group is planning
something for the future.
Cold Zero (aka Cold Z3ro aka Roma Burner)
Cold Zero first gained notoriety for an attack on the Likud Party website in August
2008. He has since claimed responsibility for 5,000 website defacements, according to
Gary Warner, an expert in computer forensics. He has a profile on the Arabic Mirror
website, which lists 2,485 of these defacements. According to the Arabic Mirror site,
779 of these are related to the Gaza crisis.
Cold Zero is a member of Team Hell (discussed in the next section). Whereas most
members of Team Hell are Saudi, Cold Zero is a Palestinian and is proficient in Hebrew.
He runs a website at http://www.hackteach.net/.
Cold Zero is engaged in rivalries with other anti-Israeli hackers. He has hacked both
al3sifa.com and soqor.net, leaving messages criticizing their administrators. His own
website was also attacked by DNS Team, which we’ll discuss later.
According to a French language news source published on January 9, 2009, Cold Zero
was arrested by Israeli authorities. The news source identified him as a 17-year-old
Israeli Arab and reported that he appeared on January 6 before the Federal Court of
Haifa, where the Israeli Justice Department alleged that he attacked commercial and
political sites, mentioning the Likud Party website hack, as well as an attack on the
website of the Tel Aviv Maccabis basketball team. According to the same source, he
worked with accomplices in Turkey, Lebanon, Saudi Arabia, and elsewhere. He was
caught in a “honey pot” set up by authorities. Authorities also uncovered his identity
from a database stolen from Turkish hackers.
The information from this news report has not yet been corroborated by other sources.
The last hack for Cold Zero listed on the Arabic Mirror website was recorded on January
2, 2009, after a period of high activity, suggesting an abrupt interruption to his hacking
campaign. Zone-h records hundreds of websites hacked by Cold Zero in late December,
followed by a lull for one month. On January 29, 2009, Cold Zero returned with a
defacement of rival hackers DNS Team’s website. Cold Zero has committed no Israeli
or other website defacements after late December on Zone-h, lending credibility to the
report of his arrest.
Team Hell (aka Team H3ll and Team Heil)
The graffiti from many websites hacked by Cold Zero name him as a member of Team
Hell. Team Hell self-identifies as a Saudi-based hackers group, usually consisting of
Kaspersky, Jeddawi, Dr. Killer, BlackShell, RedHat, Ambt, and Cold Zero.
Team Hell’s politically oriented hacks include more than just Israeli sites. In April 2007,
Team Hell hacked Al-Nusra, a Palestinian-focused Jihadist website. They left a message
indicating they associated al-Nusra with religious deviancy. On websites they have
defaced, Cold Zero and Team Hell have expressed support for the secular, nationalist
Fatah party. This would explain why Team Hell would hack Al-Nusra, a Salafist-Jihadist website, even though it is also anti-Israel. The group has also defaced the website of the Syrian parliament.
Agd_Scorp/Peace Crew (aka Agd_Scorp/Terrorist Crew)
Agd Scorp/Peace Crew are Turkish hackers who defaced NATO and U.S. military
websites in response to Operation Cast Lead. On three subdomains of the U.S. Army
Military District of Washington website and on the NATO parliament site http://www.nato-pa.int,
the group posted a message reading: “Stop attacks u israel and usa! you
cursed nations! one day muslims will clean the world from you!” The group also used
an SQL injection attack to deface the website of the Joint Force Headquarters of the
National Capital Region.
Previously, the group has hacked websites belonging to a number of high-profile organizations, including the United Nations, Harvard University, Microsoft, Royal Dutch
Shell, and the National Basketball Association. They also attacked U.S. military websites earlier in 2008.
Jurm Team
Jurm Team is a Moroccan group that has partnered with both Agd_Scorp and Team
Evil. They have recently defaced the Israeli portals for major companies and products,
including Kia, Sprite, Fanta, and Daihatsu. Their members call themselves Jurm,
Sql_Master, CyberTerrorist, Dr. Noursoft, Dr. Win, J3ibi9a, Scriptpx //Fatna, and Bant
Hmida.
C-H Team (aka H-C Team)
C-H Team consists of two hackers or hacker teams: Cmos_Clr and hard_hackerz.
C-H Team targets Dutch and Israeli websites, leaving threatening messages in Hebrew
on the latter. Both team members are Algerian. Besides defacing sites, Cmos_Clr claims
to have used a variant of the Bifrost Trojan horse to break into Israeli computers, infiltrating 18 individual machines.
Hackers Pal
Hackers Pal is the administrator of the Hackers Hawks website and has claimed 285
defacements of Israeli websites. He is a supporter of the secular Fatah party.
Gaza Hacker Team
Gaza Hacker Team runs the website of the same name. It is responsible for defacing
the Kadima party website on February 13, 2009. The team consists of six members:
Lito, Le0n, Claw, Virus, Zero code, and Zero Killer.
DNS Team
DNS Team is an active Arab hackers team focused primarily on apolitical hacking.
However, it occasionally exhibits politically motivated attacks—targeting websites in
Denmark and the Netherlands during the fall of 2008 in retaliation for the cartoon
controversy, and it participated in recent anti-Israeli hacks. DNS Team maintains a
hacking and security forum at http://www.v4-team.com/cc/.
!TeAm RaBaT-SaLe! (aka Team Rabat-Sale aka Team Rabat-Sala)
Team Rabat-Sale (named after the two Moroccan cities of Rabat and Sale) is unique
because it has participated in this campaign and garnered press coverage without actually targeting Israeli websites. Instead, the group targets a variety of websites (probably opportunistic hacks; the group seems to specialize in websites using Linux) and
then leaves startling messages and Jihadist imagery. It may reason that if the whole
Western world is against the citizens of Gaza, any English-language website is a conduit
for their message. They have recorded 380 such defacements on the Arabic Mirror site
and 196 on Zone-h. Their members go by the aliases Mr. Tariklam, Mr. Sabirano, XDiablo, Mr. Konan, and Virus T.
Team Rabat-Sale’s graffiti features the message, “For the Kids of Gaza…This Hack iS
To DeFend Islam That Has Been Harrased by Denmark and USA and Israel.” The
defacement includes an image of a sword piercing a skull with a Star of David on it,
surrounded by skulls with the U.S., UK, and Danish flags superimposed on them.
On another Team Rabat-Sale defacement, a Jihadist anthem commonly used as the
soundtrack to insurgent videos plays in the background. It also features a picture of
Osama Bin Laden, as well as a Team Rabat-Sale group logo depicting a Kalashnikov
and crossed swords against a globe, with a Salafist flag waving from the barrel of the
weapon. It includes an image that may imply a threat against a tractor-trailer truck.
The photograph of the masked man with a laptop and a handgun by his side suggests
physical violence in addition to cyber mischief.
DZ Team
DZ Team consists of Algerian and Egyptian hackers who use the aliases AOxideA,
Maxi32, Skins, The Legend, Cyb3r-Devil, and The Moorish. It first made headlines in
April 2008 when it hacked the Bank of Israel website over Passover weekend. DZ Team
defaced several Israeli websites during Operation Cast Lead, including the Israeli portals of Volkswagen, Burger King, and Pepsi, the website of Israeli defense contractor
BVR systems, the Kadima party website, and the Hillel Yaffe hospital website. Videos
of the group’s successful defacements were posted to YouTube.
In an interview following its hack of the Bank of Israel site, members of the group
reached by the press claimed they were religiously motivated: “We do everything in the
name of Allah,” said one of them. Although one member of DZ team expressed support
for suicide bombers in the interview, another stressed that the group members were
not terrorists themselves. According to the interview, one member of the team specializes in creating Trojan horses, and another, a Hebrew-speaking Egyptian, specializes
in locating security breaches.
Ashianeh Security Group
The Iranian Fars News Agency reported that the Ashianeh Security Group hacked 400
Israeli websites, including the websites of the Mossad and Israeli Defense Minister Ehud
Barak. The group does not seem to participate in online hacker forums. It is possibly
state-supported.
Nimr al-Iraq (“The Tiger of Iraq”) and XX_Hacker_XX
Nimr al-Iraq provides advice and links to download tools on hacker forums, especially
the soqor.net forum. He is credited with updating the al-Durrah distributed denial of
service tool for use during Operation Cast Lead (see the next section, “Methods of
Attack”). He also provided links to download a remote access tool (RAT) program
called hackattack, which permits hackers to gain remote control of another person’s
computer. According to his profile on soqor.net, Nimr al-Iraq is a 22-year-old Iraqi
named Mohammed Sattar al-Shamari and is listed as a former moderator on that site.
XX_Hacker_XX is a moderator on soqor.net, and like Nimr al-Iraq, he provides advice
and links to download tools, such as RAT programs. He is the moderator of the “hacking programs” section of the soqor.net website. His profile describes him as an 18-yearold from Kuwait.
Methods of Attack
Analysis of discussions on Arabic hacker forums and general pro-Jihad forums indicates
that anti-Israeli hackers would like to carry out serious cyber attacks against Israeli
targets. However, they do not have a demonstrated capability to carry out such attacks,
and their actions have been limited to small- to mid-scale denial of service attacks and
mass website defacement attacks. They may also have attempted to compromise individual computers via Trojans, particularly the Bifroze Trojan, a variant of which was
developed by members of the 3asfh hacker forum. Additionally, they talk of the desire
to use viruses against Israeli computers, although the kind of viruses under discussion
are relatively old and many computers would already have been updated with protections against them.
Distributed denial of service (DDoS) capability
Muslim hackers are using both indigenously developed and borrowed DDoS tools and
making them available for download on hacker forums. One tool, named after Mohammed al-Durra, a Palestinian child allegedly shot and killed by Israeli soldiers in
2000, was first developed in 2006. An updated version has been provided by Nimr al-Iraq for use in the current conflict.
With the al-Durra program, a user voluntarily downloads the program and then checks
to see which target websites are on Arabic hacker forums. He then plugs in the target
and the program will repeatedly send requests to it. When a sufficient number of people
utilize the al-Durra program against a site, they can overwhelm it and bring it down.
Other DDoS tools developed by hackers outside this community, such as hack tek, are
also being used.
Such tools do not require sophisticated technical skills or training. This makes them
useful in a political dispute such as the Gaza crisis, when there is a very large global
community willing to assist in cyber attacks against Israel but not necessarily skilled
enough for more sophisticated attacks.
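Tools of the al-Durra kind produce a very recognisable footprint on the target: a set of sources, each issuing far more plain HTTP requests per second than any human visitor. The added example below (not code from the book or from any of the tools it names) shows the detection a site operator would run over an ordinary Common Log Format access log: bucket requests into fixed time windows, count per source, and report the sources whose peak exceeds a threshold, distinguishing a single noisy client from a distributed flood. The log lines, addresses and thresholds are constructed for the demonstration.

```python
"""Flag request floods in a web access log (added example, constructed data).

Volunteer DDoS tools make many participants hammer one site with plain HTTP
requests. On the receiving side that shows up as a handful of sources each
issuing far more requests per time window than a real visitor. This script
buckets a Common Log Format file into fixed windows and reports the sources
that exceed a per-window threshold.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["req"]


def flood_sources(lines, window_seconds=10, threshold=20):
    """Map each source IP to its peak request count in any fixed window,
    keeping only the sources whose peak reaches the threshold."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue   # skip malformed lines rather than abort the sweep
        ip, ts, _ = parsed
        bucket = int(ts.timestamp()) // window_seconds
        counts[(bucket, ip)] += 1
    peak = defaultdict(int)
    for (_, ip), n in counts.items():
        peak[ip] = max(peak[ip], n)
    return {ip: n for ip, n in peak.items() if n >= threshold}


def is_distributed(offenders, min_sources=3):
    """A flood is 'distributed' when several independent sources trip the threshold;
    a single offender is more likely a scraper or a misconfigured client."""
    return len(offenders) >= min_sources


def _log_line(ip, ts, request, status=200, size=512):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{request}" {status} {size}'


def build_sample_log():
    """Constructed log: three flood sources at 3 req/s for 10 s, plus three
    ordinary visitors and one malformed line. Addresses are RFC 5737 test ranges."""
    base = datetime(2009, 1, 5, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for sec in range(10):
        for ip in ("198.51.100.7", "198.51.100.8", "203.0.113.25"):
            lines.extend(_log_line(ip, base + timedelta(seconds=sec), "GET / HTTP/1.1")
                         for _ in range(3))
    for i, ip in enumerate(("192.0.2.11", "192.0.2.12", "192.0.2.13")):
        lines.append(_log_line(ip, base + timedelta(seconds=i), "GET /news HTTP/1.1"))
        lines.append(_log_line(ip, base + timedelta(seconds=i + 4), "GET /style.css HTTP/1.1"))
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    offenders = flood_sources(build_sample_log())
    for ip, n in sorted(offenders.items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} requests in one 10 s window")
    print("distributed flood" if is_distributed(offenders) else "single-source burst")
```

The per-window threshold has to be tuned against a baseline of normal traffic for the site; the value used here is only for the constructed sample. The offending addresses feed a rate limit or block list, and the distributed/single-source split decides whether that list is worth pushing upstream to the hosting provider.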
Website defacements
The hackers download vulnerability scanners from hacker forums to find websites with
exploitable vulnerabilities. On the Arabic language forums, they have discussed using
a few different methods, including SQL injection, cross-site scripting (XSS), and other
web server software vulnerabilities.
In most cases, they are reusing previously released exploit code to attack known vulnerabilities that the scanners identify. This is somewhat more difficult than the denial
of service attacks, but it is still not considered sophisticated within the larger spectrum
of hacking activities. The vulnerabilities being exploited by these hackers have already
been identified, and patches and updates have been released to fix them. The only
websites that are still susceptible are those whose administrators have been lax in updating their software and downloading patches. There is no evidence that this community is locating “zero day” vulnerabilities—those that have not yet been
discovered—at this time.
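The two flaw classes the forums discussed, SQL injection and cross-site scripting, have the same root cause: untrusted input is spliced into a string that another interpreter (the database or the browser) then parses. The added example below (constructed, with an in-memory SQLite table; not code from the book or from any site it names) shows each flaw in its vulnerable form beside the fix, so the reason the patched sites were immune is visible in the code: bound parameters keep data out of the SQL text, and output encoding keeps data out of the HTML.

```python
"""SQL injection and XSS, each in a vulnerable form beside the fix
(added example with a constructed in-memory database; not code from the book).
"""
import html
import sqlite3


def make_db():
    """Constructed user table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('editor', 'fakehash-editor')")
    return conn


def login_vulnerable(conn, username, password_hash):
    """Builds the query by string formatting, so a quote character in either
    field rewrites the WHERE clause instead of being compared as data."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchone()


def login_hardened(conn, username, password_hash):
    """Bound parameters: the driver passes the values separately from the SQL
    text, so they can only ever be compared, never parsed."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()


def render_comment_vulnerable(text):
    """Reflects user text straight into markup; a tag in the text runs in
    every visitor's browser (the stored-XSS defacement pattern)."""
    return f"<p class='comment'>{text}</p>"


def render_comment_hardened(text):
    """Escapes the HTML metacharacters before interpolation, so the text is
    displayed rather than interpreted."""
    return f"<p class='comment'>{html.escape(text)}</p>"


def demo():
    """Exercise both pairs with the textbook probe strings and return a summary
    dict so the behaviour can be checked without inspecting printed output."""
    conn = make_db()
    bypass = "' OR '1'='1"                 # constructed SQL probe string
    tag = "<script>alert(1)</script>"      # constructed markup probe string
    return {
        "vuln_login_bypassed": login_vulnerable(conn, "editor", bypass) is not None,
        "hardened_login_bypassed": login_hardened(conn, "editor", bypass) is not None,
        "vuln_html_has_tag": "<script>" in render_comment_vulnerable(tag),
        "hardened_html_has_tag": "<script>" in render_comment_hardened(tag),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable login accepts the probe because the formatted query reads `password_hash = '' OR '1'='1'`, which is true for every row; the hardened version compares the whole probe string against the stored hash and finds no match. The same separation of data from code is what a patch for a known web-application flaw typically restores, which is why only unpatched installations were still exposed.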
Viruses and Trojans
Hacker forums reveal a desire to use viruses against Israeli targets, but there is no evidence of success thus far. A couple of hackers have boasted of successfully using Trojans
and RATs to gain wide access to individual Israeli computers. This could give them the
ability to capture passwords and other important data, facilitating financial crime and
harassment. However, there is not yet much evidence that they have been successful
with these tools.
Israeli Retaliation
Israel and its supporters have also participated in this cyber conflict in a couple of ways.
The Israeli government is behind an effort to recruit supporters who speak languages
other than Hebrew—mostly new immigrants—to flood blogs with pro-Israel opinions.
The Israel Defense Forces has hacked a television station belonging to Hamas. Supporters of Israel have also been hacking pro-Palestinian Facebook groups, using fake
login pages and phishing emails to collect the login details of group members.
According to the administrators of Gaza Hacker Team, pro-Israel activists are also
pressuring hosting companies to cut off service to hacker websites. After the Gaza
Hacker Team defaced the Kadima party website, they reported that their U.S. hosting
company denied them service after being subjected to “Jewish” pressure.
Perhaps the most creative tactic employed by Israel’s supporters is the development of
a voluntary botnet. Developed by a group of Israeli hacktivists known as Help Israel
Win, the distributed denial of service tool called Patriot is designed to attack anti-Israel
websites.
Once installed and executed, Patriot opens a connection to a server hosted
by Defenderhosting.com. It runs in the background of a PC and does not have a configurable user interface that would allow the user to control which sites to attack.
Rather, the server at Defenderhosting.com likely updates the client with the IP addresses to target.
Help Israel Win describes itself as “a group of students who are tired of sitting around
doing nothing while the citizens of Sderot and the cities around the Gaza Strip are
suffering….” Their stated goal is to create “a project that unites the computer capabilities of many people around the world. Our goal is to use this power in order to disrupt
our enemy’s efforts to destroy the state of Israel.” The Help Israel Win website is registered to Ron Shalit of Haifa, Israel.
Control the Voice of the Opposition by Controlling the Content
in Cyberspace: Nigeria
Cyber wars are not always fought between states or between non-state actors; sometimes they are fought between a government and its political opponents. This is
precisely the case in Nigeria where the Information Minister Dora Akunyili, with the
support of Nigeria’s President Umaru Yar’adua, has launched a $5 million campaign to support and create government-friendly websites. The objective, according to
a June 16, 2009, news report filed by Saharareporters, is “to do everything to ensure
that websites like yours (saharareporters.com) and others are stopped from taking root
in Nigeria.”
28 | Chapter 2: The Rise of the Non-State Hacker
Additionally, the plan calls for paying forum administrators to create discussion threads
on topics devised by Akunyili that will serve to cast the administration in the most
favorable light.
A third plank of the plan accelerates the arrest and detention of opposition bloggers at
airports or other entry points into Nigeria. Civil actions against negative posters could
include the filing of a libel lawsuit against them by the government.
Are Non-State Hackers a Protected Asset?
It would seem so. Instances of prosecution of Russian or Chinese hackers involved in
foreign website attacks are so few as to be statistically insignificant. A news article
written by Xinhua News Agency writers Zhou Zhou and Yuan Ye entitled “Experts:
Web Security a pressing challenge in China” for China View (August 8, 2009) describes
the pervasive security challenges facing China’s online population, which numbers almost
340 million. The only illegal acts prosecuted by the PRC are online attacks causing
financial harm to China; for example, two men from Yanbian County in Jilin Province
were recently arrested and prosecuted for breaking into online banking systems and
stealing 2.36 million yuan ($345,269 U.S.). All other types of attacks, according to Li
Xiaodong, deputy director of the China Internet Network Information Center
(CNNIC), fall into a “grey area.”
Similarly, in the Russian Federation, the police are interested only in arresting hackers
for financial crimes against Russian companies. Hacking attacks cloaked in nationalism
are not only left unprosecuted by Russian authorities but are actively encouraged through
their proxies, the Russian youth associations and the Foundation for Effective Policy.
CHAPTER 3
The Legal Status of Cyber Warfare
Although cyber warfare has been around for a decade or so, it still has not been well
defined. As of this writing, there is no international treaty in place that establishes a
legal definition for an act of cyber aggression. In fact, the entire field of international
cyber law is still murky.
The NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE) published a
paper on the subject in November 2008 entitled “Cyber Attacks Against Georgia: Legal
Lessons Identified.” In it, the authors discuss possible applicability of the Law of Armed
Conflict (...