OpGTMO Campaign Fuses Cyber and Kinetic Protests

We’ve talked previously about the linkages between cyber intelligence and physical warfare. But when we saw the recently executed Operation Guantanamo (#OpGTMO) campaign by Anonymous that culminated this past weekend, it was clear that there are related signals that tie together physical and digital social movements.

The OpGTMO campaign provides an example of how to pick up clues of impending hacker campaigns and intentions as well as evaluate the potential for converging physical and digital demonstrations. Let’s start with the earliest indicator of #OpGTMO:

OpGitmo Twitter Account

The image above shows a “parked” Twitter account created on May 4 using variable spelling – “OpGitmo” – to hold the online property as well as redirect errant spellers to Anonymous’ impending campaign: #OpGTMO. Note: solid material for a real-time alert that should be put in place by all of you open source cyber analysts!

The chosen campaign tag of #OpGTMO matches the name of Guantanamo’s military base operator Joint Task Force Guantanamo (JTF-GTMO) rather than the colloquial “Gitmo”. Although misspellings caused consternation among some supporters, the handle of choice was ultimately successful in dominating the conversation:

OpGTMO vs OpGitmo

Credit to Topsy for data and chart

From Social Media Awareness to Mainstream Attention

For the purposes of further investigation, we’ll consider #OpGTMO and #OpGitmo conflated. This took place early on via positioning by Anon mouthpieces on Twitter, and over the course of the campaign, the intentions behind use of one or the other appear indistinguishable.

So, from the first parking of the “OpGitmo” account on May 4, the first tweet from the Operation Guantanamo account appeared early in the morning Eastern time on May 5. A video posted to YouTube followed on May 6, and Russia Today was the first mainstream source to report on the campaign. Use of the actual terms #OpGTMO or #OpGitmo was, unsurprisingly, largely found on the social web:

OpGTMO Timeline


The volume of mainstream coverage mentioning the campaign tag #OpGTMO is insignificant compared to the mentions in social media. You can see this clearly in the timeline above that is colored by media category. Non-social channels often referred to the Anonymous campaign by the more formal “Operation Guantanamo”.

But if shutting down the Guantanamo detention center was the stated goal of Anonymous then how did the operation do? Aside from the obvious answer – the facility has not been immediately closed – we should consider the mainstream coverage and public attention to the Guantanamo facility and ongoing hunger strikes that #OpGTMO achieved.

To gauge this attention, we’ll step back from the folksonomy tags of #OpGTMO and #OpGitmo and use Recorded Future to look at mainstream coverage of Guantanamo issues at large.

Guantanamo Mainstream Coverage


As you can see in the above timeline spanning two months between March 22 and May 22, the level of mainstream media attention to Guantanamo issues during mid-May is the third highest during the period. The only points in time when Guantanamo drew more media attention than these past few days: detainees being placed in individual cells in mid-April and news that the number of hunger strikers topped 100 on April 27.

The reasons for this recent bump in mainstream attention are even more interesting to evaluate as we consider any achievements of OpGTMO. First of all, a portion of recent media coverage had nothing to do with Anonymous; news of the Pentagon’s request for funding to upgrade the prison hit just after the OpGTMO “twitterstorm” on May 17-19.

However, a share of the bump in coverage can be attributed to physical protests and the specter of cyber attacks leading to the shutdown of Guantanamo’s Wi-Fi service.

From Digital to Physical Protests

In the end, it wasn’t just the social media efforts of Anonymous that drove recent conversations related to Guantanamo during the build up and conclusion of #OpGTMO. Responsibility for coordination and amplification of the cause was taken up by activist organizations starting on Day 1, and physical protests representing #OpGTMO took place from Los Angeles to DC to Dublin to Sydney.

You’ll notice protest events in these and other locations as well as reporting on events led by CODEPINK and members of chapters of the Occupy community in the network graph.

OpGTMO Protest Network


The breadth of OpGTMO comes as no surprise to loyal readers of ours already familiar with the distributed and cooperative cyber attacks as part of OpIsrael and OpUSA. This was just the latest in Anonymous’ series of “Op” campaigns, and it’s a near certainty that this won’t be the last time we see such broad coordination for its causes of choice. We’ll watch closely for the reaction to President Obama’s speech on national security planned for tomorrow that is expected to address the future of Guantanamo Bay prison.

Learn more about how Recorded Future’s Web Intelligence products can improve your cyber threat assessment.


IED Trends: Turning Tennis Balls Into Bombs

Terrorists are relentlessly evolving tactics and techniques for IEDs (Improvised Explosive Devices), and analyzing reporting on IEDs can provide insight complementary to HUMINT on emerging militant methods. Preparing for an upcoming webcast with our friends at Terrogence, we found incidents using sports balls, particularly tennis balls and cricket balls, more frequently appearing as a delivery vehicle for explosives.

When we break these incidents from the last four months down by location, the city of Karachi in southern Pakistan stands out as a hotbed. There is also evidence that this tactic is being embraced around the globe as you can see sports balls fashioned into bombs found from Longview, Washington in the United States to Varanasi in India.

We can use Recorded Future’s Web Intelligence platform to plot out the locations where incidents have recently occurred as well as the frequency and timing.

Timeline Sports Ball Bombs


You can click the timeline above for an interactive view of the reporting on these issues or join us next week to hear an in-depth discussion on analyst methodology for combining broad web-scale OSINT and deep vertical intelligence with OSINT and Virtual HUMINT.

Upcoming Webcast: Counter-IED Insight from Web Intelligence

Reminder: Join Recorded Future and Terrogence on May 23 for a webcast on applying Web Intelligence to counter-IED research. The discussion will illustrate a Web Intelligence workflow that leverages both broad web-scale OSINT and deep vertical intelligence with OSINT and Virtual HUMINT. Register here.


When Governments Throttle the Web: Timeline of Internet Blackouts

Cutting internet access has proven to be a favorite, if ineffective and costly, tactic for under fire dictators in recent years as social movements coalesce on the web. But the larger dominoes of the Arab Spring – Egypt, Libya, and Syria – aren’t the only states to experience internet blackouts as attempted crowd control.

We’ve put together a timeline using Recorded Future that shows internet cut offs by country between 2007 and 2013. Click the image for an interactive look:

Internet Cut Off Timeline 2007 to 2013


To call out a few events that predate the Arab Spring internet blackouts in Egypt and Libya as well as the ongoing disruptions in Syria:

  • Internet access in Myanmar was cut off on Sept. 28, 2007, two days after troops opened fire on pro-democracy protesters and images of the crackdown were plastered on Web sites.
  • For nearly the entire second half of 2009, the inhabitants of China’s Xinjiang region were cut off from the Internet as part of an attempt to stifle civic unrest.
  • On Feb 10, 2010, Iranian authorities drastically reduced internet service in the country, cut off text messaging services and even cracked down on Google.

The challenges these internet blackouts pose are many: from increased insecurity for those on the ground to a likely rash of misinformation for the global community. But as Jim Cowie, CTO of Renesys, was quoted by NBC News: “Taking away the Internet brings attention to people’s protests in a way that the protests by themselves can’t muster… How do you make everybody care? Turn off the Internet.”


How Inspire Magazine Uniquely Motivates Acts of Terrorism

Note: Massive thanks to Dr. Jarret Brachman for his guidance and support in putting together this post. He’s one of the best out there studying violent extremism, and we recommend that you check out his book Global Jihadism: Theory and Practice and follow him on Twitter.

The Boston bombing investigation continues to reveal new information on the two primary suspects, but quietly reported last Friday was the discovery of jihadi propaganda Inspire Magazine - produced by al-Qaeda in the Arabian Peninsula (AQAP) - on a computer belonging to the elder Tsarnaev brother’s widow. The publication, particularly its first issue containing instructions for building a pressure cooker bomb, was spotlighted as a possible resource immediately after the bombings. The news that the Tsarnaevs possessed Inspire, whether it directly influenced their actions or not, serves as evidence of the AQAP magazine’s reach and visibility in the jihadist community.

Now, Max Fisher at the Washington Post rightly pointed out that Inspire is not the only place to find such information; so, why exclusively call out and analyze Inspire? What makes the magazine so intriguing from a counter terrorism perspective is its seemingly unique ability to spur people into action.

There are many places where you can learn to build a destructive device; there are far fewer that emotionally instigate actual mass killing operations. As communication scholars at Arizona State University have explained, some of al-Qaida’s most effective pied pipers have been able to link widely accepted collections of stories or “master narratives” (“insult to Islam” or “support of Israel”) to challenges being faced in specific geographic locations (“local narratives”) and then to calls for individual-level action, such as using pressure cookers, knives on trucks, etc.

Narrative as the Hook

Instructions for IEDs are typically uninteresting when disconnected from incentive. Where Inspire has proven competent is living up to its name and making an act of terrorism accessible to the radicalized malcontent without an army. Take the following excerpts from Inspire #2 and Inspire #10 respectively:

Inspire #2 (October 2010): This idea could be implemented in countries like Israel, the U.S., Britain, Canada, Australia, France, Germany, Denmark, Holland and other countries where the government and public sentiment is in support of the Israeli occupation of Palestine, the American invasion of Afghanistan and Iraq or countries that had a prominent role in the defamation of Muhammad. In such countries we may strike at the public at large. As long as they target our noncombatants, we will target theirs. This is one of many ways to implement this idea. You may modify it and add or subtract to it according to what is suitable for your particular conditions.

and…

Inspire # 10 (March 2013): The French crusade on Mali is certainly connected to the historic crusades, and definitely its result won’t defer from its predecessors. So, why is France so thick in learning from its past mistakes? Is it leaving Paris undefended once again to engage in a war away from home? Woe upon you from tens of Muhammad Merah!

As you can see, there’s a heavy dose of “why” one should be willing to carry out an attack in the name of Islam. Providing a narrative, whether it be insult of Muhammad, occupation of Palestine, or American wars, loads the rest of the instructions with emotion. Next in the process is localizing the capacity for an attack.

Localizing a Mission

Map of Inspire Magazine Targets


The above map created using Recorded Future details all of the countries mentioned in the ten issues of Inspire Magazine. As you can see, there are very specific actions tied to distinct locations following the explanation and rationalization for an attack. Pulling examples from above:

  • From Inspire #1 – On the other hand, there were some completely misguided efforts such as those of some of the callers to Islam who paid a visit to Denmark along with young Muslim boys and girls to start a dialogue in order to build bridges of understanding between the Muslims and the people of Denmark! It is not enough to have the intention of doing good. One must do good in the proper way. So what is the proper solution to this growing campaign of defamation? The medicine prescribed by the Messenger of Allah is the execution of those involved.
  • From Inspire #2 – This idea [to use a pickup truck as a mowing machine] could be implemented in countries like Israel, the U.S., Britain, Canada, Australia, France, Germany, Denmark, Holland and other countries…
  • From Inspire #9 – Choosing the targeted country [for an ember bomb]: This is done according to the basis of weather this country or that is at war with Islam and Muslims… Leading the list of the countries that are waging this war is America, Britain and Israel. Then comes the NATO’s countries and whoever enter into their alliance. The targeted areas must be in the land of Kuffr but away from Muslims populated areas so that damage is only restricted to the people of Kuffr.

So after two steps, Inspire has outlined the “why” and the “where” to make attacks both emotionally and locally relevant. The final step is convincing a reader that they can do this on their own, which brings us back to the instruction manuals that have drawn much of the mainstream media’s attention.

Blueprints for DIY Destruction

Inspire Mowing Machine Timeline


Instructions for individually organized attacks and homemade weapons of mass destruction are a recurring feature in Inspire. The timeline above shows plots that have been connected to a description of the “human mowing machine” in Inspire – though not necessarily examples of an attack actually being put into practice that we can confirm – from the publication’s second issue:

You would need a 4WD pickup truck. The stronger the better. You would then need to weld on steel blades on the front end of the truck. These could be a set of butcher blades or thick sheets of steel. They do not need to be extra sharp because with the speed of the truck at the time of impact, even a blunter edge would slice through bone very easily. You may raise the level of the blades as high as the headlights. That would make the blades strike your targets at the torso level or higher.

There have been instructions for other devices and tactics ranging from pressure cooker bombs and remote detonation to fire bombing forests and igniting parked vehicles. The above visualization shows how we can look for and analyze events that fit the model and have been tied to it in public discourse, which in some ways, may help to further amplify the utility of certain sections whether or not they were initially inspired by the magazine.

Conclusion

This narrative style used by Inspire becomes the perfect storm for individual acts of violence: an argued “moral” obligation to act on behalf of Islam and Muslims around the world; the declaration of “ideal” target locations for particular kinds of attacks; and finally, the piece-by-piece instruction of how to construct the necessary weaponry. Tools for analyzing the original text of Inspire alongside open source information on events connected to the publication’s recommendations can be useful in understanding its resonance in the jihadi community.


Pattern of Life and Temporal Signatures of Hacker Organizations

Observing an organization or person by their activities can provide interesting clues about who and where they actually are. These clues can include targets, methods, tools, language, etc. This is true in both the physical and cyber world. In this post we will look at the temporal signature of activities by hacker groups and use those to discern their pattern of life – basically their work week – for matching with national work weeks/schedules. Top level conclusion? Different groups have different temporal signatures that could potentially be used to differentiate between those on very regular schedules – i.e. working a desk job (nation state?) – and those on nights/weekend schedules – independent hackers? – as well as to establish their geographic location.

Temporal analysis has long played a part in cyber defense. For example, Bob Gourley, who was the Director of Intelligence for a new (at the time) military unit responsible for defending all DoD networks, indicated in a conversation with me that the initial Moonlight Maze intrusion set matched up very well with working hours in Moscow. This was just one of many other factors that pointed to Russian involvement, but it helped orient analysts.

Another example is how Mandiant used observations of hacker team activity as one signal indicating that a group is Chinese (or in other countries in the same time zone):

“Hacker teams regularly began work, for the most part, at 8 a.m. Beijing time. Usually they continued for a standard work day, but sometimes the hacking persisted until midnight.”

KPMG calls out in their Cyber threat intelligence and the lessons from law enforcement report:

“Time: Are there any temporal patterns regarding cyber attacks and, similarly, are your information assets more vulnerable at certain times?”

Sample world wide work week patterns

A quick summary of work week data from Wikipedia gives us the following picture of work weeks around the world:

Global Weekend Calendar

Work Week Calendar

Analyzing hacker groups given work week as baseline

Now given the above temporal signatures – can we say anything about various hacker groups? We’ll find out using the Recorded Future data set, and in particular 250,000 cyber threat events involving various groups and individuals and times of attacks all collected from open web sources ranging from Twitter and other social media to government sites to hacker forums to regular news in 7 different languages.

We’ve taken all the time points of the events and transformed them to day of week so that we can determine what days various groups activate and other patterns.

Below we look at a series of hacker groups – Syrian Electronic Army, Anonymous, Al Qassam Cyber Fighters, Lulzsec, Zcompany, and TeaMp0ison – versus a large group of other cyber events that fall either with other groups (nation states, individuals, and other groups) or among non-attributed attacks. Our data collection harvests open source data, so obviously, there is potential for skewing towards more media oriented groups (e.g. Anonymous, and yes, we have more data on them), but given that we’re looking at the pattern, not the volume, this should be less of an issue.

Temporal Patterns of Cyber Attacks


The graph above visualizes weekday distribution for each group. A statistical test for non-random distribution is at the very bottom of the post.

Group-by-group observations

  • Syrian Electronic Army

    • Activates right after Syrian weekend. Between actual name and pattern of life/temporal signature this certainly indicates a group located in Syria that takes time off during the weekend, i.e. potentially a state sponsored group on a paid schedule.

  • Anonymous

    • Anonymous interestingly peaks in activity during the weekend, which indicates that they are mostly students or western people with “normal jobs” that use weekends for hacking. A good example would be how Reuters recently fired an alleged Anonymous member, who probably had a busy regular workweek. We will be back to take apart the temporal signature by various Anonymous groups around the world.

  • Al Qassam Cyber Fighters

    • Al Qassam Cyber Fighters activates on Mondays and Wednesdays. Given their focus on hitting US and European banks this could make a lot of sense: hit them Monday morning when online banking activity picks up. But you could also argue that the pattern indicates activating after Saturday, i.e. a regular state-employed hacker week in the Middle East.

  • Lulzsec

    • Lulzsec (the breakout group from Anonymous) is interestingly enough completely inverted in its temporal signature from Anonymous. It peaks on Wednesday (and this is across many observations.) This might just be the peak of internet traffic…

  • ZCompany

    • Fits the “modern Islamic country” calendar perfectly: key activity is Monday-Thursday with little activity Friday-Sunday. The organized work schedule may indicate a state actor/paid schedule. It could also point to Pakistan, which aligns with ZCompany’s targeting of India.

  • TeaMp0ison

    • This rival group to Lulzsec activates Tuesday-Wednesday. Its targeting is inconsistent but includes anti-Islamic targets.

Cross correlation analysis

There is great potential for cross correlation analysis here:

  • Compare activity with temporal signatures other than the work week such as Thanksgiving, Christmas break, Spring break, Ramadan, etc.

  • Compare group activity to their Twitter patterns through the use of http://sleepingtime.org/. Potentially a very insightful cross-correlation to be had with this data, for example, TeaMp0ison – http://sleepingtime.org/teamp0ison.

  • Correlate with other pattern of life variables: targeting, human language used, people association, etc.

  • Correlate/normalize vs. general internet activity per country potentially with Internet Census data. Likewise, the data from HoneyNet would be powerful to mash up and investigate.

  • If you had access to proprietary IP level data of attacks by these groups you could obviously cross-correlate those activities in a very powerful way. Unfortunately, such data is less readily available to the public.

Conclusion

Temporal signatures can be helpful in developing pattern of life analysis on groups in cyberspace. Obviously it’s only one signal, but potentially a quite interesting one.

Appendix – comments on data and analysis

  • Data is from Recorded Future collection activities; explore interactively at www.recordedfuture.com

  • Time stamp is event time, which should be time of event. However, given the nature of cyber attacks it could very well be time of discovery/publication.

  • There are multiple normalizations that could be done to this data – both within the domain of cyber events as well as normalization vs. a total event metric – and we will be back with that.

  • As a statistical test we did a chi squared test on the likelihood that day of week is unrelated to a cyber attack. Results below – day of week is significant for all groups except for ZCompany.

Statistical Significance

Anonymous.p.value                0.000000e+00
Lulzsec.p.value                  1.859388e-155
Qassam Cyber Fighters.p.value    1.012541e-09
Syrian Electronic Army.p.value   1.349523e-17
TeaMp0ison.p.value               8.786394e-07
ZCompany.p.value                 7.409912e-02
Untagged.p.value                 0.000000e+00

Events by Group per Day

                            Su     Mo     Tu     We     Th     Fr     Sa
Anonymous                 5199   3631   3394   4079   5890   4321   6587
Lulzsec                    456    488    628    924    257    389    208
Qassam Cyber Fighters       59     91     51     75     37     43     28
Syrian Electronic Army      75     82     51     46     39     22      8
TeaMp0ison                   1      6     13     17     26      6      8
ZCompany                     1      4      8      6      6      1      2
Untagged                 31629  50451  51697  53206  53699  46981  37949
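The chi-squared test mentioned in the appendix, as an added example that is not part of the original post: a goodness-of-fit test of each group's weekday counts against a uniform week, which reproduces the p-values listed above for the smaller groups. The function names, the 0.05 threshold and the low-expected-count flag are assumptions of this example.

```python
import math

# Events by group per day (Su..Sa), copied from the table in the post.
EVENTS = {
    "Anonymous":              [5199, 3631, 3394, 4079, 5890, 4321, 6587],
    "Lulzsec":                [456, 488, 628, 924, 257, 389, 208],
    "Qassam Cyber Fighters":  [59, 91, 51, 75, 37, 43, 28],
    "Syrian Electronic Army": [75, 82, 51, 46, 39, 22, 8],
    "TeaMp0ison":             [1, 6, 13, 17, 26, 6, 8],
    "ZCompany":               [1, 4, 8, 6, 6, 1, 2],
    "Untagged":               [31629, 50451, 51697, 53206, 53699, 46981, 37949],
}


def chi2_sf_even_df(x, df):
    """Upper-tail probability P(X >= x) for chi-squared with even df.

    For df = 2m the tail has the closed form
    exp(-x/2) * sum_{k=0}^{m-1} (x/2)^k / k!, so no stats library is needed.
    Very large statistics underflow to 0.0, as in the post's output.
    """
    if df <= 0 or df % 2:
        raise ValueError("closed form only valid for positive even df")
    half = x / 2.0
    term = total = 1.0
    for k in range(1, df // 2):
        term *= half / k
        total += term
    return math.exp(-half) * total


def weekday_test(counts):
    """Goodness-of-fit of 7 weekday counts against 'every day equally likely'."""
    n = sum(counts)
    expected = n / len(counts)
    stat = sum((obs - expected) ** 2 / expected for obs in counts)
    return {
        "n": n,
        "chi2": stat,
        "p": chi2_sf_even_df(stat, len(counts) - 1),  # 7 days -> df = 6
        # Assumption of this example: flag groups whose expected count per
        # day is below 5, where the chi-squared approximation is unreliable.
        "low_expected": expected < 5,
    }


def significant_groups(events, alpha=0.05):
    """Groups whose weekday distribution differs from uniform at level alpha."""
    return sorted(g for g, c in events.items() if weekday_test(c)["p"] < alpha)


if __name__ == "__main__":
    for group, counts in EVENTS.items():
        r = weekday_test(counts)
        note = "  (few events per day, treat with care)" if r["low_expected"] else ""
        print(f"{group:24s} n={r['n']:6d} chi2={r['chi2']:10.2f} p={r['p']:.6e}{note}")
```

ZCompany has only 28 events, an expected count of 4 per weekday, so its non-significant result says as much about sample size as about the group's schedule.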


On the Ball: Recorded Future Calling Out Violent Demonstrations in Dhaka – Before They Happened

At least 36 people were killed between May 5-6 in the latest bout of violence to hit the protest-stricken streets of Dhaka, the capital of Bangladesh. But what sparked this uptick in violence amidst the ongoing protests in Dhaka? Recorded Future made sense of this otherwise unsensible situation before it even happened.

Two precipitating events highlighted by Recorded Future provide context:

  • April 24: A building collapse at Tazreen Factory on the outskirts of Dhaka kills over 600 people. Outrage over the disaster leads to more people taking to the streets, those protesting the factory owners merging with those protesting the results of a tribunal on January 21.
  • May 1: Protests swell with the annual demonstrations on International Workers’ Day, which are noticeably more aggressive than in past years.

But there is more.

On April 11, a member of Jamaat-e-Islami, the country’s largest Islamist organization, was shot dead by security forces while protesting during the fourth day of a nationwide strike. This shooting helped set off a drumbeat of protests, heavily influenced by Islamist elements. Recorded Future called out this event when it happened.

In fact, Hefezat-e-Islam, an Islamist organization backed by Jamaat-e-Islami, organized the demonstrations on May 5 that pitted them against the security forces. And with the deaths, more martyrs are born – and more protests are expected. As always, Recorded Future is and will continue to be on the ball.


  • Copyright © 1996-2010 Analysis Intelligence. All rights reserved.