The intelligence community watched closely when US embassies were besieged during the week of September 11, 2012 by protests against an anti-Islam film. Soon after the physical protests, an online campaign dubbed Operation Ababil emerged in solidarity by attacking US bank websites. The self-proclaimed Izz ad-Din al-Qassam Cyber Fighters hit targets with DDoS attacks that successfully knocked out the websites of numerous financial giants including Bank of America, Wells Fargo, PNC, and more.
The group, presumed not to be a single person, waged its campaign until late October, paused for more than a month, and then renewed attacks in mid-December. The campaign has been linked to Iran and Anonymous during its short existence while its origins remain shadowy, but its most consistent claim is that when the video is pulled from YouTube by the US government then the attacks will stop.
Similar to our analysis of the Shamoon malware attack against Saudi Aramco, we’ll use this space to examine:
- what sources broke the story, and how has attribution evolved?
- is this believed to be a state sponsored attack?
- where do allegations of Iran’s involvement stand?
- what is the latest reported on the Izz ad-Din al-Qassam Cyber Fighters?
The above timeline shows a history of the Izz ad-Din al-Qassam Cyber Fighters since they first hit the web on September 18, one week after physical protests and attacks against US embassies began over the ‘Innocence of Muslims’, attacking and successfully disrupting service to Bank of America’s website. Shortly thereafter they launched DDoS attacks on Wells Fargo and JPMorgan Chase and forewarned of efforts against PNC and U.S. Bancorp. The group continued to warn of and carry out attacks during October as Suntrust and Regions Financial were affected, highlighting the fact that even advance notice didn’t seem to help in preventing outages.
The group went on hiatus after hitting HSBC in mid-October, claiming to break for the Muslim holiday Eid al-Adha, but returned with a bang on December 10 by attacking BofA, SunTrust, JPMorgan Chase, US Bancorp, Wells Fargo, and PNC Financial Services Group in subsequent days, and as noted above, posting warning of more to come in a note published to Pastebin on December 25.
Source Analysis Reveals a Mysterious Twitter Account
After the Saudi Aramco hack was claimed on Pastebin in August, cyber watchers began paying close attention to that site as a promotional ground for operations. As early as 6:51AM EST on September 18, there were tweets being directed to the information security community with links to English and Arabic posts on Pastebin by the Izz ad-Din al-Qassam Cyber Fighters (their Pastebin profile and history can be found here). Unlike the Aramco attack where multiple parties claimed credit, they are the only group to claim credit for this cyber operation.
The aforementioned Twitter account first reporting the attacks on Bank of America and the NYSE (which sustained a brief website outage) was a now quiet account: @cyberstrikenews. Interestingly, the @cyberstrikenews account went dormant on October 23 when Al-Qassam operations paused and has not since resumed tweeting. The account never commented on a subject outside of the Aramco attack – its first tweet was the day after – and the Al-Qassam cyber attacks.
Others on Twitter started to link the story with the Al-Qassam cyber organization while consumer sites reported outages as quickly as 7:29am EST, just 38 minutes after the first tweet. The earliest news outlets reporting on the story were Fox Business and Reuters, which linked the BoA website outages to the claimed cyber attack by 1:30pm EST and 4:30pm EST respectively.
Individuals claiming to be associated with the group have also not been shy about discussing their intentions and affiliations although it goes without saying that the credibility of these statements should be taken warily. Interviews were granted with a security consulting group Flashpoint Partners (see PDF transcript), ABC News, and other media outlets with consistent messaging about their relationship with Iran or other states – “Nope” – and mission: removal of the offensive anti-Islam film.
The Group’s Targets and Alleged Connections
As noted above, the bank attacks were claimed early by Izz ad-Din al-Qassam Cyber Fighters, and there has so far been little to show there are other parties involved. Links to Anonymous members were pointed out by the hacker th3j35t3r, and his comments are backed by al-Qassam’s use of JS LOIC malware, but so far the relationship appears to be transactional rather than operational support.
The group claims to consist of volunteers from different parts of the Middle East, but in the above network, you’ll specifically notice two more specific locations: Palestine and Iran. The Iran connection appeared shortly after the attacks and took little time to be called out publicly as Sen. Joe Lieberman claimed the Iranian government sponsored attacks in retaliation for imposed economic sanctions. The group itself has denied the connections to the government of Iran while the Palestine reference related to the group’s name in honor of an islamic militant killed by British Troops in Palestine in the 1930s.
One characteristic that Izz ad-Din al-Qassam Cyber Fighters shares with Anonymous is a knack for managing the media. The group often shares its intended targets (Wall Street & Tech) in advance, and as of writing, has successfully executed attacks against each target it has called out:
State Sponsored Attacks?
Within days of the first attack, major news outlets including the Washington Post and Reuters explicitly called out links to Iran although the source of this intelligence remains unnamed. The attacks received no coverage on Iran’s Press TV, typically busy reporting on cyber attacks, although the Iranian government took to the Fars News Agency to publicly reject affiliation with the hackers. The al-Qassam Cyber Fighters also rejected claims of ties to the Iranian government during each of their email interviews.
The contrast between political claims such as Lieberman’s statements and more nuanced reports from the security community is stark. Consider the evaluation of attack tools as reported by analysts such as Dancho Danchev, who points out that the PHP based DDoS attack script known as “itsoknoproblembro” was available online well before these attacks, Jeffrey Carr, who pushes back against the widely reported remarks, and Robert Lemos at DarkReading, who highlights the flexibility of attack vectors and potential piggybacking of the Operation Ababil campaign on existing hacktivist work. There’s also the interesting data point of a light version of the “itsoknoproblembro” malware discovered on a server in Saudi Arabia by Radwer security analysts.
It’s certainly messy. There is the proximity of these attacks to the formation of a “cyber defense team” announced by Iran in February of this year and a Hezbollah cyber meeting in Tehran at the end of 2011. US government officials, again anonymously, claimed that the attacks can be traced back to a group of ~100 Iranian security professionals. And there have been suggestions that Operation Ababil is tied to a Russian hacker syndicate seeking to skim money from major banks, and the DDoS attacks are being used as distracting device.
Media Coverage Analysis
Given the nature of the targets, it’s no surprise that the largest share of sources reporting on these attacks are published in the United States. The countries with the next most reporting sources are the UK and Australia, but that this has been painted as an American issue by the media seems to short its broader implications for big infrastructure, big security organizations. As noted above, there is little attention given to the attacks from English-language Iranian outlets with the only nod to the events being a denial of responsibility issued by the state-run Fars News Service shortly after the US government allegations.
Also of note are the sources that are regularly reporting on developments related to Operation Ababil and even better, those channels that are consistently providing information about forewarned attacks. The tables below describe sources reporting on events that include mention of the Al Qassam Cyber Fighters in some capacity as well as a target, not just an absent mention of, say, “Bank X website is down”. What we see are major sources by volume versus those that might not be reporting every new event but do provide details on future attacks with BankInfoSecurity and Packet Storm showing as speedy sources for early warning.
An Uncertain Conclusion
The al-Qassam Cyber Fighters were able to rapidly get their name out to the world, and if the background and name are a shroud for state-backing then it was effective PR as the name was cited by mainstream media on the day of the first attacks. Yet, despite the significant coverage – likely a result of several factors including the big bank targets, the publicity of the attacks, and heightened attention to cyber threats after Aramco – there remains little real detail about the culprits, prevention, or a resolution. Aside from anonymous US officials claiming the attacks as a product of Iranian support, if not the government itself, public information is slim.
One of the most interesting pieces of intelligence revealed by this open source analysis is the Twitter account that appears as the first public source reporting Operation Ababil after it was posted to Pastebin on September 18. The same account commented on the Aramco attack in its first ever tweet, which highlights the attack’s success. The anonymous Twitter account was referenced by popular security site Hackmageddon as a unique source of information on the Shamoon attack, and provides a tenuous link between the two major cyber attacks both alleged to be coming from Iran.
In the end, using the “Innocence of Muslims” video as a rationale for the attacks is strategically convenient: the hacktivists call for the United States government to remove the video, something the government has little power to do since Google controls the content, and the banks under attack have no affiliation with the video meaning the attacks will be “justified” indefinitely.