Tag: opisrael

Anti-Israel Hackers Parastoo Prepare for OpIsrael Anniversary

Anti-Israel hacker organization Parastoo last week announced its intention to join #OpIsrael2, also touted as OpIsrael Birthday, to commence in April. The group is targeting US, NATO, and ISAF engineering, military communications and technology resources.

This was Parastoo’s second public statement during January after several months of silence. However, those statements continue a pattern that suggests the group, which once rattled off a worrisome string of hacks against international energy organizations, is currently limited to PsyOps and riding the coattails of other hacktivists.

Security blogger John Casaretto has written extensively about Parastoo on SiliconAngle, and previously called out the group’s occasional lack of substance. We ask, after Parastoo’s initial successes during late 2012/early 2013, has the group been limited to unsubstantiated claims and self-proclaimed affiliation with OpIsrael actors?

We’ll use Recorded Future for cyber threat intelligence to analyze the timing of Parastoo’s activity. First, let’s get familiar with the group’s claims on Pastebin and Cryptome through the below timeline of digital and physical attacks claimed by Parastoo.

Parastoo Hacker Timeline


The group’s first claimed data compromises of IAEA information (November 2012) were verified by the target. The subsequent attacks on DOE (January 2013) and Jane’s (February 2013) also appear to have been legitimate and resulted in the publishing of sensitive, if not top-secret, data.

Interestingly, the IHS breach reportedly occurred around the same time as the IAEA hack, but the information was held until February 2013. The IHS Jane’s data was also posted to Quickleak, which we’ve profiled for its ties to the Iran-linked hackers the Islamic Cyber Resistance.

Attribution then quickly gets fuzzy beginning with the Department of Energy breach, which CSO Magazine reported might be the work of Chinese hackers, not Parastoo.

Evaluating the Timing of Parastoo Claims

Parastoo often foreshadows events, but does so in a way that positions the group for opportunistically claiming responsibility. For example, in its announcement on February 22 of the Jane’s data dump, the group referenced the potential for damage from a hijacked drone. This was two weeks prior to the reported UAV sighting near JFK airport on March 5.

Parastoo referenced the drone sighting above New York City on March 8, a day after an anonymous source suggested the group could be responsible. It seems the group either wasn’t ready to take credit or it jumped at the chance to put its name next to a mysterious and unsolved security incident.

The group started referencing Geneva II in mid-2013 as an event around which they would release already captured sensitive information. The international meeting was ultimately delayed until January 2014; as we now know, Parastoo resurfaced during that time but without much of substance. More on that in a moment, particularly their claims of a physical attack on a PG&E substation in San Jose, California.

Verified Incidents Where Parastoo Claims Preceded Official Statements

IAEA Data Dump 1
Announced November 25, 2012 by Parastoo on Pastebin and Cryptome
Confirmed by IAEA on November 26

IAEA Data Dump 2
Announced November 29, 2012 by Parastoo on Cryptome
Confirmed by officials via Reuters on November 30

DOE Server Breach
Announced January 21, 2013 by Parastoo on Cryptome
Internal communication by Department of Energy made on February 1; confirmed by media on February 4

IHS Jane’s Server Breach
Announced February 22 by Parastoo on Cryptome
Confirmed by IHS to Washington Free Beacon with statement that server was compromised but no confidential information was lost and information posted by Parastoo was publicly available in various digital and physical formats.

Delay Emerges in Parastoo Claims Compared to Actual Events

After the IHS information drop last February, we observed a shift in Parastoo’s claims: the group became reactive to events. It started hijacking credit for, or co-opting, campaigns carried out by anonymous or unknown parties in order to spread disinformation and fear to Israel and its allies. Read on for examples.

OpIsrael 2013 and OpIsrael Birthday 2014

The broader OpIsrael campaign described as revived at the beginning of this post has been ongoing since fall 2012, and a collective of hackers organized efforts to carry out attacks against multiple targets on April 7, 2013. Last year, Parastoo was not mentioned in an interview with An0nGhost by Hackers Post, or even in earlier statements about the planned campaign published on March 7.

Parastoo, while long referencing the broader online protest against Israel, only included the specific #OpIsrael April 7 operation in its statement of targets on March 9, 2013, two days after the campaign was made public.

For the planned operation during April 2014, An0nGhost announced its plans on December 29, 2013 for OpIsrael anniversary attacks to occur on April 7, 2014. Earlier rumors of the operation were spreading via Twitter on December 22; Parastoo only made its statement more than a month later about their intended participation and recommended targeting.

The group also describes a different date, April 4, rather than the April 7 date called for by An0nGhost and its affiliates. All of this suggests members of Parastoo aren’t closely coordinating with other hacktivist organizations participating in OpIsrael.

Claims of NNSA Breach

During May 2013, Parastoo made a statement distributing public information about the National Nuclear Security Administration (NNSA) while also claiming it had infiltrated secure systems. Nothing has yet come of those claims. Interestingly, NNSA had been breached before, which makes it an ideal candidate for making false claims of data exfiltration. Analysts, media, and the organization itself are challenged to recall and accurately portray what information was previously exposed.

Claims of Second Drone Hack

During early July 2013, Parastoo claimed to have hijacked and controlled the flight of a UAV over an uninhabited area of Maryland. The group suggested it would release details of this operation and the technical specifications of the RQ-170 during the Geneva II talks, but thus far nothing has been seen. No reports could be verified of the drone supposedly owned by iDirect, but again, this is an opportunistic claim, as the group likely will have seen drone activity in that state given the publicity around a crashed drone in June 2012.

Claims Support of Physical Attack on PG&E Substation

On April 16, 2013, vandals cut fiber-optic cables and damaged transformers at a PG&E substation near San Jose, California. Eight months after the incident, Parastoo claimed to have supported the individuals responsible for that physical security breach. Its statement was made days after attention to the attack resurfaced.

We also recognize that hitting critical infrastructure has long been an intention of Parastoo based on a statement released at Cryptome criticizing the group for such targeting.

What Happens Next with Parastoo and OpIsrael Birthday

This evaluation of open source information from the web suggests that the anti-Israel, Iran-linked hacker group Parastoo hasn’t demonstrated much success of its own for quite some time. However, based on its recent statements, the group remains active and is seeking greater relevance.

Parastoo’s most recent communication claims it is developing a “secure” forum to be hosted at parastoo.ir. We’ll follow this development closely to see if the group gains more sophistication and ammunition for once again conducting successfully disruptive operations after launching its own communication channel.

Recorded Future’s web intelligence for cyber threat intelligence is structured to enable analysts’ efficient monitoring and analysis of operations such as the upcoming OpIsrael Birthday. Here’s a live feed of the latest to emerge on that operation.

We’re also prepared to monitor developments related to Parastoo to evaluate whether its current pattern continues in claiming attacks, and likely misrepresenting themselves as the perpetrator, or if new threat capabilities emerge as the group launches its own community space. Reach out to us if you’re interested in setting up your own threat intelligence alerts related to Parastoo or other related threat actors in energy and defense domains.

Global hacker network unites in Anonymous campaign against Israel

We recently reported on the revival of Operation Israel (#OpIsrael) being coordinated by a group of hackers aligned with Anonymous. The excellent information security blog Voice of Grey Hat subsequently detailed some of the known or suspected locations of participating entities: “The coalition of hackers appears to have ties to the Iranian government, Pakistan, Syria, Egypt, and the terror group Hezbollah, according to a report published by Cryptome.”

We wanted to corroborate and potentially add to the list of actors compiled in that report posted to Cryptome to see how it matches up with commentary about the campaign from recent weeks. Using Recorded Future, we generated a timeline of discussion on OpIsrael broken into rows by mention of different locations.

Anonymous OpIsrael Timeline


In addition to those called out by Voice of Grey Hat, the timeline reveals other locations related to suspected participants: Mauritania, Morocco, Algeria, and Turkey. The Turkish connection adds a dash of internal conflict to the mix as a recent hack against Mossad claimed by RedHack, a Turkey-based organization, reportedly caused the primary arm of Anonymous Turkey to abandon their participation in OpIsrael.

Infighting aside (a bigger topic for another blog post), the above discoveries lead us to look for other hackers and recruiters with a history of attacks on Israel that haven’t yet bubbled up in the Operation Israel discussion. What other hackers have been linked to attacks on Israel during the last four months that might take up the cause?

Cyber Attack Network Israel


Picking through the network, and ignoring some of the better recognized players such as Parastoo and AnonGhost, we can highlight a few hacker links worth watching as the April 7 date for OpIsrael approaches:

  • Commentary from Times of Israel in January 2013: “3Qrab Almoseam, Gaza Hacker Team, and CapoO_TunisiAnoO are the most political of the anti-Israel hackers, but there are many others. The difference is that they either don’t target Israel exclusively, or their messages aren’t specifically anti-Israel. For example, HTC 28 DZ hacks a lot of Israeli sites, but many of its recent messages encourage viewers to ‘respect the Prophet Mohammed’…”
  • As reported by Hackread, there was a series of attacks against non-Israeli governments carried out in support of the Palestinian cause, including TeaM MosTa hacking and defacing 62 Vietnamese government websites during January and Charaf Anons, a hacker of Anonymous Algeria, defacing ~900 Chinese websites as a protest against Israel last month.
  • The Hackers Post reported on March 23 that Dr.SHA6H hacked and defaced the official Adidas sportswear website designated for Israel (www.adidas.co.il), while El Periodico in January reported Saudi Arabian hackers going by Group-XP stole and published data on 14,000 Israeli credit cards taken from an Israeli sports site.

Summing up the above details: there is a widely distributed network of known hackers uniting for OpIsrael; the public conflict between RedHack and Anonymous Turkey suggests the coordinated campaign set for April 7 is very real; and a sizable group of hackers with a history of attacking Israel remain either on the sidelines or unrecognized as participants by the security community, which suggests that there is potential for even more significant impact and reach.

We’ll watch this issue closely as the promoted April 7 event date approaches, and you can follow the latest or build off of these existing OpIsrael visualizations using Recorded Future.

Anonymous Revives #OpIsrael with Threat to ‘Erase Israel from the Internet’

Hacktivists are often blusterous. Sensationalism helps recruit for campaigns and raises awareness of their cause via the resulting media coverage. As a consequence, it’s easy to pick out grandiose threats from recent memory – taking down the internet or crashing Facebook – that failed to materialize.

However, Anonymous earlier this month called for support to ‘erase Israel from the Internet’ on April 7. It is rightly drawing considerable attention; as reported by CyberWarZone, the campaign announced by hacker AnonGhost is being supported by a myriad of known hacktivists with a history of carrying out state-targeted attacks, and solidarity attacks are already underway. This is not a “faceless” warning loosely aligned with the Anonymous cause, and it comes at a time when persistent attacks against state-run sites, including properties owned by Israel, have been successfully carried out. Need more examples? See attacks against the United States, Turkey, and most recently, South Korea.

This planned event is actually a revitalization of Anon’s #OpIsrael campaign in support of Palestine during the Israel-Gaza conflict last November. Aside from the date for initiating this second round of #OpIsrael, what has publicly appeared about the campaign since its initial promotion?

OpIsrael Timeline Plans


The first event that bubbles up on the timeline for mentions of “OpIsrael” since March 11 comes from a since deleted Facebook post describing analysis of the actors allegedly involved in the campaign:

The attributions are to the best of our knowledge, based on language analysis, history and helps from our sources who speak Arabic ( various forms ) and Farsi ( various forms, mostly Persian ) natively:

  • AnonGhost ( distributed – freelance )
  • AnonymousPal ( U.S and E.U – freelance )
  • OsamaTheGod ( false flag )
  • Teamr00t ( Pakistan – ideological )
  • Hannibal ( Anti-OPISRAEL , inside fight , Indian – freelance )
  • PunkBoyinSF ( Egyptian ties – freelance )
  • Mauritania HaCker Team ( distributed – freelance )
  • ajax Team ( unknown )
  • MLA – Muslim Liberation Army ( ties to Pakistan )
  • Gaza Hacker Team ( Palestinians in U.S and E.U , perhaps some members in Arab countries as well )
  • Gaza Security Team ( same )
  • Gaza Security Team ( ties to Syria – Syrian nationals – freelance )
  • Algerian Hacker ( unknown )
  • Iranian Cyber Army ( Iran , hired hackers based in Iran )
  • Remember Emad ( Joint Lebanese and Iranian effort – high likely state-backed )
  • Parastoo ( Iranian , reported to have ties with IRGC-QF and Hezbollah )
  • Syrian Electronic Army ( reported to be controlled by elements of pro-Hezbollah activists )

There are two other points of interest:

  • An attack reported on March 18 against 1600 websites, many Chinese, carried out by Anonymous Algeria that was done allegedly as a “sign protest and give a wake up call to the government of the world on Palestinian issue”.
  • The appearance on Facebook of material, instructions, and attack vectors used during the original OpIsrael campaign that may be prepared for reuse in the planned April 7 campaign.

The rise of Anonymous and other nebulous hacktivist groups has created a fascinating challenge with regard to attribution in information security threat assessment. The “We Are Anonymous” motto provides a convenient shroud for cyber activity, including that of savvy state operatives, whether philosophically associated with the movement or not. We think back to the “Shamoon” attack on Saudi Aramco, when several different suspected attackers were cited, ranging from vigilante hackers to a cyber Jihadi group to the Iranian government. Misdirection and the amplification of disinformation are easier than ever, and those of us acting as analysts should be wary.

Irrespective of your feelings on the credibility of the latest #OpIsrael campaign, we’d like to get your thoughts on the use of open source web intelligence in evaluating and monitoring forewarned cyber attacks such as this one. As noted above, there are already faint signals of capability and dissemination of campaign information. Where else should analysts be looking?

Copyright © 1996-2010 Analysis Intelligence. All rights reserved.