Archive for the Counter Terror Category

Georgian Attacks: Remember Estonia?

Posted in Counter Terror, Daily Rant, IT Security on August 14, 2008 by blackflag

Yet another update regarding the ongoing Georgian cyber attacks. For those that don’t realize the significance of this, some botherders and do-it-yourself hacktivists have pretty much succeeded in taking most of Georgia’s government news outlets offline. Most of the gov.ge sites have now regrouped on the Blogspot platform, but there are some residing on other providers.

I have been following this very closely and working with others to get a better picture of what is happening. The results of those efforts are being updated over at the Shadowserver news wiki but I’ll repost it below for your convenience.

Here is the latest update:

Georgia and Estonia Have Something New in Common

Since last Friday (August 8, 2008) a large number of Georgian websites, both government and non-government alike, have come under attack. There has been a lot of speculation about whether or not foreign governments were involved in the attacks or if it is just the work of outraged citizens taking the action on their own. While no one could really say for sure who was behind the attacks, one thing was clear–the attacks were having a devastating impact on their targets. Even at this very moment, several Georgian websites are still unreachable.

We have been seeing constant distributed denial of service (DDoS) attacks against Georgian websites from various command and control (C&C) servers since last Friday. In fact, they were still ongoing. However, we have not observed any attacks against several of the different websites that are currently offline. While we of course do not have insight into all DDoS attacks, we were still surprised to see these sites offline and not to have observed any traffic destined for them. We were not really sure why this was until today.

Additional Attack Information

Shadowserver has received reliable information that one of the Georgian government websites was being attacked by dozens of Russian computers from several different ISPs throughout the country covering both dialup and broadband users. The traffic destined for the website is overwhelming ICMP traffic. Did we dare say Russian? Yes we did, however, let’s be clear here: we were not pointing fingers and we are absolutely not implicating any government involvement (no reason to suspect this).

What does it mean though? Lots of Russian hosts and lots of ICMP traffic. Could this be a botnet that instructed all of its hosts to send an ICMP flood to the destination? Possibly. However, botnets are usually widely dispersed across several geographic locations. Why on earth would we see such an overwhelming amount of Russian hosts?

Is it possible the same thing that happened to Estonia is happening to Georgia? To put it quite simply, the answer is yes.

The Grass Roots Effect

Lots of ICMP traffic and Russian hosts sounds a lot more like users firing off the ‘ping’ command and a lot less like some evil government controlled botnet. It did not take us long to find out what is going on. Much like in the attacks against Estonia, several Russian blogs, forums, and websites are spreading a Microsoft Windows batch script that is designed to attack Georgian websites. Basically people are taking matters into their own hands and asking others to join in by continually sending ICMP traffic via the ‘ping’ command to several Georgian websites, of which the vast majority are government.
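The inference above (many distinct sources, almost all ICMP, concentrated in one country rather than spread across the globe the way a botnet usually is) can be written down as a triage check over sampled flow records. The following is an added example, not Shadowserver's or this blog's tooling: the record format (epoch, src, dst, proto, packets), the sample flows and the prefix-to-country table are all constructed stand-ins for a collector export and a GeoIP lookup.

```python
"""Triage sampled flow records for a many-source ICMP flood.

Added example, not Shadowserver's or this blog's tooling. The record format
(epoch src dst proto packets) and the prefix-to-country table are
constructed stand-ins for a collector export and a GeoIP database.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed sample records: "<epoch> <src> <dst> <proto> <packets>".
SAMPLE_FLOWS = """\
1218700000 192.0.2.10 203.0.113.5 icmp 1200
1218700001 192.0.2.11 203.0.113.5 icmp 950
1218700001 192.0.2.12 203.0.113.5 icmp 1100
1218700002 192.0.2.13 203.0.113.5 icmp 870
1218700002 198.51.100.7 203.0.113.5 icmp 40
1218700003 192.0.2.14 203.0.113.5 icmp 1020
1218700003 192.0.2.15 203.0.113.5 icmp 990
1218700004 198.51.100.9 203.0.113.5 tcp 3
1218700004 192.0.2.20 203.0.113.9 tcp 12
1218700005 198.51.100.22 203.0.113.9 icmp 2
"""

# Constructed prefix-to-country table standing in for a GeoIP database;
# "AA" and "BB" are placeholder country labels.
COUNTRY_BY_PREFIX = {
    ipaddress.ip_network("192.0.2.0/24"): "AA",
    ipaddress.ip_network("198.51.100.0/24"): "BB",
}


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    packets: int


def parse_flows(text):
    """Parse whitespace-separated records; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            flows.append(Flow(ipaddress.ip_address(parts[1]),
                              ipaddress.ip_address(parts[2]),
                              parts[3].lower(), int(parts[4])))
        except ValueError:
            continue
    return flows


def country_of(ip):
    """Longest-match lookup is unnecessary here: the constructed prefixes
    do not overlap. Unknown addresses map to '??'."""
    for prefix, country in COUNTRY_BY_PREFIX.items():
        if ip in prefix:
            return country
    return "??"


def assess(text, min_sources=5, min_packets=1000, concentration=0.8):
    """Per destination: ICMP packet count, number of distinct ICMP sources,
    the share of those sources in the single most common country, and a
    verdict. A flood whose sources sit mostly in one country is reported
    separately from one with geographically dispersed sources."""
    packets = Counter()
    sources = defaultdict(set)
    for f in parse_flows(text):
        if f.proto != "icmp":
            continue
        packets[f.dst] += f.packets
        sources[f.dst].add(f.src)
    report = {}
    for dst, srcs in sources.items():
        by_country = Counter(country_of(s) for s in srcs)
        top_country, top_count = by_country.most_common(1)[0]
        share = top_count / len(srcs)
        if packets[dst] < min_packets or len(srcs) < min_sources:
            verdict = "no alert"
        elif share >= concentration:
            verdict = "many-source ICMP flood, geographically concentrated"
        else:
            verdict = "many-source ICMP flood, dispersed sources"
        report[str(dst)] = {
            "icmp_packets": packets[dst],
            "icmp_sources": len(srcs),
            "top_country": top_country,
            "top_share": round(share, 2),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for dst, info in assess(SAMPLE_FLOWS).items():
        print(dst, info)
```

The thresholds are deliberately low so the constructed sample trips them; on real sampled NetFlow the packet threshold should be set from the destination's normal ICMP baseline, and the concentration ratio is only meaningful once there are enough distinct sources for a country share to say anything.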

The following text is a redacted version of the script being posted:

@echo off
@echo Call this file (MSK) 18:00, 20:00
@echo Thanks for support of South Ossetia! Please, transfer this file to the friends!
pause
newsgeorgia.ru
apsny.ge
nukri.org
opentext.org.ge
messenger.com.ge
president.gov.ge
government.gov.ge
parliament.ge
nsc.gov.ge
constcourt.gov.ge
supremecourt.ge
cec.gov.ge
nbg.gov.ge
nplg.gov.ge
police.ge
mod.gov.ge
mes.gov.ge
mfa.gov.ge
iberiapac.ge
mof.ge

We have removed the actual commands and parameters of the script to avoid being a distribution point for it. However, you can see the raw list of targets that are being spread across the websites. This script has been posted on several websites and is even being hosted as “war.rar” which contains “war.bat” within it on one site. It would appear that these cyber attacks have certainly moved into the hands of the average computer using citizen.

Conclusion

It appears evident that the average user is now getting involved and helping to attack Georgian websites. We do not know the size of the attack, but with many most likely sympathetic and the message spreading from blog to blog and forum to forum, it might not slow any time soon. Whether it is through the use of a botnet or a personal machine, it is quite clear what kind of effect these attacks can have on an infrastructure that is unable to fend them off. We will continue to monitor the situation and report back any developments we observe.

Cross Posted at The Jawa Report.

Republic of Georgia Cyber Attacks “Part Deux”

Posted in Counter Terror, Daily Rant on August 14, 2008 by blackflag

I posted about the ongoing attacks against Georgian resources on August 11th. Since that time a lot of the media have been getting on the “let’s blame the Russian Business Network and Russian Government” bandwagon without really putting things into context. I mentioned the RBN in the original post as an unverified point of interest (RBN is worth reading up on whether involved in this or not).

To clarify a few points Shadowserver’s “Mike Johnson” has updated the wiki with a post titled “Georgian Websites Under Attack – Don’t Believe the Hype”. It warrants reading as it lays out a bit more historical information on the botnets involved.

An excerpt from that post is below.

We have been tracking these servers for a while now, some for a year or more (and before you ask, yes we’ve tried to get them shut down, but with little co-operation), so we know their history. We have seen many different DDoS attacks from these particular C&C servers, but there doesn’t seem to be any rhyme or reason to it. What does seem apparent is that the targeted sites don’t strike me as being something a government would go after. Without listing the actual targets, they fall into the following broad categories:

* Adult video websites
* Prostitution websites
* White supremacy websites
* Carder websites (sites that trade in stolen credit card numbers)
* Online gambling websites
* Virtual currency websites (think PayPal, but not nearly that legitimate)
* Russian news websites
* Random Russian websites
* Many other websites

The DDoS attacks appear to be ongoing as of this morning (13 August 2008), and it is of note that the botnets involved continue to simultaneously attack other websites that do not belong to the Republic of Georgia.

Update: For more context see Popular Mechanics interview with RBNexploit’s Jart Armin.

Cross Posted at The Jawa Report

The Jihad Has Failed.

Posted in Counter Terror, Daily Rant, Jihad Denied on November 15, 2007 by blackflag

Via AKI:

A former leader of an armed Islamic group in Libya, Numan Bin Uthman, has written a letter to al-Qaeda second in command Ayman al-Zawahiri telling him that Jihadi groups in Arab countries have failed.

“Dear Doctor Ayman, as I told you during a meeting in Kandahar [in Afghanistan] in 2000, the experience of the Jihadi groups in Arab countries is failed and despite our appeals, the armed groups are divided and will not unite,” he said in the letter, a copy of which was published in the London based pan-Arab daily al-Hayat.

The letter by Uthman, who is based in London, comes after an audio message by al-Zawahiri – an Egyptian medic – was released on Saturday. In it, al-Zawahiri announced that the Libyan Islamic Fighting Group, had joined al-Qaeda. He also called for the ousting of regimes in North Africa.

The Libyan Islamic Fighting Group first announced itself in 1995, vowing to topple the Libyan regime. It is the second organisation to allegedly join al-Qaeda after Algeria’s Salafist Group for Preaching and Combat (GSPC), which changed its name to the al-Qaeda Organisation in the Islamic Maghreb last January.

“I ask you and whoever is behind you to review the way you behave because the Jihadi groups are acting very badly towards those who think differently from the way they do,” said Uthman in the letter.

“I ask you to stop the armed operations in the Arab countries, to guarantee the security of Muslims and to retract your threats toward the West, to take away from them the terrorism card used by some Western governments to hate Islam and Muslims,” he said.

Imagine that.

With bonus phunny from Cox & Forkum:

jihad denied

On a side note: I’d be just giddy if the WordPress editor didn’t strip the text formatting off of anything on blockquotes, it really gets on my nerves.

The “Dark Web” Counter Terrorism Project

Posted in Counter Terror, Daily Rant, IT Security, Jihad Denied on October 23, 2007 by blackflag

Now that I’ve slacked off for a few weeks and indulged myself in teasing our terroristic friend Samir Khan, it’s time to get back to some serious work. I’d like to direct your attention to a Counter Terrorism project of truly epic proportions, that being the “Dark Web” Counter Terrorism research project underway at the Artificial Intelligence Lab, University of Arizona. After reading about this project at Dancho Danchev’s blog I’ve been spending quite a bit of research time over at the AI project site studying their methodology.

The stated research goals of this project are as follows:

The AI Lab Dark Web project is a long-term scientific research program that aims to study and understand the international terrorism (Jihadist) phenomena via a computational, data-centric approach. We aim to collect “ALL” web content generated by international terrorist groups, including web sites, forums, chat rooms, blogs, social networking sites, videos, virtual world, etc.

We have developed various multilingual data mining, text mining, and web mining techniques to perform link analysis, content analysis, web metrics (technical sophistication) analysis, sentiment analysis, authorship analysis, and video analysis in our research.

The approaches and methods developed in this project contribute to advancing the field of Intelligence and Security Informatics (ISI). Such advances will help related stakeholders to perform terrorism research and facilitate international security and peace.

It is our belief that we (US and allies) are facing the dire danger of losing the “The War on Terror” in cyberspace (especially when many young people are being recruited, incited, infected, and radicalized on the web) and we would like to help in our small (computational) way.

Now then, at first glance that doesn’t seem all that impressive, so let’s dig a little deeper. The Dark Web project is not your typical “vigilante” (thanks Mr. Moss) homegrown cyber-terrorism research effort; it is a well funded, long term, counter terrorism project receiving grants from the Department of Homeland Security, the National Science Foundation and others. In short, the project uses web crawlers to gather information from a (large) list of target sites and forums. This data is then indexed and data mined for actionable information. I once considered a similar method of data acquisition but dismissed it for more targeted methods after considering the amount of computational resources it would take. The Dark Web project has been indexing sites for about five years and has the following to show for its efforts.

Claims: Dr. Gabriel Weimann of the University of Haifa has estimated that there are about 5,000 terrorist web sites as of 2006. Based on our actual spidering experience over the past 5 years, we believe there are about 50,000 sites of extremist and terrorist content as of 2007, including: web sites, forums, blogs, social networking sites, video sites, and virtual world sites (e.g., Second Life). The largest increase in 2006-2007 is in various new Web 2.0 sites (forums, videos, blogs, virtual world, etc.) in different languages (i.e., for home-grown groups, particularly in Europe). We have found significant terrorism content in more than 15 languages.

Testbed: We collect (using computer programs) various web contents every 2 to 3 months; we started spidering in 2002. Currently we only collect the complete contents of about 1,000 sites, in Arabic, Spanish, and English languages. We also have partial contents of about another 10,000 sites. In total, our collection is about 2 TBs in size, with close to 500,000,000 pages/files/postings from more than 10,000 sites.

We believe our Dark Web collection is the largest open-source extremist and terrorist collection in the academic world. (We have no way of knowing what the intelligence, justice, and defense agencies are doing.) Researchers can have graded access to our collection by contacting our research center.

Now, that is impressive. Additionally, the Dark Web researchers perform Social Network Analysis on the data gathered to determine the relationships of online content authors. It is important to realize that these researchers are mathematicians, not counter terrorism agents; they are applying science to the issue of online Terrorism in an attempt to understand the phenomenon.
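To make the Social Network Analysis step concrete, here is an added example (not the Dark Web project's code) of the simplest form of author link analysis: treat two authors as related when they post in the same thread, weight the tie by how many threads they share, and then read off the best-connected authors, the strongest ties and the separate communities. The (thread, author) pairs are constructed; in practice they would be recovered from crawled forum pages.

```python
"""Author co-participation graph from forum posts (link analysis).

Added example, not the Dark Web project's code. SAMPLE_POSTS is a
constructed list of (thread_id, author) pairs, one per post.
"""
from collections import defaultdict
from itertools import combinations

# Constructed (thread_id, author) pairs, one per post.
SAMPLE_POSTS = [
    ("t1", "alpha"), ("t1", "beta"), ("t1", "gamma"),
    ("t2", "alpha"), ("t2", "beta"),
    ("t3", "beta"), ("t3", "delta"),
    ("t4", "gamma"), ("t4", "epsilon"),
    ("t5", "alpha"), ("t5", "beta"), ("t5", "epsilon"),
    ("t6", "zeta"), ("t6", "eta"),   # a separate pair with no shared threads
]


def build_coparticipation_graph(posts):
    """Undirected weighted graph: the edge weight is the number of threads
    in which both authors posted. Returns {(a, b): weight} with a < b."""
    members = defaultdict(set)
    for thread_id, author in posts:
        members[thread_id].add(author)
    edges = defaultdict(int)
    for authors in members.values():
        for a, b in combinations(sorted(authors), 2):
            edges[(a, b)] += 1
    return dict(edges)


def weighted_degree(edges):
    """Sum of edge weights touching each author: a crude 'how connected'
    score that favours authors who keep turning up in the same threads."""
    deg = defaultdict(int)
    for (a, b), w in edges.items():
        deg[a] += w
        deg[b] += w
    return dict(deg)


def strongest_ties(edges, top=3):
    """The author pairs that share the most threads, heaviest first."""
    return sorted(edges.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


def connected_components(edges):
    """Groups of authors reachable from one another via shared threads;
    authors in different groups never co-occur, directly or indirectly."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    seen, comps = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            node = stack.pop()
            if node in comp:
                continue
            comp.add(node)
            stack.extend(adj[node] - comp)
        seen |= comp
        comps.append(frozenset(comp))
    return comps


if __name__ == "__main__":
    graph = build_coparticipation_graph(SAMPLE_POSTS)
    print("degree:", weighted_degree(graph))
    print("strongest ties:", strongest_ties(graph))
    print("communities:", [sorted(c) for c in connected_components(graph)])
```

Co-participation is only a proxy for a relationship; the project's own work layers authorship analysis and content analysis on top, which a thread-membership graph alone cannot provide.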

They describe themselves thusly:

A Few Words about Civil Liberties and Human Rights: The Dark Web project is NOT like Total Information Awareness (TIA) (at least we try very hard not to be like it). This is not a secretive government project conducted by spooks. We perform scientific, longitudinal hypothesis-guided terrorism research like other terrorism researchers (who have done such research for 30+ years). However we are clearly more computationally-oriented; unlike other traditional terrorism research that relies on sociology, communications, and policy based methodologies. Our contents are open source in nature (similar to Google’s contents) and our major research targets are international, Jihadist groups, not regular citizens. Our researchers are primarily computer and information scientists from all over the world. We develop computer algorithms, tools, and systems. Our research goal is to study and understand the international extremism and terrorism phenomena. Some people may refer to this as understanding the “root cause of terrorism.”

There is much much more in depth information at the Dark Web Project site, pay special attention to the Journal Articles, Conference Papers and Presentations links at the bottom of the page and you should stay busy for quite some time.

In closing I’ll quote the following:

As an NSF-funded research project, our research team has generated significant findings and publications in major computer science and information systems journals and conferences. However, we have taken great care not to reveal sensitive group information or technical implementation details (specifics). We hope our research will help educate the next generation of cyber/Internet savvy analysts and agents in the intelligence, justice, and defense communities.

It does indeed.

Updated! x2: “Inshallahshaheed” (GIMF) Has a New Home!

Posted in Counter Terror, Daily Rant, Jihad Denied on September 26, 2007 by blackflag

 Updated x2:

Samir’s latest site for distributing militant Salafi ideology and intolerance is here. I typically don’t link his (active) sites, but the latest story from the NYT has quite a few “Western” surfers clicking through looking for it. I think they could stand a good dose of what Al-Qaeda in America looks like.

Updated:

Oh Snap! I wonder if it’s the work of the mysterious “hackers” again (that only target InshallahShaheed’s site) that our friend “FalsehoodExsposer” mentions in the comments.

~~~~~~~~

It seems that our favorite mouthpiece for the Global Islamic Media Front here on WordPress.com has had his latest incarnation of a GIMF outlet taken offline for Terms Of Service. I find it hard to believe WordPress.com staff would do that based on past history but it appears to be the case.

A “member” of Inshallahshaheed’s site was kind enough to drop by and update us on the location of his “new” blog. (What happened to your site archives mate? I hate to see all that good GIMF propaganda wasted.) The new site is located here.

The site used to be at “http://inshallahshaheed.wordpress.com” and then it moved to “http://ignoredknowledge.wordpress.com” after the author (Hi!) deleted it in a panic while trying to cover his tracks online.

Several members of the GIMF are currently being tried in Germany for planning terrorist attacks and several more are being sought.

The last WordPress site looks like this:

We’ll just go have a look at the latest incarnation of the site and have a dose of the ‘ole Salafist Ideology for good measure.

Thanks for the update and best of luck with the new digs.

Updated: Cyber Jihadi Wusses Out

Posted in Counter Terror, Daily Rant, Jihad Denied on September 7, 2007 by Howie

Updated by blackflag:

It’s worth mentioning that the editor of Inshallahshaheed (.wordpress.com) was a known member of Al-Qaeda’s “Global Islamic Media Front” (aka GIMF). Inshallahshaheed is loosely translated into English as “God Willing, Martyr”; an Islamist killed during an act of violent Jihad is considered a Shaheed and is purportedly delivered to Heaven for an everlasting meeting with his 72 Virgins. The GIMF is best known for releasing terrorist training and beheading videos and propaganda to the Internet at large; it is a well known and very effective tool for Al-Qaeda. The editor made very little effort to disguise his involvement with the GIMF after he was recruited by a GIMF operative during the GIMF’s recruitment drive back in June of 2007 (more at the Jawa Report). He was very open in his support of Al-Qaeda and regularly re-posted “news” releases for the GIMF on his blog. It was only when his website was recently mentioned on national television as an Al-Qaeda resource that he panicked and deleted the website himself in an effort to hide his involvement. It’s really too late for that: his site, and its visitors, have been under scrutiny by a multitude of analysts for quite some time. Even though he “deleted” the blog from WordPress.com’s servers, it has been archived and a good portion is still available at the Internet Archive’s “Wayback Machine” as well.

GIMF

I must add that the administrators of WordPress.com were notified by several sources of the existence of GIMF websites (including this one) and chose to take no action until public outcry and media attention was such that it forced a take down. Understandably they can’t discuss this aspect of their business with the public at large but their response has historically been less than timely when notified of a terrorist website using their services. Considerations of “Free Speech” aside, it is illegal (United States Code, Title 18, Part I, Chapter 113B, § 2339B) for a U.S. based technology services provider (like WordPress and Blogspot) to knowingly provide services to a known Foreign Terrorist Organization.

If this particular GIMF operative doesn’t get the attention he deserves from the .gov he will almost certainly return to his Jihadist ways once media attention cools down. When he does the usual group of civilian analysts will be there to monitor and archive his activities as always.

Howie:

The al-Qaeda supporting slime-bucket who ran The Ignored Puzzle of Knowledge on wordpress was starting to feel the heat. The mujahasbeen scumbag wussed out and deleted his own blog. It won’t help him as the Zionist Internet Cabal has been watching him. He’s toast baby. Expect an update with an arrest soon.

Via The Jawa Report: I promised myself that I wouldn’t give my ‘friend’ Inshallahshaheed from the WordPress hosted al Qaeda support website ‘The Ignored Puzzle of Knowledge’ any more press than he deserves. Inshallahshaheed is at the center of a network of online jihadis that include convicted terrorist Daniel Joseph Maldonado, aka Daniel al Jughaifi. WordPress continues to host the convicted terrorist’s website. After complaining to WordPress on dozens and dozens of occasions about Inshallahshaheed I pretty much gave up on getting them to play ball. But I also knew that Inshallahshaheed was being investigated, not by the FBI, but by other interested parties. So I stopped writing about that particular website and even discouraged others (like Weasel Zip) from writing about it. Except, of course, in passing reference.

Earlier today, though, I noted that Rabbi Abraham Cooper mentioned the website at a Simon Wiesenthal Center sponsored event. It now seems that the FBI are taking the website seriously. Finally.

Here’s what his website looks like now. We have a little message for him.

Updated: “Hamas: Operating in Iraq and Hosted in the United States” Site Down.

Posted in Counter Terror, Daily Rant, Jihad Denied on July 12, 2007 by blackflag

The website of Hamas-in-Iraq that I covered in this story is down, many thanks to HostDepartment LLC for their prompt action and respect for U.S. Federal Law.

hamas iraq suspended

Thanks to the Jawa crew for helping out behind the scenes with this one as well.