E-Intifada: political disputes cast shadows in cyberspace
3 November 2000
Izhar Lev reports
Asymmetric warfare has long been a favourite tool of terrorist organisations worldwide. The recent suicide attack on the USS Cole is a painful reminder of the ability of a small terrorist organisation to wage war against the most powerful of nations. However, this type of attack is not new. Now, new trends of attack are visible in cyberspace.
The current clashes in the Middle East are casting their shadows on cyberspace. 'Hacktivism', a combination of 'activism' and 'hacking', is not a new phenomenon. The first members of the traditional hacktivist community to use hacking methods were anti-corporate groups. Later, hacker groups such as 'G-Force Pakistan' or the lone cracker, 'Herbless', in the 'defacement scene', translated explicitly ethno-nationalist and political struggles into the electronic sphere. However, denial of service (DoS) attacks similar to the ones that temporarily crippled the cyber-world on 7 February 2000 were not yet seen as a form of hacktivism on a large scale.
Terrorist organisations thrive on media exposure. It is their means of transforming low-impact strikes into world attention, thus gaining exposure for their manifestos. Hizbullah of Lebanon could be referred to as a model terrorist group with regard to their media command. Throughout the last decade, they developed their own newspaper, television and radio stations, filming their operations and broadcasting the footage.
In recent years, Hizbullah have placed themselves on the Internet. In keeping with their media tradition, they have maintained a high-standard, multilingual website, which appeals to the masses worldwide. As a result, Hizbullah's web presence has become a strategic asset and therefore a potential vulnerability. Attacking Hizbullah's websites directly damages their media coverage.
In response to the kidnapping of three Israeli soldiers, on 6 October 2000, Israeli vigilantes established a website dedicated to providing information and guidance, including DoS tools, for conducting cyber-attacks against the Hizbullah website. On 16 October, the Israelis claimed that the main Hizbullah site was 'down' because of previous attacks and that Hizbullah's alternate site had become the current target. Since then, the alternate Hizbullah site has also been disabled and the vigilantes have changed their focus and posted new targets, including websites related to Hamas and the Palestinian Authority (PA).
The vigilante site was dynamic and well maintained. Initially, the site was crudely designed, with the text originally written only in Hebrew in a relatively old-fashioned way, suggesting that the author might be middle-aged, or possibly someone for whom Hebrew is a second language.
Following the kidnapping of an Israeli civilian in Switzerland, the site was updated. Since 15 October the site has been updated at least three times, with English text added, a mailing list for updates created, and a list of targets and successful attacks posted. Originally, the site posted a disclaimer warning surfers about the illegality of the DoS tools, but this was later removed. As of 26 October there were 24,772 hits logged on the site.
The Internet Service Provider (ISP) hosting this anti-Hizbullah site is based in the USA. The Lebanese Daily Star reported that the Hizbullah webmaster, Ali Ayoub, has already e-mailed the American ISP to complain about the illegal action. It now seems that either the website was taken down by the hosting ISP or was crippled by counterattacks.
Since the Israeli website was established, other similar websites have been set up. Particularly interesting is a site called 'Hizbullah - No More!' The site is similar to the one set up following the kidnap of the Israeli soldiers, but much more commercial, containing news updates, a 'virtual-attack status room', download options for DoS tools, user-friendly web-attack options, articles, a chat room, links and ads. The site is targeting Israelis and is published only in Hebrew. To date, there have been 22,253 hits logged on the site counter.
The Hizbullah webmaster, Ayoub, told Reuters that: "[We] have names of 8,521 servers mainly in these two countries [Israel and USA] that have been hitting our website regularly and sending us simultaneously tens of thousands of hostile e-mails, some of them carrying viruses to sabotage our server."
Ayoub went on to state that: "[We] noticed that the number of hits on our website increased significantly at the beginning of the month after we started showing live video clips and information about the killing of Palestinians by Israeli soldiers in the West Bank and Gaza. The number increased to nine million hits per day, mainly from Israel, the United States and to a lesser degree from Canada and South Africa. It became a real e-mail bombing."
Admitting that Hizbullah considers their website an important tool in their campaign against Israel, Ayoub declared: "[We] will never give up the Internet. We have successfully used it in the past when we showed video clips and pictures of the damage caused by Israeli bombings on Lebanon." In order to sidestep Israeli attacks, Hizbullah established several alternative sites, but announced it will not resort to illegal cyber counterattacks.
There have also been claims in various newsgroups that a Hizbullah website was 'occupied' by pro-Israeli hacktivists and is currently serving as a platform for Israeli protest against Hizbullah and Arab attacks. However, it should be noted that the Uniform Resource Locator (URL), while very similar to the original Hizbullah site, is not the same one. A close inspection of the original hosts of both sites indicates that the false site, which is hosted by an American ISP, is not a bona fide Hizbullah site. It may be a site set up by Israeli vigilantes for the express purpose of registering a propaganda victory or to direct potential traffic away from the genuine Hizbullah website.
From the other side, pro-Palestinian hacktivists, especially students, from around the world have been launching counter-attacks that can be divided into three categories: propaganda, DoS attacks and cracking websites. Propaganda campaigns consist of establishing and using existing websites to convey an anti-Israeli message.
Another form of propaganda emerged on 12 October 2000 when a pro-Palestinian hacktivist defaced an Israeli academic site protesting against Israeli activities in recent weeks. Textual analysis suggests that the defacer is not a native English speaker, but is clearly well-educated. Although 'Dodi' calls for the cyber-destruction of the Israeli Internet infrastructure, he attacked a low-profile academic institute, probably because of its lack of security. Following the initial incident, 'Dodi' defaced other sites with similar anti-Israeli and anti-US messages.
Particularly interesting is the last 'Dodi' defacement on 21 October. The cracker claims to have disabled NetVision, Israel's biggest ISP, in retaliation for the Israeli attack on the Hizbullah website. 'Dodi' later claimed that the Israeli Ministry of Defence (MoD) and the Israel Defence Force (IDF) sites were hosted by NetVision, and that they were also disabled. As proof of his deeds, 'Dodi' provided a trace-route table, showing that 86% of data-packets were lost from a ping on his host machine. This proves that a successful DoS attack took place.
In keeping with the dynamic nature of the cyber-world, cyber-attack websites were also established by pro-Palestinian hacktivists, successfully attacking official Israeli sites and counter-attacking the Israeli anti-Hizbullah sites. The Israeli right-wing party, Likud, has also been subjected to a barrage of offensive e-mails, known as a 'spamming attack'.
The Israeli newspaper Ha'aretz reported that numerous attacks have been launched against NetVision, and that governmental and military sites - including the IDF, the prime minister's office, the Knesset, and the foreign office - hosted by NetVision computers were disabled. The Associated Press reported that, in the case of the attacks against the Israeli parliament website, there is evidence that crackers broke into and tampered with files. NetVision Chief Executive Officer Gilad Rabinowitz told Ha'aretz that the attacks are fierce and highly sophisticated. Preliminary investigations suggest that the sources of the attacks were from all around the world, with significant numbers from neighbouring Arab countries.
A NetVision official told JIR that, due to direct attempts to crack official websites, NetVision had to temporarily remove them from the Internet in order to enhance their data security. Whatever the case, the severity of the attack caused the IDF to hire AT&T as a back-up ISP. There are indications, however, that AT&T is now threatened with a boycott by pro-Palestinian Americans. The National Infrastructure Protection Center (NIPC) warning that the Middle East cyber-war could spill over onto US sites, particularly those hosted by AT&T, underlines the fact that disputes in cyber-space cannot be contained.
Izhar Lev is a Researcher at the International Centre for Security Analysis. Visit www.icsa.ac.uk
