Posts Tagged ‘Anonymous’

Is Trend Micro correct in its #OpIsrael ‘Botnets Involved in Anonymous DDoS Attacks’

April 17, 2013
OpIsrael DDoS spike: 7 April

Trend has done an analysis of #OpIsrael attacks on April 7. It notes that on that particular day, traffic to one particular website, normally around 90% Israeli, became 90% international due to the botnet DDoS attacks.

This increase in non-Israeli traffic was well distributed, with users from 27 countries (beside Israel itself) accessing the target site.

This is factual and we can take it at face value from a company like Trend. The next comments, however, start with fact but end in interpretation:

[fact] Examining the IP addresses that had accessed the target site, we noticed that some of these were known to be parts of various botnets under the control of cybercriminals. In addition, further investigation revealed that these IP addresses had been previously identified as victims of other attacks like FAKEAV, ransomware, and exploit kits.

[opinion] These findings highlight how major DDoS attacks are, at least in part, not just carried out by hacker groups like Anonymous but by cybercriminals as well. These attacks are not nearly as “harmless” as some would think.

The interpretation is that because a particular PC is known to be infected with a bot, participation in the DDoS attack against Israel was necessarily under the direction of the botherder criminal. But an alternative interpretation could be that the PC owner, entirely independently, decided to take part in the protest. (This is unlikely given the need to hide the source IP during such a protest.) Another possibility, however, could be that an activist protester, not otherwise a criminal, could have hired a botnet from a criminal, not otherwise an activist.

My point is that the final comment (“major DDoS attacks are, at least in part, not just carried out by hacker groups like Anonymous but by cybercriminals as well”) is a non sequitur from the preceding argument. Trend may be right, but it should not be making such a bald statement without further ‘proof’.

It highlights a danger we all face as we shift our news intake from traditional newspapers to blogs: the automatic acceptance of an opinion as fact. Blogs, for their part, should draw a distinction between fact and opinion – and the conclusion of this particular blog should be clearly labelled ‘opinion’.

israel-trade.org got hacked – israeltrade.org did not

April 7, 2013

There’s a really nice hack of israel-trade.org – visually very, well, nice. And coming at the beginning of the ‘Anonymous’ war on Israel, I suppose it is only to be expected.

Nice hack design on israel-trade.org

Thing is, I’m not sure whether saying ‘you’re hacked’ on your own website is genuine hacking…

There is a very similar sounding site called israeltrade.org – and that site is still (at least at the time of writing this) running fine.

israeltrade.org still running…

But israel-trade.org got got – and oh look – it only took the hacker a couple of hours from registration to hack…

israel-trade whois

A rather late April Fool joke on the media, I suspect.

If Izz ad-Din al-Qassam is the Iranian government, does that mean that Anonymous is the US government?

January 13, 2013

Incapsula recently reported that it discovered one of its clients was being used to launch DDoS attacks against US banks. It doesn’t say, but it seems likely that the DDoS tool was the same ‘itsoknoproblembro’ that I reported on in Infosecurity Magazine here, currently in use by an Iranian hacking group calling itself the Izz ad-Din al-Qassam Cyber Fighters.

Most of the media that has picked up on the Incapsula story consciously or unconsciously links it to a separate concurrent story in the New York Times:

But there was something disturbingly different about the wave of online attacks on American banks in recent weeks. Security researchers say that instead of exploiting individual computers, the attackers engineered networks of computers in data centers, transforming the online equivalent of a few yapping Chihuahuas into a pack of fire-breathing Godzillas.
Bank Hacking Was the Work of Iranians, Officials Say

The whole article can be consigned to the category of sensationalist journalism, well beneath what we should expect from the New York Times. The purpose, however, is very simple: “There is no doubt within the U.S. government that Iran is behind these attacks,” said James A. Lewis, a former official in the State and Commerce Departments and a computer security expert at the Center for Strategic and International Studies in Washington.

The purpose behind this and many similar articles – on both sides of the Atlantic – is to put cyberfear into the hearts of the people. This then justifies the introduction of more and more draconian legislation and more and more surveillance from the US and European governments on their own people. Just read the press and see how many threats are coming from Iran and China. Mostly, the implication rather than anything else is that these threats are government sponsored; that is, it is the Iranian government and the Chinese government that is behind them all.

That, frankly, is baloney. It is targeted fear-mongering by our own governments.

The reality is that the Iranian and Chinese governments are most likely aware, and possibly tolerate the existence and aims, of these hacking groups – but there is no evidence that they are behind them. The same goes on in the West. The hacktivist known as Jester shares the same views as the US government. He attacks Muslim websites, and anyone he believes ‘disses’ US government policy (such as WikiLeaks and Cryptocomb). When he took down Cryptocomb, the site put up the notice: ‘Cryptocomb will be back after the state sponsored attack ends.’ It beggars belief that neither the FBI nor DHS knows the identity of Jester – but it doesn’t benefit their policies to arrest him; so they don’t and won’t. I have no doubt that the same goes on in Iran and China – but that doesn’t mean that governments are directing the attacks.

David Graham makes a valid point.

When Muslims claim the offensive “Innocence of Muslims” video is state-sponsored by the U.S. government, we know their conspiracy theory is silly.
State sponsored attack: a howto guide

But when Muslim activists retaliate, we immediately accuse the Iranian government. Strange.

But it’s not at all strange. The simple fact is that US and EU law enforcement agencies are using the attacks to justify increased ‘counter-terrorism’ budgets, and increased home surveillance and control. And articles like this from the New York Times will help them. Calling Izz ad-Din al-Qassam an arm of the Iranian government is similar to calling Anonymous a branch of western governments because it has supported the Syrian rebels against Bashar al-Assad.
