Pierluigi Paganini April 18, 2013

We all remember the debated attacks of Anonymous collective against Israeli government that targeted various websites of the country last April 7th. The data on the cyber attacks reported by Israel government are really different from the one provided by the group of hacktivists in the damage report for #OpIsrael that account for a Total damage of $3-plus billion damage.

The hackers hit the principal web sites of the country with a series of powerful DDoS attacks, but how the attackers did it?

The most plausible hypothesis is that Anonymous gathered control of a huge quantity of machine infected with a malware.

The researchers in TrendMicro use data collected by the Smart Protection Network, “a cloud-based security infrastructure that rapidly and accurately collects and identifies new threats, delivering instant protection for data wherever it resides.”

Analyzing traffic directed to one of the hit website the expert discovered that meanwhile usually more of 90% of the traffic is originated in Israel, during the attack on April 7th this percentage has fallen to 9%as shown in the following chart:

The attackers haven’t used compromised machines within Israel as usual happen, but the traffic coming from outside the Israeli networks appearing well distributed from 27 countries. The histogram below shows the spike in traffic during the attacks:

As usual I desire to reflect with you on the data:

According to TrendMicro many IP addresses involved in the attacks were related to machine belonging to known botnets under the control of cyber criminals. Which is the link between Anonymous and cybercrime?

Here you are my hypothesis:

• Member of the collective is renting criminal services in the underground, in this way they could be operational in a short time and could avoid to be tracked back. Anonymous hasn’t its botnet and this is a strength because it can thus escape the investigations of security firms.
• Criminal organizations joined in the attacks for other reasons, probably they were instructed to attack strategic objectives or to acquire sensitive information to resell.
• Member of criminal organizations in many countries enjoys coverage governments for whom they conduct cyber operations,  this is nothing new, we all know about the dirty mixture of groups of hackers and central authorities.
• As security community agrees that principal criminal organizations operate in Eastern Europe and in Russia, have you noted that none of these countries would seem to be involved in the attacks? I have your same idea.
• I suppose that many governments were advantaged by the #OpIsrael to conduct attacks under cover  in what I consider an asymmetric and under silent Information warfare. The Anonymous attack could be used as a diversionary tactic that has alienated attention on the real targets of state sponsored hackers.

The investigation added another interesting element, the IP addresses used in the attacks had been previously identified as victims of other attacks like exploit kits, fake antivirus applications and ransomware.

TrendMicro post states:

“These attacks are not nearly as “harmless” as some would think.” “These findings highlight how major DDoS attacks are, at least in part, not just carried out by hacker groups like Anonymous but by cybercriminals as well. These attacks are not nearly as “harmless” as some would think.”

I agree, underestimate these attacks is stupid, these events must be analyzed in detail trying to identify the attackers and related motivations, but above all the real targets of the offensive …

Are we sure the websites hit was really the targets of the attacks? Is it possible that third part actors were silently attacking other infrastructures?

In my opinion Anonymous has received a great and unexpected support from other entities …

Does the collective really want this? I think no!

Pierluigi Paganini

(Security Affairs – Anonymous)