Cyberwar PsyOps Analysis: Egypt 2011


Sitrep Egypt: 2011

The crockpot turned cauldron of the Middle East was kicked into high gear by crackdowns on social media. Last week in three blog posts, two for Cybercrime Corner, and one for Securing Our eCity, I analyzed regional social media policies.

From Libya to Egypt, the North African coast has become a region of unrest after seeing corruption [alleged] exposed in Tunisia by WikiLeaks-released cable traffic from the U.S. Department of State.

YouTube videos, Facebook pictures and Twitter slogans captured the imagination of millions around the world and served as testaments to the brutality of political orders bereft of mercy. [Iranian.com]

Twitter tags #Jan25 and #Egypt related events faster than the news cycle for Vietnam, and even faster than both Gulf Wars. With a cell phone and internet communication technology (ICT), everyone's a reporter. Everyone's a photographer.

Global Voices, a source I used recently for my Tunisia story, relates one tale from Egypt which underscores digital devices in the combat zone:

I had my dear iPhone in hand, and I was trying to take photos or record videos, until I got surrounded by a large enough amount of soldiers who started beating me ferociously with their sticks, delivering painful blows on my head, face, stomach and legs.

In fact, Egypt's internet went down yesterday just a few minutes after this video denoting the death of a protester was posted by Associated Press. Violent reprisals are everywhere.

The world is watching and organizers are quick to adapt. As noted in Egypt Protests 2011,

A lot of Twitter coverage on #jan25 is in English, suggesting that it is being used for amplification and international news purposes, rather than for organizational purposes on the ground. Metaphorically as well, social media present a rooftop vantage.

Result: a lot of voices, but which ones are worth following is hard to determine. There's a niche here. Those who report accurately are linked to, which raises their credibility in aggregators like topsy.com.

Is cellular data a risk to totalitarian governments?

While this is a short-term solution to a larger problem, expect tactics on the government side to grow in sophistication as each Islamic country becomes the focus of protests. The cellular phone networks are now the platform of choice because of the four billion cellular devices in use globally.

Read: SC Magazine's recent article talking about the vulnerabilities

Here are a couple of attack methods which could counter Twitter or other SMS / MMS text messaging social media platforms:

Caller ID spoofing – Briefly covered in a 2010 Cybercrime Corner article, the technology to spoof caller IDs could be used to spam/DoS the most credible Twitter resources. In conjunction with an online DoS, this could be used in an attempt to shut down Twitter. According to one industry expert, the governments in North Africa and other regions may have the ability to filter the Tweets coming from cell phones.

Cell phone bricking – If there are vulnerabilities in mobile devices, expect nation-states under duress from protesters to use a kill switch built into most cellular devices. In 2010, I collaborated with ESET's Aryeh Goretsky, McAfee's very first employee, to analyze the attack surface of cellular devices. This included extensive review of the smsanalysis.org supporting research.

Our key finding was simple:

Analysis: Cyberwarfare will probably include DDoS on cellular. If you can interrupt communications on several layers, you can disrupt any operations plan. This is pretty much a Sun Tzu principle applied to cyberwarfare.

Word on the Egyptian street

While Egypt initially resorted to shutting down social media sites, organizers quickly rallied around other internet technologies, shifting their operations so quickly that initial reports from Tweeters in Egypt yesterday stated that the entire internet was coming down.

Let's think about that for a minute – removing the internet technology backbone of commerce is not sustainable, and it will actually add to the problem rather than remove it. Once again this is a matter of the cultural value of saving face rather than personal accountability, as was written about in Cyberwar PsyOps Part 1 and Part 2.

While Jordan, Egypt and Saudi Arabia all have restrictive internet café spycam surveillance, this story should be referenced along with the recent Tunisian crackdown on free speech.

Tunisia and Saudi Arabia are two different cultures, yet the loss of face in the Arab cultures was documented by the CIA in this study, which lends itself to the effectiveness and BDA of the Stuxnet attack – embarrassment in Iran, rather than bombs, has simply been a more effective warfare method.

Outside threats: #AnonOps Hivemind DDoS and others

Earlier Cybercrime Corner analysis on Western-based DDoS attacks:

In cyberspace, the DDoS engines that formerly directed Operation Payback are currently hammering away at the Tunisian government, controlled under #Anonymous, #LOIC and #Anonops with a manifesto which partially reads:

"This is a warning to the Tunisian government: Attacks at the freedom of speech and information of its citizens will not be tolerated. Any organization involved in censorship will be targeted and will not be released until the Tunisian government hears the claim for freedom to its people."

This week, AnonOps shifted its fire to the #OpEgypt target. Recently it was called off due to the internet being completely taken down by the Egyptian authorities.

Battle damage assessment: Egypt 2011

BDA for the entire blended attack is zero internet communication, or near zero. I'm surprised that AnonOps doesn't realize that in warfare you don't cease operations until the job is done, but a quick look at their targeting feed shows that four new targets took priority less than 40 minutes ago: Twitter, Facebook, and Google. As of 0930 PST:

wikileaks_pp: DNS -> 8.8.8.8 / Twitter-> "128.242.240.52" Facebook-> "69.63.189.34" Google-> "72.14.204.99" #Egypt #OpEgypt -> plz RT

I'm at a loss to understand why these targets are related to Egypt, but one key factor in all these hiveminds is that co-opting the account of the main influencers (or physically putting a gun to their head) will gain temporary control of a lot of the hive who simply follow orders.

[UPDATE: Correction: These IP addresses are redirecting web traffic, not redirecting #LOIC attacks.]

Law enforcement action like that taken in the UK is only one risk factor; I wouldn't be surprised to see counter-intelligence operations against these smart-by-half cyberwarfare enthusiasts in the very near future. Word to the wise: Unless you're living in a van down by the river pirating Wi-Fi, being part of #AnonOps is not a healthy long-term choice.

CIOs: Persistent threat assessment

As most experts state, cyberwar is the persistent threat of 2011.

Do a threat assessment based on your industry and customer profiles. Ramp up your defensive procedures in case the low orbit ion cannons of protest single your business out for DDoS.

Look at the motivation for defacement differently with a cultural twist. If an equivalent to the Iranian Cyber Army happens to deface your page, consider the full implication of this being more than just graffiti. Take it with a grain of salt if you must. However, reporting the act to IC3.gov will aid global efforts against cyberwarfare, so I urge you to consider adding the reporting step to your procedures.

Attend free first-responder training. Consider sending one or more of your IT folks to the regional and [often] no-cost Cyberterrorism First Responder trainings that DHS does.
