Hired guns: Cyberwar PsyOps, Part 2
With account credentials obtained [allegedly] through malware driven account hijacking and admin level overrides, the Tunisian government has wiped blog content clean, disrupted Facebook and other social media sites, and created a furor expressed in protesting in the streets.
Al Jazeera reported earlier this week:
The Tunisian authorities have allegedly carried out targeted "phishing" operations: stealing users passwords to spy on them and eradicate online criticism. Websites on both sides have been hacked.
Sofiene Chourabi, a journalist for Al-Tariq al-Jadid magazine and blogger known for his unabashed criticism of the Tunisian authorities, has been unable to recover his email and Facebook accounts after they were hijacked several days ago. The first attempted hijacking of his Facebook account happened last week. Chourabi says he believes the Tunisian Internet Agency is responsible for hijacking his accounts. The agency has blocked access to his Facebook wall since October 2009, and his blogs are also unreachable from within Tunisia.
Another activist who was caught in the phishing campaign is a Tunis-based man, who goes by the name of Azyz Amamy in the online world. Amamy told Al Jazeera in a phone interview that his Facebook and email accounts had been hijacked on Monday. Amamy was able to recover both accounts within two hours, after Facebook and Gmail responded to his request. Two hours was enough time for the authorities to get the login information for his four blogs from his email accounts, deleting all the content.
Because this exposure is counter to the regional culture's norm, the government's rule of law becomes jeopardized and authority is perceived as being undermined. Understanding this cultural authoritative backlash against open communication is critical in understanding why this cyberwar is occurring.
Hired guns respond: Western-based citizen DDoS cyber attacks
In cyberspace, the DDoS engines that formerly directed Operation Payback are currently hammering away at the Tunisian government, controlled under #Anonymous, #LOIC and #Anonops with a manifesto which partially reads:
"This is a warning to the Tunisian government: attacks at the freedom of speech and information of its citizens will not be tolerated. Any organization involved in censorship will be targeted and will not be released until the Tunisian government hears the claim for freedom to its people."
While this is not the actions of a Cyber-PMC, our Hired Guns section deals with the communities which can effectively coordinate and carry out politically motivated cyber attacks – cyberwarfare for the masses.
Cultural consequences of DDoS loss of face
The loss of face in the Arab cultures was well documented in one CIA in this study. One example from this publication I noted in the previous article applies:
There is a proverb in Chinese which can be roughly translated, "Point at the chicken to scold the dog." On its face incomprehensible to the Westerner, it means that if the dog has done something wrong you should berate the chicken in his presence in order to get at the wrong-doer without causing undue embarrassment. The chicken is not embarrassed because everyone knows it was not he who did it, and the dog does not lose face through public shame or direct censure.
This should put defacement into proper perspective: Even though it may be perceived as internet graffiti, to other parts of the world any loss of face is much more value-added. I repeat this here because it is critical to understand that motivation and intent behind an attack are often hard to articulate.
CIOs: Persistent threat assessment
As most experts state, cyberwar is the persistent threat of 2011.
Do a threat assessment based on your industry and customer profiles. Ramp up your defensive procedures in case the low orbit ion cannons of protest single your business out for DDoS.
Look at the motivation for defacement differently with a cultural twist. If an equivalent to the Iranian Cyber Army happens to deface your page, consider the full implication of this being more than just graffiti. Take it with a grain of salt if you must, however reporting the act to the IC3.gov will aid global efforts against cyberwarfare, therefore I urge you to consider adding the reporting step into your procedures.
Attend free first responder training. Consider sending one or more of your IT folks to the regional and [often] no cost Cyberterrorism First Responder trainings that DHS does.
Cyberwar trend will continue to climb
There's a bit of naiveté involved with this DDoS approach, however well meaning it is. The brief point is that it is illegal in most countries. Whether or not those countries choose to prosecute [eventually] is another point entirely.
Personally I wouldn't take my chances on a federal charge. So don't do It.
Either way, community driven cyberwarfare tactics like the low orbit ion cannon (#LOIC) are here to stay. The ramifications, however, are larger in scope than the participants believe. There will be indictments from federal agencies to make examples out of some participants, and this will be mandated by the State Department to keep the peace between allies who are irritated at our personal freedoms when they negatively impact the allies' backyard. Think of it as a kinder, gentler Hezbollah from the U.S. and EU.
While this type of attack was pioneered by the Russia vs. Estonia and Russia vs. Georgia conflicts, in the future I would expect this to become a growing trend due to its successful distributed model.
Where I would expect it to go kinetic is in the top tier of commanders of this meat-net army. Somebody somewhere has the passwords and access, and that person (or persons) is a target for identity theft in the worst possible way, up to and including extraction.