Radware’s ERT Analyzes ‘Operation Ababil’ – and Wonders Who Was Really Behind the Attacks?

BACKGROUND:

On September 18, 2012 a group called ‘Cyber fighters of Izz ad-din Al qassam’ called on hacktivists around the world to join a cyber-attack campaign that targeted American financial institutions.  The group said the attacks were in response to a YouTube video that sparked demonstrations and violent protest in Muslim countries around the world.  The attack campaign was named ‘Operation Ababil’ which was also the name of a failed Pakistani military operation that occurred in April, 1984.

The attack was split into two major stages, the first stage of the attacks targeted Bank of America and the New York Stock Exchange.  The second stage of the attack targeted J.P. Morgan Chase. That entire attack campaign lasted for five days in which all the proclaimed targets have been attacked.

ERT OBSERVATIONS:

These recent attacks were investigated and analyzed by Radware’s ERT (Emergency Response Team) and reached the following conclusions:

1. The same attackers were behind at least two of the attacks. We can conclude this based on the attack traffic and the pattern of the attacks.
2. The actual attack traffic didn’t contain the attack tool that was published for use.  In its postings, Cyber fighters of Izz ad-din Al Qassam published several attack tools including the Mobile LOIC Apache Killer version.  That tool was not present in the observed attack traffic, however, meaning it is possible that the Cyber fighters of Izz ad-din Al Qassam group was NOT behind the attack after all, or that it didn’t manage to recruit supporters to its attack who were willing to use the Mobile LOIC attack tool.
3. During the attacks the attackers managed to generate very high throughput of Denial of Service (DoS) attack traffic. We believe that in order to generate such a massive amount of traffic, the attackers utilized many computers and probably a large botnet.
4. To make a political statement and garner media attention, hacktivists target top financial institutions, such as attacks on the Bank of Israel earlier this year. It seems that beyond government agencies, high profile financial institutions are at higher risk to be attacked during a cyber war.

TAKE AWAYS

Attacks are falling more and more into the advanced persistent threat (APT) category and target specific entities or industries. (At least one of these attacks lasted almost five days.) Organizations today are not capable of handling such a long period of attacks, and should rethink their best practices to handle these persistent attacks and build a security team that can resist such protracted events.