
Islamic State of Iraq and Syria (ISIS) a Global Threat: Analysis of the Effects on Cyberspace of the Iraqi Situation

July 8, 2014 by Pierluigi Paganini

What is ISIS and why is it menacing the world?

The Islamic State of Iraq and Syria, also called the Islamic State of Iraq and al-Sham (ISIS), is an unrecognized state and a Jihadist militant group operating in Iraq and Syria. The group claims religious authority over all Muslims and aspires to a macro state that includes many countries in the Middle East: Cyprus, Jordan, Kuwait, Israel, Lebanon, Palestine, and part of Syria. ISIS is known for its uncompromising interpretation of Islam. The group is responsible for brutal violence against Shia Muslims and Christians.

ISIS acquired great popularity last year. The group stems from a clash inside al-Qaeda during the civil war in Syria, when it fought against another Jihadist group, Jabhat al-Nusra (the al-Nusra Front), which was very active against Bashar Assad. In 2014, the relationship with al-Qaeda was severed because of the conflict with the al-Nusra Front, which is supported by the al-Qaeda leader al-Zawahiri.


In June 2014, the Islamic State of Iraq and the Levant (ISIS aka ISIL) and aligned forces started an offensive in the northern area of Iraq against government forces.

Many mercenaries joined the forces aligned with ISIS. The group created by al-Baghdadi has great appeal among young foreigners, especially Western youngsters who have converted to Jihad. According to Peter Neumann at King's College London, 80 percent of the foreign fighters in Syria have gone with al-Baghdadi.

With a series of attacks, ISIS and aligned forces conquered many cities, including Samarra (June 5th), Mosul (June 9th) and Tikrit (June 11th).

The Iraqi military left the areas, and on June 13th, Kurdish forces took control of the oil hub of Kirkuk in the north of Iraq. By late June, the Iraqi government had lost control of its border with Jordan and Syria.

Figure - Map showing area in Iraq and Syria under ISIS control as of 18 June 2014 (The Guardian)

The Iraq war and its impact on cyberspace

As usual, it is very interesting to study the dynamics in cyberspace to collect further information about the events and to understand the actors involved and their tactics. In these weeks, the Iranian government has offered complete support to the Iraqi government, committing its special forces, the Quds Force, to the operation. The US is also involved in the operations in Iraq, mainly for surveillance activities: American armed drones currently patrol the skies above Baghdad.

US and senior Iraqi officials confirmed that Iran is offering the government of Prime Minister Nouri al-Maliki its total military support, including highly trained irregular units of its revolutionary guard corps. The commander of Iran's elite Quds Force has already arrived in Baghdad to prepare a counteroffensive.

Concurrently with the recent disorders in Iraq, security experts have noticed an increase in illegal cyber activity originating from IP address ranges assigned to Iraq, as well as an increase in hacktivist campaigns related to the dispute in the area.

Figure – Disorders

Malware infections and network monitoring

IntelCrawler, a US-based cyber threat intelligence firm, has recently published an interesting post in which its experts analyze the repercussions of the Iraqi civil disorders on cyberspace. The researchers analyzed activity within the Iraqi ISP industry, discovering a significant increase in the number of cyber attacks during recent months. They observed a significant number of botnets using dynamic DNS services, a circumstance that could be related to ongoing cyber espionage campaigns against systems in the area.

The attackers used dynamic DNS services (e.g. "no-ip.biz" and "zapto.org") so that the malware running on infected machines in the country could reach its Command & Control servers by hostname; because the IP address behind such a hostname can be changed at will, the C&C infrastructure can be moved to avoid detection.

"The increased activity correlates with other geopolitical conflicts where state-sponsored activities in cyberspace try to affect outcomes on the ground. Most of the identified malicious domain names used for C&C communications were registered using free public DNS providers. The resolved IP addresses were related to subnets of various regional ISPs in Iraq, such as GORANNET, IQ-EARTHLINK, IQNETWORKS, IQ-NEWROZ and IQ-TARINNET," states the blog post.

According to data provided by IntelCrawler, the malicious traffic was mainly concentrated in four Iraqi cities: Baghdad, Erbil, Basra and Mosul. The capital is of course the location with the greatest concentration.

Figure - Geographic distribution of malicious traffic affecting Iraqi ISPs (IntelCrawler)

The breakdown of malicious activity by Internet Service Provider shows that GORANNET was the ISP involved in the majority of malicious activities.

Figure - Malicious activity by ISP (IntelCrawler)

The bad actors involved in the observed cyber attacks mainly used a popular RAT, dubbed njRAT, which allows attackers to gain complete control over victims' machines.

In March 2014, experts from Symantec observed the growth of indigenous groups of attackers in the Middle East that adopted njRAT for their attacks. Unlike other RATs, the malware is developed and supported by Arabic speakers. Symantec noted that several groups of bad actors have used the RAT to target government entities in the region.

"Symantec analyzed 721 samples of njRAT and uncovered a fairly large number of infections, with 542 control-and-command (C&C) server domain names found and 24,000 infected computers worldwide. Nearly 80 percent of the C&C servers were located in regions in the Middle East and North Africa, including Saudi Arabia, Iraq, Tunisia, Egypt, Algeria, Morocco, the Palestinian Territories and Libya."

Figure - njRAT infections (Symantec)

Note that, according to Symantec, the majority of the C&C server IP addresses were traced to ADSL lines used by home users in the Middle East.

The Electronic Frontier Foundation (EFF) and Citizen Lab found that njRAT was widely used to target Syrian opposition groups during the Syrian conflict.

Of course, the attackers used social engineering techniques to lure victims into visiting an infected URL or opening malicious files. Researchers at IntelCrawler isolated many malware samples containing strings such as "النصر لنا", "النصر لنا هجوم" and others that point to the political motivations behind the targeted cyber attacks.

The malware includes the most common data-stealing features, such as screen grabbing, keylogging and the ability to download and execute further malicious code on infected systems.

The following table lists the Command and Control servers hosted on ISPs in Iraq.

FQDN                              IP
http://njrat7777.no-ip.biz/       91.235.168.183
http://sajad999.no-ip.biz/        37.238.161.119
http://rexhacker.no-ip.org/       37.236.204.157
http://hackerrr0000.no-ip.biz/    91.235.168.149
http://alihussain.no-ip.biz:9988  37.239.248.37
http://hpyassin.no-ip.biz:81      37.17.129.46
http://chrome-update.sytes.net    37.238.176.71
http://safanaali1.no-ip.biz       37.238.29.27
http://a7zaan.no-ip.biz           37.236.76.68
http://younisdeaaa.zapto.org/     62.201.203.109
http://gaseem.zapto.org/          37.239.64.193
http://hackid12.no-ip.biz/        37.237.136.208
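The practical use of a table like the one above, and of the observation that the campaign leaned on dynamic DNS providers, is to check local DNS telemetry against it. The script below is an added example written for this article; it is not IntelCrawler's or the author's code. It takes the C&C hostnames and resolved IPs exactly as listed in the table, plus the dynamic DNS provider suffixes that appear in it, and scans DNS resolver log lines in a constructed, assumed format ("timestamp client qname -> answer"). Exact hostname or IP matches are reported as high-severity hits, while any other query under those dynamic DNS providers is reported as medium severity for analyst review, since the providers themselves are legitimate and most of their users are not attackers. The sample log lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# C&C entries exactly as published in the article's table (URL form -> resolved IP).
ARTICLE_C2 = {
    "http://njrat7777.no-ip.biz/": "91.235.168.183",
    "http://sajad999.no-ip.biz/": "37.238.161.119",
    "http://rexhacker.no-ip.org/": "37.236.204.157",
    "http://hackerrr0000.no-ip.biz/": "91.235.168.149",
    "http://alihussain.no-ip.biz:9988": "37.239.248.37",
    "http://hpyassin.no-ip.biz:81": "37.17.129.46",
    "http://chrome-update.sytes.net": "37.238.176.71",
    "http://safanaali1.no-ip.biz": "37.238.29.27",
    "http://a7zaan.no-ip.biz": "37.236.76.68",
    "http://younisdeaaa.zapto.org/": "62.201.203.109",
    "http://gaseem.zapto.org/": "37.239.64.193",
    "http://hackid12.no-ip.biz/": "37.237.136.208",
}

# Dynamic DNS providers that appear in the table. Queries under these zones are
# not malicious by themselves, so they only get a medium severity for review.
DYNDNS_SUFFIXES = ("no-ip.biz", "no-ip.org", "zapto.org", "sytes.net")


def normalize_host(url_or_host: str) -> str:
    """Reduce a URL (with scheme, port, path) or bare hostname to a lowercase hostname."""
    s = url_or_host if "://" in url_or_host else "//" + url_or_host
    host = urlsplit(s).hostname or ""
    return host.lower().rstrip(".")


# Lookup structures derived from the table: hostname -> IP, and the set of IPs.
C2_HOSTS = {normalize_host(u): ip for u, ip in ARTICLE_C2.items()}
C2_IPS = set(C2_HOSTS.values())


@dataclass
class Hit:
    line_no: int
    client: str
    qname: str
    answer: str
    severity: str
    reason: str


# Assumed resolver log format (constructed for this example):
#   <timestamp> <client_ip> <queried_name> -> <answer_ip>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)$")


def classify(qname: str, answer: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (severity, reason) for one query/answer pair, or (None, None) if clean."""
    host = normalize_host(qname)
    if host in C2_HOSTS:
        return "high", "hostname in published C&C list"
    if answer in C2_IPS:
        # Catches a C&C IP reached through a hostname not in the list.
        return "high", "resolved IP in published C&C list"
    if host.endswith(tuple("." + s for s in DYNDNS_SUFFIXES)):
        return "medium", "dynamic DNS provider seen in campaign"
    return None, None


def scan(lines: List[str]) -> List[Hit]:
    """Scan log lines and return every hit; lines that do not parse are skipped."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, qname, answer = m.groups()
        severity, reason = classify(qname, answer)
        if severity:
            hits.append(Hit(n, client, qname, answer, severity, reason))
    return hits


# Constructed sample resolver log: internal clients are RFC 1918 addresses.
SAMPLE_LOG = [
    "2014-06-20T10:01:02Z 10.0.0.5  njrat7777.no-ip.biz     -> 91.235.168.183",
    "2014-06-20T10:01:05Z 10.0.0.7  chrome-update.sytes.net -> 37.238.176.71",
    "2014-06-20T10:01:09Z 10.0.0.9  myhomecam.zapto.org     -> 203.0.113.8",
    "2014-06-20T10:01:12Z 10.0.0.5  www.example.com         -> 93.184.216.34",
    "2014-06-20T10:01:15Z 10.0.0.11 update.example.net      -> 37.239.64.193",
    "malformed line that should be skipped",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: [{h.severity}] {h.client} -> {h.qname} ({h.answer}): {h.reason}")
```

Note the entry "chrome-update.sytes.net": the hostname is chosen to look like a browser updater, which is exactly why matching on the resolved IP as well as the name is worthwhile. For production use the hostname list would be loaded from a feed rather than hard-coded, and the medium-severity dynamic DNS hits would be baselined against the organization's normal traffic before alerting on them.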

The experts at IntelCrawler also noticed a significant number of compromised SOHO routers with IP addresses assigned to Iraq. Bad actors compromised the routers through large-scale exploitation of UPnP vulnerabilities and by brute-forcing the devices' administration consoles.

The experts suspect that such a large number of SOHO devices compromised in the same area could indicate the construction of a surveillance network for Internet traffic control in the region.

A valuable source of information, as usual, is Tor Metrics, a series of indicators that can help analysts understand the use of the Tor anonymizing network in the area and the alleged existence of monitoring activities. I produced a graph of the number of users connecting directly from Iraq. It shows that the number of users rose from 1,000 in June to more than 15,000 in the middle of June. This data confirms that a growing number of users are accessing the Tor network to avoid Internet surveillance in Iraq, which is likely to have been reinforced during the recent disorders.

Figure - Directly connecting users from Iraq (Tor Metrics)

Who is behind the attacks and what is the motivation?

The number of groups located in Iraq and involved in illegal activities has increased noticeably. Political and religious motivations are the primary reasons for participation in the cyber operations.

Although the experts make no explicit reference to the bad actors involved in the attacks, given the nature of the malware used, it's my opinion that neighboring countries like Syria, but also Israel and Western countries, could be interested in collecting information on the events in Iraq. The cyber espionage probably also targeted government entities, but there are no reports confirming any malicious activities against the Iraqi government.

"Most appear united with Egyptian, Libyan, Lebanese, Iranian, Syrian and various distributed Islamic groups performing targeted attacks because of religious and political motivation supported by state parties," states IntelCrawler.

The experts noted the participation of groups of cyber mercenaries operating from many other countries in the ISIS area.

Hacktivism: Anonymous vs ISIS

Another element of great interest for security analysts is the activity related to groups of hacktivists, mainly for two reasons:

  • For their direct involvement in cyber operations that could disclose sensitive information during the cyber attacks.
  • Because state-sponsored hackers could benefit from the cyber campaigns of hacktivists to organize cyber attacks on strategic targets while remaining in the shadows.

The popular hacktivist collective Anonymous has announced a new campaign, dubbed Operation NO2ISIS, against some nations it accuses of funding or arming the radical Islamic terror group ISIS. In particular, Anonymous will target three states suspected of offering support to the Islamic State of Syria and al-Sham (ISIS). Anonymous is running a recruiting campaign to organize a series of major attacks against the digital assets of its enemies.

Figure - Manifest for Anonymous #OpNO2ISIS

Saudi Arabia will be one of the targets, as it is suspected of supporting ISIS and terror groups, even though the government has denied any involvement in the activities of ISIS.

Other possible targets include Kuwait and other nations in the Middle East thought to have funded ISIS in the past.

"We plan on sending a straightforward message to Turkey, Saudi Arabia, Qatar and all other countries that evidently supply ISIS for their own gain … In the next few days we will begin defacing the government websites of these countries so that they understand this message clearly … We are unable to target ISIS because they predominately fight on the ground. But we can go after the people or states who fund them," a member of Anonymous told Forbes journalist Jasper Hamill.

The video manifesto of the operation is available on YouTube at the following URL:

http://www.youtube.com/watch?v=_kJtvFUMELM

Figure - Op No2ISIS Video YouTube

Many cyber experts do not consider the announcement made by Anonymous a credible threat. In some cases, they have interpreted the hacktivist group's declarations as mere media propaganda to gain notoriety:

"Public announcements by these groups are often used as a means to gain notoriety or media attention and can be of highly volatile credibility. These attacks are typically low scale consisting of DDoS activity against publicly accessible webservers, website defacement efforts, or data exploitation. Symantec does take these threats seriously and has detection in place," is the opinion expressed by researchers at Symantec.

The ISIS group is also very active in cyberspace, and though it hasn't yet demonstrated capabilities comparable to the Syrian Electronic Army, it conducts an effective propaganda campaign through the main social media platforms.

Analyzing the Twitter platform, it is possible to note that several accounts were created to post under the hashtag #No2ISIS to protest against ISIS activity in Iraq and to spread information on its cruel attacks.

Figure - NO2ISIS Tweet

But social media are used by both sides for misinformation campaigns. A pro-Islamic Twitter account, Hilf-ol-Fozoul, also accused ISIS of being supported by the US to destabilize the area and hit the Iranian and Iraqi governments.

In contrast, several Muslim hackers who support ISIS responded to the Anonymous declarations.

Figure - Another Tweet against ISIS

On the other side, a group calling itself the ISIS Electronic Army is declaring war on Western countries and on the Anonymous collective. One of the most active members of the ISIS Electronic Army, using the nickname Kjfido, tweeted the following message to Anonymous members.

Figure - ISIS Electronic Army

Kjfido is considered a cyber-jihadist and an official member of the ISIS Electronic Army (@electonic_ISIS), despite there being no evidence that this group of hackers actually exists.

Last week the Twitter account @theanonmessage was hijacked by ISIS members to spread atrocious images of violence. Anonymous was disconcerted by the attack on its profile.

"To be honest, we were taken off guard … We didn't expect a bunch of ragtags to do any damage. The ISIS hacking techniques were very similar to hacks done by the Syrian Electronic Army, so that's pretty interesting," the hacktivist told Forbes.

The intensification of hacking campaigns may have numerous effects that could destabilize the region; the principal concerns for intelligence analysts are listed below.

  • Other countries could be interested in destabilizing the region and could act in the name of Anonymous to hit government entities belonging to Anonymous's alleged targets.
  • Possible reprisals could shake cyberspace. If ISIS is linked to the Syrian Electronic Army, numerous attacks will target Western entities, with serious repercussions.

The opinions of the experts

I would like to close this short analysis with the opinions of the cyber experts at IntelCrawler, who supported me in this research. The questions I prepared and their answers follow:

Which scenario do you expect in the next couple of months?

One of the potential scenarios is an active continuation of cyber attacks and developing of cyber warfare within the region for intelligence purposes between conflicting parties.

Which is your opinion of ISIS cyber capabilities?

As you may see, most of the attacks use public malware (like njRAT). From the other side, all the detected incidents were done in a very targeted and selective way. Which means that the bad actors are pretty skilled.

Is ISIS linked to Syria Electronic Army and how?

No, but it is important to say that some Iraqi bad actors were identified as very close to its leaders. As you may see, after our report, the group has stopped the series of cyber attacks against famous US companies. Mostly, they are targeted at local Syrian groups and new government for today. Some of their members were involved in some hacking groups, organized with the support of Iraqi hackers as well. SEA has no relation to the report, but some of their actions against the new Syrian government were very similar to current findings, most of them were using spear phishing. The last successful attack was against Israeli Defence Forces' Twitter, which also seems to be politically motivated.

Do you think it possible that a foreign state could take advantage of the crisis to destabilize the area?

No, as identified signs of cyber attacks are related to internal local conflicting groups, not to foreign countries. It seems to be that the key parties are local groups within Iraq, such as the conflicting Erbil government and Baghdad, using malware for targeted intelligence on each other. It is very hard to confirm who is the author, as some of the malware is used from public sources (like njRAT), but it is very visible that it is used within Iraq, and not outside against foreign countries, which may explain the beginning of internal local cyberwar. We assume that one of the sides is state sponsored, just because of the fact that most of the targets are opposition or civil population. It may be very important for some political parties to control them, as well as to organize Internet surveillance using such offensive methods on the first stage on such infrastructure.

ISIS - A global menace

The ISIS group is considered a destabilizing factor in the balance of the Middle East region. Unfortunately, the group is acquiring popularity and attracting a growing number of followers, many of them from Western countries. Another worrying element is the economic capability of ISIS: many experts consider it one of the richest Jihadist groups in the world.

A few days ago, during the battle of Mosul, ISIS seized (according to the account of the governor's office and some local media) $429 million in an assault on the headquarters of the Central Bank. Its militants also stole a large number of gold bars. The stolen money represents a serious threat to the stability of the region. According to intelligence experts, the amount taken could provide the funds needed to recruit sixty thousand terrorists at the high wage of $600 a month. For this reason, many analysts consider ISIS the richest Jihadist organization in the world and evaluate it as a truly global threat, not inferior to al-Qaeda.

An army of martyrs can be recruited to carry out attacks in the world... no one is secure.

References

http://securityaffairs.co/wordpress/26215/hacking/opo2isis-anonymous-against-isis.html

http://securityaffairs.co/wordpress/26323/cyber-crime/implications-crisis-iraq-cyberspace.html

http://www.smh.com.au/comment/iraq-syria-iran-and-the-new-world-disorder-20140613-zs6o7.html

http://en.wikipedia.org/wiki/2014_Northern_Iraq_offensive

http://www.ibtimes.co.uk/mosul-seized-jihadis-loot-429m-citys-central-bank-make-isis-worlds-richest-terror-force-1452190

http://intelcrawler.com/news-20

http://www.symantec.com/connect/blogs/simple-njrat-fuels-nascent-middle-east-cybercrime-scene

http://www.theguardian.com/world/2014/jun/18/isis-iraq-syria-two-wars-one-nightmare

https://www.eff.org/files/2013/12/28/quantum_of_surveillance4d.pdf

http://www.forbes.com/sites/jasperhamill/2014/06/27/anonymous-hacktivists-prepare-for-strike-against-isis-supporters/


http://blog.sensecy.com/2014/07/02/anonymous-vs-isis-hacktivism-against-cyber-jihad/

Pierluigi Paganini

Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, a member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, and Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.

Pierluigi is a member of "The Hacker News" team and writes for some major publications in the field, such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine, and many other security magazines.