CHAPTER 4

When Who Tells the Best Story Wins: Cyber and Information Operations in the Middle East

OUTLINE
Hijacking Noncombatant Civilian IP Addresses to Help the War Effort: The Israel-Hezbollah “July War” of 2006
    The Information Operations of Hezbollah
    Hezbollah Hijacks IP Addresses
Civilians in the Cyber Melee: Operation Cast Lead
    IO and Cyber Warfare in the 2008 Israel-Hamas War
Summary
Suggested Further Reading

INFORMATION IN THIS CHAPTER
• IP address hijacking and CYOP
• Cyber operations during the 2006 Israel-Hezbollah war
• Cybercortical warfare
• The utility of cyber operations in information operations

4. CYBER AND INFORMATION OPERATIONS IN THE MIDDLE EAST
In Chapters 2 and 3, the incidents of cyber attack were somewhat one-sided in the virtual world. The Russians attacked Estonia and Georgia with little or no retaliation from the other combatant. However, two other wars that occurred in the same decade saw significant cyber attacks performed by both sides, specifically, the Israel-Hezbollah war in the summer of 2006 (“July War”) and the Israel-Hamas war of 2008-2009 (“Operation Cast Lead”). Conventional wisdom on the cyber capabilities of the combatants in these conflicts could lead us to believe that Israel likely is the more formidable cyber force. For instance, it has been long rumored that the Israeli Defense Force (IDF) “Unit 8200” was involved in cyber operations throughout the early 2000s.[1] Anti-Israeli groups were generally less regarded in this respect. The “cyber terrorist” group known as “Team Evil”[2]—predominantly consisting of Moroccan youths[3]—was noted for many hacks, particularly Web defacements, throughout the first decade of the 2000s. However, although numerous, these hacks generally lacked sophistication. The cyber activities of the “July War” and “Operation Cast Lead” moved somewhat beyond these more simplistic attacks. As Israel’s conflict with Hezbollah and Hamas is expected to continue for the foreseeable future, we can expect the cyber activities to continue to evolve, perhaps making the Levant one of the fastest developing areas of the world in the field.

HIJACKING NONCOMBATANT CIVILIAN IP ADDRESSES TO HELP THE WAR EFFORT: THE ISRAEL-HEZBOLLAH “JULY WAR” OF 2006

In February 2005, Lebanon was rocked by the assassination of former Prime Minister Rafiq al-Hariri. This event resulted in mass Lebanese protests (“Cedar Revolution”) against occupying power Syria as well as American and French insistence on the withdrawal of Syrian troops from the country. Syria ultimately obliged, leaving the Lebanese to form a new coalition government in April 2005.[4] Many in the West believed that this new government would lead to the demilitarization of Hezbollah. The Iranian-supported Shi’ite militant group operates freely in Lebanon and is listed as a “terrorist group” by the United States.

With its role doubted by many in Lebanon, and rumors of an impending Israeli strike on Lebanon, the leaders of Hezbollah decided to take preemptive action against Israel in July 2006. Members of the organization killed three and kidnapped two Israeli soldiers in cross-border raids. Hezbollah proceeded by initiating a series of short-range rocket attacks against the Jewish state. The resulting massive Israeli retaliation caused significant damage to the Lebanese infrastructure and claimed the lives of over one thousand civilians—while failing to dislodge the true culprit, Hezbollah. After about a month of fighting, the Lebanese government announced that it would send 15,000 troops to the South—a move that would potentially escalate the conflict further. However, at this point, both sides sought to end the conflict—which was done by U.N. Resolution 1701, which ordered a ceasefire and practically led to the end of the “2006 Lebanon War.”[5]

Though both Hezbollah (Figure 4.1) and Israel declared victory, the fact that Hezbollah was neither destroyed nor disarmed led many to view Israel as having lost the conflict.[6] After all, these were the original goals Israel had stated, while Hezbollah sought to merely survive.

The operations on the ground were accompanied by various cyber war techniques on both sides. Notably, the Israelis conducted a denial-of-service attack on the Web site of Hezbollah’s television station, “Al Manar.” Israeli civilians, especially the “World Union of Jewish Students,” created a piece of software called “megaphone” that alerted users to online polls, discussion forums, and blogs in order to encourage them to post information supportive of the Israeli cause.[7] On the other side, there have been reports of Hezbollah hackers gaining access to networks of Israeli Defense Force (IDF) units stationed on the Lebanese border.[8] If such activities occurred, it was likely for intelligence gathering, as there have been no reports in the open media of DDoS-style attacks against tactical IDF units during this conflict.

FIGURE 4.1 Hezbollah insignia (http://www.english.moqawama.org/).

The Information Operations of Hezbollah

Perhaps the most noteworthy instance of cyber warfare during this conflict was a tactic to support Hezbollah’s information operations (IO). It is feasible that one of the key enablers of Hezbollah’s “victory” was their ability to communicate their story faster and more effectively than the Israelis. For example, immediately after the successful missile attack on an Israeli naval vessel, Hezbollah’s Secretary General, Sayyed Hassan Nasrallah, was on Al-Manar satellite television station persuading viewers to take a look at the burning Israeli ship. His statements followed footage of the attack and the wreckage. At that point in time, the Israelis had not even confirmed the event.[9]

Hezbollah’s integrated approach to information warfare was central to their strategy (Figure 4.2). One of the main components was “cyber psychological operations” (CyberPSYOP or CYOP).[10] CYOP is defined as the use of cyber operations to directly attack and influence the attitudes and behaviors of soldiers and the general population. For instance, CYOP could include the use of “new media”—social networking sites such as Facebook—to spread the message of one of the combatants. Likewise, CYOP can also potentially take the form of a DDoS attack—denying the enemy the ability to spread their message. CYOP is a core component of a new type of strategy adopted by Hezbollah in the early 2000s known as cybercortical warfare.[a] In this strategy, a state or nonstate actor uses credible political and military power to command attention and project information power—offensively shaping the information environment in a conflict via the Internet.[11]

FIGURE 4.2 Hezbollah’s Secretary General, Sayyed Hassan Nasrallah. Under Nasrallah, Hezbollah embraced the Internet in the 1990s for propaganda purposes and later for cyber warfare activities in support of propaganda (http://www.english.moqawama.org/).

Hezbollah’s efforts to leverage cyber assets as a key part of their information campaign started as early as 1996 with the launch of “hizbollah.org.” Other related Web sites included one for Hezbollah’s Al-Manar satellite television station (www.almanar.com.lb) as well as a homepage for Hassan Nasrallah. At the time of writing, the Al-Manar Web site coexists with a Web site of the “Islamic Resistance in Lebanon” (www.moqawama.org). Perhaps most interesting about the early launch of “hizbollah.org” was the lack of a Lebanese and Arabic audience. In 1997, there were fewer than a quarter million Internet users in the Arab world (outside of Israel) and a mere 35,520 users in Lebanon.[12] This small presence, coupled with the fact that Hezbollah maintained their sites in both English and Arabic from the day of their launch, indicates that the militant organization viewed the Internet as a tool to shape their image in (mainly) western eyes.

Hezbollah’s targeting of worldwide and adversarial media had become a standard practice by the 2006 war with Israel. The organization quickly and accurately reported the tactical situation and created professional media products that were disseminated through a variety of means—their respective Web sites and YouTube. Further, these products were created in a variety of languages, including Hebrew—which again illustrates the strategy’s main goal of influencing the opponent’s perception.[13] These reports tended to focus on and emphasize the destruction of civilian infrastructure caused by the IDF. Hezbollah understood how to exploit what could be viewed as “collateral damage” for its own benefit. It should be noted that in the aftermath of the war the assessed damage was less than reported by the group.[14] Perhaps most infamous in the exaggerated reporting of this sort was the case of Reuters reporter Adnan Hajj, who doctored images of destruction. Hajj was ultimately dismissed by Reuters.[15]

[a] The term cybercortical warfare is derived from the idea of neocortical warfare that was introduced by Richard Szafranski in the November 1994 issue of Military Review. Szafranski defines neocortical warfare as a warfare that “strives to control or shape the behavior of enemy organisms, but without destroying the organisms.”

Hezbollah Hijacks IP Addresses

In response to Hezbollah’s CYOP, many of Israel’s allies in the West, such as the United States, banned Hezbollah Web sites such as Al-Manar.[16] There were also reports of the IDF launching unspecified cyber attacks against Al Manar and other Hezbollah sites.[17,18] Unable to rely on their own, legitimate IP address, Hezbollah “hijacked” addresses from corporations worldwide—including the United States, Canada, and India.[19] We will now examine a case study of this sort of hijacking (Figure 4.3).

On the Internet, information is transmitted from one location to another through a series of routers. A collection of routers and other network devices under control of a single organization on the Internet is referred to as an “autonomous system” (AS).[20] Each AS has a few routers that are facing the rest of the Internet known as “border gateway routers.” These special routers communicate to the rest of the Internet and help ensure that any traffic intended for a computer in a certain AS is directed the right way. For example, if you request to view the Web site of “Company X,” your request will be routed through the Internet until it reaches the border gateway router of that company. It is then internally routed through Company X until it reaches their Web server. The routers on the Internet are able to successfully transmit the request to Company X’s AS because their border gateway router sends its adjacent routers on the Internet a list of IP addresses that the firm uses. This information is communicated using the “Border Gateway Protocol” (BGP).[21]

FIGURE 4.3 The role of a border gateway router. [Diagram labels: computer requesting Web page; the rest of the Internet; adjacent (non-Company X) routers; border of Company X’s autonomous system; Company X’s border gateway router; Company X Web server.]

In the BGP protocol, there is an implicit trust relationship. The adjacent router receiving the list of IP addresses from the border gateway router assumes that the addresses are valid (which in normal goodwill transactions is the case). However, if the administrator of an autonomous system does not take the proper precautions, and/or misconfigures the border gateway router, then some of the IP addresses allocated to this network could be hijacked. In such a case, a third party advertises a subset of the target system’s addresses.[22] As Hilary Hylton of Time magazine points out, IP-address hijacking is analogous to adding an extension on a phone line from the victim company. If the target does not detect the hijack, the hijackers would have effectively taken control over that IP address to use for their own purposes. This is what Hezbollah did during the July war.

The organization that headed the effort to stop Hezbollah’s hijackings was the “Society for Internet Research”—a group that referred to themselves as “freelance counter-terrorists.”[23] This informal group of computer security experts monitored Hezbollah’s Internet traffic in order to identify the coopted address and alert the target company in order to shut down the Hezbollah IO operations. However, the Society for Internet Research noted that Hezbollah, once detected, was able to quickly hijack new IP addresses, which caused them to refer to their efforts as “whack-a-mole”—soon after one hijacked IP address was shut down, another one was corrupted.[24]

The Israel-Hezbollah war of July 2006 is significant from a cyber war perspective, because it illustrates the emerging interplay between cyber warfare and information operations. Because of their prior adoption of the strategy of cybercortical warfare, Hezbollah closely linked tactical operations with information operations (IO). The Israeli response of shutting down their opponent’s Web sites can be viewed as similar to the supposed Russian intent of their 2008 Georgia campaign. However, Hezbollah was able to successfully respond with cyber operations of their own, borne out of and extending their preexisting IO efforts. The repeated hijacking of noncombatant IP addresses allowed Hezbollah to maintain the communication of their strategic message.

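The hijack described in this section, in which a third party advertises a subset of the target’s addresses, succeeds because routers forward traffic to the most specific matching prefix. The following Python example is added here and is not from the book: it shows that preference and an origin check in the style of BGP prefix origin validation (RFC 6811) that lets a neighbor reject the bogus route instead of trusting it. The record format, the 10.20.0.0/16 block, and AS numbers 64496, 64500, and 64511 are constructed for illustration.

```python
"""Added example: origin validation against a sub-prefix hijack (constructed data)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Authorization:
    """What the address holder has registered (hypothetical record format)."""
    prefix: ipaddress.IPv4Network
    origin_as: int    # AS allowed to originate the prefix
    max_length: int   # most specific prefix length the holder announces


@dataclass(frozen=True)
class Announcement:
    """One prefix as heard from a BGP neighbor, with the AS that originated it."""
    prefix: ipaddress.IPv4Network
    origin_as: int


def validate(ann, authorizations):
    """Classify an announcement as 'valid', 'invalid' or 'not-found'."""
    covering = [a for a in authorizations if ann.prefix.subnet_of(a.prefix)]
    if not covering:
        return "not-found"          # nobody registered this space: no opinion
    for auth in covering:
        if auth.origin_as == ann.origin_as and ann.prefix.prefixlen <= auth.max_length:
            return "valid"
    return "invalid"                # registered space, wrong origin or too specific


def best_route(destination, announcements):
    """Longest-prefix match: the most specific covering announcement wins."""
    addr = ipaddress.ip_address(destination)
    candidates = [a for a in announcements if addr in a.prefix]
    return max(candidates, key=lambda a: a.prefix.prefixlen, default=None)


def drop_invalid(announcements, authorizations):
    """Import policy of a validating router: discard 'invalid' routes only."""
    return [a for a in announcements if validate(a, authorizations) != "invalid"]


# Constructed sample data: private address space and documentation AS numbers.
COMPANY_X_AS = 64496
THIRD_PARTY_AS = 64511
AUTHORIZATIONS = [
    Authorization(ipaddress.ip_network("10.20.0.0/16"), COMPANY_X_AS, 16),
]
ANNOUNCEMENTS = [
    Announcement(ipaddress.ip_network("10.20.0.0/16"), COMPANY_X_AS),     # legitimate
    Announcement(ipaddress.ip_network("10.20.30.0/24"), THIRD_PARTY_AS),  # subset, other AS
    Announcement(ipaddress.ip_network("172.16.5.0/24"), 64500),           # unregistered space
]

if __name__ == "__main__":
    for ann in ANNOUNCEMENTS:
        print(f"{str(ann.prefix):<16} AS{ann.origin_as}  {validate(ann, AUTHORIZATIONS)}")
    target = "10.20.30.7"
    trusting = best_route(target, ANNOUNCEMENTS)
    checking = best_route(target, drop_invalid(ANNOUNCEMENTS, AUTHORIZATIONS))
    print(f"{target} without validation -> AS{trusting.origin_as}")
    print(f"{target} with validation    -> AS{checking.origin_as}")
```

A router that trusts every announcement sends traffic for 10.20.30.7 to the third party’s /24; one that drops invalid routes falls back to Company X’s /16.
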
CIVILIANS IN THE CYBER MELEE: OPERATION CAST LEAD

Israel learned some difficult lessons from the 2006 war with Hezbollah. Despite the fact that UN Resolution 1701 was actually more favorable toward Israel, the IO campaign of Hezbollah was able to portray Israel as a paper tiger to the “Arab Street.” According to their IO, Hezbollah appeared to be David fending against the Goliath IDF. Hezbollah further painted a picture of the IDF as a force that, despite launching attacks that had serious impact on Lebanese infrastructure, was still unable to achieve the tactical goals of liberating Israeli prisoners and stopping Hezbollah’s short-range rocket attacks.

As a result, the Israelis entered a period of introspection. The Jewish state established the Winograd Commission to collect the lessons learned from their recent bout with Hezbollah. The commission found that tactically the IDF leadership had become entrenched in the mindset of Low Intensity Conflict (LIC) as exemplified by the al Aqsa Intifada in 2000. Consequently, combined operations that involved armor and tactical aviation became neglected in the years leading up to the 2006 war.[25]

The Winograd Commission also made recommendations to improve Israeli IO, and subsequently the National Information Directorate was created. This organization, tasked with “hasbara” or “explanation,” organized all media activities—from traditional means (i.e., broadcast) to emerging technologies on the Internet.[26] These efforts included outreach to Jewish and Israeli support groups worldwide through social media. This outreach differs from Hezbollah’s cybercortical warfare, which is oriented toward the opponent, as these Israeli efforts were directed at like-minded audiences to rally support.

IO and Cyber Warfare in the 2008 Israel-Hamas War

In late December 2008, Israel commenced a new operation—“Cast Lead”—with the goal of stopping missile strikes in southern Israel that originated from Gaza. The attack commenced with an air assault that took out 50 Hamas targets on the first day. Israel emplaced a carefully constructed information campaign that actually began simultaneously with the physical conflict. Two days after the initial airstrike, the IDF launched the YouTube channel called the “IDF Spokesperson’s Unit.” This channel, the brainchild of some IDF soldiers, included a variety of footage of the IDF—everything from video logs (“vlogs”) of IDF personnel to gun video of precision strikes and the footage of humanitarian assistance missions.[27]

Additionally, the “Jewish Internet Defense Force” played a key role in encouraging the Jewish Diaspora to become active in the “new media” of the Internet. For instance, their Web site included instructions for using various types of social media—including Facebook, YouTube, Wikipedia, and various blogging services. Further, they also directed efforts against the “new media” of the opposing force, as they also claimed to be responsible for shutting down several pro-Hamas YouTube channels.

Hamas and the inhabitants of Gaza responded to Israel’s IO campaign with their own content documenting the devastation of the Israeli attack. Leveraging mobile phones, Twitter, digital images, and blogs, the Gazans were able to tell their story to the world.[28] They responded to the attempts to shut down their YouTube channels with the creation of paltube.com—a site dedicated to Hamas videos. Not only did Hamas and its supporters fight Israeli IO with their own information campaign, they also conducted a series of hundreds of defacements of Israeli Web sites.

Though some Web site defacements were high profile enough to gain the attention of mass media,[29] the actual damage (likely economic) is presumed to have resulted from the sheer number of these actions carried out by pro-Hamas hackers. Typically, the pro-Hamas groups conducted some rudimentary vulnerability scanning of targeted Israeli Web sites, often with the Web server software. Upon obtaining access to parts of the server, the pro-Hamas hackers would deface the Web sites with anti-Israeli graffiti.[30] Perhaps the most notable hacking group for these Web site defacements was known as “Team Hell.” One member, known as “Cold Zero,” was responsible for over 2000 defacements of Israeli Web sites, nearly 800 of which were carried out during the 2008 war. He allegedly conducted defacements of high-profile sites such as Israel’s Likud Party and the Tel Aviv Maccabis basketball team.[31] Upon his arrest in early January 2009, “Cold Zero” was found to be a 17-year-old Palestinian male Israeli-Arab who worked with accomplices in other Islamic countries.

In addition to Web site defacements, Hamas supporters also leveraged DDoS attacks on a small to medium scale. Pro-Hamas hacker Nimu al-Iraq, who is thought to be a 22-year-old Iraqi, Mohammed Sattar al-Shamari, modified the DDoS hacking tool known as al-Durrah for use in the 2008 Gaza war. This software is similar to the DDoS software used by the Russian hacktivists in the Georgian conflict (as described in Chapter 3): both allowed novice users to easily participate in DDoS attacks during the conflict without giving up control of their own computer. An al-Durrah user would enter the addresses of targeted Israeli servers, which he/she would obtain from a pro-Hamas hacker forum, into al-Durrah’s interface, and the software would proceed to flood the targeted server with requests, eventually taking it offline.[32]

Israeli hacktivists also had DDoS tools of their own. A pro-Israeli group known as “Help Israel Win” created a tool called “Patriot,” which was designed to attack pro-Hamas Web sites during the conflict. This software has been referred to as a “voluntary botnet,” as the users of this software would be connected to a command-and-control server, which uses the URL “defenderhosting.com” and which would then direct the Patriot user’s computer in attacks. Unlike al-Durrah, the tools used by the Russian hacktivists (see Chapter 3), or the low-orbit ion cannon (LOIC) of Anonymous (Chapter 6), Patriot is not configurable by the user—allowing defenderhosting.com to completely control the cyber attack actions of its volunteered host.[33]

As the 24-day conflict passed its initial days, the tide of the IO war shifted from Israel, who initially was telling the more dominant story, to Hamas. The pictures of devastation in Gaza spread through the news media like a virus. What led to this shift? The likely explanation is the fact that several months prior to the outbreak of the conflict Israel started limiting media access to Gaza. In doing so, they hoped to limit the images of collateral damage to infrastructure and civilian casualties that would undoubtedly be reported by Hamas and the Gazans.
By limiting the output of such reports, the international community would be slower to call for a resolution to stop the hostilities—thereby giving Israel more time to accomplish its tactical objectives. In this regard, their plan worked—the IDF was generally successful in achieving its tactical goals (as opposed to the 2006 conflict with Hezbollah). However, the side effect was that all the reporting from within Gaza came from Hamas and the Gazans. As a result, the story told from within Gaza was one-sided. By not letting independent media into the area, the Israelis effectively denied the opportunity for a disinterested party to refute the claims of the Gazans.[34] Though there were some successful Israeli hacking operations, such as the IDF’s hack of the Hamas television station and attempts by Israeli supporters to hack pro-Palestinian Facebook accounts,[35] the Israeli efforts in cyberspace were insufficient to stop Hamas from delivering an effective message to the world. Further, the presence of Arab news media reporters from Al Jazeera, who had stayed in Gaza since before the IDF started to curb media access, ensured that the Gazans’ story was told to the entire (Arab) world.[36]

The Israel-Hamas war of 2008 illustrates the importance of social media in modern information operations during conflict and both sides’ attempts to integrate cyber operations to support them. However, unlike Hezbollah’s use of IP address hijacking, which directly contributed to the success of their IO in 2006, neither Israel nor Hamas was able to make highly effective use of cyber tactics to support their respective public relations in 2008. The Israelis, despite DDoS attacks against a pro-Hamas Web site and the shutting down of pro-Hamas YouTube channels, were ultimately unsuccessful in stopping the Gazans’ story from reaching the world. While the Hamas supporters may have successfully leveraged some IT knowledge, as in the case of setting up paltube.com, they did not seem to conduct successful, sophisticated cyber operations—as their cyber attacks appeared to be limited to Web site defacements and small-/medium-scale DDoS. Likely, this is due to a lack of technical expertise in their organization—something Hezbollah clearly had in 2006. This could potentially reflect a lack of prioritization on cyber within Hamas in 2008.

SUMMARY

The armed conflicts between Israel and Hezbollah in 2006 as well as Israel and Hamas in 2008 illustrate how combatants attempt to use cyber operations to support their information campaign. These conflicts clearly illustrate that the use of social media such as Facebook and Twitter, along with the ease of uploading digital images from mobile phones, adds a new dimension to an otherwise conventional conflict. As a result, cyber operations—to both enhance and diminish the adversary’s use of social media—become an attractive option to military commanders and civilians alike to support the war effort. Hezbollah showed how an organization can become resilient by cleverly hijacking IP addresses to convey their message. Israel, in 2008, sought to use cyber attacks to prevent Hamas from telling their story—at least long enough to complete tactical objectives. Hacktivism by all parties will likely increase in future conflicts as civilians—both in the conflict area and members of global communities backing one side or the other. For example, Chapter 6 describes how members of Anonymous enabled and supported the protestors in Tunisia, Egypt, and other countries experiencing the upheaval of the so-called Arab Spring.

SUGGESTED FURTHER READING

Cybercortical warfare, which is viewed as a central part of the Hezbollah strategy, is discussed by Maura Conway in an article entitled “Cybercortical Warfare,” which was presented in 2003 at the European Consortium for Political Research. This concept is closely related to the idea of “CYOP” introduced by Timothy Thomas in his paper “Hezbollah, Israel, and Cyber PSYOP” published in IO Sphere in 2007. Cyber operations of the Israel–Hezbollah war are discussed in the ACM WebSci’11 conference paper “Asymmetric Cyber-warfare between Israel and Hezbollah: The Web as a new strategic battlefield,” by Sabrine Saad et al. The information operations of the Israel-Hamas confrontation are discussed in detail in the Military Review paper “Learning to Leverage New Media: The Israeli Defense Forces in Recent Conflicts” by LTG William Caldwell and others. Cyber operations during that conflict, though limited, are explored, along with an analysis of pro-Hamas hacking groups, in a paper published in 2009 by the GreyLogic security firm entitled “Project Grey Goose Phase II Report: The evolving state of cyber warfare.”

References

1. Katz Y. IDF admits to using cyber space to attack enemies. The Jerusalem Post June 3, 2012; http://www.jpost.com/Defense/Article.aspx?id=272503&R=R9.
2. See “Case study: a cyber-terrorism attack, analysis, and response” by Damari K, Chayun A, and Evron G and “The return of SIMBAR: cyber terrorism methodology” by Damari K and Oboler A published by Beyond Security. http://www.beyondsecurity.com.
3. Mor G, Kinan E. Major Israeli websites hacked, YNet News June 2006; http://www.ynetnews.com/articles/0,7340,L-3268449,00.html [accessed January 2, 2013].
4. Nakhleh HT. The 2006 Israeli war on Lebanon: analysis and strategic implications, Master’s Thesis, U.S. Army War College; 2007.
5. Ibid.
6. Inbar E. How Israel bungled the second Lebanon war. The Middle East Quarterly 2007; vol. XIV, 57–65.
7. Saad S, Bazan S, Varin C. Asymmetric cyber-warfare between Israel and Hezbollah: the web as a new strategic battlefield. Proceedings of the ACM WebSci’11, Koblenz, Germany, June 14–17, 2011; 2011.
8. Ibid.
9. Rohozinski R. New media and information effects during the 33 day war, The SecDev Group; 2008.
10. Thomas TL. Hezballah, Israel, and cyber PSYOP. IO Sphere Winter 2007;30–35.
11. Conway M. Cybercortical warfare: the case of Hizbollah.org. European Consortium for Political Research, Edinburgh, UK, March 28–April 2, 2003; 2003.
12. Ibid.
13. Ibid., Rohozinski.
14. Ibid.
15. Ibid., Thomas.
16. Hylton H. How Hizballah hijacks the Internet. Time August 8, 2006.
17. Ibid., Saad.
18. Peri S. IDF hacks Nasrallah’s TV channel. yNetNews.com July 31, 2006; http://www.ynetnews.com/articles/0,7340,L-3283866,00.htm [accessed September 2, 2012].
19. Ibid., Hylton.
20. For a more precise definition, see Hawkinson J. Guidelines for creation, selection, and registration of an Autonomous System (AS), RFC 1930. http://tools.ietf.org/html/rfc1930; March 1996 [accessed January 2, 2013].
21. Rekhter Y, Li T. A border gateway protocol 4 (BGP-4), RFC 1771, http://www.ietf.org/rfc/rfc4271.txt; March 1995 [accessed January 2, 2013].
22. Ballani H, Francis P, Zhang X. A study of prefix hijacking and interception in the internet. SIGCOMM ’07, Kyoto, Japan, August 27–31, 2007; 2007.
23. Ibid., Hylton.
24. Ibid., Hylton.
25. Johnson DE. Military capabilities for hybrid war: insights from the Israel defense forces in Lebanon and Gaza. Santa Monica, CA: RAND Corporation; 2010.
26. Caldwell W, Murphy D, Menning A. Learning to leverage new media: the Israeli defense forces in recent conflicts. Military Rev., May-June 2009;2–10.
27. Ibid., Caldwell et al.
28. Ibid., Caldwell et al.
29. Ibid., Caldwell et al.
30. GreyLogic. Project grey goose phase II report: the evolving state of cyber warfare; May 20, 2009.
31. Ibid., GreyLogic.
32. Ibid., GreyLogic.
33. Ibid., GreyLogic.
34. Ibid., Caldwell et al.
35. Ibid., GreyLogic.
36. Ibid., Caldwell et al.