The information security industry spends time and effort not only to stop hackers but also to understand and simulate them. Vulnerability assessments and penetration tests are specifically designed to understand what a criminal hacker could do. Security Affairs is one of the leading information security news sources on the internet and has decided to contribute to the collective effort in understanding the criminal hacker. This is the first of a series of “Hacker Interviews” that will hopefully help us get a better understanding of the motivations and techniques of hackers. Please feel free to send us an email if there is a particular hacker or attack technique you’d like us to investigate.
The mail starts with “Hello, My name is zurael sTz”.
@zurael_sTz is one of the many Twitter accounts that publish their latest hacks. We have been following this account for some time and have noticed it is very typical of the politically motivated hacker profile. His hacks mostly target Palestinian websites, with an occasional Libyan or Egyptian site.
Another trait of this account is its use of the same technique. We usually face three different kinds of hackers, categorized by skill level as “simple”, “smart” and “advanced”. The largest group is the “simple” attacker. This group is very crowded, as it is where the “script kiddies” are. They have limited technical knowledge and rarely target their attacks. The second group, which we call “smart”, is very close to this account. Members of this group are generally good at one specific attack and can target their attacks. @brutelogic would be a good example of a smart attacker who has mastered XSS (Cross Site Scripting) attacks, and Zurael almost exclusively uses SQL injection. This focus on a specific attack technique, while having its limitations, makes this group more dangerous for government agencies and companies worldwide. In the last group are the “advanced” attackers, where we see APT gangs.
Seeing an opportunity to better understand what motivates the “smart” attacker, we sent Zurael a series of questions.
What are the motivations?
I like my job, I keep the security of Israeli citizens against attacks #opIsrael
Success, it’s one of the motivations to continue saving the citizens of Israel Online
What was your greatest challenge?
I broke into the website of the Palestinian Wafa news agency
I broke into the Palestinian Health Office in
I started to find radio Jenin
Etc. The list is long, and now, the breaking and entering into the Syrian Ministry of Transport (details coming soon)
What was your largest hack?
It’s complicated. Mainly large companies, Bank of Palestine, but will not talk about it so as not to risk.
Are you an IT professional?
I was in a military role, now I work in a small company
How do you choose your targets?
Whoever harms the State of Israel will not be immune to my attack
What are the tools you use?
I usually do not use any software
How do you find your targets?
I’m a guy purpose (a) and finds error and penetrates sql injection manually
The answers above show that the hacker isn’t motivated by personal gain or money but rather politically. The targets are probably chosen based on their location (or domain) and on the presence of an exploitable SQL injection vulnerability.
There are two main lessons we can learn from the answers given by the hacker.
First, every website is under attack. One reaction I often hear from customers who aren’t government or financial institutions is “nobody would attack us anyway”. The fact that you are not a defense industry company doesn’t make you immune to attacks. Opportunistic hackers looking for a specific vulnerability wouldn’t hesitate to exploit it if they found it on your systems. Also, your domain name (.ps, .co.il, .pk, .ru, etc.) might be enough to attract hackers.
The second important lesson is that we should rethink our understanding of cyberwar. Images of the U.S. Cyber Command, the Israeli Unit 8200, the Chinese Specialized Military Network Warfare Forces or the Iranian Cyber Defense Command come to mind whenever we hear the word “cyberwar”. This misrepresentation usually leads to the false belief that our corporate networks are free from any potential politically motivated attacks. However, as seen from the above profile, any individual or civil group can choose to act based on what they believe is in the interest of their country, which would make us victims of a politically motivated attack without being part of any political conflict.
Written by: Alper Başaran
Alper Basaran provides business-process-focused and goal-oriented penetration testing services to his customers. Based in Turkey, he has expanded his operations to the Middle East.
Edited by Pierluigi Paganini
(Security Affairs – hackers, hacktivism)