Tuesday, 18 December 2018

Operation Icarus - 2018: An Independent Research and Analysis

On 12 December 2018, while I was checking for security news on Twitter, I stumbled upon a post with the hashtag #OpIcarus. The post was made on 11 December by a Twitter user with the handle @LorianSynaro, calling on others to join the cause and, naturally, target financial organizations (FOs) worldwide.


A list of targets called "World Banking Cartel Master Target List" was shared in the form of a Ghostbin link. In this list, over 150 FOs were listed as targets.


The list, however, bears striking similarities to the lists posted on Pastebin in 2016:
https://pastebin.com/dVyqyJi5 (posted 22 March 2016)
https://pastebin.com/QcqqEdKw (posted 10 October 2016)

These lists were used in the first #OpIcarus campaign back in 2016. The only addition in the 'new' Ghostbin list is 11 FOs under the heading "The Biggest Banks of the Globe (from the Internet):". Everything from "Federal Reserve of America" downwards is recycled from the 2016 Pastebin lists.

As of 18 December 2018, since the posting of that Tweet and the target list, the following FO websites have been claimed as successfully "brought down" by the campaign's participants, using the hashtag #tangodown accompanied by screenshots from check-host.net as evidence. Note what such a screenshot actually proves: only that the site was unreachable from check-host.net's probe locations at that moment, not who caused it or for how long.

An example of a Tweet showcasing a successful attack with the #Tangodown hashtag

The Victims

By @LorianSynaro:
  • http://www.bkam.ma/
  • http://www.banxico.org.mx/
  • https://www.bankofalbania.org/
  • http://www.centralbankbahamas.com/
  • https://www.bancaditalia.it/
  • https://www.rba.gov.au/
  • http://www.cbiraq.org/
  • https://www.bcu.gub.uy
  • https://www.bis.org/

By @Pryzraky:
  • https://www.centralbankofindia.co.in/english/home.aspx

By @__sh1z3n:
  • http://www.centralbank.org.bb/

References:
https://twitter.com/__sh1z3n/status/1074909637395267589
https://twitter.com/Pryzraky/status/1073711856513093632
https://twitter.com/LorianSynaro/status/1074342005852004353
https://twitter.com/LorianSynaro/status/1073960930025893889
https://twitter.com/LorianSynaro/status/1073317278786162688
https://twitter.com/LorianSynaro/status/1072596945259114497

Initial Findings:

One of the first things I found was that, of the 11 FOs attacked, 4 were not on the target list:
  • https://www.centralbankofindia.co.in/english/home.aspx
  • http://www.centralbank.org.bb/
  • https://www.bis.org/
  • http://www.cbiraq.org/ 
Of the 11 FOs, 10 of the affected sites are not what I would deem critical websites: they are informational, help and client-reference sites for the banking organization rather than customer-facing sites where customers log in and perform digital monetary transactions. I also observed no complaints raised on social media about the inaccessibility of the affected websites.

DDoS or DoS?

One of the things I wanted to know was the participants' technical capability and the tools used to perform the attacks. To do this, I looked at past #OpIcarus campaigns and identified which tools were used then.

One of the handful of posts found sharing tools for #OpIcarus

Interestingly, most of the tools shared by past #OpIcarus participants are similar to the list of tools recommended above. Tools like TorsHammer, Xerxes and Slowloris are "web stressing tools" designed to test how a web server responds under load, and each can be run from a single machine. Slowloris and TorsHammer are "slow HTTP" tools: they open many connections and send the request headers (Slowloris) or the POST body (TorsHammer) a few bytes at a time, so every connection stays open and occupies a server worker. These tools are publicly available and are technically classified as denial of service (DoS) testing tools, NOT DDoS tools: one host exhausting a server's connection or worker capacity, rather than traffic distributed across many hosts. Of course, one man's testing tool is another man's attack tool.

TorsHammer, for example, is one of the most common tools used by participants to conduct DoS attacks. Even its description sounds promising.

A fave tool with 187 downloads this week!

In fact, TorsHammer has been 'recommended' for targeting unprotected web servers running Apache.

TorsHammer used against Apache or IIS 

The question now is: were TorsHammer and similar DoS tools used by the current #OpIcarus campaign's participants? To find out, I used several open source databases, such as IPV4info.com and Shodan, to identify the IP addresses of these websites and the web server software they run. One caveat with this method: a Shodan banner can be stale, and a site fronted by a CDN or WAF will present the edge's Server header rather than the origin server's, which is part of why some results come back undetermined.

Without naming the specific FOs:
  • 5 were running on Apache
  • 1 was running on nginx
  • 3 were running on IIS 7.5-8.5
  • 2 were undetermined
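The fingerprinting step above, reduced to code: parse the Server header out of a raw HTTP response, map it to one of the three families tallied here, and treat a missing, masked or CDN-edge banner as undetermined. This is an added example and not code from the original post; the five responses, the hostnames implied by them and the list of edge banners are constructed assumptions, not captures from any FO site.

```python
"""Fingerprint the web server family from a raw HTTP response.

Added example, not code from the original post. The responses below are
constructed; in practice the banner would come from a Shodan record,
IPV4info or a direct HEAD request to the host.
"""
import re
from collections import Counter
from typing import Iterable, Optional, Tuple

# Server-header prefixes for the families the post tallies (Apache, nginx, IIS).
_FAMILIES = [
    (re.compile(r"^Apache(?:/(\d[\d.]*))?", re.I), "Apache"),
    (re.compile(r"^nginx(?:/(\d[\d.]*))?", re.I), "nginx"),
    (re.compile(r"^Microsoft-IIS(?:/(\d[\d.]*))?", re.I), "IIS"),
]

# Front ends that answer with their own banner and hide the origin server
# (assumed list; extend it for whatever edge vendors you see in practice).
_EDGE_BANNERS = {"cloudflare", "akamaighost", "cloudfront", "varnish"}


def parse_headers(raw: str) -> dict:
    """Return the response headers (lower-cased names) from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def classify_server(raw: str) -> Tuple[str, Optional[str]]:
    """Return (family, version).

    'undetermined' covers a missing or masked Server header and the case where
    a CDN/WAF edge answered instead of the origin, which is exactly the
    situation a Shodan banner can mislead you about.
    """
    server = parse_headers(raw).get("server", "")
    if not server or server.lower() in _EDGE_BANNERS:
        return ("undetermined", None)
    for pattern, family in _FAMILIES:
        match = pattern.match(server)
        if match:
            return (family, match.group(1))
    return ("undetermined", None)


def tally(responses: Iterable[str]) -> Counter:
    """Count server families across many responses (the 5/1/3/2 style breakdown)."""
    return Counter(classify_server(r)[0] for r in responses)


# Constructed sample responses (not captured from any real FO site).
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\nDate: Wed, 12 Dec 2018 10:00:00 GMT\r\nServer: Apache/2.4.6 (CentOS)\r\nContent-Type: text/html\r\n\r\n<html>",
    "HTTP/1.1 200 OK\r\nServer: nginx/1.14.0\r\nContent-Type: text/html\r\n\r\n<html>",
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/8.5\r\nX-Powered-By: ASP.NET\r\n\r\n<html>",
    "HTTP/1.1 200 OK\r\nServer: cloudflare\r\nCF-RAY: 0123456789abcdef-SIN\r\n\r\n<html>",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
]

if __name__ == "__main__":
    for raw in SAMPLE_RESPONSES:
        print(classify_server(raw))
    print(tally(SAMPLE_RESPONSES))
```

The fourth and fifth samples are the ones that matter operationally: an edge banner or a stripped header tells you nothing about the origin, so such hosts belong in the "undetermined" bucket rather than being guessed at.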
Given that the majority of the affected servers were running Apache, it is possible that a single-host DoS tool was used to bring down these systems rather than a large number of distributed computers targeting these web servers. But I needed corroboration to confirm the theory, and the only way to get it was to chat with the participants themselves!


Not only did I get confirmation that one of the participants was using DoS tools like Hammer and Goldeneye, I was also given a link to all the other tools used by the group, mostly DoS/web stresser tools.

Tools used by Anonymous members

While tools like TorsHammer, Xerxes and Slowloris have been reported to work well against Apache and IIS web servers, Goldeneye has been reported to work against nginx as well.

nginx not able to withstand Goldeneye
At this point, I am fairly confident that most of the targeted websites that were successfully brought down were attacked with web stresser tools rather than a full-fledged DDoS attack. However, one of the participants, @Pryzraky, who claimed to have brought down the only affected FO website that customers rely on to perform digital transactions, seemed to use a different technique from the others.
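The DoS-versus-DDoS question above can be answered from the victim's own logs rather than from the attackers' claims. The following is an added example, not code from the original post or from any of the participants: it triages an Apache access log for the footprint of a slow-header (Slowloris) or slow-POST (TorsHammer) tool and decides whether the timeouts come from one host or from many. It assumes Apache with mod_reqtimeout enabled, which logs a connection it gives up waiting on as status 408 with an empty request line; the log lines, IP addresses and the two thresholds are constructed assumptions.

```python
"""Triage an Apache access log for a slow-HTTP DoS footprint.

Added example, not code from the original post. With mod_reqtimeout enabled,
Apache logs a connection it gave up waiting on as status 408 with an empty
request line ("-"); a burst of those is the usual trace a slow-header
(Slowloris) or slow-POST (TorsHammer) tool leaves. Counting how many distinct
source IPs produce them is what separates a single-host stresser from a
distributed attack. All log lines and IPs below are constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Combined log format: ip ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)


def parse_line(line: str) -> Optional[Tuple[str, str, int]]:
    """Return (ip, request_line, status) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group("ip"), m.group("req"), int(m.group("status")))


def triage(lines: List[str], per_ip_threshold: int = 20,
           distributed_sources: int = 10) -> Dict[str, object]:
    """Count 408s per source IP and classify the pattern.

    per_ip_threshold: 408s from one IP before it counts as an offender
    distributed_sources: offenders needed before calling it distributed
    (both thresholds are assumptions to tune per site, not from the post)
    """
    timeouts: Counter = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, req, status = parsed
        # A 408 with an empty request line means the request never completed.
        if status == 408 and req == "-":
            timeouts[ip] += 1
    offenders = {ip: n for ip, n in timeouts.items() if n >= per_ip_threshold}
    if not offenders:
        verdict = "no slow-HTTP pattern"
    elif len(offenders) < distributed_sources:
        verdict = "single-source DoS (stresser tool)"
    else:
        verdict = "distributed DoS"
    return {"verdict": verdict, "offenders": offenders,
            "timeouts_total": sum(timeouts.values())}


def make_sample(timeout_ips: List[str], per_ip: int) -> List[str]:
    """Build a constructed log: normal traffic plus `per_ip` 408s from each IP."""
    ts = "12/Dec/2018:10:01:03 +0000"
    lines = [
        f'198.51.100.5 - - [{ts}] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
        f'198.51.100.9 - - [{ts}] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
        f'198.51.100.9 - - [{ts}] "-" 408 - "-" "-"',  # one stray timeout is normal
    ]
    for ip in timeout_ips:
        lines += [f'{ip} - - [{ts}] "-" 408 - "-" "-"'] * per_ip
    return lines


# One host (for instance a single Tor exit used by TorsHammer) producing all the timeouts.
SINGLE_SOURCE_LOG = make_sample(["203.0.113.7"], 40)
# Twelve hosts each producing enough timeouts to count as an offender.
DISTRIBUTED_LOG = make_sample([f"203.0.113.{n}" for n in range(20, 32)], 25)

if __name__ == "__main__":
    print(triage(SINGLE_SOURCE_LOG))
    print(triage(DISTRIBUTED_LOG))
```

The verdict hinges on the offender count, not the 408 count: a stresser routed through Tor still shows up as a handful of exit addresses, whereas a botnet produces the same symptom from dozens or hundreds of sources. Pair the per-IP counts with a connection limit (for example mod_qos or a firewall rule) and the single-source case becomes a blocking decision rather than an outage.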

@Pryzraky not only has Twitter and Facebook profiles but also a YouTube channel. One of the videos posted was a live demonstration of him targeting the website of NASA. The method used? An IRC botnet! This is the only participant I have researched so far who actually uses a DDoS attack technique.

Taking down NASA using an IRC botnet

Conclusion:
The fact that some of the FOs targeted were not on the 'Target List' suggests the list exists to promote fear rather than to define the actual targets. At the same time, most of the affected FO websites are static sites conveying information about the FO rather than sites used for login or digital transactions, which points to the participants relying on low hanging fruit: stressing everything and posting only the attacks that succeeded.

Hence, some FOs may see malicious traffic or activity on their networks, but as long as an FO has put adequate protection technologies and processes in place (a WAF, firewall rules, patching) based on lessons from past hacktivist campaigns, I expect this campaign to have little to no substantial impact on the major or mature FOs. For the slow-HTTP tools seen here specifically, the relevant controls are request and connection timeouts (mod_reqtimeout on Apache, client_header_timeout and client_body_timeout on nginx) and per-IP connection limits, which a generic WAF rule set does not necessarily provide.

It is also important to note that the number of participants in this campaign is far smaller than in 2016, when it was in the hundreds. Most of the Twitter accounts, Facebook pages and groups dedicated to Operation Icarus have had little to no activity since mid 2017.