Al Qaeda rocked by apparent cyberattack. But who did it?
Five jihadi websites that make up the core online forums promoting Al Qaeda were knocked out 12 days ago and remain mostly offline in what appears to be a major cyberattack against the group.
The simplicity of the mode of attack and its timing is leading some experts to suggest that the US is "not at the top of the list" of potential perpetrators – it could have made such an attack years ago. Instead, experts say, another country might be testing out its cyberwar capabilities against an enemy with few friends.
What is more certain is that the outage could cause multiple problems for Al Qaeda, particularly at a time when it is still reeling from the death of Osama bin Laden. Not only do the outages hamper Al Qaeda's ability to get out its message, but the scramble to establish new jihadi websites could give intelligence agencies data to locate more terrorists.
The attack "has had a huge impact on Al Qaeda in the short term because they haven't had one official release since March 23," says Aaron Zelin, a Brandeis University researcher in its Western Jihadism Project, which monitors jihadi websites. "Al Qaeda affiliates in Pakistan, Yemen, Iraq, and North Africa haven't had any releases since then. I don't remember a time when it's been 11 days between releases."
There's long been intense debate over what, if anything, to do about jihadi websites. They inspire Al Qaeda acolytes by showing gruesome videos purporting to show Western forces brutalizing innocent Muslims, as well as by promulgating propaganda justifying terrorist acts.
But knocking out websites has been likened to the carnival game of "Whack-a-mole" – new websites pop up to replace the one that's shot down. This time, however, timing could be key. While jihadi sites will doubtless return, a short-term disruption could be more of a body blow given the recent death of Mr. bin Laden.
"In the long term it doesn't matter because someone will step into this void with their message," says William McCants, a jihadi research analyst at the Center for Naval Analyses, a research and development center serving the Navy. "But in the short term, it causes a lot of confusion with them. It's a good tactic if you wish to sow even more distrust than is already out there."
The outages will cause Al Qaeda's followers on the web a host of problems as they try to move their activities to other sites. First, they can't be sure the new sites are secure. Second, they fear enemies will produce false propaganda under the Al Qaeda logo at those sites, says Dr. McCants, founder of Jihadica, a leading research site on jihadism.
The outages could also help governments glean intelligence. As jihadis are funneled into one or two sites, they will be easier for government cyberspies to monitor. Simply shifting to a new website – opening an account and putting in a password – offers numerous opportunities for government intelligence agencies to monitor the flurry of online transactions.
"There may be a good tactical reason to do it – a lot of reasons," McCants says.
On the downside, the jihadi forums serve as a valuable window on the grass roots of global terrorism. Taking down the sites means closing that window, at least temporarily.
"Monitoring these sites is a valuable, low cost way to get insights we wouldn't otherwise have," says James Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington. "The chat rooms and websites are good indicators to get pointers to into things that might be coming up."
The question of why to attack now is intertwined with the question of who did it, experts say.
"Different nations intelligence agencies want to do different things," Mr. Zelin says. "It's not like all intelligence agencies think the same way. Some might think Al Qaeda is really vulnerable right now, so if you cut the cord – cut their communications – you undercut the movement, hurt the cheerleaders, and the group's ability to recruit fighters."
The type of attack has not been firmly identified, but evidence suggests a major distributed denial of service (DDoS). DDoS attacks are exceedingly basic stuff for many governments. A DDoS attack involves having a network of many computers send a torrent of spurious requests for data to the website. The site's servers can't handle the load and the site is blocked.
Other attacks have been more sophisticated. Britain's MI-6, for example, infiltrated an Al Qaeda website and replaced the recipe for a pipe bomb with the recipe for making cupcakes, according to reports. Dubbed "Operation Cupcake" by some, the sleight of hand involved substituting computer code into "Inspire," Al Qaeda's online magazine.
In this case, it appears a DDoS attack inundated the websites' of five servers physically located in four nations: Malaysia, Denmark, Germany, and Panama, according to a preliminary analysis by John Bumgarner, chief technology officer at the US Cyber Consequences Unit, a nonprofit security think tank that advises government and industry.
He offers further evidence that the outages were the result of a DDoS attack: Other websites with IP addresses near the targeted jihadi sites were hit as well – apparent collateral damage of the same attack.
"It's consistent with a typical DDoS attack," says Mr. Bumgarner, a former military hacker. "There is usually some collateral damage to the digital neighbors of the primary website attacked."
All five websites were reported to be hit by technical problems beginning around March 23, say researchers who monitor the sites. A couple of sites briefly popped back up only to be shut down again. Just one – Ansar al-Mujahidin – has resurfaced so far, coming back online April 1.
As to who could have done it, it's speculation at this point.
"A lot of governments don't like Al Qaeda and there are a number of new entrants into cyberweapons field that, if they wanted to test their capabilities, this would be a fun target to practice on," Mr. Lewis says. "Certainly we [the US] could do it, so we're a candidate. But we're not the top of the list."
