Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Jihadi Sites Fall Down… Go Boom… Again.


3.22.12

Mohammed Merah kills 7 people and plans on killing more, but is cornered in his home. He is tracked by his IP address when he attempts to buy a scooter online. Merah holes up in his apartment for 30 hours before being killed in a gun battle. The French put out the word that they are going to crack down on Jihadi online content, or much more to the point, if they catch you looking they are going to arrest you.

The laws are still being haggled over.

3.23.12

On or about the 23rd of March, the sites that are usually monitored by certain people and organizations began to wink out of existence online. The sites started to have trouble, then just went offline. It was obvious at the time to me and some others that these were not just the run of the mill DDoS attacks; instead, the sites had either been RM’d offline by attackers or yanked offline by the increasingly twitchy admins.

The sites stay down and are supplanted by the likes of As-Ansar for traffic, but basically, the boards go quiet… Paranoia builds.

3.27.12

Muhrad Hussein Almalki is arrested in Valencia, Spain. He was the admin of the “Ansar Al-Mujahedeen network” and praised Merah for his killings online. His online name is أمين المكتبة (the librarian). It is suspected that the librarian is in charge of more than one of the sites that eventually go down.

4.3.12 to 4.5.12

On the 3rd of April, the domain for shamikh1 and its server is moved to a hosting service in the Caribbean. On the 5th of April the site comes up again. The admin sends out an email to all members:

Peace be upon you, and the mercy and blessings of God

Good news
The Global Jihad Network has returned

The Administration

All of the data from the site is back online, and it seems the backend had been cp’d elsewhere before the takedown occurred.

4.6.12

Some of the sites, like Shamikh, have returned; others have not. Out of the 5, it seems that at least a couple are still down and others seem to be under attack in other areas. Almadad is now under attack, it seems, and as of this look is down.

Questions:

At first I thought that perhaps players within the patriot hacker movement may have been involved, and perhaps they were after all, but it now seems to me that the timing of the events all points toward a concerted action by governments. The hacking of the sites was likely done via badly configured PHP and SQL installations on the boxes that the databases resided on. There must have been actionable intelligence on some actions that the AQ boys and girls were planning, or the powers that be decided it was time for an interruption. You see, at least one of the main sites is back, and it would seem they are back in business pretty quickly. Of course they have had this happen in the past and have moved servers and domains quickly enough.

Now, the questions though are the following:

  1. Was this takedown the work of governments?
  2. If it was a government and the databases are all back up as they were before… then this means that they are compromised. They seem unchanged.
  3. The admins were twitchy enough before with all of the attacks by the jokeys of the world and other <REDACTED> things that happened. So how are they going to react now?
  4. If this was the patriot hacker movement, then why no bragging?
  5. Did DGSE have anything to do with this? They seemed pretty motivated, given the chatter online after the Merah incident that they planned some actions soon in France.
  6. Last time there was a big takedown, there was a large roll up of players soon after… Should we expect some more now?

Overall, many have been asking these questions out there; even <REDACTED> news services have been asking me. I cannot say what has really transpired because it’s above my pay grade, but if you look at the evidence you have to come to some conclusions here.

Conclusions:

  • I lean toward a government sanctioned action, perhaps using those patriot hackers, but more likely it was a group of “SPOOK” hackers
  • The sites had been compromised for some time, and the word was finally given by whatever government service/agency/power to pull the plug
  • They knew the sites would return; it is possible that someone took over for the likes of the librarian, but… one has to wonder if maybe the shop has been set up as a honeypot
  • If it’s not a honeypot, then it shows the resiliency of the movements within the technical area: they can stand up a site fairly quickly and seem to have a DR program in place

Interesting times indeed. I would keep an eye on the news for a couple of things…

  1. Some very specific drone strikes
  2. Arrests
  3. VERY jumpy admins of other sites.

K.

Written by Krypt3ia

2012/04/06 at 18:16
