Inside Cyber Warfare

Jeffrey Carr

Part 3


Team Evil.

Team Evil gained widespread notoriety for defacing thousands of websites in 2006 in protest of Israel's military activities in the Gaza Strip and Lebanon. The group defaced more than 8,000 websites between June and November 2006. In addition to Israeli and Western sites, this tally also included websites associated with the governments of China, Saudi Arabia, and Indonesia. In all, Team Evil defaced 171 significant websites, according to records on zone-h, a website that serves as an archive of hacker exploits. The team often left anti-Israel or anti-Semitic messages on their defacements, regardless of the country of origin of the website.

Israel's Ynetnews reported that Team Evil was responsible for the majority of damage to Israeli websites in the first half of 2006, including sites belonging to banks, hospitals, major companies, NGOs, and political parties. When Ynetnews contacted the group, its members told the paper that they were Moroccan hackers who "hack into sites as part of the resistance in the war with Israel."

The group has resurfaced to take part in the current campaign against Israeli websites, but it is not as active as it was in 2006. Its greatest recent accomplishment was to reroute traffic from Ynetnews, Discount Bank, and other Israeli websites to a page with an anti-Israel message.

The Israeli IT security company Beyond Security released an extensive case study of Team Evil's 2006 attacks. Its report concluded that Team Evil demonstrated a higher degree of technical skill than typically seen in similar groups. Given the skill and commitment it has previously demonstrated, it is unclear why Team Evil has not participated in the current campaign to a greater extent. It is possible the group is planning something for the future.

Cold Zero (aka Cold Z3ro or Roma Burner).

Cold Zero first gained notoriety for an attack on the Likud Party website in August 2008. He has since claimed responsibility for 5,000 website defacements, according to Gary Warner, an expert in computer forensics. He has a profile on the Arabic Mirror website, which lists 2,485 of these defacements. According to the Arabic Mirror site, 779 of these are related to the Gaza crisis.

Cold Zero is a member of Team Hell (discussed in the next section). Whereas most members of Team Hell are Saudi, Cold Zero is a Palestinian and is proficient in Hebrew. He runs a website at

Cold Zero is engaged in rivalries with other anti-Israeli hackers. He has hacked both and, leaving messages criticizing their administrators. His own website was also attacked by DNS Team, which we'll discuss later.

According to a French-language news source published on January 9, 2009, Cold Zero was arrested by Israeli authorities. The news source identified him as a 17-year-old Israeli Arab and reported that he appeared on January 6 before the Federal Court of Haifa, where the Israeli Justice Department alleged that he attacked commercial and political sites, mentioning the Likud Party website hack, as well as an attack on the website of the Tel Aviv Maccabis basketball team. According to the same source, he worked with accomplices in Turkey, Lebanon, Saudi Arabia, and elsewhere. He was caught in a "honey pot" set up by authorities. Authorities also uncovered his identity from a database stolen from Turkish hackers.

The information from this news report has not yet been corroborated by other sources. The last hack for Cold Zero listed on the Arabic Mirror website was recorded on January 2, 2009, after a period of high activity, suggesting an abrupt interruption to his hacking campaign. Zone-h records hundreds of websites hacked by Cold Zero in late December, followed by a lull for one month. On January 29, 2009, Cold Zero returned with a defacement of rival hackers DNS Team's website. Cold Zero has committed no Israeli or other website defacements after late December on zone-h, lending credibility to the report of his arrest.

Team Hell (aka Team H3ll or Team Heil).

The graffiti from many websites hacked by Cold Zero name him as a member of Team Hell. Team Hell self-identifies as a Saudi-based hackers group, usually consisting of Kaspersky, Jeddawi, Dr. Killer, BlackShell, RedHat, Ambt, and Cold Zero.

Team Hell's politically oriented hacks include more than just Israeli sites. In April 2007, Team Hell hacked Al-Nusra, a Palestinian-focused Jihadist website. They left a message indicating they associated al-Nusra with religious deviancy. On websites they have defaced, Cold Zero and Team Hell have expressed support for the secular, nationalist Fatah party. This would explain why Team Hell would hack Al-Nusra, a Salafist-Jihadist website, even though it is also anti-Israel. The group has also defaced the website of the Syrian parliament.

Agd_Scorp/Peace Crew (aka Agd_Scorp/Terrorist Crew).

Agd Scorp/Peace Crew are Turkish hackers who defaced NATO and US military websites in response to Operation Cast Lead. On three subdomains of the US Army Military District of Washington website and on the NATO parliament site, the group posted a message reading: "Stop attacks u israel and usa! you cursed nations! one day muslims will clean the world from you!" The group also used an SQL injection attack to deface the website of the Joint Force Headquarters of the National Capital Region.

Previously, the group has hacked websites belonging to a number of high-profile organizations, including the United Nations, Harvard University, Microsoft, Royal Dutch Shell, and the National Basketball Association. They also attacked US military websites earlier in 2008.

Jurm Team.

Jurm Team is a Moroccan group that has partnered with both Agd_Scorp and Team Evil. They have recently defaced the Israeli portals for major companies and products, including Kia, Sprite, Fanta, and Daihatsu. Their members call themselves Jurm, Sql_Master, CyberTerrorist, Dr. Noursoft, Dr. Win, J3ibi9a, Scriptpx //Fatna, and Bant Hmida.

C-H Team (aka H-C Team).

C-H Team consists of two hackers or hacker teams: Cmos_Clr and hard_hackerz. C-H Team targets Dutch and Israeli websites, leaving threatening messages in Hebrew on the latter. Both team members are Algerian. Besides defacing sites, Cmos_Clr claims to have used a variant of the Bifrost Trojan horse to break into Israeli computers, infiltrating 18 individual machines.

Hackers Pal.

Hackers Pal is the administrator of the Hackers Hawks website and has claimed 285 defacements of Israeli websites. He is a supporter of the secular Fatah party.

Gaza Hacker Team.

Gaza Hacker Team runs the website of the same name. It is responsible for defacing the Kadima party website on February 13, 2009. The team consists of six members: Lito, Le0n, Claw, Virus, Zero code, and Zero Killer.

DNS Team.

XX_Hacker_XX is a moderator on, and like Nimr al-Iraq, he provides advice and links to download tools, such as RAT programs. He is the moderator of the "hacking programs" section of the website. His profile describes him as an 18-year-old from Kuwait.

Methods of Attack.

Analysis of discussions on Arabic hacker forums and general pro-Jihad forums indicates that anti-Israeli hackers would like to carry out serious cyber attacks against Israeli targets. However, they do not have a demonstrated capability to carry out such attacks, and their actions have been limited to small- to mid-scale denial of service attacks and mass website defacement attacks. They may also have attempted to compromise individual computers via Trojans, particularly the Bifroze Trojan, a variant of which was developed by members of the 3asfh hacker forum. Additionally, they talk of the desire to use viruses against Israeli computers, although the kind of viruses under discussion are relatively old and many computers would already have been updated with protections against them.

Distributed denial of service (DDoS) capability.

Muslim hackers are using both indigenously developed and borrowed DDoS tools and making them available for download on hacker forums. One tool, named after Mohammed al-Durra, a Palestinian child allegedly shot and killed by Israeli soldiers in 2000, was first developed in 2006. An updated version has been provided by Nimr al-Iraq for use in the current conflict.

With the al-Durra program, a user voluntarily downloads the program and then checks to see which target websites are on Arabic hacker forums. He then plugs in the target and the program will repeatedly send requests to it. When a sufficient number of people utilize the al-Durra program against a site, they can overwhelm it and bring it down. Other DDoS tools developed by hackers outside this community, such as hack tek, are also being used.

Such tools do not require sophisticated technical skills or training. This makes them useful in a political dispute such as the Gaza crisis, when there is a very large global community willing to assist in cyber attacks against Israel but not necessarily skilled enough for more sophisticated attacks.
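From the defender's side, the traffic pattern described above (many volunteers, each repeating the same request against one target) is visible in ordinary web server access logs. The following detection sketch is an added example, not taken from the book; the log lines are constructed, and the thresholds (`per_client`, `min_clients`) and one-minute window are assumptions to tune per site.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: client, timestamp, request line, status, size
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def build_sample_log():
    """Constructed sample traffic (documentation IP ranges), not real data."""
    lines = []
    for c in range(5):            # five sources each repeating one request
        for s in range(30):
            lines.append(f'198.51.100.{c + 1} - - [01/Jan/2009:10:00:{s:02d} +0000] '
                         f'"GET /index.php HTTP/1.1" 200 512')
    for c in range(3):            # ordinary visitors browsing different pages
        for s, path in enumerate(["/", "/news", "/about"]):
            lines.append(f'203.0.113.{c + 1} - - [01/Jan/2009:10:00:{s * 10:02d} +0000] '
                         f'"GET {path} HTTP/1.1" 200 2048')
    return lines

def find_floods(lines, per_client=20, min_clients=3):
    """Return {(minute, path): [clients]} where at least min_clients distinct
    sources each sent the same request per_client or more times in a minute."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # skip malformed lines instead of failing
        ip, ts, _method, path, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        hits[(when.strftime("%Y-%m-%d %H:%M"), path, ip)] += 1
    repeaters = defaultdict(list)
    for (minute, path, ip), count in hits.items():
        if count >= per_client:
            repeaters[(minute, path)].append(ip)
    # A single noisy client is not the pattern; require several at once.
    return {k: sorted(v) for k, v in repeaters.items() if len(v) >= min_clients}

if __name__ == "__main__":
    for (minute, path), clients in find_floods(build_sample_log()).items():
        print(f"{minute} {path}: {len(clients)} repeating sources")
```

Requiring several simultaneous repeaters, rather than alerting on any one busy client, is what separates this coordinated pattern from a single crawler or monitoring probe.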

Website defacements.

The hackers download vulnerability scanners from hacker forums to find websites with exploitable vulnerabilities. On the Arabic hacker forums, they have discussed using a few different methods, including SQL injection, cross-site scripting (XSS), and other web server software vulnerabilities.

In most cases, they are reusing previously released exploit code to attack known vulnerabilities that the scanners identify. This is somewhat more difficult than the denial of service attacks, but it is still not considered sophisticated within the larger spectrum of hacking activities. The vulnerabilities being exploited by these hackers have already been identified, and patches and updates have been released to fix them. The only websites that are still susceptible are those whose administrators have been lax in updating their software and downloading patches. There is no evidence that this community is locating "zero day" vulnerabilities (that is, those that have not yet been discovered) at this time.

Viruses and Trojans.

Hacker forums reveal a desire to use viruses against Israeli targets, but there is no evidence of success thus far. A couple of hackers have boasted of successfully using Trojans and RATs to gain wide access to individual Israeli computers. This could give them the ability to capture passwords and other important data, facilitating financial crime and harassment. However, there is not yet much evidence that they have been successful with these tools.
