New details on attack that took out al-Qaeda’s communications hub
by Steve Ragan - Jun 30 2011, 04:30

Hackers have taken out the communications network for one of the world’s most notorious terror organizations. Evan Kohlmann, the terror expert who helped break the story with NBC News, gave us more details on how this was accomplished. So far, al-Qaeda will only admit to technical problems, which they say they are working to resolve shortly.
Evan Kohlmann has spent over a decade tracking al-Qaeda. He currently works with Flashpoint Partners and is a senior investigator for the Nine Eleven Finding Answers (NEFA) Foundation. It was his research that helped NBC reporter Pete Williams break the story that al-Qaeda had been hacked and its communications network crippled.
“Al-Qaida's online communications have been temporarily crippled, and it does not have a single trusted distribution channel available on the Internet," said Kohlmann.
Kohlmann called the attack well coordinated, noting that it involved an unusual cocktail of “relatively sophisticated techniques”, and said he thinks it will “…take them at least several days more to repair the damage and get their network up and functioning again.”
The lack of communications leaves the terror group without the means to spread propaganda. No one has claimed the attack, but Kohlmann speculated that it was a government-sponsored hit.
Exactly one year ago, Kohlmann told us, al-Qaeda suffered a similar communications outage. So what is it about this attack that makes it an unusual cocktail of “relatively sophisticated techniques”?
“Hacking attacks by amateur cybervigilantes typically involve one technique, be it DDOS or SQLI. This particular event began as a basic domain hijacking, which does tend to happen every so often. At this point, the forum was still available to registered users via its IP address,” Kohlmann explained in an email to The Tech Herald.
“Then, about 12 hours later, the server hosting the site itself was blanked out via unknown methods. These forums are fairly well-protected against run-of-the-mill SQLI attacks -- if you are representing Al-Qaida on the web, you somewhat have to expect that people from the peanut gallery will try and interrupt your efforts.”
However, he noted, the site wasn’t defaced or simply compromised, “it was apparently wiped clean.”
“And the fact that Al-Qaida admins just happened to suffer mysterious random critical errors afflicting both their domain names and their data servers within 12 hours of each other is a bit eyebrow raising. That kind of coordinated tandem assault on Al-Qaida forums hasn't happened since June 2010.”
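The two-stage sequence Kohlmann describes (the name is hijacked first, while the server still answers on its old address, and only later does the server itself go dark) is exactly what a site operator's own monitoring should be able to tell apart. The following is an added example, not code from the article, from Kohlmann, or from any party involved: it compares a pinned baseline snapshot of a domain (registrar, NS delegation, A records, and whether the origin still answers on its last known-good address) against a current snapshot and reduces the differences to a verdict. Every domain, registrar, nameserver and address in it is constructed for illustration; in practice the snapshot fields would be filled from WHOIS/RDAP, the domain's NS and A answers, and a TCP connect to the pinned address.

```python
"""Classify DNS drift for a watched domain against a pinned baseline.

Added example (not code from the article or from any party it describes).
All snapshot values below are constructed; a real deployment would fill
them from WHOIS/RDAP, the NS/A answers for the name, and a TCP connect to
the last known-good origin address.
"""
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class DomainSnapshot:
    domain: str
    registrar: str                # registrar name from WHOIS/RDAP
    nameservers: FrozenSet[str]   # NS delegation as seen at the parent zone
    addresses: FrozenSet[str]     # A records the name currently resolves to
    origin_reachable: bool        # TCP connect to the pinned origin address worked


def classify_drift(baseline: DomainSnapshot, current: DomainSnapshot) -> List[str]:
    """Return the individual drift indicators between two snapshots, in a fixed order."""
    if baseline.domain != current.domain:
        raise ValueError("snapshots are for different domains")
    indicators = []
    if current.registrar != baseline.registrar:
        indicators.append("registrar-changed")
    if current.nameservers != baseline.nameservers:
        indicators.append("delegation-changed")
    if current.addresses != baseline.addresses:
        indicators.append("addresses-changed")
    if not current.origin_reachable:
        indicators.append("origin-down")
    return indicators


def assess(baseline: DomainSnapshot, current: DomainSnapshot) -> str:
    """Reduce the indicators to one verdict an operator can act on.

    A changed registrar or delegation means control of the *name* moved,
    which is what a domain hijack looks like; a changed A record under the
    same delegation is more often an ordinary hosting move.  Whether the
    origin still answers on its pinned address is tracked separately,
    because a hijacked name says nothing about the state of the server.
    """
    ind = set(classify_drift(baseline, current))
    name_hijacked = {"registrar-changed", "delegation-changed"} & ind
    if name_hijacked and "origin-down" in ind:
        return "hijacked-and-origin-down"
    if name_hijacked:
        return "hijacked-origin-reachable"   # users can still reach it by IP
    if "addresses-changed" in ind:
        return "address-change-verify"
    if "origin-down" in ind:
        return "origin-down"
    return "ok"


# Constructed snapshots for a hypothetical forum domain (example.org is a
# reserved name; registrars, nameservers and addresses are made up).
BASELINE = DomainSnapshot(
    "forum.example.org", "RegistrarA",
    frozenset({"ns1.example-dns.net", "ns2.example-dns.net"}),
    frozenset({"192.0.2.10"}), True)

# Stage 1: the delegation is moved; the server itself is untouched, so
# anyone holding the old address still gets the forum.
AFTER_HIJACK = DomainSnapshot(
    "forum.example.org", "RegistrarB",
    frozenset({"ns1.parking-example.net"}),
    frozenset({"203.0.113.5"}), True)

# Stage 2: some hours later the pinned origin stops answering too.
AFTER_WIPE = DomainSnapshot(
    "forum.example.org", "RegistrarB",
    frozenset({"ns1.parking-example.net"}),
    frozenset({"203.0.113.5"}), False)

# A routine hosting move for comparison: same delegation, new address,
# old box still up during the migration.
HOSTING_MOVE = DomainSnapshot(
    "forum.example.org", "RegistrarA",
    frozenset({"ns1.example-dns.net", "ns2.example-dns.net"}),
    frozenset({"192.0.2.11"}), True)


if __name__ == "__main__":
    for label, snap in [("hijack", AFTER_HIJACK), ("wipe", AFTER_WIPE),
                        ("hosting move", HOSTING_MOVE)]:
        print(f"{label}: {assess(BASELINE, snap)} {classify_drift(BASELINE, snap)}")
```

The point of keeping `origin_reachable` as its own signal is the one the article makes: losing the name and losing the server are separate events, and a site that has only lost its name can keep serving users who know the address while the registrar dispute is worked out.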
We asked Kohlmann to speculate on whether any data was taken from the al-Qaeda website before it was wiped. That seems a fair assumption, as whoever wiped the site would want the data hosted on it too.
“I don't know if the party responsible was able to grab the underlying forum data files, but I certainly hope so. Those files contain records of IP addresses and private messages sent between users. Since the user database of this forum includes actual armed militants on frontlines from Somalia to Afghanistan, I imagine that information would be quite useful to the proper authorities. It would be like Al-Qaida meets WikiLeaks.”
Would al-Qaeda use an untrusted communications network? Did it do so when previously attacked? What types of information were being disseminated?
“The forum that was blanked was the only trusted channel used by Al-Qaida to disseminate their official communiqués, audio recordings, video recordings, and other material. However, many of the users on the forum are also registered users on other Al-Qaida-style social networking forums which simply have not received the official imprimatur of Al-Qaida,” Kohlmann explained.
So, the underlying users themselves can probably still communicate with each other via those other forums, he added.
“But, nonetheless, Al-Qaida the brand name just lost its broadcast channel. The last time this happened (exactly one year ago), Al-Qaida waited for over ten days until their then-officially sanctioned forum managed to get back online before releasing any new material. They are awfully fussy about these things and don't typically take chances with anyone they aren't 100% sure about. So far, all they've admitted (in messages posted on other forums) is that they've encountered ‘technical problems’ with the site and are working to bring it back online ‘shortly’.”
The original NBC story is here.