Cyberspace as a Combat Zone: The Phenomenon of Electronic Jihad

Cyberspace as a Combat Zone: The Phenomenon of Electronic Jihad
By: E. Alshech

Alongside military jihad, which has been gaining momentum and extracting an ever growing price from many countries around the globe, Islamists have been developing a new form of warfare, termed “electronic jihad,” which is waged on the Internet. This new form of jihad was launched in recent years and is still in its early stages of development. However, as this paper will show, Islamists are fully aware of its destructive potential, and persistently strive to realize this potential.

Electronic jihad is a phenomenon whereby mujahideen use the Internet to wage economic and ideological warfare against their enemies. Unlike other hackers, those engaged in electronic jihad are united by a common strategy and ideology which are still in a process of formation. This paper aims to present the phenomenon of electronic jihad and to characterize some of its more recent developments. It lays out the basic ideology and motivations of its perpetrators, describes, as far as possible, its various operational strategies, and assesses the short- and long-term dangers posed by this relatively new phenomenon. The paper focuses on electronic jihad waged by organized Islamist groups that mobilize large numbers of hackers around the world to attack servers and websites owned by those whom they regard as their enemies.

Organized Electronic Jihad

In the past few years Islamist websites have provided ample evidence that Islamist hackers do not operate as isolated individuals, but carry out coordinated attacks against websites belonging to those whom they regard as their enemies. [1] As evident from numerous postings on the Islamist websites, many of these coordinated attacks are organized by groups devoted to electronic jihad. Six prominent groups of this sort have emerged on the Internet over the past few years: [2] Hackboy, [3] Ansar Al-Jihad Lil-Jihad Al-Electroni, [4] Munazamat Fursan Al-Jihad Al-Electroni, [5] Majmu’at Al-Jihad Al-Electroni, [6] Majma’ Al-Haker Al-Muslim, and Inhiyar Al-Dolar. [7] All these groups, with the exception of Munazamat Fursan Al-Jihad and Inhiyar al-Dolar, have websites of their own through which they recruit volunteers to take part in electronic attacks, [8] maintain contacts with others who engage in electronic jihad, coordinate their attacks, and enable their members to chat with one another anonymously. The Majmu’at Al-Jihad Al-Electroni website, for example, includes the following sections: A document explaining the nature of electronic jihad, a section devoted to electronic jihad strategy, a technical section on software used for electronic attacks, a section describing previous attacks and their results, and various appeals to Muslims, mujahideen, and hackers worldwide.

A more recent indication of the increasingly organized nature of electronic jihad is an initiative launched January 3, 2007 on Islamist websites: mujahideen operating on the Internet (and in the media in general) were invited to sign a special pact called “Hilf Al-Muhajirin” (“Pact of the Immigrants”). [9] In it, they agree “to stand united under the banner of the Muhajirun Brigades in order to promote [cyber-warfare],” and “to pledge allegiance to the leader [of the Muhajirun Brigades].” They vow to “obey [the leader] in [all tasks], pleasant or unpleasant, not to contest [his] leadership, to exert every conceivable effort in [waging] media jihad… [and to persist] in attacking those websites which do harm to Islam and to the Muslims…” [10] This initiative clearly indicates that the Islamist hackers no longer regard themselves as loosely connected individual activists, but as dedicated soldiers who are bound by a pact and committed to a joint ideological mission.

The Ideology and Ethical Boundaries of Electronic Jihad

Missionstatements posted on the websites of electronic jihad groups reveal that just like the mujahideen on the military front, the mujahideen operating on the Internet are motivated by profound ideological conviction. They despise hackers who “engage in purposeless and meaningless sabotage” [11] or are motivated by desire for publicity or by any other worldly objective. They perceive themselves as jihad-fighters who assist Islam and promote tawhid(Monotheism) via the Internet. [12] More importantly, they view cyberspace as a virtual battlefield in which the mujahideen can effectively defeat the West.

That the mujahideen operating in cyberspace are motivated by ideology, in contrast to many hackers, is illustrated by the following example. Recently, a participant on an Islamist forum posted instructions for breaking into a UK-based commercial website and stealing the customers’ credit card information in order to inflict financial damage on the “unbelievers” (i.e. on the non-Muslims customers and retailers). His initiative sparked a fierce debate among the forum participants, the dominant opinion being that this initiative falls outside the boundaries of legitimate cyber-jihad. One forum participant wrote: “Oh brother, we do not steal… We attack racist, American and Shi’ite [websites] and all corrupt websites.” Another participant reminded the forum members that stealing from unbelievers is forbidden. [13]

Image from Muslim Hackerz website

The Objectives of Electronic Jihad

One objective of electronic jihad which is frequently evoked by the mujahideen is assisting Islam by attacking websites that slander Islam or launch attacks against Islamic websites, or by attacking websites that interfere with the goal of rendering Islam supreme (e.g. Christian websites). More recently, however, the mujahideen have begun to cite additional objectives: avenging the death of Muslim martyrs and the suffering of Muslims worldwide (including imprisoned jihad fighters); inflicting damage on Western economy; affecting the morale of the West; and even bringing about the total collapse of the West.

The following excerpts from Arabic messages posted by Islamist hackers exemplify each of these objectives.

Eliminating Websites That Harm Islam

“The administration wishes to inform you of the following so that you understand our operational methods and our jihad strategy. My brothers, our operational methods are not only to assault… and target any website that stands in the way of our victory… We are indeed victorious when we disable such [harmful] websites, but the matter is not so simple. We target… websites that wage intensive war [against us]… We target them because they are the foremost enemies of jihad in cyberspace; their existence threatens Islamic and religious websites throughout the Internet…” [14]

Avenging the Death of Martyrs and the Suffering of Muslims and Imprisoned Mujahideen Worldwide

“We shall say to the Crusaders and their followers: We take an oath to avenge the martyrs’ blood and the weeping of Muslim mothers and children. The Worshipers of the Cross and their followers have already been warned that their websites may be broken into and destroyed. We must not forget our leaders, our mujahideen, our people and our children who were martyred in Palestine, Iraq, Afghanistan, Chechnya and in other places. We shall take revenge upon you, O Zionists and Worshippers of the Cross. We shall never rest or forget what you did to us. [There are only two options] in electronic jihad for the sake of Allah: Victory or death.

We dedicate these [operations of] hacking [into enemy websites] to the martyr and jihad-fighter sheikh Abu Mus’ab Al-Zarqawi, to the jihad-fighter Sheikh Osama bin Laden, to the imprisoned fighter of electronic jihad Irhabi 007, to the fighter of electronic jihad Muhibb Al-Shaykhan and to all the mujahideen for the sake of Allah…” [15]

Inflicting Economic Damage on the West and Damaging its Morale

“Allah has commanded us in various Koranic verses to wage war against the unbelievers… Electronic jihad utilizes methods and means which inflict great material damage on the enemy and [which also] lower his morale and his spirits via the Internet. The methods of [hacking] have been revealed [to us] by expert [hackers] on the Internet and networks… many of whom engage in purposeless and meaningless sabotage. These lethal methods will be harnessed [for use] against our enemies, so as to inflict the greatest [possible] financial damage [upon them] – which can amount to millions – and [in order] to damage [their] morale, so that [they] will be afraid of the Muslims wherever they go and even when they are surfing the Web.” [16]

Bringing About the Total Collapse of the West

“I have examined most of the material [available] in hacking manuals but have not found articles which discuss… how to disable all the [electronic] networks around the world. I found various articles which discuss how to attack websites, e-mails, servers, etc., but I have not read anything about harming or blocking the networks around the world, even though this is one of the most important topics for a hacker and for anyone who engages in electronic jihad. Such [an attack] will cripple the West completely. I am not talking about attacking websites or [even] the Internet [as a whole], but [about attacking] all the [computer] networks around the world including military networks, and [networks] which control radars, missiles and communications around the world… If all these networks stop [functioning even] for a single day… it will bring about the total collapse of the West… while affecting our interests only slightly. The collapse of the West will bring about the breakdown of world economy and of the stock markets, which depend on [electronic] communication [for] their activities, [e.g.] transfers of assets and shares. [Such an attack] will cause the capitalist West to collapse.

Actual Attacks and Their Effects

Reports on Islamist websites indicate that most of the hacking operations carried out by mujahideen have been aimed at three types of websites:

a) Ideological websites which promote beliefs, doctrines and ideologies which the mujahideen perceive as incompatible with Sunni Islam, such as Christianity, Shi’ism and Zionism. [17]

b) Websites which the mujahideen perceive as defamatory or harmful to Islam. Many of these are private blogs, news blogs and non-Islamic forums (e.g., http://answering-islam.org.uk). [18]

c) Websites which promote behavior that is contrary to the mujahideen’s religious worldview (e.g., http://www.nscrush.org/news/journal, a website associated with a girls’ sports team).

As for websites associated with governments, defense systems, and Western economic interests – Islamist websites present little or no evidence that mujahideen have actually attacked them. There is, however, sufficient evidence to suggest that such sensitive targets continue to be of intense interest to the mujahideen. For example, an Islamist forum recently conducted a survey among its participants regarding the targets they would like to attack. Among the targets suggested were Western financial websites and websites associated with the FBI and CIA. [19] Moreover, in September 2006, an Islamic website posted a long list of IP addresses allegedly associated with key governmental defense institutions in the West, including “the Army Ballistics Research Laboratory,” “the Army Armament Research Development and Engineering Center,” “the Navy Computers and Telecommunications Station,” “the National Space Development Agency of Japan,” and others. [20] The title of the message indicates that the list is meant for use in electronic attacks.

Another message, posted on an Islamist website on December 5, 2006, stated that Islamist hackers had cancelled a planned attack, nicknamed “The Electronic Guantanamo Raid,” against American banks. The posting explained that the attack had been cancelled because the banks had been warned about the attack by American media and government agencies. It stated further that the panic in the media shows how important it is “to focus on attacking sensitive economic American websites [instead of] other [websites, like those that offend Islam]…” The writer added: “If [we] attack websites associated with the stock[market] and with banks, disabling them for a few days or even for a few hours, it will cause millions of dollars’ worth of damage… I [therefore] call upon all members [of this forum] to focus on these websites and to urge all Muslims who are able to participate in this [type of] Islamic Intifada to attack websites associated with the American stock[market] and banks…” [21]

Attack Strategies

Postings on Islamist websites reveal that the cyberspace mujahideen favor two main strategies. The first is to paralyze sites by “swarming”, i.e., flooding them with hits and thus creating a traffic overload. When traffic to the site exceeds the website’s or server’s capacity, the site is blocked to additional users, and in some cases it even crashes. The second strategy is called “ping attack”: special programs are used to flood a website with thousands of e-mails, sometimes containing viruses, thus clogging the website and infecting it. [22] The programs utilized by mujahideen in these attacks are either programs available to the hacker community at large (see image below) or programs created especially for Islamist hackers (see images below). [23]

Program used by the general hacker’s community

Programs created by Islamists

Reports posted by the mujahideen after attacks on websites indicate that these cyber-assaults affect the websites only temporarily, if at all. In many cases the mujahideen themselves admit that their attack was ineffective [24] and that the website returned to normal functioning only minutes or hours after the attack. [25] In light of this, the mujhahideen often resort to another method in an attempt to completely eliminate the targeted site. An Islamist hacker explained the method as follows: “We contact… the server [which hosts the target website] before and after the assault, and threaten [the server admin] until they shut down the target website. [In such cases], the ‘host’ [i.e., server] is usually forced to shut down the website. The battle continues until the enemy declares: ‘I surrender.'” [26]

Islamist websites present very little evidence of more sophisticated attacks utilizing actual hacking techniques (i.e., obtaining the admin password and using admin privileges to corrupt data or damage the server itself). However, two examples do indicate that the cyberspace mujahideen may possess the capability to carry out such attacks. [27] On October 17, 2006, an Islamist website posted a message [28] containing a link to what appeared to be live pictures of Anchorage International Airport taken by the airport’s security cameras. There was also a link to an admin control program allowing surfers to control the airport’s security cameras. If this was an authentic break-in, it indicates that Muslim hackers are capable of hacking even into highly secure servers.

Another example which illustrates the extent of the mujahideen‘s hacking skills is the story of 22-year-old Younis Tsouli from West London, better know as Irhabi 007, who was arrested in 2005 by Scotland Yard. In his short but rich hacking career, Irahbi 007 wrote a hacking manual for mujahideen, instructed Islamist hackers online, and broke into servers of American universities, using them to upload shared files containing jihad-related materials. [29]

Image taken from the Ansar Al-Jihad website

Coordination of Attacks

Islamist websites provide extensive evidence that Islamist cyber-attacks are not random initiatives by individual mujahideen, but are steadily becoming more coordinated. Firstly, announcements of imminent attacks, which appear almost daily, are posted on numerous sites simultaneously. Participants are instructed to look out for postings specifying the time of attack, the URL of the target (usually posted some 30 minutes before the attack itself) and the program to be used for carrying out the attack. Secondly, before the attacks, websites have lately begun to post messages addressed to specific individuals referred to as “attack coordinators,” each of whom is associated with a specific Islamist site. Finally, there is a significant increase in response to the calls for participation in electronic attacks. Recently, for example, a message announcing an attack on a Shi’ite website received 15,000 hits, and approximately 3,000 forum members responded to the message. [30] The attacks, then, seem to be well-organized and supervised by a network of specially appointed individuals on various sites, and they appear to generate high participation level among forum members.

The following three examples demonstrate the coordinated nature of the attacks.

Instructions for Attack Coordinators

On December 21, 2006, the Al-Muhajirun website posted the following message regarding a planned attack: “Our attack will take place this coming Friday… I remind you that the name of the program to be used will not be posted until half an hour to an hour before the attack… Attack coordinators, you worked hard last week… and I ask you to display the same zeal in this [upcoming] attack. I ask [each] individual who intends to serve as attack coordinator on [his] website to reply [to this posting with the message]: “I will be the attack coordinator for this network…” [The coordinator] will be responsible for the following: …urging forum participants [to take part in the attack], while [taking care] not to mention names of ‘Hilf Al-Muhajirin’ members and the names of those who take part in the attack… [The coordinators] must be online at least one full hour before the attack… in order to post links to the programs that will be used and to the [intended target] websites. [They are also] responsible for posting the code-name of the attack, along with the text shown below [which presents some general information about the attack]… ” [31]

Announcement of a Ping Attack Against a Website That Harms Islam

The following message was posted November 23, 2006 on the website Majmu’at Al-Jihad Al-Electroni: “…An attack is about to be carried out by all the Internet mujahideen, may Allah accept it as jihad for His sake… [The targets are] websites that do harm to Islam… The attacks will take place on Saturday, Monday, and Thursday, between 6:00 P.M. and 10:00 P.M., Mecca time, or between 5:00 P.M. and 9:00 P.M. Jerusalem time… The primary [computer] program to be used is Al-Jihad Al-Electroni 1.5… We have been able to create a better version of the [program]… and eliminate most of the problems that were encountered by members [in the past]. [The new version] is much lighter and is capable of producing a much more powerful attack…” [32]

A General Call to Participate in a Virus Attack

“This action is a rapid [response] to [a website] that has annoyed us. This is war… Who is with me and who is against me? Allah is with me… and the Crusader Jew and his followers… are against me. I have… uploaded three viruses and a file which can disable firewalls. I will inform you of the time of the attacks… Whoever wishes to participate in the raid should download the virus he wishes to use and [then] send it [to the target]… I ask that before you do anything on the Internet… my mujahid brother, [please] place your trust in Allah.” [33]

Site infected with virus by Islamist hackers

Electronic Jihad: A Nuisance or a Real Threat?

The evidence presented here shows that electronic jihad is a form of cyber-warfare with ideological underpinnings and defined goals, which manifests in well-coordinated cyber-attacks. Examination of the websites reveals that the Islamist hackers maintain constant communication among themselves, share software and expertise and conduct debates on strategy and legitimate targets. There is also evidence of increasingly efficient coordination of attacks. The mujahideen’s own statements show that they mean to position themselves as a formidable electronic attack force which is capable of inflicting severe damage – greater even than the damage caused by conventional terrorist attacks.

At the same time, however, the information presented here reveals a significant gap between the mujahideen’s aspirations and their actual capabilities. Despite their self-proclaimed intention to target key economic and government systems and websites in order to bring about a total economic collapse of the West, Islamist websites provide no evidence that such targets have indeed been attacked. In actuality, most of the attacks documented on Islamist websites were aimed at sites that are seen by the mujahideen as morally corrupt or offensive to Islam. In addition, most of the attacks were carried out using unsophisticated methods which are not very likely to pose a significant threat to Western economic interests or sensitive infrastructure. In this respect, electronic jihad can still be seen, at least present, as a nuisance rather than a serious threat.

Nevertheless, it is important not underestimate the potential danger posed by this phenomenon. First, as shown above, at least two examples indicate that the mujahideen are already capable of compromising servers, even highly secure ones. Given the increasing communication and the constant sharing of expertise among Islamist hackers, [34] the gap between their goals and their actual capabilities is bound to narrow down. In other words, the mujahideen’s persistent pursuit of expertise in the area of hacking, as reflected in numerous website postings, may eventually enable them to compromise Western websites of a highly sensitive nature.

Second, past experience has shown that even primitive attacks, which do not damage servers, can cause substantial financial damage. For example, after a midair collision between a Chinese fighter jet and an American spy plane on April 1, 2001, Chinese hackers spread a malicious “worm,” known as the “Code Red Worm,” which infected about a million U.S. servers in July 2001 and caused some $2.6 billion worth of damage to computer hardware, software, and networks. [35] On another occasion, a ping attack against the retail giants Yahoo, eBay, and Amazon in February 2000 was estimated to have caused Yahoo alone a loss of $500,000 due a decrease in hits during the attack. [36]

In conclusion, electronic jihad, in its current state of development, is capable of causing some moderate damage to Western economy, but there is no indication that it constitutes an immediate threat to more sensitive interests such as defense systems and other crucial infrastructure. Nevertheless, in light of the rapid evolvement of this phenomenon, especially during the recent months, the Western countries should monitor it closely in order to track the changes in its modes of operation and the steady increase in its sophistication.

*Dr. Alshech is the Director of the Jihad and Terrorism Studies Project.


[1] For early examples of coordinated attacks, see www.3asfh.net/vb/showthread.php?t=18162. See also the following IslamOnline.net article from 2002 about a coordinated attack carried out by mujahideen against a Hebrew newspaper www.islamonline.net/Arabic/science/200205/Article01.shtml. I am indebted to Y. Yehoshua for these references.

[2] Some electronic Jihad groups, such as http://groups.msn.com/falastinhorra , are no longer active.

[3] http://www.hacker-boy.150m.com/.

[4] http://www.al-ansar.150m.com/.

[5] The Islamist website Al-Firdaws announced the establishment of this group (http://www.alfirdaws.org/vb/showthread.php?t=9944 ) but, to our knowledge, it has not launched its own website.

[6] http://www.al-jinan.org. The group’s self-proclaimed title is “Jihad Electroni: The Group Which Specializes in Attacking Israeli Websites and [Websites] Harmful to Islam.”

[7] http://www.mslamh.jeeran.com/.

[8] Electronic jihad groups also use the general Islamist forums to recruit participants for their enterprises.

[9] The name “Hilf Al-Muhajirin” is presumably derived from the name of the forum which launched the initiative (www.mohajroon.com ) and/or from the historical “Hilf Al-Muhajirin” pact which, according to Muslim tradition, was undertaken by the people who migrated with the Prophet Muhammad from Mecca to Medina in 622 CE.

[10] http://208.64.27.42/~taliban/vb/showthread.php?t=40391. It is noteworthy that the wording of the pledge of allegiance to the leader bears a strong resemblance to the wording that appears in various versions of the historical pledge of allegiance between the early Muslims and the Prophet Muhammad.

[11] http://www.al-jinan.org/jihad.htm.

[12] http://alfirdaws.org/vb/showthread.php?t=9944.

[13] This participant cited expatriate Syrian Salafi sheikh Abu Basir Al-Tartusi, who holds that, unlike a Muslim who invades the abode of unbelievers, a Muslim who dwells there and is granted protection (aman) by unbelievers must not steal property from the non-Muslims dwelling in this abode.

See http://www.altartosi.com/book/book03/index.html.

[14] http://www.al-jinan.org.

[15] http://www.al-ansar.150m.com/8.htm.

[16] http://www.al-jinan.org/jihad.htm ; see also http://www.al-ekhlaas.net/forum/showthread.php?t=35424 .

[17] E.g., www.meca-me.org ; http://www.mecalove4all.com/main.php, http://www.islameyat.com/.

[18] See MEMRI Special Dispatch No. 1330, “Islamist Website Calls to Disable German Websites Offensive to Islam,” October 20, 2006, http://memri.org/bin/articles.cgi?Page=subjects&Area=iwmp&ID=SP133006.

See also the forum at http://www.al-boraq.com/showthread.php?t=13896, in which a participant calls upon electronic jihadists to disable a site that defames the Koran in his opinion.

[19] http://www.mohajroon.com/vb/showthread.php?t=38360.

[20] http://www.alnusra.net/vb/showthread.php?t=6946.

[21] http://alfirdaws.org/vb/showthread.php?t=21318 .

[22] For examples of the mujhideen‘s use of viruses, see http://www.mohajroon.com/vb/showthread.php?t=21629 ; http://www.abualbokhary.info/vb3/showthread.php?t=13173.

[23] For the programs most frequently used by the mujahideen, see http://www.al-ansar.150m.com/5.htm.

[24] http://www.mohajroon.com/vb/showthread.php?t=38447.

[25] http://www.al-ansar.150m.com/3.htm.

[26] http://www.al-jinan.org/strategy.htm.

[27] http://alfirdaws.org/vb/showthread.php?t=18266.

[28] See MEMRI Special Report No. 1326, “Islamist Websites Monitor No. 9 – Mujahideen Gather Information on Anchorage International Airport,” October 18, 2006,

http://memri.org/bin/articles.cgi?Page=subjects&Area=iwmp&ID=SP132606.

[29] For more information on Irhabi 007’s activities and arrest, see: http://www.washingtonpost.com/wp-dyn/content/article/2006/03/25/AR2006032500020.html. Note, however, that hacking a database for the sake of corrupting or stealing data requires greater technical expertise than hacking for the sake of uploading files or defacing a website’s front page.

[30] http://www.mohajroon.com/vb/showthread.php?t=42442.

[31] http://www.mohajroon.com/vb/showthread.php?t=38694.

[32] http://www.elshouraa.ws/vb/showthread.php?t=2635.

[33] http://www.abualbokhary.info/vb3/showthread.php?t=13173. For another example of the mujahideen‘s use of virus, see http://www.mohajroon.com/vb/showthread.php?t=21629.

[34] For examples of mujahideen sharing information and expertise on computer hacking, see

http://www.al-ekhlaas.net/forum/showthread.php?t=27154 ;

http://www.al-ekhlaas.net/forum/showthread.php?t=20305 ;

http://www.al-ekhlaas.net/forum/showthread.php?t=3468 ;

http://www.al-ekhlaas.net/forum/showthread.php?t=34679 ; http://www.abualbokhary.info/vb3/showthread.php?t=19813&highlight=%E6%D5%ED%C9.

[35] Gabriel Weimann, Terror on the Internet (Washington, 2006), pp. 156-157.

[36] http://www.cis.udel.edu/~sunshine/courses/F06/CIS664/class12.pdf ; http://archives.cnn.com/2000/TECH/computing/02/09/cyber.attacks.01/index.html.

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: