Al Qaeda rocked by apparent cyberattack. But who did it?
Al Qaeda's core jihadi websites have all been hit by an apparent cyberattack. For a group in flux, it's a big blow, but the nature of the attack raises questions about who's responsible.
"Monitoring these sites is a valuable, low cost way to get insights we wouldn't otherwise have," says James Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington. "The chat rooms and websites are good indicators to get pointers into things that might be coming up."
The question of why to attack now is intertwined with the question of who did it, experts say.
"Different nations' intelligence agencies want to do different things," Mr. Zelin says. "It's not like all intelligence agencies think the same way. Some might think Al Qaeda is really vulnerable right now, so if you cut the cord – cut their communications – you undercut the movement, hurt the cheerleaders, and the group's ability to recruit fighters."
The type of attack has not been firmly identified, but the evidence suggests a large distributed denial of service (DDoS) attack. DDoS is exceedingly basic stuff for many governments: a network of many computers sends a torrent of spurious requests to the website, the site's servers (or the network link in front of them) cannot handle the load, and legitimate visitors can no longer reach the site.
Other attacks have been more sophisticated. Britain's MI6, for example, infiltrated an Al Qaeda website and replaced the recipe for a pipe bomb with recipes for making cupcakes, according to reports. Dubbed "Operation Cupcake" by some, the sleight of hand involved substituting altered content into "Inspire," Al Qaeda's online magazine.
In this case, it appears a DDoS attack inundated the five servers hosting the websites, physically located in four nations: Malaysia, Denmark, Germany, and Panama, according to a preliminary analysis by John Bumgarner, chief technology officer at the US Cyber Consequences Unit, a nonprofit security think tank that advises government and industry.
He offers further evidence that the outages were the result of a DDoS attack: Other websites with IP addresses near the targeted jihadi sites were hit as well – apparent collateral damage of the same attack.
"It's consistent with a typical DDoS attack," says Mr. Bumgarner, a former military hacker. "There is usually some collateral damage to the digital neighbors of the primary website attacked."
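The collateral-damage reasoning described above can be turned into a simple consistency check. The following is an added example written for this page, not code from the article or from the US Cyber Consequences Unit; the hostnames, IP addresses (drawn from documentation ranges) and reachability results are constructed, and it assumes that hosts sharing a /24 with a target are "digital neighbors" on shared hosting infrastructure.

```python
"""Neighbor-outage check: does an outage pattern look like DDoS collateral damage?

Added example, not code from the article or from the US Cyber Consequences Unit.
All inputs are constructed: hostnames, IPs and probe results are made up.
Assumption: hosts sharing a /24 with a target are "digital neighbors" (same
hosting network); several of them dropping in the same window is consistent
with the upstream link being flooded rather than a fault on one host.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: (hostname, ip, is_target, reachable_during_window)
PROBES = [
    ("target-a.example", "203.0.113.10", True, False),
    ("shop.example",     "203.0.113.14", False, False),   # neighbor, down
    ("blog.example",     "203.0.113.77", False, False),   # neighbor, down
    ("mail.example",     "203.0.113.200", False, True),   # neighbor, up
    ("target-b.example", "198.51.100.5", True, False),
    ("forum.example",    "198.51.100.9", False, True),    # neighbor, up
    ("wiki.example",     "192.0.2.33", False, False),     # unrelated /24, down
]


def neighbor_outage_report(probes, prefix=24, min_neighbors_down=2):
    """Group probes by /prefix network. For each network that contains a
    target, count the non-target hosts that were also unreachable and flag
    the network when at least min_neighbors_down of them went down.
    Returns {network_str: summary_dict}."""
    by_net = defaultdict(list)
    for host, ip, is_target, up in probes:
        # strict=False lets us pass a host address and get its enclosing network
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        by_net[net].append((host, ip, is_target, up))

    report = {}
    for net, rows in by_net.items():
        targets = [r for r in rows if r[2]]
        if not targets:
            continue  # networks without a target tell us nothing here
        neighbors = [r for r in rows if not r[2]]
        neighbors_down = [r[0] for r in neighbors if not r[3]]
        report[str(net)] = {
            "targets": [r[0] for r in targets],
            "neighbors_probed": len(neighbors),
            "neighbors_down": neighbors_down,
            "consistent_with_ddos": len(neighbors_down) >= min_neighbors_down,
        }
    return report


if __name__ == "__main__":
    for net, summary in neighbor_outage_report(PROBES).items():
        print(net, summary)
```

Two caveats a practitioner would keep in mind: sharing a /24 does not guarantee shared infrastructure, so confirm with the hosting provider's allocation data where possible, and a provider-side fault or a deliberate null-route of the whole block produces the same pattern. The check therefore supports the DDoS hypothesis rather than proving it, and it should be run against the IPs the sites resolved to at the time of the outage, not addresses resolved afterwards.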
All five websites were reported to be hit by technical problems beginning around March 23, say researchers who monitor the sites. A couple of sites briefly popped back up only to be shut down again. Just one – Ansar al-Mujahidin – has resurfaced so far, coming back online April 1.
As to who could have done it, it's speculation at this point.
"A lot of governments don't like Al Qaeda and there are a number of new entrants into cyberweapons field that, if they wanted to test their capabilities, this would be a fun target to practice on," Mr. Lewis says. "Certainly we [the US] could do it, so we're a candidate. But we're not the top of the list."