Al Qaeda rocked by apparent cyberattack. But who did it?

Al Qaeda's core jihadi websites have all been hit by an apparent cyberattack. For a group in flux, it's a big blow, but the nature of the attack raises questions about who's responsible. 

Five jihadi websites that make up the core online forums promoting Al Qaeda were knocked out 12 days ago and remain mostly offline in what appears to be a major cyberattack against the group.

The simplicity of the mode of attack and its timing are leading some experts to suggest that the US is "not at the top of the list" of potential perpetrators – it could have made such an attack years ago. Instead, experts say, another country might be testing out its cyberwar capabilities against an enemy with few friends.

What is more certain is that the outage could cause multiple problems for Al Qaeda, particularly at a time when it is still reeling from the death of Osama bin Laden. Not only do the outages hamper Al Qaeda's ability to get out its message, but the scramble to establish new jihadi websites could give intelligence agencies data to locate more terrorists.

The attack "has had a huge impact on Al Qaeda in the short term because they haven't had one official release since March 23," says Aaron Zelin, a Brandeis University researcher in its Western Jihadism Project, which monitors jihadi websites. "Al Qaeda affiliates in Pakistan, Yemen, Iraq, and North Africa haven't had any releases since then. I don't remember a time when it's been 11 days between releases."

There's long been intense debate over what, if anything, to do about jihadi websites. They inspire Al Qaeda acolytes by showing gruesome videos purporting to show Western forces brutalizing innocent Muslims, as well as by promulgating propaganda justifying terrorist acts.

But knocking out websites has been likened to the carnival game of "Whack-a-mole" – new websites pop up to replace the one that's shot down. This time, however, timing could be key. While jihadi sites will doubtless return, a short-term disruption could be more of a body blow given the recent death of Mr. bin Laden.

"In the long term it doesn't matter because someone will step into this void with their message," says William McCants, a jihadi research analyst at the Center for Naval Analyses, a research and development center serving the Navy. "But in the short term, it causes a lot of confusion with them. It's a good tactic if you wish to sow even more distrust than is already out there."

The outages will cause Al Qaeda's followers on the web a host of problems as they try to move their activities to other sites. First, they can't be sure the new sites are secure. Second, they fear enemies will produce false propaganda under the Al Qaeda logo at those sites, says Dr. McCants, founder of Jihadica, a leading research site on jihadism.

The outages could also help governments glean intelligence. As jihadis are funneled into one or two sites, they will be easier for government cyberspies to monitor. Simply shifting to a new website – opening an account and putting in a password – offers numerous opportunities for government intelligence agencies to monitor the flurry of online transactions.

"There may be a good tactical reason to do it – a lot of reasons," McCants says.

On the downside, the jihadi forums serve as a valuable window on the grass roots of global terrorism. Taking down the sites means closing that window, at least temporarily.

"Monitoring these sites is a valuable, low cost way to get insights we wouldn't otherwise have," says James Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington. "The chat rooms and websites are good indicators to get pointers into things that might be coming up."

The question of why to attack now is intertwined with the question of who did it, experts say.

"Different nations' intelligence agencies want to do different things," Mr. Zelin says. "It's not like all intelligence agencies think the same way. Some might think Al Qaeda is really vulnerable right now, so if you cut the cord – cut their communications – you undercut the movement, hurt the cheerleaders, and the group's ability to recruit fighters."

The type of attack has not been firmly identified, but evidence suggests a major distributed denial-of-service (DDoS) attack. DDoS attacks are exceedingly basic stuff for many governments. A DDoS attack involves having a network of many computers send a torrent of spurious requests for data to the website. The site's servers can't handle the load and the site is blocked.

Other attacks have been more sophisticated. Britain's MI-6, for example, infiltrated an Al Qaeda website and replaced the recipe for a pipe bomb with the recipe for making cupcakes, according to reports. Dubbed "Operation Cupcake" by some, the sleight of hand involved substituting computer code into "Inspire," Al Qaeda's online magazine. 

In this case, it appears a DDoS attack inundated the websites' five servers, physically located in four nations: Malaysia, Denmark, Germany, and Panama, according to a preliminary analysis by John Bumgarner, chief technology officer at the US Cyber Consequences Unit, a nonprofit security think tank that advises government and industry.

He offers further evidence that the outages were the result of a DDoS attack: Other websites with IP addresses near the targeted jihadi sites were hit as well – apparent collateral damage of the same attack.

"It's consistent with a typical DDoS attack," says Mr. Bumgarner, a former military hacker. "There is usually some collateral damage to the digital neighbors of the primary website attacked."

All five websites were reported to be hit by technical problems beginning around March 23, say researchers who monitor the sites. A couple of sites briefly popped back up only to be shut down again. Just one – Ansar al-Mujahidin – has resurfaced so far, coming back online April 1.

As to who could have done it, it's speculation at this point.

"A lot of governments don't like Al Qaeda and there are a number of new entrants into the cyberweapons field that, if they wanted to test their capabilities, this would be a fun target to practice on," Mr. Lewis says. "Certainly we [the US] could do it, so we're a candidate. But we're not the top of the list."
