National Infrastructure Protection Center
The Threat to the U.S. Information Infrastructure
and emerging international situations will increasingly lead to cyber
protests. The cyber protests that have occurred thus far have had little
impact on U.S. infrastructure. As computing technology becomes faster
and better, and hacking tools become more advanced and easier to use,
cyber protesting and hacktivism will become more significant to U.S.
national interests. Cyber protesters are becoming increasingly more
organized and their techniques more sophisticated but, most likely,
will continue to deface web sites and perform DoS attacks. There will
also be an increase in the number of apparently unrelated hacking groups
participating in the cyber protests. National boundaries will not always
be clearly delineated in attacks on opposing organizations. International
activity will also tend to spill over into the United States. Because
the United States is a multicultural, world-leading nation it will suffer
from attacks on culturally related sites and structures in the future.
Generally, the most
popularly targeted sites are those belonging to government, educational,
commercial, and cultural institutions. However, any site with an exploitable
vulnerability will be susceptible to a cyber attack. The infrastructure
has been targeted in other countries in cyber protests and it is expected
that it will eventually be targeted in the United States as well. Cyber
protesters certainly will target infrastructure more often and exploit
opportunities to disrupt or damage it.
Web sites that remain
open to known hacking tools will have a higher probability of suffering
defacement. Network administrators must remain educated and defenses
must evolve along with the threats and offensive capabilities. Although
the cyber protests seen today have already caused limited damage, the
potential for future attacks could bring about large economic losses
as well as potentially severe damage to the national infrastructure,
affecting global markets as well as public safety.
In the last decade,
with the explosion of the size of the Internet, protests and political
activism have entered a new realm.(1) Political activism on the Internet
has already generated a wide range of activity, from using e-mail and
web sites to organize, to web page defacements and denial-of-service
(DOS) attacks.(2) These politically motivated computer-based attacks
are usually described as hacktivism, a marriage of hacking and political
In addition to the
consistent activity of groups devoted to a specific long-term cause,
the Internet has also seen short-term periods of intense political activity,
which can be referred to as cyber protests. Cyber protests have become
a worldwide phenomenon available to anyone with access to computers.
Unrestrained by geographic boundaries, protesters have an enormous forum
in which to be heard.
have a wide range of goals or objectives. Some hackers want to expose
government corruption or fundamental violation of human rights; others
just want to hack and cause mischief for fun. It has only been since
1998 that cyber protests have skyrocketed in popularity and become commonplace
in today's computerized world.
The most common
type of cyber protest comes in the form of web page defacements. In
such scenarios, a web site is compromised through some security deficiency
and the hacker is able to alter it, many times placing propaganda, profanity,
or pornographic images on it. This can range from being a nuisance and
embarrassment for an organization to a major economic loss for an e-commerce
Protests and civil
disturbances are nothing new. People unhappy with their situations have
always found outlets to spread their message, be it a peaceful sit-in,
letter- writing campaign, picket march, or violent gang fight. Now,
with the advent of the Internet and the growing number of people online,
it has become easier to organize protests. That is not to say that every
web defacement is an organized event on the part of some political organization.
Many defacements are perpetrated by lone hackers that have no political
motivation other than to create chaos. Nation-states and their respective
citizens have also been involved in cyber protests. Several countries
have waged ongoing cyber battles against each other through web defacements
and DOS attacks. Mail bombing is a popular form of a DOS attack. Massive
amounts of e-mail or web traffic are directed against a specific site,
overloading it and causing it to crash. It should be noted, however,
that some parties involved in these cyber protests are not citizens
of the respective countries. They might hold similar views or they might
be involved just to participate in hacking different sites. Alliances
can be tenuous at best for some of these groups.
One high profile
incident occurred in May 1999 after the United States accidentally bombed
the Chinese embassy in Belgrade, Yugoslavia during the NATO air campaign.
U.S. web sites were defaced in the name of China and massive e-mail
campaigns were executed to gain sympathy and support for the Chinese
cause. Government web sites were primarily targeted. The U.S. Departments
of Energy and the Interior, and the National Park Service all suffered
web page defacements. In addition, the White House web site was taken
down for three days after it was continually mail bombed. This action
was relatively unorganized in fashion, short in length, and affected
a small number of U.S. sites.
also acted against Taiwan during the Taiwanese presidential elections
in August and September 1999. Cyber protesters and hacktivists compromised
165 Taiwanese web sites, mainly defacing them, over the two-month period.
Their ultimate goal, as it was stated, was to negatively affect and
bring down Taiwan's infrastructure. Among the targeted sites were electricity,
economic institutions, telecommunications, and air traffic control.
Although teams began to develop and organize near the end of the operations,
the damage was relatively light, similar to the attacks on U.S. sites
earlier in the year. Importantly, strategic targeting and some organization
of forces became accepted strategies for future protests and hacks.
These hackers are likely to become more organized and more successful
in future incidents.(3)
In late April and
early May 2001 pro-Chinese hacktivists and cyber protesters began a
cyber assault on U.S. web sites. This resulted from an incident in early
April where a Chinese fighter jet was lost at sea after colliding with
a U.S. naval reconnaissance airplane. It also coincided with the two-year
anniversary of the Chinese embassy bombing by the United States in Belgrade
and the traditionally celebrated May Day and Youth Day in China. Led
by the Honkers Union of China (HUC), pro-Chinese hackers defaced or
crashed over 100 seemingly random web sites, mainly .gov and .com, through
DOS attacks and similar exploits.(4) Although some of the tools used
were sophisticated, they were readily available to both sides on the
of U.S. sites included posting pictures of the dead Chinese pilot Wang
Wei and profane messages calling for the downfall of the United States.
Pro-United States hackers responded with similar defacements, messages,
and damage on 300 Chinese web sites. Of interest is that some pro-Chinese
hackers violated hacker etiquette by wiping some compromised servers.
(5) The rule of thumb is to deface or crash a web site but to leave
the information intact, otherwise it is considered bad form.(6)
Israeli and Palestinian
In October 2000,
Israeli and Palestinian hackers engaged in adversarial hacking when
the prolonged peace talks between the two groups broke down. During
this difficult time, hackers seized the opportunity to attack web sites
belonging to the opposition. Starting October 6, 2000, 40 Israeli web
sites and at least 15 Palestinian web sites suffered defacements at
the hands of opposing hackers.(7) This coincided, of course, with physical
violence in the region. It was also a problem for US based web sites.
U.S. web sites will often fall victim, regardless of their lack of proximity
or involvement in the events. For example, several U.S. sites were hacked
by pro-Palestinian hacktivists, including the take down of a lobbyist
group web site. The hackers then posted group membership information
and credit card numbers.(8) This activity did little to affect the United
States as a whole although it illustrates how a seemingly unrelated
event can potentially affect U.S. sites.
The level of sophistication
ranged from low-level activity using simple defacements to coordinated,
relatively sophisticated attacks such as potential root access penetrations.
Several hacking tools were developed specifically for this engagement.
Any type of attack was considered during this time, including the perpetration
of viruses, DOS attacks with e-mail bombing, and sustained, amplified
pinging attacks. Web sites containing these various hacking tools were
readily available for download to anyone who wanted to join the action.
hackers hit any type of Israeli sites that they were able to compromise,
many times defacing them with messages such as, "Free Palestine"
or "Free Kashmir."(9) FloodNet software was a major tool used
by the Israelis. The cyber protesters simply visited a site and FloodNet
would repeatedly send requests to the targeted server. This type of
virtual sit-in is a popular form of a DOS attack. Many of these attacks
were successful as servers were bombarded and went down repeatedly.
Targets included ethnic specific organizational web sites and those
of financial institutions to disrupt the infrastructure. E-commerce
sites crashed and there was an economic impact reflected in the Israeli
markets. It was, however, the root access attempts that were most dangerous
for the defenders. Hackers who can gain root access to sites give them
unlimited freedom to do whatever they wish. This is the highest level
of penetration possible although no successful root access penetrations
These events attracted
a wide variety of hackers eager to join the fight. Both sides were well-organized
and used reconnaissance and intelligence gathering techniques to maximize
their effectiveness. Even outside hacking groups, such as G-Force Pakistan,
joined forces with the Palestinians to lend a helping hand. This is
increasingly common. Some outside groups join an effort because they
have similar political or ethnic motivations, however, this is not always
the case. Some groups participate in hacks simply for the desire to
hack or the publicity, not out of a sense of loyalty.
Overall it can be
expected that Israeli and Palestinian hackers will be active whenever
a stumbling block appears in the road to possible peace between the
groups. On the other hand, increased hacking might also occur when the
Israelis and Palestinians are close to a peace agreement. System administrators
must remain vigilant and focused on providing effective network security.
Indian and Pakistani
is India and Pakistan engaging in a cyber protest caused by national
and ethnic differences. After a cease-fire in the Kashmir Valley hackers
took it upon themselves to continue the hostilities. In 2000, pro-Pakistani
hackers defaced more than 500 Indian web sites. Conversely, only one
known Pakistani site was hacked by the Indians. This illustrates a large
difference in technical, hacking abilities or the willingness to use
the skills to strike at an adversary. In this event the apparent level
of sophistication on both sides is relatively low. Web site defacements
are the leading form of this protest. The group G-Force Pakistan was
the most active group claiming involvement in the events.(10)
has been targeted twice in online protests. During the first week of
April 2001, pro-Korean hackers attacked Japanese organizations responsible
for the approval of a new history textbook. The textbook glossed over
atrocities committed by Japan during World War II and the occupation
of China and South Korea. The perceived reluctance of Japan to accept
responsibility for its actions triggered these events. The main participants
in this incident were Korean university students, who used e-mail bombs
in a DOS attack. The students crashed several web sites, including Japan's
Education Ministry, Liberal Democratic Party and the publishing company
responsible for the textbook.(11) These attacks were neither long lasting
nor were they largely organized.
In early August
2001, pro-Chinese hackers targeted Japanese web sites after Japan's
Prime Minister visited a controversial war memorial, the Yasukuni Shrine.
In a brief period of time, hackers defaced several web sites belonging
mainly to Japanese companies and research institutes.(12) This indicates
the continuing willingness of pro-Chinese hackers to use cyberspace
and hacking tools as a platform for protests and cyber civil disobedience,
as well as for displaying a strong sense of patriotic nationalism.
While the cyber
damage thus far has been minimal, the infrastructure will certainly
be a target of cyber protestors and hacktivists in the future, with
the potential goal being intentional destruction rather than public
embarrassment or purely political statements. Pro-active network defense
and security management are imperative to the prevention of more serious
damage to infrastructure assets. International cooperation and private-public
cooperation within the United States is necessary to ensure the ongoing
function of the critical infrastructure.
groups have never had the global platform that the Internet provides
today. Bulletin boards and group subscriber lists were the only computerized
links protestors had from the 1970s through the early 1990s. The introduction
of web browsers supporting graphics and multimedia content and the
expansive growth of the Internet, coupled with the growing number
of home computers, gave organizations a new outlet for distributing
information or disrupting events for a political cause. The fact that
many organizations have a web site has enabled them to spread their
beliefs to a wider audience. It has also enabled other groups to target
them for attack.
2. Freedom of
speech is a fundamental right protected by the Constitution of the
United States of America that should not be taken lightly. Individuals
and groups generally have the right to actively and legally support
those causes in which they believe. Many protesters and political
activist groups have used cyberspace to organize and advance their
memberships and activities. Using computers and the Internet has greatly
increased protesters' effectiveness in spreading their message and
achieving their goals. This paper deals with past incidents in which
cyber protests have led to the destruction of property and other illegal
activities, citing, specifically, foreign protests.
Hacker Wars," Jane's Information Group Limited 1999. Volume 000/2565,
21 October 1999 [online]; available from http://www.infowar.com/hacker/99/hack_102199a_j.shtml;
4. Rose Tang,
"China-U.S. Cyber War Escalates," 01 May 2001 [online];
available from http://www.cnn.com/2001/WORLD/asiapcf/east/04/27/china.hackers;
Hackers Concede Defeat in U.S. Hacker War, Call Cease-fire,"
Agence France Presse, 10 May 2001.
6. This highlights
the fact that although web defacements usually cause minimal damage,
they indicate a very serious breach in security. A web defacement
is, by definition, the manipulation of a web server's data by gaining
unauthorized access to that server. It must be determined if the hacker
installed a back door, introduced malicious code, or affected the
server in any other way. A seemingly low-level hack could result in
future problems if systems administrators do not take positive actions
to stop future intrusions and restore the server to its previous condition.
7. Larisa Paul,
"When Cyber Hacktivism Meets Cyberterrorism," Sans Institute,
19 February 2001 [online]; available from http://www.sans.org/infosecFAQ/hackers/terrorism.htm;
Take Conflict to Internet," Associated Press, 4 November 2000.
Take Conflict to Internet," Associated Press, 4 November 2000.
10. Kaajal Wallia,
"Indians, Pakistanis Play Patriotic Games on Net," The Times
of India, 06 January 2001.
11. Stuart McMillan,
"Cyber Attackers Remind Japan of its Infamous Past," The
National Business Review, 2001. 04 April 2001 [online]; available
from http://www.infowar.com/hacker/01/hack_040501a_j.shtml; Internet.
12. 12 "Chinese
Hackers Attack Japanese Web sites over Shrine Visit," Agence
France Presse, 14 August 2001.