White Paper A Deep Dive Into Defacement
White Paper A Deep Dive Into Defacement
into Defacement:
How Geopolitical Events
Trigger Web Attacks
7
reserves the right to modify the contents of this document
at any time without prior notice.
of Website Defacers
related to the accuracy of a translation, please refer to
the original language official version of the document. Any
discrepancies or differences created in the translation are
not binding and have no legal effect for compliance or
enforcement purposes.
58
Conclusion
Our first two sections provide high-level insights into our dataset of defacements,
as well as some defining facts about the targets and tactics used by the defacers.
Our next section on Real World Impact breaks down seven top campaigns that
have affected Israel, France, India, Syria, Kosovo, and countries surrounding
the South China Sea. We delve into specific conflicts in those areas and the
defacements that happened in the aftermath.
The succeeding sections cover the hacking groups' affiliations and how their
collectives are organized—some collectives are formed across continents, and
some are a loose collection of local hackers. Recruitment tools and the methods
used to distribute hacking techniques are also discussed.
The final sections discuss other activities that defacers take part in, and
how the current activities may evolve. Recently, there have been incidents of
hackers who have gone from simple web defacement to activities supporting
cybercrime. There is a real possibility that defacers and defacement groups will
start to escalate their activities, move away from ideological motivations, and
turn into cybercrime.
Our Approach to the
Investigation
Our objectives include exploring motivations and influences behind website defacements, focusing
on how geopolitical events act as triggers for web defacement activities. To better understand these
dynamics globally, we gathered web defacement reports from third-party sources and processed them
with an automated system we designed specifically for this purpose.
1. Meta-information on the defacement, such as timestamp, website URL, the defacer's name,
vulnerability, and more.
2. The deface page planted by the defacer (or modified, if this is the case). The deface page comes in
the form of a source code (HTML/JS/CCS) and may contain small-sized external resources such as
images. Additional content is fetched dynamically at analysis-time.
Our system automatically analyzes each deface page via two components:
1. A static-code analyzer that extracts representative features (i.e., characteristics) from the page (like
title, length, and encoding) in an offline manner.
2. A dynamic-code analyzer that renders the page with a headless browser and extracts additional
features in an online fashion. This analyzer works better with dynamically generated pages (e.g., when
a link is generated via JavaScript) or pages with external content like embedded streams of songs.
The output of these components is a set of features that describe the page at high-level. These features
are used as input for the following component: the campaign detector.
The campaign detector looks for defacements that—we believe—are conducted by the same actor
or criminal group. This is often the case with campaigns wherein multiple actors unite and conduct
defacements that relate to each other, such as those with similar target choices or deface pages. In
fact, defacers enlisted on the same campaign are usually provided with a template for rendering similar
5 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
deface pages. These templates provide consistency in promoting the criminal group and spreading the
campaign's propaganda and motivations.
This component groups similar pages accordingly, and represents them in form of clusters of web
defacement campaigns. For this process, we make use of machine learning. We apply unsupervised
learning to a set of features that well represents a summary of the pages — these are received from the
static and dynamic analyzers mentioned before. The process automatically detects new campaigns and
labels them for inspection. The result of this processing is indexed in an elastic-search back end and
visualized via a web console. For each campaign, the console allows the analyst to inspect information
like the lifespan of the campaign, the composition of the deface pages, as well as that of their actors. The
console also allows analysis on how criminal groups are organized and if/when a certain actor belongs
to multiple groups or moves from one to another. We will discuss the details of our system in a follow-up
paper that will be released later in the year.
6 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Targets and Methods of
Website Defacers
As previously stated, our work is based on a large-scale analysis of 13 million website defacements that
we collected from the following data sources:
2M
1.5M
1M
500K
0
1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016
The total number of unique defacers is 104,135, and the total number of unique compromised domains is
9,929,484. Note that one domain can have multiple incidents recorded.
7 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Linux 9,074,567
Unknown 637,392
Apache 8,541,048
IIS/6.0 1,525,578
IIS/5.0 334,898
Unknown 244,402
8 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Based on the metadata voluntarily provided by the defacers (which we cannot validate), here is a visual
representation of the class of vulnerabilities leveraged by the attackers:
9 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
The Role of Social Media
We observed that defacers voluntarily leave contact information upon compromise, based on the features
(i.e., characteristics) automatically extracted during the analysis of the deface pages. It seems to be
common practice for attackers that push propaganda to advertise their beliefs and refer their “viewers” to
social networking sites or provide contact emails of the group.
Overall, we found that emails and Twitter are the primary forms of advertisement, with 25% (email) and
8% (Twitter) of pages displaying at least one of these. In fact, 6% of pages have multiple contact emails.
In contrast, the telephone seems to be an unloved form of contact—only 3% of our attack records have
telephone information. Not a surprising percentage since it may expose the defacer to attribution.
10 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Real-World Conflicts
Reflected in Cyberspace
Mass attacks, or attacks that typically use automated hacking tools to compromise as many websites
as possible indiscriminately, are common across the web. But in the course of our research, we noted
a more coordinated form of attack that we labeled “campaigns”. In a campaign, the attackers launch
specific attacks as a reaction to certain events, to push an agenda, make known their grievances, or
spread political messages.
Our system allowed us to identify the top seven campaigns connected to and motivated by real-world
conflicts. In the graph below, the horizontal (X) axis pertains to the number of attackers participating in
a particular campaign, while the vertical (Y) axis maps the number of hacktivism-related defacements
on record. The data shows that the #OpIsrael campaign garnered the most number of attackers, while
Free Kashmir has the most number of defacements. We will delve deeper into these campaigns in the
succeeding sections.
20K
#opisrael
#savesyria
10K
#antiserbs
#opindia
5K
#opfrance
number of attackers
Figure 5. Overview of the top seven defacement campaigns from collected data
11 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Conflicts Spark Anti-Israel Defacement Campaigns
So far, we've identified three major anti-Israel web defacement campaigns. The first (and the longest)
is #OpIsrael, which is composed of several campaigns supported by different groups. Then there is the
#OpSaveGaza campaign, which is a short, but highly effective defacement campaign in reaction to Israel's
Operation Protective Edge. Last is #OpBader / #ElectronicBader / #BaderOperation, a loosely organized
campaign with multiple groups participating that has gained traction since May 2016.
1,200
1,000
800
600
400
200
The struggle between Israel and Palestine is one of the longest modern-day conflicts, starting in 1948 and
continuing to this day7. Israel's continued occupation of the West Bank and military operations in Gaza
only serve as fuel to the anger of Palestinians and other groups sympathetic to Palestine.
12 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Target TLDs of #OpIsrael Defacements
These defacements are not random. As much as possible, the hacking groups target Israeli websites, as
co.il and org.il top-level domains (TLDs) rank second and sixth respectively in the distribution of defaced
websites carrying anti-Israel messages.
6K
3K
0
com co.il org co.uk net ru com.au com.br de info nl fr ca it pl gov.gh hu in org.il co.za
#OpIsrael
The very first #OpIsrael web defacement was made by "imLulzPirate" on August 26, 2012. The website
myisrael.us fell victim to the defacement, with the main page of the website altered to display a politically
charged message against Israel and Zionism. The defacement embeds a YouTube video uploaded by
Canadians for Justice and Peace in the Middle East, condemning the Gaza War in December 2007 –
January 2008.
13 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Figure 8. The first #OpIsrael defacement made by imLulzPirate
#OpIsrael did not gain any traction after the initial defacement made by imLulzPirate. It took several
months for members of the Anonymous collective to support the cause and organize a campaign against
Israeli websites.
The first organized large-scale defacement campaign happened on April 7, 2013, a date chosen because
it coincides with Holocaust Remembrance Day. This attack has been repeated every year since then, with
326 defacers executing 11,000 plus defacements on more than 5,400 domains.
#OpIsrael Sub-campaigns
#OpIsrael Engaged is a sub-campaign that started in 2015 and continued up to 2016. Similar to the main
#OpIsrael campaign, it peaked every April 7. The AnonGhost team, a tight-knit group that claims to have
members from Mauritania, Morocco, Malaysia, Indonesia, Tunisia, USA, and Ireland, mostly did the 2015
campaign. Anonymous Arabe, a loose group of hackers from Arabic-speaking countries in the Middle
East and North Africa, was responsible for the majority of the 2016 campaign.
14 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Figure 9. Defaced pages by AnonGhost Team and Anonymous Arabe showing identical wording for the
#OpIsrael Engaged campaign
It is worth noting that AnonGhost seems to have either branched out to other countries or has sub-
groups, with AnonGhost being the umbrella group. So far we've seen AnonGhostDz, which is the Algerian
sub-group, AnonGhost Indonesia, AnongGhost Gaza, AnonGhost Tunisia, AnonGhost Maldives, and
AnonGhost Vietnamese.
#OpIsrael Decided is another sub-campaign that started around the same time as #OpIsrael Engaged,
and uses a similar message. It is supported mostly by an AnonCoders team that is a loose association
of hackers from Albania, Tunisia, Morocco, Lebanon, Bangladesh, Indonesia, and France, among others.
15 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Figure 10. #OpIsrael Decided defacement pages shows similar wording to #OpIsrael Engaged
The only common identifiable string we can find related to this campaign is the use of these hashtags:
"Bader" is a reference to the Battle of Badr, a significant battle won by the Prophet Muhammad in the early
years of Islam8. These historical references strongly indicate that these hacking groups view themselves
as cyber-jihadists, viewing their actions as part of a digital jihad.
#OpSaveGaza
The #OpSaveGaza/#SaveGaza campaign is related to #OpIsrael since both target Israel and Israeli actions
in Palestinian territories, but #OpSaveGaza/#SaveGaza is mostly influenced by events in the Gaza region
specifically.
On July 2014, Israel launched Operation Protective Edge, which included airstrikes and a land invasion aimed
at destroying tunnels from Gaza to Israel9. Not surprisingly, the first instance of #OpSaveGaza/#SaveGaza
appeared in response to the land invasion. The defacements continued until October, and only when
hostilities in the Gaza strip subsided significantly did the 2014 campaign die down. #OpSaveGaza had
3,415 defacements within that short period, making it one of the most active web defacement campaigns.
16 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Figure 11. Sample defacement pages of the #OpSaveGaza campaign
#Save Gaza
#Save Gaza started in July of 2016 as a sub-campaign under #opBader, primarily driven by Anonymous
Ghost Gaza. Among the sub-campaigns discussed, it has been the most vocal and the most forceful.
While #OpIsrael Decided and #OpIsrael Engaged use relatively tame language, #Save Gaza incites
violence and puts direct pressure on Israelis, threatening to steal credit card information, bank credentials,
and other website credentials.
17 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Figure 12. Forceful language in the defacement campaign #Save Gaza
It is worth noting that Anonymous Ghost Gaza followed through on their threat to steal the personal
information of Israeli citizens. Members of Anonymous Ghost Gaza posted Israeli citizens' credit card
information and online account credentials on their Facebook page and Pastebin.
18 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Figure 13. Hacking groups publicly expose Israeli citizens’ information and financial details
19 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Groups behind the Campaigns
Hackers and hacking groups participating in #OpIsrael campaigns are mostly from Arabic-speaking
countries in the Middle East and North Africa, with other groups from Bangladesh, Malaysia, and Indonesia
also participating. Note that these are countries that do not recognize the validity of Israel as a state.
The common use of the name "fallaga" by hackers and hacking groups in North Africa is a reference to
"felaghas" or "fellagha", armed groups that were instrumental in driving out the French from Algeria in the
Algerian War that lasted from the 1950s to early 1960s.
20 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
350
175
15
15
15
15
15
15
15
5
6
15
15
15
15
15
15
15
16
01
01
01
01
01
01
01
01
01
01
01
01
01
01
01
01
01
01
01
01
01
20
20
20
20
20
20
20
20
20
20
20
20
20
20
20
/2
/2
/2
/2
/2
/2
/2
/2
/2
/2
/2
/2
/2
/2
/2
/2
/2
/2
/2
/2
/2
5/
5/
2/
9/
3/
0/
7/
4/
1/
8/
1/
8/
5/
5/
3/
11
18
25
15
22
15
22
12
24
31
28
12
19
/1
/8
/6
10
24
17
28
25
/2
/1
/2
/2
/1
/2
/2
1/
2/
2/
3/
3/
4/
7/
1/
11
11
12
1/
1/
1/
2/
2/
3/
3/
4/
5/
5/
6/
7/
7/
1/
1/
7/
8/
9/
10
11
11
11
12
12
12
Figure 15. Timeline of #OpFrance—activity peaked January to March 2015, right after the Charlie Hebdo
attacks
500
250
0
com fr org ru dk net nl com.br de info com.ua eu co.uk pl be ca gr com.ar gouv.fr in
This campaign focused on French websites, with defacers targeting sites of companies like the French
supermarket Carrefour, or sites with .fr TLDs. From our data, 36% of #OpFrance defacements have .fr
TLDs.
21 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Figure 17. Defacement pages for the #OpFrance campaign
Hacking groups from Muslim-majority countries such as Tunisia, Syria, Mauritania, Morocco, Bangladesh
and Indonesia began targeting French websites in an #OpFrance web defacement campaign that appear
to be in support of the attacks. Some of the defacements even paraphrased Saudi-Australian Islamic
preacher Junaid Thorne's statement on the matter, “If you want to enjoy 'freedom of speech' with no
limits, expect others to exercise 'freedom of action.'”
22 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Figure 18. Defaced page promoting Islamic preachers’ statement on Charlie Hebdo
Even though several groups were part of #OpFrance, the Middle East Cyber Army was particularly active
and did the majority of the defacements. This group includes members that belong to other hacking
groups such as Anonymous Arabe and some hackers from North Africa.
It is worth noting that one suspected member of the Middle East Cyber Army was arrested several months
after the January – March #OpFrance campaign. The Bulgarian police arrested a 21-year-old Syrian
student residing in Bulgaria, believed to be the leader of the group11. Based on the defacement pages of
Middle East Cyber Army, the hacker with the alias "The Greatest" was arrested. The group modified their
defacement pages to include #OPSaveTheGreatest after the arrest.
Figure 19. Defaced page modified to support “The Greatest”, who was supposedly arrested in Bulgaria
23 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Groups Behind the Campaigns
The visualization below shows the Middle East Cyber Army to be the most active group behind #OpFrance.
AnonGhost, which was active in the anti-Israel defacements, also widely participated, as well as hackers
from Mauritius (Mauritania Coder), and some from Bangladesh and Indonesia.
MrAhSan Mr.bz
HaXor
24 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Target TLD’s of #OpIndia
500
250
0
com in ac.in co.in org net org.in edu.in gov.in co info net.in biz lk ch com.ar hu Other biz.id by
The hackers targeted Indian websites, as evidenced by the TLD's .in, ac.in, co.in, org.in, edu.in and gov.
being in the top nine domains with websites defaced.
The campaign #OpIndia started on March 2015, executed by Bangladeshi hackers, after Indian politician
Shashi Tharoor tweeted that he preferred to face the Bangladesh cricket team (called The Tigers) in the
Cricket World Cup quarterfinals. Tharoor reportedly felt Bangladesh was a weaker team that would give
India an easier path to the finals.
25 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Figure 22. Defacement page for #OpIndia with an image of the Bangladesh cricket team featured
Free Kashmir
Led by Pakistani hacking groups ZCompany Hacking Crew (ZHC) and Muslim Liberation Army, Free
Kashmir is a long-standing campaign that started in 2011. The attacks began with the calling out of the
illegal occupation and human rights abuses the Indian Armed Forces committed against Kashmiris12.
Free Kashmir has the most number of defacements out of all the campaigns studied, despite having only
around half the number of attackers that #OpIsrael had.
26 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Pakistan is India's rival claimant to the disputed territory of Kashmir, and the defacement pages of both
ZHC and Muslim Liberation Army commonly quote India's Penal Code Act No. 45 of 1860, which does
not include the State of Jammu and Kashmir as part of India. However, the ruler of Jammu and Kashmir,
Maharaja Hari Singh, acceded both territories to India in 194713.
The messages of ZHC and the Muslim Liberation Army have a Pakistani slant and do not necessarily
reflect the sentiments of the Kashmiri people. However, they may gain traction with younger Kashmiris as
ZHC and Muslim Liberation Army also highlight the human rights abuses and disappearances of Kashmiri
activists and militants14, an issue that has not received international attention.
27 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
One such incident happened in 2015 when a Pakistani hacker named Faisal 1337 hacked into multiple
Indian websites. The government website of the state of Kerala was the most prominent website defaced.
Immediately, hacking groups from India launched #op_pak_cyber_space, defacing hundreds of Pakistani
websites in retaliation.
The defacement of Mumbai Airport Customs website by Pakistani defacer Alone Injector is another
example. After the incident, Indian hackers retaliated with a campaign defacing the websites for Islamabad,
Peshawar, Multan and Karachi airports in Pakistan.
28 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Figure 27. Mumbai Airport Customs defacement
Figure 28. The defacement page seen on Islamabad, Peshawar, Multan and Karachi airport websites
29 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Fallout of the Attacks between India and its Neighbors
Aside from ongoing campaigns by Indian, Pakistani and Bangladeshi hackers (against or in response to
each other's hacking), the real-world conflict between the three countries has significantly increased in
the past two years.
One event happened on January 2, 2016, when several terrorists attacked India's Pathankot Air Force
base, killing several Indian military men and one civilian. The attack was later claimed and attributed to
Jaish-e-Mohammed, a separatist group in Kashmir15. After the attack, Indian hacking groups retaliated by
targeting Pakistani websites.
Figure 29. Retaliatory defacements made by Team Indian Black Hats aka Indian Cyber Devils
On September 18, 2016, attackers from Jaish-e-Mohammed, the same terror group responsible for the
Pathankot Air Base attack a few months prior, launched another attack on an Indian army headquarters in
Uri that left 17 army members dead, as well as all four attackers16. A few days later, the Indian government
launched surgical strikes targeting locations in Kashmir.
These series of incidents sparked back and forth campaigns between Indian and Pakistani hacking
groups, with defacements containing politically charged messages, freedom slogans, or just plain hate
speech.
30 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Figure 30. Defacements generated by conflict with India
Another event that triggered a sizeable defacement campaign was the drafting of Nepal’s new constitution
in September 2015. Some in India believed that the constitution marginalized certain ethnic groups; an
issue that was highlighted when the Indian Express reported that India requested Nepal to make seven
amendments to its constitution17. The report triggered an outrage in Nepal, as the message was seen as
a foreign country meddling in the internal affairs of an independent sovereignty.
The outrage triggered the #BackOffIndia campaign during October 2015, supported by DQN hacker and
craXerbikash from Nepal, BloodSecurity from the Philippines, and several Pakistani hackers.
31 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Groups behind the Attacks
The most prominent anti-India defacements came from RiseOfTheTigers, a collective that was created just
for the #OpIndia campaign in March 2015. Several Bangladeshi hacking groups joined RiseOfTheTigers:
Bangladesh Grey Hat Hackers, Bangladesh Cyber Army, Team_CC, Bangladesh Script Kiddie Hackers,
Blacksmith Hackers Team, 3xp1re Cyber Army, Bangladesh Black Hat Hackers, and others.
Ghost_Root
Zain pk_Robot dulava!
Mr.Sh4hz3b-HaXoR Haxor
Mr. Bangladesh
32 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Target TLDs of #SaveSyria
1,500
750
0
ru com de it net org fr gr nl com.br co.uk kz by ch com.ua pl fi eu be info
Most of the #SaveSyria defacements targeted Russian websites because many suspected that Russia
was behind the April 2016 airstrikes. Russia is seen as supportive of Syrian president Bashar al-Assad,
and the country has reinforced Assad's regime through air superiority assets.
33 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
The Fallaga Team formed a loose collective called the Tunisian Cyber Resistance Al Fallaga Team, composed
of Tunisian hackers and actively supported by hackers from Anonymous Arabe, Algeria, and Indonesia.
They launched a defacement campaign with the hashtags #StopTheHolocaust, #AleppoIsBurning,
#SaveAleppo and #SaveSyria.
Albanian hacking groups KSG-CREW, kwgdeface and AlbanianHackers launched the #AntiSerbs
campaign a few months after the initial clashes. The campaign died down before the Brussels Agreement,
which involved the integration of Northern Kosovo into Kosovo and had Kosovo Serbs manning the police
and judiciary, was concluded.
400
200
0
11
11
11
12
12
12
2
4
01
01
01
01
01
01
01
01
01
01
01
01
20
20
20
20
20
20
/2
/2
/2
/2
/2
/2
/2
/2
/2
/2
/2
/2
1/
0/
1/
1/
0/
1/
31
29
31
19
31
31
31
31
30
31
28
31
/3
/3
/3
/3
/3
/3
1/
2/
3/
4/
5/
7/
1/
3/
6/
1/
2/
3/
10
11
12
10
11
12
The defacement pages showed support for Kosovo independence, and also mentioned contested towns
commonly involved in civil unrest. They listed Serbian-controlled territories bordering Kosovo with an
Albanian majority and declared their desire to separate from Serbia and join Kosovo.
34 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Figure 36. Web defacement pages supporting Kosovo
On May 10, 2013, people in Taiwan called for DDoS attacks against .gov.ph to force the Philippine
government into issuing an official apology. Many hackers responded, attacking more than 30 .gov.ph
sites21.
35 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Figure 37. Forum post mobilizing visitors to launch DDoS attack
On May 11, Filipino hacker "Pinoy Vendetta"22 sent a warning message to Taiwanese hackers by
defacing one Taiwan government site and several commercial sites. In response, AnonTaiwan launched
#OpPhilippines the next day.
36 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Figure 38. Web defacement page from "PinoyVendetta"
After the attack, AnonTaiwan posted leaked data from .gov.ph sites on Pastebin. One noteworthy victim
was dns.gov.ph, which is the .gov.ph domain registry website. More than 2,300 accounts, which were
possible admin accounts for .gov.ph domains, were leaked. These government sites faced a huge risk.
Potentially, attackers could change the name servers of domain names, government domain names would
have resolved to invalid IP addresses, and important sites would have been inaccessible to the public.
37 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Figure 39. Information leaked on Pastebin
On May 25, 2013, Filipino hackers attacked 31 .tw sites in a campaign titled #OpTaiwan as a response to
#OpPhilippines. The defaced pages displayed the messages, "Stop attacking our cyberspace" and "Let
our government handle this problem."
38 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Figure 40. Web defacement pages for #OpTaiwan
Over the last few years, the tension between China and Vietnam, and China and Philippines has increased.
China has taken aggressive action, from coast guard patrols to building facilities and installations in
various contested areas. This has sparked defacement activities by several groups from Philippines,
Vietnam, and China against their rival countries' websites.
Attacker Team
越南国宰相 1937cn
oaddah 1937cn
BloodSecurity BloodSecurity
AlfabetoVirtual 1937cn
Figure 41. Top defacers participating in South China Sea defacements, and the groups they belong to
39 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Early Attacks in 2011
Chinese marine surveillance vessels cut the cables of Vietnamese oil survey vessels in the South China
Sea23. This incident triggered defacement attacks that started on June 3, 2011. A Vietnamese defacer
'Mr.N - Cubi11' attacked Chinese government websites. The page displayed Vietnamese patriotic slogans
like "Vietnamese People is Willing to Sacrifice to Protect the Sea, Sky, and Nation." More Vietnamese
defacers joined this campaign after24.
From June 4, 2011, Chinese defacers started to retaliate by attacking .vn websites. Hongke Union (HUC),
a well-known Chinese hacktivist group, mobilized its members and launched a series of attacks. Over 30
.gov.vn sites were defaced.
40 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Figure 43. Chinese defacers retaliate
After completing the attacks, the HUC sent out a summary reporting that their attacks were from June 4
to June 5, two function groups were created (one for DDoS, one for defacement), and several QQ chat
groups and YY chat channels were created to coordinate attacks25.
Some non-HUC hackers also joined the attack, compromising over 1,000 sites. Most of the victims
suffered DDoS attacks and defacement. One popular Vietnamese search engine site was inaccessible for
five hours. During the attacks, HUC found Vietnamese defacers attacking .cn sites.
Chinese hacker group Silic also joined the retaliation. In their deface pages, Silic claimed that "(Vietnamese
defacers) first stir up trouble, we just attack back." This group attacked 98 .vn websites on June 8. Most
victims were .gov.vn sites26.
41 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Figure 44. Silic Group defacement page
OpChinaDown, 2012
On April 10, 2012, a standoff between the Philippine Navy and Chinese maritime surveillance ships over
the disputed Scarborough Shoal (Huangyan in Chinese) in the South China Sea caused tension between
the two countries. In response, Chinese defacers compromised the website of the University of the
Philippines on April 20, 2012, leaving a message that claimed, “We come from China! Huangyan Island
is Ours”.
42 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Figure 45. Defaced page of University of the Philippines
The defacer group "Anonymous #OccupyPhilippines" responded on the same day, compromising several
.cn sites. The statement "Scarborough Shoal is ours!" was prominent on the deface page27.
Three days later, on April 23, the government of the Philippines claimed that two of its sites suffered DDoS
attacks coming from Chinese IP addresses—an apparent retaliatory attack from China. Defacements
escalated quickly, triggered by the DDoS attacks28.
43 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Figure 46. Page from #OccupyPhilippines
On the same day, OccupyPhilippines and PrivateX launched a joint attack operation "#OpChinaDown".
They attacked .gov.cn sites and posted DB schema and login credentials of victim sites on Pastebin.
On April 25, the Silic group (the same organization that attacked .vn sites in 2011) joined the web
defacement campaign and targeted .gov.ph sites. Besides derogatory statements against Philippine
defacers, the page allowed visitors to leave messages on it. Over the course of 3 hours, over 30 visitors
left messages on the defaced pages29.
44 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Figure 47. Silic defacement page, where you can leave messages
Chinese hacktivism group 1937cn joined the defacement war on June 1, 2012. This group created a very
long deface page to convince viewers to believe in their message. 1937cn spread that page across 173
sites in five days.
China started reclamation and building on the Spratly archipelago of the South China Sea in April 201530.
This action caused a wave of defacement attacks. BloodSec, a Philippine defacer group, launched a
#StopReclamation campaign on April 26, 2015.
45 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Figure 48. BloodSec defacement page
Tensions escalated a month later. Posting on Pastebin31, defacers from the Philippines and Vietnam
declared the beginning of an #OpChina campaign on May 28, 2015. In the announcement, they called
themselves "the united hackers from the Philippines and Vietnam," aiming to "protest your (China) unjust
actions over the South China Sea". At the end of the announcement, they left a note that read "Expect
us! 5/30/2015".
Figure 49. Joint message from Vietnamese and Filipino hackers, and their defacement pages
This is the first time defacers from the two South East Asian countries united for a common political cause.
A series of attacks hit .cn sites on the date stated in their warning message—August 30, 2015. Most of
the victims were .gov.cn sites. The message left by the group Anonymous Philippines asked the Chinese
46 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
government to "stop the reclamation, do not put or establish any structure in that location." At the same
time, "AnonGhost" from Vietnam put out the message, "Stop the infringements of sovereignty island."
On the same day, Chinese defacer team "1937cn" retaliated by defacing .vn sites, and blamed it on the
joint action of defacers from Philippines and Vietnam. 1937cn also claimed that "South China Sea is
China's inherent territory." 1937cn's response was very quick—they likely noted the joint announcement
of the defacers from the Philippines and Vietnam, and carefully prepared the retaliation.
On July 12, 2016, the Hague Permanent Court of Arbitration ruled in favor of the Philippines against
China in an arbitration case about the disputes in the South China Sea. The ruling triggered a series of
cyberattacks against Vietnam32.
On July 29, 2016, the Chinese hacker group 1937cn attacked two major airports in Vietnam and the
website of Vietnam Airlines33. They defaced the home page with the same page used in 2015 during the
#OpChina defacement campaign. Then the hacker group leaked client information of Vietnam Airlines34.
This was not the first time 1937cn attacked Vietnam Airlines; the group also launched a similar attack on
May 30, 2015.
47 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Figure 51. Client information from Vietnam Airlines
The Civil Aviation Administration of Vietnam reported several attacks, supposedly from 1937cn team, on
two Vietnam airports within the same day. The IT system for the check-ins of Vietnam Airlines at Tan Son
Nhat International Airport was attacked and stopped working. The deface page, which was the same
page used on the Vietnam Airlines website, replaced the flight information screens at Noi Bai International
Airport. The speaker system at Noi Bai airport was also compromised by hackers for a few minutes,
during which the speakers broadcast an announcement against territory dispute. According to the Civil
Aviation Administration of Vietnam, the attack caused the delay of 100 flights, affecting thousands of
passengers35.
This incident might hint at future hacktivism trends: to reach a wider audience, hacktivists could potentially
broaden their targets from traditional websites to critical infrastructures such as airports.
48 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Hacking Groups’ Connections and Campaigns
Deface groups are formed by a loose affiliation between hackers. They can be defined as "loose" since
hackers can be affiliated with one or more of these hacking groups, even across territories.
As an example, see the group AnonCoders, which lists gunz_berry, Virus Noir, darkshadow-tn, Albania
Attacker and dr.t3rr0r as its core members. However, gunz_berry is also affiliated with Indonesian Code
Party, while Virus Noir is affiliated with Moroccan Ethical Hackers, darkshadow-tn with Fallaga Team, and
dr.t3rr0r with Myanmar Noob Hackers. Albania Attacker is affiliated with three other groups—Anonymous
Albania, Arab Warriors Team, and Anonghosts. AnonCoders shows how hackers can also be members of
various groups, and how hackers from different countries can form a group.
Other examples showing the liquidity of group membership are Pakistan's two biggest hacking groups:
ZCompany Hacking Crew and Muslim Liberation Army. Both have fairly large teams; ZCompany Hacking
Crew has at least 30 members, and Muslim Liberation Army has around 26. Below you can see seven
hackers who are members of both groups simultaneously, as we've seen defacements made by both
teams acknowledging the hackers in their defacement pages within the same time frame.
49 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Bozz error
Zolo
Silent Hell Toshiro
RoCk
MongoOse
Hard Hunter PCF
Bozz Hacker
ZCompany Don
Hacking Crew
Hothead Zulfi
Ibrar Buttz
Madni
Muslim Liberation
Army
Milan Milo
Killer Mind
Tazii
TriCk aka
MasterMind Saywhat?
Nabeel
Silence
Unknown Unknown Destiny
Xaha
Hax
De Decorum
KillerMind
Nabeel Haxor
Angel XtreMiSt (Master Mind)
Faisy Ali
fAchO
Pak Jaguars Hawk HyP3r-Boy Jerry Laghari
Hassan
Figure 53. Members of the ZCompany Hacking Crew and the Muslim Liberation Army
Collectives
Hacking groups can also band together to form bigger groups or collectives. The well-known group
Anonymous is a model for this. They can rightly be considered the biggest hacking collective in the
world based on the numerous hacking groups who identify and associate themselves with the name
“Anonymous”.
On a smaller scale, a collective can be formed simply to support a campaign. Take, for example, the
defacements done by Bangladeshi hackers against Indian websites, triggered by the Cricket World Cup.
The collective Rise of the Tigers was borne out of various Bangladeshi hacking groups working together:
3xp1r3 Cyber Army, Blacksmith Hacker's Team, Cyb3r Command0S, Bangladesh Grey Hat Hackers,
Bangladesh Black HAT Hackers, Cyber Sword and Bangladesh Script Kidde Hackers.
50 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Campaign Recruitment and Tools
Certain individuals or groups loosely organize hacktivism campaigns. They set time frames for a particular
campaign, and even use social media to coordinate and launch these campaigns.
Figure 55. Social media post used to spread templates for defacement scripts
51 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
They use calendar event features like Facebook Events to organize campaigns. They also advertise
campaigns on their team pages and actively recruit other hackers and hacking groups to participate.
Tools, targets, and defacement page templates are also shared openly by those participating in a campaign.
Figure 56. Tools spread through social media and sharing sites
52 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Certain groups also set up team websites to host content, post announcements, and facilitate discussions
through forums. These commonly have sections for tutorials, tools, and kits.
Figure 57. Different community sites hosting forums, downloads, news and more
53 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Auxiliary Activities of
Defacement Groups
Besides tools and defacement templates, these groups also share attack techniques. For example, groups
post hacking tutorials on GitHub and upload tutorial videos to streaming sites.
Figure 58. Tools and tutorials for different hacking activities shared by defacers
54 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Defacers are also contributing to Exploit-DB, which is is an open-source database for sharing exploit codes
and security papers. To find the number of defacers that are also active on Exploit-DB, we compared our
list of known defacers against this list of authors36 from Exploit-DB:
• Total defacer/hacker alias that are also listed as Exploit-DB authors: 790 of 7,858 (10.05%)
indoushka 294
ZoRLu 221
ajann 204
cr4wl3r 130
Hussin X 121
CWH Underground 115
t0pP8uZz 105
AtT4CKxT3rR0r1ST 96
JosS 74
HACKERS PAL 69
Mr.SQL 68
EgiX 67
bd0rk 65
CoBRa_21 64
InjEctOr5 63
DOS 5.63%
Local 4.26%
Shellcode 0.86%
55 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Escalating into Real-World Terrorism Activities
Hackers who participate in defacement and also other forms of hacking can also segue into more serious
crimes, possibly also driven by real-world disputes and political agendas. An example would be the case
of Team P0ison's founder Junaid Hussain (TriCk), who started notable defacements in 2010.
Figure 61. Sample of defaced pages done by TriCk supporting Free Kashmir
Hussain was arrested in 2014 for hacking into Katie Kay's (special advisor to British Prime Minister Tony
Blair) email account and leaking PM Blair's personal information37. After six months in jail, Junaid Hussain
traveled to Syria and joined ISIS. He took the name Abu Hussain al-Britani, and is believed to be the
person behind the hack of U.S. Central Command's Twitter and YouTube accounts. He is also believed to
have been killed in a US air strike in Syria in 201538.
Unfortunately, some defacers’ machines were infected by Ramnit and had their web defacement
templates infected to include the malicious VBscript. This, in turn, made their defacement pages unwitting
distributors of the Ramnit malware.
56 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Based on our records, 9,726 defacements were seen to include the Ramnit VBscript. Below are the top 30
defacers who were infected by Ramnit and had their compromised web defacement pages distribute the
malware. Most of the defacers were either from Arabic-speaking countries in the Middle East and North
Africa or from China. In a serendipitous turn of events, the top defacer that unwittingly spread Ramnit
goes by the nickname "stupid".
stupid 1,708
Cyb3r_Sw0rd 1,289
H.M.L-小北 310
gunz_berry 279
By:小康 276
BlackVirus 152
AnonGhost 145
Baws-DZ 136
Zalim 129
SnIpEr_SA 127
chinafans 127
UMCA 118
Turkhackteam.Org 95
By 刺心 93
MrCyberError404 87
HakANT 79
Team_CC 78
by:大 76
Sp@rK CoD3R 73
Anonymous Arabe 68
dulava! 62
fallaga team 61
xamd 56
KkK1337 55
ll_azab_siyah_ll 53
星 51
Figure 62. Defacers who were unknowingly spreading Ramnit through their defacement pages
57 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Conclusion
As seen in the examples above, real-world conflict can trigger web defacement on a large scale. One event
can lead to a campaign that brings hacking groups together, and large collectives can sustain defacement
campaigns for long periods of time. Most are politically or religiously motivated, and attackers are typically
keen to express fervent patriotism over specific causes. While these web defacement activities seem
relatively benign, it is plausible for defacers to move on to other hacking activities and criminal behavior.
58 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
The above screenshot shows a defaced router control panel, changing the title of the HTML page to "You
hacked from iraq(fb\arakan".
A lot of people may not realize that IoT devices have stripped down versions of web servers that host
their control panels and management consoles. The setup is something that would be relatively easy for
a defacer to exploit and compromise. In the case of the router defacement above, the attacker might not
even have known that he was able to deface a non-traditional/IoT website.
Exploits for vulnerabilities of common web applications or server components are also applicable and
effective on non-traditional/IoT websites. It would be simple for a defacer to transition into compromising
connected IoT devices. With the growing number of IoT devices, it might be appealing for defacers to
continue down that route.
Apart from individuals, defacement groups have yet to monetize their activities. According to our data,
99.9% of the web defacement pages are harmless. Pages found containing malicious code are mostly
infected by VBS_RAMNIT.SMC. These pages were unknowingly infected, and not intentionally put online
to spread malicious code. These defacers had their templates infected by the malware and unwittingly
spread the Ramnit malware.
A troubling scenario is if these defacement groups decide to monetize their successful hacks by, for
example, installing malicious redirections or exploit code in the defacement pages that would then install
ransomware. As previously mentioned, so far these defacements have been benign and motivated by
real-world conflicts or political agendas. However, cybercriminals could easily use hacks for profit-driven
criminal activities.
We have already seen some instances of this. There were reports of Indian hackers targeting Pakistani
servers and users to install ransomware for "patriotic" purposes39. If this continues and escalates, then the
line between defacers, hacktivists, and cybercriminals will become even more blurred.
59 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
How can enterprises protect their sites?
Based on the major vulnerabilities used by defacers, there are simple steps
that can secure servers against these threats. If practiced and deployed
consistently, these tips can help enterprises have long-term security:
• Ensure that basic security policies are employed and maintained long-
term: strong passwords, proper administration security policies, and
correct configuration.
60 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
References
1. Zone-H archives. (n.d.) Zone-H Unrestricted Information. Last accessed on 11 November 2017 at http://www.zone-h.org/
2. Ibid
4. http://www.mirror-zone.org (offline)
5. H4ck Mirror. (n.d.) Hack Mirror. Last accessed on 16 November 2017 at http://www.hack-mirror.com/.
6. http://www.mydeface.com (offline)
7. BBC Newsround. (20 February 2015). BBC Newsround. “Guide: Why are Israel and the Palestinians fighting over Gaza?” Last
accessed 16 November 2017 at http://www.bbc.co.uk/newsround/20436092.
8. Al-Islam. (n.d.) AI-Islam.org. “The Battle of Badr”. Last accessed 14 Nov 2017 at https://www.al-islam.org/articles/battle-badr.
9. Yifa Yaakov. (5 August 2014). The Times of Israel. “After 29 days, Operation Protective Edge by the numbers”. Last accessed
17 November 2017 at https://www.timesofisrael.com/after-29-days-operation-protective-edge-by-the-numbers/.
10. ABC. (8 January 2015). ABC News. “Charlie Hebdo shooting: 12 people killed, 11 injured, in attack on Paris offices of
satirical newspaper”. Last accessed 14 November 2017 at http://www.abc.net.au/news/2015-01-07/charlie-hebdo-satirical-
newspaper-shooting-paris-12-killed/6005524.
11. AFP/Reuters. (16 July 2017). Deutsche Welle. “'Cyber Army' hacker arrested, says Bulgaria”. Last accessed 17 November
2017 at http://www.dw.com/en/cyber-army-hacker-arrested-says-bulgaria/a-18586433.
12. Rifat Fareed. (27 Ovtober 2017) Al Jazeera. “'Black day' in Kashmir marks 1947 Indian army arrival”. Last accessed 17 November
2017 at http://www.aljazeera.com/news/2017/10/day-kashmir-marks-1947-indian-army-arrival-171027122649223.html.
13. Maps of India. (n.d.) Maps of India. “26th October 1947: Maharaja Hari Singh agrees to the accession of Jammu and Kashmir
to India” Last accessed 16 November 2017 at https://www.mapsofindia.com/on-this-day/26th-october-1947-maharaja-hari-
singh-agrees-to-the-accession-of-jammu-and-kashmir-to-india.
14. Aijaz Hussain. (10 December 2013). The San Diego Union Tribune. “Activists, families protest Kashmir disappearances”.
Last accessed 13 November 2017 at http://www.sandiegouniontribune.com/sdut-activists-families-protest-kashmir-
disappearances-2013dec10-story.html.
15. Rupam Jain. (19 December 2016) Reuters. “India indicts Pakistan-based militants over Pathankot air base attack” Last
accessed 17 November 2017 at http://in.reuters.com/article/india-pakistan-attack/india-indicts-pakistan-based-militants-
over-pathankot-air-base-attack-idINKBN1480QO.
16. Hari Kumar and Geeta Anand. (18 September 2016). The New York Times. “17 Indian Soldiers Killed by Militants in Kashmir”
Last accessed 17 November 2017 at https://www.nytimes.com/2016/09/19/world/asia/17-indian-soldiers-killed-by-militants-
in-kashmir.html.
17. Shubhajit Roy. (24 September 2015). The Indian Express. “Make seven changes to your Constitution: India tells Nepal”. Last
accessed 2 November 2017 at http://indianexpress.com/article/world/neighbours/make-seven-changes-to-your-constitution-
address-madhesi-concerns-india-to-nepal/.
18. Medecins Sans Frontieres. (26 April 2016). MSF.org. “Syria: Update on airstrike at Al Quds hospital”. Last accessed 17
November 2017 at http://www.msf.org/en/article/syria-update-airstrike-al-quds-hospital.
61 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
19. Die Morina. (2 Match 2017) Balkan Transitional Justice. “Mitrovica’s Flashpoint Bridge Symbolises Kosovo’s Divisions”. Last
accessed 17 November 2017 at http://www.balkaninsight.com/en/article/mitrovica-s-flashpoint-bridge-symbolises-kosovo-s-
divisions-03-01-2017.
20. Tarra Quismundo. (16 April 2016). Inquirer. “PCG men ordered to pay Taiwan family”. Last accessed 17 November 2017 at
http://globalnation.inquirer.net/138653/pcg-men-ordered-to-pay-taiwan-family.
21. Sofia Wu. (13 May 2013) Focus Taiwan. “Shooting ignites Taiwan-Philippines cyber war “, Last accessed 16 November 2017
at http://focustaiwan.tw/news/atod/201305130041.aspx.
22. Clifford Trigo. (11 May 2013). Pinoy Hack News. “Pinoy Vendetta sends warning message to Taiwan, defaces 5 websites”.
Last accessed 17 November 2017 at https://www.pinoyhacknews.com/pinoy-vendetta-sends-warning-message-to-taiwan-
defaces-5-websites.
23. Petro Vietnam. (1 June 2011) PetroVietnam. “Chinese ships destroy Vietnam sea cable”. Last accessed 17 November 2017 at
https://www.youtube.com/watch?v=w1H6zcuXjJ8.
24. ChinaAZ. (8 June 2011). Cheng Cold Blog. “Many websites in the South China Sea were attacked by Vietnamese hackers and
Chinese hijackers counterattacked”. Last accessed 17 November 2017 at http://www.bj3gweb.com/Link201106_WebAttack_
ChinaAndVietnam.html.
25. Ibid
26. Kafan. (5 June 2011) Kafan.cn. “Many domestic websites were attacked by Vietnamese hackers”. Last accessed on 16
November 2017 at http://bbs.kafan.cn/thread-999960-1-1.html.
27. Xiao Bian. (6 May 2012). Freebuf. “My Filipino Maid is a Hackers - China and the Philippines network war”. Last accessed 16
November 2017 at http://www.freebuf.com/news/913.html.
28. Edwin Lacierda. (23 April 2012). Official Gazette. “Statement of Presidential Spokesperson Edwin Lacierda”. Last accessed
on 16 November 2017 at http://www.officialgazette.gov.ph/2012/04/23/statement-of-the-presidential-spokesperson-on-the-
denial-of-service-attack-on-pcdspo-maintained-websites-april-23-2012/.
29. Rappler. (25 April 2012) Rappler. “DBM website hacked”. Last accessed on 24 November 2017 at https://www.rappler.com/
nation/4341-dbm-website-hacked.
30. Reuters. (9 April 2015) CNBC. “China mounts detailed defence of South China Sea reclamation”. Last accessed on 223
November 2017 at http://www.cnbc.com/2015/04/09/china-mounts-detailed-defence-of-south-china-sea-reclamation.html.
31. Pastebin. (28 May 2015) #OpChina Official Index. Last accessed 15 November 2017 at https://pastebin.com/xii97KNy.
32. Anni Piiparinen. (22 July 2016). The Diplomat. “China’s Secret Weapon in the South China Sea: Cyber Attacks”. Last accessed
18 November 2017 at https://thediplomat.com/2016/07/chinas-secret-weapon-in-the-south-china-sea-cyber-attacks/.
33. Vietnam News (29 July 2016). Vietnam News. “Chinese hackers attack VN’s airports and Vietnam Airlines’ website”. Last
accessed 16 November 2017 at http://vietnamnews.vn/society/300416/chinese-hackers-attack-vns-airports-and-vietnam-
airlines-website.html#vecZdAWfcqd8iKGz.97.
34. Tara Seals. (29 July 2016). Info-Security Magazine. “Chinese Hackers Attack Airports Across Vietnam”. Last accessed 15
November 2017 at https://www.infosecurity-magazine.com/news/chinese-hackers-attack-airports/.
35. Vietnam News (29 July 2016). Vietnam News. “Chinese hackers attack VN’s airports and Vietnam Airlines’ website”. Last
accessed 16 November 2017 at http://vietnamnews.vn/society/300416/chinese-hackers-attack-vns-airports-and-vietnam-
airlines-website.html#vecZdAWfcqd8iKGz.97.
62 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
36. GitHub. The Official Exploit Database Repository. Last accessed on 16 November 2017 at https://github.com/offensive-
security/exploit-database.
37. Gianlucca Mezzofiore. (2 July 2014). International Business Times. “Team Poison's Junaid Hussain Jailed for Tony Blair Hack
and Phone Bombing Anti-Terror Hotline”. Last accessed on 20 November 2017 at http://www.ibtimes.co.uk/team-poison-
phone-bomb-hacker-anti-terror-367660.
38. Spencer Ackerman, Ewan MacAskillin and Alice Ross. (27 August 2015). The Guardian. “Junaid Hussain: British hacker for Isis
believed killed in US air strike”. Last accessed 16 November 2017 at https://www.theguardian.com/world/2015/aug/27/junaid-
hussain-british-hacker-for-isis-believed-killed-in-us-airstrike.
39. India Defense News. (7 October 2016). India Defense News. "‘Patriotic’ Indian Hackers Lock Pakistani Websites and Refuse
to Give Back the Key". Last accessed on November 17 at http://www.indiandefensenews.in/2016/10/patriotic-indian-hackers-
lock-pakistani.html.
63 | A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Created by:
TREND MICROTM
Trend Micro Incorporated, a global cloud security leader, creates a world safe for exchanging digital information with its Internet content security and
threat management solutions for businesses and consumers. A pioneer in server security with over 20 years experience, we deliver top-ranked client,
server, and cloud-based security that fits our customers’ and partners’ needs; stops new threats faster; and protects data in physical, virtualized, and
cloud environments. Powered by the Trend Micro™ Smart Protection Network™ infrastructure, our industry-leading cloud-computing security technology,
products and services stop threats where they emerge, on the Internet, and are supported by 1,000+ threat intelligence experts around the globe.
For additional information, visit www.trendmicro.com.
www.trendmicro.com
©2018 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of
Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.