Alongside military jihad, which has been gaining momentum and extracting an ever growing price from many countries around the globe, Islamists have been developing a new form of warfare, termed "electronic jihad," which is waged on the Internet. This new form of jihad was launched in recent years and is still in its early stages of development. However, as this paper will show, Islamists are fully aware of its destructive potential, and persistently strive to realize this potential.
Electronic jihad is a phenomenon whereby mujahideen use the Internet to wage economic and ideological warfare against their enemies. Unlike other hackers, those engaged in electronic jihad are united by a common strategy and ideology which are still in a process of formation.
This paper aims to present the phenomenon of electronic jihad and to characterize some of its more recent developments. It lays out the basic ideology and motivations of its perpetrators, describes, as far as possible, its various operational strategies, and assesses the short and long-term dangers posed by this relatively new phenomenon. The paper focuses on electronic jihad waged by organized Islamist groups that mobilize large numbers of hackers around the world to attack servers and Web sites owned by those whom they regard as their enemies.
Organized Electronic Jihad
In the past few years Islamist Web sites have provided ample evidence that Islamist hackers do not operate as isolated individuals, but carry out coordinated attacks against Web sites belonging to those whom they regard as their enemies. As evident from numerous postings on the Islamist Web sites, many of these coordinated attacks are organized by groups devoted to electronic jihad. Six prominent groups of this sort have emerged on the Internet over the past few years: Hackboy, Ansar Al-Jihad LilJihad Al-Electroni, Munazamat Fursan Al-Jihad Al-Electroni, Majmu'at Al-Jihad Al-Electroni, Majma' Al-Haker Al-Muslim, and Inhiyar AlDolar. All these groups, with the exception of Munazamat Fursan Al-Jihad and Inhiyar alDolar, have Web sites of their own through which they recruit volunteers to take part in electronic attacks, maintain contacts with others who engage in electronic jihad, coordinate their attacks, and enable their members to chat with one another anonymously.
The Majmu'at Al-Jihad Al-Electroni Web site, for example, includes the following sections: a document explaining the nature of electronic jihad, a section devoted to electronic jihad strategy, a technical section on software used for electronic attacks, a section describing previous attacks and their results, and various appeals to Muslims, mujahideen, and hackers worldwide.
A more recent indication of the increasingly organized nature of electronic jihad is an initiative launched January 3, 2007 on Islamist Web sites: mujahideen operating on the Internet (and in the media in general) were invited to sign a special pact called "Hilf Al-Muhajirin" (Pact of the Immigrants). In it, they agree "to stand united under the banner of the Muhajirun Brigades in order to promote [cyber-warfare]," and "to pledge allegiance to the leader [of the Muhajirun Brigades]." They vow to "obey [the leader] in [all tasks], pleasant or unpleasant, not to contest [his] leadership, to exert every conceivable effort in [waging] media jihad...[and to persist] in attacking those websites which do harm to Islam and to the Muslims..."
This initiative clearly indicates that the Islamist hackers no longer regard themselves as loosely connected individual activists, but as dedicated soldiers who are bound by a pact and committed to a joint ideological mission.
The Ideology and Ethical Boundaries of Electronic Jihad
Mission statements posted on the Web sites of electronic jihad groups reveal that just like the mujahideen on the military front, the mujahideen operating on the Internet are motivated by profound ideological conviction.
They despise hackers who "engage in purposeless and meaningless sabotage" or are motivated by desire for publicity or by any other worldly objective. They perceive themselves as jihad-fighters who assist Islam and promote (monotheism) via the Internet.
More importantly, they view cyberspace as a virtual battlefield in which the mujahideen can effectively defeat the West.
That the mujahideen operating in cyberspace are motivated by ideology, in contrast to many hackers, is illustrated by the following example. Recently, a participant on an Islamist forum posted instructions for breaking into a UK-based commercial Web site and stealing the customers' credit card information in order to inflict financial damage on the "unbelievers" (i.e. on the non-Muslims customers and retailers). His initiative sparked a fierce debate among the forum participants, the dominant opinion being that this initiative falls outside the boundaries of legitimate cyberjihad. One forum participant wrote: "Oh brother, we do not steal... We attack racist, American and Shi'ite [websites] and all corrupt websites." Another participant reminded the forum members that stealing from unbelievers is forbidden.
One objective of electronic jihad which is frequently evoked by the mujahideen is assisting Islam by attacking Web sites that slander Islam or launch attacks against Islamic Web sites, or by attacking websites that interfere with the goal of rendering Islam supreme (e.g. Christian Web sites). More recently, however, the mujahideen have begun to cite additional objectives: avenging the death of Muslim martyrs and the suffering of Muslims worldwide (including imprisoned jihad fighters); inflicting damage on Western economy; affecting the morale of the West; and even bringing about the total collapse of the West.
The following excerpts from Arabic messages posted by Islamist hackers exemplify each of these objectives.
Eliminating Websites That Harm Islam
"The administration wishes to inform you of the following so that you understand our operational methods and our jihad strategy. My brothers, our operational methods are not only to assault... and target any website that stands in the way of our victory... We are indeed victorious when we disable such [harmful] websites, but the matter is not so simple. We target...websites that wage intensive war [against us]... We target them because they are the foremost enemies of jihad in cyberspace; their existence threatens Islamic and religious websites throughout the Internet..."
Avenging the Death of Martyrs and the Suffering of Muslims and Imprisoned Mujahideen Worldwide
"We shall say to the Crusaders and their followers: We take an oath to avenge the martyrs' blood and the weeping of Muslim mothers and children. The Worshipers of the Cross and their followers have already been warned that their websites may be broken into and destroyed. We must not forget our leaders, our mujahideen, our people and our children who were martyred in Palestine, Iraq, Afghanistan, Chechnya and in other places. We shall take revenge upon you, O' Zionists and Worshipers of the Cross. We shall never rest or forget what you did to us. [There are only two options] in electronic jihad for the sake of Allah: Victory or death.
We dedicate these [operations of] hacking [into enemy websites] to the martyr and jihadfighter sheikh Abu Mus'ab Al-Zarqawi, to the jihad-fighter Sheikh Osama bin Laden, to the imprisoned fighter of electronic jihad Irhabi 007, to the fighter of electronic jihad Muhibb Al-Shaykhan and to all the mujahideen for the sake of Allah..."
Inflicting Economic Damage on the West and Damaging its Morale
"Allah has commanded us in various Koranic verses to wage war against the unbelievers... Electronic jihad utilizes methods and means which inflict great material damage on the enemy and [which also] lower his morale and his spirits via the Internet. The methods of [hacking] have been revealed [to us] by expert [hackers] on the Internet and networks... many of whom engage in purposeless and meaningless sabotage. These lethal methods will be harnessed [for use] against our enemies, so as to inflict the greatest [possible] financial damage [upon them] - which can amount to millions - and [in order] to damage [their] morale, so that [they] will be afraid of the Muslims wherever they go and even when they are surfing the Web."
Bringing About the Total Collapse of the West
"I have examined most of the material [available] in hacking manuals but have not found articles which discuss... how to disable all the [electronic] networks around the world. I found various articles which discuss how to attack websites, e-mails, servers, etc., but I have not read anything about harming or blocking the networks around the world, even though this is one of the most important topics for a hacker and for anyone who engages in electronic jihad. Such [an attack] will cripple the West completely. I am not talking about attacking websites or [even] the Internet [as a whole], but [about attacking] all the [computer] networks around the world including military networks, and [networks] which control radars, missiles and communications around the world... If all these networks stop [functioning even] for a single day... it will bring about the total collapse of the West... while affecting our interests only slightly. The collapse of the West will bring about the breakdown of world economy and of the stock markets, which depend on [electronic] communication [for] their activities, [e.g.] transfers of assets and shares. [Such an attack] will cause the capitalist West to collapse."
Actual Attacks and Their Effects
Reports on Islamist Web sites indicate that most of the hacking operations carried out by mujahideen have been aimed at three types of Web sites: a) Ideological Web sites which promote beliefs, doctrines and ideologies which the mujahideen perceive as incompatible with Sunni Islam, such as Christianity, Shi'ism and Zionism. b) Web sites which the mujahideen perceive as defamatory or harmful to Islam. Many of these are private blogs, news blogs and non-Islamic forums (e.g., http://answering-islam.org.uk ). c) Web sites which promote behavior that is contrary to the mujahideen's religious worldview (e.g., http://www.nscrush.org/news/journal, a Web site associated with a girls' sports team).
As for Web sites associated with governments, defense systems, and Western economic interests - Islamist Web sites present little or no evidence that mujahideen have actually attacked them. There is, however, sufficient evidence to suggest that such sensitive targets continue to be of intense interest to the mujahideen. For example, an Islamist forum recently conducted a survey among its participants regarding the targets they would like to attack. Among the targets suggested were Western financial Web sites and Web sites associated with the FBI and CIA. Moreover, in September 2006, an Islamic Web site posted a long list of IP addresses allegedly associated with key governmental defense institutions in the West, including "the Army Ballistics Research Laboratory," "the Army Armament Research Development and Engineering Center," "the Navy Computers and Telecommunications Station," "the National Space Development Agency of Japan," and others. The title of the message indicates that the list is meant for use in electronic attacks.
Another message, posted on an Islamist Web site on December 5, 2006, stated that Islamist hackers had cancelled a planned attack, nicknamed "The Electronic Guantanamo Raid," against American banks. The posting explained that the attack had been cancelled because the banks had been warned about the attack by American media and government agencies. It stated further that the panic in the media shows how important it is "to focus on attacking sensitive economic American websites [instead of] other [websites, like those that offend Islam]..." The writer added: "If [we] attack websites associated with the stock[market] and with banks, disabling them for a few days or even for a few hours, it will cause millions of dollars' worth of damage... I [therefore] call upon all members [of this forum] to focus on these websites and to urge all Muslims who are able to participate in this [type of] Islamic Intifada to attack websites associated with the American stock[market] and banks..."
A General Call to Participate in a Virus Attack
Postings on Islamist Web sites reveal that the cyberspace mujahideen favor two main strategies. The first is to paralyze sites by "swarming," i.e., flooding them with hits and thus creating a traffic overload. When traffic to the site exceeds the Web site's or server's capacity, the site is blocked to additional users, and in some cases it even crashes. The second strategy is called "ping attack": special programs are used to flood a Web site with thousands of emails, sometimes containing viruses, thus clogging the Web site and infecting it. The programs utilized by mujahideen in these attacks are either programs available to the hacker community at large or programs created especially for Islamist hackers.
Reports posted by the mujahideen after attacks on Web sites indicate that these cyberassaults affect the Web sites only temporarily, if at all. In many cases the mujahideen themselves admit that their attack was ineffective and that the Web site returned to normal functioning only minutes or hours after the attack. In light of this, the mujhahideen often resort to another method in an attempt to completely eliminate the targeted site.
An Islamist hacker explained the method as follows: "We contact... the server [which hosts the target website] before and after the assault, and threaten [the server admin] until they shut down the target website. [In such cases], the 'host' [i.e., server] is usually forced to shut down the website. The battle continues until the enemy declares: 'I surrender.'"
Islamist Web sites present very little evidence of more sophisticated attacks utilizing actual hacking techniques (i.e., obtaining the admin password and using admin privileges to corrupt data or damage the server itself).
However, two examples do indicate that the cyberspace mujahideen may possess the capability to carry out such attacks. On October 17, 2006, an Islamist Web site posted a message containing a link to what appeared to be live pictures of Anchorage International Airport taken by the airport's security cameras. There was also a link to an admin control program allowing surfers to control the airport's security cameras. If this was an authentic break-in, it indicates that Muslim hackers are capable of hacking even into highly secure servers.
Another example which illustrates the extent of the mujahideen's hacking skills is the story of 22-year-old Younis Tsouli from West London, better know as Irhabi 007, who was arrested in 2005 by Scotland Yard. In his short but rich hacking career, Irahbi 007 wrote a hacking manual for mujahideen, instructed Islamist hackers online, and broke into servers of American universities, using them to upload shared files containing jihad-related materials.
Coordination of Attacks
Islamist Web sites provide extensive evidence that Islamist cyber-attacks are not random initiatives by individual mujahideen, but are steadily becoming more coordinated. Firstly, announcements of imminent attacks, which appear almost daily, are posted on numerous sites simultaneously. Participants are instructed to look out for postings specifying the time of attack, the URL of the target (usually posted some 30 minutes before the attack itself) and the program to be used for carrying out the attack. Secondly, before the attacks, Web sites have lately begun to post messages addressed to specific individuals referred to as "attack coordinators," each of whom is associated with a specific Islamist site. Finally, there is a significant increase in response to the calls for participation in electronic attacks.
Recently, for example, a message announcing an attack on a Shi'ite Web site received 15,000 hits, and approximately 3,000 forum members responded to the message. The attacks, then, seem to be well-organized and supervised by a network of specially appointed individuals on various sites, and they appear to generate high participation levels among forum members.
The following three examples demonstrate the coordinated nature of the attacks.
Instructions for Attack Coordinators
On December 21, 2006, the Al-Muhajirun Web site posted the following message regarding a planned attack: "Our attack will take place this coming Friday... I remind you that the name of the program to be used will not be posted until half an hour to an hour before the attack... Attack coordinators, you worked hard last week... and I ask you to display the same zeal in this [upcoming] attack. I ask [each] individual who intends to serve as attack coordinator on [his] website to reply [to this posting with the message]: "I will be the attack coordinator for this network..." [The coordinator] will be responsible for the following: ...urging forum participants [to take part in the attack], while [taking care] not to mention names of 'Hilf Al-Muhajirin' members and the names of those who take part in the attack... [The coordinators] must be online at least one full hour before the attack... in order to post links to the programs that will be used and to the [intended target] websites. [They are also] responsible for posting the code-name of the attack, along with the text shown below [which presents some general information about the attack]... "
Announcement of a Ping Attack Against a Web site That Harms Islam
The following message was posted November 23, 2006 on the website Majmu'at Al-Jihad Al-Electroni: "...An attack is about to be carried out by all the Internet mujahideen, may Allah accept it as jihad for His sake... [The targets are] websites that do harm to Islam... The attacks will take place on Saturday, Monday, and Thursday, between 6:00 p.m. and 10:00 p.m., Mecca time, or between 5:00 p.m. and 9:00 p.m. Jerusalem time... The primary [computer] program to be used is Al-Jihad Al-Electroni 1.5... We have been able to create a better version of the [program]... and eliminate most of the problems that were encountered by members [in the past]. [The new version] is much lighter and is capable of producing a much more powerful attack..." "This action is a rapid [response] to [a website] that has annoyed us. This is war... Who is with me and who is against me? Allah is with me... and the Crusader Jew and his followers... are against me. I have... uploaded three viruses and a file which can disable firewalls. I will inform you of the time of the attacks... Whoever wishes to participate in the raid should download the virus he wishes to use and [then] send it [to the target]... I ask that before you do anything on the Internet... my mujahid brother, [please] place your trust in Allah."
Electronic Jihad: A Nuisance or a Real Threat?
The evidence presented here shows that electronic jihad is a form of cyber-warfare with ideological underpinnings and defined goals, which manifests in well-coordinated cyber-attacks. Examination of the Web sites reveals that the Islamist hackers maintain constant communication among themselves, share software and expertise and conduct debates on strategy and legitimate targets. There is also evidence of increasingly efficient coordination of attacks. The mujahideen's own statements show that they mean to position themselves as a formidable electronic attack force which is capable of inflicting severe damage - greater even than the damage caused by conventional terror-ist attacks.
At the same time, however, the information presented here reveals a significant gap between the mujahideen's aspirations and their actual capabilities. Despite their selfproclaimed intention to target key economic and government systems and Web sites in order to bring about a total economic collapse of the West, Islamist Web sites provide no evidence that such targets have indeed been attacked. In actuality, most of the attacks documented on Islamist Web sites were aimed at sites that are seen by the mujahideen as morally corrupt or offensive to Islam. In addition, most of the attacks were carried out using unsophisticated methods which are not very likely to pose a significant threat to Western economic interests or sensitive infrastructure. In this respect, electronic jihad can still be seen, at least present, as a nuisance rather than a serious threat.
Nevertheless, it is important not to underestimate the potential danger posed by this phenomenon. First, as shown above, at least two examples indicate that the mujahideen are already capable of compromising servers, even highly secure ones. Given the increasing communication and the constant sharing of expertise among Islamist hackers, the gap between their goals and their actual capabilities is bound to narrow down. In other words, the mujahideen's persistent pursuit of expertise in the area of hacking, as reflected in numerous Web site postings, may eventually enable them to compromise Western Web sites of a highly sensitive nature.
Second, past experience has shown that even primitive attacks, which do not damage servers, can cause substantial financial damage. For example, after a midair collision between a Chinese fighter jet and an American spy plane on April 1, 2001, Chinese hackers spread a malicious "worm," known as the "Code Red Worm," which infected about a million US servers in July 2001 and caused some $2.6 billion worth of damage to computer hardware, software, and networks. On another occasion, a ping attack against the retail giants Yahoo, eBay, and Amazon in February 2000 was estimated to have caused Yahoo alone a loss of $500,000 due a decrease in hits during the attack.
In conclusion, electronic jihad, in its current state of development, is capable of causing some moderate damage to Western economy, but there is no indication that it constitutes an immediate threat to more sensitive interests such as defense systems and other crucial infrastructure. Nevertheless, in light of rapid evolving of this phenomenon, especially during the recent months, the Western countries should monitor it closely in order to track the changes in its modes of operation and the steady increase in its sophistication.
The author is director of MEMRI's Jihad and Terrorism Studies Project