The 11-Month Evolution of An0nGhost

October 9, 2013 • Chris

Hacktivist teams have garnered much attention in recent years from the threat intelligence community and, to some degree, the mainstream media. This coverage has produced a trove of information on some organizations, allowing us to observe how their networks evolved via open source media analysis.

The most notorious and most amorphous collective, Anonymous, remains highly active several years after its inception. Its emergence in early 2008 serves as an epoch to the modern era of hacktivism, which Professor Gabriella Coleman at McGill University details in her excellent profile of the group.

An0nGhost is another globally distributed collective of hackers. In contrast to Anonymous, it has a recognized head figure in Mauritania Attacker and a relatively clear-cut network of 25-30 affiliated hackers. The group’s entire existence has been chronicled, and we’ve described its evolution below using web intelligence and visualizations from Recorded Future.

This series of network and timeline pairings explains the evolution of An0nGhost, from the group’s foundation in November 2012 to its rumored dissolution in September 2013.

An0nGhost – August 2012 to December 2012

An0nGhost Evolution Stage 1

  • Pre-August 2012: Mauritania Attacker operates independently in addition to leading Mauritania Hacker Group. Both the individual and the group continue operations independent of An0nGhost.
  • August 2012: Members of Teamr00t (prominent members in Pakistan and Morocco) depart group and become early members of collective An0nGhost.
  • November 2012: First round of attacks claimed by new collective An0nGhost exclusively target Israeli websites.
  • December 2012: Anonymous launches OpIsrael attempting to piggyback on An0nGhost initiatives; An0nGhost publicly distances itself from the Anonymous campaign.

An0nGhost – January 2013 to March 2013

An0nGhost Evolution Stage 2

  • January 10, 2013: Days after defacing the Israeli Defence Forces website, An0nGhost claims its first non-Israeli target in the Export-Import Bank of the United States using a cross-site scripting attack.
  • Early February, 2013: First coordination with Anonymous affiliates in defacement of and data dump from the Tunisian Agency of Internet.
  • Late February, 2013: Attacks by former Teamr00t members Spitefir3 and Virusa Worm claimed for An0nGhost.
  • Late March, 2013: Preparation for Anonymous-organized OpIsrael campaign.

An0nGhost – April 2013 to June 2013

An0nGhost Evolution Stage 3

  • An0nGhost gains prominence and finds itself referenced in threat actor discussion with heavy hitters such as the Syrian Electronic Army, Qassam Cyber Fighters, and Parastoo. Definition of hacker network organized by Mauritania Attacker becomes more apparent.
  • April and May, 2013: Helps coordinate global, multifaceted operations in OpIsrael and OpUSA, including open cooperation with a network of hacktivist groups primarily operating out of the Middle East, North Africa, and Pakistan.
  • June 2013: Execution of OpPetrol, which targets oil and gas companies as well as the governments of countries that broadly support those industries.

An0nGhost – July 2013 to September 2013

An0nGhost Evolution Stage 4

  • After participating in several major campaigns with Anonymous members, the two organizations' propaganda efforts are now tightly connected through social media channels. Several additional joint operations can be observed during this late summer/early fall period.
  • August 2013: Recruiting for a new phase of OpIsrael begins; An0nGhost fires first shots in attack on Indian Embassy in Israel.
  • August 20, 2013: Mauritania Attacker independently hacks and leaks thousands of OAuth tokens used as login credentials for Twitter accounts.
  • September 2013: Commencement of new OpIsrael phase (under hashtags such as #OpIsraelReloaded and #OpIsraelReborn); includes cache query injections and domain redirects on Google sub-domains in Israel and Palestine.
  • Late September, 2013: Various channels allege that An0nGhost has disbanded; however, the group continues to take credit for successful attacks via Twitter and Facebook as recently as October 8.

During this era of heightened attention to hacktivism, An0nGhost is one of the first non-state cyber organizations (distinct from groups such as the Syrian Electronic Army and Iran Cyber Army) to combine ambitious targeting that warrants close examination with regular disclosure of plans and successes, which provides evidence for non-technical analysis of open sources.

Those non-technical insights, such as patterns in targeting, methods of attack, and affiliations with other known organizations and individuals, can then be leveraged by analysts in a second phase of research for technical attack indicators. You can get a taste for this next step by looking at indicators such as URLs, IPs, hashes, and more that have recently been linked to members of the An0nGhost collective.