The popular uprisings in the Middle East and North Africa (MENA) in 2011 polarized citizens in the region. People on both sides of the conflict took up their causes online, hacking and defacing websites, comment spamming on opponent Facebook pages, and using phishing URLs to gain access to targets’ online accounts. Website defacement activities during the Arab Spring have emerged as a common form of disruptive protest by rival groups—a way not only to sabotage opponents’ online presences but also to disrupt the flow of information and spread opposing messages during conflict.
Website defacements are not a new tactic in the region: these types of attacks took place earlier in the context of the Israeli-Palestinian conflict, in the antagonistic relationship between Morocco and Algeria over Western Sahara, and in the religiously motivated defacement of websites between Sunni and Shiite hacker groups. These activities were rare and limited in scope, but during the MENA uprisings, information operations conducted by politically motivated groups emerged online in a newly organized and intensive way.
One of the most widely active and visible of these groups is the Syrian Electronic Army (SEA). The SEA was organized in May 2011 and tends to target groups and individuals that the Syrian regime has singled out for supporting regime change.1 The SEA has defaced the websites of public figures such as political cartoonist and outspoken critic of the regime Ali Ferzat, Syrian composer Malek Jendali, and Syrian singer Asalah Nasri, all of whom have been harassed by Syrian security forces or the Syrian Ministry of Information. The SEA has also defaced independent news and opinion websites such as Transparent Sham and Hadatha for Syria. As the conflict in Syria came under closer international scrutiny in mid-2013, the SEA began to focus more on compromising the Twitter accounts and websites of high profile international media organizations, choosing targets such as the New York Times based on their perceived biased coverage of the events in Syria.
Anti-government groups took a similar course of action: in February 2012, anti-regime hackers defaced Syria's pro-regime Addounia TV website by replacing the content of the front page with a defacement message that included links to YouTube clips of the regime’s forces cracking down on protesters. Earlier in the same month, the TV’s mobile news service was compromised, with the perpetrators sending “news alerts” supporting the uprisings.2
In Yemen, a pro-revolution group called the Union of Yemeni Hackers targeted government-controlled media websites to protest their reporting on the uprising in March 2011. The group defaced the websites of two state TV channels, Yemen TV and Sheba TV, with messages criticizing their “distortion of the facts.”
In Egypt, Mubarak supporters exchanged attacks with pro-revolution websites and groups. One group known as Sons of Mubarak compromised several Facebook pages, including one run by the Muslim Brotherhood’s political organization, the Freedom and Justice Party. The group left a message on the compromised page that read, “Sons of Mubarak will punish the revolution supporters” and vowed to attack websites that refer to Mubarak as a “deposed president” and websites that produce content that “distort the history of Mubarak.” In July 2013, the website of Tamarod (an opposition group dedicated to forcing President Mohamed Morsi to call early elections) was defaced by supporters of the Muslim Brotherhood. The defacement contained a message linking to a live stream of pro-Morsi demonstrations in Cairo.
A number of other defacements have taken place in the region outside of the context of large-scale revolutionary movements. During the September 2013 protests in Sudan over fuel price increases, during which as many as 200 protesters were killed, a Sudanese government website was defaced. The defacement message criticized the governmental religious establishment’s stance that “disobeying the state head or president” via street protests was haram (forbidden by God). The message asked, “Isn’t killing protesters haram?” In the same month, the website of the Prime Minister of Jordan was defaced with a message protesting the increasing cost of living in the country. In October 2013, the website of an online campaign supporting the right of women to drive in Saudi Arabia was defaced with a message that claimed to reveal the name and address of the person behind the site. A later defacement message on the same site vowed to persecute those who support the campaign.
Hacking and defacing activities are not limited to internal targets. In 2011, Syrian-Turkish relations deteriorated after Syria accused Turkey of interfering in its internal affairs and supporting rebel activities; in response, Turkey accused the Syrian regime of killing civilian protesters. Syrian and Turkish hackers responded by defacing several government websites in both countries. The SEA has also defaced websites in Libya, Israel, and the United Kingdom, as well as websites outside of the region, in an attempt to disseminate Syrian regime’s version of the conflict. These targets include the websites of Harvard University, Purdue University, and the Lineberger Comprehensive Cancer Center at the University of North Carolina, as well as celebrity fan sites such as johnny-depp.org, ben-affleck.us, and bradpittweb.com.
Pro-revolution hackers in Syria have also attacked targets both inside and outside the region, including the site of an Iraqi oil company (mociraq.com), where they replaced the front page with a message reading, “The Iraqi regime, backed by the Iranian regime, is supporting the Syrian regime in oppressing Syrian people.” The hackers replaced the website’s banners with pro-revolution insignia, along with a photo of a child who—according to protesters—was killed by Syrian security forces during one of the demonstrations. They have also targeted the websites of the Russian Embassies in India and Singapore in protest of Russia’s veto of a UN Security Council resolution to condemn the Syrian government.
Many hacker forums set their own broad ethical guidelines, which are primarily based on political and religious considerations rather than national legal frameworks. These guidelines often argue that the incumbent regimes and their laws are part of the problem, and therefore can be legitimately ignored.3 Sometimes the discourse on what constitutes an appropriate act of hacking focuses on the “Islamicity” of the act, with hackers invoking Islamic legal code to determine which websites are permissible targets. Aside from Fatwa-backed near-consensus on the permissibility of defacing and even destroying websites perceived to be anti-Islamic,4 hackers generally interpret for themselves which targets are acceptable. Political, religious, and sectarian divides remain the main governing references used by the hackers, with hacking justified according to political grievances. Interestingly, forums where the hacking of certain political or religious sites is tolerated have themselves become targets of sabotage by rival political hackers, leading such forums to limit participation to trusted and invited members only.5
The groups behind the information operations described above appear to be grassroots, civilian efforts, many of which disband quickly and or go through long periods of inactivity. Linking these operations to formal entities is challenging, as most of these groups leave few digital traces. Most groups use Facebook or hacker forums to publicize their activities, claim responsibility for attacks, and recruit followers. The SEA, which has its own website, is an exception.
The SEA’s domain name and web hosting subscriber can both be traced to the Syrian Computer Society (SCS), which was founded by President Bashar al-Assad in 1989 and is currently run by his brother. This information suggests the SEA enjoys at least tacit support of the Syrian regime.6 Investigating other information operations is more challenging, though some clues exist. For example, a YouTube video exists that shows a group of young people who claim to be the Libyan Electronic Army being lectured to by an officer of the Libyan military, who tells the group that their electronic activities come second in importance only to the military itself.7
Verifying attribution for attacks can also be problematic, particularly as some websites show more than one defacement message claimed by different groups at the same time. For example, the website of Egypt’s Social Justice Party, defaced in August 2013, showed two claims of responsibility on two different pages: one from the Yemeni Electronic Army, and another from a Moroccan group.
Arab Spring fallouts are likely to fuel more defacement campaigns, the scope of which is likely to increase as related social and religious contentions increasingly manifest themselves online. At the same time, the continued growth in both the quantity and quality of Arabic hacker forums is likely to produce more computerized activism and to increase the level of sophistication and potential damage of that activism. Though signs of government complicity in the current defacement campaigns are limited, it is possible that government agencies will exploit to their advantage non-state hacker groups as a proxy to hide state information operations behind anonymous grassroots activism, and to crowdsource antagonism against state opponents.