F-Secure: Be Sure
F-Secure Logo - Be Sure
Select local site

Privacy Policy
Contact Us

Iraq War and Information Security       Finnish version

28th of March, 2003 (last update 5:30 PM EET)

The war in Iraq has several indirect effects to public data networks. These effects are not caused by the possible network warfare campaigns launched by US or Iraq armies, but by independent hackers who want to get their own message across.

These hackers can be divided to three groups:

  • US-based patriotic hackers, who want to join the war against Iraq but have no others means to do it except by attacking the virtual enemy through networks. This might mean launching a distributed denial-of-service attack against the e-mail server of Iraqi embassy or web sites of Iraqi companies.
  • Islamic extremist groups from around to world who are trying to fight back to the perceived enemy by launching attacks against US sites and especially .mil websites.
  • Peace activists who are not for USA or for Iraq but just against the war. For example, we've seen several computer viruses released which carry an anti-war message or are trying to use the situation otherwise for their own advantage.

  Viruses related to Iraq
  • Lioten, found December 17th, 2002
    Lioten, also known as Iraq_Oil, is a Windows network worm spreading through shared folders. The worm spreads using a file called iraq_oil.exe. For more information see the virus description.
  • Prune, found March 12th, 2003
    The Prune virus uses a war-related subject and attachment name to trick users to execute a file. This may be a very effective strategy, according to reports from US. Relatives to soldiers serving in the war are very keen to get any kind of information about the crisis. For more information see the virus description.
  • Ganda, found March 17th, 2003
    Ganda is an e-mail worm that uses a strategy similar to Prune. It replicates using mail messages with varying subjects and contents. Several of the alternative messages are directly related to the war. Ganda seems to be a protest against the Swedish school system rather than an anti-war protest. It just uses the public interest in the war to boost replication. For more information see the virus description.
  • Vote.D, original Vote found September 24th, 2001
    The first version of the Vote virus was released after the WTC terrorist strike September 11th 2001. It used the media hype to trick users into executing an e-mail attachment. A new version, Vote.D, was released during the Iraq war. The message used by the new version still refers to WTC and to the war. But the subjects are somewhat related and the new version may have been made as a war-related protest. For more information see the virus description.

Case Melhacker
Melhacker is a Malaysian virus writer who has released several viruses, including Nedal (Laden backwards) and Blebla. Melhacker gave an interview for the US-based Computerworld Magazine in November 2002. In the interview he described a new virus he's written, known as Scezda: "I will attack or launch this worm if America attacks Iraq. The worm has been ready and fully tested since August."

Wednesday, March 26th
The Swedish police is questioning a person that is suspected for writing and spreading the Ganda virus. The suspect is living in Härnösand and he has confessed the crime, according to the police.

  Denial of service attacks

Monday, March 24th
The British Prime Minister Tony Blair’s site at www.number-10.gov.uk was apparently attacked using DDoS (Distributed Denial of Service) during Sunday. The site was inaccessible for a short time, according to reports. There are also rumors about defacements of this site. These rumors are most likely not reliable.

Tuesday, March 25th
Qatar-based TV station Al-Jazeera (www.aljazeera.net) released pictures of war prisoners and received a very high number of hits. One of Al-Jazeera's spokesmen suspected that a distributed denial of service attack (DDoS) was conducted against their site. The server was inaccessible from Monday to early Tuesday. The attack cannot be confirmed and the service disruption may simply be caused by a high number of ordinary users.

Friday, March 28th
Hackers have hit the Qatar-based news network Al-Jazeera hard. Their sites have been unavailable for long periods and also the target for defacement attacks, see the defacement gallery for a screenshot. Many reports blame the disruptions on denial of service attacks. Al-Jazeera is a natural target for US patriotic hackers after releasing pictures of American prisoners of war in Iraq. Al-Jazeera is probably at this moment the organisation that has had most trouble because of war-related hacking.

  Defacements related to situation in Iraq

Thursday, March 20th
The number of web defacement is clearly rising because of the Iraq war. Hackers use defacing as a protest against USA, Iraq or the war in general. Several hundreds of clearly war-related defacements have been reported during 48 h preceding the attack on Iraq. War-related protests stand for the majority of all reported defacements.

Friday, March 21st
The number of hacked sites during Friday, March 21st, has been constantly increasing. The reporting systems have problems dealing with the load and the number of hacked sites can only be estimated. It's clear that over 1000 sites have been defaced between midnight and 3:00 PM EET. The actual number is probably much higher and keeps increasing.

Saturday, March 22nd
The rate of web defacements was still high on Saturday, March 22nd. Further, it was still impossible to give reliable numbers as the reporting systems are heavily overloaded and all reports can't be verified. Sources that watch the hacker community closely are talking about around 2500 reports per day. Sites related to the American military have, as expected, been subject to attack. But the increased hacking activity is not limited to the nations directly involved in the war. Sites in any country can be subject to attack as the hackers seek maximum publicity for their protest.

Sunday, March 23rd
The rate of reported defacements is still high and the reporting systems are finally starting to catch up. However, it is clear that many defacements remain unreported because of the overloaded system. One hacker group claims that they have defaced 3000 sites in addition to the verified statistics. A majority of the defacers seem to resist USA or the war in general. A smaller number of groups spread pro-US or anti-Iraq material.

US authorities, especially military organizations, are naturally a common target in this situation. The number of verified defacements of such organizations is however rather low. These organizations could easily predict a high rate of attacks and pay attention to security issues before the war. Administrators of these sites have also blocked access from organizations that are known to confirm defacement attacks. This means that many successful defacements of US sites may remain unconfirmed. One hacker group claims that they have defaced www.whitehouse.gov successfully. The site was apparently restored very quickly and independent observers were not able to confirm this defacement.

Monday, March 24th
The rate of new defacement reports remains high. However, it is clear that the actual number of defacements is much higher than the reported figures. The slow reporting system and the fact that many sites are restored before the defacement can be verified causes this. The number of reports and confirmed defacements do however clearly show that the hacking activity has increased significantly. Almost 10,000 defacements have been reported or confirmed during the past week and it is clear that the actual number is much higher.

Tuesday, March 25th
Zone-h, currently the best tracking system for defacement activities, has been down for more than 12 hours during March 25th. This makes it impossible to get reliable data for this date. However, the system has been up some time during the day and there are no signs of decreasing activity.

A clear trend is that the hacking groups select their targets using systematic methods. Whole domains are scanned and several vulnerable hosts in the domain tend to be hacked at the same time. Other domains remain unattacked, at least for the moment. But, there is naturally no guarantee that they will remain untouched forever. The hackers may attack any site to spread their message, regardless of nationality or religion.

Friday, March 28th
Defacement archive Zone-h is again accessible after long outages during Tuesday – Thursday. The rate of defacement reports is still high. Zone-h currently receives several reports every minute. The number of confirmed defacements during Friday exceeds 1500 already at 4 PM. The total number of defacements since the beginning of the war is however hard to estimate due to the long service disruption.

Graph 1. Defacements during weeks 10 – 12

  Examples of Iraq-related web defacements

(Note: Some of the screenshots are from Zone-h’s defacement archive. Please, click on the image to view it in a larger size)

A hacker group claims, according to ZATAZ.COM, that they have defaced www.whitehouse.gov. The site was apparently restored very quickly and independent observers were not able to confirm this defacement report (view ZATAZ’s screenshot on the left).


Subscribe to Press Release Mailing Lists
Media Inquiries
Information for media inquiries and technical interviews

  Top Threats