‘One need not destroy one’s enemy. One need only destroy his willingness to engage.’ – Sun Tzu
When I post links to news articles via my Twitter, I often get asked about a previous operation I conducted in March 2011. The op in question has been reported on by numerous 3rd parties, but I have never openly mentioned it. So folks, understand that unless there is a ‘watermark’ or ‘other identifying feature’ inside a news article I link to – it is genuine, straight from the source site.
If you are not quite sure WTF I am talking about, here’s what Mr Anthony M Freed had to say about it at the time.
This portion of this post is cross-posted from InfosecIsland.com
It appears as if the patriot hacker known as The Jester (th3j35t3r) may have embarked on his own psyops campaign aimed at breaking the spirit of the troops loyal to Libyan strongman Muammar Gaddafi.
On Thursday, March 28, The Jester tweeted three “bit.ly” links to articles reporting that Gaddafi’s troops were suffering from low morale and are deserting their posts.
Two of the links take readers to what appear to be articles in The Tripoli Post, and the third link leads to what appears to be an article in The Malta Independent Online. Here is a screenshot of The Jester’s Tweets:
Having followed The Jester’s activities for more than a year now, these three tweets struck me as being out of the ordinary. Aside from his recent effort to keep multiple websites of the controversial Westboro Baptist Church down and the attacks on the WikiLeaks website late last year, The Jester mainly sticks to intermittent attacks against various militant-jihadi websites.
For the most part, The Jester keeps his Twitter messaging simple and mission-specific, usually limiting them to announcements that he has targeted a pro-jihadi website with his XerXeS denial of service tool.
Occasionally The Jester will issue a tweet in response to the constant barrage of heckling he receives from a litany of detractors, and sometimes he will post a message to warn his equally fervent followers to be wary of the multiple “Jester” imposters that have popped up over the last year. But these three tweets stand out among all the rest, and so sparked my curiosity.
Upon closer examination, I noticed the articles in question were not listed among the others on the main pages of their respective publications, and they also did not appear in the archives. By dragging my cursor over part of the article in an effort to highlight a paragraph, I noticed that the entire text was being displayed as an image, unlike other articles from the same publications. Further examination revealed a big surprise – the articles in question had a very faint watermark of The Jester’s trademark harlequin icon behind the text of the first paragraph.
I immediately took screenshots of all three articles. The harlequin watermark is most clearly visible in The Malta Independent Online article.
Click on the following images to view them on Flickr, then view the images at an extreme angle (as in tilt your screen) to reveal The Jester’s calling card:
Update: We have added some enhanced images below the screenshots that clearly show the watermark.
(Screenshot above – enhanced image below to show watermark)
the Tripoli Post
(Screenshot above – enhanced image below to show watermark)
To view the original images, go directly to The Jester’s Twitter page and click on the links as tweeted (before they disappear).
After finding the watermarks, I contacted a more technically knowledgeable colleague to get their opinion on the discovery. I copy/pasted the links and sent them via instant message. When my colleague clicked on the links, they did not lead to the articles in question, but instead called up the main pages of the publications.
I directed them to go to The Jester’s Twitter page and click the links contained in the tweets, which in turn did reveal the watermarked postings. My colleague surmised that The Jester was injecting the code for an image of the fabricated articles using “bit.ly” links and Twitter as vehicles for the task.
My colleague, who preferred to remain unnamed in this article, concluded that The Jester was performing some kind of “a bit.ly-obfuscated intermediary-based code injection, probably because the target websites (Tripoli Post and Malta Independent) don’t parse ‘get’ requests. It looks like it was just a quick workaround.”
Update: Michael Menefee, Founder of Infosec Island, did some technical analysis and offers an explanation of the “non-persistent injection” technique The Jester is using:
The Jester’s Twitter account has a link to a bit.ly URL which redirects to http://newsportal.tekcities.com/malta.php. The source code of that page is:
This is basically an automatic redirect to The Malta Independent Online, injecting the image as a search query, which gets returned as a result.
The image is only slightly visible on this one: http://tripolipost.tekcities.com/index3.php (another of his bit.ly requests) with roughly the same source code to facilitate an injection:
Understanding “how” is one thing, but we still need to know “why”. I sent a message to The Jester letting him know I was writing an article on the discovery, and gave him the opportunity to offer his own explanation. Given that I have not received a reply as of yet, I can only speculate as to The Jester’s motivation for the operation and what is intended to be accomplished.
Having conducted several interviews with the hacktivist, and spent dozens of hours in IM chats, I would venture to say that his motivation probably stems from his patriotism and oft expressed concern for the lives of European and American military personnel who may be put in harm’s way if the conflict in Libya persists.
Based on the contents of the planted articles, it seems the operation is intended to simply erode the morale of the Gaddafi loyalists and inspire some to either desert their posts or defect and join the opposition.
Only the Jester can tell us for sure. But one thing is for certain, The Jester continues to evolve in both his interests and his tactics, and has proven once again he is more than just a “one trick pony”.
Cross-posted from InfosecIsland.com
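The “non-persistent injection” in the InfosecIsland analysis above works only if the news site's search page echoes the search query back into its HTML without output encoding. As an added example (not code from the article, the sites involved or The Jester), the sketch below contrasts an unencoded search-results renderer with an encoded one and flags request URLs whose query decodes to markup; the parameter name `q`, the function names and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example with constructed data; not the source of either news site.
// Assumption: the search page echoes a query parameter named "q".

// Encode the five characters that let text break out into markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before": the query is concatenated into the page as-is, so a tag inside it
// is parsed by the visitor's browser as part of the site's own page.
function renderResultsUnsafe(query) {
  return `<h1>Search results for ${query}</h1><p>No articles found.</p>`;
}

// "After": the query is output-encoded and is displayed as literal text.
function renderResultsSafe(query) {
  return `<h1>Search results for ${escapeHtml(query)}</h1><p>No articles found.</p>`;
}

// Detection: flag requested URLs whose "q" value decodes to an HTML tag.
function flagMarkupInQuery(requestUrls) {
  return requestUrls.filter((raw) => {
    const q = new URL(raw, 'https://news.example').searchParams.get('q') || '';
    return /<\s*\/?\s*[a-z][^>]*>/i.test(q);
  });
}

// Constructed sample input: an image tag supplied as the search term, plus
// two ordinary searches (one containing a bare "<" that is not a tag).
const injected = '<img src="https://cdn.example/fake-article.png">';
const sampleRequests = [
  '/search?q=libya+ceasefire',
  '/search?q=' + encodeURIComponent(injected),
  '/search?q=price+%3C+100',
];

console.log('unsafe page contains live <img>:', renderResultsUnsafe(injected).includes('<img'));
console.log('safe page contains live <img>:  ', renderResultsSafe(injected).includes('<img'));
console.log('flagged requests:', flagMarkupInQuery(sampleRequests));
```

Because the injected content never reaches the site's database, it appears only in responses to the crafted request, so web server access logs are the place to look for it.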
…..Later came a response from a commentator known as Render64 – here’s a link
Cross-posted from Render64’s Blog
Now let’s take a look at some modern military history. Specifically the Libyan revolution of 2012. (yeah, yeah, I know, it’s another Wikipedia link, like the others, it’ll have to do until the official history gets written) – We’re going to pay special attention to the events between March 7th and March 19th (the arrival of the first NATO air support).
Sometime on or around March 7th, the U.S. patriot hacker known as The Jester unleashed this little bit of military grade psy-ops.
Col. Qaddafi’s military was just like that of almost every other third-world dictatorship, in that military units that had the size and potential of overthrowing the dictatorship (armored, combat aircraft, artillery, foreign mercenaries), were almost always commanded by family members or close inner circle friends, whose own military expertise and capabilities are quite irrelevant when compared to their loyalty to the dictatorship. Jester’s little psy-ops wouldn’t affect those leaders themselves, but it seems that it very much did cause Col. Qaddafi to question the loyalty of at least some of the Libyan military units not commanded by family or close friends. It may also have contributed to the decision making of at least some of the handful of Libyan military officers who actually did defect during this same time frame.
Whatever the actual effects of Jester’s operation were at the time are unknown for now. What is known is that while Western governments were dithering, other third world dictatorships were backing Qaddafi, and factions of Anonymous were attacking NATO, almost nobody else did anything to help the Libyan rebels for as much as two almost crucial weeks.
Some further reading on this and slightly related subjects can be found in my own March of 2011 timeline (ayup, there is even a Scot Terbin linkie found in that month). Specifically this post, this post, this post, and this post.
Yes onliners, this means in other words, that The Jester trolled and pwned Col Qaddafi.
Is The Jester’s most recent Saladin project just more psy-ops or not? I don’t have the answer for that and as far as I know that answer can come from only one source, The Jester himself. What I do know is that like almost all such military and military related psy-ops programs and operations (even those run by civilians), it clearly has a specific target and strongly appears to have a limited operational time frame. This last is, of course, assuming that The Jester’s detractors are correct about the details of Jester’s Saladin operation that they claim to have revealed, to the world, and most importantly, to the known targets of Saladin.
Let’s pose a hypothetical what-if here:
Let’s pretend, just for the moment, that The Jester is actually a small and very black US military intelligence project, designed to disrupt Islamic terrorist communications (among others).
If that is the case, (and it is extremely unlikely, but not entirely impossible), then The Jester’s detractors would have interfered with an ongoing US military operation, in a time of war. It wouldn’t rise to the occasion of outright treason, but it would be somewhat similar to the actions of US East Coast city mayors in early 1942 refusing to shut down their cities’ lights at night, even though those lights made it easier for Nazi subs to spot unarmed cargo ships off the US East Coast.
Pretending that the jihadi terrorist groups don’t know who The Jester is and what he does won’t work for his detractors. Neither will pretending that the jihadi terrorist groups don’t have their own hackers, either as members or allies.
And assuming either of the above is just dumb at this point.
As I mentioned at the top of this post, the reason I have chosen to speak of this incident is to lay to rest some of the suspicions folks have had when reading news articles that I post out via Twitter. The simple fact is that if I injected the story, I will leave a ‘calling card’ inside it. Or maybe…..this is a triple bluff, no calling card = no Jester???
Ahhhh…. the mindfuck of it all……