Operation Ababil began on September 18th, 2012 and continues to this day. It is the longest continuous cyber attack in history, consisting of multiple waves and phases that used a variety of DDoS attack types. The attacks were launched by the Cyber fighters of Izz Ad-Din Al Qassam, also known as the Qassam Cyber Fighters, in response to the anti-Islamic Innocence of Muslims video, denigrating the prophet Muhammad, released by controversial US pastor Terry Jones.
Phase I of the attack involved a particularly sophisticated server-based bot. It cleverly used the trusted cloud environments of financial institutions, including JP Morgan Chase, which negated the banks' ability to block the attacks with standard DDoS protection measures such as IP blocking or rate-limiting tools. Their targets also included the New York Stock Exchange. Several banks experienced disruptions to their online banking operations.
Following the major attack on US financial institutions, several newspapers and security experts questioned the idea that Islamic hacktivists were solely behind Operation Ababil. Akamai helped some of the banks fend off the massive attacks on their servers. Michael Smith, senior security evangelist at Akamai, said the bank servers were hit with up to 65 gigabits of traffic per second, approximately 60 times greater than the typical size of DDoS attacks run by hacktivists. “This isn’t consistent with what hacktivists are capable of,” Smith said, adding that it was more typical of a state actor (such as Iran).
Phase II was launched on December 10, 2012 and specifically targeted U.S. Bancorp, J.P. Morgan Chase, Bank of America, PNC Financial Services and SunTrust Bank. On January 29, 2013, the Qassam Cyber Fighters said they would cease this phase following the removal of the main copy of the video from YouTube, although in its announcement, the group identified additional copies still hosted on YouTube.
On February 12, 2013, they issued a warning stating that these copies should also be removed. Following a further warning and ultimatum, the Qassam Cyber Fighters announced the start of Phase III on their Pastebin page. Several of the financial institutions on their list reported website disruptions following the announcement.
Allegations of involvement by Iran were reported more widely with newspapers like The New York Times citing American officials who believed Ababil was the work of Iran, likely in retaliation for economic sanctions and online attacks by the US.
Operation Ababil used six different attack vectors. Two were volume-based DDoS attacks, such as TCP and UDP floods. Four were non-volume-based DDoS attacks: server cracking DDoS attacks, SSL DDoS attacks, SSL re-negotiation DDoS attacks and directed DDoS attacks (vulnerability-based DDoS). The non-volume-based attacks were able to pierce the ISP-based protection sets because the volume-based scrubbers could not handle all four of them.
Several cybersecurity firms, including Radware, Akamai and FireEye, worked to mitigate Operation Ababil, using a combination of mitigation techniques, including cloud scrubbing and on-premises scrubbing. Radware says that Operation Ababil continues to this day.