Op Ababil/Alababil Preliminary Analysis

Note: these reports summarize the findings of the Bloodhounds research project.  Leave a comment if interested in our research, or to volunteer, or to see other collected materials.


 

Who is Al-Qassam?

http://hilf-ol-fozoul.blogspot.com/  The main site for the group behind the attacks, which takes its name (but no apparent affiliation) from the infamous Hamas military wing.

A quick image search for the logo reveals:

https://plus.google.com/109097962477129099296/posts

and:

https://plus.google.com/115110198165460649173/posts

Hafsah is clearly the PR mover for the Op.  He/she also operates this account: https://plus.google.com/113762383593567428506/posts

Not much here; this is a bulletin board for propaganda, not a personal account.

Hafsah

“Hafsah” has a Facebook profile:

https://www.facebook.com/hafsah.allshari

Hafsah’s Facebook avatar is stolen from a Kuwaiti fashion shoot. The profile is only a few months old, and most contacts are from the Indian Business School in Bahrain, with no profile interactions with anyone visible.  A fake persona.

Most of the posts are hokey generic propaganda, consisting of anti-Saudi and anti-Western posts, with a sprinkling of antisemitic garbage.

The Gplus account is much more active, and mirrors posts from the hilf-ol-fozoul site. It links to several other very fake-looking “Bahraini” profiles. The IBS connections are suspiciously missing, but they follow media outlets like Russia Today, Occupy media accts., and hundreds of random profiles. (Update: the profile has now hidden its follow list, so it looks like an improbably popular account.)

Hafsah doesn’t post much, and prefers to mirror posts from a couple other prominent accounts.  He/she prefers an account named “Bahrain.”

Nearly everyone in Bahrain’s gplus circle is Iranian:

https://plus.google.com/103682825379565976246

https://plus.google.com/113907657257645765356/posts

https://plus.google.com/113647627337209493920/posts

https://plus.google.com/108197389732067064704/posts

https://plus.google.com/113907657257645765356/posts <<UK resident

https://plus.google.com/109786848372268454364/posts <<Note the emphasis on Motahari, anti-Israel slogans. Iranian state actors, anyone?

These accounts all appear to be entrenched pro-State accounts. While the faux Bahrain acct has countless pictures of riots and protests, there is a notable lack of accounts or images of the Iranian uprising protests.  There are several cartoons lampooning the anti-Iran protests as fake or American sponsored.  Oddly, many of these are presented in rage-comic format:

“Bahrain” links to an HTML-based malware DDoS tool:

https://plus.google.com/113762383593567428506/posts

Download page: http://www.herosh.com/download/10957090/youtube.zip.html (badware, click at your own risk)

 

The download originates with an Iranian, Marzi Mahdavi. Mahdavi’s Facebook appears to be real, and he/she posts in Farsi, mostly on religious topics.

Dancho’s analysis IDs the uploader of the YouTube LOIC as Mahdavi, as well.

Note: Dancho is also suspicious of the unreal appearance of these profiles, but suggests manipulation.  Mahdavi seems to have a lot of interactions on Facebook, often with other Iranians.  Clearly a real person, or at least an established persona.

Mahdavi’s friends are political and make a lot of comments regarding Shia clerics, etc.  Examples: comments about Mehdi Hashemi, Azghadi, etc.  Given the language barriers, I don’t have any ability to gauge sincerity or authenticity.  These profiles do, however, contain real photos, travel photos, etc., and lack the artificial quality of the faux Bahraini profiles.

Mahdavi also has a consistent circle of friends on other platforms, such as Scribd.

Also interesting:

http://www.thenational.ae/business/banking/iranian-business-leader-takes-uae-banks-to-task

Conclusion: this is definitely an Iranian operation, without a doubt.  Also, curiously, these accounts do not appear to be hackers, and pro-Anonymous and pro-hacking groups are notably absent from the genuine Facebook groups/accounts, although they appear in increasing numbers moving through Google+ to Twitter.  Finding a point of contact would be helpful, but requires LE involvement.

Links:

http://byshr.org/?cat=117 Some interesting westerners, these pics getting a lot of spread

http://digital-intifada.blogspot.com/ Bills itself as a “Partner site” to Qassam, Anonymous Palestine, etc. Leaves comments on the other blog.

This one links a Twitter account, Anonymous Palestine: https://twitter.com/AnonPal Some of the interactions are predictable:

http://lilithlela.cyberguerrilla.org/
https://twitter.com/AymanSkul13yes
https://twitter.com/lilithlela Significant, first follower when OpPalestine is baited.  This is an alt-account for a well-known Anon.
https://twitter.com/indicahybrid (appears to be a site admin for Digital Intifadah)
https://twitter.com/AnonyOps (Neal.  Not sure if significant, but he’s around all of these.  Likewise, there is now an “Anonymiss” Pakistan, et al.)

http://www.youtube.com/watch?v=XmP1YOnXTYc&list=UUqeq_eUlwQIuOzvJUgs8z3Q&index=5 Anonyops.com produces slick “anonymous” style videos. This is notable because again we see promotion of the Bahrain revolution, but nothing whatsoever on the Iranian uprisings, which saw much more support from Anonymous, and comprised their first large post-Scientology operation. One of the more recent videos on the account is “Op Israel.” There are no mentions of Iran or the Green Revolution on this account.
 

 

HSBC upset
