Op Ababil/Alababil Preliminary Analysis

Who is Al-Qassam?

http://hilf-ol-fozoul.blogspot.com/  The main site for the group behind the attacks, which takes their name (but no apparent affiliation) from the infamous Hamas military wing.

A quick image search for the logo reveals:




Hafsah is clearly the PR mover for the Op.  He/she also operates this account: https://plus.google.com/113762383593567428506/posts

Not much here; this is a bulletin board for propaganda, not a personal account.


“Hafsah” has a Facebook:


Hafsah’s Facebook avatar is stolen from a Kuwaiti fashion shoot. The profile is only a few months old, and most contacts are from the Indian Business School in Bahrain, with no profile interactions with anyone visible. A fake persona.

Most of the posts are hokey generic propaganda, consisting of Anti-Saudi and anti-western posts, with a sprinkling of anti-semitic garbage.

The Gplus account is much more active, and mirrors posts from the hilf-ol-fozoul site. It links to several other very fake-looking “Bahraini” profiles. The IBS connections are suspiciously missing, but they follow media outlets like Russia Today, Occupy media accts., and hundreds of random profiles. (Update: the profile has now hidden its follow list, so it looks like an improbably popular account.)

Hafsah doesn’t post much, and prefers to mirror posts from a couple other prominent accounts.  He/she prefers an account named “Bahrain.”

Nearly everyone in Bahrain’s gplus circle is Iranian:





https://plus.google.com/113907657257645765356/posts <<UK resident

https://plus.google.com/109786848372268454364/posts <<Note the emphasis on Motahari, anti-Israel slogans. Iranian state actors, anyone?

These accounts all appear to be entrenched pro-State accounts. While the faux Bahrain acct has countless pictures of riots and protests, there is a notable lack of accounts or images of the Iranian uprising protests.  There are several cartoons lampooning the anti-Iran protests as fake or American sponsored.  Oddly, many of these are presented in rage-comic format:


“Bahrain” links to an HTML-based malware DDoS tool:


Download page: http://www.herosh.com/download/10957090/youtube.zip.html <badware, click at your own risk.


The download originates with an Iranian, Marzi Mahdavi. Mahdavi’s Facebook appears to be real, and he/she posts in Farsi, mostly on religious topics.

Dancho’s analysis IDs the uploader of the YouTube LOIC as Mahdavi, as well.

Note: Dancho is also suspicious of the unreal appearance of these profiles, but suggests manipulation. Mahdavi seems to have a lot of interactions on Facebook, often with other Iranians. Clearly a real person, or at least an established persona.

Mahdavi’s friends are political, make a lot of comments regarding Shia clerics, etc. Examples: comments about Mehdi Hashemi, Azghadi, etc. Given the language barriers, I don’t have any ability to gauge sincerity or authenticity. These profiles do however contain real photos, travel photos, etc., and lack the artificial quality of the faux Bahraini profiles.

Mahdavi also has a consistent circle of friends on other platforms, such as scribd.

Also interesting:


Conclusion: this is definitely an Iranian operation, without a doubt. Also, curiously, these accounts do not appear to be hackers, and pro-Anonymous and pro-hacking groups are notably absent from the genuine Facebook groups/accounts, although they appear in increasing numbers moving through Google+ to Twitter. Finding a point of contact would be helpful, but requires LE involvement.


http://byshr.org/?cat=117 Some interesting westerners, these pics getting a lot of spread

http://digital-intifada.blogspot.com/ Bills itself as a “Partner site” to Qassam, Anonymous Palestine, etc. Leaves comments on the other blog.

This one links a Twitter site, Anonymous Palestine: https://twitter.com/AnonPal Some of the interactions are predictable:

https://twitter.com/lilithlela Significant, first follower when OpPalestine is baited. This is an alt-account for a well-known Anon.
https://twitter.com/indicahybrid (appears to be a site admin for Digital Intifadah)
https://twitter.com/AnonyOps (Neal. Not sure if significant, but he’s around all of these. Likewise, there is now an “Anonymiss” Pakistan, et al.)

http://www.youtube.com/watch?v=XmP1YOnXTYc&list=UUqeq_eUlwQIuOzvJUgs8z3Q&index=5 Anonyops.com produces slick “anonymous” style videos. This is notable because again we see promotion of the Bahrain revolution, but nothing whatsoever on the Iranian uprisings, which saw much more support from Anonymous, and comprised their first large post-Scientology operation. One of the more recent videos on the account is “Op Israel.” There are no mentions of Iran or the Green Revolution on this account.


HSBC upset

