Malicious Life Podcast: The Jester - Hacktivist for Good Transcript
On March 5th, 2012, one of the strangest cyber attacks in history took place – on Twitter. But some people claim it never really happened.
Here are the facts. A hacker who identifies as The Jester, known for claiming responsibility for attacks on anti-American targets, replaced his usual Twitter profile image – a drawing of a harlequin- with a QR code. Anyone who foolishly scanned the code, fell into a trap.
A few days after the attack, The Jester announced that he syphoned all the data on the mobile devices that scanned his QR code. If the information belonged to one of the “bad guys” – that’s how The Jester refers to his enemies – it was presumably sent to the FBI.
But the funny thing about this QR code attack, is that we don’t have any proof that it actually happened. For all we know, it could have been just a well told story, nothing more. In fact, The Jester himself didn’t seem interested in proving that he ever broke into anything using that QR code.
So, What happened on March 5th, 2012? Was it an actual attack, or simply a PR stunt?…
The Jester Appears
The Jester is a Hacktivist: a hacker with a political agenda. Most hacktivists are anti-government – like Chlsea Manning or Julian Assange, whose stories we covered in episode 10 of Malicious Life – or even just plain anarchists. The Jester, however, is an example, and probably the most famous one, of a patriotic, pro-American hacktivist.
As you may recall, 2009 was a very intense year for the U.S. army troops fighting in Afghanistan. In December 2009, the Taliban attacked Forward Operating Base Chapman, 2 miles east of the city of Khost in Afghanistan. The attack resulted in the deaths of at least 6 CIA officers. On January 1st, 2010, a Taliban’s website – alemarah.info – was taken down. A short time later, the Jester made his entrance on the hacktivism scene, and claimed responsibility for the toppled site. A myth was born.
“[Anthony] His original goal, he was developing a tool to help test and harden servers. And then when he became aware that jihadists were using public websites to hide information, to share information covertly and stuff. He identified a lot of these communications channels that they were using, and then would use that Xerxes denial-of-service tool to take them down intermittently. So I think he basically had it set up so they didn’t know when the site was going to go down or for how long, and so he was kind of creating an uncertainty, whether or not they can rely on these clandestine means of communications. And he was hoping to disrupt some of their operations. I don’t know how successful that was, but that’s where it started.”
That’s Anthony Freed. You may not have heard about him – but he plays an important role in the production of this podcast behind the scenes, since he is the Sr. Director of Corporate communications at Cybereason – our sponsor. Back in 2010, Anthony was a security journalist – and he is also one of the very few people who actually got to interview the Jester on several occasions.
“[Anthony] I think it was back in 2009-2010, a friend of mine Richard had run across one of jesters very early tweets and had engaged in a conversation with him and did a little blog post. I saw that and I was really interested so I reached out to him as well and we were having a series of IRC chats. We’d spend hours looking over things that he was looking at and interested in and I just had a couple blog posts. I thought it was just kind of an interesting story, it gave me a chance to coin the term Patriot Hacker and I just said it’s kind of…you know, it was a fun thing to be covered for the blog.”
Later that year, The Jester started a WordPress blog called “Jester’s Court”. In the “About” page he described himself as (quote): “Hacktivist for good. Obstructing the lines of communication for terrorists, sympathizers, fixers, facilitators, oppressive regimes and other general bad guys.” He also said he’s somewhere between the ages of 31 and 49. We can add 10 more years to that now.
In the following months, according to his own accounts, The Jester claimed responsibility for several high profile attacks.
“[Anthony] He took down several websites for group called Westboro Baptist Church, who are terrible, terrible people. They would go protest at soldier’s funerals, but what they were protesting…they were homophobic, so they’ve been holding up signs like “God Hates Fags” and just horrible stuff, and I can’t imagine the families and friends of these fallen soldiers, who had nothing to do with each other. But things like that really irks Jester.”
The Jester also attacked members of the LulzSec hacker group, as a retaliation for them taking down the CIA website, and he reported targeting Ecuadorian government sites, including the countries’ stock exchange, as a way to warn it against giving diplomatic shelter to NSA leaker, Edward Snowden.
“[Anthony] It was sometime around November of 2010 that I woke up one Sunday, and went to do some of my normal….it was November 10th 2010. And I checked the blog traffic and it was just like all of a sudden we were doing like 50,000 hits, and it was like eight in the morning on a Sunday! and I’m like – what is going on, you know? and, well, apparently Jester had taken down the Wikileaks site after Wikileaks had posted the a stolen US state department cables.”
“[Anthony] And I’m looking in my inbox and every major news Outlet from the US through Europe was trying to contact me, because I’ve been the one who’d at that point done about four or five interviews with him.
In 2016, he defaced a website belonging to the Russian Foreign Affairs Office, accusing the Russians of being responsible for the large DDoS attack on Dyn, a large DNS provider. In a message posted on the website, he insulted the Russian government – calling them F**kers – and wrote, quote:
“First that whole Wikileaks thing, then Snowden, after that all the politically motivated hacking, then you snuggled up with Trump and are openly and actively trying to influence another nation’s elections. And now you or your proxy buddies are hammering the Dyn DNS provider with a Yuge [sic] DDoS Attack, causing all manner of problems. […] so knock it off. You may be able to push around nations around you, but this is America. Nobody is impressed. […] I’m Jester, and I approve this message.”
As can be expected, the story was picked up by CNN, Fox News and many more media outlets worldwide, making the Jester even more famous. So famous, in fact, that his laptop is now on display at the International Spy Museum in Washington, DC.
The Jester’s success, in large part, is due to his Social Media skills. Take, for example, a typical operation from 2014. The Jester sent the following Twitter public message to GloboTech Communications, a Canadian hosting company:
“You are hosting fajer.info […] which provides material support (inc mobile apps) to #ISIS terrorists. On the same server you host 29 other websites.”
A few hours later, he posted another, more threatening message:
“I respectfully urge u to review my last 2 tweets. U should take action, or if you prefer, I can. #30mins #TickTock”
And indeed, 30 minutes later, fajer.info was knocked offline.
Another example of The Jester’s flair for psychological warfare is this hack from 2011. That year, armies from all around the globe, including the U.S, were conducting a war against Muammer Gaddafi’s forces in Libya. In a series of tweets, The Jester sent his followers to the pages of two websites, connected with the Libyan government: The Malta Independent Online and the Tripoli Post.
When readers reached these pages, they discovered news articles that seemed very much out of line with the rest of Kaddafi’s propaganda. Among other things, the pieces reported a decrease in troop morale among fighters loyal to Muammar Gaddafi, and incidents of soldiers abandoning their posts and fleeing. Clearly, the articles were forged, and were part of some psychological warfare attempt against Kaddafi’s forces. But that wasn’t necessarily the fun part.
Anthony Freed was chatting with the Jester, in real time, on an IRC channel, and The Jester kept insisting that Anthony should look at the website ‘from a different angle’. Anthony couldn’t figure out what the Jester was hinting at. But then..
“[Anthony] I swear, I spent hours trying to look at this at a different angle and everything. And at one point, I stood up for my desk, stretching and stuff, and I leaned the screen back on my laptop, and I caught a faint faint Watermark. And as I tilted more and more and more, I could see the Jester’s icon in watermark over the entire iFrame.”
Yup, each forged article was actually an image, with a watermark of The Jester at the background. It was an exercise in patriotic hacking, combined with a prank. The Jester’s unique tradition of having fun, playing games, while terrorizing his targets, was beginning to take shape.
There’s no doubt The Jester fully understood his fans. He knew what makes them tick, and realized he’s becoming a Superhero: Captain America with a keyboard.
So, what information do we have on the Jester’s real identity? According to The Jester’s own testimony, he is a former soldier who served in Afghanistan and elsewhere. He also confessed to being an airborne frontline combat trooper, twice.
Over the years, various attempts were made to find out exactly where he served, and whether his claims about his army service add up. One hypothesis was that he was part of the 75th Ranger Regiment, which operated both in Afghanistan and Iraq. The Jester never denied it. One thing is sure, though: in his tweets, when announcing that an anti-American website was taken down, The Jester often uses military jargon. “Tango Down”, for instance – a military expression that indicates a target had been successfully hit, and “Hooah”, a battle cry used by soldiers in the U.S. Army.
Which brings us to an interesting and perhaps troubling point. Anyone can shout “Hooah” or “Tango Down” on twitter, even if they’ve never seen a gun in their life. It’s a great way to make us believe there’s a real ex-soldier there who’s still into military lingo – but it doesn’t prove there is one.
In fact, it seems we can extend this line of thought to almost everything the Jester ever did.
For example, according to his own reports, the main weapon the Jester was using, during the early years of the 2010’s, was a tool called XerXeS, after XerXes the Great, the fourth King of Kings of the Achaemenid Empire, ruling in the 5th century BC, and mostly known for his massive invasion of Greece.
The modern day XerXeS is a software for performing Denial of Service (DoS) attacks – not to be confused with the much more prevalent Distributed Denial of Service attacks, with double D (DDoS). With it, you can perform a DoS attack without an army of bots: using only a single machine – a simple, off-the-shelf laptop, you can eliminate Greece! Sorry, a Jihadist website.
In one of his interviews with Anthony Freed, the Jester described XerXeS’ modus operandi:
“Once a single attacking machine running XerXeS has smacked down a box, it’s down, there’s no need for thousands of machines. […] Many people worry about the nodes between me and the target, This technique affects nobody but the intended target. All intermediaries remain unaffected. ”
It’s worth noting that the Jester did live demos of XerXes, taking down targeted websites such as Mahmoud Ahmadinejad’s website – then president of Iran.
“[Anthony] But no one was ever able to recreate the effect that he had,[…] You know, a lot of this is what he told me. I don’t have the technical capability to verify a lot of this stuff.”
So websites were definitely taken down, no doubt about that – but what proof do we have that the Jester was the one who really did it?… and there are those who claim that XerXes is nothing but an existing script that the Jester found online – and merely added a fancy GUI to.
It wasn’t the first thing that made some experts wonder about The Jester’s extraordinary capabilities, and whether they’re real or not.
The Russian Foreign Affairs Website Hack Revisited
Let’s have a second look at the 2016 hack of the Foreign Affairs Office website. One would assume that hacking a webserver – especially one hosting an official government website – would require substantial technical skills. But that assumption would rely on your definition of ‘hacking’.
In his Tweet announcing the hack, the Jester posted a link to the Foreign Affairs website, and invited his followers to click on that link to visit the hacked website. Except that the link he posted wasn’t the URL of the actual Foreign Affairs website: it was a link created by a URL shortener service. That is, it wasn’t something like www.foreignaffairs.ru – but rather a URL starting with bit.ly, followed by a string of random characters. When clicked, that bit.ly link was converted by the URL shortening service into a new URL that included the original Foreign Affairs website’s web address – plus some extra information provided by the Jester.
Apparently, The Jester found a weakness in the Foreign Affairs website: a Cross Site Scripting vulnerability. A XSS vulnerability allows an attacker to inject malicious code into a website, and so influence how that website is rendered on the user’s browser. In this case, it is the ‘extra information’ provided in the bit.ly link that is injected into the Foreign Affairs website, and forces it to display the Jester’s message.
Note a crucial point in this description: if someone was to browse directly to the said website – by clicking on a Google search result or even by typing www.foreignaffairs.ru into their browser’s address bar – nothing would happen. Only by clicking on the Jester’s own modified bit.ly link, would the offending message be displayed on the user’s screen.
Which begs the question: who did the Jester actually hack? I mean, it’s obvious that the website did have a vulnerability, and that the Jester did exploit it – but since the hack only works for someone who clicked the link posted on the Jester’s Twitter feed, there’s an argument to be made that it’s actually a Social Engineering attack, targeting the Jester’s followers… and even if we agree to define the attack as a bonafide ‘hack’, it’s quite obviously a very simple one that almost any script-kiddie could pull off.
In fact, the Jester himself said almost the same thing, in a post he published on his blog following the attack:
“It’s not rocket salad, but it is simple and effective. […] Now any security researcher who dissects this ‘attack’ will be able to tell you that while it was a valid exploitation of an XSS vulnerability, the target site was in no way damaged or breached. No credentials were stolen or cracked, and nothing was taken from, or put into the back-end database. In effect, no harm, no foul. Because who wants to spend the next 70 years in a Siberian gulag? Not fuckin’ me, that’s who. This was the cyber equivalent of driving by the Rooskie Embassy and flipping them the bird. […]
My end-game for this ‘episode’ was to draw fire from the RUSSIAN ‘cyber-machine of destruction’ (as they refer to it) in order to collect intel on their latest Tools, Techniques and Procedures.”
Apparently, many of the Jester’s “hacks” were such simple yet effective mind games. For example, in at least one case it was discovered that a long list of Jihadist websites the Jester claimed to take down – were actually old websites whose domain registration had already expired. Basically, it’s like saying you killed someone – when in reality, they died of old age…
Ars-Technica’s Sean Gallagher summed up the Jester’s history succinctly:
“If you are at all familiar with The Jester, you will know that this isn’t the first time he’s used Internet sleight-of-hand for propaganda and other purposes. In the past, he used web address shortener services and cross-site scripting to create the illusion that he had altered articles on the websites of the Malta Independent Online and the Tripoli Post. He’s also used various other tricks to mess with the minds of would-be Anonymous members.”
An Intelligence Operation?
So, there’s a real possibility that the Jester is not some ‘Uber’ hacker terrorizing bad guys – but a very effective internet troll, playing tricks on his followers on Social Media.
And there’s another possibility. For some of his alleged offensive actions, for instance, there was also a need for a relatively strong understanding of foreign languages, particularly Arabic. If the Jester was, as he claims, stationed in the Middle East for long periods – he may have picked the local language… but unless his work required that he learn Arabic, this is highly unlikely. After all, I lived in the Middle East for all my life – and I still can’t speak Arabic, apart from some pretty juicy profanities…
In recent years, ground breaking improvements in machine translation systems, like Google translate, can help one decipher languages he or she knows very little about. But a decade ago, that wasn’t the case, especially with regard to a language like Arabic, which is still a challenge for machine translation.
So, is The Jester a cyber genius and a polyglot – or maybe he was helped, at least for a while, by someone with relevant knowledge?
It’s clear now why some people claim that The Jester is nothing but a front for an ongoing American Intelligence operation, and if there really is a real person behind the Twitter profile pic – he’s working closely in cooperation with the army.
In any case, it is certain that we’re talking here about a person, or a group, with some very impressive skills: be it technical skills, or social engineering skills. A kind of cyber MacGyver.
Back To the QR Code Attack
Then came the QR code attack. The epitome of this play between real hacks and invented stories. What exactly happened there?
Obviously, The Jester was not the first hacker to understand the potential risk from QR codes. QR codes – the two dimensional black-and-white bar codes that we can often find on ads, packages, and print publications – are there in order to conveniently take you, with your smartphone or any other scanning device, to a website. It usually happens for promotional purposes, helping you get coupons or special offers. A single QR code can store more than 4000 characters. In most cases, they’re used to represent a URL, and by that, becoming a link between the physical world and the virtual world. A tunnel.
However, since we, as human beings, are not able to decipher the inscription on the door of this tunnel, we are at the mercy of whoever put it there. Theoretically, it can take us anywhere. Even to places we don’t really want to visit.
Attackers can hide malicious URLs in any innocent looking QR code, so when a user scans it, their mobile device could practically be hijacked. The Jester claimed this was exactly what he did, on March 5th, 2012.
“Anyone who scanned the QR code using their mobile device was taken to a jolly little greeting via their device’s default browser hosted on some free webspace […] The greeting featured my original profile pic and the word ‘BOO ! ‘ directly below it.”
The page also had malicious code embedded in it – code that exploits vulnerabilities in various mobile phone browsers.
Luckily for most of his Twitter followers, The Jester apparently wasn’t interested in everyone who scanned the malicious QR code. if you had no history of anti-American activity, or anti-Jester for that matter, you and your device were probably safe. But in case you did belong to a small group of people, or organizations, that The Jester was aiming at, then – bad luck.
Following the alleged attack, The Jester announced that the QR code he used as his Twitter icon had been scanned 1,200 times, while 500 mobile phones were compromised. But only a fraction of those devices meant anything to him. These were the devices used by the “bad guys”, and The Jester, so he claimed, knew who they were.
In order to hijack the mobile devices that scanned his QR code, The Jester said he took advantage of a vulnerability in an open source software called ‘Webkit’: a Browser Engine, which is a core component of many mobile browsers such as Apple’s Safari, Amazon’s Kindle and more. It wasn’t the first time hackers had used it, but The Jester, as always, did so in a unique style. That is, if we take his word for it.
It’s a stretch to think that the code was scanned by hardcore Jihadists. However, other hackers, The Jester’s rivals, following him online, probably couldn’t resist the temptation – and there are plenty of them, mainly from the ranks of Anonymous, the well known hacker collective. Anonymous and the Jester first clashed in 2010, after the Jester claimed he took down the WikiLeaks website. Since then, Members of Anonymous and other hacker groups such as LulzSec have been unsuccessfully trying to “dox” the Jester – that is, to expose his true identity – while he was trying to do the same to them. One particularly surprising name in The Jester’s hit list, was Senator Dan Gordon, a Libertarian who previously supported the Anonymous hacker group actions, and thus – became a “bad guy”.
How serious was the damage done in the QR code attack? Who knows. Perhaps very serious, perhaps – just a few embarrassed Twitter users. “Heise online” security magazine (shut down in 2013) went even further, and called The Jester’s attack (quote) “bluff and bluster”. Quote:
“The technical details of the hack given are [however] not credible. The security vulnerability he claims to have exploited [CVE-2010-1807] has been in the public domain since autumn 2010 and was fixed in most browsers shortly thereafter. That does not sit well with his claimed success rate of 40 percent of visitors. Similarly, he claims that a single exploit was able to bypass the security mechanisms present in multiple versions of iOS and Android. A more likely explanation is that The Jester is playing mind games with his enemies. “
Other experts said the break-in attack was entirely possible. Although patches to fix those vulnerabilities were indeed already being distributed at the time, prior to The Jester’s hack – it is a well known fact that many users don’t bother updating their operating system in a timely fashion.
And maybe, this kind of confusion was exactly what The Jester, whoever he is, was aiming for. “Fog of War”, as they call it in military intelligence terms.
Nowadays, on his Twitter account, The Jester seems more involved in American politics and in promoting some virtual reality projects, than in patriotic hacking. Which actually makes him much more of a real person than anything he has ever done before. Now he’s just an average joe, who spends way too much time on Twitter. But maybe it’s just part of the act. Another chapter in the story about “The Jester”.
How many more chapters are left in the Jester’s playbook? Anthony Freed asked him, in one of his interviews, how long will he go on.
“As long as my nerves will hold out. It’s a serious situation I find myself in, the bad guys want to slice my head off on YouTube with a rusty blade, and the good guys want to lock me up in an orange jumpsuit… along with the bad guys.”
The Jester made us BELIEVE there’s a hacker out there, a person, who’s doing all of this, by himself. And it is a great story: It’s intimidating for his enemies, those anti-American entities, and it’s captivating, for the cybersecurity community. Yet, No identity was uncovered. No one was arrested with their incriminating laptop. No one was sentenced to jail, or even gave an interview, showing their real face. In a way it was all smoke and mirrors, as they say. And it’s still smoke and mirrors today.
The funny thing is that even though we can’t say if there’s a specific person behind all of this, the result is pretty much the same. It created fear and excitement, depending on whose side you’re on. A successful hack, without the need for a real hack to take place.
Except there’s at least one person, who we’ve already mentioned, who was in some kind of personal contact with The Jester, according to his own reporting. Our very own Anthony Freed.
“[Anthony] At some point Anonymous was trying to dox me out as the Jester, but I thought that was kind of funny because, you know I couldn’t hack my way out of a wet paper bag.
[Ran] That’s what the Jester would say, I’m guessing. [laughing]
[Ran] You know, that’s a very interesting point. I mean, you could be his Clark Kent.
[Anthony] Yeah, I just think it’s so funny, because I’m not a technical person at all. I’m completely a Ludit at heart, as I said. “