Tunisia’s bitter cyberwar

Anonymous has joined Tunisian activists to call for end to the government’s stifling of online dissent.

Anonymous Operation Tunisia
Anonymous and Tunisian activists are calling for an end to government censorship [Image courtesy of Anonymous]

Thousands of Tunisians have taken to the streets in recent weeks to call for extensive economic and social change in their country.

Among the fundamental changes the protesters have been demanding is an end to the government’s repressive online censorship regime and freedom of expression.

That battle is taking place not just on the country’s streets, but in internet forums, blogs, Facebook pages and Twitter feeds.

The Tunisian authorities have allegedly carried out targeted “phishing” operations: stealing users passwords to spy on them and eradicate online criticism. Websites on both sides have been hacked.

Anonymous, the loosely-knit group of international web activists that drew world attention for their “distributed denial of service” (DDoS) attacks on the servers of companies that blocked payments and server access to the whistle-blowing website, WikiLeaks, joined the fray, in solidarity with the Tunisian uprising.

Most international news organisations have no presence in the country (and, some say, a lack of interest in the protests). Media posted online by Tunisian web activists has been some of the only material that has slipped through the blackout, even if their videos and photos haven’t generated quite the same enthusiastic coverage by Western media as the Iranian protest movement did in 2009.

Killing dissent

The attacks against some of the most vocal voices in the Tunisian cyber-community were sharp and swift.

Sofiene Chourabi, a journalist for Al-Tariq al-Jadid magazine and blogger known for his unabashed criticism of the Tunisian authorities, has been unable to recover his email and Facebook accounts after they were hijacked several days ago.

The first attempted hijacking of his Facebook account happened last week.

“Here we don’t really have Internet, we have a national intranet”

Azyz Amamy, Tunisian web activist

“My personal account on the Facebook, including around 4200 friends, was exposed to failed hacking attempt last Friday, but I quickly recovered it after an unidentified person had taken control of it,” he told Al Jazeera.

Then, on Monday, Chourabi was locked out of his Facebook and Gmail accounts.

Chourabi says he believes the Tunisian Internet Agency is responsible for hijacking his accounts. The agency has blocked access to his Facebook wall since October 2009, and his blogs are also unreachable from within Tunisia.

Several of his friends have contacted Facebook and Google asking for his accounts to be returned, to no avail. 

“I think it is high time for Facebook and Google to take serious steps to protect Tunisian activists and journalists,” he said in an interview via email, using a new account.

Facebook is working to ensure it can respond to all its users, Stefano Hesse, Facebook’s head of communications for Europe, the Middle East and Africa, told Al Jazeera.

“One thing needs to be clear: we, as Facebook, are not censoring any content, and we had not been approached by the local government in order to do anything regarding anyone,” Hesse said via email.

Google did not respond to requests for comment from Al Jazeera.

Lina Ben Mhenni also had her Facebook page and Yahoo email account pirated, although she managed to retain control of her blog.

She told Al Jazeera that, as of Wednesday, web users in Tunisia were unable to change their passwords for Facebook.

Another activist who was caught in the phishing campaign is a Tunis-based man, who goes by the name of Azyz Amamy in the online world.
Amamy told Al Jazeera in a phone interview that his Facebook and email accounts had been hijacked on Monday. Amamy was able to recover both accounts within two hours, after Facebook and Gmail responded to his request. The difference is that he had retained control of a separate email account with which he had registered both accounts.

Two hours was enough time for the authorities to get the login information for his four blogs from his email accounts, deleting all the content.

“When they took Lina [Ben Mhenni]’s account, and Sofiene Chourabi’s, within an hour all the Facebook pages they administrated had disappeared. And then their accounts were deleted,” Amamy explained.

The speed of the phishing operation, hitting several high-profile targets in a single day, demonstrated that it was exceptionally sophisticated, he said.

As well as Chourabi, Amamy and Ben Mhenni, those known to have been targeted include Med Salah M’Barek and Haythem El Mekki

Amamy suspects the phishing operation was far-reaching and that many more were hit, but are too scared to go public.

Several sources Al Jazeera spoke with said that web activists had been receiving anonymous phone calls, warning them to delete critical posts on their Facebook pages or face the consequences.

‘Phishing’ for dissent

The phishing was carried out by a malware code, several sources told Al Jazeera.

Sami Ben Gharbia, who monitors Tunisia’s web censorship for Global Voices, said that Google and Facebook were in no way complicit in the sophisticated phishing technique.


The initial signs that something was underway came on Saturday, he said, when the secure https protocol became unavailable in Tunisia. This forced web users to use the non-secure http protocol.

The government’s internet team then appears to have gone phishing for individuals’ usernames and passwords on services including Gmail, Facebook, Yahoo and Hotmail.

Web activists and journalists alerted others of the alleged hacking by the government via Twitter, which is not susceptible to the same types of operations.
“The goal, amongst others, is to delete the Facebook pages which these people administer,” a Tunisian internet professional, who has also been in contact with Anonymous, told Al Jazeera in an emailed interview.

The same source, who asked to remain unidentified due to the potential consequences for speaking out, said that in communication with the international group, he had come up with a Greasemonkey script for firefox internet browsers that deactivated the government’s malicious code.

The script had been installed 1,669 times at the time of writing.

“It isn’t like China and Gmail several months ago, where China attacked Gmail,” the web professional said in an email, referring to last year’s incident when Chinese hackers allegedly broke in the accounts of Chinese dissidents.

“This is much more intelligent (and I’m proud of this intelligence!). It’s the communication with Gmail [and the other sites] that is intercepted,” he said.

The Committee to Protect Journalists says there is clear proof that the phishing campaign was organised and co-ordinated by the Tunisian government, as did other sources that Al Jazeera spoke with.

Unexpected allies

Tunisian web activists found an ally in Anonymous, whose international activists have turned their attention to overthrowing the Tunisian regime of web censorship.

The group’s DDoS attacks, which began on Sunday night, local time, succeeded in taking at least eight websites, including those for the president, prime minister, the ministry of industry, the ministry of foreign affairs, and the stock exchange.

The web site of the government internet agency – known by Tunisian web dissidents ironically as “Ammar 404”, or “Page not found” for its oversight of censorship operations – was also targeted.

In email correspondence with Al Jazeera, one Anonymous activist described the group as a “hive mind,” centred on collective, rather than individual, identity. 

The activists, who prefer to go unnamed, co-ordinate their operations through discussions held in Internet Relay Chat (IRC) networks, a type of online discussion forum.

Al Jazeera discussed “OpTunisia” with a group of the online activists on Tuesday. The operation began when one Anon spent last weekend “spamming” the forum, drawing support from activists around the world.

The Tunisian government first drew the Anons’ ire, they say, when it extended its pervasive filtering to WikiLeaks.

“The thing that did it for us, was initially their censoring of WikiLeaks, when WikiLeaks reports on .tn came out,” one participant in the forum wrote in response to questions from Al Jazeera, referring the Tunisia-based website that had been set up to host the WikiLeaks memos.

With their collective gaze turned to Tunisia, the Anons came into contact with Tunisian web activists.

“We did initially take an interest in Tunisia because of WikiLeaks, but as more Tunisians have joined they care more about the general internet censorship there, so that’s what it has become,” another Anon said.

It is hard to generalise the Anons’ diverse range of motivations and ever-changing targets, but most appear to share an outrage over the Tunisian government’s censorship and phishing activities, and a sense of solidarity with Tunisian web users.

Attacking government-linked websites is much more dangerous for those living within Tunisia, they noted, who risk arrest if they are identitied by the authorities.

“Although many Tunisians understandably do not feel comfortable participating in this operation out of precaution, I estimate there [were] about 50 Tunisians participating, to whom we provide the means and knowledge to properly secure their online behaviour from exposure to their government,” one Anon activist wrote via email.

Ben Gharbia says he accessed IRC to observe the discussions, and that there were some people chatting in Tunisian dialect.

By Tuesday, the government appeared to have taken steps to protect its websites from attack by making them inaccessible from overseas. The same sites were available within Tunisia.

On Wednesday, Anonymous informed Al Jazeera that its own site was under DDoS attack. Anonymous was continuing its DDoS attacks on Thursday, and is likely to move on to another target now that momentum has gathered.

“We, as Anonymous, feel we have accomplished our mission with the major media now involved in Tunisia.  We will keep DDoS’ing that DNS server probably until after the [Thursday’s] strike,” wrote the source by email.

Government hacking, en masse

This is hardly the first time Tunisian censors have phished for dissidents’ private information, nor is its censorship anything new.

Most popular video-sharing websites have been blocked for years now. Facebook was completely blocked in 2008.

Tunisia no longer blocks the entire Facebook platform, and is one of the main ways people are able to share video.

Individual Facebook pages are quickly censored, however, often within an hour of going online, Ben Gharbia said.

“Once they identify a link that needs to be blocked, they block it instantly,” he said.

In the siege against cyber dissidence, Twitter has been a bastion for activists. Because people can access Twitter via clients rather than going through the website itself, many Tunisians can still communicate online. The web-savvy use proxies to browse the other censored sites.

Yet even if bloggers manage to maintain their blogging, the censorship deprives them of those readers who do not use proxies. The result is what Ben Gharbia described as the “killing” of the Tunisian blogosphere. 

Ben Mhenni said that the government’s biggest censorship of webpages en masse happened in April 2010, when more than 100 blogs were blocked, in addition to other websites.

She said the hijackings that had taken place in the past week, however, marked the biggest government-organised hacking operation. Most of the pages that had been deleted in recent days were already censored.

Amamy said the government’s approach to the internet policy is invasive and all-controlling.

“Here we don’t really have internet, we have a national intranet,” he said.

You can follow Yasmine on Twitter @yasmineryan

Updates:  Azyz Amamy was arrested on Thursday, sources in Tunisia told Al Jazeera. Another web activist, Slim Amamou was also taken by the authorities.

Amamy’s last Tweet prior to his arrest was published on Thursday morning, as was Amamou’s. (6 Jan 2011 21:03 GMT)

Source: Al Jazeera