The Libyan Electronic Army

Hacking for Gaddafi

Gabriel Currie
Oct 1, 2020

The Libyan Electronic Army (LEA) was a hacking group operating during the First Libyan Civil War in support of, and directed by, the then-ruling Gaddafi regime. This post explores the history and capabilities of the LEA.

Emergence of the LEA

Small pro-government hacking groups emerged in Libya during the 2000s at the urging of Mutassim Gaddafi (son of the ruling Colonel Muammar Gaddafi). They were charged with removing online content unfavourable to the family and their regime.

These groups initially conducted basic information operations, requesting the removal of anti-Gaddafi material by falsely claiming it infringed copyright law or represented inappropriate content, and promoting pro-Gaddafi narratives on social media. Over time they expanded and enhanced their capabilities to include low-sophistication cyber attacks (also in support of the regime).

“Information operations and warfare, also known as influence operations, includes the collection of tactical information about an adversary as well as the dissemination of propaganda in pursuit of a competitive advantage over an opponent.” (RAND)

The 2011 Revolution provided the impetus for these loosely affiliated groups to formalise into the “Libyan Electronic Army”. The newly formed LEA was staffed by a mixture of both Libyan volunteers and paid hackers, and supplemented with foreign hackers who had skills and experience not available domestically.

Logo of the Libyan Electronic Army

The LEA also enjoyed increased support from the regime; a senior employee of Libya Telecom and Technology (the de-facto state-run primary ISP) was moved across to run the LEA, and premises were provided by the Interior Ministry.

LEA cyber operations

The LEA conducted a range of low-sophistication cyber attacks throughout the 2011 Libyan Civil War, targeting political dissidents, journalists, and supporters of the Libyan Rebels. These attacks were intended to increase the regime’s understanding of Rebel activities, and influence both Rebels and the wider population.

Key tools, techniques and procedures (TTPs) initially used by the LEA include:

  • Online surveillance of rebel activities through social media.
  • Distributed denial of service attacks (MITRE ATT&CK T1498, T1499) against, and defacement of (T1491.002), rebel websites.
  • Mass telecommunications surveillance.

However, Libyan civilians rapidly became aware of these operations, and the corresponding tightening of their free and open access to the Internet.

In response to this, the use of satellite VSAT connections (which bypassed Libya’s telecommunications surveillance capabilities) became more common. In addition to this, Libya’s surveillance capability was unable to decrypt communication methods such as Skype, which were commonly used among the population.

As such, the LEA expanded its TTPs to include:

  • Watering hole attacks (T1189).
  • Spearphishing emails and messages (T1566).
  • Use of low-sophistication commodity malware (for example, BLACKSHADES).

Effects and impacts

The LEA’s impact on the Civil War

Prior to, and throughout, the First Libyan Civil War, the LEA’s cyber operations enabled the Gaddafi regime to more effectively counter the threat posed by the Libyan rebels. For example:

  • Online and telecommunications surveillance and malware allowed for intelligence to be gathered on rebel activities, and enabled targeting for further operations (for example, the arrest or kidnap of individual rebels, often leading to torture).
  • Denial of service attacks against Rebel websites minimised their ability to communicate with the wider population and garner support.

Website defacements, malware and surveillance also enabled regime information operations; for example, the regime played intercepted Skype calls on television in order to intimidate rebels.

So what?

The LEA’s operations in Libya demonstrate the ease with which an unsophisticated adversary can conduct offensive cyber operations, especially where that adversary enjoys the benefits of being a ruling state power. Despite limited technical and organisational capabilities (for example, using low-sophistication “commodity” malware), the LEA was broadly successful in its mission of targeting Rebels in cyberspace.

Two Royal Air Force GR4 Typhoon fighter jets flying en route to Libya to enforce UNSC 1973 as part of NATO’s Operation UNIFIED PROTECTOR

The LEA’s operations in Libya, and the seeming freedom with which they were conducted, highlight the requirement for cyberspace operations to support humanitarian operations. UN Security Council Resolution 1973 authorised member states “to take all necessary measures… to protect civilians” in Libya (short of boots-on-the-ground occupation) and led to NATO’s Operation UNIFIED PROTECTOR.

In UNIFIED PROTECTOR the skies were dominated through bombing sorties and enforcement of a no-fly zone, and the seas dominated through sea-to-surface missile strikes and enforcement of the arms embargo through a naval blockade. While the nature of NATO’s involvement in the “fifth domain” during UNIFIED PROTECTOR is unknown (and such operations are typically shrouded in secrecy), the Gaddafi regime’s use of cyberspace to target civilians, and the broad UNSC mandate, clearly necessitated such operations.

References

Jamming Tripoli: Inside Moammar Gadhafi’s Secret Surveillance Network, by Matthieu Aikins, published by Wired in 2012

Revolutionary Risks: Cyber Technology and Threats in the 2011 Libyan Revolution, by John Scott-Railton, published by the US Naval War College in 2013

Blackshades — Coordinated Takedown Leads to Multiple Arrests, by A L Johnson, published by Broadcom in 2014

Cyberspace: Malevolent Actors, Criminal Opportunities, and Strategic Competition, by Phil Williams, published by the US Army Strategic Studies Institute in 2016


Gabriel Currie

Head of Cyber Security and Deputy CISO at the UK Government’s @Cabinet_Office, previously incident response at PwC UK