Patriot Hacker The Jester's Libyan Psyops Campaign

Patriot Hacker The Jester's Libyan Psyops Campaign


Wednesday, March 30, 2011



Anthony M. Freed

C70e8ed35fb5ca21f3b33e446090de25

It appears as if the patriot hacker known as The Jester (th3j35t3r) may have embarked on his own psyops campaign aimed at breaking the spirit of the troops loyal to Libyan strongman Muammar Gaddafi.

On Thursday, March 28, The Jester tweeted three "bit.ly" links to articles reporting that Gaddafi's troops were suffering from low morale and are deserting their posts.

Two of the links take readers to what appear to be articles in the The Tripoli Post, and the third link leads to what appears to be an article in The Malta Independent Online. Here is a screenshot of The Jester's Tweets (click to enlarge):

Jester Twitter Page - Tripoli Psy Op

Having followed The Jester's activities for more than a year now, these three tweets struck me as being out of the ordinary.

Aside from his recent effort to keep multiple websites of the controversial Westboro Baptist Church down and the attacks on the WikiLeaks website late last year, The Jester mainly sticks to intermittent attacks against various militant-jihadi websites.

For the most part, The Jester keeps his Twitter messaging simple and mission-specific, usually limiting them to announcements that he has targeted a pro-jihadi website with his XerXeS denial of service tool.

Occasionally The Jester will issue a tweet in response to the constant barrage of heckling he receives from a litany of detractors, and sometimes he will post a message to warn his equally fervent followers to be wary of the multiple "Jester" imposters that have popped up over the last year.

But these three tweets stand out among all the rest, and so sparked my curiosity.

Upon closer examination, I noticed the articles in question were not listed among the others on the main pages of their respective publications, and they also did not appear in the archives.

By dragging my cursor over part of the article in an effort to highlight a paragraph, I noticed that the entire text was being displayed as an image, unlike other articles from the same publications.

Further examination revealed a big surprise - the articles in question had a very faint watermark of The Jester's trademark harlequin icon behind the text of the first paragraph.

I immediately took screenshots of all three articles. The harlequin watermark is most clearly visible in The Malta Independent Online article.

Click on the following images to view them on Flickr, then view the images at an extreme angle (as in tilt your screen) to reveal The Jester's calling card:

Update: We have added some enhanced images below the screenshots that clearly show the watermark.

Malta Independent:

jester-malta-

(Screenshot above - enhanced image below to show watermark)

jester-malta-corrected

The Tripoli Post:

Jester Tripoli Psy Op 1

(Screenshot above - enhanced image below to show watermark)

jester-tripoli2

To view the original images, go directly to The Jester's Twitter page and click on the links as tweeted (before they disappear).

After finding the watermarks, I contacted a more technically knowledgeable colleague to get their opinion on the discovery. I copy/pasted the links and sent them via instant message. When my colleague clicked on the links, they did not lead to the articles in question, but instead called up the main pages of the publications.

I directed them to go to The Jester's Twitter page and click the links contained in the tweets, which in turn did reveal the watermarked postings. My colleague surmised that The Jester was injecting the code for an image of the fabricated articles using "bit.ly" links and Twitter as vehicles for the task.

My colleague, who preferred to remain unnamed in this article, concluded that The Jester was performing some kind of "a bit.ly-obfuscated intermediary-based code injection, probably because the target websites (Tripoli Post and Malta Independent) don't parse 'get' requests. Its looks like it was just a quick workaround."

Update: Michael Menefee, Founder of Infosec Island, did some technical analysis and offers an explanation of the "non-persistent injection" technique The Jester is using:

Malta Independent:

The Jester's twitter account has a link to a bit.ly url which redirects to http://newsportal.tekcities.com/malta.php the source code of that page is:

jester code 2

 

This is basically an automatic redirect to The Malta Independent Online, injecting the image as a search query, which gets returned as a result.

The Tripoli Post: 

The image is only slightly visible on this one: http://tripolipost.tekcities.com/index3.php (another of his bit.ly requests) with roughly the same source code to facilitate an injection:

Jester Code 1

Understanding "how" is one thing, but we still need to know "why".

I sent a message to The Jester letting him know I was writing an article on the discovery, and gave him the opportunity to offer his own explanation. Given that I have not received a reply as of yet, I can only speculate as to The Jester's motivation for the operation and what is intended to be accomplished.

Having conducted several interviews with the hacktivist, and spent dozens of hours in IM chats, I would venture to say that his motivation probably stems from his patriotism and oft expressed concern for the lives of European and American military personnel who may be in put harm's way if the conflict in Libya persists.

Based on the contents of the planted articles, it seems the operation is intended to simply erode the morale of the Gaddafi loyalists and inspire some to either desert their posts or defect and join the opposition.

Only the Jester can tell us for sure. But one thing is for certain, The Jester continues to evolve in both his interests and his tactics, and has proven once again he is more than just a "one trick pony".

Comments