Turkey’s band of pro-Erdoğan hackers keep trolling Europe

In September 2016, Austria started experiencing what its intelligence services have since described as the country’s first bout of cyberterrorism. In that month, there was a distributed denial of service (DDoS) attack on the Vienna Airport, followed by a paralysis of the National Bank (“the biggest attack in recent years,” a spokesperson said). In November, the websites of the Ministry of Foreign Affairs, the Ministry of Foreign Defense, and the Federal Army were all attacked.

Austrian Intelligence eventually traced the attack back to one individual, Arslan A., alias Osman T., aka General Osman, who was living in a bungalow in Bowling Green, Kentucky. General Osman is part of a Turkish nationalist group called Aslan Neferler Tim (ANT, or Lion Soldiers Team in Turkish).

The attacks on Austria were some of the most high-profile stunts by ANT to date, but they were hardly the last. Instead, as President Recep Erdoğan’s creep toward authoritarianism pushes him further out of favor with EU leaders in Brussels, ANT’s attacks are proliferating, placing further strain on an already frayed relationship.

“I would say they are the most prominent hacker group in Turkey,” Cosimo Mortola, a threat intelligence analyst with the cybersecurity company Fireeye, told VICE News. Mortola said that given ANT's focus on targeting EU countries at odds with Turkey, they’ve also become one of the most-watched groups in Europe.

Turkish hackers have long attacked European countries whose politicians espouse anti-Islamic views or criticism of Turkey. In 2009, a hacker self-identified as “aLpTurkTegin” hacked the website of the radical right-wing firebrand Dutch politician Geert Wilders, whose anti-Islamic, anti-EU stance led the U.K. to bar him from entry. During the cyberattack, Wilders’ face was replaced with a monkey.

“It’s very nasty indeed,” the politician told Reuters of the experience.

But ANT has grown more aggressive in recent years, especially as Turkey’s relationship with Brussels has grown more contentious. ANT, which subscribes to the strain of Turkish nationalism espoused by Erdoğan’s Justice and Development Party (AKP), emerged as a prominent hacking group in October 2015, as Turkey suffered a string of terrorist attacks and a breakdown in the Kurdish peace process. The upheaval spurred on Erdoğan’s aggressive clampdown on media and his political opposition, drawing concern from the EU.

Turkey and EU relations have only gotten worse since then, especially in the wake of the failed coup against Erdoğan in July 2016. Following the coup, Erdoğan unleashed a wide-ranging purge and threw tens of thousands of soldiers, teachers, and civil servants in jail. He followed the purge with a 2016 referendum that extended his powers and raised the specter of authoritarianism in a country that has long prided itself on its secular and democratic ideals.

Erdoğan's actions haven't gone over well in Europe. In April 2017, the EU Parliament voted to effectively freeze Turkey’s membership bid, citing the Turkish president's authoritarian crackdown. ANT, in turn, has made it clear they’re not pleased with Europe’s stance, and a pattern has since emerged: A foreign country or entity publicly discredits Turkey, then ANT quickly responds with embarrassing cyberattacks on government websites or infrastructure.

FireEye has been tracking ANT since its emergence. In the last three years, the collective has launched attacks against Austria, Belgium, Denmark, Germany, and the Netherlands — and that’s just in the EU. ANT has also launched attacks on Armenia, Iraq, Israel, and the United States. The group, Mortola explains, focuses on three types of attacks: DDoS, defacement, and occasional compromises of individual sites. They’ve also been involved in a handful of data leaks.

“Targeting a foreign government, especially one with which there is a background in hostilities, is common. This gives both veteran and new hackers an opportunity to get some recognition among their peers,” Turkish cybersecurity expert Alper Basaran said.

ANT’s affiliated membership (or “soldiers,” as they refer to themselves) is unknown, although Fireeye has tracked 50 names associated with the group.

There's no physical evidence that directly links the Turkish government to ANT or vice versa, but analysts believe there may be overlap.

“It is suspected that ANT may have some connection to the Turkish government given that they claim to be defending the Turkish nation and Islam, something that resembles very much the current government’s ideological rhetoric,” Zenonas Tziarras, a researcher at the University of Cyprus told Vice News.

ANT attacks do follow a specific form of Turkish nationalism. On Oct. 28, 2017, ANT launched a DDoS attack on the Belgian Ministry of Defense in reaction to a spate of riots that happened when a bus of Kurdistan Workers’ Party (PKK) supporters, escorted by local police, drove through a Turkish neighborhood in Antwerp. ANT publicly accused the Belgian government of supporting the PKK, the pro-Kurdish separatist group that Turkey and the U.S. have labeled a terrorist organization. Erdoğan has also accused Belgium of being a hub for PKK militants.

Basaran pointed out that while the attack was disruptive, “a state-sponsored attack would manifest itself in a more technically advanced format."

"At this stage it is impossible to say if either side is really engaged in APT (Advanced Persistent Threat) attacks for intelligence purposes," Basaran added. “[These] attacks seem to be planned and executed by hacker teams/groups that act alone either based on nationalist feelings or just to take advantage of the current political situation.”

Yet considering Turkey’s already tense relationship with the EU, these attacks don’t need to be advanced to cause diplomatic disorder. “Cyberattacks might not only impact the cyber domain but diffuse and escalate to other environments, in this case political,” said Pythagoras Petratos, a lecturer at the University of Oxford. “They can influence the accession process of Turkey.”

And while cyberattacks themselves can’t determine the outcome of Turkey’s EU bid, “they could aggravate an already bad situation,” said Tziarras.

ANT has also inspired the anger of other nationalistic hacker groups. Anonymous Greece, the local chapter of the global hacking collective, has been embroiled in a self-dubbed “cyber war” with ANT for years. It most recently claimed responsibility for hacking a Turkish municipal website on Jan. 9.

Screenshot of Turkish municipal website, Kazim Karabekir, which was hacked by Anonymous Greece as part of an ongoing self-dubbed “cyber war” with Turkish hacking group Aslan Neferler Tim (ANT, or Lion Soldiers Team in Turkish).

That day, visitors to the Kazim Karabekir were greeted with a surprising image of Erdoğan. The traditionally stern-looking Turkish strongman was uncharastically glowing, his face done up in pink eyeshadow and rouge that had been carefully, if a bit heavy-handedly, applied to his lips and cheeks. A pair of dangling pearl earrings framed his face, while an LGBT flag waved behind him.

The rainbow colors matched his tie.

Cover image: Turkish President Tayyip Erdogan addresses members of parliament from his ruling AK Party (AKP) during a meeting at the Turkish parliament in Ankara, Turkey, March 6, 2018. REUTERS/Umit Bektas