Advanced Threat Protection & Visibility Series – Part 3: Hacktivists

On Sunday, April 7, 2013, Anonymous continued ‘OpIsrael’, an operation focused on ‘erasing Israel from the cyber landscape’. The latest attack, which was in response to Israel’s recent airstrikes on Gaza, was responsible for hacking 60,000 websites, 40,000 Facebook pages, 5,000 Twitter accounts and 30,000 Israeli bank accounts. The attack was also yet another example of just how much Anonymous has changed—and grown—since the days of its initial attacks. While the first two installments of my Advanced Threat Protection & Visibility Series focused on Nation States and Criminal Circuits, this article will focus on the evolution of hacktivists. Understanding the various types of malicious actors targeting your networks, including their motivations and modus operandi, is key to identifying, expelling and expunging them.

What Powers Hacktivists?

Unlike cybercriminals, hacktivists are not motivated by money or financial gain. Rather, they are motivated by ideology, activism and political causes. Hacktivism is the use of computers and computer networks to promote a political agenda or perceived moral ends. Hacktivists focus on perceived injustices and violations of free speech. This, combined with a lack of faith in the national and geo-political machinery, drives them to take action. Hacktivists firmly believe that the end justifies the means, and that, in retrospect, their actions will be both forgiven and applauded. However, this view has undergone something of a reality check based on recent interactions with the judicial system.

The Rise of Anonymous

Hacktivism has existed, in various forms, for as long as computers have. Numerous DoS, DDoS and website defacements (5,000 reported by attrition.org between 1995 and 1999 alone) have littered Internet history as a demonstration of organized protest and frustration with the status quo.

Today, the Anonymous collective is synonymous with global hacktivism, despite its leaderless and loose association. As a reporter for the Baltimore City Paper put it some time ago, “[Anonymous] is a group in the sense that a flock of birds is a group, where at any given moment, more birds could join, leave or peel off in another direction entirely.” It is impossible to 'join' Anonymous, as there is no leadership, no hierarchy and no single means of communication. Anonymous recruits people from all over the world—most of whom have never met in real life and will go to extreme measures to ensure they never will. For this powerful class of hacker—whose motives are considered noble by some and criminal by others—striking back against injustice is a key driver.

The origins of Anonymous can, arguably, be traced to the 4chan image board. The unique culture of Anonymous—including its many phrases, memes, rules and icons—is taken directly from its 4chan origins. Originally, 4chan users from the /b/ (random) board frequently complained about issues but held to the concept of ‘not your personal army’—meaning they would not actively seek to fix whatever problem you put forth or complained about. However, they also had a culture of ‘Lulz,’ which is based on the concept of laughter at someone else's expense or simply causing mayhem for fun. Originally, Lulz activities by hacktivists involved pranks or attacks on a competing website. This all changed in 2008, with the targeted attack on the Church of Scientology. For Anonymous, the attack was in response to the perception that the Church of Scientology was attempting to restrict free speech and censor the Internet. The attacks, known as Project Chanology, started as phone harassment and DDoS attacks, but culminated in the physical picketing of the Church’s offices by 10,000 4chan users in 90 cities—all wearing the signature Guy Fawkes masks from the movie V for Vendetta. The Anonymous movement had been born. Yet they were still—just as they are today—a leaderless collection of hackers and activists who would band together for specific ‘operations’ in response to perceived injustices. As a practice, 4chan users (who are, indeed, all anonymous) frequently attacked other similar sites in what they called ‘raids.’ These rarely, if ever, had a political agenda. However, the Wikileaks issue changed this. Forever.

Wikileaks

In 2010, Wikileaks released confidential communications between the United States State Department and U.S. overseas embassy staff. As a result, political pressure was put on PayPal, Visa and MasterCard to discontinue services that provided funding capabilities to the Wikileaks organization. To Anonymous, this was perceived as an attack on the truth and free speech. Subsequently, Anonymous began to launch DDoS attacks on PayPal—distributing the opt-in botnet Low Orbit Ion Cannon (LOIC) to its members as an attack tool. Use of the LOIC tool, however, exposed the IP addresses of the attackers and led to the eventual arrest of several Anonymous members. Nonetheless, the DDoS attacks on PayPal, Visa and MasterCard were damaging and effective: PayPal stated that the attacks cost them alone $5M USD.

Later, the attacks on HBGary Federal caught the attention of the information security world. Rather than being easily dismissed as script kiddies, Anonymous launched a chain of events that compromised and damaged a trusted security company. Just prior to the 2011 RSA conference, HBGary Federal CEO Aaron Barr publicly acknowledged that his firm had successfully unmasked the leadership of Anonymous—who had recently made headlines with their attacks on Visa, MasterCard and PayPal. Anonymous immediately launched a counterattack. HBGary’s servers were broken into, its website defaced, and many damaging emails were published to the Internet. Key to the success of the attack was the failure of three basic information security controls that were not properly implemented: (a) separation of duties, (b) use of complex passwords, and (c) limitation of password reuse. Once Anonymous compromised an HBGary server using SQL injection, they used rainbow tables to recover company passwords from the stolen hashes—including that of Aaron Barr (whose password was not complex). Unfortunately for HBGary, Barr was an administrator on the mail server (Google Apps) and had reused a recent password. This gave Anonymous full access to the company’s entire email system. Next, they used social engineering techniques to go even deeper, gaining more access and privileges. Within hours, HBGary’s most private communications were publicly released to the Internet.
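The HBGary chain above turned on two of the listed controls: hashes that a precomputed (rainbow) table could reverse, and a password reused on the mail system. The following added example (my own illustration, not code from the column or from HBGary) contrasts an unsalted fast hash, which a table built once recovers with a single lookup, with a per-record salt plus a slow KDF, which forces one full KDF evaluation per candidate per record, and finishes with a defender-side reuse audit across several stores. The wordlist, passwords and system names are constructed.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the dictionary behind a precomputed
# (rainbow) table; real tables cover billions of candidates.
WORDLIST = ["password", "letmein", "Welcome1", "summer2011", "qwerty123"]

def unsalted_md5(password):
    """Fast, unsalted digest: identical passwords give identical digests everywhere."""
    return hashlib.md5(password.encode()).hexdigest()

def build_lookup_table(words):
    """Precomputed digest -> password map, built once and reusable against any
    dump of unsalted hashes; a rainbow table is a space-compressed form of this."""
    return {unsalted_md5(w): w for w in words}

def recover_unsalted(digest, table):
    """One dictionary lookup; no hashing is needed at attack time."""
    return table.get(digest)

def salted_kdf(password, salt, iterations=50_000):
    """Per-record random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def make_record(password):
    """What a hardened credential store holds: (salt, derived key)."""
    salt = os.urandom(16)
    return (salt, salted_kdf(password, salt))

def verify(password, record):
    salt, stored = record
    return hmac.compare_digest(salted_kdf(password, salt), stored)

def audit_salted(record, words):
    """Defender-side audit of one salted record: (match, kdf_evaluations).
    The salt is only known once the record is in hand, so nothing can be
    precomputed and every candidate costs a full KDF run for this record."""
    evaluations = 0
    for w in words:
        evaluations += 1
        if verify(w, record):
            return w, evaluations
    return None, evaluations

def reused_across(password, records):
    """Names of systems whose stored record accepts this password (reuse audit)."""
    return [name for name, rec in records.items() if verify(password, rec)]
```

Run `audit_salted(make_record("summer2011"), WORDLIST)` to see the KDF cost grow with the candidate's position, and `reused_across` with records from two stores sharing one password to see why reuse lets a crack on one system open another.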

LulzSec

In 2011, a splinter group called LulzSec appeared, attacking a wide range of websites under a campaign named '50 Days of Lulz'. Their principal tool was SQL injection, coupled with checking other websites for password reuse. When required, they also leveraged DoS attacks. LulzSec’s targets included Sony, online game companies, Booz Allen Hamilton, the U.S. Senate, the CIA, the Serious Organised Crime Agency of the United Kingdom and the FBI. The group also cooperated with Anonymous to launch ‘Operation AntiSec’, which targeted security organizations and law enforcement by publicly exposing their security flaws. LulzSec announced their wins via Twitter, stating in a published manifesto: “We do things just because we find it entertaining." Later, however, they expressed social change as being their key motivator. In the end—despite all their successes against law enforcement—a backlash was imminent. When it arrived, LulzSec’s leader Sabu was arrested. Sabu quickly turned on his colleagues, even attempting to trick Wikileaks’ founder Julian Assange into making self-incriminating statements.

Sobering Arrests

Since 2010, more than 90 people have been arrested for online criminal activities related to Anonymous. Some of those arrested included kids as young as 16, or internal employees charged with leaking confidential information out of sympathy for the hacktivists’ cause. In the end, LulzSec was essentially destroyed.

There has also been a distinct change in how judges treat hacking in recent years. Originally, computer use was seen as an unstable, opt-in activity and, as a result, data theft, website defacement or crashing devices was seen as more akin to someone putting graffiti on a wall—and sentencing at the time reflected that. However, since 2001, prosecutors have been successful in analogizing hacktivism to cyber terrorism while slowly persuading the judiciary of their way of thinking. What’s more, attacks by Anonymous have been characterized as threats to national infrastructure and national security—especially those attacks conducted in cooperation with Wikileaks. Consequently, many of those arrested in the Anonymous/LulzSec round-ups are facing sentences considered on par with the most heinous of traditional crimes.

Ultimately, the arrests, crackdowns and prosecutions have resulted in a major changing of the guard in hacktivist leadership. As well, many of the most-skilled hackers have decided they have too much to lose, and have either moved on or assumed a much lower profile. Given the overall leaderless culture of Anonymous, some members have attempted to spur new operations and campaigns against targets like Zynga and Facebook. These have gained little momentum, however, and have generally fizzled out quickly.

Zetas Drug Cartel Goes After Anonymous

Of course, a key challenge for Anonymous has been their lack of centralized control—which essentially allows any group to carry out actions at any time under the banner of Anonymous. For example, various groups under the Anonymous banner have carried out a host of public operations against entities such as the Zetas drug cartel, the Bay Area Rapid Transit District (BART), the Westboro Baptist Church, the Motion Picture Association of America (MPAA) and the Recording Industry Association of America (RIAA).

However, an increasingly chaotic culture can arise from the desire of certain members to launch a new campaign whenever a social action event triggers a call-to-action. The current OpIsrael campaign, for example, appears to be an attempt to hijack the Anonymous brand by North African hacker groups. And some Anonymous members believe that certain proposed operations are merely ruses by law enforcement agencies to entrap them. At present, Anonymous remains more dormant than active. Yet it is only a matter of time until another proposed operation gains enough momentum to move forward and revive the effect and influence of Anonymous. Once awoken, they can gather momentum and wide support quickly—enticing many with capable and strong security skills to join the operation. They may even enlist ‘confederates’ within your own organizations. Either way, Anonymous should not be forgotten or dismissed. As they often proclaim: “Expect us.”

What Hacktivists Mean for Us

All large organizations have enemies—especially those in the public eye. Any action by any one of your employees or partners— even if misinterpreted—may cause a backlash. In general, hacktivists focus less on DDoS and more on stealing confidential and potentially embarrassing data. Email servers have proven to be a rich source of content for them. If targeted, an organization could potentially face tens of thousands of attackers simultaneously, as opposed to dealing with a small number of attackers in a criminal or State-sponsored targeted attack. As such, strong defensive and attack-preparedness measures should be implemented, in addition to breach detection and post-breach security technologies that can minimize damage once they get in.

A Final Thought

In hindsight, enterprise users reusing passwords has been the cause of much of the carnage by hacktivists. While enterprises have rightly focused on integration with a single directory and eliminating standalone password systems, this generally only works well within the perimeter. Your employees and peers likely have dozens of external accounts—ranging from social media to webmail to online banking to anywhere they’ve ever ordered a product online. Given that many of these sites may be vulnerable to SQL injection, it is important to ensure the rotation of passwords (if multifactor authentication is not practicable) on a regular basis so as to minimize the likelihood of compromise via password reuse.

As mentioned in my previous columns, my next Series will focus on the CRIME methodology for dealing with advanced threats and targeted attacks on the network. CRIME includes Context, Root Cause, Impact, Mitigation and Eradication. It is built on the approach that, if you can have visibility and context of network events, anomalies and attacks, only then can you identify root cause, determine material impact and begin effective mitigation and eradication measures.

Related Reading: The Evolution of the Hacktivist Threat

John Vecchi is Vice President of Marketing at Solera Networks. He has more than 16 years of experience in high-tech marketing, product marketing, product management and consulting. Prior to Solera, John was Vice President of WW Marketing at Zscaler. Prior to Zscaler, he was Head of Global Product Marketing for Check Point Software—overseeing their enterprise and SMB solution portfolio. Before Check Point, John was an executive marketing consultant for Symantec, as well as Sr. Director of Product Marketing for McAfee’s Network Security Business Unit. John has a B.A. from the University of St. Thomas, St. Paul, MN, focusing on international business and foreign language.