Security Experts:

How Operation Payback and Hacktivism are Rocking the 'Net

"Hacktivisms are motivated by revenge, politics, ideology, protest and a desire to humiliate victims."

In my previous column I promised to dedicate this current column to Proxy Trojans. Yet with all the pro-Wikileaks hactivity of the past week, I found it much more appropriate to digress this time and discuss the threat-scape defined for "hacktivism" and their methods. We have discussed Industrialization of Hacking, Advanced Persistent Threats (APT) and now it’s time to add hacktivism to our taxonomy.

Hacktivism

Operation Payback - Hacktivism

Hacktivism uses cyber attacks based on political motivations who use cyber sabotage to promote a specific cause. Hacktivism is as old as the internet. Sole hacktivists demonstrate their protest using different attack methods. One popular attack is to deface websites. For example, Microsoft’s website was displaced with a Saudi Arabian flag. But when hacktivists group together, they may join forces to execute another favorite attack of theirs – Distributed Denial of Service (DDoS) attacks. With the increased number of participants, they are able to flood the website with too much traffic that the server could handle. As the site attempts to process the large volume of malicious traffic, it in effect denies access from legitimate users. At other times, the server just crashes as a result.

As opposed to the hacking industry intent on data theft, hacktivism is not motivated by money and high visibility is key. Hacktivisms are motivated by revenge, politics, ideology, protest and a desire to humiliate victims. Profit is not a factor. And visibility is key: what’s the point of embarrassing someone if you they didn’t know who performed the attack?

Let us not also confuse hacktivism with APT. APT is politically motivated – but mainly nation-state sponsored with the support of a large financial backing. An attack acting within the definition of APT can be seen when North Korea DDoSed South Korea and US sites. In APT the goal is control and as the name implies, the threat is persistent. Meaning, that if a certain attack does not succeed, the attacker will attempt to infiltrate in a different manner. Contrary to APT, in hacktivism, the goal is protest by means of the one single attack campaign which would bring the required attention to their cause.

The summer of 2009 provided us with a couple of high-profiled hacktivity campaigns:

• Hacktivists protesting against the Iranian election - In this DDoS attack, hacktivists operating from outside of Iran, targeted Iranian government and other state-sponsored websites. As a result, the Iranian government blocked access to different social network sites to prevent netizens from providing coverage regarding the current state of affairs on the street.

• Russian hacktivists targeting Social Networks hosting Georgian blogger – By employing DDoS attacks, Russian hacktivists were able to bring down social network services such as Facebook and Twitter. This was their retaliation campaign against a controversial Georgian blogger who had accounts on these networks. Operation Payback Operation Payback received much media attention in the past week due to their ability to bring down major industry players – Visa, Mastercard and Paypal. All these companies had severed ties with Wikileaks. Hacktivists, under the name of Anonymous, reacted with group effort to DDoS these companies against their so-called “Internet Censorship.”

Operation Payback – A series of cyber-attacks

This was not the first time this group formed together to retaliate against Internet “injustice.” In fact, this was only the lastest in a series of hacker protestors. In the beginning, members of Anonymous downloaded a piece of code which could be configured, or pre-configured, to DDoS a certain server (more details in the following section). So in effect, the individuals were knowingly engaging themselves in a “voluntary botnet”. The group had started off by DDoSing media and recording companies such as the Recording Industry Association of America (RIAA) and the Motion Pictures Association of America (MPAA), under the pretense of objecting to their copyright infringement enforcement. Anonymous has even gained more than they bargained for when they DDoSed the UK law firm ACS:Law in response to their activity of pursuing illegal file downloaders. In this case, as the law firm reconstructed its site the archives with the sensitive data were copied to publicly accessible locations. In effect, causing the firm to be in breach of UK regulation. Call that irony.

Operation Payback – The tools being used

There are three variants of the DDoS software being used by the attackers:

• A manual product called the LOIC (Low Orbit Ion Cannon). The user configures the target of the attack and other parameters. It then creates a DoS by sending a flood of TCP/UDP packets or HTTP.

• It was further developed by "NewEraCracker". It is the same program with the same DoS capabilities, but added was the ability to have a central Command and Control (C&C) server to control and synchronize the attack over IRC protocol.

• There also a Javascript version of LOIC that requires no software download at all. With this option, the hacktivist can just run the tool through the browser.

Operation Payback – Adopting methods of the Hacker Industry

Before Operation Payback gained much publicity due to its crippling of high-level institutions, there were a few hundred LOIC downloads per day. As media attention rose, the number of participants in the “voluntary botnet” increased, achieving a snowball effect. The numbers started to jump steadily. At first, over 3000 downloads. The following day the number tripled and started to increase in a rate of 1000 per hour. Although this is still speculation, the incredible surge in software downloads suggests that this campaign was no more run by “voluntary compromised” machines but rather involuntary infection. Meaning, this was no longer a social thing but a technical infection path. In fact, at a certain stage one of the campaign operators was requesting botnet farmers to donate their bots for this activity. One hacktivist offered his 30K botnet “horse power” for use in the campaign, while another claimed to add another 100K bot-size. In addition, the operators of the campaign started to camouflage the Javascript version behind appealing contents to lure users (such as porn) to unknowingly engage in the DDoS activity. With these evolving methods to conduct the DDoS attacks, it sounds like hacktivists are starting to learn from their counterparts, the industrialized hacking…

Advice - What can organizations do?

Implement security controls across all layers – The attack by Anonymous was carried out on the network layer. Implementing safety guards around this layer is necessary as it should stop the basic TCP flooding attacks. But what happens when the attacks proceed to other levels? HTTP flooding is one threat, while certain exploits in the business logic of an application, for example, could cripple a server.

Implement security controls across all servers – It was shown that this attack was very targeted against specific company sites. For example, the api.paypal.com server was a target. We can speculate that this server is PayPal’s weakest link and thus the easiest one to bring down. Attackers will always look for the easiest path to enter, so fortify your controls over all servers.

Next Column...

Pro-Wikileaks DDoS activity has died down some. When at its peak, the number of manual downloads per day reached over 27K. However, a week later there were less than 5K downloads. By then, 72% of Anti-Virus vendors marked LOIC as malicious. The Anonymous group has issued a statement that they are now going to focus on other campaigns to promote their protest. Until that happens, I’ll continue with the original intention. So stay tuned as I talk next column about Proxy Trojans.

Clarification

My previous column discussed interesting breaches of 2010. One of the featured items was FAA. This generated a lot of discussion due to its actual occurrence. The breach was a lead on an erroneously flagged 2010 breach at the Privacy Rights Clearinghouse (PRCH). The PRCH has rectified their report last week, on Dec. 2nd, 2010. I stand corrected too and thank you for pointing this out.

Further comments mentioned the much missing Wikileaks episode from the list. This was done deliberately as it is a breach caused by an Insider. This series of articles focuses on the external threat landscape.

view counter
Noa is a private consultant specializing in building thought leadership teams within tech companies. She is one of SecurityWeek’s first columnists with previous columns focusing on trends in the threat landscape. Her current interest lie on the business-side of security. Noa has worked for Imperva as a Sr. Security Strategist and before that, as a Sr. Security Researcher. She holds a Masters in Computer Science (specializing in information security) from Tel-Aviv University.