Following LulzSec Arrests, AntiSec Supporters Attack Panda Security

After news of the FBI’s arrest of LulzSec’s leader Sabu became public, including the fact he was a cooperating witness in an ongoing criminal investigation, Panda Labs published a blog post titled “Where is the lulz now?” Not long after that post was made, AntiSec supporters attacked Panda Security, defacing more than 30 sub-domains used by the company.

In the message promoting the raid, AntiSec claimed that Panda’s antivirus offerings were compromised. Moreover, the statement left behind after the attack claimed that Panda “...has earning money working with Law Enforcement to lurk and snitch on anonymous activists (sic).”

However, the incident appeared to be triggered after the blog post was published. Written by Panda’s Technical Director, Luis Corrons, the offensive post reported the news of the FBI’s moves against LulzSec, and the status of its leader Sabu.

“I have just read that LulzSec members have been arrested and that their main head Sabu has been working as an informant for the FBI. It turns out he was arrested last year, and since then he has been working with Law Enforcement. As I said, really good news :),” Corrons wrote before the blog was attacked.

“Will this mean the end of Anonymous? No. It will mean the end of LulzSec, but Anonymous existed before LulzSec and will continue existing. However we probably won’t see any more hacks as the ones LulzSec had been perpetrating, and Anonymous will only use their known childish tactic of DDoS using their LOIC tool.”

The AntiSec defacement noted, “he asked for the lulz...,” and included details related to LogMeIn accounts, the contents of the server’s Shadow file, and dozens of email addresses and passwords.

Earlier this morning, Panda Security issued the following statement:

This server (hosted outside of the Panda Security internal network) was used only for marketing campaigns and to host some of the company's blogs. Neither the main website www.pandasecurity.com nor www.cloudantivirus.com were affected in the attack. The attack did not breach Panda Security's internal network and neither source code, update servers nor customer data was accessed. The only information accessed was related to marketing campaigns such as landing pages and some obsolete credentials, including supposed credentials for employees that have not been working at Panda for over five years.


We continue investigating the cause of the intrusion and will provide more details as soon as they become available.

That this attack happened so soon after the FBI’s announcement and confirmation that one of their own betrayed them (LulzSec was associated with Anonymous, and AntiSec is comprised of Anonymous supporters) is very likely a sign of things to come.

“Hacking, hacktivism and all things security threat related will not be going away no matter who is arrested, how many hackers are caught, or what the headlines read,” commented HP’s Enterprise & Cloud Security Strategist, Rafal Los. “This is the nature of threat, and for better or worse, the human condition. There will always be more, new, bad people...This phenomenon is like a classic hydra where if you ‘chop off the head’ two more spring up in its place, and the threat continues.”

Some experts have stated that Sabu’s betrayal will create trust issues between Anons and that things may slow down. That’s false hope.

While there may be trust issues within Anonymous because of what Sabu did, the fact remains that there have always been trust issues within Anonymous. It’s part of their culture. Business leaders and network defenders need to remember that just because they might have issues internally, Anonymous and those supporting them are still capable of ruining your day.

Even as this story was being written, Anonymous remained active, defacing the Vatican’s website in response to the Church’s conservative doctrine and previous scandals within the Roman Catholic Church. “Today, Anonymous has decided to put your site under siege in response to your doctrine, liturgy and the absurd and anachronistic rules that your profit-making organization spreads around the world...,” the website’s defacement said.

At the time this story was published, www.vatican.va remained offline.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.