One of the biggest data security stories to come out of 2011 is the persistent and dangerous threat presented by hacktivists. Though this form of protest – which combines hacking and activism – has been around for years, 2011 saw the practice taken to new heights with the emergence of several new groups dedicated to a cause or simply stirring up a bit of mayhem.
Hacktivism groups generally employ purposeful, targeted attacks aimed at specific organizations or institutions that they deem offensive for one reason or another. The attacks are often political in nature and carried out as a form of protest against the target.
The issue of hacktivism has been a contentious one, as several of the campaigns are easy to sympathize with. For example, in October, hacktivism group Anonymous launched Operation Darknet, a campaign dedicated to infiltrating and taking down one of the largest child pornography sharing rings on the web. In total, some 40 websites went offline as a result of the attack. Anonymous then publicly humiliated the offenders by publishing their names and other personal details online.
On the flip side, hacktivism groups have been involved in several less altruistic cases as well. In April, for example, Anonymous revealed that it would level attacks against several Sony websites in protest of the company’s lawsuit against blogger George Hotz, who was sued by the electronics giant for jailbreaking and reverse engineering the PlayStation 3. Anonymous claimed Sony had gained access to the IP addresses of the visitors of Hotz’s blog.
Though, again, Anonymous’ actions have a sympathetic angle – standing up for what it sees as an act against free speech and a violation of privacy – this attack seems to have a more personal and possibly vindictive intent than Operation Darknet. Such inconsistency is one aspect that makes hacktivism such a dangerous and troubling threat.
In addition to Anonymous, Lulz Security, or LulzSec, was one of the biggest names in hacktivism in 2011. The group, which first surfaced in May, was noted initially for actions that were less political and more prankster-style than those of Anonymous. Operating under the tagline “Laughing at your security since 2011!” LulzSec claimed responsibility for attacks against Sony Pictures, Fox.com, Bethesda Game Studios and others.
In late June, after 50 days of heavy activity, LulzSec – seemingly voluntarily – announced that it would end its rampage, which counted corporations, government agencies and private citizens among its victims. According to one member, the group was simply getting bored with the activity and had always intended to limit the length of its campaign.
But that wouldn’t be the last time people heard from LulzSec. Almost immediately after it disbanded, several LulzSec members teamed up with Anonymous in a newly launched AntiSec movement. The campaign seemed to be more in line with Anonymous’ mantra, taking on a decidedly more political feel than LulzSec’s earlier attacks.
LulzSec itself re-emerged briefly in August to wage an attack against the News Corporation-owned newspaper the Sun. The group managed to hack the Sun’s website and post a fake story about the death of News Corp CEO Rupert Murdoch, who had been receiving significant media attention at the time for his company’s involvement in several phone hacking incidents.
The hacker group also inspired a number of offshoots, including Script Kiddies, which claimed responsibility for hacking the Twitter account of NBC News and posting bogus information about an airline hijacking a few days before the September 11 anniversary.
Flaws in the system
Activity from LulzSec and Script Kiddies – and even the hacktivist movement as a whole – has cooled down considerably in recent months. One of the main reasons for this is likely the unorganized nature of the movement.
Anonymous, LulzSec and others pride themselves on having no central leadership, a characteristic that makes the groups difficult to predict and safeguard against. However, this can also cause internal problems, as some of the groups’ activities seem to be disjointed at times.
This may have been the case in the supposed attack against the New York Stock Exchange (NYSE). In October, Anonymous claimed in a YouTube video that it was planning to take down the NYSE’s website in support of the Occupy Wall Street movement. A few days later, the website did indeed go offline for about 30 minutes, though the damage from the attack appeared to be minimal – especially by Anonymous’ standards.
This caused some confusion around the incident, and people questioned if the NYSE had thwarted the attack or whether Anonymous was even involved at all. In another video, Anonymous claimed that it did not wage an attack against the NYSE website, and its earlier threat was intended to mislead the media.
Speculation arose immediately, as data security experts and media pundits alike wondered if the second video was just a move by Anonymous to cover its flub. Others pondered whether a few hackers had gone rogue from the main group and attempted to carry out the attack alone.
Whatever the reason, the lack of organization does occasionally seem to work against Anonymous and its fellow hacktivism groups. Security solutions provider McAfee has even gone so far as to predict that this disorganization could cause Anonymous to break up in 2012.
Although hacktivism attacks have slowed down in recent months, they have by no means dissipated. Just days before Christmas, Anonymous apparently struck again in an attack against security firm Stratfor, stealing email addresses and credit card information.
Prior to that, Anonymous had been linked to protests connected to the Stop Online Piracy Act (SOPA) and the Muslim Brotherhood.
At the same time, authorities have been cracking down on hacktivism activity, arresting several members of Anonymous and others. In August, for example, U.K. law enforcement officials arrested an 18-year-old who allegedly operated under the name Topiary and was associated with Anonymous and LulzSec.
The FBI has also stepped up its efforts against hacktivism, launching in-depth investigations into a number of incidents and arresting a 23-year-old Phoenix man believed to be connected to LulzSec.
This increased focus from law enforcement officials is likely to come as good news for the corporations and government agencies that could unsuspectingly find themselves on the receiving end of hacktivism groups’ activities. Given that it is typically difficult to guard against hacktivism hits – which often come in the form of distributed denial of service attacks – pressure from authorities may ultimately prove to be the best defense against these groups.
Security News from SimplySecurity.com by Trend Micro