2011: Year of the hacktivists

Stratfor.com remains inoperative nearly three weeks after a Christmas Eve hacktivist break-in. To add insult to injury, a prankster has begun sending bogus e-mail messages to the online publication’s subscribers asking them to rate the company’s response to the breach, according to Sophos analyst Chet Wisniewski.

The attack on Strategic Forecasting — which supplies its subscribers with independent analysis on global affairs — capped an unprecedented year for online shenanigans fueled by ideological ire.

Crippled website

Much like the Occupy Wall Street protesters, members of the loose-knit Anonymous and LulzSec hacking co-ops — so-called hacktivists — were motivated by political and personal beliefs, and sought no financial gain.

And their hacking escapades seemed to spontaneously combust in private online chat rooms and on Facebook and Twitter.

“We saw groups of like-minded individuals banding together to make their voices heard,” says Michael Sutton, research vice president at security firm Zscaler. “Technology played a critical role in allowing hacktivist groups to communicate, share ideas and quickly act – something that was not always possible.”

News of the Stratfor caper broke on pastebin.com, an open website where programmers store and share code. (Interestingly, pastebin last week had to defend itself against a denial of service attack.) In what has become a familiar pattern, the Stratfor hackers posted a breezy “press release,” claiming to be from Anonymous.

As proof of the hack, the culprits disclosed credit card details for thousands of subscribers to Stratfor’s daily newsletters. Three separate lists contained payment card data for 3,956, 13,191 and 30,726 customers, respectively, says Mikko Hypponen, senior researcher at antivirus firm F-Secure.

Digital Robin Hood

Next, the hackers used stolen card numbers to make large donations to Red Cross, CARE, Save The Children, the African Child Foundation and other charity groups, posting screenshots of the transactions. However, the credit card companies in most cases retrieved the cash and hit the charities with chargeback fees.

“At first this looked a bit like the actions of Robin Hood,” Hypponen says. “In this case, the poor didn’t get a dime.”

The hackers’ sole whimsical demand: a “delicious” Christmas meal for Bradley Manning, the Army soldier being held since May 2010 on suspicion of supplying the WikiLeaks website with classified material.

“While the rich and powerful are enjoying themselves with all their bourgeois gifts and lavish meals, our comrade Bradley Manning is not having that great of a time in federal custody,” the press release states. “We want him out on the streets at a fancy restaurant of his choosing, and we want this to happen in less than five hours.”

Manning has emerged as a hacktivist touchstone. In December 2010, Anonymous temporarily crippled the websites of Visa, MasterCard, PostFinance, and PayPal in retaliation for those companies refusing to process payments from WikiLeaks. Those refusals stemmed from Manning’s arrest and the detention of WikiLeaks founder Julian Assange.

Hacktivists gone wild

In the 12 months since then, hacktivists have gone wild. A wise-cracking splinter group, LulzSec, emerged in early 2011. After Sony sued a young man for hacking the programming in his PlayStation gaming console, both collectives jumped into action.

Anonymous pilfered and posted payment card data for 77 million PlayStation Network and 25 million Sony Online Entertainment subscribers. LulzSec and others disrupted Sony websites in Canada, Japan, Europe and the Middle East.

Attacks followed against Bank of America, the U.S. Chamber of Commerce, government and law enforcement agencies, financial institutions, media companies and even a Mexican drug cartel. During the summer, Anonymous and LulzSec merged into a co-op referred to as AntiSec.

“In-your-face arrogance backed up by stunning success made Anonymous and LulzSec big tech news stories all year long,” says Josh Shaul, chief technology officer at Application Security. “Recruits were lining up, and hackers were teaching classes to get more people in on the action.”

And hacktivists’ level of skill advanced apace, says Kris Harms, principal consultant at network security firm Mandiant.

“Hacktivists today are as capable as organized crime groups and nation states were in years past,” says Harms. “In 2011, we saw organized crime groups using malware that was historically used by nation state sponsored attack groups, and we’ve seen hacktivists using techniques more common to organized crime.”

Lessons learned

Harms says the lesson for corporations and governments is obvious: “Today’s hacking groups will only get better, and most likely at a rate that exceeds most organizations’ defensive improvements. This is because they are learning from each other. Corporations and governments need to recognize break-ins are inevitable. 2012 will be the year of detect-and-respond for organizations desiring to stay out of the spotlight.”

Zscaler’s Sutton opines: “Arrests will be made and hacktivists will be outed, but it will have limited impact on the movements going forward. We’re not dealing with a structured entity where it is possible to cut the head off and slay the beast.

“Each subsequent attack discussed in the media inspires another wave of hacktivists to conduct their own efforts. Whether the attacks are carried out in an ‘official’ capacity or by a rogue entity acting in the name of another, is of little consequence – the outcome is the same. Enterprises and government organizations are having the networks breached and confidential data that they were entrusted with, displayed for the world to see.

“These attacks should serve as a wake-up call to enterprises everywhere to revisit what they are doing to secure their data. Anonymous should be the least of their worries – at least Anonymous is letting them know about the breach once it is discovered. For every Anonymous, how many criminal enterprises are out there stealing data for profit and it is going undetected for years?”

AppSec’s Shaul agrees: “All the success the hacktivists had using low-tech attack techniques in 2011 makes it clear just how vulnerable our sensitive data is. Attackers have turned their focus directly on to the databases, where the vast caches of information are stored.

“Information security teams need to shift their efforts to protect databases directly instead of the endless pursuit to seal off every endpoint and port on the network perimeter. While we’re all far more aware of the presence of hacktivists and the threat they represent, by and large, organizations continue to be far from ready to protect themselves in case of an attack. Anonymous is on everyone’s mind, but the it-won’t-happen-to-me attitude remains prevalent.”