Governments use hacktivist tools to squelch ‘Arab spring’ revolts

By Byron Acohido, USA TODAY cover story, p. 1B, 25 July 2012

LAS VEGAS – Denial-of-service attacks are surging all across the Internet.

Individuals and groups have perfected the art of knocking websites offline for hours, days or sometimes much longer.

Such attacks surged nearly 70% in the first six months of 2012 vs. the same period in 2011, according to statistics released exclusively to USA TODAY by Prolexic, a Hollywood, Fla.-based website defense firm.

And it’s not just the usual suspects who are responsible. The attacks increasingly have a geopolitical bent.

Two prominent global hacktivist collectives — Anonymous and LulzSec — gained notoriety over the past two years for disrupting the Web presence of scores of corporations and government agencies, then bragging about it on Twitter, YouTube and Facebook. Their standing motive: Mete out punishment for perceived bad corporate practices and unfair government policies.

The FBI earlier this year coordinated the arrests of LulzSec’s alleged ring.

But the new twist on denial-of-service attacks is that they often appear to be carried out by governments bent on squelching online discussions of political corruption and human rights abuses in places such as Burma, North Korea, China, Russia and Africa, say tech-security and Internet experts.

Although the emerging evidence is largely anecdotal, it appears that entrenched governments in political hot spots are rapidly embracing the latest hacktivist techniques. Their endgame: Avoid a repeat of the Arab Spring uprisings in Egypt, Tunisia and elsewhere in which political reformers rallied supporters primarily over the Internet.

Supporters of established regimes are moving early and often to quash criticism in blogs, online publications and human rights websites with denial-of-service attacks before such discourse gets amplified on Facebook, Twitter and other social-media sites.

“We are seeing nation-states use such techniques as a precursor to physical warfare or as a way of silencing dissent,” says Harry Sverdlove, chief technology officer at tech security firm Bit9.

Predictable patterns

This rising tide of denial-of-service attacks — in support of divergent motives — has surfaced as a hot topic at the Black Hat security conference being held here this week at Caesars Palace.

In a Bit9 survey in April of 2,000 information technology professionals, 61% of respondents were concerned about their organization becoming the target of a hacktivist attack.

And some 35% of the respondents who participated in a February Arbor Networks survey of 114 Internet service providers globally reported dealing with denial-of-service attacks motivated by political or ideological beliefs.

“We are so networked and reliant on information technology that many more people and organizations can be hit,” says Chris Day, chief security architect at Terremark, a provider of IT infrastructure and cloud services.

The brief takedown of Eurovision.tv, the Swiss site supporting a long-running multinational singing contest, is a case in point. Held last year in Azerbaijan, the Eurovision contest finals drew the attention of an anti-gay rights group reportedly with close ties to Iran, says Matthew Prince, chief executive of CloudFlare, a website protection firm.

The group Cyberwarriors For Freedom launched a denial-of-service attack against Eurovision.tv to protest the inclusion of a gay singer in the finals, Prince says.

“Knocking a song contest offline doesn’t seem earth-shattering,” Prince says. “But the same resources had also been used to attack political organizations advocating for more liberal policies in the Middle East.”

Attacks intended to cripple the websites of groups aligned with liberal causes are on the rise and have begun to fall into a predictable pattern, says Thomas Hughes, managing director of VirtualRoad.org, a non-profit website-hosting company for 50 independent news publications and human rights groups in a dozen nations.

Reports of high-ranking officials caught in embarrassing situations as well as news coverage of the anniversaries of events with historical significance to the downtrodden are typical triggers for attacks, Hughes says.

A year ago, a typical denial-of-service attack against an independent news outlet or human rights group might have involved 500 computers sending nuisance requests to a targeted website, disrupting access to the site for a few hours. Now up to 5,000 computers might carry out such an attack, for days at a time, Hughes says.

“The key trend is the scaling up of these attacks, and the degree of sophistication,” Hughes says. “The Internet has become the new battleground for freedom of expression.”

Tools of the trade

A denial-of-service attacker’s tool of choice is a botnet — a network of hundreds or thousands of infected PCs he or she controls that methodically bombards a website with nuisance requests, thereby cutting off public access to the site.

Criminals use botnets to spread viral spam, infect Web pages and search results, steal from online financial accounts, and sell bogus drugs and software.

One in three personal computers is infected with botnet malware, estimates network monitoring firm Damballa. And 22% of the approximately 1 billion PCs connected to the Internet are actively under control of a botnet operator, the firm says.

Gunter Ollmann, Damballa’s research director, says that many botnets exist solely to be hired out on an hourly basis to conduct denial-of-service attacks. “In the cybercrime ecosystem, this has become a separate service,” Ollmann says.

What’s more, Anonymous has popularized the use of a simple new tool that makes it easy for anyone to volunteer his or her PC to participate in an ongoing attack. Tens of thousands of individuals downloaded the simple tool to join the attacks that disrupted the websites of Visa and MasterCard. They were protesting the card companies’ decision to cut off services to WikiLeaks, the controversial disclosure website.

“One of the top factors contributing to the escalating threat is the availability of tools used to carry out these attacks,” says Carlos Morales, engineering vice president at Arbor Networks.

Anatomy of an attack

Daniel Joseph, an official with the Junta Central Electoral (JCE) — the Dominican Republic federal agency responsible for running elections — knows all too well how much trouble it can be to defend against a well-planned denial-of-service attack.

In early spring, hacktivists referring to themselves as Anonymous Mexico began to call for Dominicans to boycott the nation’s May 20 presidential elections, while also vowing to knock down JCE’s website, Joseph says. Just a few minutes before the polls opened, the hacktivists began an intense attack to flood the electoral board’s website with nuisance requests, says Paul Sop, senior analyst at Prolexic, which helped deflect the assault and keep the agency’s website up.

When the flooding technique proved ineffective, the attackers shifted to an attempt to directly penetrate and overwhelm the agency’s Web server. The battle ensued throughout Election Day and for 12 hours after the polls closed. “But we were able to stop them,” Sop says.

Joseph notes that in addition to helping run elections, JCE’s website plays a pivotal role in supplying Dominicans with birth certificates and other important services.

“If Anonymous would have been successful, the impact would have been tremendous,” Joseph says. “That’s why we decided to keep the website online and very well protected.”

Security and Internet experts anticipate that many more companies, non-profits and government agencies globally could be facing similar decisions in the months to come.

“Hacktivism is a chaotic element,” observes Tom Cross, research director at network monitoring firm Lancope. “It’s hard to predict exactly where it will strike, and there’s a wide variety of people with differing motives who could pull off a denial-of-service attack.”

Cross believes an Election Day attack in South Korea late last year on a website providing information about polling locations, and similar election-related attacks in Russia and Hong Kong, could be harbingers of things to come.

“I hope that we don’t see denial-of-service attacks in association with the U.S. presidential elections, but it’s a distinct possibility, and we need to be prepared for it,” he says.