LulzSec declares hacktivist war on corporations & governments

June 20th, 2011

By Byron Acohido

USA TODAY, 20June2011, P1B

LulzSec, the upstart hackitivist group, was busy over the weekend. First, it disavowed responsibility for the hacking of video game company Sega. In fact it added a new twist by offering to help Sega (once long ago a big name in video games) track down the perpetrators.

And this morning, the group announced that it was partnering with the long established hacktivist crew, Anonymous, in launching what the two headline-grabbing gangs dub: Operation Anti-Security.

Related story: Who’s who in LulzSec

Essentially, LulzSec and Anonymous have just declared open cyberwarfare against big governments and giant corporations. An excerpt from LulzSec’s  declaration:

Welcome to Operation Anti-Security (#AntiSec) – we encourage any vessel, large or small, to open fire on any government or agency that crosses their path…Top priority is to steal and leak any classified government information, including email spools and documentation. Prime targets are banks and other high-ranking establishments.

The rapid ascension of the hacker group LulzSec, if sustained, could signal a revival of cyberattacks carried out primarily to humiliate companies and government agencies.

“We’ve got some very powerful hackers apparently showing the world they’re powerful enough to break into any organization they want to,” says Josh Shaul, CTO at Application Security. “So why are they doing that? The best answer is because right now they can. And who knows what they’re setting themselves up to do in the future.”

Recent targets

After twice disrupting the U.S. Senate’s website last week, then knocking the CIA’s website off line, LulzSec on Friday issued a press release via Twitter declaring: “This is the Internet, where we screw each other over for a jolt of satisfaction.”

It’s no idle rant. LulzSec — which appears to have splintered from the renowned hacktivist group, Anonymous — has also successfully hacked Sony several times, as well as the FBI, Fox, PBS, Nintendo and others.

Hotz

The Sony hacks stemmed from the entertainment giant suing a young hacker, George Hotz, for reprogramming his PlayStation 3 gaming console; the PBS hack followed the network’s airing of a Frontline documentary LulzSec deemed unfair to WikiLeaks, the anti-secrecy group.

According to its press release, LulzSec is not seeking criminal profit nor participating in cyber espionage. “We do things just because we find it entertaining.” The group’s name is a play on LOL (laugh out loud) Security. It issues bombastic press releases, produces animated videos, and uses a mustachioed cartoon character as a logo.

“The organizations have mostly been targeted for political reasons and the data release or defacement is to display scorn for and humiliate the target,” says Kurt Baumgartner, senior researcher at Kaspersky Lab. “Sometimes  they claim they like the games too much and the hack is for pure sport. In other words, they feed on the public attention for their activity and are fairly eccentric.”

Smooth operations

Yet behind the surface frivolity lies a smootth running campaign orchestrated by highly-skilled programmers and creative multi-media artists, security analysts say.

The group maintains an impregnable website, lulzsecurity.com, where it posts data stolen as part of its escapades. Indeed, on Friday the group posted 62,000 random e-mail and social network account logons — with passwords. In the accompanying statement, LulzSec appears to encourage folks to use the logons to access the accounts and play practical jokes on the account holders.

“It’s a good reminder that we need to use strong passwords for all of the online systems that are important to us,” says Shaul.

Sutton

Groups like Anonymous and LulzSec are viable due to a confluence of developments, says Michael Sutton, vice president of research at security firm Zscaler. Role-paying video games and social networking has made collaborating with complete strangers second-nature; powerful, easy-to-use hacking and hiding programs are readily available; and corporations haven’t kept up, he says.

“Anonymous and LulzSec are determined and they have ignificant numbers,” says Sutton. “And when attackers band together with a common goal they often succeed.”

As hacktivist groups rise in profile, copycats will likely emerge, says Marcus Ranum, chief security officer of Tenable Network Security. “That’s part of the transition were seeing,” says Ranum. “There’s a tremendous amount of resentment against this idea that corporations own the Internet.”

‘Leaving breadcrumbs’

Frank Kenney, VP of Global Strategy at Ipswitch, says the more active the hacktivists become, the more likely some of them will be caught — and be made an example of.

Kenney

“When you impede the ability of a company to make money, when you put up a web site and start to have Twitter feeds, you start to leave enough breadcrumbs,” says Kenney. “This could lead to a very high-profile, I’m-going-to-make-an-example-of-you type of prosecution.”

Meanwhile, organizations would do well to keep LulzSec and Anonymous on their radar screen, says Mike Paquette, chief strategy officer at Top Layer Security.

Opines Paquette: “In general, if your organization has information that could be considered valuable by any group, or is doing anything that may be considered controversial amongst any constituent or affected community, and you’re not prepared for a cyber response, you’re probably not taking this seriously enough.”

-While this recent activity seems to be motivated by ideology, I would not yet call this a “shift.”   Organizations must continue to plan their security strategy assuming t

-While this recent activity seems to be motivated by ideology, I would not yet call this a “shift.” Organizations must continue to plan their security strategy assuming that attackers may be motivated by financial gain or by political activism. In general, if your organization has information that could be considered valuable by any group, or is doing anything that may be considered controversial amongst any constituent or affected community, and you’re not prepared for a cyber response, you’re probably not taking this seriously enough.

Mike Paquette, chief strategy officer at Top Layer Security

hat attackers may be motivated by financial gain or by political activism.   In general, if your organization has information that could be considered valuable by any group, or is doing anything that may be considered controversial amongst any constituent or affected community, and you’re not prepared for a cyber response, you’re probably not taking this seriously enough.

Mike Paquette, chief strategy officer at Top Layer Security