Cyber-attackers are hitting higher-profile targets for financial gain, for “hacktivist” causes or just for fun
Cyber-attacks have dominated headlines this summer as government agencies, large organisations and small businesses have been hit by malware, distributed-denial-of-service attacks and network intrusions. On the personal front, individuals’ email and social networking accounts have been hijacked.
Most cyber-attackers are motivated by money, whether it’s by looting bank accounts or selling stolen information to other criminals, said Josh Shaul, CTO of Application Security. However, there’s been a surge in politically motivated attacks in the past few months as a number of groups—including the notorious hacker collective Anonymous—turned to cyber-attacks as a form of protest.
PandaLabs researchers predicted last December that the cyber-protests that have added the word “hacktivism” to the English language will continue to grow in frequency because they’ve been so effective in getting attention.
In the past few months, even hacktivism has been transformed as tactics and motivations have evolved. In the past, cyber-protesters generally defaced Websites or launched DDoS attacks to express their discontent.
In these DDoS attacks, Websites were overwhelmed with large volumes of server and database requests and became inaccessible to legitimate site visitors. For the most part, the majority of hacktivism relied on low-tech techniques for its activities, Shaul said.
Anonymous encouraged supporters to download the Low Orbit Ion Cannon tool and to “fire” millions of packets at the targeted site. The program didn’t do anything overly complex other than to use an automated script to repeatedly send a simple request to the target Web server in a very short period of time.
Some of their past targets included “anti-piracy groups,” such as the Motion Picture Association of America and the Recording Industry Association of America; businesses that cut off ties with WikiLeaks; or even the totalitarian regimes in North Africa facing pro-democracy demonstrations.
Provoking the beast
Things changed when Aaron Barr, then-CEO of HBGary Federal, bragged about having unmasked the identities of several Anonymous members. Some members breached HBGary Federal’s email server in February and posted stolen emails and sensitive documents onto a wiki, WikiLeaks-style.
Several researchers told eWEEK Europe UK that the attack on HBGary Federal was a sign of hacktivists adopting new and more aggressive tactics to express their displeasure.
The shift to data theft was even more pronounced as a group of six individuals, under the name of LulzSecurity, went on a hacking spree for 50 days from May to June this year. LulzSec went after various Sony properties to expose the poor security practices still prevalent after the massive PlayStation Network and Sony Online Entertainment breach in April.
In subsequent attacks, LulzSec breached insecure servers at various media and software companies to harvest user names and passwords. The group publicised the information by posting it on Twitter, sharing it on Pastebin or creating torrent files for download.
While it continued to deface Websites (such as PBS.org and the Westboro Baptist Church) and launch DDoS attacks (on sites such as Britain’s Serious Organised Crime Agency and the United States Senate), LulzSec was increasingly stealing user data in the name of “lulz,” or entertainment. In its press releases publicising its attacks, LulzSec regularly chided government and big businesses for failing at basic security.
“What’s disturbing is that so many Internet users appear to support LulzSec as it continues to recklessly break the law,” said Chester Wisniewski, senior security adviser at Sophos.
The attack methods used by Anonymous and LulzSec “aren’t particularly sophisticated,” as they are using well-known methods and readily accessible penetration testing tools to find and exploit vulnerabilities, said Roel Schouwenberg, senior antivirus researcher at Kaspersky Lab. “Yet, they’ve managed to hit high-profile targets.”
“The one good thing coming from these hacktivist attacks is that they highlight the current state of security technology in organizations that are believed to have the highest level of security,” said Anup Ghosh, founder and chief scientist at Invincea.
Power without responsibility
LulzSec also blurred the line between exposing security issues and malicious activity, as the group came under fire for publicizing the personal information it had stolen after breaching Sony Pictures Entertainment and other targets. The individuals were victimized twice, first by having their accounts compromised and then by having their sensitive data leaked for other malicious parties to steal their identity.
“There are responsible ways to inform a business that its Website is insecure, or that it has not properly protected its data; you don’t have to put innocent people at risk,” pointed out Wisniewski of Sophos.
LulzSec and Anonymous also encouraged supporters to hack into, steal and publish classified government information from any source. On Twitter, various members claimed the attacks were necessary to expose the alleged lies and illegal activities governments were covering up.
After LulzSec disbanded, Anonymous took up where the group had left off, going after government agencies and defense contractors to punish them for certain activities. Anonymous targeted Booz Allen Hamilton partially for its participation in government surveillance and intelligence-gathering programs. Attackers stole and dumped log-in credentials for 90,000 military employees from the consulting firm.
Anonymous also hit FBI contractors after law enforcement authorities arrested several people suspected of taking part in the group’s DDoS campaigns.
Even though hacktivists are increasingly targeting defense contractors and government agencies, they aren’t the only ones doing so, said Invincea’s Ghosh. These types of cyber-incidents can obscure the fact that these organisations are targeted and routinely compromised by aggressive cyber-campaigns carried out on behalf of nation-states, he added.
Invincea Labs researchers have uncovered and analysed “sophisticated spear-phish” attacks that targeted the defense and intelligence community, which likely had nation-state involvement, Ghosh reported.
These kinds of spear-phishing attacks are on the rise as adversaries target the most inviting vulnerability: human curiosity, Ghosh said. A large percentage of the high-profile breaches disclosed over the past two years—including Night Dragon, Google, RSA Security and Oak Ridge National Labs—engaged some spear-phishing elements, according to Invincea.
An eye-opening experience
While there have always been cyber-criminals, people generally were not aware of what was happening or exactly what was being stolen, said Samuel Lellouche, a senior product line manager at ActivIdentity. He added that, thanks to social networking, mobility, e-banking and cloud services, there’s more and more data “out there to steal,” so there will be increased cyber-activity.
The increase in data breaches and cyber-attacks is also making it easier for organizations to admit that they’ve been hit.
“The hacktivist’s goal is to bring their actions to the public, which is why we hear so much more about these attacks,” Lellouche said. In contrast, cyber-criminals want to stay unnoticed so that they can keep stealing.