NEW YORK – LulzSec took down the CIA’s website in mid-June in an effort to prove to the world that the hacker group should be taken seriously.
But in the truly grand ecosystem of cybercriminals, LulzSec, Anonymous, AntiSec and other so-called “hacktivist” organizations are much more of a nuisance than a serious threat. They’re fringe groups that are by far the least worrisome of all cyber attackers.
“This isn’t juicy stuff that they’re getting from their attacks,” said Eric Fiterman, founder of Rogue Networks, a security startup housed in an incubator backed by the University of Maryland Baltimore County. “They themselves don’t know the full cybercrime ecosystem, and they tend to over-inflate their position in the hierarchy.”
The global cybercrime universe is terrifying: Cybercrooks often work in organized crime syndicates like the Mafia. Some defraud banks, and many others are government agents that spy on foreign entities and corporations. They threaten our financial systems, our economy, and our national security.
Comparatively, hacktivist groups are the equivalent of graffiti artists, prank callers, hazers and bullies. Like pranksters, they tend to be young, poorly funded and immature. They seek to embarrass companies, individuals and government agencies in order to make a statement.
They’re also extremely disorganized — the name “Anonymous” is much more of a brand than an actual organization. Solo hacktivists and independent, small groups often band together under its banner. One of the loudest of those groups became LulzSec.
That’s not to say Anonymous and its offshoots should be ignored. Its ranks include many skilled hackers who have been able to steal information from the Senate and Arizona state police websites, as well as data from major corporations like Sony (SNE), Bank of America (BAC, Fortune 500) and Nintendo. They’ve also successfully blocked access to the websites of Visa (V, Fortune 500), MasterCard (MA, Fortune 500), the CIA — and, most recently, several News Corp. (NWS) newspaper websites.
LulzSec and Anonymous often gain entry through the same methods that the real bad guys use. Typically, they use so-called “SQL injection,” an attack technique that has been around for more than a decade. It exploits a coding error in the website itself, not in the database behind it: when a site pastes whatever a visitor types (a search term, a login name) straight into the query it sends to its database, a carefully crafted input can rewrite that query and pull out information the site was never meant to hand over.
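The injection pattern described above, shown as an added example against an in-memory SQLite database. This is illustration code written for this page, not code from the article or from any of the groups, sites or companies it names; the table, its rows and the payloads are all constructed, and the function names are assumptions.

```python
"""Added example: a SQL-injectable lookup beside its parameterised fix.

Everything here is constructed for illustration: the 'users' table, the
three accounts in it, and the attack strings. Nothing is taken from any
site mentioned in the article.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway database holding a small, constructed 'users' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.org", "hunter2"),
            ("bob", "bob@example.org", "correct-horse"),
            ("carol", "carol@example.org", "s3cret"),
        ],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The coding error the article alludes to: the visitor's input is pasted
    into the SQL text, so a quote in the input ends the string literal and
    whatever follows becomes part of the query's logic."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """The fix: a parameterised query. The driver sends the value separately
    from the SQL text, so quotes in the input are data, never syntax."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Payload 1: turns a one-row lookup into a dump of every row, i.e. the lists
# of usernames and e-mail addresses the article describes being posted.
DUMP_PAYLOAD = "' OR '1'='1"

# Payload 2: a UNION pulls a column the page never displays (password) into
# the result set; the trailing '--' comments out the closing quote.
UNION_PAYLOAD = "' UNION SELECT username, password FROM users --"


def demo() -> dict:
    """Run the three lookups and return their results for inspection."""
    conn = make_db()
    return {
        "normal": find_user_vulnerable(conn, "alice"),
        "dumped": find_user_vulnerable(conn, DUMP_PAYLOAD),
        "union": find_user_vulnerable(conn, UNION_PAYLOAD),
        "blocked": find_user_safe(conn, DUMP_PAYLOAD),  # [] : no such user
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The point of the fix is that escaping or filtering quotes in the input is not what makes the safe version safe; it is that the query text and the value travel to the database separately, so no input can change the query's structure.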
The key difference between hacktivists and more serious criminals lies in their motivation. Anonymous isn’t interested in stealing data like credit card numbers, payroll information or information critical to national security for profit. Instead, they hack to gain attention for themselves and their causes.
Hacktivists go in, get out, and post whatever they were able to find quickly. They don’t take the months or years it would take to really do significant damage.
Typically, hacktivists have gone after lists of usernames and e-mails associated with a particular site, but in some cases they’ve been able to access — and make public — embarrassing internal corporate e-mails.
If they can’t quickly hack a site, they have also been known to launch “denial of service” (DoS) attacks, which flood a website’s server with more traffic than it can handle. That kind of attack isn’t technically a hack, since it never compromises the site or the data behind it; a DoS attack just prevents people from reaching the targeted website for as long as the flood lasts.
Hacktivists can be obnoxious. But dangerous?
Right before Karim Hijazi was contacted by LulzSec in late May, he knew something was coming.
Hijazi runs a company called Unveillance, which monitors and attempts to commandeer botnets — large groups of infected computers that cybercriminals use to perform malicious acts, ranging from sending spam to launching DoS attacks to disguising their location and identity.
On May 25, Unveillance’s servers started to get hit with an unusually high level of activity from attackers attempting to break in. Hijazi took extra precautions to ramp up security and keep the attackers out. It worked, and he thought he was secure.
But what Hijazi didn’t realize was that LulzSec was playing with loaded dice. From an earlier attack on the website of Infragard Atlanta, a cybersecurity alliance Hijazi participates in, the hacking group had already obtained Hijazi’s personal e-mail address and the password to that account.
Unable to break into Unveillance’s systems, LulzSec contacted Hijazi in an e-mail and put his password in the subject line. Hijazi said the group demanded money or access to a botnet, which it planned to use for future attacks.
Hijazi didn’t comply. Soon after, LulzSec posted his work and personal e-mails online for all to see. They further embarrassed Hijazi by claiming that he had paid them to attack his competitors.
In the end, Hijazi’s reputation was damaged, but LulzSec didn’t get their hands on a botnet.
Muckraking and smear campaigns have so far been hacktivists’ most successful method of attack.
For instance, LulzSec — then operating under the Anonymous banner — couldn’t penetrate the systems of security contracting firm HBGary Federal. But it was able to crack open corporate e-mails and found some pretty salacious stuff, including plans to help the U.S. Chamber of Commerce, an industry trade group, undermine its political opponents through a sabotage campaign. That led to the resignation of HBGary Federal’s CEO, Aaron Barr.
HBGary CEO Greg Hoglund acknowledged that hacktivists can indeed cause damage, but his view is that their capabilities are still very limited compared to their much more sophisticated cybercrime peers.
“What happened at HBGary pales in comparison to what happened to Sony,” Hoglund said. “I was quite embarrassed that my e-mail was put online, but that was really the extent of it.”
The attention hacktivists get is often far out of proportion to the scale of their exploits.
“When the CIA’s site went down, it was just a public facing site with no significant information,” Hijazi said. “A denial of service attack is not a big deal. But to most people, hearing that the CIA went down sounds scary.”
And that’s exactly what LulzSec wanted. They love the attention. In fact, the CIA DoS attack was carried out because a Twitter follower accused them of taking on targets of little consequence. So they aimed for a high-profile victim — with a low-tech attack. Even LulzSec acknowledged the trick’s ease, tweeting, “People are saying our CIA attack was the biggest yet, but it was really a very simple packet flood.”
If there’s anything positive to come from all the attention they’ve been getting, it’s that hacktivists have upset the apple cart enough to shine a light on the global cybersecurity problem.
“The great irony of all of this is that LulzSec has had a positive effect on security,” said Deepak Taneja, chief technology officer of Aveksa, a security software company. “They’re nothing, they’re pranksters. But all the press that they’re getting has helped security permeate the C-suite level at companies. Now, they’re waking up to the risk management they really need to defend against the more serious threats.”
But hacktivists are just the very tip of the iceberg. The most serious threats are powerful, dangerous, and loaded with cash — and they’re operating in the shadows.
This is part one of a week-long series on the ecosystem of cybercrime.