2/5/2014 11:26 AM

British Spies Hit Anonymous With DDoS Attacks

British cyber agents attacked Anonymous chat rooms, leaked intelligence documents show.


The British government targeted Anonymous and LulzSec by launching distributed denial-of-service (DDoS) attacks against chat rooms used by those groups' members.

The existence of the attack campaign, which was dubbed "Rolling Thunder," was first reported by NBC News, which published a secret intelligence presentation that was leaked by former National Security Agency (NSA) contractor Edward Snowden.

"This makes British government the only Western government known to have launched DDoS attacks," tweeted Mikko Hypponen, chief research officer at F-Secure.

The attacks occurred in Sept. 2011, according to the presentation, which was prepared for a 2012 conference called SIGDEV (short for "signals development"). The document itself, which NBC partially redacted, is labeled "top secret" and says it's restricted to the United States, Australia, Canada, Great Britain, and New Zealand. Not coincidentally, those are the countries that comprise the so-called "Five Eyes" intelligence-sharing alliance.

According to an undated "irc.anonops" chat log included in the presentation, a chat room participant said that the IRC network had been hit by a SYN flood. A SYN flood is a denial-of-service (DoS) or DDoS technique that abuses the three-way TCP handshake used to open a connection: the attacker sends a stream of SYN packets, typically with spoofed source IP addresses, and never sends the final ACK, so the server is left holding a half-open connection for each one. Once the server's backlog of half-open connections is full, it drops new SYNs, including those from legitimate users, and the service becomes unreachable.
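To make the backlog-exhaustion mechanism concrete, here is a small Python model of a listening socket's half-open table, added for illustration; it is not code from the article or from the leaked presentation. The backlog size, the documentation-range addresses, the constructed server secret and the HMAC-based stateless cookie are all simplifications chosen for this example (real SYN cookies also fold in a timestamp and encode the MSS, and real kernels eventually time out half-open entries).

```python
import hmac
import hashlib
import random
import secrets

MASK32 = 0xFFFFFFFF


class Listener:
    """Toy model of a TCP listening socket's half-open connection table.

    Simplification (assumption of this example): half-open entries never
    expire. Real kernels drop them after a few SYN-ACK retransmissions,
    which is why a flood has to be sustained to keep the backlog full.
    """

    def __init__(self, backlog=128, syn_cookies=False, secret=None):
        self.backlog = backlog
        self.syn_cookies = syn_cookies
        self.secret = secret or secrets.token_bytes(16)
        self.half_open = {}       # (src_ip, src_port) -> server ISN
        self.established = set()
        self.dropped_syns = 0

    def _cookie(self, src_ip, src_port):
        # Stateless ISN derived from the peer address and a server secret.
        # Simplified SYN cookie: no timestamp or MSS encoding.
        mac = hmac.new(self.secret, f"{src_ip}:{src_port}".encode(),
                       hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def recv_syn(self, src_ip, src_port):
        """Handle a SYN; return the ISN sent in the SYN-ACK, or None if dropped."""
        if self.syn_cookies:
            return self._cookie(src_ip, src_port)   # nothing stored per SYN
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1                  # backlog full: SYN dropped
            return None
        isn = random.getrandbits(32)
        self.half_open[(src_ip, src_port)] = isn
        return isn

    def recv_ack(self, src_ip, src_port, ack):
        """Handle the handshake's third packet; return True if established."""
        key = (src_ip, src_port)
        if self.syn_cookies:
            if ack == (self._cookie(src_ip, src_port) + 1) & MASK32:
                self.established.add(key)
                return True
            return False
        isn = self.half_open.get(key)
        if isn is not None and ack == (isn + 1) & MASK32:
            del self.half_open[key]
            self.established.add(key)
            return True
        return False


def connect(listener, src_ip, src_port):
    """A well-behaved client: SYN, read the SYN-ACK, send the ACK."""
    isn = listener.recv_syn(src_ip, src_port)
    if isn is None:
        return False
    return listener.recv_ack(src_ip, src_port, (isn + 1) & MASK32)


def syn_flood(listener, count, net="198.51.100."):
    """Spoofed SYNs from a constructed documentation range; the ACK never comes."""
    for i in range(count):
        listener.recv_syn(f"{net}{i % 254 + 1}", 1024 + i)


def scenario(syn_cookies):
    """Flood the listener, then try one legitimate connect.

    Returns (legit_connect_succeeded, half_open_entries, dropped_syns).
    """
    srv = Listener(backlog=128, syn_cookies=syn_cookies, secret=b"constructed-secret")
    syn_flood(srv, 1000)
    ok = connect(srv, "203.0.113.10", 40000)
    return ok, len(srv.half_open), srv.dropped_syns


if __name__ == "__main__":
    print("without SYN cookies:", scenario(False))  # legitimate connect fails
    print("with SYN cookies:   ", scenario(True))   # legitimate connect succeeds
```

Without cookies, 1,000 spoofed SYNs leave the 128-entry table full, so the legitimate client's SYN is the 873rd one dropped; with cookies the server keeps no per-SYN state, so the flood costs it nothing but the SYN-ACKs it sends and the legitimate client still completes the handshake. A forged ACK that does not match the cookie is rejected, which is the property that lets the server stay stateless.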

According to the presentation, which detailed how "online covert action techniques can aid cyber threat awareness," the DDoS attacks were part of a broader effort to scare people away from the Anonymous and LulzSec boards. The effort was run by Britain's Government Communications Headquarters (GCHQ), the country's equivalent of the NSA. In particular, a previously undocumented GCHQ unit called the Joint Threat Research Intelligence Group, or JTRIG, was running the program, which appears to have been launched in response to a spike in the volume of Anonymous and LulzSec attacks.

Why did British spooks name the operation Rolling Thunder? They appear to have been referencing the sustained US Vietnam War aerial bombardment campaign of the same name, although Rolling Thunder was also the name of a 1972 solo album by Grateful Dead drummer Mickey Hart.

News of the covert DDoS campaign against Anonymous and LulzSec participants sparked questions about whether the British government's efforts were appropriate, or even legal. Perhaps predictably, one Anonymous channel also tweeted: "Remember you cant ddos an idea."


But Michael Leiter, the former head of the US government's National Counterterrorism Center, defended the UK government's DDoS attack campaign. "While there must of course be limitations," he told NBC, where he now works as an analyst, "law enforcement and intelligence officials must be able to pursue individuals who are going far beyond speech and into the realm of breaking the law: defacing and stealing private property that happens to be online."

The British government's IRC-attack campaign, however, likely affected not just rule breakers, but also a number of people who were engaged solely in political or even unrelated discussions.

The attacks have also now set a dangerous precedent. "Whether you agree with the activities of Anonymous or not -- which have included everything from supporting the Arab Spring protests to DDoSing copyright organizations to doxing child pornography site users -- the salient point is that democratic governments now seem to be using their very tactics against them," Gabriella Coleman, a professor at Canada's McGill University and expert in all things Anonymous, wrote in an opinion piece for Wired.

"The key difference, however, is that while those involved in Anonymous can and have faced their day in court for those tactics, the British government has not," she said.

Jake Davis, the former LulzSec participant known as "Topiary" who served jail time and is now on parole, echoed her assessment via Twitter: "I plead guilty to two counts of DDoS conspiracy and to my face these GCHQ bastards were doing the exact same thing."

He added: "The UK government banned a 16-year-old boy (@musalbas) from the Internet for 2 years while they themselves were launching illegal attacks."

The anti-Anonymous campaign relied on more than just DoS or DDoS attacks. The SIGDEV presentation also appears to document the use of covert human intelligence sources (CHIS) -- referring to the creation of covert relationships that are meant to gather intelligence or effect a desired outcome -- and notes that "80% of those messaged where [sic] not in the IRC channels 1 month later." That suggests anonymous JTRIG operatives were sending IRC messages to participants inside known Anonymous and LulzSec chat boards, warning that they ran the risk of violating British computer crime laws and thus facing jail time.

Some critics have accused the British government's anti-hacktivist campaign of trampling on the free-speech rights of its citizens. But unlike the United States, Britain has no written constitution with an explicit free-speech guarantee comparable to the First Amendment.


Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.

Comments
Lorna Garey, 2/6/2014 1:04:59 PM
Re: Rules for thee but not for me
Governments regularly take actions that would be illegal for citizens, from imposing the death penalty to waging war to seizing assets to issuing currency. Offensive security as a tactic is on the horizon. Anyone who thinks governments won't -- and aren't -- using it now is naive.

Drew Conry-Murray, 2/6/2014 9:57:30 AM
Re: Rules for thee but not for me
I agree, it makes the British government look silly. If you're going to punish people for launching DDoS attacks, it's hypocritical to launch one yourself. In addition, as a mechanism to stifle Anonymous activity or deter participation, it's absolutely useless.

Whoopty, 2/6/2014 9:14:56 AM
Freedom of Speech
British intelligence should be very careful with this sort of thing. It's dangerously close to infringing on human rights by denying the freedom of speech to those they attacked. They're in enough trouble with EUCHR due to Tempora.

Mathew, 2/6/2014 4:26:49 AM
Re: Rules for thee but not for me
But it was 2011 and hackers were running amok! Something Had To Be Done.

But of course after they'd arrested a bunch of (mostly) teenagers, in retrospect the British government looks a bit silly -- for starters.

Thomas Claburn, 2/5/2014 5:00:06 PM
Re: Rules for thee but not for me
The double standard here is troubling.

asksqn, 2/5/2014 3:33:01 PM
Rules for thee but not for me
LOL so then since the British government has launched its own DDoS attack does that then mean it's OK for anyone else to do so? Pardon me, but this smacks very much of the same thought process the US government has. It is childish and not a constructive use of resources.