2/5/2014
11:26 AM

British Spies Hit Anonymous With DDoS Attacks

British cyber agents attacked Anonymous chat rooms, leaked intelligence documents show.

The British government targeted Anonymous and LulzSec by launching distributed denial-of-service (DDoS) attacks against chat rooms used by those groups' members.

The existence of the attack campaign, which was dubbed "Rolling Thunder," was first reported by NBC News, which published a secret intelligence presentation that was leaked by former National Security Agency (NSA) contractor Edward Snowden.

"This makes British government the only Western government known to have launched DDoS attacks," tweeted Mikko Hypponen, chief research officer at F-Secure.

The attacks occurred in Sept. 2011, according to the presentation, which was prepared for a 2012 conference called SIGDEV (short for "signals development"). The document itself, which NBC partially redacted, is labeled "top secret" and says it's restricted to the United States, Australia, Canada, Great Britain, and New Zealand. Not coincidentally, those are the countries that comprise the so-called "Five Eyes" intelligence-sharing alliance.

According to an undated "irc.anonops" chat log included in the presentation, a chat room participant said that the IRC network had been hit by a SYN flood, a type of denial-of-service (DoS) or DDoS attack that subverts the usual three-way TCP handshake -- used when establishing a connection to a server -- by never answering the server's reply, or else by giving a fake source IP address so that the server's reply goes nowhere. With a sufficient number of these unfinished handshakes, the server can choke, thus denying service to anyone who wants to use it.
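How an operator would recognize the condition described above on their own server, as an added example that is not part of the original article: the sketch counts half-open (SYN-RECV) sockets per listening port from `ss -tan`-style output and flags ports where they swamp completed handshakes. The sample lines, addresses and both thresholds are constructed assumptions.

```python
from collections import Counter

# Constructed sample in the column layout printed by `ss -tan`.
# 6667 is the conventional IRC port; addresses are documentation ranges.
SAMPLE = "\n".join(
    ["State    Recv-Q Send-Q Local Address:Port Peer Address:Port",
     "LISTEN   0 128 192.0.2.10:6667 0.0.0.0:*",
     "ESTAB    0 0 192.0.2.10:6667 198.51.100.7:51514",
     "ESTAB    0 0 192.0.2.10:6667 198.51.100.9:40022",
     "ESTAB    0 0 192.0.2.10:22 198.51.100.7:51990",
     "SYN-RECV 0 0 192.0.2.10:22 198.51.100.8:41000"]
    + [f"SYN-RECV 0 0 192.0.2.10:6667 203.0.113.{i}:{1024 + i}"
       for i in range(1, 41)]
)

def half_open_report(ss_output):
    """Per local port: half-open count, established count, distinct peers."""
    half_open, established, peers = Counter(), Counter(), {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("SYN-RECV", "ESTAB"):
            continue  # header, LISTEN and other states are not counted
        port = fields[3].rsplit(":", 1)[1]
        peer_ip = fields[4].rsplit(":", 1)[0]
        if fields[0] == "SYN-RECV":
            # Server sent SYN-ACK and is still waiting for the final ACK.
            half_open[port] += 1
            peers.setdefault(port, set()).add(peer_ip)
        else:
            established[port] += 1
    return {p: {"half_open": n,
                "established": established[p],
                "distinct_peers": len(peers[p])}
            for p, n in half_open.items()}

def flag_syn_flood(report, min_half_open=20, ratio=5.0):
    """Ports where half-open sockets dominate completed handshakes.

    min_half_open and ratio are illustrative thresholds, not standards.
    """
    return sorted(p for p, r in report.items()
                  if r["half_open"] >= min_half_open
                  and r["half_open"] >= ratio * max(r["established"], 1))

if __name__ == "__main__":
    report = half_open_report(SAMPLE)
    for port in flag_syn_flood(report):
        print(port, report[port])
```

A high distinct-peer count alongside the half-open count is consistent with the fake source addresses the article mentions, which is why per-source blocking alone does little against this pattern.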

According to the presentation, which detailed how "online covert action techniques can aid cyber threat awareness," the DDoS attacks were part of a broader effort to scare people away from the Anonymous and LulzSec boards. The effort was run by Government Communications Headquarters (GCHQ), Britain's equivalent of the NSA. In particular, a previously undocumented GCHQ unit called the Joint Threat Research Intelligence Group, or JTRIG, was running the program, which appeared to have been launched in response to a spike in the volume of Anonymous and LulzSec attacks.

Why did British spooks name the operation Rolling Thunder? They appear to have been referencing the sustained US Vietnam War aerial bombardment campaign of the same name, although Rolling Thunder was also the name of a 1972 solo album by Grateful Dead drummer Mickey Hart.

News of the covert DDoS campaign against Anonymous and LulzSec participants sparked questions about whether the British government's efforts were appropriate, or even legal. Perhaps predictably, one Anonymous channel also tweeted: "Remember you cant ddos an idea."

But Michael Leiter, the former head of the US government's National Counterterrorism Center, defended the UK government's DDoS attack campaign. "While there must of course be limitations," he told NBC, where he now works as an analyst, "law enforcement and intelligence officials must be able to pursue individuals who are going far beyond speech and into the realm of breaking the law: defacing and stealing private property that happens to be online."

The British government's IRC-attack campaign, however, likely affected not just rule breakers, but also a number of people who were engaged solely in political or even unrelated discussions.

The attacks have also now set a dangerous precedent. "Whether you agree with the activities of Anonymous or not -- which have included everything from supporting the Arab Spring protests to DDoSing copyright organizations to doxing child pornography site users -- the salient point is that democratic governments now seem to be using their very tactics against them," Gabriella Coleman, a professor at Canada's McGill University and expert in all things Anonymous, wrote in an opinion piece for Wired.

"The key difference, however, is that while those involved in Anonymous can and have faced their day in court for those tactics, the British government has not," she said.

Jake Davis, the former LulzSec participant known as "Topiary" who served jail time and is now on parole, echoed her assessment via Twitter: "I plead guilty to two counts of DDoS conspiracy and to my face these GCHQ bastards were doing the exact same thing."

He added: "The UK government banned a 16-year-old boy (@musalbas) from the Internet for 2 years while they themselves were launching illegal attacks."

The anti-Anonymous campaign relied on more than just DoS or DDoS attacks. The SIGDEV presentation also appears to document the use of covert human intelligence sources (CHIS) -- referring to the creation of covert relationships that are meant to gather intelligence or effect a desired outcome -- and notes that "80% of those messaged where [sic] not in the IRC channels 1 month later." That suggests anonymous JTRIG operatives were sending IRC messages to participants inside known Anonymous and LulzSec chat boards, warning that they ran the risk of violating British computer crime laws and thus facing jail time.

Some critics have accused the British government's anti-hacktivist campaign of trampling on the free-speech rights of its citizens. But unlike the United States, Britain has no laws that explicitly and clearly grant its citizens the right to free speech.

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Comments
Lorna Garey,
User Rank: Ninja
2/6/2014 | 1:04:59 PM
Re: Rules for thee but not for me
Governments regularly take actions that would be illegal for citizens, from imposing the death penalty to waging war to seizing assets to issuing currency. Offensive security as a tactic is on the horizon. Anyone who thinks governments won't -- and aren't -- using it now is naive.
Drew Conry-Murray,
User Rank: Ninja
2/6/2014 | 9:57:30 AM
Re: Rules for thee but not for me
I agree, it makes the British government look silly. If you're going to punish people for launching DDoS attacks, it's hypocritical to launch one yourself. In addition, as a mechanism to stifle Anonymous activity or deter participation, it's absolutely useless.
Whoopty,
User Rank: Ninja
2/6/2014 | 9:14:56 AM
Freedom of Speech
British intelligence should be very careful with this sort of thing. It's dangerously close to infringing on human rights by denying the freedom of speech to those they attacked. They're in enough trouble with EUCHR due to Tempora. 
Mathew,
User Rank: Apprentice
2/6/2014 | 4:26:49 AM
Re: Rules for thee but not for me
But it was 2011 and hackers were running amok! Something Had To Be Done.

But of course after they'd arrested a bunch of (mostly) teenagers, in retrospect the British government looks a bit silly -- for starters.
Thomas Claburn,
User Rank: Ninja
2/5/2014 | 5:00:06 PM
Re: Rules for thee but not for me
The double standard here is troubling.
asksqn,
User Rank: Ninja
2/5/2014 | 3:33:01 PM
Rules for thee but not for me
LOL so then since the British government has launched its own DDoS attack does that then mean it's OK for anyone else to do so?  Pardon me, but this smacks very much of the same thought process the US government has. It is childish and not a constructive use of resources.