2/5/2014
11:26 AM

British Spies Hit Anonymous With DDoS Attacks

British cyber agents attacked Anonymous chat rooms, leaked intelligence documents show.


The British government targeted Anonymous and LulzSec by launching distributed denial-of-service (DDoS) attacks against chat rooms used by those groups' members.

The existence of the attack campaign, which was dubbed "Rolling Thunder," was first reported by NBC News, which published a secret intelligence presentation that was leaked by former National Security Agency (NSA) contractor Edward Snowden.

"This makes British government the only Western government known to have launched DDoS attacks," tweeted Mikko Hypponen, chief research officer at F-Secure.

The attacks occurred in Sept. 2011, according to the presentation, which was prepared for a 2012 conference called SIGDEV (short for "signals development"). The document itself, which NBC partially redacted, is labeled "top secret" and says it's restricted to the United States, Australia, Canada, Great Britain, and New Zealand. Not coincidentally, those are the countries that comprise the so-called "Five Eyes" intelligence-sharing alliance.

According to an undated "irc.anonops" chat log included in the presentation, a chat room participant said that the IRC network had been hit by a SYN flood. A SYN flood is a denial-of-service technique that abuses the three-way TCP handshake used to establish a connection: the attacker sends a stream of SYN packets, often with spoofed source addresses, and never sends the final ACK, so the server's SYN-ACK replies go unanswered (or go to hosts that never asked for a connection). Each unanswered SYN-ACK leaves a half-open connection in the server's listen backlog; send enough of them and the backlog fills, and the server can no longer accept connections from anyone who wanted to use it.
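To make the handshake mechanics concrete, here is an added example, not code from the article or from any GCHQ material, that replays constructed packet summaries through a server-side view of the handshake: a SYN opens a half-open entry, the client's ACK closes it, and the leftover entries are what a flood is made of. It also shows why a per-source threshold is not enough once the attacker spoofs source addresses. The server address and port, the field names, the backlog size and the threshold are all assumptions of the example.

```python
"""Detecting a SYN flood from a stream of TCP packet summaries.

Added example (not from the article or the leaked GCHQ slides). It
models the server-side view of the three-way handshake: a client SYN
creates a half-open entry, the client's final ACK completes it, and
what remains is the load the flood puts on the listen backlog. The
packet records are constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass

SERVER = "198.51.100.10"   # constructed: the IRC server being flooded
SERVER_PORT = 6667


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "R" = RST


def track_handshakes(packets):
    """Replay packets; return {src_ip: set of source ports left half-open}.

    Only traffic addressed to SERVER:SERVER_PORT is considered. A client
    SYN creates a half-open entry; the client's ACK or RST for the same
    source port removes it. The server's own SYN-ACKs are ignored, since
    they carry no state the client's SYN has not already created.
    """
    half_open = defaultdict(set)
    for p in packets:
        if p.dst != SERVER or p.dport != SERVER_PORT:
            continue
        if p.flags == "S":
            half_open[p.src].add(p.sport)
        elif p.flags in ("A", "R") and p.sport in half_open[p.src]:
            half_open[p.src].discard(p.sport)
    return {src: ports for src, ports in half_open.items() if ports}


def flag_syn_flood(packets, threshold=50):
    """Sources holding more than `threshold` half-open connections.

    Catches a single noisy host, but a flood from randomly spoofed
    sources never trips this check: every source looks harmless alone.
    """
    return sorted(src for src, ports in track_handshakes(packets).items()
                  if len(ports) > threshold)


def backlog_pressure(packets, backlog=128):
    """Total half-open connections as a fraction of the listen backlog.

    This is the number the server actually feels; above 1.0 new SYNs
    from legitimate clients start being dropped.
    """
    total = sum(len(ports) for ports in track_handshakes(packets).values())
    return total / backlog


def constructed_traffic():
    """Constructed packet stream: one real client, one noisy host, one spoofed flood."""
    pkts = []
    # A legitimate client that completes its handshake.
    pkts += [Packet(0.00, "203.0.113.5", 40000, SERVER, SERVER_PORT, "S"),
             Packet(0.01, SERVER, SERVER_PORT, "203.0.113.5", 40000, "SA"),
             Packet(0.02, "203.0.113.5", 40000, SERVER, SERVER_PORT, "A")]
    # One unspoofed host that opens 60 connections and never finishes them.
    pkts += [Packet(1.0 + i / 1000, "203.0.113.77", 50000 + i, SERVER, SERVER_PORT, "S")
             for i in range(60)]
    # 200 SYNs, each from a different spoofed address in 192.0.2.0/24.
    pkts += [Packet(2.0 + i / 1000, f"192.0.2.{i % 254 + 1}", 51000 + i, SERVER, SERVER_PORT, "S")
             for i in range(200)]
    return pkts


if __name__ == "__main__":
    traffic = constructed_traffic()
    print("per-source offenders:", flag_syn_flood(traffic))        # only 203.0.113.77
    print("backlog pressure:", round(backlog_pressure(traffic), 2))  # 2.03, i.e. overflowing
```

Run as a script, the per-source check names only the unspoofed host, while the spoofed flood pushes the backlog to roughly twice its capacity without any single source standing out. That gap is why servers defend against this class of attack at the kernel level, with SYN cookies (`net.ipv4.tcp_syncookies` on Linux) rather than with per-source counting alone.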

According to the presentation, which detailed how "online covert action techniques can aid cyber threat awareness," the DDoS attacks were part of a broader effort to scare people away from the Anonymous and LulzSec boards. The effort was run by Britain's Government Communications Headquarters (GCHQ), the country's equivalent of the NSA. In particular, a previously undocumented GCHQ unit called the Joint Threat Research Intelligence Group, or JTRIG, ran the program, which appears to have been launched in response to a spike in the volume of Anonymous and LulzSec attacks.

Why did British spooks name the operation Rolling Thunder? They appear to have been referencing the sustained US Vietnam War aerial bombardment campaign of the same name, although Rolling Thunder was also the name of a 1972 solo album by Grateful Dead drummer Mickey Hart.

News of the covert DDoS campaign against Anonymous and LulzSec participants sparked questions about whether the British government's efforts were appropriate, or even legal. Perhaps predictably, one Anonymous channel also tweeted: "Remember you cant ddos an idea."

But Michael Leiter, the former head of the US government's National Counterterrorism Center, defended the UK government's DDoS attack campaign. "While there must of course be limitations," he told NBC, where he now works as an analyst, "law enforcement and intelligence officials must be able to pursue individuals who are going far beyond speech and into the realm of breaking the law: defacing and stealing private property that happens to be online."

The British government's IRC-attack campaign, however, likely affected not just rule breakers, but also a number of people who were engaged solely in political or even unrelated discussions.

The attacks have also now set a dangerous precedent. "Whether you agree with the activities of Anonymous or not -- which have included everything from supporting the Arab Spring protests to DDoSing copyright organizations to doxing child pornography site users -- the salient point is that democratic governments now seem to be using their very tactics against them," Gabriella Coleman, a professor at Canada's McGill University and expert in all things Anonymous, wrote in an opinion piece for Wired.

"The key difference, however, is that while those involved in Anonymous can and have faced their day in court for those tactics, the British government has not," she said.

Jake Davis, the former LulzSec participant known as "Topiary" who served jail time and is now on parole, echoed her assessment via Twitter: "I plead guilty to two counts of DDoS conspiracy and to my face these GCHQ bastards were doing the exact same thing."

He added: "The UK government banned a 16-year-old boy (@musalbas) from the Internet for 2 years while they themselves were launching illegal attacks."

The anti-Anonymous campaign relied on more than just DoS or DDoS attacks. The SIGDEV presentation also appears to document the use of covert human intelligence sources (CHIS) -- referring to the creation of covert relationships that are meant to gather intelligence or effect a desired outcome -- and notes that "80% of those messaged where [sic] not in the IRC channels 1 month later." That suggests anonymous JTRIG operatives were sending IRC messages to participants inside known Anonymous and LulzSec chat boards, warning that they ran the risk of violating British computer crime laws and thus facing jail time.

Some critics have accused the British government's anti-hacktivist campaign of trampling on the free-speech rights of its citizens. But unlike the United States, Britain has no constitutional guarantee of free speech comparable to the First Amendment; the right exists there through Article 10 of the European Convention on Human Rights, which the Human Rights Act 1998 incorporates into domestic law.

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Comments
Lorna Garey, 2/6/2014 1:04:59 PM
Re: Rules for thee but not for me
Governments regularly take actions that would be illegal for citizens, from imposing the death penalty to waging war to seizing assets to issuing currency. Offensive security as a tactic is on the horizon. Anyone who thinks governments won't -- and aren't -- using it now is naive.
Drew Conry-Murray, 2/6/2014 9:57:30 AM
Re: Rules for thee but not for me
I agree, it makes the British government look silly. If you're going to punish people for launching DDoS attacks, it's hypocritical to launch one yourself. In addition, as a mechanism to stifle Anonymous activity or deter participation, it's absolutely useless.
Whoopty, 2/6/2014 9:14:56 AM
Freedom of Speech
British intelligence should be very careful with this sort of thing. It's dangerously close to infringing on human rights by denying the freedom of speech to those they attacked. They're in enough trouble with EUCHR due to Tempora. 
Mathew, 2/6/2014 4:26:49 AM
Re: Rules for thee but not for me
But it was 2011 and hackers were running amok! Something Had To Be Done.

But of course after they'd arrested a bunch of (mostly) teenagers, in retrospect the British government looks a bit silly -- for starters.
Thomas Claburn, 2/5/2014 5:00:06 PM
Re: Rules for thee but not for me
The double standard here is troubling.
asksqn, 2/5/2014 3:33:01 PM
Rules for thee but not for me
LOL so then since the British government has launched its own DDoS attack does that then mean it's OK for anyone else to do so?  Pardon me, but this smacks very much of the same thought process the US government has. It is childish and not a constructive use of resources.