Attacks/Breaches
5/7/2013
06:21 PM

'OpUSA' Hacktivist Attacks Fall Short

Anonymous groups wage ad-hoc defacements, data dumps from a few lesser-known sites -- not the planned attacks on major U.S. government agencies, banks

Hacktivist groups under the Anonymous umbrella had warned they would take down major U.S. government and financial websites today in what they dubbed the OpUSA hacking campaign. But in the end, it was just a few defacements of lesser-known websites and seemingly random dumps of personal information online.

As of this posting, there were no reports of any major site disruptions or distributed denial-of-service (DDoS) attacks. According to Radware's Emergency Response Team, which kept a running report on the attacks updated on its website today, there were at least a handful of victims, including the website of a small community bank in Arkansas, which was defaced by the attackers, and a database dump of users of the Bloodbanker.com website. Yesterday, the Embassy of Cape Verde in the U.S. suffered a defaced website, and a few other isolated incidents occurred today in the name of OpUSA, including a dump of 10,000 alleged stolen Visa card accounts.

[Hacktivist groups plan denial-of-service attacks on banks, government sites. See Anonymous, LulzSec, OpUSA Plan Broad Attacks On Government Agencies, Banks On Tuesday.]

The seemingly disjointed campaign was a reflection of the evolving state of hacktivism and Anonymous, which is not one group with a common agenda, security experts say -- and possibly a lack of resources to pull off the effort. What was most striking about the lack of shock and awe of today's campaign was that it actually registered less hacktivist activity than when the hacktivist group Izz ad-Din al-Qassam Cyber Fighters were actively and successfully waging DDoS attacks on major financial institutions, notes Carl Herberger, vice president of security solutions for Radware. The Izz ad-Din al-Qassam Cyber Fighters went dark for a few days in deference to OpUSA and in order to avoid any confusion about their different motivations.

"When the Izz ad-Din al-Qassam Cyber Fighters decided to take a pass this week ... the level of attack activity dropped," Herberger says. "Our devices are under less load today than when [the Cyber Fighters were in action] last week."

The Cyber Fighters have more firepower and are more organized than the groups behind OpUSA appear to have, he says.

"There were some [OpUSA] attacks, and they were pedestrian in nature relative to what we've become used to and humbled with operations by [the Cyber Fighters]," he says. "The tools and techniques here were reminiscent of attacks 18 to 24 months ago."

Anonymous, under the guise of N4m3le55 Cr3w, AnonGhost and other groups, said May 7 would represent day one of the operation, which is in apparent protest of U.S. policies on Iraq, Afghanistan, and Pakistan. "You can not stop the internet hate machine from doxes, DNS attacks, defaces, redirects, ddos attacks, database leaks, and admin take overs. Greetings to Anonghost, Mauritania hackers, Ajax team, Muslim liberation army, ZHC, antisec, lulzsec, Redhat, team poison reborn and any other hackers joining operation USA," the attackers said in a post.

Among the list of U.S. government takedown targets were the websites of the Defense Department, NSA, the FBI, and the White House. Some 130 banks and credit unions were also listed, including Bank of America, Chase, Citibank, SunTrust, Wells Fargo, and nearly all major banks. None of the targets reported a DDoS attack as of this posting.

In a new Pastebin post this afternoon, the AnonGhost team listed successful OpUSA hacks today, including more than 100,000 email accounts, 60 U.S. websites, 5,000 U.S. Facebook accounts, and an "agent from the U.S. House of Representatives," but it was unclear whether these were all confirmed attacks.

So why did the OpUSA DDoS operation fizzle? Sorin Mustaca, a security expert for Avira, says the attackers would need heavy botnet backing to wage the massive DDoS attacks they had promised. "You would have to have a very serious botnet at your disposal, which is not that complicated these days. If you don't own it, you have to pay for it," he says. "Then who is going to pay for those expenses? Why I don't really think anything is going to happen [today] is I'm not aware of any major botnets being online and used remotely" for this, he says.

Mustaca says one explanation could be that the hacktivists ultimately were looking to get hired for their services. "They might create the market so they could get paid," he says. "Somebody has to pay for" the botnet and other resources, he says, so they were attempting to demonstrate their capabilities.

Radware's Herberger says it's more of an indication of how different the OpUSA hacktivists are from the Izz ad-Din al-Qassam Cyber Fighters. OpUSA was only successful thus far at defacing a few small banks, he says. "The Cyber Fighters have the attribute of offensive cyberwar," he says. "These guys here are not clearly organized or skilled and don't have the choreography."

Even so, Herberger says he knows of at least two major U.S. investment banks that had not yet been attacked that experienced attack attempts last week. "It looked like they were testing [attack] tools and techniques" on the banks, he says.

Either way, any attack threat should always be taken seriously, experts say. "We should take all of these things very seriously and be glad when nothing happens," Herberger says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com.
