Attacks/Breaches
5/7/2013
06:21 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

'OpUSA' Hacktivist Attacks Fall Short

Anonymous groups wage ad-hoc defacements, data dumps from a few lesser-known sites -- not the planned attacks on major U.S. government agencies, banks

Hacktivist groups under the Anonymous umbrella had warned they would take down major U.S. government and financial websites today in what they dubbed the OpUSA hacking campaign. But in the end, it was just a few defacements of lesser-known websites and seemingly random dumps of personal information online.

As of this posting, there were no reports of any major site disruptions or distributed denial-of-service (DDoS) attacks. According to Radware's Emergency Response Team, which kept a running report on the attacks updated on its website today there were at least a handful of victims, including the website of a small community bank in Arkansas, which got defaced by the attackers, and a database dump of users of the Bloodbanker.com website. Yesterday, the Embassy of Cape Verde in the U.S. suffered a defaced website, plus a few other isolated incidents occurred today in the name of OpUSA, including a dump of 10,000 alleged stolen Visa card accounts.

[Hacktivist groups plan denial-of-service attacks on banks, government sites. See Anonymous, LulzSec, OpUSA Plan Broad Attacks On Government Agencies, Banks On Tuesday.]

The seemingly disjointed campaign was a reflection of the evolving state of hacktivism and Anonymous, which is not one group with a common agenda, security experts say -- and possibly a lack of resources to pull off the effort. What was most striking about the lack of shock and awe of today's campaign was that it actually registered less hacktivist activity than when the hacktivist group Izz ad-Din al-Qassam Cyber Fighters were actively and successfully waging DDoS attacks on major financial institutions, notes Carl Herberger, vice president of security solutions for Radware. The Izz ad-Din al-Qassam Cyber Fighters went dark for a few days in deference to OpUSA and in order to avoid any confusion about their different motivations.

"When the Izz ad-Din al-Qassam Cyber Fighters decided to take a pass this week ... the level of attack activity dropped," Herberger says. "Our devices are under less load today than when [the Cyber Fighters were in action] last week."

The Cyber Fighters have more firepower and are more organized than the groups behind OpUSA appear to have, he says.

"There were some [OpUSA] attacks, and they were pedestrian in nature relative to what we've become used to and humbled with operations by [the Cyber Fighters]," he says. "The tools and techniques here were reminiscent of attacks 18 to 24 months ago."

Anonymous, under the guise of N4m3le55 Cr3w, AnonGhost and other groups, said May 7 would represent day one of the operation, which is in apparent protest to U.S. policies on Iraq, Afghanistan, and Pakistan. "You can not stop the internet hate machine from doxes, DNS attacks, defaces, redirects, ddos attacks, database leaks, and admin take overs. Greetings to Anonghost, Mauritania hackers, Ajax team, Muslim liberation army, ZHC, antisec, lulzsec, Redhat, team poison reborn and any other hackers joining operation USA," the attackers said in a post.

Among the list of U.S. government takedown targets were the websites of the Defense Department, NSA, the FBI, and the White House. Some 130 banks and credit unions were also listed, including Bank of America, Chase, Citibank, SunTrust, Wells Fargo, and nearly all major banks. None of the targets reported a DDoS attack as of this posting.

In a new Pastebin post this afternoon, the AnonGhost team listed successful OpUSA hacks today, including more than 100,000 email accounts, 60 U.S websites, 5,000 U.S. Facebook accounts, and an "agent from the U.S. House of Representatives," but it was unclear whether these were all confirmed attacks.

So why did the OpUSA DDoS operation fizzle? Sorin Mustaca, a security expert for Avira, says the attackers would need heavy botnet backing to wage the massive DDoS attacks they had promised. "You would have to have a very serious botnet at your disposal, which is not that complicated these days. If you don't own it, you have to pay for it," he says. "Then who is going to pay for those expenses? Why I don't really think anything is going to happen [today] is I'm not aware of any major botnets being online and used remotely" for this, he says.

Mustaca says one explanation could be that the hacktivists ultimately were looking to get hired for their services. "They might create the market so they could get paid," he says. "Somebody has to pay for" the botnet and other resources, he says, so they were attempting to demonstrate their capabilities.

Radware's Herberger says it's more of an indication of how different the OpUSA hacktivists are from the Izz ad-Din al-Qassam Cyber Fighters. OpUSA was only successful thus far at defacing a few small banks, he says. "The Cyber Fighters have the attribute of offensive cyberwar," he says. "These guys here are not clearly organized or skilled and don't have the choreography."

Even so, Herberger says he knows of at least two major U.S. investment banks that had not yet been attacked that experienced attack attempts last week. "It looked like they were testing [attack] tools and techniques" on the banks, he says.

Either way, you always take any attack threats seriously, experts say. "We should take all of these things very seriously and be glad when nothing happens," Herberger says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6335
Published: 2014-08-26
The Backup-Archive client in IBM Tivoli Storage Manager (TSM) for Space Management 5.x and 6.x before 6.2.5.3, 6.3.x before 6.3.2, 6.4.x before 6.4.2, and 7.1.x before 7.1.0.3 on Linux and AIX, and 5.x and 6.x before 6.1.5.6 on Solaris and HP-UX, does not preserve file permissions across backup and ...

CVE-2014-0480
Published: 2014-08-26
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL ...

CVE-2014-0481
Published: 2014-08-26
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a d...

CVE-2014-0482
Published: 2014-08-26
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors relate...

CVE-2014-0483
Published: 2014-08-26
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.