
British Spies Hit Anonymous With DDoS Attacks

British cyber agents attacked Anonymous chat rooms, leaked intelligence documents show.


The British government targeted Anonymous and LulzSec by launching distributed denial-of-service (DDoS) attacks against chat rooms used by those groups' members.

The existence of the attack campaign, which was dubbed "Rolling Thunder," was first reported by NBC News, which published a secret intelligence presentation that was leaked by former National Security Agency (NSA) contractor Edward Snowden.

"This makes British government the only Western government known to have launched DDoS attacks," tweeted Mikko Hypponen, chief research officer at F-Secure.

The attacks occurred in Sept. 2011, according to the presentation, which was prepared for a 2012 conference called SIGDEV (short for "signals development"). The document itself, which NBC partially redacted, is labeled "top secret" and says it's restricted to the United States, Australia, Canada, Great Britain, and New Zealand. Not coincidentally, those are the countries that comprise the so-called "Five Eyes" intelligence-sharing alliance.

According to an undated "irc.anonops" chat log included in the presentation, a chat room participant said that the IRC network had been hit by a SYN flood, a type of denial-of-service (DoS) or DDoS attack that subverts the usual three-way TCP handshake -- used when establishing a connection to a server -- by never answering the server's reply, or else by directing that reply to a fake IP address. Each unanswered request leaves the server holding a half-open connection; with enough of them, the server can choke, thus denying service to anyone who wants to use it.
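
The handshake exhaustion described above, replayed as a small server-side model (an added example, not part of the original article). The backlog size, timeout and all addresses are constructed assumptions, and handshakes are matched by source address and port only.

```python
from collections import namedtuple

# One inbound TCP segment as the server sees it (constructed model, no real capture).
Event = namedtuple("Event", "t src sport flag")

def replay(events, backlog=128, timeout=30.0):
    """Replay SYN/ACK events against a fixed-size half-open queue."""
    half_open = {}                      # (src, sport) -> arrival time of the SYN
    refused, completed, expired, peak = [], 0, 0, 0
    for ev in sorted(events, key=lambda e: e.t):
        # The server eventually gives up on handshakes that never got their ACK.
        for key in [k for k, t0 in half_open.items() if ev.t - t0 > timeout]:
            del half_open[key]
            expired += 1
        key = (ev.src, ev.sport)
        if ev.flag == "SYN" and key not in half_open:
            if len(half_open) >= backlog:
                refused.append(ev.src)  # queue full: even a real client is turned away
            else:
                half_open[key] = ev.t
        elif ev.flag == "ACK" and key in half_open:
            del half_open[key]          # handshake finished, slot is freed
            completed += 1
        peak = max(peak, len(half_open))
    return {"peak": peak, "completed": completed,
            "expired": expired, "refused": refused}

def sample_events():
    """Constructed traffic: normal clients, a burst of unanswered SYNs, a late client."""
    ev = []
    for i in range(5):                  # clients that complete the handshake
        ev += [Event(i, f"192.0.2.{10 + i}", 40000, "SYN"),
               Event(i + 0.05, f"192.0.2.{10 + i}", 40000, "ACK")]
    for i in range(300):                # SYNs whose final ACK never arrives
        ev.append(Event(10 + i * 0.01, f"198.51.100.{i % 250 + 1}", 1024 + i, "SYN"))
    for t, host in ((12.505, 99), (50.0, 100)):   # one client mid-burst, one after
        ev += [Event(t, f"192.0.2.{host}", 40000, "SYN"),
               Event(t + 0.05, f"192.0.2.{host}", 40000, "ACK")]
    return ev

if __name__ == "__main__":
    r = replay(sample_events())
    print(r["peak"], r["completed"], r["expired"], len(r["refused"]))
```

The client that connects mid-burst is refused because the queue is full, while the one arriving after the timeout gets through; a sustained ratio of expired to completed handshakes is the signal a defender would alert on.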

According to the presentation, which detailed how "online covert action techniques can aid cyber threat awareness," the DDoS attacks were part of a broader effort to scare people away from the Anonymous and LulzSec boards. The effort was run by Britain's Government Communications Headquarters (GCHQ), which is its equivalent to the NSA. In particular, a previously undocumented GCHQ unit called the Joint Threat Research Intelligence Group, or JTRIG, was running the program, which appeared to have been launched to respond to a spike in the volume of Anonymous and LulzSec attacks.

Why did British spooks name the operation Rolling Thunder? They appear to have been referencing the sustained US Vietnam War aerial bombardment campaign of the same name, although Rolling Thunder was also the name of a 1972 solo album by Grateful Dead drummer Mickey Hart.

News of the covert DDoS campaign against Anonymous and LulzSec participants sparked questions about whether the British government's efforts were appropriate, or even legal. Perhaps predictably, one Anonymous channel also tweeted: "Remember you cant ddos an idea."


But Michael Leiter, the former head of the US government's National Counterterrorism Center, defended the UK government's DDoS attack campaign. "While there must of course be limitations," he told NBC, where he now works as an analyst, "law enforcement and intelligence officials must be able to pursue individuals who are going far beyond speech and into the realm of breaking the law: defacing and stealing private property that happens to be online."

The British government's IRC-attack campaign, however, likely affected not just rule breakers, but also a number of people who were engaged solely in political or even unrelated discussions.

The attacks have also now set a dangerous precedent. "Whether you agree with the activities of Anonymous or not -- which have included everything from supporting the Arab Spring protests to DDoSing copyright organizations to doxing child pornography site users -- the salient point is that democratic governments now seem to be using their very tactics against them," Gabriella Coleman, a professor at Canada's McGill University and expert in all things Anonymous, wrote in an opinion piece for Wired.

"The key difference, however, is that while those involved in Anonymous can and have faced their day in court for those tactics, the British government has not," she said.

Jake Davis, the former LulzSec participant known as "Topiary" who served jail time and is now on parole, echoed her assessment via Twitter: "I plead guilty to two counts of DDoS conspiracy and to my face these GCHQ bastards were doing the exact same thing."

He added: "The UK government banned a 16-year-old boy (@musalbas) from the Internet for 2 years while they themselves were launching illegal attacks."

The anti-Anonymous campaign relied on more than just DoS or DDoS attacks. The SIGDEV presentation also appears to document the use of covert human intelligence sources (CHIS) -- referring to the creation of covert relationships that are meant to gather intelligence or effect a desired outcome -- and notes that "80% of those messaged where [sic] not in the IRC channels 1 month later." That suggests anonymous JTRIG operatives were sending IRC messages to participants inside known Anonymous and LulzSec chat boards, warning that they ran the risk of violating British computer crime laws and thus facing jail time.

Some critics have accused the British government's anti-hacktivist campaign of trampling on the free-speech rights of its citizens. But unlike the United States, Britain has no laws that explicitly and clearly grant its citizens the right to free speech.


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Comments
Lorna Garey,
User Rank: Ninja
2/6/2014 | 1:04:59 PM
Re: Rules for thee but not for me
Governments regularly take actions that would be illegal for citizens, from imposing the death penalty to waging war to seizing assets to issuing currency. Offensive security as a tactic is on the horizon. Anyone who thinks governments won't -- and aren't -- using it now is naive.
Drew Conry-Murray,
User Rank: Ninja
2/6/2014 | 9:57:30 AM
Re: Rules for thee but not for me
I agree, it makes the British government look silly. If you're going to punish people for launching DDoS attacks, it's hypocritical to launch one yourself. In addition, as a mechanism to stifle Anonymous activity or deter participation, it's absolutely useless.
Whoopty,
User Rank: Ninja
2/6/2014 | 9:14:56 AM
Freedom of Speech
British intelligence should be very careful with this sort of thing. It's dangerously close to infringing on human rights by denying the freedom of speech to those they attacked. They're in enough trouble with EUCHR due to Tempora. 
Mathew,
User Rank: Apprentice
2/6/2014 | 4:26:49 AM
Re: Rules for thee but not for me
But it was 2011 and hackers were running amok! Something Had To Be Done.

But of course after they'd arrested a bunch of (mostly) teenagers, in retrospect the British government looks a bit silly -- for starters.
Thomas Claburn,
User Rank: Ninja
2/5/2014 | 5:00:06 PM
Re: Rules for thee but not for me
The double standard here is troubling.
asksqn,
User Rank: Ninja
2/5/2014 | 3:33:01 PM
Rules for thee but not for me
LOL so then since the British government has launched its own DDoS attack does that then mean it's OK for anyone else to do so?  Pardon me, but this smacks very much of the same thought process the US government has. It is childish and not a constructive use of resources.