British Spies Hit Anonymous With DDoS Attacks

British cyber agents attacked Anonymous chat rooms, leaked intelligence documents show.

The British government targeted Anonymous and LulzSec by launching distributed denial-of-service (DDoS) attacks against chat rooms used by those groups' members.

The existence of the attack campaign, which was dubbed "Rolling Thunder," was first reported by NBC News, which published a secret intelligence presentation that was leaked by former National Security Agency (NSA) contractor Edward Snowden.

"This makes British government the only Western government known to have launched DDoS attacks," tweeted Mikko Hypponen, chief research officer at F-Secure.

The attacks occurred in Sept. 2011, according to the presentation, which was prepared for a 2012 conference called SIGDEV (short for "signals development"). The document itself, which NBC partially redacted, is labeled "top secret" and says it's restricted to the United States, Australia, Canada, Great Britain, and New Zealand. Not coincidentally, those are the countries that comprise the so-called "Five Eyes" intelligence-sharing alliance.

According to an undated "irc.anonops" chat log included in the presentation, a chat room participant said that the IRC network had been hit by a SYN flood, a type of denial-of-service (DoS) or DDoS attack that subverts the usual three-way TCP handshake -- used when establishing a connection to a server -- by not responding to the server's reply, or else directing the server to a fake IP address. With a sufficient number of such unfinished connection requests, the server can choke, thus denying service to anyone who wants to use it.
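As an added illustration (not part of the original article or the leaked presentation), the sketch below shows how a defender can spot that pattern: it replays connection events and counts handshakes left half-open, meaning a SYN arrived but the final ACK never did. The event format, addresses, timeout and alert threshold are all constructed assumptions.

```python
# Added illustration: defender-side tracking of half-open TCP handshakes.
# Events are (time_ms, src_ip, src_port, flag) as seen on one listening port;
# all addresses and thresholds below are constructed sample values.

def analyze_handshakes(events, syn_timeout_ms=30_000, backlog_alert=5):
    """Replay events and report how many handshakes were left half-open."""
    pending = {}  # (src_ip, src_port) -> time the SYN arrived
    syns = completed = peak = 0
    alert_time = None
    for ts, src, sport, flag in events:
        # Expire entries the server would already have given up on.
        for key in [k for k, t in pending.items() if ts - t > syn_timeout_ms]:
            del pending[key]
        if flag == "SYN":
            syns += 1
            pending[(src, sport)] = ts
        elif flag == "ACK" and (src, sport) in pending:
            # Final ACK of the three-way handshake: connection established.
            completed += 1
            del pending[(src, sport)]
        peak = max(peak, len(pending))
        if alert_time is None and len(pending) >= backlog_alert:
            alert_time = ts
    return {"syns": syns, "completed": completed,
            "peak_half_open": peak, "alert_time_ms": alert_time}

# Constructed traffic: two clients that finish the handshake ...
NORMAL = [
    (0, "192.0.2.10", 40001, "SYN"), (100, "192.0.2.10", 40001, "ACK"),
    (1000, "192.0.2.11", 40002, "SYN"), (1100, "192.0.2.11", 40002, "ACK"),
]
# ... and eight SYNs from addresses that never answer the server's SYN-ACK.
FLOOD = [(2000 + i * 10, f"198.51.100.{i + 1}", 50000 + i, "SYN") for i in range(8)]

if __name__ == "__main__":
    print("normal:", analyze_handshakes(NORMAL))
    print("mixed: ", analyze_handshakes(NORMAL + FLOOD))
```

A low ratio of completed handshakes to SYNs, together with a rising half-open count, is the signal; the legitimate clients in the sample never push the pending table above one entry.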

According to the presentation, which detailed how "online covert action techniques can aid cyber threat awareness," the DDoS attacks were part of a broader effort to scare people away from the Anonymous and LulzSec boards. The effort was run by Britain's Government Communications Headquarters (GCHQ), the country's equivalent of the NSA. In particular, a previously undocumented GCHQ unit called the Joint Threat Research Intelligence Group, or JTRIG, was running the program, which appeared to have been launched to respond to a spike in the volume of Anonymous and LulzSec attacks.

Why did British spooks name the operation Rolling Thunder? They appear to have been referencing the sustained US Vietnam War aerial bombardment campaign of the same name, although Rolling Thunder was also the name of a 1972 solo album by Grateful Dead drummer Mickey Hart.

News of the covert DDoS campaign against Anonymous and LulzSec participants sparked questions about whether the British government's efforts were appropriate, or even legal. Perhaps predictably, one Anonymous channel also tweeted: "Remember you cant ddos an idea."

But Michael Leiter, the former head of the US government's National Counterterrorism Center, defended the UK government's DDoS attack campaign. "While there must of course be limitations," he told NBC, where he now works as an analyst, "law enforcement and intelligence officials must be able to pursue individuals who are going far beyond speech and into the realm of breaking the law: defacing and stealing private property that happens to be online."

The British government's IRC-attack campaign, however, likely affected not just rule breakers, but also a number of people who were engaged solely in political or even unrelated discussions.

The attacks have also now set a dangerous precedent. "Whether you agree with the activities of Anonymous or not -- which have included everything from supporting the Arab Spring protests to DDoSing copyright organizations to doxing child pornography site users -- the salient point is that democratic governments now seem to be using their very tactics against them," Gabriella Coleman, a professor at Canada's McGill University and expert in all things Anonymous, wrote in an opinion piece for Wired.

"The key difference, however, is that while those involved in Anonymous can and have faced their day in court for those tactics, the British government has not," she said.

Jake Davis, the former LulzSec participant known as "Topiary" who served jail time and is now on parole, echoed her assessment via Twitter: "I plead guilty to two counts of DDoS conspiracy and to my face these GCHQ bastards were doing the exact same thing."

He added: "The UK government banned a 16-year-old boy (@musalbas) from the Internet for 2 years while they themselves were launching illegal attacks."

The anti-Anonymous campaign relied on more than just DoS or DDoS attacks. The SIGDEV presentation also appears to document the use of covert human intelligence sources (CHIS) -- referring to the creation of covert relationships that are meant to gather intelligence or effect a desired outcome -- and notes that "80% of those messaged where [sic] not in the IRC channels 1 month later." That suggests anonymous JTRIG operatives were sending IRC messages to participants inside known Anonymous and LulzSec chat boards, warning that they ran the risk of violating British computer crime laws and thus facing jail time.

Some critics have accused the British government's anti-hacktivist campaign of trampling on the free-speech rights of its citizens. But unlike the United States, Britain has no laws that explicitly and clearly grant its citizens the right to free speech.

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
Comments
asksqn, User Rank: Ninja
2/5/2014 | 3:33:01 PM
Rules for thee but not for me
LOL so then since the British government has launched its own DDoS attack does that then mean it's OK for anyone else to do so?  Pardon me, but this smacks very much of the same thought process the US government has. It is childish and not a constructive use of resources.
Thomas Claburn, User Rank: Ninja
2/5/2014 | 5:00:06 PM
Re: Rules for thee but not for me
The double standard here is troubling.
Mathew, User Rank: Apprentice
2/6/2014 | 4:26:49 AM
Re: Rules for thee but not for me
But it was 2011 and hackers were running amok! Something Had To Be Done.

But of course after they'd arrested a bunch of (mostly) teenagers, in retrospect the British government looks a bit silly -- for starters.
Whoopty, User Rank: Ninja
2/6/2014 | 9:14:56 AM
Freedom of Speech
British intelligence should be very careful with this sort of thing. It's dangerously close to infringing on human rights by denying the freedom of speech to those they attacked. They're in enough trouble with EUCHR due to Tempora. 
Drew Conry-Murray, User Rank: Ninja
2/6/2014 | 9:57:30 AM
Re: Rules for thee but not for me
I agree, it makes the British government look silly. If you're going to punish people for launching DDoS attacks, it's hypocritical to launch one yourself. In addition, as a mechanism to stifle Anonymous activity or deter participation, it's absolutely useless.
Lorna Garey, User Rank: Ninja
2/6/2014 | 1:04:59 PM
Re: Rules for thee but not for me
Governments regularly take actions that would be illegal for citizens, from imposing the death penalty to waging war to seizing assets to issuing currency. Offensive security as a tactic is on the horizon. Anyone who thinks governments won't -- and aren't -- using it now is naive.