

What's Next For Anonymous After Sabu Arrest?

Members of the hacktivist collective have defaced websites, and taunted LulzSec leader Sabu for turning informer. But will he have company?

After the Department of Justice Tuesday announced the arrest of 28-year-old Hector Xavier Monsegur, better known as LulzSec leader "Sabu," hacktivists responded quickly.

One of the first targets was antivirus vendor Panda Labs, which had helped authorities arrest 25 alleged Anonymous hackers last month. Its website was defaced with an open statement issued by AntiSec, an offshoot of Anonymous and LulzSec, accompanied by a previously released LulzXmas video recapping the top exploits of Anonymous in 2011.

In the missive, AntiSec claimed to have built a back door into Panda's antivirus software. "Hello friends! pandasecurity.com, better known for its ... ANTIVIRUS WE HAVE BACKDOORED, has earning money working with Law Enforcement to lurk and snitch on anonymous activists," it read. "They helped to jail 25 anonymous in different countries and they were actively participating in our IRC channels trying to dox many others."

[ For more on the arrest, see LulzSec Sabu Arrest: Don't Relax Yet, IT. ]

AntiSec also released numerous employee access credentials, and said it had "owned" 35 different Panda websites. But Panda Labs technical director Luis Corrons said via Twitter that attackers had only accessed non-critical company websites. "It was only an external server with blogs and marketing sites."

According to a statement released by Panda, "On March 6th the hacking group LulzSec, part of Anonymous, obtained access to a Panda Security webserver hosted outside of the Panda Security internal network." (Despite that statement, the website defacement text said the attack had been conducted by AntiSec, although "DeathToSnitches" and "LulzSec" were mentioned in the heading.)

Panda said that only marketing-related data and outdated user credentials--from employees who'd left the company at least five years prior--were accessed, and that "the attack did not breach Panda Security's internal network and neither source code, update servers, nor customer data was accessed."

One targeted Panda marketing site had included a blog posted Tuesday with the title "Where is the lulz now?" that discussed the "really good news ... that LulzSec members have been arrested." As of press time, the company's blog and press pages, amongst other parts of its website, remained unreachable. According to a post made to the AnonymousIRC Twitter channel, "http://pandalabs.pandasecurity.com ... they're still locked out from their own servers."

Meanwhile, AntiSec Tuesday also announced that it had hacked the Delaware Correctional Officer's Forum website. It remained offline Wednesday.

In the wake of the apparent LulzSec takedown, what's next for Anonymous and its affiliates? "Anyone who trusted Sabu is going to be in a panic right now," Jennifer Emick, a former member of Anonymous who began working against it after it switched to attacking the U.S. government, told Reuters. "Hard drives are being deleted."

But although federal authorities might have arrested the alleged core members of LulzSec, other hacktivists appear to still be operating with abandon, and security experts have said that aside from the threat of being arrested, there's little to stop them from doing so.

In its Panda-delivered missive, for example, AntiSec sounded brazen, giving a shout-out to LulzSec and "Antisec fallen friends," taunting the FBI and other law enforcement organizations--"come at us bros ... we are waiting for you"--and including a somewhat poignant reference to Sabu, who authorities said had helped to put away five other hackers after he turned informant in June 2011. "As usually happens FBI menaced him to take his sons away we understand, but we were your family too (remember what you liked to say?). It's sad and we cant imagine how it feels having to look at the mirror each morning and see there the guy who shopped their friends to police," read the website defacement.

Accordingly, despite the LulzSec arrests, "the barrier to entry for imitators and at-large members of these groups to research, surveil and carry out attacks against cyber targets remains unacceptably low," said Nick Selby, managing director of TRM Partners, on his Police-Led Intelligence blog.

"While this may be the end or a serious blow to the LulzSec crowd, groups of hackers intent on causing damage pre-date and will certainly post-date these events. Don't bet that attacks will stop," Selby wrote. Nor should anyone bet that many website and database administrators will take the time to properly lock down their systems, which is what would actually block these types of attacks.

Until that happens, expect ongoing hacktivist attacks, as well as efforts by law enforcement agencies to corral the worst offenders. Notably, authorities have said that Sabu isn't the only member of Anonymous who's turned informer.


3/15/2012 | 1:59:02 AM
re: What's Next For Anonymous After Sabu Arrest?
@readers: Do you think this will serve as a deterrent for some of the people who are not the core people orchestrating hacks but still participate in some of the DDoS attacks?
Brian Prince, InformationWeek/Dark Reading Comment Moderator
3/7/2012 | 10:59:44 PM
re: What's Next For Anonymous After Sabu Arrest?
Unless you acquiesce to living in a totalitarian society, the actions of groups like Anonymous are imperative. The government is as fallible as the systems we have created. Anonymous may not be "right," but they are "necessary" for society to continue to evolve.

Sabu is simply a disgrace.
