Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


What's Next For Anonymous After Sabu Arrest?

Members of the hacktivist collective have defaced websites, and taunted LulzSec leader Sabu for turning informer. But will he have company?

Anonymous: 10 Facts About The Hacktivist Group
Anonymous: 10 Facts About The Hacktivist Group
(click image for larger view and for slideshow)
After the Department of Justice Tuesday announced the arrest of 28-year-old Hector Xavier Monsegur, better known as LulzSec leader "Sabu," hacktivists responded quickly.

One of the first targets was antivirus vendor Panda Labs--which had helped authorities arrest 25 alleged Anonymous hackers last month--which saw its website defaced with an open statement, issued by the Anonymous and Lulzsec-offshoot group AntiSec, accompanied by a previously released LulzXmas video recapping the top exploits of Anonymous in 2011.

In the missive, AntiSec claimed to have built a back door into Panda's antivirus software. "Hello friends! pandasecurity.com, better known for its ... ANTIVIRUS WE HAVE BACKDOORED, has earning money working with Law Enforcement to lurk and snitch on anonymous activists," it read. "They helped to jail 25 anonymous in different countries and they were actively participating in our IRC channels trying to dox many others."

[ For more on the arrest, see LulzSec Sabu Arrest: Don't Relax Yet, IT. ]

AntiSec also released numerous employee access credentials, and said it had "owned" 35 different Panda websites. But Panda Labs technical director Luis Corrons said via Twitter that attackers had only accessed non-critical company websites. "It was only an external server with blogs and marketing sites."

According to a statement released by Panda, "On March 6th the hacking group LulzSec, part of Anonymous, obtained access to a Panda Security webserver hosted outside of the Panda Security internal network." (Despite that statement, the website defacement text said the attack had been conducted by AntiSec, although "DeathToSnitches" and "LulzSec" were mentioned in the heading.)

Panda said that only marketing-related data and outdated user credentials--from employees who'd left the company at least five years prior--were accessed, and that "the attack did not breach Panda Security's internal network and neither source code, update servers, nor customer data was accessed."

One targeted Panda marketing site had included a blog posted Tuesday with the title "Where is the lulz now?" that discussed the "really good news ... that LulzSec members have been arrested." As of press time, the company's blog and press pages, amongst other parts of its website, remained unreachable. According to a post made to the AnonymousIRC Twitter channel, "http://pandalabs.pandasecurity.com ... they're still locked out from their own servers."

Meanwhile, AntiSec Tuesday also announced that it had hacked the Delaware Correctional Officer's Forum website. It remained offline Wednesday.

In the wake of the apparent LulzSec takedown, what's next for Anonymous and its affiliates? "Anyone who trusted Sabu is going to be in a panic right now," Jennifer Emick, a former member of Anonymous who began working against it after it switched to attacking the U.S. government, told Reuters. "Hard drives are being deleted."

But although federal authorities might have arrested the alleged core members of LulzSec, other hacktivists appear to still be operating with abandon, and security experts have said that aside from the threat of being arrested, there's little to stop them from doing so.

In its Panda-delivered missive, for example, AntiSec sounded brazen, giving a shout-out to LulzSec and "Antisec fallen friends," taunting the FBI and other law enforcement organizations--"come at us bros ... we are waiting for you"--and including a somewhat poignant reference to Sabu, who authorities said had helped to put away five other hackers after he turned informant in June 2011. "As usually happens FBI menaced him to take his sons away we understand, but we were your family too (remember what you liked to say?). It's sad and we cant imagine how it feels having to look at the mirror each morning and see there the guy who shopped their friends to police," read the website defacement.

Accordingly, despite the LulzSec arrests, "the barrier to entry for imitators and at-large members of these groups to research, surveil and carry out attacks against cyber targets remains unacceptably low," said Nick Selby managing director of TRM Partners, on his Police-Led Intelligence blog.

"While this may be the end or a serious blow to the LulzSec crowd, groups of hackers intent on causing damage pre-date and will certainly post-date these events. Don't bet that attacks will stop"--or that many website and database administrators will take the time to properly lock down their systems, which would block these types of attacks.

Until that happens, expect ongoing hacktivist attacks, as well as efforts by law enforcement agencies to corral the worst offenders. Notably, authorities have said that Sabu isn't the only member of Anonymous who's turned informer.

Security concerns give many companies pause as they consider migrating portions of their IT operations to cloud-based services. But you can stay safe in the cloud. In our Cloud Security report, we explain the risks and guide you in setting appropriate cloud security policies, processes, and controls. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
3/15/2012 | 1:59:02 AM
re: What's Next For Anonymous After Sabu Arrest?
@readers: Do you think this will serve as a deterrent for some of the people who are not the core people orchestrating hacks but still participate in some of the DDoS attacks?
Brian Prince, InformationWeek/Dark Reading Comment Moderator
User Rank: Apprentice
3/7/2012 | 10:59:44 PM
re: What's Next For Anonymous After Sabu Arrest?
unless you acquiesce to living in a totalitarian society the actions of groups like anonymous are imperative. the government is as fallible as the systems we have created. anonymous may not be "right" but they are "necessary" for society to continue to evolve.

sabu is simply a disgrace.

COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
6 Ways Passwords Fail Basic Security Tests
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/28/2020
'Act of War' Clause Could Nix Cyber Insurance Payouts
Robert Lemos, Contributing Writer,  10/29/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Measure and Reduce Cybersecurity Risk in Your Organization
In this Tech Digest, we examine the difficult practice of measuring cyber-risk that has long been an elusive target for enterprises. Download it today!
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-29
Cross-Site Scripting (XSS) vulnerability on WSO2 API Manager 3.1.0. By exploiting a Cross-site scripting vulnerability the attacker can hijack a logged-in user’s session by stealing cookies which means that a malicious hacker can change the logged-in user’s pass...
PUBLISHED: 2020-10-29
A flaw was found in Ansible Collection community.crypto. openssl_privatekey_info exposes private key in logs. This directly impacts confidentiality
PUBLISHED: 2020-10-29
Sal is a multi-tenanted reporting dashboard for Munki with the ability to display information from Facter. In Sal through version 4.1.6 there is an XSS vulnerability on the machine_list view.
PUBLISHED: 2020-10-29
A null pointer dereference flaw was found in samba's Winbind service in versions before 4.11.15, before 4.12.9 and before 4.13.1. A local user could use this flaw to crash the winbind service causing denial of service.
PUBLISHED: 2020-10-29
An issue was discovered in EyesOfNetwork eonweb 5.3-7 through 5.3-8. The eonweb web interface is prone to a SQL injection, allowing an unauthenticated attacker to exploit the username_available function of the includes/functions.php file (which is called by login.php).