Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:21 PM
Connect Directly

'OpUSA' Hacktivist Attacks Fall Short

Anonymous groups wage ad-hoc defacements, data dumps from a few lesser-known sites -- not the planned attacks on major U.S. government agencies, banks

Hacktivist groups under the Anonymous umbrella had warned they would take down major U.S. government and financial websites today in what they dubbed the OpUSA hacking campaign. But in the end, it was just a few defacements of lesser-known websites and seemingly random dumps of personal information online.

As of this posting, there were no reports of any major site disruptions or distributed denial-of-service (DDoS) attacks. According to Radware's Emergency Response Team, which kept a running report on the attacks updated on its website today there were at least a handful of victims, including the website of a small community bank in Arkansas, which got defaced by the attackers, and a database dump of users of the Bloodbanker.com website. Yesterday, the Embassy of Cape Verde in the U.S. suffered a defaced website, plus a few other isolated incidents occurred today in the name of OpUSA, including a dump of 10,000 alleged stolen Visa card accounts.

[Hacktivist groups plan denial-of-service attacks on banks, government sites. See Anonymous, LulzSec, OpUSA Plan Broad Attacks On Government Agencies, Banks On Tuesday.]

The seemingly disjointed campaign was a reflection of the evolving state of hacktivism and Anonymous, which is not one group with a common agenda, security experts say -- and possibly a lack of resources to pull off the effort. What was most striking about the lack of shock and awe of today's campaign was that it actually registered less hacktivist activity than when the hacktivist group Izz ad-Din al-Qassam Cyber Fighters were actively and successfully waging DDoS attacks on major financial institutions, notes Carl Herberger, vice president of security solutions for Radware. The Izz ad-Din al-Qassam Cyber Fighters went dark for a few days in deference to OpUSA and in order to avoid any confusion about their different motivations.

"When the Izz ad-Din al-Qassam Cyber Fighters decided to take a pass this week ... the level of attack activity dropped," Herberger says. "Our devices are under less load today than when [the Cyber Fighters were in action] last week."

The Cyber Fighters have more firepower and are more organized than the groups behind OpUSA appear to have, he says.

"There were some [OpUSA] attacks, and they were pedestrian in nature relative to what we've become used to and humbled with operations by [the Cyber Fighters]," he says. "The tools and techniques here were reminiscent of attacks 18 to 24 months ago."

Anonymous, under the guise of N4m3le55 Cr3w, AnonGhost and other groups, said May 7 would represent day one of the operation, which is in apparent protest to U.S. policies on Iraq, Afghanistan, and Pakistan. "You can not stop the internet hate machine from doxes, DNS attacks, defaces, redirects, ddos attacks, database leaks, and admin take overs. Greetings to Anonghost, Mauritania hackers, Ajax team, Muslim liberation army, ZHC, antisec, lulzsec, Redhat, team poison reborn and any other hackers joining operation USA," the attackers said in a post.

Among the list of U.S. government takedown targets were the websites of the Defense Department, NSA, the FBI, and the White House. Some 130 banks and credit unions were also listed, including Bank of America, Chase, Citibank, SunTrust, Wells Fargo, and nearly all major banks. None of the targets reported a DDoS attack as of this posting.

In a new Pastebin post this afternoon, the AnonGhost team listed successful OpUSA hacks today, including more than 100,000 email accounts, 60 U.S websites, 5,000 U.S. Facebook accounts, and an "agent from the U.S. House of Representatives," but it was unclear whether these were all confirmed attacks.

So why did the OpUSA DDoS operation fizzle? Sorin Mustaca, a security expert for Avira, says the attackers would need heavy botnet backing to wage the massive DDoS attacks they had promised. "You would have to have a very serious botnet at your disposal, which is not that complicated these days. If you don't own it, you have to pay for it," he says. "Then who is going to pay for those expenses? Why I don't really think anything is going to happen [today] is I'm not aware of any major botnets being online and used remotely" for this, he says.

Mustaca says one explanation could be that the hacktivists ultimately were looking to get hired for their services. "They might create the market so they could get paid," he says. "Somebody has to pay for" the botnet and other resources, he says, so they were attempting to demonstrate their capabilities.

Radware's Herberger says it's more of an indication of how different the OpUSA hacktivists are from the Izz ad-Din al-Qassam Cyber Fighters. OpUSA was only successful thus far at defacing a few small banks, he says. "The Cyber Fighters have the attribute of offensive cyberwar," he says. "These guys here are not clearly organized or skilled and don't have the choreography."

Even so, Herberger says he knows of at least two major U.S. investment banks that had not yet been attacked that experienced attack attempts last week. "It looked like they were testing [attack] tools and techniques" on the banks, he says.

Either way, you always take any attack threats seriously, experts say. "We should take all of these things very seriously and be glad when nothing happens," Herberger says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
7 SMB Security Tips That Will Keep Your Company Safe
Steve Zurier, Contributing Writer,  10/11/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: The old using of sock puppets for Shoulder Surfing technique. 
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-17
Adobe Download Manager versions have an insecure file permissions vulnerability. Successful exploitation could lead to privilege escalation.
PUBLISHED: 2019-10-17
Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite.
PUBLISHED: 2019-10-17
An issue was discovered in Bitdefender BOX firmware versions before that affects the general reliability of the product. Specially crafted packets sent to the miniupnpd implementation in result in the device allocating memory without freeing it later. This behavior can cause the miniupn...
PUBLISHED: 2019-10-17
CA Performance Management 3.5.x, 3.6.x before 3.6.9, and 3.7.x before 3.7.4 have a default credential vulnerability that can allow a remote attacker to execute arbitrary commands and compromise system security.
PUBLISHED: 2019-10-17
The Deep Security Manager application (Versions 10.0, 11.0 and 12.0), when configured in a certain way, may transmit initial LDAP communication in clear text. This may result in confidentiality impact but does not impact integrity or availability.