What's Next For Anonymous After Sabu Arrest?

Members of the hacktivist collective have defaced websites, and taunted LulzSec leader Sabu for turning informer. But will he have company?

Mathew J. Schwartz, Contributor

March 7, 2012

4 Min Read

Anonymous: 10 Facts About The Hacktivist Group

Anonymous: 10 Facts About The Hacktivist Group

Anonymous: 10 Facts About The Hacktivist Group (click image for larger view and for slideshow)

After the Department of Justice Tuesday announced the arrest of 28-year-old Hector Xavier Monsegur, better known as LulzSec leader "Sabu," hacktivists responded quickly.

One of the first targets was antivirus vendor Panda Labs--which had helped authorities arrest 25 alleged Anonymous hackers last month--which saw its website defaced with an open statement, issued by the Anonymous and Lulzsec-offshoot group AntiSec, accompanied by a previously released LulzXmas video recapping the top exploits of Anonymous in 2011.

In the missive, AntiSec claimed to have built a back door into Panda's antivirus software. "Hello friends! pandasecurity.com, better known for its ... ANTIVIRUS WE HAVE BACKDOORED, has earning money working with Law Enforcement to lurk and snitch on anonymous activists," it read. "They helped to jail 25 anonymous in different countries and they were actively participating in our IRC channels trying to dox many others."

[ For more on the arrest, see LulzSec Sabu Arrest: Don't Relax Yet, IT. ]

AntiSec also released numerous employee access credentials, and said it had "owned" 35 different Panda websites. But Panda Labs technical director Luis Corrons said via Twitter that attackers had only accessed non-critical company websites. "It was only an external server with blogs and marketing sites."

According to a statement released by Panda, "On March 6th the hacking group LulzSec, part of Anonymous, obtained access to a Panda Security webserver hosted outside of the Panda Security internal network." (Despite that statement, the website defacement text said the attack had been conducted by AntiSec, although "DeathToSnitches" and "LulzSec" were mentioned in the heading.)

Panda said that only marketing-related data and outdated user credentials--from employees who'd left the company at least five years prior--were accessed, and that "the attack did not breach Panda Security's internal network and neither source code, update servers, nor customer data was accessed."

One targeted Panda marketing site had included a blog posted Tuesday with the title "Where is the lulz now?" that discussed the "really good news ... that LulzSec members have been arrested." As of press time, the company's blog and press pages, amongst other parts of its website, remained unreachable. According to a post made to the AnonymousIRC Twitter channel, "http://pandalabs.pandasecurity.com ... they're still locked out from their own servers."

Meanwhile, AntiSec Tuesday also announced that it had hacked the Delaware Correctional Officer's Forum website. It remained offline Wednesday.

In the wake of the apparent LulzSec takedown, what's next for Anonymous and its affiliates? "Anyone who trusted Sabu is going to be in a panic right now," Jennifer Emick, a former member of Anonymous who began working against it after it switched to attacking the U.S. government, told Reuters. "Hard drives are being deleted."

But although federal authorities might have arrested the alleged core members of LulzSec, other hacktivists appear to still be operating with abandon, and security experts have said that aside from the threat of being arrested, there's little to stop them from doing so.

In its Panda-delivered missive, for example, AntiSec sounded brazen, giving a shout-out to LulzSec and "Antisec fallen friends," taunting the FBI and other law enforcement organizations--"come at us bros ... we are waiting for you"--and including a somewhat poignant reference to Sabu, who authorities said had helped to put away five other hackers after he turned informant in June 2011. "As usually happens FBI menaced him to take his sons away we understand, but we were your family too (remember what you liked to say?). It's sad and we cant imagine how it feels having to look at the mirror each morning and see there the guy who shopped their friends to police," read the website defacement.

Accordingly, despite the LulzSec arrests, "the barrier to entry for imitators and at-large members of these groups to research, surveil and carry out attacks against cyber targets remains unacceptably low," said Nick Selby managing director of TRM Partners, on his Police-Led Intelligence blog.

"While this may be the end or a serious blow to the LulzSec crowd, groups of hackers intent on causing damage pre-date and will certainly post-date these events. Don't bet that attacks will stop"--or that many website and database administrators will take the time to properly lock down their systems, which would block these types of attacks.

Until that happens, expect ongoing hacktivist attacks, as well as efforts by law enforcement agencies to corral the worst offenders. Notably, authorities have said that Sabu isn't the only member of Anonymous who's turned informer.

Security concerns give many companies pause as they consider migrating portions of their IT operations to cloud-based services. But you can stay safe in the cloud. In our Cloud Security report, we explain the risks and guide you in setting appropriate cloud security policies, processes, and controls. (Free registration required.)

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights