According to a recent government report, the group may well be able to launch a distributed denial of service attack against critical infrastructure. But the likelihood of Anonymous developing bespoke critical infrastructure attacks--on par with Stuxnet--is slim.
The Department of Homeland Security (DHS) study, "Assessment of Anonymous Threat to Control Systems," evaluated the group's potential to disrupt the critical infrastructure. A copy of the four-page report, marked as unclassified but "for official use only" and dated September 16, 2011, was published on Monday by the Public Intelligence website.
[ The Feds are moving aggressively to bust hackers. Read FBI Busts Suspected LulzSec Hacker In Sony Breach ]
The report's creation was spurred in part by a July 19 post on Twitter by a known Anonymous member, which listed a directory tree for Siemens SIMATIC control system software. "This is an indication in a shift toward interest in control systems by the hacktivist group" according to the government report.
The report noted that Anonymous has also called on its members to target energy companies. In addition, a Pastebin post made on July 11, detailed an attack against biotech seed producer--and control system user--Monsanto. Signed with the Anonymous tagline "expect us," the post claimed that Monsanto's Web infrastructure had been disabled for two days, and its email servers disabled for three days, and that attackers had stolen data on 2,500 company employees and business partners. According to news reports, Monsanto confirmed that its servers had been attacked.
The so-called critical infrastructure refers to the nation's communications, energy, finance, food, government, health, transport, and water providers. Despite recent discussion on the part of lawmakers and government agencies about the extent to which the government should be involved in protecting that critical infrastructure, it's currently controlled almost entirely by private businesses.
Furthermore, according to a survey of those businesses conducted last year by Symantec, half said they've seen politically motivated attacks against their networks. But such attacks seemed to focus on intelligence-gathering or stealing intellectual property, rather than disrupting their control systems outright.
Despite the rise of hacktivist groups such as Anonymous and LulzSec, the DHS report said that threats to control systems don't seem to have increased. Notably, it said, all information released publicly by Anonymous shows "no indication of exploitation capability" when it comes to control systems. Of course, members of Anonymous could study up on control system software, and develop malware aimed at disabling control systems. "However, the lack of centralized leadership/coordination and specific expertise may pose challenges to this effort," according to the report.
Despite some Anonymous-related chatter over control systems, would the group really bother to attack critical infrastructure, or design the required malware? "You have to think of intent: What's the ultimate goal of Anonymous? Is it to cause massive damage to our critical infrastructure? It doesn't seem to be," said Eric Knapp, director of critical infrastructure markets for security intelligence and event management vendor NitroSecurity, in an interview.
The DHS report does, however, warn that even if Anonymous doesn't pose a risk to control systems, all businesses with Internet-connected control systems should ensure that they're protected. "There are control systems that are currently accessible directly from the Internet and easy to locate through Internet search engine tools and applications," according to the report. "These systems could be easily located and accessed with minimal skills in order to trespass, carry out nefarious activities, or conduct reconnaissance activities to be used in future operations."
Knapp notes that "the moral of the story is that if you're operating a critical network that includes a control system, you need to secure and separate it from access, as much as possible, but also secure it, because there are threats out there aside from Anonymous, such as disgruntled insiders, or outside parties."
But since Stuxnet, he said that businesses that run critical infrastructure are much more aware of threats to and security risks involving control systems. "Everybody is at least thinking about it, and that's good," he said. "Stuxnet has been out there, and a lot of the code is available, so the probability of a Stuxnet-type attack occurring is not science fiction. It's not terribly difficult to do. So [businesses] have to be thinking about how to improve their security, and they are."