Cyber Guerillas’ Attacks Present Security Risk

January 25, 2011

If anyone needed proof that cyber activists can create havoc in the real world, the last few weeks have provided evidence in megabytes.

Rallying behind WikiLeaks, the thousands of internet activists who made headlines in December by bringing down the websites of MasterCard and Visa have been branching out.

Operating under the banner “Anonymous,” their other forms of action have included hacker defacements of websites, real-life protests such as mass leafleting, and a role in Tunisia’s “Jasmine Revolution”.

Anonymous activists attacked and shut down several government websites before the ouster of former President Zine al Abedine Ben Ali. They have also targeted governments they see as enemies of free speech. Last month the website of Zimbabwe’s finance ministry was hacked and the homepage replaced by a message from Anonymous.

A report by the Organisation for Economic Cooperation and Development (OECD) this week said such attacks on computer systems are unlikely to cause a global shock on their own, though they could do so if launched in the midst of a natural disaster such as a large solar flare that wipes out satellites and other key communications hardware.

But this misses the point. Global chaos is not Anonymous’ aim. As the WikiLeaks and Tunisia cases show, the group targets specific institutions and its attacks are designed to temporarily delay more than destroy. Think of them not as acts of cyber war but as high-profile guerrilla strikes.

CATALYSTS

A look inside some of the main online forums suggests that those behind the WikiLeaks-inspired attacks are patient, coordinate almost organically, and remain wary of outsiders. All of that means their next moves remain unpredictable.

In the Internet Relay Chat (IRC) channels — chat rooms where up to 3,000 participants at a time can discuss strategy and plot attacks — reporters are treated with suspicion. Over the past few weeks, though, a few Anons — as activists refer to themselves online — agreed to talk to Reuters.

There is anecdotal evidence that Anonymous is growing stronger. Several Anons told Reuters the arrest of Assange and the distributed denial of service (DDoS) attacks against Visa and MasterCard — in which company websites were bombarded with so many requests they crashed — inspired them to join the group.

“Saw it on a news article, joined the IRC, and things went on from there. 4 months ago,” one Anon nicknamed “tflow” told Reuters in a private message on the IRC channel.

“I was angry at the arrest of Assange and how the credit card companies shut down WikiLeaks’ accounts. Been here since,” said another, going by the name of Noms9001, referring to the arrest of WikiLeaks founder Julian Assange in Britain.

“I’m not a rebel, I can say that. For me, it’s been an issue of governments and corporations attempting to control what we say and hear online.”

One said they had been involved with Anonymous since the group’s Project Chanology protests against the Church of Scientology in 2008. Another blamed a failed late December attack on Bank of America on a splinter group of Anonymous, and said an expected drop by WikiLeaks of documents related to the bank could provide an opportunity for a renewed effort to bring down its site.

MONITORING

Targets are chosen by consensus and can be attacked by as many as 10,000 computers simultaneously. Communication is mainly through IRC but supporters also use micro-blogging site Twitter and video-sharing site YouTube to release information.

The activists claim to come from all over — Europe, the United States, China and elsewhere in Asia — and share an almost paranoid concern with covering the tracks left by the software they use.

During the attacks on Tunisian government websites over the past couple of weeks, activists warned Tunisian citizens in the OpTunisia IRC channel against joining an assault on local internet hosting organisation ATI.

“If you are Tunisian, do not participate in the DDoS attack. Chances are that you will get traced and arrested. Unless you have means to conceal your IP and know what you are doing, do NOT attack,” warned one activist.

“Do NOT give out any personal information on this IRC network. This is a public chat and you can be sure that it is monitored,” the activist added.

There’s a good reason for the caution. Two Dutch teenagers were arrested in December in connection with cyber attacks by WikiLeaks supporters. Both have been released and are awaiting trial.

And the U.S. Federal Bureau of Investigation raided a Texas server-hosting company last month looking for evidence that Anonymous had used its servers to launch attacks on PayPal, according to an affidavit obtained by The Smoking Gun website.

Some activists hope their sheer numbers will prevent authorities from trying to trace them. “Imagine tracking 9,000 plus computers across the planet for an arrest,” Calgarc said in the IRC channel in reply to a question on how an attacker can hide his tracks.

FIRE YOUR CANNON

All you need to wage cyber war is a fast-paced internet forum packed with hundreds of determined activists and a simple piece of software called a Low Orbit Ion Cannon. Activists download the LOIC — initially developed to help internet security experts test website vulnerability to DDoS attacks — and start firing packets of data at the targeted website.

If enough people join in, a DDoS attack prevents the overloaded server from responding to legitimate requests and slows the website to a crawl or shuts it down totally.

Attackers can even listen to a dedicated internet radio station, Radiopayback, during attacks.

A quarter of a million copies of the LOIC software have been downloaded from sourceforge.net so far, more than half of them since November when Web hosting and banking organisations began withdrawing support from WikiLeaks.

One in five downloads since the start of November was in the United States, with a few hundred in Tunisia, and a handful in bandwidth-deprived Zimbabwe.

Users of the software can be traced. A study by Dutch researchers found last year that the tool did not mask the host computer’s internet protocol (IP) address.

Barrett Lyon, a security expert who specialises in protecting companies against denial of service attacks, said the LOIC program is fairly rudimentary but effective if used by thousands of people. “It doesn’t have a lot of bells and whistles. It’s not as focused as it could have been. If they got their software together in a more sophisticated kind of way, this kind of thing could have gotten easier with more violence.”

Lyon said depending on the time of day there were 500-10,000 computers involved in the attacks.

“10,000 people have quite a bit of fire power,” he added.

CREDIBLE COUNTERFORCE

Digital activism is not new. Activists slowed police websites in the Philippines in 2006 and DDoS attacks have been used previously in real conflicts.

In 2007, a series of attacks targeted websites of the Estonian parliament, government ministries, banks and media organisations, sparked by a row between Russia and Estonia over the removal of a Soviet World War Two memorial.

And during the brief 2008 war between Georgia and Russia over breakaway South Ossetia, attacks disabled and took offline websites in all the countries involved.

“This (the WikiLeaks-inspired action) may be the biggest of its kind, it may be the most important, but it’s certainly not the first,” said Ben Edelman, an assistant professor at Harvard business school, and an expert on the economics of computer security.

So is the cyber-activism of Anonymous akin to a virtual war? Activists Reuters spoke to seemed happier to compare it with a student or worker sit-in. “Yes, I think it is like a sit-in, not a cyberwar,” said tflow.

But the broad grouping and loose leadership structure of Anonymous also causes some concern in its ranks.

“Things are so unorganised here… frustrating watching it,” said Noms9001. “Anonymous as a whole is a beautiful concept. But I think these operations can be run better… There has to be a balance between control and anarchy, too much of both within Anonymous derails everything.”

(Additional reporting by Jim Finkle in Boston and Aaron Gray-Block in Amsterdam; Editing by Simon Robinson and Sara Ledwith)