The hacking group said it rendered the CIA's public website inaccessible and launched phone DDoS attacks on FBI's Detroit office and other groups suggested by followers.
The hacking group LulzSec, aka the Lulz Boat, on Wednesday claimed to have rendered the CIA's public website inaccessible.
"Tango down - cia.gov - for the lulz," said a tweet on the LulzSec Twitter feed. ("Tango down" is a phrase from the Tom Clancy videogame Rainbow Six, uttered after an enemy's been killed.) For at least part of the day, the CIA website couldn't be reached, or was only sporadically accessible. Some Internet watchers said the site could have been unreachable simply because LulzSec tweets led so many people to try and access the site at once, leading to its becoming slashdotted.
But LulzSec claimed to have used a distributed denial of service (DDoS) attack. "People are saying our CIA attack was the biggest yet, but it was really a very simple packet flood," said a LulzSec tweet.
That apparent attack--according to news reports, the CIA said it's still investigating--followed the group's requests, earlier in the day, for suggested targets. As part of that campaign, the group also released a phone number, which it rerouted for "phone DDoS" attacks. "Our number literally has anywhere between 5-20 people ringing it every single second. We can forward it anywhere in the world. Suggestions?" said a LulzSec tweet.
Suggestions in hand, LulzSec launched phone DDoS attacks against a website that manufacturers custom magnets, the customer service lines for massive multiplayer online game EVE Online and World of Warcraft, and the FBI's Detroit office.
Further continuing in that vein, LulzSec apparently hacked the CIA to impress a Twitter user, Quadrapodacone, who had lambasted the group for only attacking "soft targets" such as PBS and Nintendo, noted Gawker. "Stop calling yourself hackers, you're giving real hackers a bad name," Quadrapodacone said. "Here's a challenge ... fbi.gov or cia.gov try changing text or something." (Both sides of the exchange now appear to have been deleted from Twitter.)
LulzSec's DDoS attack against the CIA followed the group's breach of an FBI-affiliated InfraGard membership database, the contents of which it posted online. The group has similarly targeted Sony and the PBS website, amongst other organizations.
If using DDoS to render websites sounds familiar, that's because the "hacktivist" collective known as Anonymous--from which LulzSec is rumored to have originated--used such attacks as part of Operation Payback. That campaign targeted organizations perceived to be unfriendly to WikiLeaks. According to security experts, DDoS attacks can be easy to launch, but quite difficult to counter.
Beyond this DDoS attack, LulzSec's overall success at breaking into websites seems to stem from poor preparation on the part of targeted organizations, including government agencies. Security experts also suspect that the group's members have been part of the hacking underground for some time, and have the skills and savvy to hide their tracks.
Public opinion over LulzSec's activities appears to be quite divided, with online comments on the group's activities ranging from "it's not real hacking" to comparing LulzSec's CIA website takedown to "a cat with a yarn ball."
According to a poll conducted by antivirus vendor Sophos on its website, 43% of more than 1,500 respondents said they disapprove of what LulzSec is doing, 40% approve, and 17% think it's funny--but they don't approve.
"While some people think this is a fun game that can also help point out corporate security weaknesses, the truth is that companies and innocent customers are--in the worst cases--having their personal data exposed," said Graham Cluley, senior technology consultant at Sophos, in a blog post. "There are responsible ways to inform a business that its website is insecure, or that it has not properly protected its data. What's disturbing is that so many Internet users appear to support LulzSec."
Furthermore, he said, "in case anyone's in any doubt, a denial of service attack, like that which appears to have hit the CIA website, is against the law."
In the new, all-digital Dark Reading supplement: What industry can teach government about IT innovation and efficiency. Also in this issue: Federal agencies have to shift from annual IT security assessments to continuous monitoring of their risks. Download it now. (Free registration required.)
Security Job #1 For FedsThe 2014 InformationWeek Government IT Priorities Survey shows federal IT pros care about security - itís rated as very important by 69% of respondents, 30 percentage points ahead of the No. 2 priority, disaster recovery. Will the upcoming NIST cyber-security framework help manage risk?