DHS Issues Security Bulletin on Anonymous Hackers

Tuesday, September 06, 2011



The Department of Homeland Security (DHS) has issued a security bulletin warning those charged with cybersecurity to be increasingly vigilant in anticipation of the release of a new attack tool known as RefRef by the rogue hacker collective Anonymous.

Federal law enforcement authorities are continuing their investigations into attacks claimed by the hacktivists, including those against PayPal, Visa, MasterCard, PostFinance Bank, Amazon, Bank of America, the U.S. Chamber of Commerce website, as well as for having breached the systems of security consultants HBGary Federal.

The DHS advisory warns of potential targets, techniques, and risk mitigation advice. An excerpt of the DHS bulletin is as follows:


This Bulletin is being provided for your Executive Leadership, Operational Management, and Security Administrators situational awareness. The actors who make up the hacker group “Anonymous” and several likely related offshoots like “LulzSec”, continue to harass public and private sector entities with rudimentary exploits and tactics, techniques, and procedures (TTPs) commonly associated with less skilled hackers referred to as “Script Kiddies”.

Members of Anonymous routinely claim to have an overt political agenda and have justified at least a portion of their exploits as retaliation for perceived ‘social injustices’ and ‘freedom of speech’ issues. Attacks by associated groups such as LulzSec have essentially been executed entirely for their and their associates’ personal amusement, or in their own hacker jargon “for the lulz”.

Anonymous insist they have no centralized operational leadership, which has been a significant hurdle for government and law enforcement entities attempting to curb their actions. With that being said, we assess with high confidence that Anonymous and associated groups will continue to exploit vulnerable publicly available web servers, web sites, computer networks, and other digital information mediums for the foreseeable future.

So far, Anonymous has not demonstrated any capability to inflict damage to critical infrastructure, instead choosing to harass and embarrass its targets. However, some members of LulzSec have demonstrated moderately higher levels of skill and creativity, evidenced in attacks using combinations of methods and techniques to target multiple networks. To date, their attacks have largely resulted in the release of sensitive documents and personally identifiable information.

These attacks have the potential to result in serious harm, particularly to Law Enforcement and other Federal, State and Local Government personnel who may be targeted as a result. Also, this assessment does not take into account the possibility of a higher-level actor providing Anonymous, LulzSec or a similar group with more advanced capabilities.


Anonymous utilizes the internet to recruit and train new personnel, conduct reconnaissance on potential targets, exploit vulnerabilities found in information systems, deny access to resources, alter information presented by organizations, and steal sensitive information. Though the TTPs and tools employed by Anonymous are commonly thought to be rudimentary and unsophisticated, their success to date executing operations and gaining media attention is on par with high profile incidents allegedly involving sophisticated “Advanced Persistent Threat” (APT) actors.

They have relied on taking advantage of weaknesses in applications, thus allowing them to bypass, at least initially, conventional network defenses such as firewalls and anti-virus applications to access sensitive data. Additionally, Anonymous and closely associated groups appear to be building upon recent successes by conducting highly visible messaging campaigns over publicly available social media forums such as Twitter(USPER), YouTube(USPER), and Facebook(USPER).

Anonymous and associated groups pride themselves on being ‘social media’ savvy, and routinely use forums such as Twitter, Facebook, and public web pages to announce intended targets, ongoing attack results, and post files stolen from victim computer networks. These announcements can provide computer network defenders the opportunity to pro-actively supplement their computer network defenses and provide awareness to management, employees, and partners.


Members of the group LulzSec were possibly associated with the 15 June 2011 DDOS attack on the Central Intelligence Agency’s (CIA) public-facing website. Although no information was stolen or released to the public, and the website was not defaced, the site was targeted in a manner consistent with other LulzSec and Anonymous attacks.

Anonymous also declared that the group was at “war” with the Intelligence Community (IC) and has identified it as a future target. Anonymous is likely targeting the IC because it views it as violating its core belief in total freedom of information. Additionally, following the release of government e-mail account data from the July 2011 Booz Allen compromise, an Anonymous operator stated on Twitter that, “We are working on two of the biggest releases for Anonymous in the last 4 years. Put your helmets on. It is war.”

Anonymous has also stated its intent to target companies related to certain Critical Infrastructure / Key Resources sectors. On 12 July 2011, Anonymous released personally identifiable information of approximately 2500 employees of U.S. Agricultural Company Monsanto, and claimed to have taken down corporate web assets and mail servers. Additionally, in a separate statement on 12 July 2011, Anonymous declared their intention to attack several U.S., Canadian, and British companies, including Exxon Mobil and ConocoPhillips, who were associated with development of oil sands in Alberta, Canada.

Future attacks are likely to continue but will likely remain limited in scope due to a lack of advanced capabilities. These attacks are also likely to target the Federal government and critical infrastructure sectors, particularly in response to publicized events relating to civil liberties, cyber security, or allegations of censorship (online or otherwise).


The NCCIC recommends that U.S., Federal/State/local/Tribal/Territorial Departments and Agencies, and private sector partners ensure they have processes in place to notify their leadership and network operators if their organization becomes a possible target by hacktivists or other malicious actors, and what notifications they are required or plan to make in the event of an attack.

Should a cyber attack occur, ensure backup and recovery procedures are in place and enabled. Be prepared to execute a full spectrum defensive plan that includes contact information for external sources to draw on for assistance. Collect and centrally manage detailed aspects of the attack so you can provide accurate information to Operations, Security, and Law Enforcement personnel as necessary.

Such a plan may also include materials identifying who to contact at your Internet service provider, possibly via alternate means, and at any time of day or night to minimize the duration and effect of a cyber attack. Similarly, have contact information readily available for public and private entities to draw on for assistance: the NCCIC, US-CERT, FBI Joint Terrorism Task Force, local FBI Field Office, applicable Information Sharing Analysis Center (ISAC), and Sector Specific Agency.

The full DHS bulletin can be viewed here:

Source:  http://info.publicintelligence.net/NCCIC-Anonymous.pdf

Possibly Related Articles:
Headlines DHS Anonymous Hacktivist National Security Advisory Lulzsec AntiSec RefRef
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.