Prepare for #OpPetrol Targeting Gas and Oil

On June 20, Anonymous will launch the #OpPetrol campaign against international gas and oil companies. It was announced on May 11, shortly after the campaign called #OpUSA began.

These types of organized attacks are often similar, as we have seen in previous operations, and may include:

  • Distributed denial-of-service (DDoS) attacks
  • Hacking and defacing social media accounts or posting fake messages
  • Hacking and defacing organization websites or stealing information and posting it as "proof" of breach
  • Hacking organization servers and attempting sabotage, such as planting disk wiping malware

There are various ways attackers may target these organizations, including using tools like the LOIC (Low Orbit Ion Cannon) or phishing emails to trick recipients into revealing account login details.

Symantec advises organizations to be prepared for attacks in the coming days.

Organizations should monitor for unusual activities in their networks, particularly any attempts to breach the perimeters. Staff members should be specifically trained on social engineering mitigation tactics along with regular security awareness training. As always, we continue to stress the importance of implementing a multi-layered approach to defense.

These recommendations apply to all organizations as best practices that should be carried out regularly, as most attackers do not provide warnings in advance to targets.

OpUSA Begins Today, Is Your Organization Ready?

Following on from recent concerted campaigns by Anonymous against Israel on April 7 and Facebook on April 5, the latest target for the online hacktivist collective is the USA and American online interests. Today, hackers and script kiddies of various affiliations are expected to begin a campaign of hack attacks and general online disruption against any target that is related to the USA. From previous activity of this sort, the attackers are generally opportunistic in nature and will aim for the low-hanging fruit. Attacks may take various forms including the following:

  • DDoS attacks
  • Hack social media accounts and deface or post fake messages
  • Hack organization websites and deface or steal information and post it as “proof” of breach
  • Hack organization servers and attempt sabotage such as planting disk wiping malware
  • Less likely but plausible scenarios could include attacks against ICS/SCADA systems causing real-world impacts, for example disruptions of traffic control systems or electrical grid/power generation

Attackers may use any number of means to gain access or carry out their attacks. The favored methods include:

  • Password brute-forcing as seen against WordPress sites recently
  • Phishing emails to trick recipients into revealing account login details
  • Use of distributed botnets to perform DDoS attacks. Recent high-profile attacks against US financial institutions were performed by using web-server-based botnets running PHP.Brobot, allowing for increased attack bandwidth. Opportunistic attackers will use tools such as LOIC to participate in DDoS attacks.
  • Traditional targeted attack methods involving the use of emails with exploit laden attachments or links to exploit kit websites

OpUSA was first announced back in April and it is quite possible that attackers have been preparing for this event for some time. For example, the recent mass attacks against WordPress sites may have netted attackers a large number of compromised webservers which may now be leveraged to perform large scale attacks for an event such as this one. The initial pastebin announcement included a wish-list of targets, indicating that US government and financial related sites are high on the agenda. We know that other US organizations will also be targeted as a large number of participants may not have the necessary skills or wherewithal to perform attacks against high-profile targets. These attackers with limited skills may perform opportunistic attacks against less protected organizations using basic techniques or toolkits widely available.

The much-publicized activities of OpIsrael have shown that these concerted campaigns can have some level of success. Clearly, OpIsrael never lived up to its claim of “wiping Israel off the internet” but it did result in an increased number of organizations coming under attack. Another observation from OpIsrael is that attacks often started earlier than planned as some hacktivists either jump the gun or perhaps May 7 comes earlier for them depending on where they are based in the world. The same thing is happening this time and already some reports of site defacements and database leaks are trickling in.

Organizations with American interests should be prepared for attacks in the coming days and monitor for unusual activities in their networks and any attempts to breach their perimeters. Staff should also be trained on social engineering mitigation tactics and provided security awareness training. As usual, increased vigilance and a multi-layered approach to defense should help to ward off all but the most determined attackers.

Anonymous hackers take control of North Korean propaganda accounts

One of the images posted to North Korea's Flickr account.

A Twitter account and a Flickr account associated with a North Korean news agency have been taken over by hackers claiming to be from the hacktivist collective Anonymous. Instead of pro-North Korea propaganda, the accounts are now criticizing North Korea and its leader Kim Jong-un for building nuclear weapons. The hackers controlling the Twitter account also claimed to have hacked the news agency's website and other North Korean websites, which appear to be offline.

The Twitter and Flickr accounts represent Uriminzokkiri (meaning "Our Nation"), a North Korean news and propaganda site. When Uriminzokkiri established a Twitter account in 2010, the IDG News Service described the news site as "the closest thing North Korea has to an official home page" and "one of the few Web sites believed to be run from the secretive nation."

The Twitter page, with 14,000 followers, switched from posting in Korean to English this morning. The profile picture was changed to an illustration of two dancers wearing Guy Fawkes masks. The hackers of the Flickr account are posting various pro-Anonymous and anti-North Korea pictures. One depicts Kim Jong-un with pig ears and a Mickey Mouse picture on his chest and says he is "threatening world peace with ICBMs and Nuclear weapons."


Reuters social media editor charged over Anonymous hack of LA Times

Matthew Keys, deputy social media editor for Reuters, has been charged with conspiring with members of Anonymous to hack into the website of the Los Angeles Times in December 2010.

Keys, 26, was charged with one count each of conspiracy to transmit information to damage a protected computer, transmitting information to damage a protected computer, and attempted transmission of information to damage a protected computer. The crimes carry sentences of up to ten years and fines of up to $250,000, though any actual sentences are likely to be a small fraction of these.

Keys was a former employee of California television station KTXL Fox 40. Fox 40 and the LA Times are both owned by media conglomerate the Tribune Company. Through his employment, he had credentials to the Tribune Company's content management system (CMS).
