Mark Russinovich
Operation Desolation
Digital Security News
Cyber Threats More Serious than Terrorism
By Wilson X. Heller
FBI Deputy Director Walter Chase argued Friday that cyber-security attacks will soon be a greater threat than terrorism. “Though terrorism remains the FBI’s top priority, it is now apparent that cyber threats will soon pose the primary menace to our national security,” Chase said in a speech before the American Cyber-Security Conference.
As a result, he added that the FBI “is taking lessons it has learned from fighting traditional terrorism and applying them to cyber-crime.” The FBI agents specializing in cyber-attacks will have the most “sweeping skill set in the bureau.” He urged attendees to consider a career with the FBI.
At the desk in his San Diego hotel room, Jeff Aiken stared at his computer screen. He had fifty-five minutes. CyberCon was being held just around the corner, not five minutes away. He’d started this current project from his home office in Georgetown, D.C., and brought it to an initial point of conclusion. On the cross-country flight, he’d expanded his work and now was busy completing another fix. For some weeks his client, RegSec, had been threatened by the hacktivist group Anonymous. “Justice will be swift!” had read one posting. “Prepare to be extinguished!!!” read another. Anonymous had even named their attack “Operation Desolation.” Given their track record, RegSec’s management had every reason to be concerned.
RegSec, a major investment group and bank, was in the news, having just been cleared by a federal court for its part in the financial meltdown. Through their vast offshore holdings RegSec had been short-selling derivatives under suspect circumstances in the months leading up to the financial collapse. The Court of Appeals had reversed the earlier adverse verdict, ruling that the offshore entities were sufficiently independent of corporate control as to not violate United States law. There was no doubt that RegSec had engaged in unethical and contemptible conduct, amassing billions at the expense of hapless homeowners lured into overpriced houses, but legally — technically — the company had broken no law.
The flamboyant founder and principal owner of RegSec, Reginald Hinton, had celebrated the victory in typical style by flying a bevy of Las Vegas showgirls to his private Bahamas island for a party and making a series of off-the-cuff media statements.
That was when Anonymous had announced its cyberattack. Anonymous was the name given to an Internet meme that originated online in 2003. The concept was for a multitude of committed hackers to act simultaneously to form a vast anarchic, digitized, global brain trust, which would crush targets. Though primarily concerned with antidigital piracy laws, Anonymous had evolved into a broader-based, international organization, if the word even applied to such a disparate group.
They’d been roundly criticized in the mainstream media, called “hackers on steroids” and even “domestic terrorists.” Unfazed and undaunted, they’d continued their assaults on select targets. Because of its aggressiveness and notoriety, Anonymous was the epitome of hacktivism, which was the general theme of this CyberCon. Jeff was going to make a presentation later in the afternoon at the conference, but a good friend from his days with the CIA was appearing in a panel discussion in — he glanced at his wristwatch again — forty-nine minutes, and if rumor was true, even Anonymous itself planned to take part in it.
Comprised primarily of teenagers, though with a number of gifted adult hackers, Anonymous lacked any central control. Proposed targets were posted online and if a sufficient number of hackers in sympathy with the operation joined in, the subsequent attack could be digitally devastating. In recent years Anonymous had successfully penetrated the United Nations’s databases, those of the Bank of America, and even the U.S. Department of Defense (DOD).
As part of its antisecurity effort the group had stolen a gigabyte of data from NATO, posting on a Twitter account “Hi NATO. Yes we haz more of your delicious data. You wonder where from? No hints, your turn. You call it war; we laugh at your battleships.” Juvenile, yes, but the group had successfully stolen highly confidential information.
Anonymous also had launched a cyber-attack on media giant Sony as part of its self-described Operation PayBack. This was done reportedly as retaliation for Sony taking legal action against the man who’d engineered the successful jailbreak of Sony’s PlayStation 3. Waves of Anonymous attacks against Sony began with a distributed denial-of-service (DDoS) attack that temporarily took offline several Sony Web sites and continued with breaches of the Sony Online Entertainment and the Sony PlayStation Network sites. This resulted in the theft of account details for over 70 million Sony customers.
In one of its most embarrassing attacks, Anonymous had secretly recorded a conference call between the FBI and Scotland Yard in which they discussed their investigation into Anonymous hackers. Anonymous then published the call on the Internet. It developed that they’d gained access by hacking the personal e-mail account of one of the intended participants and lifting the log-in information from him. Most recently, they’d accessed local and state police records, making them available online. In addition, Anonymous was commonly believed to work hand-in-glove with WikiLeaks.
For all their vaunted successes, not every operation succeeded — most in fact did not, but when highly motivated, Anonymous had proven itself capable of widespread destruction against its targets. They subjected companies to relentless probes, searching for any weakness. Once they had their foot in the door anything was possible. This could include defacing the company’s Internet Web site, stealing customer financial information, disclosing confidential management information, even looting accounts.
The RegSec CEO had tossed kerosene on the fire by publicly condemning Anonymous and demanding the Department of Justice take criminal action against the group for its efforts at intimidation against his company. He’d gone on to brag that the company’s Web site was impervious to hackers and to DDoS attacks. This had only served to increase the threats against the company and to make a concerted attack more likely.
For nearly three weeks following the court decision, Anonymous had drummed up support on the Internet by posting YouTube videos in support of its plan and spreading word through Twitter. Then they’d launched a DDoS attack, bringing on board hundreds of sympathetic volunteers in the effort.
The plan had succeeded for two hours, bringing the Web site crashing down, and that was when Jeff received a frantic call from the IT director at RegSec, hiring him to stiffen its Web site defenses in preparation for the next phase of the ongoing effort by Anonymous. That phase would involve stealing of information, then the public disclosure of it. Failing that, Anonymous would be content with simply defacing the Web site. Either would create a loss of confidence with the public and cost the company tens of millions in lost revenue, as well as drive down the stock price.
Jeff found the antics of the company CEO intolerable. He’d been sorry to see the court case dropped when he’d read about it. Exploiting corporate law loopholes for gain was not only immoral, it should be illegal. Still, in his line of work, this was a situation in which he occasionally found himself. While he had no regard for the corporation or its ostentatious founder — indeed, nothing but contempt — he was concerned for its millions of innocent customers. He couldn’t control the irresponsible behavior of the company’s founder, but now that he was on the job Jeff took keeping the site and its customers secure as a personal mission. He didn’t like failure and it was now him versus Anonymous.