X

Who is behind the hacks? (FAQ)

Several hacking groups have taken credit for recent attacks on Sony and others. Who are they and why are they doing it?

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
7 min read

Every day there's another report of a computer hack. Yesterday it was a video game company and a U.S. Senate database. And today it could be the Federal Reserve. There's no doubt that there's a wave of attacks going on right now, against different targets and with seemingly different motives.

The questions on everyone's mind are who is behind these computer attacks and why are they doing it. This FAQ will help answer those questions in at least some of the cases.

Update: A 19-year-old man was arrested June 21 in the U.K. and is believed to be formerly associated with the Anonymous hacker group and part of the LulzSec hacker group, although LulzSec denies that.

Who is Anonymous?
Anonymous is the best known of the groups that are currently active and publicly taking credit for, even publicizing in advance, attacks on Web sites. It's a decentralized group that specializes in organizing distributed denial-of-service (DDoS) attacks designed to shut down sites, particularly in support of freedom of speech. Past targets have included the Church of Scientology, BMI, the governments of Egypt and Iran, and companies owned by conservative activist billionaires Charles and David Koch. They also conducted a massive compromise of the security firm HBGary Federal, which had reportedly been working with the FBI to identify the leaders of Anonymous.

They launched a series of effective DDoS attacks against PayPal, Visa, and MasterCard late last year after the companies stopped enabling WikiLeaks to receive contributions through those means. Sources told CNET that the group has undergone a loss of membership and radical shift in direction and organizational participation since the arrest of a 16-year-old alleged member in the Netherlands late last year, the arrest of five people (ages 15-26) in the U.K. in January, and the issuing of more than 40 arrest warrants in the U.S. Member identities were reportedly leaked on the Internet as well. The group's strong anti-establishment and political messages have led some to call them hacktivists, which refers to activists who hack. It's unclear how many people participated in their campaigns, which they call "operations," because their system is designed to allow for confidential participation.

Who have they targeted recently and why?
Anonymous pretty much started the recent spate of hackings against Sony, hitting several Sony sites with a DDoS in early April in retaliation for Sony taking several PlayStation 3 hackers to court. PS3 "modder" George Hotz and Sony eventually settled out of court. But attacks on Sony continued, with a major breach at the PlayStation Network that exposed 77 million customer records and at Sony Online Entertainment where more than 24 million records were exposed. Sony has suggested connections between Anonymous and the breaches. While Anonymous was admittedly behind the initial DDoS, it says it wasn't behind the PSN and Sony Online Entertainment breaches, and hasn't claimed credit for any other Sony attacks. Last week, Spanish police arrested three people accused of taking part in Anonymous activities and Anonymous members retaliated by hitting the Spanish National Police Web site. This week, Turkish police arrested 32 people, including eight who were teens, within days of the group launching a campaign to shut down a Turkish government site in response to new Internet filtering laws. Yesterday, Anonymous was planning an attack on the site of the Federal Reserve for today.

Who is LulzSec?
LulzSec first popped up in early May seemingly out of nowhere. But sources told CNET that the group is a spinoff from Anonymous ranks, but with no pretense of having a political message or moral principle. Indeed, the group's name, LulzSec--a derivative of LOL (laugh out loud) combined with security--is a strong indication that the group's motivation is to just hack for kicks and entertainment. The group makes a lot of jokes and taunts on Twitter and today said it would take hacking target requests. "Pick a target and we'll obliterate it. Nobody wants to mess with The Lulz Cannon - take aim for us, twitter."

Who have they targeted?
LulzSec began publicizing its hacking in May with the compromise of the Web site of the Fox TV show "X Factor" and exposed personal information of contestants, followed by release of internal Fox data. The group also has taken credit for hacks of Sony Music Japan, Sony Pictures, Sony BMG Belgium and Netherlands, Sony Computer Entertainment Developer Network (allegedly stealing source code) and Sony BMG, according to this timeline.

LulzSec hacked the site of PBS.org late last month, leaked passwords, and pasted a spoof news article on the site claiming that deceased rappers Tupac Shakur and Biggie Smalls were alive and residing in New Zealand. The group claimed they were punishing PBS for a Frontline program on WikiLeaks that they claimed was biased against the whistleblower site. LulzSec also has targeted Nintendo and the Web site of FBI partner Infragard in an attempt to embarrass the agency. LulzSec said it took the action against Infragard because of a plan by the Obama administration to classify cyberattacks as acts of war. Among the passwords on the Infragard site was one used by the CEO of botnet tracking firm Unveillance. The CEO told CNET that the hackers used the password to read his e-mails and listen in on conference calls and that they threatened to extort money and botnet data from him. Botnets composed of compromised computers are typically used to send spam and to launch DDoS attacks.

LulzSec recently went public with data stolen from a U.S. Senate Web site and released data stolen from the site of Bethesda Softworks, a subsidiary of gaming company ZeniMax Media. The group also recently compromised a site at the U.K. National Health Services. LulzSec did not release the information publicly, but sent an e-mail to the agency warning them about the problem and then released a redacted version of the e-mail to the public.

Who is Idahc?
Another hacker who has taken credit for attacking Sony is known as Idahc. He has identified himself as a 18-year-old Lebanese computer science student. In an interview this week with Andy Greenberg at Forbes, Idahc said he began hacking for "justice," then it became a game and now he's trying to prompt organizations to improve the security of their Web sites. "I don't hack for 'lulz' but for moral reasons," he said in the interview, adding that he considers groups like LulzSec to be "black hat," or criminal, hackers, and that he is a "gray hat" hacker.

Who has Idahc targeted?
Idahc claims to have stolen 2,000 records from Sony Ericcson's e-commerce site in Canada, leaked a database from Sony Europe, and compromised a Sony Portugal site. Meanwhile, there have been other copycat-type attacks on Sony, specifically a hacker with the alias "k4L0ng666" took credit for hacking Sony Music Indonesia and has reported a long list of other Web site defacements to cybercrime archive Zone-H. And someone with the handle "b4d_vipera" claimed responsibility for hacking Sony BMG Greece.

What about other big recent attacks? Are these all related?
In the past few months there have been a string of other computer hacking incidents, but they are not all linked. Unlike the Sony and other attacks conducted by Anonymous and LulzSec which were done to expose security weaknesses and embarrass a target and get publicity, other types of attacks are more malicious.

For instance, the networks of Citigroup and the International Monetary Fund were compromised recently. Reports have speculated that the IMF was targeted by a foreign government possibly wanting access to insider information that could affect financial markets. It's also unknown who is behind the Citigroup incident, although The New York Times reported that whoever did it managed to get in through the main customer Web site and then leapfrogged between different customers by inserting various account numbers into the browser address bar repeatedly. The data from accounts could be used for financial fraud, although the thieves apparently did not get card expiration dates or security codes, which will make the data more difficult to use.

Then RSA warned customers in March that its system had been compromised and data was stolen related to its SecurID two-factor authentication devices, which are widely used by U.S. government agencies, contractors, and banks to secure remote access to sensitive networks. Within a few months, reports trickled out about breaches at three defense contractors: Lockheed Martin, L-3 Communications, and Northrop Grumman, the first two of which confirmed that the attacks were related to SecurIDs. It's unclear who is behind the attacks, but when it comes to military espionage foreign governments or nation states are often suspected. In this case several experts speculated it could be China.

Google announced earlier this month that it had thwarted an attack aimed at snooping on hundreds of Gmail accounts owned by U.S. and other government officials, journalists, and political activists that appeared to originate in China. Chinese representatives have denied any involvement.

There was also a breach at e-mail marketing service provider Epsilon in April that prompted big companies like Citibank, Chase, Capital One, Walgreens, Target, Best Buy, TiVo, TD Ameritrade, and Verizon to warn customers that their e-mail addresses had been exposed.

And in March someone stole digital certificates from registration authorities associated with Comodo and could have used them to spoof sites like Google, Yahoo, Live.com, and Skype. A 21-year-old Iranian patriot claimed responsibility for the attacks, saying he was protesting U.S. policy and was taking revenge for last year's Stuxnet malware that experts believe was created to shut down Iran's nuclear program.

Updated June 21 at 9:40 a.m. PT with arrest of suspect in U.K. believed to be associated with both Anonymous and LulzSec.