Anonymous gets analyzed

Security outfit Imperva has published a report that purportedly reveals a number of strategic details behind an Anonymous attack against the Vatican during a 25-day period in 2011.

“Our research shows that Anonymous generally mimics the approach used by for-profit hackers, leveraging widely known methods – SQL injection and DDoS – to carry out their attack,” explained Imperva CTO Amichai Shulman.

“We found that Anonymous, although it has developed some custom attack tools, generally uses inexpensive, off-the-shelf tools as opposed to developing complex attacks. Our research further shows that Anonymous will try to [extract] data first and, if that fails, attempt a DDoS attack.”

According to Shulman, the Vatican campaign comprised three distinct phases: recruitment and communication; reconnaissance and application-layer attacks; and, finally, a distributed denial of service (DDoS) attack.

Unsurprisingly, social media channels – such as Twitter, Facebook and YouTube – were the predominant means for suggesting a target and justifying the attack, as well as recruiting volunteers to participate in the hacking campaign.

Interestingly enough, sophisticated hackers made up only a small portion of the volunteers and were primarily active during the reconnaissance and application attack phase, tasked with probing for vulnerabilities and waging application attacks like SQL injection to attempt to lift data from targets.

Masses of Anonymous supporters were called in during the third phase to help execute a coordinated DDoS attack, in the wake of an attempt to extract data via application attacks – which allegedly failed.

“Anonymous can’t attack at will. Rather, Anonymous is subject to the dynamics of crowd-sourced hacking. This means someone must make a compelling case for attack, which requires persuasion and recruitment. This takes time – and if there’s a specific event to disrupt – then a deadline looms,” claimed Shulman.

“From a hacking perspective, this restricts the available hacking activity to taking targeted shots as opposed to setting cyber traps. This is in strong contrast to the hacking methods of government-sponsored hackers who can be more patient. For example, these groups rely heavily on phishing, whereas Anonymous does not.”

Shulman reiterated that Anonymous has developed “some” custom attack tools, including the Low Orbit Ion Cannon (LOIC) for DDoS attacks, which can be run across various devices and operating systems.

However, the group also relies on widely available tools for identifying and exploiting web application vulnerabilities during the reconnaissance and application attack phase. Yet, unlike for-profit hackers, Anonymous rarely engages in common hacking techniques such as botnets, malware, phishing or spear phishing.
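A defender-side way to spot the two-phase pattern described above (a few sources probing for SQL injection, then a many-source flood) in web server access logs, as an added example that is not from the Imperva report. The log lines, thresholds and SQL-injection markers are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus
# Combined-log-format request line; assumption: one HTTP request per line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')
# Crude SQL-injection probe markers for this illustration, not the report's own rules.
SQLI_RE = re.compile(r"(union\s+select|'\s*or\s+'|information_schema|sleep\()", re.I)

def parse_line(line):
    """Return (ip, minute, path, status) or None when the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, path, status = m.groups()
    return ip, ts[:17], path, int(status)  # ts[:17] == "10/Aug/2011:12:00"

def classify_minutes(lines, flood_ips=20, flood_requests=40):
    """Label each minute 'probing' (SQLi patterns), 'flood' (many sources, high volume) or 'normal'."""
    per_min = defaultdict(lambda: {"ips": set(), "reqs": 0, "probes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, minute, path, _ = rec
        b = per_min[minute]
        b["ips"].add(ip)
        b["reqs"] += 1
        if SQLI_RE.search(unquote_plus(path)):  # decode %27 / + before matching
            b["probes"] += 1
    labels = {}
    for minute in sorted(per_min):
        b = per_min[minute]
        flood = len(b["ips"]) >= flood_ips and b["reqs"] >= flood_requests
        labels[minute] = "flood" if flood else ("probing" if b["probes"] else "normal")
    return labels

def campaign_sequence(lines):
    """Collapse consecutive identical minute labels into the observed phase order."""
    seq = []
    for _, label in sorted(classify_minutes(lines).items()):
        if not seq or seq[-1] != label:
            seq.append(label)
    return seq
# Constructed sample (not real Vatican traffic): two IPs probing at 12:00,
# then sixty distinct sources hitting "/" within one minute at 12:05.
SAMPLE = [
    '203.0.113.5 - - [10/Aug/2011:12:00:01 +0000] "GET /news.php?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 500 512',
    '203.0.113.5 - - [10/Aug/2011:12:00:03 +0000] "GET /news.php?id=1+UNION+SELECT+1,2,3 HTTP/1.1" 500 512',
    '203.0.113.9 - - [10/Aug/2011:12:00:09 +0000] "GET /search.php?q=test HTTP/1.1" 200 2048',
] + [f'198.51.100.{i} - - [10/Aug/2011:12:05:{i:02d} +0000] "GET / HTTP/1.1" 200 1024' for i in range(60)]
```

`campaign_sequence(SAMPLE)` returns `['probing', 'flood']`; in practice the thresholds would be tuned to the site's normal request rate and source diversity.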

“[We were] able to witness and report on an Anonymous attack from start to finish. The analysis of this attack provides useful insight into how Anonymous recruits participants and wages an attack.

... We believe these details will help organizations prepare for and respond to a potential attack, as well as offer the greater security community a deeper understanding of how hacktivists operate,” he added.