Snowden leak: GCHQ DDoSed Anonymous & LulzSec's chatrooms

'I plead guilty to 2 counts of conspiracy and these b*st*rds were doing the ... same thing?'

British intelligence ran denial-of-service attacks against chatrooms used by Anonymous and LulzSec, according to an investigation by NBC News involving Snowden confidante Glenn Greenwald.

Documents leaked by the NSA whistleblower record how a GCHQ unit known as the Joint Threat Research Intelligence Group, or JTRIG, used a packet flood operation dubbed Rolling Thunder to "scare away 80 per cent of the users of Anonymous internet chat rooms," NBC reports.

Intelligence agents also infiltrated chatrooms in an operation that successfully identified a hacktivist who siphoned off confidential data from PayPal and also picked up another who had participated in attacks on government websites.

The leaked slides from GCHQ boast that the operation allowed the authorities to identify Edward Pearson (aka GZero), 25, from York, who was convicted and sentenced to 26 months in prison for stealing information from 200,000 PayPal accounts. Pearson and his then girlfriend were both convicted of using stolen credit card details to pay for a hotel stay.

Details of how the g-men's evidence against Pearson was put together were among two case studies included in the leaked GCHQ presentation. The other case cited is partially redacted.

The whole GCHQ counter-offensive operation took place in September 2011, around two or three months after malicious activities spearheaded by LulzSec and other hacktivists reached their zenith.

Hacktivists from LulzSec launched DDoS – as distinct from your common or garden denial-of-service attacks – on the website of the Serious and Organised Crime Agency in June 2011. They also ran a DDoS attack against the US Central Intelligence Agency at around the same time. It's hard to believe either of these actions had much of an effect on the agencies concerned beyond possibly slowing the delivery of emails, and even that's a bit improbable.

A greater concern ought to have been boasts by LulzSec that it had hacked into the websites of local chapters of InfraGard, a non-profit organisation affiliated with the FBI. These claims were supported by the leak of InfraGard member emails and a database of local users.

An attack on Senate.gov that reportedly led to the leak of internal data ought to have set off warnings as well.

Members of the wider Anonymous movement ran DDoS attacks as part of online protests against the WikiLeaks banking blockade against PayPal and Mastercard as part of OpPayback in late 2010.

Responses to DDoS attacks normally involve setting up mitigation technologies on a technical level while using law enforcement to identify and arrest the perpetrators. The GCHQ division seemingly decided to fight fire with fire by launching a packet flood at IRC servers used by Anonymous.

Security experts, such as Robert Graham of Errata Security, have slammed NBC for confusing Distributed Denial of Service attacks with Denial of Service attacks.

"Assuming the target was an IRC server in a colo, then it's trivially easy to DoS with a SYN-flood without affecting nearby machines," Graham writes.

The leaked (partially redacted) slides - put together for a presentation delivered by GCHQ in 2012 - do contain a page about Rolling Thunder headed "DDoS" (page 13 of 15) but Graham's explanation makes more sense from the technical point of view.

"The GCHQ doc admits doing "denial of service", but then later uses the DDoS acronym as a title," Graham said in a Twitter update.
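The distinction Graham draws between a single-source SYN flood and a distributed attack is one a defender can make from the server's own connection records. The following is an added example, not code from the article or from anyone quoted in it: a small classifier that looks at a burst of TCP SYN records for an IRC listener and labels it as normal traffic, a single-source DoS, or a distributed DDoS. The record format, the thresholds and the sample flows are all constructed for illustration; the port number 6667 is simply the conventional IRC port.

```python
# Added example: classify a burst of SYN records as no flood, single-source DoS,
# or distributed DDoS. The SynRecord shape, thresholds and samples are constructed
# assumptions for illustration, not a real sensor's format.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SynRecord:
    ts: float         # arrival time in seconds
    src: str          # source IP as seen by the listener
    dst: str          # the IRC server's own address
    dport: int        # destination port (6667 is the conventional IRC port)
    completed: bool   # True if the three-way handshake finished, False if half-open


def classify_syn_burst(records, window=1.0, syn_rate_threshold=200,
                       half_open_ratio=0.8, distributed_sources=20):
    """Return (verdict, stats) where verdict is 'no_flood', 'dos' or 'ddos'.

    A flood is declared when the peak SYN rate in any sliding window exceeds
    syn_rate_threshold AND most handshakes never complete (the signature of
    a SYN flood rather than a legitimate surge of clients). It is called
    distributed when many sources share the load with no single dominant one.
    """
    if not records:
        return "no_flood", {"syns": 0, "sources": 0,
                            "half_open_ratio": 0.0, "peak_syn_rate": 0.0}

    # Peak number of SYNs inside any window of `window` seconds (two pointers).
    times = sorted(r.ts for r in records)
    peak, j = 0, 0
    for i, t in enumerate(times):
        while times[j] < t - window:
            j += 1
        peak = max(peak, i - j + 1)
    peak_rate = peak / window

    half_open = sum(1 for r in records if not r.completed)
    ratio = half_open / len(records)

    sources = Counter(r.src for r in records)
    top_share = sources.most_common(1)[0][1] / len(records)

    stats = {"syns": len(records), "sources": len(sources),
             "half_open_ratio": round(ratio, 3), "peak_syn_rate": peak_rate}

    if peak_rate < syn_rate_threshold or ratio < half_open_ratio:
        return "no_flood", stats
    # Caveat: a single host spoofing source addresses also looks "distributed"
    # by this test; the source count is a hint, not proof of many machines.
    if len(sources) >= distributed_sources and top_share < 0.5:
        return "ddos", stats
    return "dos", stats


# Constructed sample traffic (not captured data).
SERVER = "203.0.113.10"


def sample_normal():
    """30 completed handshakes from 10 clients spread over ~9 seconds."""
    return [SynRecord(i * 0.3, f"192.0.2.{i % 10 + 1}", SERVER, 6667, True)
            for i in range(30)]


def sample_single_source():
    """500 half-open SYNs from one address inside a single second."""
    return [SynRecord(i * 0.002, "198.51.100.7", SERVER, 6667, False)
            for i in range(500)]


def sample_distributed():
    """500 half-open SYNs from 50 addresses inside a single second."""
    return [SynRecord(i * 0.002, f"198.51.100.{i % 50 + 1}", SERVER, 6667, False)
            for i in range(500)]


if __name__ == "__main__":
    for name, sample in (("normal", sample_normal()),
                         ("single-source", sample_single_source()),
                         ("distributed", sample_distributed())):
        verdict, stats = classify_syn_burst(sample)
        print(f"{name:14s} -> {verdict:8s} {stats}")
```

The half-open ratio is what separates a flood from a popular server: a real surge of users completes its handshakes. The source-count test only says whether the load arrives from many addresses, which is exactly why Graham's point stands, since one colo host can produce either pattern.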

Security advocates had already begun questioning the legality of GCHQ's ops against LulzSec and elements of Anonymous.

Spyblog tweeted:

Andrew Miller, chief operating officer at Corero Network Security, said that since some of the victims of LulzSec’s attacks included the CIA and SOCA, it is not altogether surprising that the hacktivists would themselves become a target.

"We have to remember that cyber-spooks within GCHQ are equally if not more skilled than many black hat hackers, and the tools and techniques they are going to use to fight cybercrime are surely going to be similar to that of the bad guys," Miller said. "Legally, we enter a very grey area here; where members of Lulzsec were arrested and incarcerated for carrying out DDoS attacks, but it seems that JTRIG are taking the same approach with impunity.”

Convicted LulzSec hacker Jake Davis (Topiary) has reacted with disbelief to reports of GCHQ's shenanigans. "I plead guilty to two counts of DDoS conspiracy and to my face these GCHQ bastards were doing the exact same thing," he said in an update to his personal DoubleJake Twitter account.

Security experts, more personally removed from the situation, have used the whole business as an opportunity to crack some funnies, as well as making more serious points questioning the thinking behind the operation.

"This is what happens when you staff your cyber ops group with ex-hackers," wrote thegrugq. "They go back to their old tricks, ddosing IRC channels and doxing."

"Remember how outrageous it was when China used their control over their citizen's Internet infrastructure to stifle dissent?" he later added. ®
