US-based security firm Imperva witnessed an attack by the hacktivist group Anonymous first-hand in 2011 and has published a 17-page analysis of what is believed to be the first end-to-end record of a full Anonymous attack.
The attack observed by Imperva lasted 25 days. Although Imperva did not name the target in its analysis, the New York Times reports that the Vatican was the focus of the attack.
So what did they learn?
Types of Anonymous Attacks
There are two types of attacks: reactive and proactive.
Reactive attacks come about when an event inspires Anonymous members to attack a target. An example of a reactive attack would be when Anonymous hacked into BART systems in August of 2011 after BART police blocked the use of cellphones in certain stations.
Proactive attacks are less common and come about only when Anonymous itself signals the intent to go after a target. It is difficult to judge how many proactive attacks occur, since an attack would only become public if it was carried out successfully.
The attack witnessed by Imperva was a proactive one.
Anonymous vs. The Vatican
The attack against the Vatican consisted of three phases:
- Recruiting and communications (Day 1-18) – Anonymous took to popular social media sites (Facebook, Twitter & YouTube) in order to generate support for the cause and recruit both skilled hackers and laypeople to participate in the attack.
- Reconnaissance and application attack (Day 19-22) – After carefully hiding their true identities and place of operation, the skilled hackers went to work and began probing the target site and its applications in search of vulnerabilities that could expose sensitive data. An assortment of “off-the-shelf” vulnerability assessment tools was used for this, including Havij, Acunetix and Nikto, which check for SQL Injection, XSS and Directory Traversal vulnerabilities.
- DDoS Attack (Day 24-25) – When the hackers were unable to find any vulnerabilities, they turned to the non-technical participants to help carry out a DDoS attack. Participants helped either by downloading attack software or by visiting a specially crafted website that carried out the DDoS attack for as long as the page was open in the browser.
As you can see, Anonymous attacks differ greatly from for-profit hacking: they don’t rely on malware or (spear) phishing techniques and rarely use bots. Nor are they shy about announcing their targets to the world via social media outlets, whereas for-profit hackers typically use hacker forums to discuss their targets and recruit participants.
Surviving an Anonymous Attack
Imperva advises any company that feels that they may be a target to:
- Monitor social media outlets for signs of an oncoming attack
- Make sure they have a strong application security program in place, consisting of web application firewalls, vulnerability assessments and code reviews to prevent a data breach. DDoS attacks are a last resort, so address application vulnerabilities first.
- Closely monitor alert messages to prepare for the next phase of an ongoing attack.
- Use IP reputation to thwart attacks during the reconnaissance phase.
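The reconnaissance phase described above, in which Havij, Acunetix and Nikto probe for SQL Injection, XSS and Directory Traversal, is also the phase where Imperva’s advice to watch alert messages and apply IP reputation pays off. As an added example (not code from Imperva or the report), the Python below classifies constructed web access-log lines by scanner User-Agent markers and coarse payload signatures, then aggregates findings per source IP as candidates for alerting and for an IP-reputation block list; the User-Agent substrings and the signatures are assumptions, not the tools’ documented fingerprints.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed combined-format access-log sample (RFC 5737 addresses, not real traffic);
# payloads are URL-encoded the way a web server would actually log them.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2012:13:55:36 +0000] "GET /news.php?id=1%27%20AND%201%3D1 HTTP/1.1" 200 512 "-" "Havij"
203.0.113.7 - - [10/Mar/2012:13:55:37 +0000] "GET /news.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 0 "-" "Havij"
198.51.100.4 - - [10/Mar/2012:13:56:01 +0000] "GET /cgi-bin/..%2F..%2Fetc/passwd HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Nikto/2.1.5)"
198.51.100.4 - - [10/Mar/2012:13:56:02 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0 (Nikto/2.1.5)"
192.0.2.9 - - [10/Mar/2012:13:57:10 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# User-Agent markers for the scanners the report names (assumed substrings, not authoritative).
SCANNER_UA_MARKERS = ("havij", "acunetix", "nikto")

# Coarse signatures for the three vulnerability classes those scanners probe for; they are
# matched against the URL-decoded path so that percent-encoded payloads are not missed.
SIGNATURES = {
    "sqli": re.compile(r"\bunion\s+select\b|'\s*(?:or|and)\b", re.I),
    "xss": re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I),
    "traversal": re.compile(r"\.\./|\.\.\\"),
}

def classify(line):
    """Return (ip, set_of_tags) for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    tags = set()
    if any(marker in m.group("ua").lower() for marker in SCANNER_UA_MARKERS):
        tags.add("scanner-ua")
    decoded = unquote(m.group("path"))
    for name, pattern in SIGNATURES.items():
        if pattern.search(decoded):
            tags.add(name)
    return m.group("ip"), tags

def analyze(log_text):
    """Per-source-IP findings: candidates for alerting and for an IP-reputation block list."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[1]:
            findings[result[0]] |= result[1]
    return dict(findings)
```

Running `analyze(SAMPLE_LOG)` flags the two probing addresses and leaves the benign request out, which is the kind of signal worth correlating with social-media chatter before the DDoS phase starts.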
Feel free to check out the report by Imperva, “The Anatomy of an Anonymous Attack” [PDF].