Snowden leak: GCHQ DDoSed chatrooms of Anonymous, LulzSec
British intelligence ran denial-of-service attacks against chatrooms used by Anonymous and LulzSec, according to an investigation by NBC News involving Snowden confidante Glenn Greenwald.
Documents leaked by the NSA whistleblower record how a GCHQ unit known as the Joint Threat Research Intelligence Group, or JTRIG, used a packet flood operation dubbed Rolling Thunder to “scare away 80 per cent of the users of Anonymous internet chat rooms,” NBC reports.
Intelligence agents also infiltrated chatrooms in an operation that successfully identified a hacktivist who siphoned off confidential data from PayPal and also picked up another who had participated in attacks on government websites.
The leaked slides from GCHQ boast that the operation allowed the authorities to identify Edward Pearson (aka GZero), 25, from York, who was convicted and sentenced to 26 months in prison for stealing information from 200,000 PayPal accounts. Pearson and his then girlfriend were both convicted of using stolen credit card details to pay for a hotel stay.
Details of how the g-men’s evidence against Pearson was put together were among two case studies included in the leaked GCHQ presentation. The other case cited is partially redacted.
The whole GCHQ counter-offensive operation took place in September 2011, around two or three months after malicious activities spearheaded by LulzSec and other hacktivists reached their zenith.
Hacktivists from LulzSec launched DDoS – as distinct from your common or garden denial-of-service attacks – on the website of the Serious and Organised Crime Agency in June 2011. They also ran a DDoS attack against the US Central Intelligence Agency at around the same time. It’s hard to believe either of these actions had much of an effect on the agencies concerned beyond possibly slowing the delivery of emails, and even that’s a bit improbable.
A greater concern ought to have been boasts by LulzSec that it had hacked into InfraGard chapters’ websites, a non-profit organisation affiliated with the FBI. These claims were supported by the leak of InfraGard member emails and a database of local users.
An attack on Senate.gov that reportedly led to the leaks of internal data ought to have also ought to have set off warnings.
Members of the wider Anonymous movement ran DDoS attacks as part of online protests against the WikiLeaks banking blockade against PayPal and Mastercard as part of OpPayback in late 2010.
Responses to DDoS attacks normally involve setting up mitigation technologies on a technical level while using law enforcement to identify and arrest the perpetrators. The GCHQ division seemingly decided to fight fire with fire by launching a packet flood at IRC servers used by Anonymous.
Security experts, such as Robert Graham of Errata Security, have slammed NBC by confusing Distributed Denial of Service attacks with Denial of Service attacks.
“Assuming the target was an IRC server in a colo, then it’s trivially easy to DoS with a SYN-flood without effecting nearby machines,” Graham writes.
The leaked (partially redacted) slides – put together for a presentation delivered by GCHQ in 2012 – do contain a page about Rolling Thunder headed “DDoS” (page 13 of 15) but Graham’s explanation makes more sense from the technical point of view.
“The GCHQ doc admits doing “denial of service”, but then later uses the DDoS acronym as a title,” Graham said in a Twitter update.
Security advocates had already begun questioned the legality of GCHQ’s ops against LulzSec and elements of Anonymous.
— Spy Blog (@spyblog) February 5, 2014
Andrew Miller, chief operating officer at Corero Network Security, said that since some of the victims of LulzSec’s attacks included the CIA and SOCA, it is not altogether surprising that the hacktivists would themselves become a target.
“We have to remember that cyber-spooks within GCHQ are equally if not more skilled than many black hat hackers, and the tools and techniques they are going to use to fight cybercrime are surely going to be similar to that of the bad guys,” Miller said. “Legally, we enter a very grey area here; where members of Lulzsec were arrested and incarcerated for carrying out DDoS attacks, but it seems that JTRIG are taking the same approach with impunity.”
Convicted LulzSec hacker Jake Davis (Topiary) has reacted with disbelief to reports of GCHQ’s shenanigans. “I plead guilty to two counts of DDoS conspiracy and to my face these GCHQ bastards were doing the exact same thing,” he said in an update to his personal DoubleJake Twitter account.
Security experts, more personally removed from the situation, have used the whole business as an opportunity to crack some funnies, as well as making more serious points questioning the thinking behind the operation.
“This is what happens when you staff your cyber ops group with ex-hackers,” wrote thegrugq. “They go back to their old tricks, ddosing IRC channels and doxing.”
“Remember how outrageous it was when China used their control over their citizen’s Internet infrastructure to stifle dissent?” he later added. ®