LulzSec

 

 


Chapter 1: What Is LulzSec?

LulzSec is a group of Web hackers who made themselves famous for their barrage of attacks and their sarcastic taunting of victims during the summer of 2011. Members of LulzSec, short for Lulz Security, committed many well-publicized online attacks in the span of several weeks. The successful attacks included publicizing hundreds of thousands of passwords and user names from customers of supposedly secure Web sites.

LulzSec's history is a short, busy one. The group's first known attack occurred in May 2011. By July 2011, 50 days after its first publicized hack, Lulz Security released a statement saying it would be disbanding. In between, LulzSec was in the news almost daily.

Lulz Security's members certainly were not the first hackers to take down a Web site or steal data. However, the group received quite a bit of publicity for its attacks because of the contemptuous messages left behind on the Web sites after the attacks.

The group also grew in fame for its brash nature in announcing the attacks through Twitter. By carrying out cyber-attacks on high-traffic Web sites, LulzSec grabbed additional headlines.

Lulz Security's mascot is a snooty millionaire who wears a monocle while holding a glass of wine. The black and white line drawing appeared on LulzSec's Twitter page and its Web page. The group often inserted the mascot into photos of various locations, which it then posted on sites that it hacked.

You can see the mascot at: www.en.wikipedia.org/wiki/File:Lulz_Security.svg

Considering its list of online attacks, it's no surprise that the Arizona Dept. of Public Safety listed Lulz Security as a cyber-terrorist group. The FBI and British law enforcement officials doggedly pursued LulzSec members. Various arrests have been linked to LulzSec associates, but it's unknown whether any of the arrests so far actually involve core Lulz Security group members.

LulzSec also seemed to attack the very community from which it originated. Notorious forum board 4chan (www.4chan.org/) and the 4chan community may have played a role in helping connect those in the LulzSec group. The group's name - lulz - comes from a phrase commonly used at 4chan.

Despite these ties, LulzSec later specifically attacked 4chan users, turning their computers into zombies and crashing gaming sites 4chan users frequent. Lulz Security's short history included many instances where group members fought with former allies and teamed up with former enemies.

Denial of service (DoS) attacks were among the most popular that LulzSec performed in the summer of 2011. In an act of boldness in mid-June, Lulz Security actually set up a telephone number that allowed people to make suggestions for sites it should hack with a DoS attack. The number had a 614 area code, making it appear to originate from Ohio. Someone called Pierre Dubois, who had a fake French accent, greeted callers, asking them to leave a message.

LulzSec claimed to make eight DoS attacks against targets suggested by callers: www.pcmag.com/article2/0,2817,2386959,00.asp.

Such brashness caused victims of the attack to seethe. Such brashness caused those watching from the outside to "LOL" at the group's antics … which was the group's goal all along.

Denial of service attacks involve overloading a Web site hosting server with more requests than it can handle. Usually, a hacker uses a group of computers he has secretly overtaken, turning them into “zombie computers” to create the flood of requests. To legitimate site visitors, the Web site suffering from a DoS attack will not load or will appear to load very slowly. Sometimes these attacks are called DDoS (distributed DoS).

To take over these computers, a hacker will upload a small piece of software to the host computer. The hacker then can take remote control of these computers at any time. Many times, a hacker will trick the victim into downloading the remote control software, usually through a fake Web site or through fake photo or video links.

You can learn more about DoS attacks here: nakedsecurity.sophos.com/2011/06/15/cia-website-down-hackers-lulzsec/.

An anti-virus program or firewall should prevent such software from working. Therefore, hackers will seek out computers with high-speed Internet connections and with weak anti-virus protection. High-speed Internet connections are desirable for a DoS attack because of the always-on connection.

After hackers put together a large number of these computers they can control remotely, the hackers are ready to make a DoS attack. This network of controlled computers is called a botnet. The fake requests from the botnet prevent many legitimate visitors from gaining access for the duration of the DoS attack.

LulzSec made specific use of 4chan user computers in carrying out its DoS attacks. According to a Lulz Security Twitter post, the group especially enjoyed hijacking the computers of 4chan users, specifically those on the /b/ (Random) board, turning the machines into a zombie computer botnet.

“The best part about making 50% of all /b/tards our bots is that they leave their daddy's laptops on 24/7, more bandwidth for us,” the Twitter post said. LulzSec members and 4chan members often use a term — /b/tards — to refer to those using the 4chan /b/ board.

Learn more about the term /b/tards at: www.urbandictionary.com/define.php?term=%2Fb%2Ftard.

On occasion, LulzSec did make political statements with its attacks. However, the primary political-themed attacks occurred as part of Operation Anti-Security (AntiSec), where LulzSec teamed up with hacker group Anonymous. Operation AntiSec ran from June 20-25, and it involved attacking government targets.

Mostly, though, LulzSec members just seemed to be having fun. LulzSec often taunted its victims as part of the attack. Through its Twitter site, LulzSec posted: “[We] release personal data so that equally evil people can entertain us with what they do with it. … You find it funny to watch havoc unfold, and we find it funny to cause it.”

The group never accepted blame for any misuse of such information, as shown here: http://arstechnica.com/tech-policy/news/2011/06/lulz-sony-hackers-deny

In the end, LulzSec released quite a bit of sensitive information and passwords collected during its attacks. Lulz Security's members claimed the fault rested with those entities with poor security that the group could exploit … while laughing the entire time.

Chapter 2: LulzSec's Motivations

Determining what motivated LulzSec to unleash its series of hacks in the summer of 2011 was a difficult process. Debate still continues on just how serious LulzSec's attacks were.

Part of the group's name is a play on an Internet acronym. The term Lulz is a phonetic spelling of the Internet term LOLs, which is short for laughing out loud. (en.wikipedia.org/wiki/LOL)

Multiple posts stating LOL might be made on an Internet message board or on Facebook. Most of the time, LOLs are used when an Internet prank is particularly successful. Because many of the LulzSec attacks had a humorous or prank-like slant, they might have generated many LOLs from the group's members and fans, hence the name.

The term Sec is short for security. Computing, network, and Internet security personnel often shorten security to sec in everyday conversations. However, the group does not always use sec. In fact, the group's Web site – www.lulzsecurity.com – spells out security in its entirety.

When you combine the two terms, you end up with LulzSec. The term could be read as laughing out loud at security. The group created a motto – Laughing at your security since 2011! – that continues this theme.

You can read more about the group's motto, and a famous attack against PBS, at: www.stuff.co.nz/entertainment/music/5079309/Hackers-claim-Tupac-alive-in-NZ.

By including the idea of laughing at victims in its name, some people labeled Lulz Security's members as pranksters. The group, at times, did not appear to be serious hackers bent on causing destruction and significant financial losses. Security personnel pointed at the group's unsophisticated methods of attack as another sign that its members were little more than pranksters posing as serious hackers.

The group's behavior at times seemed to strengthen this argument. Lulz Security has never listed one specific motivation for the attacks. In its various statements, LulzSec used humor, political statements, revenge against other hackers, calling attention to lax security, and support for WikiLeaks director Julian Assange as explanations for its motivation behind its attacks.

To learn more about Julian Assange, visit here: www.guardian.co.uk/media/julian-assange.

Lulz Security usually claimed credit for its attacks using Twitter, which isn't the most serious form of communication. Using Twitter added to the general feeling that the group was pulling pranks.

Visitors to the LulzSec Web site were greeted with the theme from the 1980s television show, The Love Boat. The group's Twitter site (twitter.com/#!/LulzSec) is called The Lulz Boat and states: “Lulz Security (LulzSec), the world's leaders in high-quality entertainment at your expense –”

The group's Web site encouraged visitors to make a donation to the group, which doesn't exactly portray a well-funded, serious, secret organization. The donation system seemed to work, though, as LulzSec often sent Twitter posts with funding updates.

The group announced through Twitter that it received a single $7,200 donation in early June. Lulz Security had nearly 400,000 Twitter followers at one time. (twitter.com/#!/LulzSec/followers)

By taking credit for its attacks with flair and humor, LulzSec seemed to encourage the idea that it was just playing pranks. This situation caused some people to not take the group's threats seriously. Although the group did nothing to downplay its humorous nature, it also claimed it had the ability to perform more serious attacks, if it so desired.

Even though Lulz Security is branded by law enforcement as a group that committed cyber-terrorism, some in the computer security industry don't agree. Some applauded LulzSec's ability to find and publicize holes in security protocols. The LulzSec attacks placed public attention onto the holes, forcing them to be fixed immediately.

You can learn more about how some security professionals felt about LulzSec at: www.dailymail.co.uk/sciencetech/article-2006118/Ryan-Cleary-charged-cyber-attack-CIA-LulzSec-takes-revenge.html.

Other security professionals appreciated the attention shone on the problem, but they would've preferred LulzSec's members used a different method of publicizing the security holes.

A month after its first attack, LulzSec released a document that discussed the motivation behind its attacks. This manifesto discussed how the members of the group enjoyed hacking because of the mayhem that resulted. Attacks occurred for fun, the manifesto said.

You can see the LulzSec manifesto at: www.pastebin.com/HZtH523f.

According to the manifesto, LulzSec claimed it was doing businesses a favor by revealing security flaws. If businesses didn't know about the flaws, hackers looking to do serious harm could exploit them instead. By revealing the group's methods of attack and results from the attacks, according to LulzSec's manifesto, the public could learn about vulnerable Web sites.


Chapter 3: LulzSec's Team Members

Even after several weeks of hacking and plenty of media attention, LulzSec's team members remain mysterious. Specific information about the group had been difficult to find. However, through its various Twitter and Web site posts, the group revealed some details about its makeup. Other hackers also have unveiled information about LulzSec.

Many of LulzSec's team members appear to have a connection to the hacking group Anonymous, which has its roots in 4chan. It appears some LulzSec members had a disagreement with some Anonymous members, causing a feud involving the two groups. However, they later teamed up in a series of hacks in late June.

You can read more about Anonymous' plans here: www.foxnews.com/scitech/2011/08/09/hacking-group-anonymous-plans-to-kill-facebook-on-nov-5/.

Whatever disagreement existed between LulzSec and Anonymous in the early days was never publicized by LulzSec members. However, after a hack against PBS in May, LulzSec claimed it was paid by Branndon Pike, 21, of Daytona Beach, Fla., to attack PBS. Pike denied the claim in an interview, saying LulzSec was striking back at him because he had hinted in a news interview that LulzSec and Anonymous were linked.

“I pissed 'em off,” Pike told FoxNews.com in an interview. You can read the full interview at: www.foxnews.com/scitech/2011/06/02/man-denies-paying-group-to-hack-pbsorg/.

This was a common theme in LulzSec's history — when someone or some entity “pissed them off,” they tended to strike back with a hack. In this case, though, Lulz Security never specified why it would be angry about being linked to Anonymous.

A couple of weeks later, LulzSec made a specific declaration that Anonymous and 4chan were two different entities. “To confirm, we are not going after Anonymous. 4chan isn't Anonymous to begin with, and /b/ is certainly not the whole of 4chan,” the group posted on Twitter June 17.

This declaration may have been a precursor to the plan that Anonymous and LulzSec were going to work together on a series of hacks, while allowing LulzSec to continue feuding with 4chan /b/ users.

As law enforcement officials are finding out, it's often difficult to pin down specific information about members of hacker groups. Such people can operate from anywhere in the world. People in such groups usually are loosely connected, likely never meeting in person. The use of aliases and multiple screen names adds to the confusion. Using a variety of sources, here's what's known about some of the members of LulzSec, based on their online screen names, beginning with the six primary members:

Sabu is the leader of Lulz Security, as well as a founder and a member of the core group of six. Sabu seemed to make the final decisions on which targets the group would attack, as well as the types of attacks that would occur. Some media sources say Sabu has been a member of Anonymous in the past. If so, Sabu likely participated in a famous Anonymous attack in February 2011 against HBGary, which is a technology security company with several U.S. federal government contracts. Because of the timing of some of Sabu's Twitter posts, he likely lives on the U.S. east coast.

Learn more about Sabu at: www.pcmag.com/slideshow/story/266414/who-is-lulzsec/1.

Topiary is another member of LulzSec who is a suspected past member of Anonymous and who likely handled that group's media relations responsibilities for a while. Topiary, who was a LulzSec founder and a member of the core group of six, apparently handled the Twitter releases for Lulz Security. On July 27, authorities in the United Kingdom arrested a man suspected to be Topiary. Interestingly, the last Twitter post from Lulz Security also occurred on July 27.

Learn more about Topiary at: www.pcmag.com/slideshow/story/266414/who-is-lulzsec/2.

Kayla, a founding member and a “core six” group member, sometimes uses the online screen name “lol,” according to pirated LulzSec chat logs. Kayla is suspected of being a member of Anonymous in the past. The LulzSec group often made use of a botnet provided by Kayla in its DoS attacks. Internet rumors say Kayla is a 16-year-old female … or a 20-something male pretending to be a 16-year-old female.

Learn more about Kayla at: www.pcmag.com/slideshow/story/266414/who-is-lulzsec/3.

T-flow apparently handled security for the group's lulzsecurity.com Web site. T-flow, who was a LulzSec founder and a member of the core six, is suspected of committing scams on PayPal. London police announced on July 19 that they had arrested a 16-year-old who used the online handle T-flow, which may be short for Timeflow.

Learn more about T-flow at: www.pcmag.com/slideshow/story/266414/who-is-lulzsec/4.

Avunit did not participate in the founding of the LulzSec group. However, Avunit quickly became one of the group's six primary core members. Avunit, who also is thought to have roots in Anonymous, left Lulz Security over a dispute regarding attacks against the FBI. In early June, LulzSec declared “Fuck the FBI Friday,” and Avunit appeared to leave the group because of this set of attacks, which led to an attack against a non-profit group associated with the FBI, InfraGard.

Pwnsauce, like Avunit, was not a founding member. Pwnsauce joined Lulz Security about the same time as Avunit, becoming one of the six core members. Little else is known about Pwnsauce.

Learn more about Avunit and Pwnsauce at: www.pcmag.com/slideshow/story/266414/who-is-lulzsec/5.

In addition to these six core members, there are many hackers affiliated with Lulzsec:

M_nerva, who sometimes uses the online handles trollpoll, cimx, rq42, and hann, isn't considered a member of the core group of six for LulzSec. In fact, M_nerva was ostracized by the group, after being suspected of leaking chat room logs to The Guardian. The group accused M_nerva of causing Ryan Cleary to be arrested, too. It's also likely M_nerva used the online handle Lorelai.

Learn more about Lorelai/M_nerva at: www.pcmag.com/slideshow/story/266414/who-is-lulzsec/6.

LulzSec's members responded to the leak by releasing records of M_nerva's personal information. As part of this information, LulzSec revealed that M_nerva had been part of the Fox.com Web site attack. LulzSec taunted M_nerva, ridiculing the hacker for begging LulzSec not to release information about M_nerva's role in attacks. “Remember this tweet, m_nerva, for I know you'll read it: Your cold jail cell will be haunted with our endless laughter,” the group posted on Twitter on June 21.

Ryan Cleary was never really considered a member of Lulz Security, according to a Twitter post by the group. However, the group did reveal that Ryan Cleary aided the group with communications through IRC (Internet Relay Chat) channels. “Clearly the UK police are so desperate to catch us that they've gone and arrested someone who is, at best, mildly associated with us. Lame,” the group posted on Twitter June 21.

It's possible that he never had time to become a full-fledged LulzSec member, because he was arrested June 20 by U.K. authorities for various computer-related crimes. LulzSec didn't show much sympathy for Cleary, preferring to taunt law enforcement officials. “Seems the glorious leader of LulzSec got arrested, it's all over now … wait … we're all still here! Which poor bastard did they take down?” the group posted on Twitter June 20.

Read LulzSec's full Twitter posts about Cleary's arrest at: www.bgr.com/2011/06/21/lulzsec-denies-reports-of-leaders-arrest/.

Storm, according to the leaked chat logs, likely participated in the HBGary hack. Storm isn't a member of the core group of six. The logs indicate Storm has been participating in attacks, specifically DoS attacks, for at least 10 years, with various hacking groups, probably including Anonymous.

Whirlpool participated in a Q&A online chat with BBC News June 24. Whirlpool said the group's goals changed during the 50 days of hacking, migrating away from hacking for laughs because “politically motivated ethical hacking is more fulfilling.” It's possible Whirlpool is another online handle for Sabu, as Whirlpool described himself as the “captain” of LulzSec.

Read Whirlpool's full chat at: www.bbc.co.uk/news/technology-13912836.

The Lulz Security group had some additional members, although they are not considered primary members. Such associates helped carry out some attacks or provided software. Some of the screen names for these other group associates include Devrandom, Foolish, Hsien, Io, Joepie91, Kl0ps, Neuron, Palladium, Recursion, and Virtual. It's also possible some of these screen names are secondary names for some of LulzSec's primary members.

Learn more about the other LulzSec members at: www.pcmag.com/slideshow/story/266414/who-is-lulzsec/7.

Chapter 4: Early LulzSec Attacks

Lulz Security announced itself to the world with an attack against the Fox television network's Web site, beginning around May 7, 2011. The group attacked Fox after a Fox News Channel report that called rapper Common “vile.” The group never mentioned Common in another Twitter post or media release, and the connection between the two is not clear. This is yet another instance where the group's motivations for attacks seemed to be random and to change on an almost daily basis.

At www.fox.com, the hackers obtained contact information from the more than 70,000 contestants on the reality show, X Factor. LulzSec released that contact information publicly. The group also hacked the LinkedIn profiles and passwords of several Fox employees. On its Twitter site, LulzSec taunted each Fox employee individually as it released the passwords and information.

Another famous attack, on May 30, involved infiltrating the Web site for the Public Broadcasting System (PBS) in the United States. LulzSec posted a fake news story on the site, claiming deceased rapper Tupac Shakur was actually alive in New Zealand.

See an archived image of the hacked PBS page at: http://www.techi.com/2011/05/pbs-hacked-posts-that-tupac-is-still-alive/.

The hacker group also grabbed personal data from those who had registered with the PBS Web site. LulzSec provided Forbes.com with some insight into the attack in an interview with Whirlpool.

See the full interview at: www.forbes.com/sites/parmyolson/2011/05/31/interview-with-pbs-hackers

In a Twitter post, LulzSec said the PBS attack was retaliation for an unflattering May 24, 2011, Frontline documentary on Bradley Manning, a U.S. military intelligence analyst who provided sensitive documents to WikiLeaks. The military arrested Manning May 26, 2010, for stealing the documents, and he remains in a medium-security prison at Fort Leavenworth, Kan.

One of Lulz Security's biggest attacks occurred in early June 2011, when the group hacked the Sony Pictures Entertainment Web site. Sony Pictures Entertainment is the company's motion picture and television production business. The LulzSec attack against Sony involved releasing some of the source code for Sony's internal networks.

LulzSec's attack was aimed at punishing Sony for its legal action taken against a hacker. The hacker had posted codes for bypassing digital rights management with the Sony PlayStation 3 gaming console. Sony had suffered more than a dozen attacks before the June attack, including a hack in April at the hands of Anonymous, a group with which a few LulzSec members had been affiliated in the past. After its June attack, Lulz Security posted on its Twitter site: “That's hackers 16, Sony 0. Your move!”

Learn more about the Sony attack at: www.physorg.com/news/2011-06-hackers-sony.html.

The LulzSec attack against Sony involved an SQL injection (SQLi) attack, which LulzSec used quite often. In this type of hack, the hacker types commands requesting data into user name and password fields, tricking the system into supplying the data, including lists of user names and passwords. Lulz Security said Sony had not encrypted any of the user names or password data.
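The difference between a login form that can be tricked this way and one that cannot is shown below as an added example (it is not code from Sony, LulzSec, or the original text). The table names, sample users, and PBKDF2 work factor are assumptions made for the illustration. The weak version pastes form input into the SQL text and stores passwords as typed; the hardened version binds input as a parameter and stores only a salted hash.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data for the illustration, not taken from any real site.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]
PBKDF2_ITERATIONS = 600_000  # assumed example work factor


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash so a stolen table does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    # Weak design: the password is stored exactly as the customer typed it.
    db.execute("CREATE TABLE users_plain (name TEXT PRIMARY KEY, password TEXT)")
    # Hardened design: only a per-user salt and the derived hash are stored.
    db.execute(
        "CREATE TABLE users_hashed (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    for name, password in SAMPLE_USERS:
        salt = os.urandom(16)
        db.execute("INSERT INTO users_plain VALUES (?, ?)", (name, password))
        db.execute(
            "INSERT INTO users_hashed VALUES (?, ?, ?)",
            (name, salt, hash_password(password, salt)),
        )
    return db


def login_vulnerable(db: sqlite3.Connection, name: str, password: str) -> list:
    """Weak form: form input becomes part of the SQL statement itself."""
    query = (
        "SELECT name FROM users_plain "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return [row[0] for row in db.execute(query)]


def login_hardened(db: sqlite3.Connection, name: str, password: str) -> list:
    """Hardened form: input is bound as data, then the hash is compared."""
    row = db.execute(
        "SELECT name, salt, pw_hash FROM users_hashed WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        return []
    matched_name, salt, stored = row
    # Constant-time comparison avoids leaking how many bytes matched.
    if hmac.compare_digest(hash_password(password, salt), stored):
        return [matched_name]
    return []


def demo() -> dict:
    db = build_db()
    # Constructed input whose quote character ends the string literal early,
    # so the rest of the field is read as SQL by the weak form.
    tainted = "' OR 1=1 --"
    return {
        "weak_form_rows": sorted(login_vulnerable(db, tainted, "x")),
        "hardened_form_rows": login_hardened(db, tainted, "x"),
        "hardened_real_login": login_hardened(db, "alice", "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

With the weak form, the tainted input returns every row in the table; with the hardened form it is treated as an unknown user name and returns nothing.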

Through its attack against Sony, LulzSec gained access to personal information for thousands of Sony customers. The hacker group grabbed e-mail addresses, home addresses, and birthdates, as well as 75,000 music redemption codes. LulzSec claimed to have accessed 1 million accounts, but it could not download all of the data because of a lack of resources. Sony claimed the number of hacked accounts was closer to 37,500.

By contrast, LulzSec also hacked into a server from game manufacturer Nintendo. However, Lulz Security did not take any data. Instead, LulzSec members just posted notification of the hack on their Twitter feed, saying they “like the N64” from Nintendo and “didn't mean any harm.”

Read more about the Nintendo attack here: www.thetechherald.com/article.php/201123/7235/Nintendo-addresses-LulzSec-server-breach

On June 3, LulzSec struck the InfraGard Atlanta Web site. InfraGard, which is affiliated with the FBI, is a non-profit company. Lulz Security said its attack against InfraGard was retaliation for initiatives taken by the U.S. federal government against hackers and for its calling hacking an act of war. This attack was part of LulzSec's “Fuck the FBI Friday” announcement on Twitter.

The motivation behind another of Lulz Security's early June attacks is easy to define: They asked for it. A network security company, Black & Berg Cybersecurity Consulting, taunted hackers with a project called Cybersecurity for the 21st Century, Hacking Challenge. Black & Berg challenged any hacker to infiltrate its Web site and change the company logo, offering a $10,000 prize.

Black & Berg was later accused of being a fraudulent company, as shown at: www.cyberwarzone.com/cyberwarfare/black-and-berg-cybersecurity-llc-fraud?page=3.

In addition, Black & Berg made things personal with LulzSec. Black & Berg sent a Twitter message to LulzSec, including the phrase: “Your hacking = clients for us.” The personal challenge only made it easier for LulzSec to select a target.

Lulz Security hacked the Black & Berg Web site on June 8. The hacking group declined the $10,000 prize, though. LulzSec changed the Black & Berg home page, adding a message, “DONE, THAT WAS EASY, KEEP THE MONEY, WE DO IT FOR THE LULZ.”

You can see a cached version of the defaced Web site at: www.webcitation.org/5zI5xWAm8

Lulz Security's members changed tactics again June 9. The group notified the British National Health Service of a security hole. However, LulzSec said it did not plan to exploit the hole. Instead, it wanted to just let the service fix the problem.

The next day, Lulz Security hacked as many as 55 pornographic Web sites, primarily pron.com, stealing e-mail addresses and passwords. LulzSec then publicized those addresses and passwords, asking people to try those combinations at other Web sites.

One of the hacking group's consistent ploys was to ridicule those who use the same user names and passwords at multiple Web sites. The group also embarrassed government officials again by emphasizing that many of the e-mail addresses they accessed had .gov and .mil extensions, indicating government employees were using official e-mail addresses to log into pornographic Web sites.


Chapter 5: LulzSec's Attacks Increase

On June 13, the group reverted to its hacks aimed specifically against the U.S. government. The LulzSec group released e-mail addresses and passwords of people who had registered with the Senate.gov Web site. As part of the hack, LulzSec sarcastically asked on Twitter whether its actions represented an “act of war.”

Another LulzSec hack took place June 13. The group accessed a reported 200,000 accounts at Bethesda Game Studios. However, in a change from its normal mode of operation, Lulz Security did not publicize the e-mail addresses and passwords it stole. Instead, the hacking group used a Twitter message to tell Bethesda that it had hacked the site several weeks earlier, and that the security holes still existed.

Lulz Security followed that attack with a June 14 hack it called “Titanic Takedown Tuesday,” where it attacked several multi-player online gaming sites. The attacked sites included: EVE Online, League of Legends, and Minecraft. Other hacked sites included gaming magazine The Escapist and IT security company Finfisher. LulzSec used denial of service attacks to prevent visitors from logging into the sites.

Learn more about the Tuesday attacks at: http://arstechnica.com/tech-policy/news/2011/06/titanic-takeover-tuesday-lulzsecs

The reasoning behind these DoS attacks had its roots in LulzSec's feud with some 4chan users, many of whom use the online gaming sites. Those who frequented the 4chan Web site often are fans of the Anonymous hacking group, which fuels speculation that Anonymous and LulzSec were feuding.

“Civil wars” among 4chan users are fairly common. These DoS attacks sparked a firestorm on the 4chan /b/ board (boards.4chan.org/b/), causing many posters to demand that LulzSec be stopped and that the members' identities be revealed.

LulzSec followed Titanic Takedown Tuesday with two more DoS attacks the following day (June 15). The hackers struck the Heroes of Newerth gaming Web site. A graffiti message on the site claimed that Defense of the Ancients is a better game.

The group also took down the CIA's public website (www.cia.gov) for about two hours using DoS methods. LulzSec announced the attack on its Twitter site: “Tango down – cia.gov – for the lulz.” Some of the spotty performance of the CIA Web site could have been attributed to a flood of people checking the site after LulzSec announced the hack on Twitter.

Read more about the CIA hack at: www.independent.co.uk/news/world/americas/who-are-the-group-behind-this-weeks-cia-hack-2298430.html.

The hacker group was back to releasing e-mail addresses and passwords on June 16. Lulz Security posted information from more than 60,000 accounts onto the file-hosting Web site, MediaFire. However, LulzSec slightly twisted its mode of operation.

This time, LulzSec didn't tell people which Web sites it hacked. Instead, the hacker group encouraged anyone who saw the information to try it at random Web sites, trying to gain access. Some Facebook accounts and Amazon.com accounts were then accessed, using the information.

One of LulzSec's Twitter followers claimed to have hacked an “old lady's” Amazon account, ordering a large pack of condoms to be delivered to her. The Web site Writerspace.com later admitted that the information had come from its users' accounts.

Read more about the Writerspace.com hack here: www.theinquirer.net/inquirer/news/2079740/passwords-leaked-lulzsec-writerspace.
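When a list of e-mail addresses and passwords from one site is tried at other sites, as happened after the June 16 release, the receiving site sees one source attempting many different accounts with mostly failed logins. The following added example (not part of the original text) shows how a site operator could spot that pattern in its own login records and list the accounts that need a forced password reset. The log format, addresses, and thresholds are assumptions, and the log lines are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log. Assumed format: time, source IP, account, result.
SAMPLE_LOG = """\
2011-06-16T12:00:01 203.0.113.7 ann@example.com FAIL
2011-06-16T12:00:03 203.0.113.7 ben@example.com FAIL
2011-06-16T12:00:05 203.0.113.7 cat@example.com FAIL
2011-06-16T12:00:07 203.0.113.7 dan@example.com FAIL
2011-06-16T12:00:09 203.0.113.7 eve@example.com FAIL
2011-06-16T12:00:11 203.0.113.7 fay@example.com OK
2011-06-16T12:01:00 198.51.100.20 bob@example.com FAIL
2011-06-16T12:01:20 198.51.100.20 bob@example.com FAIL
2011-06-16T12:01:45 198.51.100.20 bob@example.com OK
"""


def parse_line(line: str):
    """Split one log line into (timestamp, source, account, success flag)."""
    ts, source, account, result = line.split()
    return datetime.fromisoformat(ts), source, account, result == "OK"


def find_credential_stuffing(
    log_text: str,
    window: timedelta = timedelta(minutes=5),
    min_accounts: int = 5,
    min_fail_ratio: float = 0.8,
) -> dict:
    """Flag sources that try many distinct accounts, mostly failing, in a window.

    Returns {source: {"accounts_tried": set, "accounts_opened": set}}.
    A forgetful user retrying one account is not flagged, because the test
    is on the number of distinct accounts, not the number of failures.
    """
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, source, account, ok = parse_line(line)
            by_source[source].append((ts, account, ok))

    findings = {}
    for source, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            accounts = {account for _, account, _ in chunk}
            failures = sum(1 for _, _, ok in chunk if not ok)
            if len(accounts) >= min_accounts and failures / len(chunk) >= min_fail_ratio:
                hit = findings.setdefault(
                    source, {"accounts_tried": set(), "accounts_opened": set()}
                )
                hit["accounts_tried"] |= accounts
                # A success inside the burst means a reused password worked.
                hit["accounts_opened"] |= {a for _, a, ok in chunk if ok}
    return findings


if __name__ == "__main__":
    for source, hit in find_credential_stuffing(SAMPLE_LOG).items():
        print(source, "tried", len(hit["accounts_tried"]), "accounts;",
              "reset needed for", sorted(hit["accounts_opened"]))
```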

Lulz Security didn't limit its cyber-attacks to Web sites. For example, the group used an attack style similar to DoS with customer service telephone calls. This attack overwhelmed the telephone systems, leaving the entities unable to communicate with customers. These telephone attacks included strikes against the FBI in Detroit and World of Warcraft.

One attack that did not take place became almost as well known as some of the attacks that did occur. In a public war of words with Unveillance CEO Karim Hijazi, both sides accused the other of blackmail. Hijazi accused LulzSec of demanding money from his security company in exchange for protection from attack. Lulz Security's side of the story claimed Hijazi offered to pay the group to attack his business rivals' Web sites.

Read about Hijazi's side of the story at: www.unveillance.com/latest-news/unveillance-official-statement/.

Some attacks attributed to LulzSec were denied by the group, too. An online claim that LulzSec had hacked the U.K. Office for National Statistics and had stolen census data was false.

Learn more about the fake census hack at: www.guardian.co.uk/technology/2011/jun/22/lulzsec-census-hacking-claims-a-hoax.

It appears LulzSec inspired some copycat attacks in Canada and Brazil. A group called LulzRaft began committing similar types of Web site attacks against Canadian entities in the summer of 2011. For example, one of LulzRaft's first attacks involved posting a false story claiming Canadian Prime Minister Stephen Harper had been hospitalized after choking on a hash brown potato. A Brazilian hacker group broke into a couple of Brazilian government sites, and some media reports refer to this group as LulzSecBrazil.

Chapter 6: Operation AntiSec

Operation AntiSec, short for Operation Anti-Security, represented LulzSec's most ambitious set of attacks in its short lifespan.

Operation AntiSec, sometimes called #AntiSec, involved a set of politically motivated attacks against law enforcement entities, military units, and governments. LulzSec formulated these attacks as a protest against government laws that restrict free speech and that enforce tight copyright laws on the Internet.

You can see the AntiSec statement at: www.content.usatoday.com/lulzsec-anonymous-declare-war.

For AntiSec, Lulz Security teamed up with Anonymous. The group Anonymous, originating in 2003, uses the Internet to spark civil unrest and organize protests. In the past few years, Anonymous began participating in hacktivism, which is the use of computing networks and hacking as a way to promote political points of view.

Operation AntiSec ran from June 20 through June 25. Anonymous and LulzSec encouraged their supporters to perform a variety of hacks against government entities as part of the operation. In turn, the hackers were asked to post “AntiSec” onto the Web sites to provide evidence of the hack.

On its Twitter account, LulzSec announced the project. “Welcome to Operation Anti-Security (#AntiSec) – we encourage any vessel, large or small, to open fire on any government or agency that crosses their path. … We encourage you to spread the word of AntiSec far and wide, for it will be remembered.”

Operation Anti-Security began with an attack against a U.K. law enforcement organization on June 20. The Web site for SOCA (Serious Organized Crime Agency) had spotty performance during the day, before SOCA took the site down itself to limit the impact of the hack. The attack appeared to be a DoS attack. Additional denial of service attacks on the first day included those against Web sites for the Brazilian government and a district government office in China.

Read more about the SOCA hack at: www.zdnet.co.uk/blogs/communication-breakdown-10000030/lulzsec-claims-soca-site-takedown-10022772/.

A June 23 attack as part of AntiSec involved the Arizona Dept. of Public Safety. LulzSec released several documents as a result of the attack. The LulzSec releases included e-mail addresses, passwords, and documents that the Arizona Dept. of Public Safety had marked as sensitive.

LulzSec titled the release with a derogatory slogan aimed at the U.S. Customs and Border Protection service. The Spanish slogan roughly translates to “fuck the border police.” The hacker group stated the attack was a protest against the Arizona law requiring aliens to carry their federal registration documents with them at all times. Some critics have said the law encourages racial profiling among law enforcement officials.

Read more about the Arizona hack here: www.theatlanticwire.com/technology/2011/06/lulzsec-attacks-border-patrol

Operation AntiSec concluded on June 25 with LulzSec's release of a collection of data hacks. The data came from a variety of sources. Lulz Security announced the June 25 release would be its last act as part of AntiSec.

The releases included internal data from AT&T, regarding the upcoming release of its 4G LTE technology, which is a new wireless broadband network.

Learn more about the AT&T hack at: www.cultofmac.com/102588/lulzsec-hack-proves-att-is-testing-ipads-on-their-4g-lte-network/.

Additionally, LulzSec unveiled personal data from almost 100,000 cell phones used by IBM employees. Passwords and e-mail addresses from a variety of Web sites, including Battlefield Heroes and hackforums.net were part of the release.

Other information in the June 25 data release came from military sites. LulzSec released personal data from customers at the online bookshop for NATO. Another document featured a screen shot from the U.S. Navy Web site (www.navy.mil/swf/index.asp), showing a defaced Web site.

Additionally, some of the work associated with AntiSec involved physical attacks. For example, taggers struck public areas in San Diego. The taggers vandalized property with graffiti phrases including “AntiSec.”

Chapter 7: 50 Days Of Lulz

After Operation AntiSec, the group released a statement on June 26, essentially telling the world the group was disbanding after 50 days of hacking. The statement, titled “50 days of lulz,” came as quite a surprise. Most security professionals did not expect the group to disband so suddenly.

The announcement was also a surprise because it came on the heels of a successful set of hacks during Operation AntiSec. On the group's Twitter account, it posted a statement, which included: “… [I]t's time to say bon voyage. Our planned 50-day cruise has expired. … Lulz Security – our crew of six wishes you a happy 2011.” Just like that, LulzSec's 50 days of chaos were completed.

The statement revealed a few details about Lulz Security, including that the group consisted of six members. The “50 days of lulz” statement claimed that it would be the final release from the group. The statement appeared to be authentic, because it included many passwords and account names that had been hacked but not previously publicized.

You can see the statement at: www.businessinsider.com/lulzsec-finished-2011-6.

However, less than a month later, the group contradicted the statement. LulzSec claimed responsibility for the attack against the News Corp. newspaper Web sites. The attack included Web sites for British newspapers, The Sun and The Times.

During this highly publicized attack on July 18, LulzSec posted false news articles claiming News Corp. founder Rupert Murdoch had died of an overdose of palladium. Lulz Security redirected The Sun Web site to The Times Web site, where the fake articles appeared. Later, The Sun Web site was redirected again, this time to the Twitter feed of the LulzSec group.

The hacked news article and page can be seen at: www.webcitation.org/60HLGySde.

Eventually, News Corp. issued a statement on its Web site concerning the attacks. LulzSec attacked the page with the statement, too, again redirecting that page to the hacker group's Twitter page. News Corp. responded by taking both Web sites completely offline.

Lulz Security performed the attack against News Corp. to protest the role the corporation had in a phone hacking scandal. The scandal involved some British tabloid newspapers that used phone hacking in an attempt to create and find stories. When the scandal was publicized early in July, a public outcry occurred against Murdoch and News Corp. Both The Sun and The Times are part of the News Corp. conglomerate.

Learn more about the News Corp. phone hacking scandal at: theweek.com/article/index/217378/rupert-murdochs-phone-hacking-scandal-a-timeline.

After the FBI released a statement July 20 saying hacking Web sites was unacceptable, and it would find and prosecute anyone who hacks Web sites, LulzSec reanimated its Twitter site the following day to respond. “Let us tell you what we find unacceptable,” the Twitter post said. LulzSec then listed several issues it was trying to fight through its hacking, including governments lying to citizens and corporations pushing profits with the help of corrupt governments.

Chapter 8: Hackers Against LulzSec

Although Lulz Security received plenty of publicity, the hacking community's response was mixed. Some hackers admired the group's activities, spawning some copycat attacks for which LulzSec later denied involvement. Other hackers actively worked against LulzSec.

Because many of LulzSec's attacks looked and felt like pranks, it's tough to label the type of hacking the group used. With LulzSec often operating in a “gray” area, the group alienated some hackers, who wanted the group to promote a different agenda. Other hackers didn't appreciate the group publicizing security holes without taking advantage financially.

Inside the hacking community, a white hat hacker usually refers to someone who privately alerts a business or entity to security problems, hoping to help them fix the problems before someone can exploit them.

A black hat hacker, meanwhile, looks to exploit all security holes for personal gain, never notifying a business or entity about the problem. Essentially, a black hat hacker is a computer criminal.

Learn more about hacking at: en.wikipedia.org/wiki/Hacker_(computer_security).

Some hackers, however, fall into the area between those labels. You can think of such hackers as gray hat hackers. They typically aren't looking to cause damage or profit personally from the hacks. Gray hat hackers sometimes exploit the security holes just for the thrill of hacking, sometimes committing crimes in the process.

However, the gray hat hackers also aren't necessarily going to notify the businesses or entities about the problems quietly. In fact, they're more likely to announce security holes on hacker Web sites, or even publicly. Such announcements allow others to attempt to exploit the security holes. At the same time, tech security personnel can then try to prevent the hacking, as, oftentimes, they only discover the security holes after the announcements appear on the Web sites.

Because LulzSec did not steal data for financial gain or commit serious criminal acts, the group doesn't really fit into the black hat hacker designation. On the other hand, during some of its statements, the Lulz Security group mocked white hat hackers. That leaves LulzSec inside the gray hat criteria. In an online chat with BBC News, however, a LulzSec member said the group fits under all three descriptions. (www.bbc.co.uk/news/technology-13912836)

LulzSec also fits into the definition of hacktivism. The term hacktivism is a combination of hacker and activism. Hacktivism is the use of computing networks to emphasize and promote a political agenda, generally used by non-traditional activists.

One group labeled as a rival hacking group to Lulz Security is called TeaMp0isoN. This group decided to work against Lulz Security because it did not respect LulzSec's hacking choices. In an interview, TeaMp0isoN members said their opposition to LulzSec results from the poor hacking skills of the group.

See more about the “team poison” response here: www.foxnews.com/scitech/2011/06/23/hacker-vs-hacker-group-races-police-to-expose-lulzsec/

To counteract LulzSec, TeaMp0isoN publicly released the actual name and personal information of Joepie91 in June. TeaMp0isoN accused Joepie91 – real name, Sven Slootweg – of being a Lulz Security member, although not a member of the core group of six, and hacked Slootweg's personal Web site. Slootweg denied the accusation: “I am not a member of LulzSec.” TeaMp0isoN threatened to release the name of every Lulz Security member, although that did not happen.

The Jester, a well-known hacker, released a statement in June, pledging to expose members of Lulz Security. The Jester called LulzSec's hacks “childish” in a statement. The Jester claimed to have identified the leader of LulzSec – Sabu – as an IT professional in New York City with the actual first name of Xavier, but law enforcement authorities there have not announced any arrest. Another individual hacker, TriCk, also vowed to work to identify the group members.

Read more about The Jester and TriCk at: www.guardian.co.uk/technology/2011/jun/24/lulzsec-members-and-enemies.

As mentioned earlier, one of LulzSec's own members apparently worked against the group. M_nerva released records from online chats among the members to The Guardian Web site on June 24. Some of the chats revealed key information about the group.

June 24 was not a good day for LulzSec, as its Web and Twitter accounts also may have been hacked that day. A hacker with an online name of On3iroi claimed to have taken down LulzSec's Web site and Twitter pages for a short time. On3iroi called his attack Operation Supernova, but LulzSec's digital properties were restored relatively quickly.

Learn more about On3iroi's attack at: https://on3iroi.wordpress.com/2011/06/23/21/.

Two new hacking groups appeared in June to counteract Lulz Security. The separate groups, called Team Web Ninjas and the A-Team, both claimed to have information on numerous LulzSec members and to have provided the information to law enforcement.

The claims were not verified, though. Team Web Ninjas stated it disagreed with LulzSec's release of personal information from average Internet users as part of its hacks. Another existing hacker group, Th3j35t3r, also has worked against LulzSec.

Ultimately, the various efforts from rival hackers likely contributed to LulzSec's decision to disband. As more hackers spoke out against the group and with more threats to release information, Lulz Security members may have decided to halt their activities before they could be caught. However, LulzSec has never stated fear of being caught as a specific reason for its disbandment.

Chapter 9: The LulzSec Arrests

Law enforcement officials have had some frustration in trying to nail down members of Lulz Security. The nature of these types of hacker groups – loosely connected people operating anywhere in the world – has complicated things for law enforcement.

Specifically with LulzSec, the eccentric nature of the group and the seemingly random list of targets has made it difficult to track down group members. However, law enforcement has made some arrests of hackers it suspects have worked with LulzSec or who may be core group members.

The first arrest of anyone thought to be associated with LulzSec occurred June 20. Police officials announced an arrest in Wickford, Essex, England of a 19-year-old man, Ryan Cleary.

The English police worked together with the American FBI in Cleary's arrest, as shown at: www.guardian.co.uk/technology/2011/jun/22/ryan-cleary-charged-lulzsec-hacking.

He was arrested on suspicion of computer fraud. Cleary eventually was charged under the British Computer Misuse Act. He received five counts of computer hacking.

Although Cleary was suspected of being a primary LulzSec member at the time of the arrest, such an association hasn't yet been proven by law enforcement officials. In a Twitter post, LulzSec has denied Cleary's direct involvement with the group. However, the group did say Cleary hosted an IRC channel for Lulz Security on his server.

For more about what LulzSec had to say about Cleary, see: latimesblogs.latimes.com/technology/2011/06/lulzsec-outs-snitches.html.

British police admitted to questioning Cleary regarding a LulzSec attack against the U.K. Serious Organized Crime Agency. After questioning, Cleary was released on bail and into his mother's custody. Cleary was diagnosed with Asperger syndrome after his arrest.

Another crack in the Lulz Security secrecy came about June 24 when The Guardian newspaper Web site (guardian.co.uk) revealed some information about the group. The Guardian unveiled a record of a Web chat between group members. The chat showed some of LulzSec's affiliations and member screen names, including the leader, Sabu. The chats showed that Sabu held a lot of power over the other members and played a large role in organizing and selecting the attack targets.

In addition, the chats indicated that LulzSec had an affiliation with Anonymous beyond Operation AntiSec. However, in some statements LulzSec has said it was not affiliated with Anonymous. It's difficult to pin down the exact connection between the two groups, although it's certain that some members of LulzSec were members of Anonymous in the past.

You can see the full chat transcripts at: www.guardian.co.uk/technology/2011/jun/24/inside-lulzsec-chatroom-logs-hackers.

The FBI conducted a few raids in the United States in late June. Because of the timing of the raids, some media reports linked the raids with LulzSec's attacks. However, the FBI has made no arrests in connection with those raids.

A publicized FBI raid took place in Iowa against Laurelai Bailey. According to a media report, Bailey told the FBI she had chatted with LulzSec members. She was not arrested, although she said the FBI asked her to consider trying to infiltrate the organization.

“I told them these people hate me … it wouldn't do any good,” Bailey said in an interview, because she had leaked the logs of the chats to The Guardian. (gawker.com/laurlai-bailey/) It's possible Bailey used the online handles Lorelai and M_nerva.

In addition, the FBI raided buildings in Reston, Va., and Hamilton, Ohio. The FBI has not commented on either raid. Search warrants in both cases have been sealed.

Law enforcement work against potential Lulz Security targets was quiet until late July. At that point, officers in England and the United States became active again. Officers arrested a few more hackers, some of whom have LulzSec connections.

The FBI made an arrest of Scott Arciszewski at the University of Central Florida in Orlando on July 19. Arciszewski, 21, is suspected of infiltrating the InfraGard Web site, uploading files that caused security holes. He then allegedly informed Lulz Security of the vulnerabilities, allowing the group to hack the site on June 4.

Read more about Arciszewski's arrest at: articles.orlandosentinel.com/2011-07-20/news/os-fbi-ucf-police-cyber-investigation20110719_1_fbi-agents-ucf-student-fbi-program

Another FBI arrest occurred on the same day in Las Cruces, N.M. The FBI accused 21-year-old Lance Moore of stealing documents from AT&T. Those documents appeared in LulzSec's June 25 release of a large amount of hacked information associated with the end of Operation AntiSec.

Read more about Moore's arrest at: articles.latimes.com/2011/jul/20/business/la-fi-hacker-arrests-20110720

The London Metropolitan Police in England also made an arrest on July 19. At the time of the arrest, police said the 16-year-old was named T-flow, a member of LulzSec. Police charged the 16-year-old with violating the Computer Misuse Act in the United Kingdom. Ultimately, authorities around the world made more than a dozen hacker-related arrests on July 19. However, LulzSec quickly answered the arrests by issuing a statement saying none of its six core members had been arrested.

See more about the arrests at: http://www.zeropaid.com/news/94593/high-ranking-lulzsec-members-arrest

Arrests on computer hacking charges also occurred in the Netherlands on July 19. These arrests were related to a LulzSec-inspired group called AntiSec NL. Dutch authorities arrested four males, ranging in age from 17 to 35. The four used the screen names Calimero, DutchD3V1L, Time, and Ziaolin.

A little over a week later, a special unit of the London Metropolitan Police made an arrest. Jake Davis, 18, was arrested in the Shetland Islands of Great Britain. Davis was accused of being Lulz Security member Topiary.

Read more about Davis' arrest at: pulse2.com/2011/08/01/british-police-arrest-jake-davis-of-hacker-group-lulzsec/

Police charged Davis with a variety of computer hacking-related crimes. Officers also confiscated a laptop computer from Davis that ran a botnet of 16 virtual machines. Davis' lawyer has said he is not a skilled enough hacker to be a LulzSec member. Davis was released on bail into the custody of his parents.

Another month later, more arrests associated with LulzSec occurred. In early September, Scotland Yard made two arrests. Officials arrested two males, 20 and 24 years old, who police said were linked to Lulz Security member Kayla.

The FBI followed with an arrest on Sept. 22 in Phoenix, Ariz., associated with the Sony Pictures hack. Cody Kretsinger, 23, was accused of helping LulzSec carry out its attack against Sony, while using the screen name recursion. Kretsinger was released on his own recognizance.

Learn more about Kretsinger's arrest here: www.computerweekly.com/FBI-arrests-Lulzsec-hacker

After the attack against the Arizona Dept. of Public Safety by LulzSec, Arizona's Counter Terrorism Information Center began an investigation. The center listed Lulz Security as a cyber-terrorist organization. Although LulzSec has since disbanded, the Arizona Counter Terrorism Information Center vows that its investigation will continue and LulzSec members will be pursued.

Whether the members will actually be caught – or already have been caught – is another story. LulzSec has been quiet for quite a while, but a restart for the group isn't out of the question, as shown by the July attacks against News Corp. LulzSec's version of anarchy in the 21st century remains dormant … for now.

Additional Reading

Ars Technica: Lulz? Sony hackers deny responsibility for misuse of leaked data
http://arstechnica.com/tech-policy/news/2011/06/lulz-sony-hackers-deny-responsibility-for-misuse-of-leaked-data.ars

BBC News: BBC Newsnight online "chat" with Lulz Security hacking group
http://www.bbc.co.uk/news/technology-13912836

Business Insider: Notorious Hacker Group LulzSec Just Announced That It's Finished
http://www.businessinsider.com/lulzsec-finished-2011-6

Forbes: Hacker Arrests May Have Included Core Member Of LulzSec
http://www.forbes.com/sites/andygreenberg/2011/07/19/hacker-arrests-may-have-included-core-member-of-lulzsec/

Forbes: Interview With PBS Hackers: We Did It For "Lulz And Justice"
http://www.forbes.com/sites/parmyolson/2011/05/31/interview-with-pbs-hackers-we-did-it-for-lulz-and-justice/

Fox News: Exclusive: Rival Hacker Group Racing Police to Expose LulzSec
http://www.foxnews.com/scitech/2011/06/23/hacker-vs-hacker-group-races-police-to-expose-lulzsec/

Fox News: Group Claims It Was "Paid to Hack PBS," Then Leaks a Million Sony User IDs
http://www.foxnews.com/scitech/2011/06/02/man-denies-paying-group-to-hack-pbsorg/

The Guardian: Inside LulzSec: Chatroom logs shine a light on the secretive hackers
http://www.guardian.co.uk/technology/2011/jun/24/inside-lulzsec-chatroom-logs-hackers

The Guardian: LulzSec: the members and the enemies
http://www.guardian.co.uk/technology/2011/jun/24/lulzsec-members-and-enemies

The Guardian: Teenager Ryan Cleary charged over LulzSec hacking
http://www.guardian.co.uk/technology/2011/jun/22/ryan-cleary-charged-lulzsec-hacking

The Independent: Who are the group behind this week's CIA hack?
http://www.independent.co.uk/news/world/americas/who-are-the-group-behind-this-weeks-cia-hack-2298430.html

Linear Fix: Why LulzSec Hacks: A Timeline of Major Hacks
http://linearfix.wordpress.com/2011/06/15/why-lulzsec-hacks-a-timeline-of-major-hacks/

Los Angeles Times: LulzSec says it's outing two who may have led to arrest of an alleged hacker
http://latimesblogs.latimes.com/technology/2011/06/lulzsec-outs-snitches.html

Pastebin: LulzSec Manifesto
http://pastebin.com/HZtH523f

PC Magazine: LulzSec Call-In Line Taking Hacking Requests
http://www.pcmag.com/article2/0,2817,2386959,00.asp#fbid=W7uF8mpFMvv

PC Magazine: Who Is LulzSec?
http://www.pcmag.com/slideshow/story/266414/Who-Is-LulzSec

PC World: Lulz Boat Hacks Sony's Harbor: FAQ
http://www.pcworld.com/article/229316/lulz_boat_hacks_sonys_harbor_faq.html

USA Today: LulzSec, Anonymous declare war against governments, corporations
http://content.usatoday.com/communities/technologylive/post/2011/06/lulzsec-anonymous-declare-war-against-governments-corporations/1

Web Citation: LulzSec Hack, "Media moguls body discovered"
http://www.webcitation.org/60HLGySde