Anonymous Continues FBI Attacks

Anonymous’ latest attack on the FBI has apparently hit security contractor ManTech International

As promised, Anonymous has sought to embarrass the FBI with a network attack, this time going after defense contractor ManTech International.

“Hacktivist” collective Anonymous claims to have “owned” the defense contractor ManTech International and promised to release the stolen information within 24 hours, according to a post on Twitter that appeared shortly after midnight on 29 July.

Retaliation

Some documents have already been posted as “teasers”, including a resume of an individual with significant military and law enforcement background and a statement of work memo for NATO Communication & Information Systems Services Agency. About 500MB of files are expected to be released.

This latest attack is in apparent retribution for the 20 July arrests of individuals who are accused of participating in Anonymous group hacking attacks.

Earlier this week, in the midst of news reports about British police arresting a suspected member of hacker group LulzSec and regular updates on Twitter about people canceling PayPal accounts in protest, Anonymous posted the following warning on Twitter, “Also, tomorrow: Expect something nice. Looks like the FBI asked for a slap in the face. Well, we can deliver. #FFF (On Thursday, who cares).”

About 14 individuals were arrested on 20 July in the United States for participating in the Anonymous DDOS (distributed denial-of-service) campaign against PayPal in Operation Payback in December. The FBI also arrested one person accused of hacking into InfraGard Tampa and a customer support contractor who downloaded confidential AT&T documents and provided them to LulzSec.

Attacks set to continue

The group said the attacks will continue regardless of the arrests. “We are not scared anymore. Any threats to arrest us are meaningless. We are past threats. We just act. #AntiSec #FFFriday,” the group posted via Twitter.

British police also arrested two alleged members of LulzSec, and the Dutch National Police Agency arrested four Anonymous members this month. In June, Spanish authorities arrested three members and claimed to have shut down Anonymous within the country, and Turkish police detained 32 individuals with alleged links to the group.

ManTech provides cyber-security services such round-the-clock intrusion-detection monitoring, security engineering, and incident identification and response. It’s providing these services to the FBI’s security division as part of a $99.5 million (£60m) five-year contract. The company also provides vulnerability assessment and penetration testing, cyber-threat analysis and specialised cyber-training services.

Other clients include the National Security Agency and the departments of Defense, State and Homeland Security, among others.

“The latest attack against ManTech following a string of attacks against other defense and national security contractors shows that those charged with defending our nation are also susceptible to the same attacks,” Anup Ghosh, chief executive of Invincea, told eWEEK. “Make no mistake – this is a failure of the security industry more than it is a failure of ManTech, Booz Allen, Northrup Grumman, and the National Labs,” Ghosh added.

Military passwords

Anonymous dumped 90,000 passwords belonging to military personnel from consulting firm Booz Allen Hamilton, exposed sensitive information belonging to agricultural chemical and biotechnology company Monsanto employees and stole more than 8GB of internal data from Italy’s cyber-crime police unit. Before it disbanded, LulzSec lifted and published internal documents obtained during its attack on the Arizona Department of Public Safety, breached two websites belonging to FBI partners InfraGard Atlanta and InfraGard Connecticut, and broke into surveillance company Unveillance chief executive’s personal email account.

In a recent interview with National Public Radio in the US, FBI Director Steve Chabinsky discussed the recent arrests. “We want to send a message that chaos on the Internet is unacceptable. [Even if] hackers can be believed to have social causes, it’s entirely unacceptable to break into websites and commit unlawful acts,” Chabinsky said.

The charge of intentional damage to a protected computer carries a maximum penalty of 10 years in prison and a $250,000 fine, and each count of conspiracy carries a maximum penalty of five years in prison and a $250,000 fine, according to the FBI. Anonymous “suspects” may face a fine of up to $500,000, with the addition of 15 years’ jail time even if all they did was download the Low-Orbit Ion Cannon software to take part in the DDOS attack.

Some Internet users forget that participating in DDOS attacks against websites and online organisations for whatever reason is against the law, Graham Cluley of Sophos, told eWEEK. “If found guilty, most of these individuals are likely to turn out to be foot soldier volunteers in a much bigger Internet conflict, and yet by knowingly participating in a denial-of-service attack it’s unlikely that they will be looked upon kindly by the courts,” Cluley said.

Civil protest

Anonymous claims there is a “vast difference” between participating in a civil protest and cyber-criminals running a large botnet.

“The end doesn’t justify the means. Time spent throwing bricks through other people’s digital windows doesn’t actually teach anyone anything about glassmaking, glazing or civil engineering,” Paul Ducklin, head of technology for the Asia Pacific group at Sophos, wrote on the NakedSecurity blog in June.