Even though LulzSec has officially called off its hacking mission and gone back to Anonymous, security experts say organizations remain vulnerable to other groups.
The hacking group LulzSec ended its 50-day hacking spree the
same way it began, with a post on Twitter and text-sharing site Pastebin.
Organizations should not breathe a sigh of relief, because
these kinds of attacks will still continue, launched by countless other groups
who do the same thing for a variety of motivations, Andrew C. Herlands,
director of security strategy at Application Security, wrote on the Team
blog on June 27.
After 50 days of "disrupting and exposing corporations,
governments, often the general population itself," LulzSec said will cease
its online mayhem under the "LulzSec" identity, the group of hackers
said in a statement posted on Pastebin
June 25. The group claimed it was disbanding so that its six members could
pursue other interests, but called for others to carry on, encouraging more
groups to expose security issues and hidden information.
"We hope, wish, even beg, that the movement manifests
itself into a revolution that can continue on without us," LulzSec said in
its letter to followers.
On Twitter, the message was far simpler: "Thank you, gentlemen
As part of its final act, LulzSec also released a fresh set
of stolen documents and files on file sharing network BitTorrent, such as
details on AT&T's forthcoming wireless network rollout, proof LulzSec had
hacked into a U.S. Navy job search Website, 50,000 user credentials from
"random gaming forums," personal information belonging to 200,000
Hackforums.net users, and details on 12,000 NATO bookshop users.
LulzSec previously released several internal Arizona law
enforcement documents on June 24 to protest the state's controversial
immigration laws. During its 50-day spree, the group was behind a string of
high-profile attacks, including attacks on Sony, the FBI's Infraguard
servers belonging to the U.S. Senate, the CIA as well as security and gaming
firms, among others
. They were all carried out for fun, to
"entertain" and supposedly was not financially motivated.
"While we are responsible for everything that The Lulz
Boat is, we are not tied to this identity permanently," the group said.
While the group's dissolution may or may not be legitimate,
these types of attacks will continue, Herlands said. LulzSec and other
"makeshift collaboratives" have proven how easy it is to take down
Websites, embarrass organizations and steal confidential data, he said.
"Whether for fame, fortune, political agenda, or just
for the lulz, hackers will continue to probe computer systems on the
Internet," Herlands said, noting that Websites and databases have been
under attack for years and many of the existing vulnerabilities are
well-documented. Attackers will continue targeting users with spear-phishing
and malware attachments to trick employees into giving attackers access to
internal systems. Attackers will continue to breach systems, steal information
and leave, long before the organization even finds out what happened.
"Make no mistake, no matter how high, deep, or wide
your outer defenses may be, attackers WILL find a way over, under, or around
them," Herlands wrote.
Some security experts speculated that the group decided to
disband because of increasing pressure from law enforcement agencies,
especially after British
arrested a 19-year old male who had some ties to the group. A
number of rival groups, such as Web Ninjas, had also been posting information
supposedly identifying the members. Internal chat room logs have also been
"Maybe, quite simply, LulzSec was worried that the heat
was intensifying-and it was time for them to get out of the kitchen before the
computer crime authorities caught up with them," said Graham Cluley,
senior technology consultant at Sophos, on the NakedSecurity blog.
At least one member of the group took exception to the
speculation. Sabu, a member of the group, posted on Twitter that many members
did not "run" but joined hacktivist collective Anonymous instead. "We
retired lulzsec at its peak. We are smart," Sabu wrote on Twitter.
Imperva's Tal Be'ery had speculated that LulzSec members
were originally a breakaway group from Anonymous.