The Department of Homeland Security has evaluated Anonymous and found that while the collective may not be able to take over critical IT infrastructure today, it may be able to someday.
The "hacktivist" collective Anonymous is capable of crippling
critical infrastructure, but the odds of developing a Stuxnet-style
attack on industrial Supervisory Control and Data Acquisition systems were slim, according to a Department of Homeland Security
The four-page report from the department's National Cyber-Security and
Communications Integration Center was posted on the Public Intelligence
Website on Oct. 17. The Department of Homeland Security evaluated the
collective's potential to disrupt critical infrastructure in the
"Assessment of Anonymous Threat to Control Systems" report, dated Sept.
Even though hacktivist groups are increasingly active in their
attacks, DHS said actual threats to control systems don't seem to have
increased. Anonymous currently has a "limited ability" to conduct
attacks that target industrial control systems, the DHS found. The
group has the capability to disrupt operations with distributed
denial-of-service attacks, but it doesn't currently have the necessary
to take over critical infrastructure, according to the DHS.
"However, experienced and skilled members of Anonymous...could be able to
develop capabilities to gain access and trespass on control system
networks very quickly," according to the DHS bulletin.
DHS evaluated the group after a known Anonymous member posted on
Twitter on July 19 a directory tree for Siemens SIMATIC control system
software, according to the report. "This is an indication in a shift
toward interest in control systems by the hacktivist group," the report
Critical infrastructure refers to the systems and networks that power
communications, energy, financial systems, food, government operations,
health care systems, transportation and water.
The vast majority of the infrastructure is currently controlled by the
private sector. There are several bills in Congress proposing some form
of government oversight to protect critical infrastructure, but
disagreements remain as to who should be in charge and the role
government should play.
The idea that Anonymous might target critical infrastructure is not
far-fetched. Members have called for attacking energy companies, and on
July 11 some members of the collective attacked biotechnology seed
company Monsanto. As part of the attack, Monsanto's Web infrastructure
was disabled for two days, email servers were disabled for three days
and data on 2,500 employees and partners was stolen.
Groups such as Anonymous and LulzSec choose to "harass and embarrass their
targets using rudimentary attack methods," DHS said. All the
information released by Anonymous and LulzSec indicated that the groups
showed "no indication of exploitation capability," according to the
While the risks currently are low, there was a "moderate likelihood"
that future protests could be accompanied by attacks on core
infrastructure.
The group can become more interested, especially as they realize how
poorly these systems are secured in the first place, the report warned.
Members can study industrial control systems using publicly available
information and develop malware to exploit well-known vulnerabilities,
according to the federal agency.
The DHS report warned that even though Anonymous may not attack
the control systems, all businesses should still make sure their IT
systems are protected. Attackers can easily locate and access
industrial control systems with "minimal skills" using Internet search
engine tools and applications to carry out "nefarious activities" or
conduct reconnaissance activities to launch other attacks, the
Oil and gas companies are potentially attractive targets as the
collective supports the "green energy" agenda and has opposed pipeline
projects in the past.