Hacktivists’ threat to wreak digital havoc on U.S. government sites and financial institutions fell well short of the mark on May 7, the first day of the so-called “OpUSA” attack.
On April 21, hacktivists calling themselves the N4m3le55 cr3w and affiliating themselves with the Anonymous movement promised in a Pastebin post to attack nine government sites—including those of the White House, Pentagon and the National Security Agency along with more than 120 banking sites on May 7.
Yet, the group appeared to hit only a handful of sites, and none from its list of targets, according to network-security firm Radware, which tracked the attack. A separate Pastebin post bragged of hundreds of defaced sites, most located in other countries and likely the victims of a single vulnerability that facilitated a mass defacement.
“The attack had a fairly robust target list, but fell short of expectations,” Ronen Kenig, director of security solutions at Radware, said in an email interview with eWEEK. “It seems that only smaller scaled sites took the brunt of the attack.”
The U.S. government took the threat seriously. On May 6, the U.S. Department of Homeland Security warned businesses of the attack threat and circulated a list of tools publicized by the hacktivists, intended to be used in the attacks.
“Individual hacker groups seem to be conducting attacks independently, each claiming responsibility for individual defacements and data breaches that have supposedly recently taken place,” the advisory warned.
Some security experts worried that the size and scope of the attacks could rival the distributed denial-of-service attacks that have disrupted financial sites on and off for nine months.
The reasons for the attack are unclear, but the hackers railed against the U.S. government in a venomous rant posted to Pastebin.
“America you have committed multiple war crimes in Iraq, Afghanistan, Pakistan, and recently you have committed war crimes in your own country,” the group stated in the post. “You have killed hundreds of innocent children and families with drones, guns, and now bombs. America you have hit thousands of people where it hurts them, now it is our time for our Lulz.”
Security experts had a variety of opinions about why the attack did not take off on the first day.
Possible reasons range “from it being too loosely organized to be truly effective to it was just a group claiming Anonymous affiliation trolling everyone to see what the reaction would be,” Vann Abernethy, product manager for distributed denial-of-service firm NSFOCUS, said in an e-mail interview with eWEEK.
Others theorized that the group just did not get enough participation or commitment from other hackers and activists to make much difference.
“The small impact could have been attributed to a similar problem during OpIsrael—little manpower for a herculean task,” Radware’s Kenig said. “More than likely, they weren’t able to recruit enough ‘boots on the ground’ or have a large enough botnet to execute a large-scale cyber-attack.”