LulzSec Dissolution Won't Reduce Threat of High-Profile Cyber-Attacks

Even though LulzSec has officially called off its hacking mission and gone back to Anonymous, security experts say organizations remain vulnerable to other groups.

The hacking group LulzSec ended its 50-day hacking spree the same way it began, with a post on Twitter and text-sharing site Pastebin.

Organizations should not breathe a sigh of relief, because these kinds of attacks will still continue, launched by countless other groups who do the same thing for a variety of motivations, Andrew C. Herlands, director of security strategy at Application Security, wrote on the Team SHATTER blog on June 27.

After 50 days of "disrupting and exposing corporations, governments, often the general population itself," LulzSec said will cease its online mayhem under the "LulzSec" identity, the group of hackers said in a statement posted on Pastebin June 25. The group claimed it was disbanding so that its six members could pursue other interests, but called for others to carry on, encouraging more groups to expose security issues and hidden information.

"We hope, wish, even beg, that the movement manifests itself into a revolution that can continue on without us," LulzSec said in its letter to followers.

On Twitter, the message was far simpler: "Thank you, gentlemen."

As part of its final act, LulzSec also released a fresh set of stolen documents and files on file sharing network BitTorrent, such as details on AT&T's forthcoming wireless network rollout, proof LulzSec had hacked into a U.S. Navy job search Website, 50,000 user credentials from "random gaming forums," personal information belonging to 200,000 users, and details on 12,000 NATO bookshop users.

LulzSec previously released several internal Arizona law enforcement documents on June 24 to protest the state's controversial immigration laws. During its 50-day spree, the group was behind a string of high-profile attacks, including attacks on Sony, the FBI's Infraguard program, servers belonging to the U.S. Senate, the CIA as well as security and gaming firms, among others. They were all carried out for fun, to "entertain" and supposedly was not financially motivated.

"While we are responsible for everything that The Lulz Boat is, we are not tied to this identity permanently," the group said.

While the group's dissolution may or may not be legitimate, these types of attacks will continue, Herlands said. LulzSec and other "makeshift collaboratives" have proven how easy it is to take down Websites, embarrass organizations and steal confidential data, he said.

"Whether for fame, fortune, political agenda, or just for the lulz, hackers will continue to probe computer systems on the Internet," Herlands said, noting that Websites and databases have been under attack for years and many of the existing vulnerabilities are well-documented. Attackers will continue targeting users with spear-phishing and malware attachments to trick employees into giving attackers access to internal systems. Attackers will continue to breach systems, steal information and leave, long before the organization even finds out what happened.

"Make no mistake, no matter how high, deep, or wide your outer defenses may be, attackers WILL find a way over, under, or around them," Herlands wrote.

Some security experts speculated that the group decided to disband because of increasing pressure from law enforcement agencies, especially after British authorities arrested a 19-year old male who had some ties to the group. A number of rival groups, such as Web Ninjas, had also been posting information supposedly identifying the members. Internal chat room logs have also been recently leaked.

"Maybe, quite simply, LulzSec was worried that the heat was intensifying-and it was time for them to get out of the kitchen before the computer crime authorities caught up with them," said Graham Cluley, senior technology consultant at Sophos, on the NakedSecurity blog.

At least one member of the group took exception to the speculation. Sabu, a member of the group, posted on Twitter that many members did not "run" but joined hacktivist collective Anonymous instead. "We retired lulzsec at its peak. We are smart," Sabu wrote on Twitter.

Imperva's Tal Be'ery had speculated that LulzSec members were originally a breakaway group from Anonymous.