Anonymous Hacktivism

Inside the Anonymous Army of ‘Hacktivist’ Attackers
by Cassell Bryan-Low and Siobhan Gorman
Wall Street Journal
June 24, 2011

Hoogezand-Sappemeer, Netherlands—In this sleepy Dutch town last December, police burst into the bedroom of 19-year-old Martijn Gonlag as he hurriedly pulled on jeans over his boxer shorts. He was hauled away on suspicion of taking part in cyber attacks by the online group calling itself Anonymous.

Mr. Gonlag admits taking part in several attacks on websites, but he recently had a change of heart as some hackers adopted increasingly aggressive tactics.

“People are starting to grow tired of” the hackers, he said in an interview. “People are also starting to realize that Anonymous is a loose cannon.”

Now he appears to be a target himself. A chat room he hosts faces frequent hack attacks, he says.

Mr. Gonlag’s role reversal provides a glimpse of the unruly hunt-or-be-hunted world underpinning a string of online attacks against major companies and government bodies—incidents that have sparked a digital manhunt by law-enforcement agencies in several countries.

What once was just righteous rabble-rousing by Anonymous in the name of Internet freedom has mutated into more menacing attacks, including by a splinter group of Anonymous called LulzSec, which is alleged to have moved beyond paralyzing websites to breaking in to steal data.

The tumult over online agitators like Anonymous comes at a time when the world’s computers are under unprecedented attack. Governments suspect each other of mounting cyber espionage and attacks on power grids and other infrastructure. Criminal gangs using sophisticated viruses cull credit-card and other sensitive data to steal from bank accounts.

Now “hacktivists” who populate groups like Anonymous and LulzSec, mostly young males from their teens to early 30s, have also ignited increasing concern among computer experts over the security of corporate and government systems.

Authorities in the U.K., Netherlands, Spain and Turkey have made more than 40 arrests of alleged Anonymous participants. In the U.S., the Federal Bureau of Investigation has conducted sweeping searches as part of a continuing probe into various attacks. On Wednesday, U.K. police charged a 19-year-old believed to have ties with both Anonymous and LulzSec, a group whose name is a blend of “lulz,” or laughs, and “security.”

Anonymous and LulzSec pose a problem for law enforcement partly because their membership and operations are difficult to pin down. They are amorphous entities with scant leadership structure or formal process for making decisions.

Anonymous is “an idea” rather than a group, said Gregg Housh, a 34-year-old Web designer from Boston. “There is no one group, no one website. That is what makes it so powerful in my eyes.” Mr. Housh said he helps Anonymous with logistics but doesn’t take part in attempts to shut down websites or do anything illegal.

Waves of infighting spring up periodically within Anonymous, Mr. Housh added. “This is very natural. It’s what happens.”

A watershed in its tactics came in February when it hacked a California-based Internet-security firm called HB Gary Federal LLC, which sells investigative services to companies and government agencies, and released tens of thousands of internal emails.

The incident sent a chill through the security industry. “Computer-security specialists are afraid to challenge Anonymous,” said Mikko Hypponen, of computer-security firm F-Secure Corp. “No one is that confident in their own systems.”

Some participants involved in that hack formed the LulzSec splinter group, according to security specialists and participants. LulzSec has claimed credit for a string of computer break-ins, intensifying the response from law-enforcement groups.

Anonymous grew out of an online message forum formed in 2003 called 4chan, a destination for hackers and game players fond of mischievous pranks. Its followers became more politically focused, embracing an ideology of Internet freedom. In 2008, it made headlines with a campaign against the Church of Scientology, protesting what Anonymous claimed was the religious group’s effort to control information about itself online.

The campaign included “denial-of-service” attacks—bombarding websites with data to try to knock them offline. Later attacks targeted the movie and music industries, because of their efforts to stop piracy.

In December, the group hit on a cause that propelled it into the spotlight: WikiLeaks. Anonymous began attacking organizations and people who tangled with WikiLeaks and founder Julian Assange, who had been arrested in London over sexual-misconduct allegations in Sweden, which he denies.

Anonymous attacks shut or slowed websites of businesses that had cut ties with WikiLeaks, including MasterCard Inc., Visa Inc. and PayPal, a unit of eBay Inc. All said their systems weren’t compromised. PayPal said the attacks temporarily slowed payments via its website but not significantly.

The campaign, Operation Payback, brought Anonymous new followers from around the world. Via online chat forums and social-media websites, participants disseminated instructions about how to download attack software and about sites to target. Software called LOIC, or low-orbit ion cannon, was downloaded tens of thousands of times, security specialists say.

Among recruits was Mr. Gonlag, under the nickname Awinee, an online handle the Dutch youth had used during a lifetime of intensive video-game playing. Spurred by talk of the WikiLeaks campaign in chat rooms, he piled in, at one point writing: “Fire, fire fire.”

Mr. Gonlag has admitted he participated in attacks including one against the website of a Dutch prosecutor who announced the arrest of a 16-year-old in connection with the WikiLeaks campaign.

Returning home in the early hours of Dec. 10, Mr. Gonlag said in an interview, he typed the address of the prosecutor’s website into the attack software and let his computer fire data for about half an hour. That afternoon, Dutch police arrested him and seized his desktop computer and phone.

Mr. Gonlag, who awaits trial, is charged with crimes related to destroying a computer network and inciting others to cause an attack, which carry a possible six years in prison.

Tapping at his keyboard recently in jeans and a green T-shirt, Mr. Gonlag said that he took part in several pro-WikiLeaks attacks, which he likened to a “digital sit-in,” but that he wasn’t guilty of the charges because he didn’t destroy or steal anything.

He indicated he grew disenchanted as some arms of Anonymous allegedly moved from paralyzing websites to stealing from them, putting the group in “a very, very bad position.”

Alluding to the cyber attacks he himself now faces, he said that when his computer server that powers the online chat rooms comes under fire, he takes the server offline and waits until his attackers tire of the effort. Then he connects back online again.

Each online Anonymous forum, such as AnonOps and AnonNet, has multiple chat rooms or “channels,” typically focused on a particular operation or theme.

While there may be a hundred or so active followers of a network on a regular basis, numbers swell into the thousands during popular campaigns.

Many channels are public, but participants can also set up invitation-only chat rooms or send each other private messages. Participants often speak online using audio or camera software, and they also can share videos and other files. Many participants are U.S.-based but there is also a significant following in Europe and elsewhere.

Discussion ranges from political theory to technical chatter to juvenile banter. In one chat log, a participant promised to push a company “so far into orbit that they’ll transmute into a gravitational dip and exude Hawking radiation.”

Anonymous does have a hierarchy of sorts, with a core group of about 15 leaders who run the online chat rooms, participants say. They can issue sanctions, including banning someone from a channel or an entire network.

“There are nodes of power and authority, but it is pretty decentralized, and no one is calling the shots for all the operations,” said Gabriella Coleman, a New York University academic who follows Anonymous.

The Anonymous attacks turned more ominous in February, when some members broke into HB Gary Federal’s systems.

The Internet-security company’s then-chief executive, Aaron Barr, noticed the problem one morning when he was unable to access corporate email via an iPhone.

He instantly suspected Anonymous, as he had been quoted in a newspaper article saying he had uncovered key participants. Soon, his Twitter account was hijacked and used to post racial slurs and his Social Security number. Then Anonymous announced it had hacked his email and would make the contents public.

“I was shocked and consumed by it,” Mr. Barr said.

By hacking into the company’s public Web page and stealing passwords, attack participants obtained about 70,000 emails, which they posted online. The traffic included details of a proposed effort to gather information on critics of the U.S. Chamber of Commerce in an attempt to prove illegal activity by labor-union members. Mr. Barr said the initiative was only intended to show what information could be retrieved.

The attackers also exposed minutiae of Mr. Barr’s marital issues. He said the personal communications were taken out of context.

Mr. Barr stepped down from his job in late February.

Anonymous participants say the attacks expose weaknesses in the systems of computer-security companies and large organizations. “They should be scared,” said Corey Barnhill, a 23-year-old New Jersey native who uses the online nickname Xyrix and who said he took part in the attack on HB Gary Federal. “You’re college-educated and you can’t secure a server? How hard is it? They can’t keep a kid out?”

Mr. Barnhill said the HB Gary Federal hack was designed to teach Mr. Barr a lesson for suggesting he could unmask Anonymous. “Whacking him down a peg was pretty funny,” he said.

In April, an Anonymous denial-of-service attack against Sony Corp. was followed by a breach of its computer system that resulted in the theft of names and birth dates and other personal information on about 100 million people who play online video games through Sony’s online gaming services.

Sony shut down its PlayStation online network for nearly a month and has estimated the attack cost it $171 million, including costs for enhanced security.

Sony has said that it isn’t clear that any credit-card data were ever accessed. The company said it has added security to its systems.

Sony told U.S. lawmakers it found a file left on its servers called “Anonymous,” the contents of which said “We are Legion,” a tagline often used by Anonymous.

Anonymous participants claim responsibility for the denial-of-service attacks, in press releases and via their Twitter account. They said the group didn’t orchestrate the data breach but didn’t rule out that someone from the group could have been involved. Meanwhile, the LulzSec group formed.

Security experts who follow LulzSec say it has about 10 core participants and is known for its hacking expertise. In recent weeks it has claimed responsibility for breaking into computer systems of several organizations, including the U.S. Senate and an FBI affiliate called InfraGard.

Last week, LulzSec said it had knocked the Central Intelligence Agency’s website offline for about an hour. The CIA said no internal or classified networks were affected.

A call to a phone number set up by the group, 614-LULZSEC, wasn’t returned. One LulzSec follower called “tflow” responded to a Wall Street Journal reporter in an online chat room, saying: “Unfortunately the gnomes are too busy to pick up your clearly inferior call.”

“For the past month and a bit, we’ve been causing mayhem and chaos throughout the Internet, attacking several targets,” LulzSec said in a statement last week. “This is the Internet, where we screw each other over for a jolt of satisfaction.”

This week, LulzSec claimed to rat out a couple of individuals it said had “tried to snitch” on it. In a document addressed to the “FBI & other law enforcement clowns,” the group appeared to reveal the full names, addresses and other contact information of two U.S. men it claims were involved in some hacks. “These goons begged us for mercy after they apologized to us all night for leaking some of our affiliates’ logs,” according to the document, accessed via a link on LulzSec’s Twitter page. “There is no mercy on the Lulz Boat.”

—Ian Sherr contributed to this article.