OpUSA Analyzed – Systems Compromised, Little DDoS but Hundreds of Defacements

Thus far, DDoS has been lacking, according to the analysis

Solutionary SERT has been monitoring the events associated with OpUSA, which has targeted US organizations in the retail, financial and government sectors. Three attack techniques were monitored: SQL injection, cross-site scripting, and distributed denial-of-service (DDoS) attacks.

Surprisingly, perhaps, DDoS has been lacking. "Solutionary has not received any reports to validate that any such targeted attacks took place before, during or after the May 7, 2013 launch date," says the report. But, it adds, "several hundred defaced domains were discovered in posts on or after May 7, 2013 — all of which were associated with OpUSA."

The majority of defacements did not adhere to the conventional methodology of modifying the front page, "rather," says the report, "a new page was added to the website to promote the hacktivists’ message." Solutionary conjectures that the combination of scaling back DDoS and increasing defacements was a conscious plan for "a concerted graffiti campaign designed to spread their message and attempt to raise awareness of what they view as injustices."
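The defacement pattern the report describes (front page left intact, a new page dropped into the site) is exactly the case a plain "has index.html changed?" check misses. The following is an added example, not code from the Solutionary report or this article: it builds a SHA-256 manifest of a web root, then diffs a later manifest against the baseline to surface added, removed and modified files. The web root, its files and the `demo()` scenario are constructed here for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(webroot: Path) -> dict:
    """Map every file under webroot (relative POSIX path) to its SHA-256."""
    manifest = {}
    for p in sorted(webroot.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(webroot).as_posix()] = hash_file(p)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report files that appeared, vanished, or changed since the baseline.

    'added' is the bucket that catches a defacement page dropped next to an
    untouched front page; a front-page-only check would never see it.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a small site, then add one new page."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Welcome</h1>\n")
        (root / "about.html").write_text("<p>About us</p>\n")
        baseline = build_manifest(root)          # taken at deploy time

        # The pattern from the report: the front page is not modified,
        # a new page simply appears in the web root.
        (root / "message.html").write_text("<p>placeholder new page</p>\n")

        current = build_manifest(root)           # taken on the next check
        return diff_manifests(baseline, current)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest is written to disk (or a separate host) at deploy time and the diff runs on a schedule; any non-empty `added` or `modified` list on a static site is worth a look, and `modified` on `index.html` alone is not a sufficient alarm condition.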

Overall, although the number of website compromises has been high, the damage done has been low. "However, Solutionary cautions that the true nature of these attacks cannot be verified at this time, so organizations should be aware that the OpUSA event could have been used to gather additional system information and stage future attacks."

One of the most striking elements of the research is an analysis of the servers that have been compromised. Seventy-three percent of the compromised sites were hosted on Microsoft IIS servers. Seventeen percent were running IIS versions 5.0 and 5.1 – which are over ten years old and no longer supported by Microsoft.

This more than anything leads to Solutionary's primary recommendation for fending off hacktivist attacks: verify "that appropriate security patches are applied to systems and Web servers in a timely manner."

While monitoring OpUSA, Solutionary also looked for any hacktivist fallout from Edward Snowden's PRISM revelations last month. "At this time," it says, "Solutionary has not seen indications that any organizations have been breached as part of, or in retaliation for, the PRISM data collection program." 

The reality, however, is that it may be too soon. Furthermore, PRISM-related hacktivism is easily appended to many other existing hacktivist operations without the need for a new name. Gizmodo reports, "On Monday night, the affiliate account @AnonLastResort [almost certainly a typo for '@OpLastResort'] tweeted a link to a document 2,000 email addresses long. The vast majority of them come from the House of Representatives, though there are some gems in there from the U.S. Attorney General's office, the Senate and even New York's comptroller."

The tweet refers to OpLastResort, an operation originally designed to protest prosecutorial overreach. However, it includes the hashtags #Congress, #Senate, #FISA and #PRISM. Prism-based hacktivism may only just be starting.
