Anonymous launches Operation Imperva

On 7 March, vatican.va, the official site of the Vatican, suffered a DDoS attack from Anonymous. “Anonymous has now decided to lay siege to your site in response to the doctrines, liturgies and the precepts absurd and anachronistic that your organization is for profit (Roman Apostolic Church) propagates and spreads worldwide,” announced the hacktivist organization, adding “This is NOT intended to attack the true Christian religion and the faithful around the world, but to the corrupt Roman Apostolic Church and all its emanations.”

Less than a week later, a hacker calling himself Agent_Anon hacked catholica.va via a SQL injection vulnerability. Both of these attacks followed an analysis from security firm Imperva (believed to be an analysis of an earlier attack on the Roman Church) which implies that the greater part of Anonymous is not that clever – mirroring a common suggestion that it comprises a few geniuses surrounded by a hive of idiots. In reality, the report says that Anonymous comprises ‘a small group of skilled hackers’ supported by a larger band of ‘laypeople’ whose “role is primarily to conduct DDoS attacks by either downloading and using special software or visiting websites designed to flood victims with excessive traffic,” and whose skill is from ‘very low to modest.’ But more particularly, the report suggests that Anonymous first seeks to breach its targets, and then falls back on DDoS attacks when it fails.

Anonymous has interpreted Imperva’s analysis as damning with faint praise. And it has taken exception. “This is a message to the Imperva security firm,” Anonymous announced last week. “Although we do not see you as any form of threat we have concluded that your interest and views may become a mild nuisance in the future. Therefore you, yourself, will now become a target. You have angered the hive and the hive has spoken. Now you will feel the full fury of Anonymous... Imperva – expect us.”

The problem with any ‘announcement’ from Anonymous is that it cannot be truly verified. If this is genuine, it is a new development – this is revenge rather than hacktivism. Imperva declined to comment on Operation Imperva. But security commentators will be watching with interest to see if anything develops, and how Anonymous fares against a security company.
