Tuesday, May 7, 2013

OpUSA and HTP5: Winners and Losers

We were warned.

MAN were we warned.

On May 7th, some serious shit was going down.

*** Part1: The Losers ***
The warnings started going out weeks ago. Banks and other financial institutions on the Anonymous "hit list" were warned ahead of time. Some took services offline as a preventive measure. As it turns out, these self-inflicted "lock downs" appeared to be the only damage done. I've seen no reports of any of the organizations on the target list being affected by #OpUSA.

It started out with some dire warnings, a hit list and a lot of talk. Tweets like this were a common sight:

#OpUSA Hackers plan "Day to Remember" with May 7 attacks on banks, government agencies

Thousands of sites hacked, defaced and down during #OpUSA. Here's an update list.

The only thing likely to be remembered about this day, though, is how quickly the boasts were overshadowed by sarcasm and jeers:

At this point I doubt #OpUSA could shut down their own computers. Using the power button.

#OpUSA hits an online bakery, but banks and the FBI are safe

Their own attempts to brag were more entertaining than some of the jokes going around. They hacked an unused Kansas pawn shop website. Someone spitting in the local Taco Bell's sour cream would be more newsworthy.

Patriot Pawn & Gun of USA Fucked by AnonGhost for #OpUSA

The hackers also have a site set up to act as a running tally of their accomplishments. By midday, the list looked pretty impressive. That is, until you started digging into the details.
  • For an attack on the US, they reported hitting quite a few non-US websites, and much of the breached data was international.
  • The 100k breached accounts appeared to be from a 2009 breach
  • The ~12k breached accounts appeared to be from a 2005 breach
  • All breached credit cards were long expired
  • Many websites were misrepresented. One that appeared to be a Dallas criminal attorney's office was actually an abandoned WordPress blog with a few criminal law-related posts.
  • Another, completeharleydavidson.us, didn't even pass as believable, and I couldn't find any evidence it existed before a few days ago. I suspect they might even be registering domains and setting up sites just to make it look like they were hacked.
  • Little to no notable websites appear to have been affected
  • An XSS vuln found in the "Municipal Chambers of Brasil" website. As part of #OpUSA? Really?
Why so lame? I see three possibilities: that these "hackers" really are that incapable, that their activities were only meant to cause fear and an overreaction (which worked, to a small extent), or that this whole thing was an intentional diversion from something more devious going on. I doubt the latter, but I'm no threat intel expert. I just know what I've seen.

Jaeson Schultz of Cisco touches on another possibility: that #OpUSA is a sting of sorts, set up to help law enforcement catch members of Anonymous. It would be interesting to test the claim that the tools linked for this operation are backdoored.