OpUSA: A Lackluster DDoS OperationPlanned Attacks Have Little Impact on U.S. Websites
The OperationUSA attack that the hacktivist group Anonymous announced would hit U.S. government and banking institution websites on May 7 apparently never gained traction.
As of early evening May 7, the Department of Homeland Security said no federal government websites had so far experienced problems from the threatened distributed-denial-of-service attacks. Homeland Security's National Cybersecurity and Communications Integration Center also had not received any valid reporting of any government website being affected by DDoS attacks.
Rodney Joffe, senior technologist for online security provider Neustar Inc., says OpUSA was over before it ever really started, with no evidence of an impact on banks that were named as targets. But the hackers who had planned to join forces for OpUSA could still rally for a new cause or attack, he cautions.
Nine federal government websites, in addition to 133 U.S. banking institutions, were named by Anonymous on April 24 as targets for attack. Earlier this week, the Department of Homeland Security said the attacks were expected to be more of a nuisance than a serious threat (see DHS: OpUSA to Cause Limited Disruptions).
A Key Factor
What's clear is that the refusal of Izz ad-Din al-Qassam Cyber Fighters - the group behind the DDoS attacks against U.S. banks since last September - to join the OpUSA effort likely severely crippled the attack's impact, Joffe says.
"When these guys decided to go with their attack on Tuesday, they wanted to piggyback on al-Qassam," he says. "So when al-Qassam canceled, they knew OpUSA was a bust" (see OpUSA: Sizing Up the Threat).
On May 6, Izz ad-Din al-Qassam Cyber Fighters announced on the open forum Pastebin that it would not be taking part in OpUSA. The group noted, however, that its attacks would cease for the week of May 7, out of respect for the OpUSA effort.
Ronen Kenig, director of security solutions for online-security provider Radware, says OpUSA appeared to be an unorganized attack that relied on unsophisticated tools, relative to the attack power Izz ad-Din al-Qassam Cyber Fighters has been using.
"al-Qassam is bringing a new level to this game, which we are not seeing from other hacking groups," he says. "In OpUSA, I believe the main thing is that they were not organized and could not recruit any botnet to conduct the attacks."
Lack of Coordination
Like Operation Israel, which members of Anonymous unsuccessfully waged against Israeli government and business sites last month, the OpUSA attack appears to have lacked coordination and purpose, Kenig says.
"This attack looks even less significant than OpIsrael," he says. "The attack tools and volume of the attacks were all significantly lower. And it's really hard to define what Anonymous is. There are so many groups. How do you know exactly who is involved?"
Jim Riva of online security provider Check Point Software Technologies says OpUSA was likely unsuccessful for a number of reasons "having to do with the complexity of attack methods and the preparedness of target networks."
Researcher Gary Warner of the University of Alabama at Birmingham, where he tracks cyber-attacks, says the online takedowns so far attributed to OpUSA have been minimal.
"[They've] had a couple moderately interesting successes, such as adding a host to Microsoft's Republic of the Congo domain name and the very short-lived defacement of a small bank in Arkansas," he says. The group also appears to have mistakenly targeted a blood-bank site, which a non-English-speaking hacker apparently thought was Bank of America, he adds.
John Walker, the chairman of ISACA's Security Advisory Group in London, who's been tracking international DDoS activity since the fall of last year, says OpUSA's perceived failure should not be taken as a sign that hacktivist attacks can be ignored. All attacks and campaigns such as this have to be taken seriously, he says.
"There is also the matter of the distraction attacks, which are employing DDoS as the noisy knock on the door, whilst the real business is taking place at some other logical place within the organization," Walker says. "No matter what statements are made by any attacker, businesses should not allow any information, or disinformation, to sway their judgment to stand down, or to reduce their defense, for that could prove to be the biggest mistake they could make in the face of dynamic adversity."