AntiSec Exposes U.S. Soldiers’ S/Ns, Passwords, Vows Attack on Monsanto

AntiSec, first a project launched by infamous hacker group LulzSec [1][2][3][4][5][6][7][8][9][10][11][12][13][14], and later the name of a new hacker collective formed by members of the now-defunct LulzSec, continues to strike.  Its mission is to attack international governments and corporate interests.

I. Who is Booz Hamilton and Why Were They Hacked?

Much like the February attack on HBGary by Anonymous, or the late May attack on Infragard — a private sector affiliate of the U.S. Federal Bureau of Investigation — the latest attack focused not on official government servers, but on a contractor with weaker security.

This time around AntiSec‘s victim was Booz Allen Hamilton, a prestigious contractor with hundreds of millions of dollars of contracts in its name.  Booz Hamilton employs former U.S. Central Intelligence Agency director Robert James Woolsey Jr. and former U.S. National Security Agency director John Michael “Mike” McConnell.

AntiSec says it targeted the group for a couple of reasons.  First, it points to the company’s alleged complicity in monitoring private sector financial transactions during the SWIFT investigation.  Second, it writes about a secret social engineering project which HBGary and Booz Hamilton cooperated on, stating:

One of the more interesting, and sadly overlooked, stories to emerge from HBGary’s email server (a fine example to its customers of how NOT to secure their own email systems) was a military project – dubbed Operation Metal Gear by Anonymous for lack of an official title – designed to manipulate social media. The main aims of the project were two fold: Firstly, to allow a lone operator to control multiple false virtual identities, or “sockpuppets”. This would allow them to infiltrate discussions groups, online polls, activist forums, etc and attempt to influence discussions or paint a false representation of public opinion using the highly sophisticated sockpuppet software. The second aspect of the project was to destroy the concept of online anonymity, essentially attempting to match various personas and accounts to a single person through recognition shared of writing styles, timing of online
posts, and other factors. This, again, would be used presumably against any perceived online opponent or activist.

HBGary Federal was just one of several companies involved in proposing software solutions for this project. Another company involved was Booz Allen Hamilton. Anonymous has been investigating them for some time, and has uncovered all sorts of other shady practices by the company, including potentially illegal surveillance systems, corruption between company and government officials, warrantless wiretapping, and several other questionable surveillance projects. All of this, of course, taking place behind closed doors, free from any public knowledge or scrutiny.

II. What Was Stolen?

So what did AntiSec take from Booz Hamilton?  The contents of the heist are available here, courtesy of a torrent hosted by The Pirate Bay.

First, AntiSec made off with 90,000 logins of both private and public sector employees, which include members of the U.S. Military.  Members of US CENTCOM, SOCOM, the Marine Corps, various Air Force facilities, Homeland Security, State Department staff, and what looks like private sector contractors were all exposed.

The passwords are hashed, but they use a very weak unsalted MD5 hash (128-bit), meaning that they should be available in rainbow tables, which these days are even available online.

This breach is very serious, given how people recycle their passwords in numerous locations.  Given the number of exposed logins, it’s likely that it will expose at least some soldiers to possible malicious attacks.

Additionally AntiSec claims to have run a shell and used it to delete source code on the company’s SVN server.  Honestly, this isn’t exactly something they should be lauding, as virtually all defense contractors use extensive tape backups and likely can restore the code without much difficulty.  Ultimately this amounts to a mere annoyance, and perhaps a few lost hours of productivity.

In the more significant department, AntiSec claims to have obtained “maps and keys” to other security contractors.  This could lead to additional attacks, so contractors who could be a target should definitely take a look at the distributed file.

III. Hacktivism?

Again it’s hard to condone the kind of social engineering that Booz Hamilton is accused of conducting, but the way that AntiSec went about its intrusion seems rather unfortunate and childish.  Rather than gain access to email, which could actually prove such allegations and put them in context, it instead attacked U.S. soldiers, who already have their hands full.

Even if Booz Hamilton indeed engaged in social engineering, it’s unclear who exactly it directed those efforts against.  Obviously, if it was trolling jihadist forums in an attempt to subvert them, that would be significantly different than, say, trolling U.S. political forums.

So was the attack on Booz Hamilton justified?  That depends on your perspective.

That said, Booz Hamilton committed some very poor practices here, which should bring its contracts into question.  First, it clearly did not properly protect its gateway machine.  Second, much like Bitcoin-mega exchange Mt. Gox, it used an unacceptably weak level of encryption, exposing its users to harm.  Third, it failed to code its databases to avoid SQL injection attacks, which should be mandatory for any contractor working with classified materials.

IV. Monsanto Attacked

In related news, Anonymous vowed Monday to step up attacks on contractor Monsanto Comp. (MON).  

Monsanto is a firm with a long and controversial history.  It is accused of abusing intellectual property rights to sue small farms (allowing its patented crops to blow seeds onto their properties, then suing them); trying to bribe officials in Canada and Indonesia [1][2]; and suing dairy farmers who advertise that their milk doesn’t contain growth hormones.  And they also were the company responsible for spraying Agent Orange all over soldiers in Vietnam, which is thought to have led to cancer and other ailments.

Anonymous broke the news of new possible attacks, writing:

@MonsatoCo is now suing small dairy farmers for advertising that they use no growth hormones.  For NOT using their product.

The operation’s Twitter account “OpMonsanto”, posted on June 26:

We’re going to hit @MonsantoCo with something a little bit more serious than a DDoS this time around. Fuck ’em. #ExpectUs

It posted a brief press release, writing:

Over the last 2 months we have pushed the exposure of hundreds of pages of articles detailing Monsanto’s corrupt, unethical, and downright evil business practices. We’ve created a nice go-to reference guide on piratepad/anonpad(, backed up elsewhere), where anyone can read up on and add their own info about MonsantoCo.

We blasted their web infrastructure to shit for 2 days straight, crippling all 3 of their mail servers as well as taking down their main websites world-wide. We dropped dox on 2500+ employees and associates, including full names, addresses, phone numbers, and exactly where they work. We are also in the process of setting up a wiki, to try and get all collected information in a more centralized and stable environment. Not bad for 2 months, I’d say.

What’s next? Not sure… it might have something to do with that open 6666 IRC port on their nexus server though 😉

Expect Us

It indeed “doxed” Monsanto’s employees — in fact it appears to have exposed the names and addresses of 2,500+ of them.  How this information might be used/abused is unknown, but it could lead to at least some minor harassment.

V. Who is Anonymous/AntiSec/Etc. Again?

Anonymous is a group without a leader.  The group has tens of thousands of members worldwide.  However, not all members are skilled hackers.

Hackers with Anonymous have a tendency to break off into smaller subgroups.  For example LulzSec, who conducted much griefing of gamers in recent months, was one such group.  AntiSec, who targets governments and corporations, is another such group.

Nobody “leads” Anonymous or its subgroups.  Someone simply suggests a target and willing members participate in the attack.

The mass media has had much difficulty wrapping its head around the concept of Anonymous, though it appears most are finally starting to get it.

Anonymous arose via people who met via the image-board site 4Chan, but today the group has grown well outside the confines of that site.  The tricky thing when dealing with Anonymous or its subgroups is that the opinions or actions of one member are not necessarily those shared by another member.

This year Anonymous has been extremely active.  Among other efforts, it helped to influence the revolutions in the Middle East and drive them along.

Ultimately much of what Anonymous and its subgroups do can be viewed as hacktivism of sorts.  However, whether the ends justify the means is a topic of much debate.