The Department of Homeland Security characterizes as a nuisance the threatened May 7 Operation USA attack against U.S. federal government and banking websites, contending some of the participants possess only rudimentary hacking skills.
Still, if the attack is perceived as a success in the hacking community, more nefarious actors could try more vicious disruptions against U.S. sites, DHS says in an alert.
The hacktivist group Anonymous, in a posting on the website Pastebin, says OpUSA will target nine U.S. federal government websites, including the White House and Defense Department, as well as 133 financial institutions on May 7 [see OpUSA Threatens Banks, Government].
A government official says DHS is fully aware of this threat and is working with federal and private-sector partners to put in place mitigation strategies. Homeland Security, in the alert, says it expects the hacktivists to attempt distributed-denial-of-service attacks that could temporarily halt or slow down website traffic. The alert also notes the hacktivists could attempt homepage defacement and data leaks.
According to the DHS alert, first reported by IT security blogger Brian Krebs and confirmed by a DHS official, the attacks likely would result in limited disruptions and mostly consist of nuisance-level attacks against public accessible webpages and possibly data exploitation.
A Nuisance with a Caveat
Former CIA Chief Information Security Officer Robert Bigman says that DDoS attacks are largely a nuisance, but adds a caveat: "If the DDoS attacks continue and veterans can't file claims and travelers can't get passports, then the public will motivate Congress to address the problem. Short of that, things will not change."
Another IT security expert, though, contends attacks such as those threatened by Anonymous could prove more damaging. "Some DDoS attacks are only a nuisance, but, as we've seen in the DDoS attacks on banks, these kinds of attacks are often just a smokescreen to distract from real damage elsewhere," says Dwayne Melancon, chief technology officer at IT security provider Tripwire. "Writing off DDoS attacks as merely a nuisance is irresponsible, without data to substantiate that disposition."
DDoS attacks, indeed, have taken a toll on American banks. Since last September, the FBI counts more than 200 separate DDoS attacks on at least 46 financial institutions [see FBI: DDoS Botnet Has Been Modified].
Bigman, who retired last year from the CIA after 30 years, says federal agencies that deem their public-facing websites as mission-critical should be better prepared to defend their sites against the attacks. "The ones who use the website largely as an information serving platform - most of the intelligence community - are, ironically, less well protected," he says.
Assessing Hackers' Skills
The alert, prepared by Cyber Intelligence Analysis Division within DHS's Office of Intelligence and Analysis, says the actors behind OpUSA most likely will rely on commercial tools to exploit known vulnerabilities rather than develop their own tools and exploits.
"This suggests some of the participants possess only rudimentary hacking skills capable of causing only temporary disruptions of targeted websites," the alert says. "Nevertheless, OpUSA participants likely will exaggerate the scope and impact of their attacks as a way to attract attention and draw more capable criminal hackers to future hacking efforts."
Tripwire's Melancon cautions against underestimating the sophistication of the expected May 7 attack, saying that attitude is risky. "It is better to prepare for a strong attack than to be caught flat-footed because you expected an amateurish attack, but ended up being confronted by a competent attacker," he says.
Lessons to Be Learned
Even if the attacks are somewhat successful, they could help website operators defend against future attacks. "OpUSA, if launched, will actually expose vulnerabilities and help to reduce the number of targets that are susceptible to easy exploitation by more targeted adversaries," says Richard Stiennon, an IT security analyst and author of the book "Surviving Cyberwar."
The DHS alert says promoters of OpUSA, though not necessarily its instigators, include individuals linked to websites that host violent extremist content, including a member of a web forum that hosts al-Qaida-inspired content.
Anticipating the attack, the Credit Union National Association is alerting its members of the "chatter" tied to OpUSA.
"It is not possible to assess the veracity of the threat at this time, but it is important that credit unions be aware and prepared at all times," Tom Nohelty, vice president of information technology at CUNA, says in a statement. "Some of the largest credit unions are included in a list of targets for the purported May attack so heightened awareness is warranted."
Among the targets mentioned in the Anonymous posting are the American Airlines and Alliant credit unions.
Being on Guard
The credit union association offered this advice to defend against the potential May 7 digital assault:
- Actively monitor in-bound Internet traffic that day. Network teams should be prepared to block traffic from specific IP addresses in an effort to maintain their website's ability to respond to normal business requests;
- Alert members about the OpUSA threat and ask them to execute critical online banking business on a different day or come into the credit union office; and
- Educate call-center staff on the symptoms of a DDoS attack so they can better serve the members and notify their network teams if an attack is under way.
A DHS spokesperson says the department is sharing information with industry, state and local governments and international partners to address cyberthreats and develop effective security responses.