LulzSec announced their disbanding via Twitter on Saturday, fifty days after the Fox.com leak of 7 May that opened the campaign. The closing message ("Behind the smoke and mirrors of misdirection, the most exclusive and brilliant of crews has decided to put down its tools") is in the same hectoring tone they had kept up for all fifty days, and it came with a final document dump containing AT&T internal data, AOL internal email, FBI affiliate Sentinel data, and several other incomplete client records. The pretence that they were going out on a high is undermined by Ryan Cleary's arrest in Wickford the previous Tuesday and by the various reports of internal disagreement within the group, but it is also probably true that fifty days of relentless activity is about as long as a loose hacker collective sustains before exhaustion or arrest catches up with it.
I want to write the campaign down now while it is still fresh, because the pattern is going to recur, possibly within the year, and I want a coherent record of what fifty days of LulzSec actually consisted of rather than the disjointed press coverage. From memory and notes: 7 May, Fox.com, with usernames and passwords for X Factor contestants, a defacement, and the first announcement that they were operating under the LulzSec banner. Late May, the PBS Frontline hack with the fake story claiming Tupac Shakur was alive in New Zealand. 2 June, Sony Pictures: a million user accounts claimed, with names, dates of birth and email addresses dumped, alongside the claim that the Sony database stored passwords unencrypted. Through early June, a series of escalating dumps: Bethesda Softworks user data, Sony BMG internal data, Sony Pictures employees' email accounts. 13 June, Senate.gov defaced and an internal-server file listing dumped. 15 June, the CIA's public website pushed offline by DDoS for a couple of hours. 20 June, SOCA (the UK Serious Organised Crime Agency) taken offline by DDoS for a similar duration, and the same day the announcement of "Operation Anti-Security" jointly with Anonymous, framed as a campaign against "any government or agency that crosses our path". 23 June, Arizona Department of Public Safety internal documents leaked under the AntiSec banner. 25 June, AT&T internal data. 26 June, the disbanding announcement.
The pattern that interests me more than any individual target is the operational tempo. LulzSec ran for fifty days at roughly one significant incident every other day. Each incident required either active exploitation (of Sony's web-application stack, of Senate.gov, of PBS) or the reuse of credentials that had already leaked elsewhere, the credential-stuffing pattern. The technical sophistication varied widely across the campaign: the Sony Pictures incident relied on a SQL-injection vulnerability in a Sony content-management application, roughly the same level of difficulty as the HBGary Federal entry vector, while the Senate.gov incident exploited an Apache misconfiguration and the CIA DDoS was the standard volunteer-LOIC pattern. There is no single technical signature to LulzSec; what is consistent is the attack rate and the operational discipline of choosing targets that produce maximum public-relations impact for minimum technical effort.
The targets that interest me operationally are the law-enforcement ones. SOCA being taken offline is a less interesting incident than it sounds, because the SOCA public website is essentially a brochure and was not connected to any operational systems. But the symbolic effect was significant, and the sequence around it (SOCA offline on the Monday, the Met arresting Ryan Cleary in Wickford on the Tuesday, alleging that he operated the IRC infrastructure used in the SOCA DDoS) illustrates the broader pattern. UK law enforcement has been substantially more responsive than the US equivalents in this campaign, and I think this is because SOCA's operational mandate and the Met's e-Crime Unit have been positioned closer to the technical end than the equivalent US arrangements. The US-side responses, the FBI's investigation of the Sony Pictures incident and the various Department of Justice noises, have been visibly slower.
On the engagement side, the LulzSec campaign has changed two things. First, the question "are we a LulzSec target" has been asked by every board I have spoken to since June. The honest answer is "you do not know, because LulzSec's target selection has been driven substantially by what they could find vulnerable in the moment rather than by pre-existing target lists". The defensive posture is therefore the same as the posture against any opportunistic external attacker: do the basics well, audit your web-application stack for injection flaws, look carefully at how authentication is implemented and how credentials are stored (plaintext password tables are exactly what made the Sony dump so damaging), and assume that any vulnerability detectable from outside will be found. Second, the publication-by-dump pattern, where compromise leads not to silent exploitation but to immediate public release of the exfiltrated material, has changed the cost calculus of breach response. The window between compromise and public exposure is now hours rather than weeks for high-profile targets. Communications planning has to be considerably faster than it used to be.
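As an added illustration of the two audit points above (this is example code written for this note, not code from LulzSec, Sony or any of the targets named, and the user table and passwords in it are constructed), the following shows the pattern that turns a single SQL-injection bug into a full credential dump, beside the hardened form. The vulnerable login concatenates user input into the query and reads from a table that stores passwords in plaintext, which is the combination LulzSec described at Sony; the hardened login uses a parameterised query and stores only salted PBKDF2 hashes, compared in constant time. The table and function names are hypothetical.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the in-memory database (hypothetical, not real data).
USERS = [("alice", "correct horse battery staple"), ("bob", "hunter2")]
ITERATIONS = 100_000


def _pbkdf2(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256 from the standard library)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def build_db() -> sqlite3.Connection:
    """Two schemas for the same accounts: plaintext passwords (the weak pattern)
    and per-user salted hashes (the hardened pattern)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (username TEXT, password TEXT)")
    conn.execute(
        "CREATE TABLE users_hashed (username TEXT, salt BLOB, hash BLOB, iterations INTEGER)"
    )
    for name, pw in USERS:
        conn.execute("INSERT INTO users_plain VALUES (?, ?)", (name, pw))
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO users_hashed VALUES (?, ?, ?, ?)",
            (name, salt, _pbkdf2(pw, salt), ITERATIONS),
        )
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Deliberately vulnerable: input is spliced into the SQL string.
    A username of  ' OR 1=1 --  matches every row and bypasses the password check."""
    query = (
        "SELECT username FROM users_plain WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(query).fetchall()]


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> list:
    """Same injection bug on a lookup endpoint. Because the backing table holds
    plaintext passwords, a UNION payload returns every password in one request."""
    query = "SELECT username FROM users_plain WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(query).fetchall()]


def hardened_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query (no string splicing) plus salted-hash verification.
    Even if the table leaks, only salts and iterated hashes are exposed."""
    row = conn.execute(
        "SELECT salt, hash, iterations FROM users_hashed WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return False
    salt, stored, iterations = row
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_pbkdf2(password, salt, iterations), stored)


if __name__ == "__main__":
    db = build_db()
    print("bypass:", vulnerable_login(db, "' OR 1=1 --", "wrong"))
    print("dump:", vulnerable_lookup(db, "x' UNION SELECT password FROM users_plain --"))
    print("hardened, same payload:", hardened_login(db, "' OR 1=1 --", "wrong"))
    print("hardened, real creds:", hardened_login(db, "alice", "correct horse battery staple"))
```

The point of pairing the two is that either fix on its own is insufficient: parameterising the query stops the bypass and the UNION dump, but a parameterised query over a plaintext table still hands the attacker every password the moment any other path to the database opens up, and hashing alone does nothing against an authentication bypass.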
Where this campaign sits in the longer history is something I will think about when there is more distance. The closest precedents are the Operation Payback work in December and the Operation Tunisia activity in January. Each represents a step in the operational maturation of activist-aligned offensive work. LulzSec has been less politically coherent than either of those, and at points has read as straightforwardly nihilistic, but the technical cadence has been higher, the public-relations sophistication greater, and the targets larger. If Anonymous-aligned operators sustain this cadence into the autumn, the implications for any organisation with a public web presence are operationally meaningful.
The next post will probably be the AntiSec dump as it gets fully analysed, or the next thing the Operation Anti-Security campaign does, depending which turns out to be more substantive. There is also a Murdoch-related newspaper hacking story that has been building over the past fortnight that I think may be more material than the press coverage so far has suggested — but that is for next week.