After high-profile attacks on, among others, Nintendo, Sony, Bethesda, Codemasters and Minecraft, Keith Stuart looks into the motivations behind hacking groups like the Anyonymous collective and finds there’s both more and less to it than meets the eye.
They called it Titanic Takeover Tuesday. Over the course of several hours on 14 June, the hacker group Lulzsec orchestrated distributed denial of service (DDoS) attacks against three online games – Minecraft, Eve Online and League of Legends – as well as the gaming news site, Escapist.
The victims were knocked offline, websites went down, login servers collapsed, and via its Twitter feed, the culprit(s) reported on the chaos with undisguised glee.
Lulzsec is on a roll. Earlier this month the team broke into the Sony Pictures website and took the personal details of 1 million customers (although Sony later claimed it was closer to 40,000).
This was followed by a breach of Nintendo’s site, and then a more concerted onslaught against game publisher Bethesda. This time, Lulzsec kicked off with a DDoS attack, but when the inherent weakness of the system became clear, the team shifted into a more penetrative smash-and-grab raid.
A press release issued on the group’s website goaded: “After mapping their internal network and thoroughly pillaging all of their servers, we grabbed all their source code and database passwords, which we proceeded to shift silently back to our storage deck.”
And that’s besides their apparent attack against the CIA’s website, which they claimed to have brought down on Wednesday evening.
In the meantime, UK publisher Codemasters and the Gears of War series creator Epic Games have also had their websites compromised by unknown hackers. Some have blamed Lulzsec, but it is unlikely they were involved – they haven’t had a laugh about it on Twitter yet. Another group could well be at work out there.
So what is going on? And why is it happening now?
Hotz to trot
The answer to the latter question almost certainly lies with one company, Sony. Earlier this year, the consumer electronics giant brought a court case against hacker George Hotz, a leading light in the jailbreak community, for circumnavigating the security systems of the PlayStation 3 console and potentially opening the machine to pirated software.
The move generated considerable anger within the hacking underground, especially when Sony gained access to the IP addresses of visitors to George Hotz’ website.
Calling this move an “unforgivable offence against free speech and internet freedom” the hacker group Anonymous effectively declared a cyber-war on the company. Two weeks later, the PlayStation Network suffered a major intrusion, and the service was offline for more than a month.
Anonymous claimed not have been responsible, but it certainly helped put Sony on the hacking agenda. Lulzsec’s own campaign, wittily titled Sownage, kicked off in late April with the Sony Pictures attack.
Some theorise that Lulzsec is an offshoot of Anonymous, a splinter group tired of the politicising of the older organisation. It certainly carries the same anti-Sony resentment. A later hack was accompanied by the press release declaration: “Konichiwa from LulzSec, Sony bastards!”
Of course, the video games industry has faced hackers for many years, and the security systems of its consoles and web infrastructures have always faced attack. But this new wave is different.
“What Anonymous brought to the online party was the democratisation of hacking,” says Steve Gold, editor of Infosecurity magazine (and himself famous as a former hacker in more innocent times). “The collective developed various hacking tools, starting with a distributed denial of service package called LOIC (Low Earth Orbit Cannon) late last year. This allowed the Anonymous collective to automatically pool their computing power to wage attacks on companies the collective did not like – Sony, Visa, MasterCard etc.
“LulzSec is the natural evolution of the trend that Anonymous started – focused online hactivism. Its membership is born from the online gaming community, and guess what – they resent large corporations like Sony charging them for services and ‘ripping them off’ as they perceive it. So they stage collective hacking attacks. The collective decides on the targets, votes on it, and takes action.”
So what we have is a loose, decentralised group of like-minded computer users, who are almost impossible to track down (although hacker arrests in Holland, Spain, Turkey, the UK and US suggest that’s not completely impossible). They communicate via arcane forums and Internet Relay Chat, they use the anonymous site Pastebin to post images and “press releases”, and they speak through websites and Twitter accounts that will no doubt prove untraceable.
Cheekily, Lulzsec has even set up a phone line through which angry gamers and interested journalists are invited to talk to its “French elitists” whose given names are Pierre Dubois and Francois Deluxe. On Wednesday, it claimed to have 5,000 missed calls and 2,500 voicemails.
They’re self-publicists, in a sense, with a chaotic sense of humour – the group’s website plays the theme tune from 1970s series Love Boat, and their tweets are peppered with references to piracy (of the nautical rather than software kind). The group has a logo, a monocled gentleman, which reflects their self-consciously austere communications.
There are also interesting parallels here with the imagery used by Anonymous. In a YouTube video publicising that group’s war on Sony, a character on screen is dressed as V, the masked anarchist from Alan Moore’s dystopian comic book V for Vendetta. Here too, is the subversive mix of anarchy, historical allegory and twisted humour. In a way, Lulzsec has become a self-perpetuating graphic novel, an alternative reality game that’s somehow segued into real life.
But it isn’t a fiction and it certainly isn’t a game. “One of the attributes of hacker groups is a fairly firm understanding of what it is they believe in and what they don’t,” says Dr. Tim Watson, head of De Montfort University’s computer forensics and security group.
“As a hacking group you have to be both creative and precise in the work you’re doing with computer programming, and you tend to let that spill out into the rest of your life; you form views about what’s right and what isn’t. More than most social groups, these are ones that will embrace activism.
“If you look at groups like Anonymous and Lulzsec, only a small part of what they’re doing is with the games industry. With these particular groups, profile raising and publicity seeking activities is more likely to be about raising issues that they have concerns about. Just like journalists, hackers need to find a forum that’s going to connect with as many people as possible, and the sweet spot is gaming. Millions of people are connected online via games, and these aren’t like online banks: the security isn’t as good, yet you give them a lot of personal details.”
Indeed, it would seem that Lulzsec’s modus operandi is to raise awareness about lax security rather than to destroy games companies or steal and sell credit card numbers. After the raid on Bethesda, the group stated on its website that it would withhold from publication the personal details of more than 200,000 gamers: “We actually like this company and would like for them to speed up the production of Skyrim, so we’ll give them one less thing to worry about.”
Later, its DDOS attacks on Eve Online and Minecraft were designed to disrupt services rather than break them completely (“We didn’t hack any games,” went one tweet. “We just DDoS’d them with our not-to-be-messed-with Lulz Cannon.”)
So is Lulzsec a sort of vigilante group, out to secure online safety for gamers? Or is it just a laugh at the expense of gamers as they sometimes claim?
Certainly the Titantic Takeover Tuesday attacks had no altruistic motives (“let’s all laugh together at butthurt gamers” one Tweet on Tuesday night declared). Whatever the case, the organisation has highlighted the possibility of security deficiencies.
As Sanjay Sarathy of Vindicia, a company that creates billing systems for various games publishers, argues: “If what I’m reading is true, particularly about the second Sony breach in June, LulzSec are outraged at the poor security standards of game publishers. They’re quoted as saying, ‘Every bit of data we took wasn’t encrypted. Sony stored over 1 million customer passwords in plaintext, which means it’s just a matter of taking it.’ And this, just after millions of credit card numbers were stolen through Sony’s PlayStation Network in April.
“It’s mind boggling to think that a company like Sony is not meeting basic security standards. How is it possible, in the digital age, for corporate culture around security to be so lax? Whether we agree with the vigilante activity or not, the hackers have sent a lot of senior level-types back to double-check what level of security their business provides customers. This is outrageous – they should know, they should be sure their company is Level 1 PCI DSS compliant (Payment Card Industry Data Security Standard).”
Watson agrees, and predicts significant ramifications for games publishers. “We’re going to see – excuse the pun – some game-changing activity. The people running online games have realised now that security is a competitive advantage. If you’re trying to persuade someone to type in their credit card details in order to play a game, being able to say our game is safer than the next company’s is a selling point that’s on the public consciousness. So what we should see is what Lulzsec and Anonymous wanted all along, which is more secure environments for people to play safely online.”
The problem is, that hacker groups tend to mutate and evolve quickly and their impersonal, dislocated nature means keeping tabs on members – and their motivations – is all but impossible, even from the inside.
As Watson says: “The difficulty is, this is not a highly organised group that meets up in a room above a pub and comes up with a manifesto and a series of collective agreed beliefs. It’s much more of a cloud organisation – not just because they’re all on the internet, but because you may find two people within the organisation who will have remarkably different views.
“It’s like any organisation that strays into the public arena where governments get involved; if you think about something like CND [the Campaign for Nuclear Disarmament], for example, you may have fantastically well-meaning people who are trying to do the right thing, mixed in with terrorists and subversives. And of course, it’s far easier for infiltrators to come into groups like Anonymous or Lulzsec.”
Gold agrees: “What we are seeing is the true democratisation of the internet. The power is truly in the hands of users who are young, enthusiastic and pissed off. Instead of demonstrating, however, they cause trouble online. The danger with this is that – like demos, which can turn into riots – online trouble can escalate, especially if various political factions infiltrate the collective and quietly steer or even take control.
“The ,000 question, of course, is where the evolution of Anonymous and LulzSec ends. Like all collectives, as the authorities arrest one batch of malcontents, others step in to fill the breach. Furthermore, governments do not truly understand the rapid evolution that is happening on the internet.”
Presently, Lulzsec is laughing about infiltrating game sites and upsetting a few role-playing fans. But the group has also recently gained access to the US Senate website and then some passwords in the NHS.
If security is tightened within the games industry, and if Lulzsec can spin it into a success story, where do they go next? It might not be so benign; the darker forces within this ghostly democracy may win out.
And if it is not Lulzsec it will be a splinter group, or a rival looking to piggyback its way into notoriety. Today, this is a story about MMORPGs providing better customer security. Tomorrow? Who knows where hackers will get their lulz.
guardian.co.uk © Guardian News & Media Limited 2010