Can Anonymous Cripple Critical U.S. Infrastructure?

Homeland Security says Anonymous can cause DDoS attacks, but says chance of attack on scale of Stuxnet is slim.

10 Companies Driving Mobile Security (click image for larger view and for slideshow)
Does the hacktivist collective known as Anonymous pose a threat to the nations critical infrastructure security?
According to a recent government report, the group may well be able to launch a
distributed denial of service
attack against critical infrastructure. But the likelihood of Anonymous developing bespoke critical infrastructure attacks--on par with
Stuxnet
--is slim.
The Department of Homeland Security (DHS) study, Assessment of Anonymous Threat to Control Systems, evaluated the groups potential to disrupt the critical infrastructure. A copy of the four-page report, marked as unclassified but for official use only and dated September 16, 2011, was
published
on Monday by the Public Intelligence website.
[ The Feds are moving aggressively to bust hackers. Read
FBI Busts Suspected LulzSec Hacker In Sony Breach
]
The reports creation was spurred in part by a July 19 post on Twitter by a known Anonymous member, which listed a directory tree for Siemens SIMATIC control system software. This is an indication in a shift toward interest in control systems by the hacktivist group according to the government report.
The report noted that Anonymous has also called on its members to target energy companies. In addition, a
Pastebin post
made on July 11, detailed an attack against biotech seed producer--and control system user--Monsanto. Signed with the Anonymous tagline expect us, the post claimed that Monsantos Web infrastructure had been disabled for two days, and its email servers disabled for three days, and that attackers had stolen data on 2,500 company employees and business partners. According to news reports, Monsanto confirmed that its servers had been attacked.
The so-called
critical infrastructure
refers to the nations communications, energy, finance, food, government, health, transport, and water providers. Despite
recent discussion
on the part of lawmakers and government agencies about the extent to which the
government should be involved
in protecting that critical infrastructure, its currently controlled almost entirely by private businesses.
Furthermore, according to a survey of those businesses conducted last year by Symantec, half said theyve seen
politically motivated attacks
against their networks. But such attacks seemed to focus on intelligence-gathering or stealing intellectual property, rather than disrupting their control systems outright.
Despite the rise of hacktivist groups such as
Anonymous and LulzSec
, the DHS report said that threats to control systems dont seem to have increased. Notably, it said, all information released publicly by Anonymous shows no indication of exploitation capability when it comes to control systems. Of course, members of Anonymous could study up on control system software, and develop malware aimed at disabling control systems. However, the lack of centralized leadership/coordination and specific expertise may pose challenges to this effort, according to the report.
Despite some Anonymous-related chatter over control systems, would the group really bother to attack critical infrastructure, or design the required malware? You have to think of intent: Whats the ultimate goal of Anonymous? Is it to cause massive damage to our critical infrastructure? It doesnt seem to be, said Eric Knapp, director of critical infrastructure markets for security intelligence and event management vendor NitroSecurity, in an interview.
The DHS report does, however, warn that even if Anonymous doesnt pose a risk to control systems, all businesses with Internet-connected control systems should ensure that theyre protected. There are control systems that are currently accessible directly from the Internet and easy to locate through Internet search engine tools and applications, according to the report. These systems could be easily located and accessed with minimal skills in order to trespass, carry out nefarious activities, or conduct reconnaissance activities to be used in future operations.
Knapp notes that the moral of the story is that if youre operating a critical network that includes a control system, you need to secure and separate it from access, as much as possible, but also secure it, because there are threats out there aside from Anonymous, such as disgruntled insiders, or outside parties.
But since Stuxnet, he said that businesses that run critical infrastructure are much more aware of threats to and security risks involving control systems. Everybody is at least thinking about it, and thats good, he said. Stuxnet has been out there, and a lot of the code is available, so the probability of a Stuxnet-type attack occurring is not science fiction. Its not terribly difficult to do. So [businesses] have to be thinking about how to improve their security, and they are.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps