Anonymous’ ‘Operation Last Resort’ has published a new document revealing that the hacking collective has had an astonishing amount of access to The Fed’s internal files and servers.
The new attack is Anonymous’ response to the information security community’s anger at the Federal Reserve (”The Fed”) for its dismissive attitude and lack of transparency around Sunday’s emergency contact system hack.
Anonymous has compromised the Grand Banks Yachts Web site to host this new file—Grand Banks Yachts, Ltd.—which manufactures and sells luxury yachts worldwide.
The URL filename ominously reads, ”dorner-is-a-symptom-not-the-syndrome.”
The Anonymous ‘Operation Last Resort’ action last Sunday exposed over 4,600 bank executive credentials for The Fed’s expanding nationwide program, the Emergency Communications System.
The FBI has now begin to respond—at least to the bank hack—by opening a fresh criminal investigation into Anonymous ‘Operation Last Resort.’
— OpLastResort (@OpLastResort) 8 février 2013
The new document essentially shows that Anonymous had access to several of The Fed’s servers and internal documents.
Like everything we’ve seen so far in Anonymous’ ‘Operation Last Resort’ actions, the details of the hack appear to be symbolic.
The new attack’s filename refers to Christopher Dorner, an ex-LAPD police officer that killed three people, ”declared war on the LAPD” and is currently the target of a California state-wide manhunt.
Dorner published a lengthy manifesto to Facebook stating that his murderous mission—to avenge corruption within the LAPD that ruined his life—was his only remaining path to justice.
Despite Dorner’s public status as a fugitive and an alleged murderer, Dorner has been characterized by some Anons as ”an avatar of the man of conscience pushed to the point of desperate action.”
On Twitter, Anonymous’ ‘Operation Last Resort’ directed the latest drop to Veracode chief technology officer and L0pht alum Chris Wysopal, in an apparently friendly acknowledgment of the Veracode CTO’s analysis and comments about the technical details surrounding the recent Federal Reserve bank hack.
— OpLastResort (@OpLastResort) 8 février 2013
The new breadcrumb from Anonymous provides more clues into the Federal Reserve bank hack that resulted in the leaking of personal information of more than 4,600 bankers.
If it appeared that while Anonymous was tap dancing on the Department of Justice’s property as the federal authorities casually dismissed the serious attacks and exposures, the feds are now making a move.
Federal Reserve spokesman Jim Strader told the Reuters news agency yesterday: ””This incident is the subject of an active criminal investigation with the FBI and we cannot comment further.”
Reuters also reported that The Fed declined to comment on when the attack took place, how long it took for the breach to be discovered, and what type of system or vulnerability was exploited.
”The Fed statement on Thursday was its first explicit acknowledgment that it did not yet know the extent of the security breach,” the news agency said.
Infosec community serious; Feds cavalier attitude
It has been difficult to tell if the Justice Department or The Fed have taken the attacks seriously.
In contrast, the information security industry sees the attacks and exposures as very serious, and have loudly called on The Fed to reduce mounting harm by sharing key information about the attacks.
A Federal Reserve spokesperson told reporters that Anonymous’ claim to the hack’s importance was ”overstated,” yet information security professionals that serve financial institutions said the exact opposite—and were angry with the Federal Reserve for downplaying the incident.
Veracode’s Wysopal unpacked the hack and calls it ”a spearphishing bonanza,” and ”the most valuable account dump by quality I have seen in a while,” in a recent company blog post.
Wysopal’s post pointed out that while it was still speculative what the compromised vendor software was, the application on The Fed’s side that was exploited by Anonymous to gain access was programmed in Adobe ColdFusion.
Wysopal also suggested that the cost of the bank hack would be at least $1,137,929, based on average costs per financial services record breached. But he also believes a breach of this type will actually cost ”much, much more.”
There are several well-known security flaws in Adobe Systems, Inc.’s ($ADBE) ColdFusion suite.
In mid-January, just before the attack, Adobe had issued patches for several critical security flaws that allowed malicious access to restricted files and servers.
In the press release for the patch, Adobe stated:
This hotfix addresses vulnerabilities that could permit an unauthorized user to remotely circumvent authentication controls, potentially allowing the attacker to take control of the affected server… Adobe is aware of reports that four vulnerabilities (CVE-2013-0625, CVE-2013-0629, CVE-2013-0631 and CVE-2013-0632, referenced in Security Advisory APSA13-01) are being exploited in the wild against ColdFusion customers.
DailyTech wrote today: ”A 2012 audit at the Fed suggested that a monitoring system be put in place to review security at third-party systems. It’s possible the ECS system may fall under that category.”
”You have misjudged a sleeping giant.”
As the basis for this ‘Operation Last Resort’ campaign, Anonymous cited the recent suicide of hacktivist Aaron Swartz as a ”line that has been crossed.”
Anonymous’ comments states the campaign in retaliation for Swartz’s suicide, which many—including the Swartz family—believe was a result of overzealous prosecution by the Justice Department, and what the family deemed a ”bullying” use of outdated computer crime laws.
Today’s document release is the latest in an unprecedented display of access that Anonymous factions in ‘Operation Last Resort’ seem keen to display.
‘Operation Last Resort’ launched late evening on January 25 when Anonymous hacked the U.S. Sentencing Commission Web site and turned the site into a distribution hub for encrypted files.
‘Operation Last Resort’ called the files ”warheads,” named after each of the Supreme Court Justices, saying the files contained dangerously sensitive data—and that if there was not immediate action from the U.S. government for legal reform, Anonymous would make file decryption keys publicly available.
The federal authorities wrestled all weekend with Anonymous to try and regain control of the Web site, and were able to restore the site temporarily.
Anonymous had the last laugh on the afternoon of January 27 when it whimsically transformed the U.S. Sentencing Commission Web site into an interactive video game of ”Asteroids.”
At this time it is unknown why the new attack is hosted on the Grand Banks Yachts site, other than its ”Banks” name, perhaps in a symbolic tie to Sunday’s Fed bank hack.
Interestingly, Grand Banks Yachts chief executive and chief financial officer Peter Poli has a background in financial securities.
Before working for Grand Banks, Poli spent twelve years in the securities business, the last three of which as the chief financial officer for a Morgan Stanley subsidiary. He also oversees the yacht company’s IT departments.
The nod to fugitive and alleged murderer Chris Dorner may be a small detail. But—at least to me—it’s a riveting detail wherein Anonymous may be suggesting that the very system Dorner seeks to destroy is to blame for turning Dorner from proud patriot to lethal product.
Before the LAPD, Dorner had served in the U.S. Naval Reserves, where he earned a rifle marksman ribbon and pistol expert medal. Dorner had been assigned to a naval undersea warfare unit, various aviation training units, and took a leave from the LAPD and deployed to Bahrain in 2006 and 2007.
His Facebook manifesto read:
I will utilize every bit of small arms training, demolition, ordinance and survival training I’ve been given.
You have misjudged a sleeping giant.
The ‘Operation Last Resort’ video, posted Friday on the U.S. Sentencing Commission Web site, now has more than 1.38 million views at the time of writing. Still, two weeks after Anonymous took down the Web site, it remains ”under construction.”