Activist groups purloined more sensitive information from organizations worldwide than any other kind of hacker during 2011, according to data Verizon received from the Secret Service, international law enforcement agencies and its in-house investigators.
The telecommunications giant on Thursday is expected to release a study showing that, while "hacktivist" attacks accounted for a relatively small number of cases, they extracted more than 100 million records. The activists' bounty was nearly double the spoils collected by money-driven professional hackers, according to a copy of the report reviewed by Nextgov.
Chris Porter, principal for Verizon's RISK Team and the report's co-author, said, "What they did with some of the personal information, especially with some of the companies they attacked and some of the employees at companies, is something called doxing," which refers to dumping online a victim's personal data, such as emails and phone numbers, to publicly ridicule or intimidate the target.
"They would try to get hashed password lists," that are encrypted, "and then they would crack those passwords and then check to see if those passwords were being reused by any individuals" in an effort to break into the targets' other accounts, he added.
The study's caseload includes 855 breaches that compromised 174 million records. Verizon did not name the organizations victimized or attribute the breaches to specific groups. "All but one of the large breaches (over 1 million records) this year were attributed to activist groups rather than financially-motivated agents," the authors wrote.
Although activists pulled off the heftiest breaches, the frequency of their hacks was limited compared to the sheer number of swindler exploits, the report states.
Among breaches perpetrated by outsiders, 96 percent were committed by people after monetary or personal gain; 29 percent were attributed to fun, curiosity or pride; and 1 percent was prompted by a personal offense. The activists, described as driven by "disagreement or protest," accounted for 3 percent of those compromises.
Many of the activist hacks in 2011 targeted major corporations and government vendors. For example, members of the hacktivist confederacy Anonymous procured about 60,000 e-mails from computer security contractor HBGary, according to court filings. Using information in the messages, the hackers were able compromise 80,000 user accounts inside a company-run online forum, as well as "dox" an HBGary Federal executive.
Both crooks and activists lifted personal information en masse, but for different reasons, the authors noted. "We did not see any fraud that took place by activist groups," Porter said.
A Global Problem
Hackers apparently are becoming more multinational, according to the findings. Victims were spread across a record 22 countries in 2010, but 2011 witnessed incidents expand to 36 countries.
It should be noted that, for the first time, the Australian Federal Police, the Irish Reporting & Information Security Service and the London Metropolitan Police contributed to the report, joining Verizon's own computer forensics division, the Secret Service and the Dutch National High Tech Crime Unit.
The study underscores several perennial human failings that aggravated breaches in 2011. In more than half of the cases, it took months, if not years, for victims to realize their customer data, intellectual property or other private information had been compromised. Eighty-five percent of the time it took authorities weeks or longer to discover breaches in 2011, up 6 percent from the previous year.
In 97 percent of the events, the breaches would have been avoidable through simple or intermediate controls, a 1 percent increase over the prior year. Organizations were unaware they had been overtaken until a third-party notified them in 92 percent of the cases, a 6 percent increase.
The method Verizon used to exchange intelligence while protecting the identities of victims is a model for public-private information-sharing, Verizon officials said.
Government authorities submitted incident data using a standard digital questionnaire, called Verizon Enterprise Risk and Incident Sharing, or VERIS, that asks only for general demographics, such as the size of an organization's workforce, number of IT staffers and industry type. The data amassed was wiped of any information that might identify organizations or individuals before it was provided to Verizon's research team for analysis, according to Verizon officials.
"When the Secret Service sends that information over to Verizon, we don't know that it took corrective measures for ACME organization," Porter said. "We get a lean picture of what's happening without having to share information that could potentially embarrass an organization."
Every year, Verizon adds elements to the VERIS form. This year, due to the popularity of BYOD, or bring your own (mobile) device to work, the survey inserted an item asking whether the targeted devices were employee-owned or corporate-owned. Only 1 percent of cases involved BYODs, according to the report.
Researchers also threw in a question to determine the attack trajectory of malicious software.
"Last year, we had 'installed' and 'injected' combined to describe how malware got into a system," Porter said. "It's important to understand the difference. In order to install something, you have to have access to it, whereas if you're injecting something you don't have to have access already."
Public-private partnerships are at the core of a battle over long-stalled cybersecurity reforms. The debate centers on forcing companies to share network security information that some fear may tarnish their brands.
"At the root of security is secrecy," Porter said. "The framework is designed to collect the bare information that you need that, in aggregate, can help with decisionmaking."