recommended reading

Hacktivists snatch 100 million records in 2011

Petros Giannakouris/AP

Activist groups purloined more sensitive information from organizations worldwide than any other kind of hacker during 2011, according to data Verizon received from the Secret Service, international law enforcement agencies and its in-house investigators.

The telecommunications giant on Thursday is expected to release a study showing that, while "hacktivist" attacks accounted for a relatively small number of cases, they extracted more than 100 million records. The activists' bounty was nearly double the spoils collected by money-driven professional hackers, according to a copy of the report reviewed by Nextgov.

Chris Porter, principal for Verizon's RISK Team and the report's co-author, said, "What they did with some of the personal information, especially with some of the companies they attacked and some of the employees at companies, is something called doxing," which refers to dumping online a victim's personal data, such as emails and phone numbers, to publicly ridicule or intimidate the target.

"They would try to get hashed password lists," that are encrypted, "and then they would crack those passwords and then check to see if those passwords were being reused by any individuals" in an effort to break into the targets' other accounts, he added.

The study's caseload includes 855 breaches that compromised 174 million records. Verizon did not name the organizations victimized or attribute the breaches to specific groups. "All but one of the large breaches (over 1 million records) this year were attributed to activist groups rather than financially-motivated agents," the authors wrote.

Although activists pulled off the heftiest breaches, the frequency of their hacks was limited compared to the sheer number of swindler exploits, the report states.

Among breaches perpetrated by outsiders, 96 percent were committed by people after monetary or personal gain; 29 percent were attributed to fun, curiosity or pride; and 1 percent was prompted by a personal offense. The activists, described as driven by "disagreement or protest," accounted for 3 percent of those compromises.

Many of the activist hacks in 2011 targeted major corporations and government vendors. For example, members of the hacktivist confederacy Anonymous procured about 60,000 e-mails from computer security contractor HBGary, according to court filings. Using information in the messages, the hackers were able compromise 80,000 user accounts inside a company-run online forum, as well as "dox" an HBGary Federal executive.

Both crooks and activists lifted personal information en masse, but for different reasons, the authors noted. "We did not see any fraud that took place by activist groups," Porter said.

A Global Problem

Hackers apparently are becoming more multinational, according to the findings. Victims were spread across a record 22 countries in 2010, but 2011 witnessed incidents expand to 36 countries.

It should be noted that, for the first time, the Australian Federal Police, the Irish Reporting & Information Security Service and the London Metropolitan Police contributed to the report, joining Verizon's own computer forensics division, the Secret Service and the Dutch National High Tech Crime Unit.

The study underscores several perennial human failings that aggravated breaches in 2011. In more than half of the cases, it took months, if not years, for victims to realize their customer data, intellectual property or other private information had been compromised. Eighty-five percent of the time it took authorities weeks or longer to discover breaches in 2011, up 6 percent from the previous year.

In 97 percent of the events, the breaches would have been avoidable through simple or intermediate controls, a 1 percent increase over the prior year. Organizations were unaware they had been overtaken until a third-party notified them in 92 percent of the cases, a 6 percent increase.

The method Verizon used to exchange intelligence while protecting the identities of victims is a model for public-private information-sharing, Verizon officials said.

Government authorities submitted incident data using a standard digital questionnaire, called Verizon Enterprise Risk and Incident Sharing, or VERIS, that asks only for general demographics, such as the size of an organization's workforce, number of IT staffers and industry type. The data amassed was wiped of any information that might identify organizations or individuals before it was provided to Verizon's research team for analysis, according to Verizon officials.

"When the Secret Service sends that information over to Verizon, we don't know that it took corrective measures for ACME organization," Porter said. "We get a lean picture of what's happening without having to share information that could potentially embarrass an organization."

Every year, Verizon adds elements to the VERIS form. This year, due to the popularity of BYOD, or bring your own (mobile) device to work, the survey inserted an item asking whether the targeted devices were employee-owned or corporate-owned. Only 1 percent of cases involved BYODs, according to the report.

Researchers also threw in a question to determine the attack trajectory of malicious software.

"Last year, we had 'installed' and 'injected' combined to describe how malware got into a system," Porter said. "It's important to understand the difference. In order to install something, you have to have access to it, whereas if you're injecting something you don't have to have access already."

Public-private partnerships are at the core of a battle over long-stalled cybersecurity reforms. The debate centers on forcing companies to share network security information that some fear may tarnish their brands.

"At the root of security is secrecy," Porter said. "The framework is designed to collect the bare information that you need that, in aggregate, can help with decisionmaking."

Threatwatch Alert

Credential-stealing malware / User accounts compromised / Software vulnerability

Android Malware Infects More than 1M Phones, Adds 13,000 Devices a Day

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.


When you download a report, your information may be shared with the underwriters of that document.