Hacktivism: The Short Life of LulzSec
Origins
LulzSec came onto the scene in 2011 after their first recorded hack against Fox.com's website. ‘Lulz’ stands for laughs while ‘sec’ is shorthand for security essentially meaning every time the attack, they are ‘laughing at your security’. They pulled ‘lulz’ from the pronunciation of the popular initialism ‘lols’. The founders, Hector Monsegur and Mustafa Al-Bassam were hackers in their own right before banning together to create LulzSec which at its peak only had a total of six confirmed members. Mostly, their high-profile hacks serve as a warning about security to their victims.
Mission
LulzSec often publicly shamed the networks they broke into with the intent of raising awareness about cybersecurity. Their mission seemed to be the mocking and embarrassment of company's security flaws. They didn’t attempt to steal and sell data or ransom it; they would publish information like phone numbers or email addresses with the goal of spooking companies into upping their security practices.
Members
The group has six notable members who sat at its core, likely the ones who made decisions on who to target and how. A man who went by Sabu acted as a leader of the group. He was later arrested for hacking charges and ended up working with the FBI to expose other members of LulzSec. Another member named Topiary is said to have run LulzSec’s Twitter account and media relations. He was also arrested and charged with conspiracy in 2012. Kayla/KMS, Tflow, Avunit, and Pwnsauce were all contributing members who publicly announced themselves as part of LulzSec.
Hacks
Their first hack against Fox.com focused on the site’s database and resulted in alterations to the company’s LinkedIn and Twitter profiles. They also released the personal information of around 73,000 X Factor contestants. You might be thinking that maybe this hack was a political statement or maybe a jab at big media? You would be wrong. This hack was on behalf of the rapper Common who had been recently criticized on Fox News. The group said that they were defending the famous rapper after he had been labeled as ‘vile’ by the news channel.
Their next hack, aimed at PBS, was in defense of WikiLeaks who we discussed last week. The hack came right after PBS aired a documentary called WikiSecrets, making their opinions on the controversial sight clear. In response LulzSec stole hundreds of PBS passwords. They also published a fake article on PBS’s site claiming that the rapper Tupac was still alive.
Another high-profile hack from 2011 targeted Sony after they took legal action against George Hotz, a well-known hacker, because he had been jailbreaking the PlayStation 3. Essentially jailbreaking allowed Hotz to install unauthorized games and apps as well as bypass other security restrictions. To take a stand against Sony, LulzSec published the personal passwords, e-mail addresses, birth dates, and home addresses of around 37,000 Sony account holders.
InfraGard, a non-profit affiliate of the FBI, also fell victim to a LulzSec hack when the group defaced their website and published several InfraGard employee’s email addresses along with a database of InfraGard members. LulzSec posted the message "LET IT FLOW YOU STUPID FBI BATTLESHIPS" to the company's website along with a video that shared this message:
“It has come to our unfortunate attention that NATO and our good friend Barrack Osama-Llama 24th-century Obama [sic] have recently upped the stakes with regard to hacking. They now treat hacking as an act of war. So, we just hacked an FBI affiliated website (InfraGard, specifically the Atlanta chapter) and leaked its user base. We also took complete control over the site and defaced it.”
A far less public hack led to LulzSec finding several security flaws in the British National Health Services Network. To help fix the issue, the group sent an email to administrators explaining the security problems and claiming that they ‘mean no harm.’
On June 15th of 2011 the group launched their most illegal hack yet. They launched a denial-of-service attack on the CIA website which resulted in the site being taken offline for over three hours.
That same month, LulzSec interrupted four gaming sites after launching their ‘Titanic Take-Down Tuesday’. More of a test of strength than anything, the day was spent attacking the sites of Minecraft, FinFisher (an IT company), The Escapist, Heroes of Newerth, and League of Legends. All of which were down for hours post-attack.
Their last major move as a group was to publicly partner with Anonymous, throwing their support behind the burgeoning group. Together they began declaring cyber ware fair on governments around the world by encouraging people to hack, steal, and publish the data of large corporations and governments.
Is it hacktivism
Most argue that LulzSec leaned toward real, illegal hacking more often than not. However, some say that they are an example of hacktivism because of their tendency to go after large companies or government as opposed to individuals. They also chose not to sell or ransom data like most other hackers. This could be one of the reasons for their quick demise. Without any source of funding the group only lasted a couple of years before disbanding. Most members, the ones that weren’t arrested, were absorbed into other hacking groups like Anonymous.
Arrests
The first arrest took place in Essex. The 19-year-old was an alleged but never confirmed member of LulzSec who was picked up on charges not associated with the group but his own hacking endeavors.
Next, and most notably, Ryan Clearly was arrested by British Police and later charged for a denial-of-service attack launched against Britain's Serious Organized Crime Agency. He claimed to be a member of the group, but LulzSec had already disbanded by the time he was charged.
Just after catching wind of the arrests the group quickly responded by cutting ties with each other and taking down their website, likely sensing that things would take a turn for the worse if they continued with their hacks. But soon after, the disbandment would prove to be useless seeing as most members ended up arrested and charged anyway for their own hacks unrelated to LulzSec.
