The anarchistic hacker group LulzSec formed, attacked websites around the world and announced its breakup all within two months — demonstrating the speed with which cybersecurity threats develop in the Internet age.
Since emerging in May, LulzSec has:
• Decrypted and published the login names, passwords and other personal information of members of the FBI’s private sector partnership organization Infraguard.
• Broken into NATO’s online electronic bookstore.
• Posted confidential documents from a half-dozen foreign governments.
• Briefly taken offline the websites of the CIA and Britain’s Serious Organized Crime Agency.
Last week, the group — apparently less than a dozen strong — posted hundreds of internal documents stolen from the Arizona State Police computer network, including the home addresses of several officers and their families.
Cybersecurity experts tell The Washington Times that copycat groups already are emerging all over the world, that the hacker tools they use are widely available and that LulzSec’s nihilistic mindset will continue spreading.
“It’s the idea behind it that will be picked up,” said David Marcus, director of security research for McAfee Labs, noting that LulzSec lookalikes already have been founded in Brazil and Spain. “It’s hard to fight an idea.”
The group has used the slogan, “Laughing at your security since 2011,” and derives its name from “security” and the Internet term “lulz,” which means “loads of laughs.” LulzSec also has 280,000 followers on Twitter.
The group’s objective has been “basically to laugh at you and embarrass you about your poor security,” Mr. Marcus said. “They’re very hard to categorize.”
“We like crushing things; we like inside info,” wrote a member using the name Espeon about the group’s philosophy during an internet chat with a security executive whose firm LulzSec had hacked. The group later published a purported transcript of the exchange.
LulzSec last week issued a statement saying it was disbanding out of “boredom.”
Mr. Marcus said the group “crossed a line” in posting the home addresses and phone numbers of Arizona Department of Public Safety officers and their families. “That’s not funny, that’s not ’lulzy,’ ” he said. “If you want to protest, protest. But that is putting people in danger.”
Many of the group’s attacks have used relatively simple methods, including SQL injection, in which hackers exploit very widespread and easily discoverable software security flaws to take control of websites’ databases.
Rival hackers have “accused them of using lame hacks, but that’s missing the point,” Mr. Marcus said. ” ’Hactivism’ is about the message, not the method.”
LulzSec’s success, he said, has stemmed partly from its “agility at finding which sites have which vulnerabilities they can exploit.” It also has been “very adept at media manipulation” and has picked headline-grabbing targets such as the CIA’s public website, which was taken offline for three or four hours in early June, he added.
The FBI declined to comment on any investigation of LulzSec, but one 19-year-old man has been arrested in Britain, and Mr. Marcus predicted more arrests in the coming weeks or months.
“You can’t thumb your noses at this number of intelligence and law enforcement agencies all over the world and expect to get away with it,” he said.
• Shaun Waterman can be reached at 123@example.com.
Please read our comment policy before commenting.