CIA website brought down by DDoS attack, LulzSec hackers claim responsibility

Filed Under: Denial of Service, Law & order, Vulnerability

The CIA website at cia.gov is currently inaccessible, having apparently fallen foul of a distributed denial-of-service (DDoS) attack by hackers.

CIA website down

Almost inevitably, fingers are pointing towards the notorious LulzSec hacktivist group who have made a name for themselves recently with a series of attacks against corporations, organisations and websites - sometimes forcing them offline, and on other occasions stealing personal information by exploiting security flaws.

A post to LulzSec's Twitter feed appears to confirm their participation in the attack:

LulzSec claims to be exposing security vulnerabilities in websites and organisations for "fun", but a poll conducted earlier today by Sophos discovered that many don't believe hacking and denial-of-service attacks to be a laughing matter:

There has been a long catalogue of attacks perpetrated by LulzSec in the last few weeks. For instance, earlier this month, LulzSec hacked into FBI affiliate InfraGard and exposed usernames, passwords and email addresses. The group also posted information about the US Senate's webservers earlier this week.

While some people think this is a fun game that can also help point out corporate security weaknesses, the truth is that companies and innocent customers are - in the worst cases - having their personal data exposed.

LulzSec logoThere are responsible ways to inform a business that its website is insecure, or it has not properly protected its data - you don't have to put innocent people at risk. What's disturbing is that so many internet users appear to support LulzSec as it continues to recklessly break the law.

Fortunately, the likelihood is that the attack against the CIA's website has not resulted in any sensitive information being stolen. But that's not to say that the attack is harmless. The CIA website is a primary method through which the agency communicates with the rest of the world, and it's not going to take kindly to being forced offline by hackers.

In case anyone's in any doubt, a denial of service attack, like that which appears to have hit the CIA website, is against the law.

With this new attack against the CIA website, you have to ask yourself if LulzSec has finally bitten off more than it can chew. After all, it has just poked a very grizzly bear with a pointy stick. LulzSec's cockiness may be its undoing.

Update: The CIA website is sporadically accessible again.

, , , , , ,

You might like

24 Responses to CIA website brought down by DDoS attack, LulzSec hackers claim responsibility

  1. Funny, I was just thinking the same thing.

    "With this new attack against the CIA website, you have to ask yourself if LulzSec has finally bitten off more than it can chew. After all, they've just poked a very grizzly bear with a pointy stick. LulzSec's cockiness may be their undoing."

  2. Hans Vollmer · 1233 days ago

    Why does it take hacking to point out points of weakness?

  3. german · 1233 days ago

    I'm surprised they weren't summarily arrested after the senate.gov hack, I'll be very surprised if they're not after this.

  4. patches53 · 1233 days ago

    The problem is that if they are able to arrest and or shut them down you can guarantee that there will be more to take their place and their methods will already be in the hands of others with similar intentions.
    I despair and get angry at the actions of these cretins.

  5. Bob · 1233 days ago

    Surprised? Do you know of a list of lulzsec members somewhere?

    They have to be found before they can be arrested ...

  6. echlinm · 1233 days ago

    I'm disappointed. Are these the same guys who last week grabbed databases and documents and emails? And now they are just doing DDoS?
    Either these sites were to hard to crack and they decided to just try to DDoS them (which is kind of like throwing a tantrum on finding the cookie jar empty), or they decided not to expose the deepest darkest secrets of the CIA OR it's not the same people doing the attacks.
    Now all week everyone has been boasting of the level of ability of these guys for breaking into places (why, the best they are reported to have done is sql-injection) so either the people bragging them up are wrong or it's not the same guys.
    Now they did do more than just break a few databases, although Sony made it easy on them these guys have done better in the past so I'm inclined to say either they let the junior members of the group have this one OR it's not the same people doing it. Lulz flavor of the week?
    But the news of their exploits and the coverage they have been getting has been reaching the people who need it. People are more security aware this week then they were last and while I don't condone the dumping of users passwords to the net in the overall tally what they have done has given us a positive result. (But that is just my 2 cents.)

  7. DDoS sucks. It's way too easy to achieve.

  8. They're hiding behind zombie computers in their botnet. So how do they determine who is controlling them? I wouldn't be surprised if they are using a zombie to control another zombie. No doubt all their actions are being made like this (even Twitter updates).

  9. Xalyx · 1233 days ago

    DDoSing doesn't expose any weakness, any site can be DDoS'd and it's nearly unpreventable.

  10. zzguardian · 1233 days ago

    Only one entity was ever allowed to poke a grizzly with a stick. That person was Steve Irwin. LulzSec is and never will be of Steve Irwin's caliber. That said, even with all of its failures, I'm sure the CIA has many more successes (we just don't hear about the successes). Plus the CIA has all those wonderful toys at its disposal along with the ability to ask it's buddies to join in on the fun (NSA, Darpa, etc). If the CIA screws up, we'll hear about it. If they don't, LulzSec (v1.0) will cease to function as any form of entity. Either way, the fireworks (or lack thereof) will make for good entertainment.

  11. Jim · 1233 days ago

    I teach English in a high school in Korea. My lesson today was having my students look at the CIA factbook and giver reports on certain countries. The factbook is good because of it's elementary English level, perfect for ESL students. I've had to scramble to make other plans

    The lulz have passed me by on this one.

  12. aaa · 1233 days ago

    Running ZmEu to find exploits isn't what I would consider hacking. Each of the sites they've taken down hasn't required a sophisticated attack, so, the lulz might refer to the fact that they're able to take down sites with minimal skill.

    lulz indeed.

  13. Jack Nickolson · 1233 days ago

    I still love LulzSec and i hope they hack everything possible including Sophos.

    P.S.
    CIA site is backup (and this is nothing new to them)

    Keep f'ing them up Lulz, your doing good :-)

  14. Huddy · 1233 days ago

    These pathetic hackers are cowards, nothing more. Let's not kid ourselves, they aren't performing some altruistic community service by exposing flaws in website security (although, those companies that claim to keep personal data safe should wake up!) they're simply thoughtless criminals hiding behind their monitors wreaking havoc for their own amusement.
    I truly hope the CIA, NSA, Interpol (whoever) come down hard on these misanthropes & they get what they deserve.

    • Not Huddy · 1191 days ago

      wow... haven't read the word "misanthrope" for a long time and your misuse and misunderstanding of the term is kinda amusing. especially since you use it in defense of the CIA and NSA... hilarious. what about a t-shirt that says:
      HUDDY SEZ: WAKE-UP! EXTERMINATE ALL MISANTHROPES!

  15. yawnr · 1233 days ago

    a bunch of lame-0 script-kiddies do some ddos!

    and?

    what exactly?

    yawn

  16. Lulzcow · 1233 days ago

    For the love of all that is good, stop calling lulzsec "hackers". They aren't hackers at all. They're skiddies at best who know how to packet flood. My 7 year old niece could use LOIC to packet flood someone.
    DDoSing is not hacking at all. Lrn2intllegent.

  17. The DDoS attacks appear to be some kind of PR stunt more than much else. They are making people talk about them and spread the word of them being a pain in the arse. Dont forget, these people are doing this for a laugh, no other reason.

    They are DDoS attacking various site just to wind people up, winding up gamers and governments alike.

  18. QueenLaLa · 1232 days ago

    "There are responsible ways to inform a business that its website is insecure, or it has not properly protected its data - you don't have to put innocent people at risk."

    One might argue that by not properly securing the information to begin with, it's actually the corporations getting hacked who are putting "innocent people at risk."

    Just playing devil's advocate here. But that seems like a pretty logical conclusion to me.

  19. Clash · 1232 days ago

    I can't tell the difference between the Lulz "hackers" and a bunch of miscreants that throw toilet paper at a house. Probably the same grade school mentality too, but eventually most of the kids that threw the TP grew up, too bad the same can't be said of Lulz. I guess they'll get their fifteen minutes of fame, just like Anonymous, and then be forgotten like so many others. They aren't doing anything special that merits recognition, their just riding on the coat tails of all the others before them.

  20. jnbrwn · 1049 days ago

    i once told a company their stuff was weak. never took my call again but fixed their site. screw'em i won.t call if their pants are on fire

  21. All right. LulzSec is accused of attacking government and corporations and "nnocent customers are - in the worst cases - having their personal data exposed."

    Now how about that:

    Government and corporations are accused of attacking terrorists while cutting on social benefits, censoring the internet and filming us 24/7 anytime, anywhere, exposing our personal lives. We´re getting sued for MILLIONS of dollars for sharing 20 songs, getting persecuted, arrested and extradited over petty copies of songs and movies. I buy songs and can´t transfer them to my OWN devices because I´ve reached "the maximum amount of sharing". How ridiculous is that?

    Dictatorships are hunting us down, torturing and killing internet users and activists.
    Plus: a few companies try to impose us SOPA, PIPA and ACTA to protect their interests against 1 BILLION users, instead of changing their business model and CHANGE THE JURASSIC COPYRIGHT LAW.

    And all of that with larger and larger popular support... OF COURSE. So how come that in the poll the supporters are minority? Especially considering their wild support on Facebook?

    That´s what is happening. It´s serious.

  22. Correction above: government and corporations are accused of using terrorism / war on terror as a shield to attack our civil liberties. This is the truth and reason behind all those cyber attacks.

    ++

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.