Thirteen alleged hackers labeling themselves with the Anonymous brand were indicted on Thursday on charges that they conspired to coordinate distributed denial of service (DDoS) attacks against websites that included the Recording Industry Association of America (RIAA), Visa, MasterCard, and The Motion Picture Association of America (MPAA).
The indictment, handed down by a grand jury, was filed in US district court in Alexandria, Virginia, and charged the 13 with conspiracy to intentionally cause damage to protected computers by launching the attacks.
As The Register’s John Leyden reported after the initial attacks in September 2010, Operation Payback actually started out, as its name implies, as a tit-for-tat move.
Anonymous initially launched the operation in retaliation against DDoS attacks unleashed by Aiplex Software – a firm hired by several Bollywood companies to launch DDoS attacks on sites hosting BitTorrent trackers that had failed to respond to takedown notices.
The attacks, which were carried out from September 2010 to January 2011, started as an effort to support such file-sharing sites.
They then evolved to back WikiLeaks and its founder, Julian Assange, and to take down the financial sites such as MasterCard that had cut off WikiLeaks’ funding.
The hackers’ tool of choice, Low Orbit Ion Cannon (LOIC), is apparently a favorite among those who label themselves Anonymous.
Sophos’s Vanja Svajcer wrote up this detailed analysis of LOIC back in December 2010.
In the indictment, prosecutors outlined how simple it was for the hackers organizing the operation to launch one such attack, against the MPAA.
On or about September 16, 2010, a member of the conspiracy posted a flier advertising the MPAA attack on a web bulletin board.
The flier announced:
We target the b*stard group that has thus far led this charge against our websites, like The Pirate Bay. We target MPAA.ORG! The IP is designated at [IP address], and our firing time remains THE SAME.
The flier provided the location at which co-conspirators could download the LOIC tool, and gave instructions so as to unleash the attack as “a calm, coordinated display of blood.”
The indictment names 13 hackers, but thousands more participated in the attack by simply clicking on Web links that downloaded LOIC and temporarily turned their computers into what the New York Times called “a digital fire hose aimed at each victim,” which, in this case, were the targeted websites, including Visa.com and MasterCard.com.
The 13 people charged range in age from 21 to 65 and hail from 13 different US states.
As Svajcer pointed out, participation in DDoS attacks is illegal in many countries, and anybody who accepts an invitation to partake in one runs a serious risk of having the law come down on them hard and fast.
As arrests and indictments such as this most recent one show, attackers’ source IP addresses inevitably end up in a targeted site’s log files.
After that, all that law enforcement requires is the cooperation of an internet service provider (ISP) to track down willing participants in a DDoS.
It only takes a moment to click on a link, but the payback for Operation Payback is promising to be far more onerous for those 13 and for whomever else prosecutors drag into court.