107

I'm not security literate, and if I was, I probably wouldn't be asking this question. As a regular tech news follower, I'm really surprised by the outrage of Anonymous (hacker group), but as a critical thinker, I'm unable to control my curiosity to dig out how exactly they are doing this? Frankly, this group really scares me.

One thing that I don't understand is how they haven't been caught yet. Their IP addresses should be traceable when they DDOS, even if they spoof it or go through a proxy.

  • The server with which they are spoofing should have recorded the IPs of these guys in its logs. If the govt. asks the company (which owns the server), don't they give the logs?
  • Even if it is a private server owned by these guys, doesn't IANA (or whoever the organization is) have the address & credit card details of the guy who bought & registered the server?
  • Even if they don't have that, can't the ISPs trace back to the place these packets originated?

I know, if it was as simple as I said, the government would have caught them already. So how exactly are they able to escape?

PS: If you feel there are any resources that would enlighten me, I'll be glad to read them.

[Update - this is equally appropriate when referring to the Lulzsec group, so have added a quick link to the Wikipedia page on them]

Rory Alsop
claws
  • They can't catch `Anonymous` because the name is appropriate - it's not a group of people, it's basically just like-minded individuals coming together without any real command structure for a cause they believe in. You can catch individual members (and they have), but because there *is* no group, you can't catch it. – Phoshi Feb 22 '11 at 12:00
  • @Phoshi that is, by definition, a group. Just an unstructured group. – Steve Feb 22 '11 at 13:35
  • @Steve; Well, yeah, at any one point there is an "Anonymous", but people join and leave freely with no record, and as all "investigation" is by definition reactionary, the singular group that made any attack no longer exists. You can, and they have, arrest individuals, but you can't catch a group that never stays consistent. – Phoshi Feb 22 '11 at 13:43
  • @Phoshi Anonymous IS a group with an organized hierarchy. They use lots of idiots and skiddies that want to play in the scene, but they do have leaders and a power structure. They can and have been caught, and were recently owned by ninja, search owned and exposed ninja hack squad (december issue) for more info. – mrnap Feb 23 '11 at 17:02
  • “this group really scares me.” – On the danger of getting political … but at the moment it should really be the enemies of “Anonymous” that should scare you. Anon are basically a bunch of punks. But the others … *they* are the real boogeymen. If Anon hadn’t hacked the HBGary emails … whoa! Grisham, Ludlum, Clancy … they’re nothing compared to that. – Konrad Rudolph Feb 23 '11 at 22:23
  • See also [Hackers at war: Web Ninjas, Anonymous, LulzSec - Computerworld Blogs](http://blogs.computerworld.com/18501/hackers_at_war_web_ninjas_anonymous_lulzsec) – nealmcb Jun 22 '11 at 04:45
  • And another: [Notorious Hacker Group LulzSec Just Announced That It's Finished](http://www.businessinsider.com/lulzsec-finished-2011-6) – nealmcb Jun 29 '11 at 03:08
  • @mrnap Anonymous is not a group with an organized hierarchy. It consists of people, and those people are free to do whatever they want. If a member wants to bark orders, they are free to do so, but nobody is obligated to listen to those orders. Similarly, some may be subservient, but only because they choose to be. The fact that there is little or no organization whatsoever is highly apparent when one looks at all of the infighting. Anonymous is no more organized than your average high school lunchroom. – Michael Aug 21 '11 at 03:19
  • Also, another argument might be made that, if the well-known members don't like you, they may kick you off their IRC server, and by doing so, "remove you from Anonymous" or some such thing, but the simple fact of the matter is that it's their IRC server, and you are free to have your own to do whatever you want on, while claiming to be "Anonymous." You could wear a Fawkes mask and take a dump in the middle of a busy intersection, and while the well-known members might not like it, they would have no right to claim that you are not "Anonymous." It's more of a label or state, not a group. – Michael Aug 21 '11 at 03:35
  • ArsTechnica had a couple of good articles on this. Most of the large cases involved turncoats giving out information. http://arstechnica.com/business/news/2012/03/turncoat-hackers-a-history-of-snitching-in-high-tech-dragnets.ars http://arstechnica.com/tech-policy/news/2012/03/stakeout-how-the-fbi-tracked-and-busted-a-chicago-anon.ars – Fabian Zeindl Apr 27 '12 at 21:53
  • I know this is an old thread, but I figured I'd throw in my 2 pence. One of the major reasons members of Anonymous have been caught is complacency or slip-ups on their behalf. It's exceedingly difficult to trace people through Tor, especially if they're doing a lot of their dirty work through compromised computers. Do a quick search for Anonymous Sabu, who recently got busted. He posted some stuff on Twitter from his home IP, because he switched off Tor by accident. The feds got the logs, he got caught. Security is hard to break, people aren't. – Polynomial May 21 '12 at 15:04
  • @Phoshi They aren't even "like-minded", just anonymous. – Salman von Abbas Apr 02 '13 at 11:11
  • Ars Technica just posted an article: "[How the FBI investigates the hacktivities of Anonymous](http://arstechnica.com/tech-policy/news/2011/08/exclusive-how-the-fbi-investigates-the-activities-of-anonymous.ars?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20arstechnica/index%20%28Ars%20Technica%20-%20Featured%20Content%29&utm_content=Google%20Reader)". It contains some information about how they go about tracing the members, and why it's hard. –  Aug 19 '11 at 14:55
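The question assumes that a spoofed source address still leads back to the sender. It does not: a forged source points at whoever really owns that address, so the only place a spoofed packet can be recognised is the provider edge that knows which prefixes were actually delegated to the customer behind a port. The following is an added example of that check (source-address validation in the spirit of BCP 38), not code from the question or any answer; the interface name, the customer prefix and the packet list are constructed for illustration.

```python
"""Source-address validation at a provider edge (ingress filtering, BCP 38 style).

Added example; it is not code from the question or any answer. The interface,
the customer prefix and the packet list are constructed for illustration.
"""
import ipaddress

# Address ranges that should never appear as a source on a customer-facing
# interface regardless of what the customer was assigned (constructed list:
# RFC 1918, loopback, link-local, "this" network, multicast and reserved).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


class EdgeInterface:
    """One customer-facing port and the prefixes delegated behind it."""

    def __init__(self, name, allowed_prefixes):
        self.name = name
        self.allowed = [ipaddress.ip_network(p) for p in allowed_prefixes]

    def classify_source(self, src):
        """Return 'ok', 'bogon' or 'spoofed' for a packet's source address."""
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in self.allowed):
            return "ok"
        if any(addr in net for net in BOGONS):
            return "bogon"
        # Routable but not delegated to this customer: the source is forged,
        # and any reply or trace-back would lead to the address's real owner.
        return "spoofed"


def filter_packets(iface, packets):
    """Split (src, dst) tuples into forwarded packets and dropped ones with a reason."""
    forwarded, dropped = [], []
    for src, dst in packets:
        verdict = iface.classify_source(src)
        if verdict == "ok":
            forwarded.append((src, dst))
        else:
            dropped.append((src, dst, verdict))
    return forwarded, dropped


# Constructed sample: the customer on port ge-0/0/1 was delegated 203.0.113.0/24.
CUSTOMER_PORT = EdgeInterface("ge-0/0/1", ["203.0.113.0/24"])
SAMPLE_PACKETS = [
    ("203.0.113.10", "198.51.100.5"),   # genuine customer traffic
    ("203.0.113.200", "198.51.100.5"),  # genuine customer traffic
    ("192.0.2.77", "198.51.100.5"),     # forged source that belongs to someone else
    ("10.0.0.5", "198.51.100.5"),       # private source: never valid on the Internet
]


def demo():
    """Run the filter over the constructed sample and return (forwarded, dropped)."""
    return filter_packets(CUSTOMER_PORT, SAMPLE_PACKETS)


if __name__ == "__main__":
    fwd, drp = demo()
    for pkt in fwd:
        print("forward", pkt)
    for pkt in drp:
        print("drop   ", pkt)
```

The point for the question is the third packet: from the victim's side it looks like it came from 192.0.2.77, and the logs the asker wants subpoenaed would name that address, not the sender. Only the edge port that saw it arrive from a customer who was never assigned that prefix can tell it is forged.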

12 Answers

70

My answer pokes at the original question. What makes you think that they don't get caught?

The CIA and DoD found Osama bin Laden.

Typical means include OSINT, TECHINT, and HUMINT. Forensics can be done on Tor. Secure deletion tools such as sdelete, BCWipe, and DBAN are not perfect. Encryption tools such as GPG and Truecrypt are not perfect.

Online communications were perhaps Osama bin Laden's biggest strength (he had couriers that traveled to far-away cyber-cafes using email on USB flash drives) and Anonymous/LulzSec's biggest weakness. They usually use unencrypted IRC. You'd think they'd at least be using OTR through Tor with an SSL proxy to the IM communications server(s) instead of cleartext traffic through an exit node.

Their common use of utilities such as Havij and sqlmap could certainly backfire. Perhaps there is a client-side vulnerability in the Python VM. Perhaps there is a client-side buffer overflow in Havij. Perhaps there are backdoors in either.

Because of the political nature of these groups, there will be internal issues. I saw some news lately that 1 in 4 hackers are informants for the FBI.

It's not "difficult" to "catch" anyone. Another person on these forums suggested that I watch a video from a Defcon presentation where the presenter tracks down a Nigerian scammer using the advanced transform capabilities in Maltego. The OSINT capabilities of Maltego and the i2 Group Analyst's Notebook are fairly limitless. A little hint; a little OPSEC mistake -- and a reversal occurs: the hunter is now being hunted.

atdre
  • I like this answer, and will vote it up in 2 hours (sorry reached my vote limit for the day:-) - it's a good point. Spanish and Turkish law enforcement have arrested people they say are members of Anonymous. However, as members don't necessarily know any other members it is not likely this will lead to all members being caught. Especially as members may be able to join at will - there is no 'membership' as such, so the group can continue as long as people claim to be in it. – Rory Alsop Jun 15 '11 at 21:03
  • @Rory: Any group with sufficiently many rogue agents/assets will no longer be a group that can maintain its own official goals, regardless of how members join. ESPECIALLY when members don't know other members through trusted-introducer models. Without registration, accreditation, and certification of members -- then who is to say that they are supporters or anti-agents of the cause, informants, or otherwise? – atdre Jun 15 '11 at 21:28
  • Strangely appropriate user pic. – StrangeWill Dec 15 '11 at 18:33
  • Truecrypt, if used correctly, is not perfect? What about hidden volumes? http://www.truecrypt.org/docs/?s=hidden-volume – Marek Sebera May 18 '12 at 17:28
  • This answer is somewhat misleading. Tools such as TrueCrypt, DBAN, et al. may not be theoretically perfect, but they're perfect enough to end any investigation trail 100% of the time. From what information we have, no one has ever exploited a fault in one of these two products in anything other than a carefully-controlled and limited academic setting. People get caught in the exact same ways that the attackers use to exploit their victims. – tylerl Sep 15 '12 at 21:41
  • @atdre Could you maybe link to the video if you still know where to find it? I would be much interested in watching it! – Kevin Jan 23 '15 at 14:57
  • @Kevin: pretty sure it was this one -- https://www.youtube.com/watch?v=EUhD0oFZAY8 -- but I'll follow up if not – atdre Jan 23 '15 at 22:01
  • @MarekSebera [Hidden volumes are not perfect](https://crypto.stackexchange.com/a/81020/18298) – kelalaka Dec 21 '20 at 00:51
43

From some experience with law enforcement and forensics, I can say one of the biggest issues is that ISPs really don't want to have to track users. Once they get beyond a certain level of management they lose 'common carrier' status and become liable for an awful lot of what their customers may do.

Also, many countries do not want to pass on information to another country - especially countries which may be opposed to western culture or western interference.

And it is extremely easy to hide almost anything on the internet.

Regarding your three points:

  • Server should have IP addresses - No - this is simple to spoof or erase
  • Private server - Not likely, although possible - but it wouldn't be their credit card used
  • ISP's trace - Not going to happen - it doesn't affect ISP's negatively, and is way too difficult

Update: It might happen after all - http://blogs.forbes.com/andygreenberg/2011/03/18/ex-anonymous-hackers-plan-to-out-groups-members/

Rory Alsop
  • Any server that is set up by a decent security professional would constantly mirror their logs to another server or servers, which makes them very difficult to erase by the attacker. Then again, any good attacker would never attack a box with their own IP. – mrnap Feb 23 '11 at 17:13
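The answer says server logs are "simple to spoof or erase", and the comment gives the standard counter: ship every log entry off-box as it is written. Two controls make erasure visible on the defender's side: hash-chaining the entries so a deletion or edit breaks the chain, and comparing the local file with the remote mirror. The following is an added example of both, not code from the answer or the comment; the records are constructed, and the "mirror" is a plain in-memory copy standing in for a remote log server.

```python
"""Tamper-evident logging: hash-chain entries and compare against an off-box mirror.

Added example, not code from the answer or its comments. The records are
constructed; `mirror` below is an in-memory stand-in for a remote log server.
"""
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the very first entry


def chain_entry(prev_hash, record):
    """Return (hash, entry): the hash covers the previous hash and this record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256((prev_hash + "\n" + payload).encode()).hexdigest()
    return digest, {"prev": prev_hash, "rec": record, "hash": digest}


def build_log(records):
    """Chain the records in order, as the logger would do at write time."""
    entries, prev = [], GENESIS
    for rec in records:
        prev, entry = chain_entry(prev, rec)
        entries.append(entry)
    return entries


def verify_chain(entries):
    """Return (ok, index): index of the first broken link, or -1 if intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        expected, _ = chain_entry(prev, e["rec"])
        if e["prev"] != prev or e["hash"] != expected:
            return False, i
        prev = e["hash"]
    return True, -1


def diff_against_mirror(local, mirror):
    """Records the mirror received but the local file no longer has."""
    local_hashes = {e["hash"] for e in local}
    return [e["rec"] for e in mirror if e["hash"] not in local_hashes]


def erase_entry(entries, idx):
    """Copy of the log with one entry deleted, as an intruder cleaning up would do."""
    return [e for i, e in enumerate(entries) if i != idx]


def alter_source(entries, idx, new_src):
    """Copy of the log with one record's source rewritten but its hash left as-is,
    the way a naive edit of the file would leave it."""
    copied = json.loads(json.dumps(entries))
    copied[idx]["rec"]["src"] = new_src
    return copied


# Constructed web-server events; the addresses are documentation ranges.
SAMPLE_RECORDS = [
    {"ts": "2011-02-22T11:58:01Z", "src": "198.51.100.23", "event": "GET /index.php 200"},
    {"ts": "2011-02-22T11:58:07Z", "src": "203.0.113.45", "event": "POST /admin/login 401"},
    {"ts": "2011-02-22T11:58:09Z", "src": "203.0.113.45", "event": "POST /admin/login 302"},
    {"ts": "2011-02-22T11:59:30Z", "src": "203.0.113.45", "event": "GET /admin/export 200"},
]


def demo():
    """Intact log, then three tampering scenarios, each checked both ways."""
    mirror = build_log(SAMPLE_RECORDS)               # every entry shipped off-box as written
    erased = erase_entry(mirror, 1)                  # failed-login line removed locally
    altered = alter_source(mirror, 2, "192.0.2.1")   # source address rewritten in place
    truncated = erase_entry(mirror, len(mirror) - 1) # only the newest line removed
    return {
        "intact": verify_chain(mirror),
        "after_erase": verify_chain(erased),
        "erased_records": diff_against_mirror(erased, mirror),
        "after_alter": verify_chain(altered),
        "altered_vs_mirror": diff_against_mirror(altered, mirror),
        "after_truncate": verify_chain(truncated),
        "truncated_records": diff_against_mirror(truncated, mirror),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two checks cover each other's blind spot, which is why the example runs both: deleting only the newest entry leaves the chain valid (there is no later link to break), but the mirror still has the record; rewriting a field in place keeps the entry's hash in the mirror's set, so the mirror comparison sees nothing, but recomputing the chain flags it. Neither check works if the mirror is reachable from the compromised host with write access, so the remote side should accept appends only.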
30

One of the most important aspects of an attack like this is covering your tracks. There are lots of different ways to do this, as it depends on the technology. To address your specific questions:

When they DDoS: If the flood was coming from their own machines, then it would be fairly easy to track them. The problem lies in the fact that they aren't using their own machines. They are either a) taking control of someone else's without permission, or b) getting someone to do it on their behalf. The latter is what happened with the Wikileaks attacks. People signed up to do it.

Things start getting hinky when servers are in countries that don't generally respond to requests for logs. If the company that is being attacked is in the US, it's fairly easy to get a court order if the attack can be proven to originate in the States. What happens if it's a US target, but the attack is originating in Russia or China? The same thing goes for purchase records.

As for being scared... there are quite a few of these sorts of groups out there. Most of them are (I don't want to say harmless, but...) harmless. In this particular case, someone poked the bear and the bear got pissed.

EDIT: Not that I condone their actions, blah blah blah.

Steve
20

In addition to the answers that have already been given, another reason it is so hard to catch anonymous is because anonymous can be anyone, literally. I mean this in two ways. First, hackers can use a combination of malware, spyware, and bots to access and use/loop through other people's computers anywhere in the world; thus, making any computer, theoretically, a point from which anonymous can work. Secondly, true to the name anonymous, any hacker, anywhere, using any method or style, using any random pattern of activity, can make their attack and call themselves anonymous. Thus, it is extremely difficult for a government/authority to track activity by pattern or style or signature, because it is always changing due to the varied nature of the attacks since it can, as I said before, literally be coming from anyone.

Essentially,

Anonymous is not one person... Anonymous is not one group...

Anonymous is anywhere and everywhere... Anonymous could be everyone or no one...

Unfortunately, that is the nature, uniqueness, and genius of the name.

Eli
17

There are NUMEROUS ways for a hacker to cover their tracks..

Here is one very generalized example:

A hacker can compromise a third party machine and use it to do attacks on the hacker's behalf. Because the system is compromised, the hacker can delete/modify logs. A hacker can also piggyback machines, such as, log into machine A, from machine A log into machine B, from machine B log into machine C, from machine C attack machine D, then cleanse the logs for machines C, B, then A making tracking the hacker more difficult.

This doesn't even take into account hacked internet accounts (so even if traced back they point to a different person), open proxies, etc etc etc..

I know the above isn't flawless, but like I said this is just a VERY VERY general example. There are many many ways to cover your tracks.

That said, what makes you so sure certain 3 letter agencies don't already know who many of them are, but don't make a move on them so that those individuals can lead them to others?

I'm sure others will chime in who can explain more thoroughly, but I think the ultimate lesson to be learned is to concern yourself less with specific hackers and hacking groups, and more with your own security. The fact that their latest claim to fame originated from something as TRIVIAL to fix as a SQL Injection vulnerability (which is nothing new, very well documented and understood) is a huge discredit to the unnamed "security firm" who was hacked. rant over

Purge
16

Well I responded to some posts above that had incorrect information, but I figured I should just post my own response to better explain.

Anonymous is made up of basically 2 subgroups:

  1. Skiddies (script kiddies) and newbies who have only the most basic security knowledge, and just sit in their IRC and basically be the pawns for the attack. These are the people whose doors the FBI was knocking down.

  2. Anonymous core leadership, a group with some hacking knowledge that owned hbgary, but also got owned recently by ninja hack squad. You won't be able to trace this subgroup unless you are a security guru.

How do they hide their tracks?

Like previous answerers mentioned,

  1. Through proxy servers like Tor
  2. by compromising boxes and launching attacks from those boxes (basically masquerading as that person's IP), or
  3. by using a VPN that's in a foreign country and keeps no logs. With the VPN, all your traffic is relayed through it so wherever you connect it can only track back the IP addy to the VPN itself and no further (unless the VPN is keeping logs in which case you shouldn't use it anyways).

Hope this helps clarify a bit.

forest
mrnap
  • Anonymous doesn't have *core leadership*. – Sparkie Feb 23 '11 at 17:41
  • @Sparkie I haven't had any involvement in "researching" anon on my own, and have no current investment in the situation one way or another. However, http://pastebin.com/LPHBuQys (owned and exposed issue 2) from 12/2010 seems to suggest that they do. Do you have more reliable info than that or are you just perpetuating the propaganda? :) – mrnap Feb 23 '11 at 22:32
  • Just to be clear. There may be groups with a hierarchy that call themselves anonymous and claim to speak on behalf of anonymous, and they may even be anonymous - but anonymous is not that group. Anonymous is anyone - you, me, the person next to you. There is no prerequisite to being anonymous other than being anonymous. You don't need an invite to create your own website, anonymously, and get other anonymous individuals to join your cause. Read Eli's answer. – Sparkie Feb 23 '11 at 23:34
  • Ah. I see what you are saying, and in theory I agree. However, the OP was specifically talking about the hacker group Anonymous and how "this group really scares me", which was a core group of leadership behind these exploits (see th3j35t3r's blog as well), so talking about the theory behind what anonymous means is pretty irrelevant in this context. – mrnap Feb 23 '11 at 23:42
  • It's not irrelevant. The "hacker group" you talk about is only one group, and there are others like it. You could be your own hacker anonymous group. The point is, if anyone managed to infiltrate and take down that group, they are not taking down Anonymous. Another Anonymous group will replace it. That's why it's impossible to take down anonymous. You can only take down a small part, and since there is no ultimate hierarchy, you can't dismantle the "structure" - there is none. – Sparkie Feb 23 '11 at 23:49
  • @Sparkie that small part would be the core leadership. It's not like there are tons of knowledgeable, organized groups in the hacker scene calling themselves "anonymous". Yes, anyone can do it, but in this case (see linked wikipedia article) it's basically one focused group. Again, Read th3j35t3rs blog for more info on what I'm talking about. Knowledgeable "anonymous" groups referring to themselves by that mantra don't just spring up overnight. In theory you're right, in implementation and this instance it's a different story. – mrnap Feb 25 '11 at 04:43
  • @mmap - It would be helpful if you could provide a specific post of th3j35t3r that provides evidence for this viewpoint. I'll just note that even if there is currently a single "core group" that uses the name Anonymous, there clearly are many others that also use the term, and when someone uses the term it isn't usually very easy to tell if they are knowledgeable, or a member of a core group, and that could change any time. And that seems more likely for folks using the term "anonymous" than for folks picking a more distinguishable name like "lulzsec", despite the new name of this question. – nealmcb Jun 22 '11 at 04:42
  • I've personally observed the operations of Anonymous on one of their IRC servers, and I'd have to agree with Sparkie here. A huge number of people on there aren't even script kiddies - they're bored teenagers with zero technical knowledge or skills. When one of the members that knows their stuff starts talking, the rest of the members immediately recognise that they're "in-the-know" and listen up. Anyone that sounds like they know what they're talking about can lead the swarm. There may be a core few who get the publicity, but the leadership and control really is ad-hoc. – Polynomial Feb 20 '12 at 16:34
11

The thing about a DDoS is that you use other people's IPs, not your own. It's relatively simple to become untraceable on the Internet -- just route your traffic through a host that is not keeping traffic logs. As someone who frequently has to try to track these people down, I can tell you what an impossible nightmare it is. Here's the pattern I frequently see:

  1. Select a relatively recent exploit in some web software package (e.g. joomla extension).
  2. Use google to find an appropriately vulnerable attack target
  3. From some location that can't be traced to you (e.g. coffee shop), execute the attack to gain control over the vulnerable server, but don't do anything else that would draw attention to yourself. (bonus points, fix the vulnerability so no one comes in behind you). Delete any logs that might trace back to your presumed location.
  4. Repeat the above, relaying your traffic through the previously compromised server. Repeat again several times until you're removed multiple steps from the machine that will be behaving as your proxy. Ideally these servers should be located in countries like China, India, Brazil, Mexico, etc., where datacenter techs tend to be uncooperative toward investigations, and should all be located in different countries so as to create jurisdiction and communication nightmares for the people trying to track you.

Congratulations, you're now anonymous on the Internet. It's a bit like Tor, except none of the nodes know they're participating. Usually these attackers set up and use backdoors on servers for which no logs or records are kept (since the backdoor presumably doesn't exist). Once the attacker disconnects, that link becomes permanently untraceable.

One hop drops your chances of detection dramatically. Two hops makes detection almost impossible. Three hops and it's not even worth the effort.

forest
tylerl
4

Maybe you should read this PDF. They are not so anonymous. The LOIC tool used for DDoS leaks the original IP of the person using it. You can use the browser (JavaScript) version of the same tool, maybe hiding behind Tor.

HBGary Federal exposed their names and addresses in that PDF. That is why they attacked his site and email, wiped his iPad, took over his Twitter, etc. Search the #hbgary hashtag on Twitter for more info on that.

forest
labmice
  • Actually, you are incorrect, HBGary is just a power hungry moron. Read this: http://www.wired.com/threatlevel/2011/02/spy/ – mrnap Feb 23 '11 at 17:01
  • You should also point out that the names "exposed" in the HBGary investigation and in that PDF were never confirmed. – jamiei Feb 23 '11 at 17:32
  • Good luck linking an IP address to a RL person and having it stick in court... It's so easy to anonymously connect to the Internet with nothing more than a WiFi equipped laptop... – Bruno Rohée Apr 23 '11 at 20:37
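The answer's point about LOIC is the general one: a flood tool that does not forge its source address leaves that address in the target's access log on every request, and pulling the offenders out is a matter of aggregating requests per source over short windows. The following is an added example of that defender-side aggregation, not code from the answer; the log lines are constructed in Apache combined format with documentation addresses, and the per-window threshold is an assumption chosen for the sample, not a recommended value.

```python
"""Find the hosts behind a non-spoofed HTTP flood in web-server access logs.

Added example, not code from the answer. The log lines are constructed in
Apache combined format; the window and threshold are assumptions for the sample.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Leading fields of the combined log format: source, ident, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (src, timestamp, request, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("src"), ts, m.group("req"), int(m.group("status"))


def requests_per_window(lines, window_s=10):
    """Count requests per (source, time-window) bucket; unparseable lines are skipped."""
    buckets = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, ts, _, _ = parsed
        buckets[(src, int(ts.timestamp()) // window_s)] += 1
    return buckets


def flood_sources(lines, window_s=10, threshold=5):
    """Sources whose peak request count in any one window exceeds `threshold`, busiest first."""
    peaks = defaultdict(int)
    for (src, _), n in requests_per_window(lines, window_s).items():
        peaks[src] = max(peaks[src], n)
    return sorted(((s, n) for s, n in peaks.items() if n > threshold), key=lambda x: -x[1])


# Constructed sample: one host fires eight requests at the front page in eight
# seconds while two others browse normally; one line is deliberately garbage.
SAMPLE_LOG = [
    f'198.51.100.77 - - [06/Feb/2011:10:00:0{s} +0000] "GET / HTTP/1.1" 200 512 "-" "-"'
    for s in range(1, 9)
] + [
    '203.0.113.5 - - [06/Feb/2011:10:00:03 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [06/Feb/2011:10:00:06 +0000] "GET /blog HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    "not a log line",
]


if __name__ == "__main__":
    for src, peak in flood_sources(SAMPLE_LOG):
        print(f"{src}: {peak} requests in one {10}s window")
```

Run over the constructed sample this names 198.51.100.77 and nothing else. What the example shows about the page's argument is the limit of the method: the address it recovers is that of whichever machine sent the requests, which is exactly why the answers above stress that the interesting attackers send from machines that are not their own.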
3

Several posts discuss the technical difficulties in finding the persons behind these groups. It is not at all easy to backtrack their activity when using many machines to create a sense of anonymity.

Another very important aspect is that the police, the intelligence communities around the globe and the different countries' legislation are not really constructed to handle these situations. So if you find a server in one country that has been used to hop to a server in another country, it takes too long to go through the proper channels to get the local police to get hold of the information. Even if you do, information such as logs is not always kept for longer periods of time.

It's easy to unlawfully hop around the Internet, but much much slower to hop around the Internet in a lawful way. This is a very prohibiting factor when trying to find these groups.

bengtb
1

Here is an article asking (and answering) just that very question from the Scientific American site posted this month. The short answer to the question is spoofing of source addresses and the use of proxies.

mvario
  • welcome to the site! Instead of just posting a link, can you add some summary or even quotes (IF the source site allows content to be copied). Please see the [FAQ], and also [answer]... – AviD Jun 15 '11 at 18:44
0

There is one thing that hasn't been mentioned yet: the human factor.

These groups do not have a hierarchy as such, instead they form around a set of ideas. Most of the time, the only idea in common is "the governments are wrong, we must do justice by hacking", which is probably a feeling that's only getting stronger, with the current pressure the US gov (itself pressured by corporations) is putting in other countries below the covers to pass draconian laws against free speech that could harm the aforementioned corporations.

So the great appeal here, especially by Anonymous, is that if you have the knowledge and hate the government (who doesn't?), you can join them by yourself and on your own account and risk.

In order to see where this thinking comes from, I recommend the movie/comic novel "V for Vendetta", from which they took that mask you see so often.

Some groups, of course, have much less heroic intentions. LulzSec was "all for the lulz".

The bottom line is that yes, they might get a few members of each group, but more will show up.

  • I think that greatly depends on the sentences that the ones that were recently caught get. It's one thing to wreak havoc knowing that nobody will ever get to you, another knowing the end of the road is 15 years in federal prison... – StasM Mar 20 '12 at 17:16
  • @StasM I think the actual hardcore hackers will be hired by the feds instead. They arrested a bunch of teenagers, I suspect they've actually arrested a few 4chan wannabes and trumpeted victory over the group not to look so lame. – Camilo Martin Mar 20 '12 at 17:24
0

Hackers can be caught, Anonymous cannot. Anonymous is such a loose collective that it is not materially hurt by law enforcement striking out at its individual hackers. However, it does respond violently against any organization that attempts to do so. This means

  • It's very hard to strike down Anonymous just by catching its members.
  • Anonymous will make life hard on anyone who tries.

All Anonymous has to do is continue to be "not worth the effort" to go after its members en masse and it will continue to be free. However, they play a dangerous game. If the public ever decides they are a sufficient nuisance, then it will suddenly be worth the cost to track down and catch its members, enduring the counter-hacks by Anonymous as they go.

Cort Ammon