Researcher Links anonops.ru IRC with Cyber Criminals

In late December a Senior Threat Researcher with McAfee, Francois Paget, raised questions regarding the relationship between purported elements of the Anonymous movement and suspected Russian cyber criminals in a post on the McAfee Labs' blog site.

Paget outlined the series of events that began with attacks on the WikiLeaks site claimed by the hacktivist The Jester in late November and culminated with the distributed denial of service (DDoS) attacks against Bank of America by Anonymous.

Through analysis of the chain of events, Paget noted that the infamous Heihachi.net, which he refers to as "a den of criminals", had become associated with Anonymous activities via the establishment of the anonops.ru IRC.

Paget's December analysis is as follows:

  • The Anonymous group claims to have stopped DDoS attacks
  • The security community sends an alert about a suspicious WikiLeaks mirror site hosted on the dangerous Heihachi.net (a den of criminals)
  • Spamhaus suffers DDoS attacks but says neither LOIC nor LOIC-like tools are involved in the attacks
  • In some semiprivate forums AnonOps members deny responsibility
  • A new Anonymous communication network is created in Russia. Ten or so IRC servers are linked to the same Heihachi.net.
  • One of these IRC servers, irc.anonops.ru, drove #operationBoA

Paget followed up his earlier assertions with an article posted Wednesday on the McAfee Labs blog site, in which he outlines further evidence supporting his conclusion that there may indeed be links between hacktivists and cyber criminal networks.

Paget lists the IP addresses linked with anonops.ru and their McAfee email reputations:

  • 92.241.190.202: High Risk
  • 92.241.190.228: High Risk
  • 88.198.135.228: Minimal Risk
  • 178.162.238.112: High Risk
  • 78.47.219.50: Minimal Risk
  • 86.59.36.242: High Risk
  • 85.17.103.23: Minimal Risk
  • 109.70.3.24: High Risk
  • 69.65.55.22: High Risk
  • 94.102.49.200: Medium Risk
  • 109.235.53.142: Unverified
  • 77.91.227.233: High Risk
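A defender reading the list above would most likely want to turn it into a watchlist and check their own outbound connection records against it. The following Python script is an added example, not part of the article or of McAfee's work: it embeds the twelve addresses and reputation tiers exactly as Paget lists them, parses a few constructed flow records (the timestamps, internal hosts and the 203.0.113.9 control address are invented), and ranks any match by reputation tier. The choice of 6667 and 6697 as IRC ports is an assumption of the example, not something the article states.

```python
"""Match outbound connections in constructed flow records against the
anonops.ru IP list and the McAfee email reputation tiers quoted in the article."""
import ipaddress
from collections import Counter

# Reputation tiers copied from the article's list (Paget's McAfee email reputations).
ANONOPS_REPUTATION = {
    "92.241.190.202": "High Risk",
    "92.241.190.228": "High Risk",
    "88.198.135.228": "Minimal Risk",
    "178.162.238.112": "High Risk",
    "78.47.219.50": "Minimal Risk",
    "86.59.36.242": "High Risk",
    "85.17.103.23": "Minimal Risk",
    "109.70.3.24": "High Risk",
    "69.65.55.22": "High Risk",
    "94.102.49.200": "Medium Risk",
    "109.235.53.142": "Unverified",
    "77.91.227.233": "High Risk",
}

# Ranking of the tiers named on the page, highest concern first (example's own ordering).
RISK_ORDER = {"High Risk": 3, "Medium Risk": 2, "Unverified": 1, "Minimal Risk": 0}

# Assumption: standard plaintext and TLS IRC ports, used only to annotate hits.
IRC_PORTS = {6667, 6697}

# Constructed sample flow records: "<timestamp> <src_ip> <dst_ip> <dst_port>".
SAMPLE_FLOWS = """\
2011-01-06T20:01:12Z 10.0.0.15 92.241.190.202 6667
2011-01-06T20:02:44Z 10.0.0.15 88.198.135.228 6667
2011-01-06T20:03:10Z 10.0.0.21 203.0.113.9 443
2011-01-06T20:05:57Z 10.0.0.33 109.235.53.142 6697
2011-01-06T20:07:01Z 10.0.0.15 92.241.190.202 80
"""


def parse_flow(line):
    """Split one record into fields, rejecting malformed addresses early."""
    ts, src, dst, port = line.split()
    ipaddress.ip_address(src)  # raises ValueError on garbage
    ipaddress.ip_address(dst)
    return {"ts": ts, "src": src, "dst": dst, "port": int(port)}


def classify_flows(text):
    """Return every flow whose destination is on the watchlist, worst tier first."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        reputation = ANONOPS_REPUTATION.get(flow["dst"])
        if reputation is None:
            continue
        flow["reputation"] = reputation
        flow["irc"] = flow["port"] in IRC_PORTS
        hits.append(flow)
    # Highest-risk tier first, then chronological within a tier.
    hits.sort(key=lambda f: (-RISK_ORDER[f["reputation"]], f["ts"]))
    return hits


def summarize(hits):
    """Count matched flows per reputation tier."""
    return Counter(f["reputation"] for f in hits)


def hosts_contacting_high_risk(hits):
    """Internal hosts that reached a High Risk address; the triage queue."""
    return sorted({f["src"] for f in hits if f["reputation"] == "High Risk"})


if __name__ == "__main__":
    matched = classify_flows(SAMPLE_FLOWS)
    for f in matched:
        tag = "irc" if f["irc"] else "non-irc"
        print(f'{f["ts"]} {f["src"]} -> {f["dst"]}:{f["port"]} [{f["reputation"]}, {tag}]')
    print(dict(summarize(matched)))
    print("high-risk talkers:", hosts_contacting_high_risk(matched))
```

Note that a hit is raised on the destination address alone; the IRC-port flag only annotates it, since a Minimal Risk tier on the same list shows reputation and role are separate questions.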

Paget goes on to examine other evidence, including some IRC chats and their relationship to subsequent DDoS attacks against government sites in Zimbabwe.

Rounding out his latest post, and given the weight of the available evidence, Paget again asserts that there may be organized criminal elements involved with some of the operations attributed to the Anonymous movement.

What is not known is whether the association is condoned by the original Anonymous activists, referred to by Paget as the Failship IRC team, or if the international gathering of script-kiddies has been infiltrated to some degree.

Paget states:

"Whenever a big event occurs around the world (earthquake, celebrity death, popular feast day, etc.) cybercrime jumps at the chance to exploit it. And this appears to be the case with WikiLeaks and Anonymous. What an opportunity for criminals to take advantage of a volunteer army eager to take part in a struggle!"

"Are the individuals managing anonops.ru the same as those running operations leakspin, paperstorm, black face, bling, and anonymiss?"

Sources: 

http://blogs.mcafee.com/mcafee-labs/don%E2%80%99t-confuse-anonymous-with-a-russian-gang

http://blogs.mcafee.com/mcafee-labs/anonymous-hacktivists-may-have-cybercrime-link
