While working on several articles on the WannaCry attacks for my job as a cybersecurity journalist, I learned about LulzSec, which ranked among the most notable attacks of the 2010s. I wanted to find out more about the group that committed major cybersecurity attacks on many household-name companies over a chaotic 50 days in 2011.
The group’s impact wasn’t as immediately apparent as the impact of WannaCry, but studying what happened can teach us about threat actors’ motivations and methods. In the years since the incident, there have been a number of copycat attacks that imitate LulzSec’s, using memes, public relations, social media and other attention-getting tactics as part of their overall strategies.
Cyberattacks that insult and embarrass companies
It started in early May 2011 with Fox News criticizing the rapper Common. In response, a newly formed group of six people who referred to themselves as LulzSec hacked into Fox.com. They then leaked private information about “X Factor” contestants — more than 73,000 names and profiles, reported The Guardian. And in a style that would be a hallmark of their attacks, LulzSec sent a message: “We don’t like you very much. As such, we cordially invite you to kiss our hand-crafted crescent fresh asses.”
This first attack set the stage and made it clear that the public-facing side of these attacks would be different from many cyberattacks that came before. It started with the group’s publicly proclaimed motto: “This is the Internet, where we screw each other over for a jolt of satisfaction.” Instead of focusing on monetary gain or stealing personal information to use for fraud, these attackers seemed to want to embarrass companies by finding vulnerabilities (though that likely wasn’t much consolation for those whose information was actually compromised). The group also showboated and added insult to injury with mocking tweets and memes directed at the companies they attacked.
After stealing bank account details from over 3,100 ATMs in the UK on May 15, LulzSec hit Sony Japan on May 23 and fired off many of what would become their best-known tweets. One tweet was sent during an attack, saying, “Hey @Sony, you know we’re making off with a bunch of your internal stuff right now and you haven’t even noticed?? Slow and steady, guys.” And just in case there was any question about their motives, LulzSec explicitly stated in a tweet after their attack on Sony that they “just want to embarrass Sony some more”.
Laughing at cybersecurity
LulzSec was a small group of hackers, created as a subset of the Anonymous hacker group, who picked the name Lulz as a reference to “lol,” meaning laughing out loud, and “Sec” for security. One of the group members, referred to as Whirlpool, gave several interviews and said that the group was not looking for attention or notoriety. In an interview with Forbes, he said: “We like making people laugh. We’ve got a lot of energy to do it with.”
LulzSec used a mixture of different attack types in their efforts. Many of the incidents were denial-of-service attacks, which kept people from using their credentials to gain access to corporate servers. The group also exploited SQL injection vulnerabilities to gain access to and steal information, such as the personal information of the X Factor contestants. However, it’s often overlooked that the group also used cross-site scripting (XSS) and remote file inclusion (RFI) attacks.
PBS, the FBI and the informant
Anonymous-affiliated hacker groups often publicly presented their activities as “retribution” for issues related to WikiLeaks or “internet freedom”. In accordance with that public agenda, LulzSec targeted PBS after the network ran a negative show about WikiLeaks. LulzSec stole PBS’s passwords and published a fake story proclaiming that instead of being dead, rappers Tupac Shakur and Biggie Smalls were very much alive in New Zealand.
After attacking Sony again — this time targeting music codes, coupons and customer information — LulzSec turned its attention to Infragard, an FBI affiliate. They took it offline, which brought more attention to their hacking spree. But the group’s leader, who went by the name Sabu, forgot to use the Tor system to disguise himself. After that mistake, he landed on the FBI’s radar.
When he was caught by the FBI and had his real identity revealed, Hector Xavier Monsegur, aka “Sabu”, decided that he would turn informant and would help the FBI catch LulzSec – possibly hoping for a reduced sentence that would make things easier on his two young nieces, for whom he was a legal guardian. Over the next few years, Monsegur ended up helping the FBI stop over 300 cyberattacks.
Hackers as vigilantes
While the FBI was monitoring and negotiating with Monsegur, LulzSec launched a number of other attacks until the first public arrest on June 21, 2011. These attacks included sharing the passwords of over 25,000 people who had accessed at least 1 of 55 pornographic websites, staging a denial-of-service attack on gaming websites and taking the CIA’s website offline for three hours. The group also won a contest where a cybersecurity firm offered $10K to anyone who could hack into the firm’s website and change a picture.
While several of these attacks are clearly malicious, around this same time LulzSec also let the British National Health Service (NHS) know that it had a vulnerability. I paused for a minute when I learned that they had written that they weren’t going to publicly shame or release information about the vulnerability, but instead wanted to help the NHS become more secure. Whether due to a true moral compass or simply for PR purposes, LulzSec positioned themselves as “vigilantes”, deciding for themselves which groups deserved compassion and which deserved ridicule and harm.
This approach continued with the group’s participation in the launch of Operation Anti-security on June 20, rallying their supporters to hack and expose government and financial information. Publicly the movement was positioned as a “revolution” seeking to expose corruption, but in practice, the attacks under this large umbrella often created real victims with real personal and financial consequences.
The end of LulzSec
The end of LulzSec was somewhat anticlimactic, especially compared to their publicly mocking messages and exceptionally active Twitter account. A number of LulzSec hackers were arrested and charged in 2013. In total, their attacks had spanned eight months in 2011. The group also publicly disbanded in the middle of June 2011, citing boredom as the reason.
In true LulzSec fashion, they announced their departure in a lengthy tweet — their 1,000th — sharing their reasons and thoughts. They emphatically denied that the disbanding was related to law enforcement, but it can’t be denied that it only came after increasing legal troubles for the group, which is believed to have possessed large amounts of sensitive and illegally obtained data when they shut down.
What did LulzSec mean for cybersecurity?
Now that I had a full understanding of what happened and why it happened, I wanted to understand how the group’s “50 days of lulz” changed both cyberattacks and cybersecurity. As I read through many articles written both as the attacks were occurring and in retrospect, the overarching theme was LulzSec’s influence on “hacktivism”, or hacking with goals beyond simple monetary gain. The group’s public face and active Twitter account made it one of the most high-profile hacker organizations at the time, and its at-times confusing motivations demanded attention and vigilance from cybersecurity professionals.
In an article published in October 2011, Peter Coroneos, who was the outgoing Internet Industry Association (IIA) chief at the time, and IBRS advisor and security expert James Turner spoke about LulzSec’s influence and impact. I thought that Coroneos’s description of LulzSec as a return to bragging-rights motivation and an era of “we’re doing it because we can” was especially on point. His comment about the lack of predictability was also very interesting to me.
“Because there is no predictability — perhaps that’s a part of their point — there is the idea that they can hit anyone at any time for whatever reason,” Coroneos said. “That seems to be what they are actually trying to show: that they are not restricted to one ideology or cause.”
A complex impact
In the end, Turner’s point-blank condemnation of the LulzSec attacks as “stupid, immature vandalism” in the CSO article feels right on the money. And I might have LOLed (pun intended) at his description of “teenagers breaking windows in an abandoned warehouse”. Because breaking the law is still breaking the law even if you are protesting something, as hacktivist groups proclaim they are doing.
The fact that LulzSec’s stated motivations and chosen targets were often so wide-ranging made it harder for many in the industry to believe they were acting with a clear moral or philosophical goal. It also explains why it can be challenging to clearly pinpoint the influence that LulzSec had on the cybersecurity industry. The public and flamboyant nature of these particular attacks certainly drew attention, but the interpretation of the attacks remains a matter up to the individual observer.