Last week’s attack on the South African Department of Water Affairs is the latest sortie on the part of the hacker collective that dubs itself Anonymous, as part of its Operation Africa (#OpAfrica) campaign.
In a statement earlier this month, Anonymous said that “Operation Africa is an ongoing effort by several activists within anonymous who have begun collaborating. The focus of the operation is a disassembly of corporations and governments that enable and perpetuate corruption on the African continent.”
Ostensibly, this attack, and the concurrent one on GCIS (Government Communications and Information Systems), was a targeted offensive against the South African government, one of seven listed as targets in #OpAfrica. However, according to Mary Racter, information security consultant at MWR Infosecurity, while hacktivism can be seen in much the same light as other, more physical forms of protest, and can be exercised for the same broad array of reasons, the reality is not always that black and white.
“Anonymous does not refer to a single focused group of people, as anyone may choose to operate under the name ‘Anonymous’ at any point in time. It is not an organisation with a set mission statement and an identifiable list of members. Although there may be informal leadership by consensus, members are not under obligation to follow it. Anonymous is also only loosely cohesive, so even if there is a group of people participating in a campaign at a specified point in time, the intentions of the group cannot be assumed to be uniform across participants,” she explains.
For this reason, it is difficult to ascertain the true motives of the hacktivists, according to David Yates, information security consultant at MWR Infosecurity. “Data from such breaches has a market value, and once in the possession of groups or individuals with no accountability, could be used for personal profit.”
Personal data breaches of this nature, for example, have the potential to expose the organisation to further attacks via targeted social-engineering attacks. And, as people often re-use credentials across sites and re-use personal information to identify themselves, compromise of one set of credentials could allow attackers to compromise other accounts belonging to that person, such as their e-mail, banking, and social media accounts.
In addition, Racter points out that often an attacker does not reach the most impactful targets in a linear fashion. Rather, easy peripheral targets are often found and exploited first, with lateral movement or escalation of effort used to compromise more valuable systems.
“This would explain why the Department of Water Affairs was exposed despite the impact of its breach being small when compared to, for example, the Parliamentary databases. It also means that these peripheral breaches should not be dismissed as irrelevant, as they could form part of the intermediate steps in a higher-impact system breach. In other words, the Department of Water Affairs could potentially be a stepping stone in another attack.”
Yates points out that breaches like this are commonly accomplished through the exploitation of multiple flaws and insecurities in an organisation’s web applications and IT infrastructure, as well as human elements, for example by guessing weak user passwords. However, there are precautions that government and private organisations can employ in order to secure their digital assets – regardless of the profile of the attackers anticipated.
“Organisations can defend themselves from hacktivists by employing the same approach to security as for any other class of attacker. A robust security policy should include strategies for prevention, detection and response, the three phases in the security life-cycle. Investment in all three phases is critical.”
Yates offers some general recommendations for each phase:
* Perform security testing on web applications to catch and fix flaws which could lead to data exposure.
* Follow the principle of least privilege when deploying systems: if a system does not need to be accessed outside of the internal network, it shouldn’t be exposed on the internet.
* Involve active, skilled human actors in detection. Automated anti-virus, intrusion detection and prevention systems can be effective tools, but their outputs should be monitored by human actors who have the ability to make informed judgments on the output of these tools.
* In the event of a breach, it is necessary to assess the damage done and ensure that the attack paths which led to the breach are closed as quickly as possible, so that similar attacks cannot reoccur.
* If users’ data is breached, it is important to inform them as soon as possible so that they can protect themselves by changing any reused passwords. The black market value of a data breach immediately falls when it is publicised.