Jim Walter is manager of the McAfee Threat Intelligence Service (MTIS) for the Office of the CTO. He focuses on new ...
This post was updated on January 27. See end of file for update.
There has been a great explosion of chatter in the last day around Anonymous’ “Operation Last Resort” (a.k.a. #OpLastResort).
The entities behind the various “official” communications around this operation have a sense of humor that we must point out (especially because if you don’t catch it, you will end up wiping your disk).
As is typical with these events, some data suggests that the whole thing (or at least the leak) is a hoax. Regardless of what data resides in the leaked files, it is apparent that someone is having fun via the scripts embedded in the USSC site. (See the Update section, below, for details on the Konami scripts.)
Anonymous has infiltrated specific US government systems in response to the “killing” of Aaron Swartz, who committed suicide on January 11. According to various posts and other communication channels, the operation is also tied to Barrett Brown and the law-enforcement actions against him. Ussc.gov (and others) have reportedly been compromised, and various caches of sensitive data have been exfiltrated. The first round is a .rar file (composed of multiple raw downloads). Details on how the compromise or breach took place are not clear or reliable. It is likely (though unconfirmed) that part of the initial intrusion was via SQL injection. Based on phrases in the official videos, RATs or other temporary “leakware” may have existed on compromised systems and have subsequently been removed by the attackers. Reports suggest that the contents of this leak pertain to various U.S. Supreme Court Justices.
The file set includes an official promo video for the operation, as well as a statement:
"Still there is nothing quite as educational as a well-conducted demonstration...
Through this website and various others that will remain unnamed, we have been conducting our own infiltration. We did not restrict ourselves like the FBI to one high-profile compromise. We are far more ambitious, and far more capable. Over the last two weeks we have wound down this operation, removed all traces of leakware from the compromised systems, and taken down the injection apparatus used to detect and exploit vulnerable machines.
We have enough fissile material for multiple warheads. Today we are launching the first of these. Operation Last Resort has begun... Warhead-US-DOJ-LEA-2013.AEE256 is primed and armed. It has been quietly distributed to numerous mirrors over the last few days and is available for download from this website now. We encourage all Anonymous to syndicate this file as widely as possible.
The contents are various and we won't ruin the speculation by revealing them. Suffice it to say, everyone has secrets, and some things are not meant to be public. At a regular interval commencing today, we will choose one media outlet and supply them with heavily redacted partial contents of the file. Any media outlets wishing to be eligible for this program must include within their reporting a means of secure communications.
We have not taken this action lightly, nor without consideration of the possible consequences. Should we be forced to reveal the trigger-key to this warhead, we understand that there will be collateral damage. We appreciate that many who work within the justice system believe in those principles that it has lost, corrupted, or abandoned, that they do not bear the full responsibility for the damages caused by their occupation.
It is our hope that this warhead need never be detonated."
This release is the referred-to “warhead”–specifically “Warhead-US-DOJ-LEA-2013.AEE256.” The “trigger key” referred to in the video is the decryption key for the content. Anonymous also indicated that they will, at some interval, release heavily redacted previews of the decrypted content. As of this writing, these have not emerged. We have, however, seen some fake decryption keys making the rounds.
Now, back to the “humor” that I alluded to earlier in this post. Some of the releases around this operation contain the following handy instructions:
If you did not catch it, the command at the end is an “rm” with force and recursion starting at the root.
What else does this operation entail? It is said that a Twitter-Storm campaign will commence on January 25.
"BEGIN THE MESSAGE OF ATTACK on January 25th at 11:59 PM EST"
Full details on this part of the operation are given in some of the group’s PADs. This will be an interesting operation to watch during the next few days.
What will the next warheads be? When will we start to see decrypted content from any of the warheads circulating? How will various governments react?
Update, January 27
Upon execution, the script provides some on-screen controls, and you can even control the various objects (including Nyan Cat) via the arrow keys.