LulzSec, the hacker group behind the recent attacks against Sony Pictures and PBS, said that it had struck again, this time at a small affiliate of the Federal Bureau of Investigation.
The FBI affiliate targeted in LulzSec’s latest cyber attack, InfraGard, is an Atlanta, Ga.-based non-profit organization that serves as an information liaison between the private sector and law enforcement, with a mission to protect against hostile threats to the U.S.
LulzSec said that the attack was in response to the U.S. government’s recent declaration that it would treat hacking as an act of war.
“It has come to our unfortunate attention that NATO and our good friend Barrack Osama-Llama 24th-century Obama have recently upped the stakes with regard to hacking. They now treat hacking as an act of war. So, we just hacked an FBI affiliated Web site and leaked its user base,” LulzSec said in a Pastebin.org blog.
As in its previous attacks, LulzSec exposed InfraGard e-mail, login credentials and other personally identifying information for about 180 employees, all of which were connected to the FBI in some way, the group said in the Pastebin blogpost.
The hackers also maintained that many of the 180 employees re-used their InfraGard passwords for other accounts, “which is heavily frowned upon in the FBI/Infragard handbook and generally everywhere else too,” LulzSec said.
The group said that, as in previous hacks, it defaced the organization's Web site. As of Monday afternoon, InfraGard’s Web site appeared to be down with a message stating that the site was under construction as the future home for the Atlanta InfraGard Member's Alliance.
The hacking group had made headlines in recent weeks with a series of attacks against a range of targets, including Sony Pictures and PBS.
Last month, LulzSec boasted that it broke into PBS’s Web site and exposed sensitive information in response to a show it aired critical of WikiLeaks and the suspected whistleblower Bradley Manning.
LulzSec’s retaliation efforts included publishing the usernames and hashed passwords for PBS Web site users and administrators, as well as login information and plain-text passwords for PBS affiliate television stations. The group also defaced the PBS.org Web site with a statement that read “All your base are belong to LulzSec” coupled with a fake story that indicating that deceased rapper Tupac Shakur, killed in 1996, was actually alive and living in New Zealand.
Most recently, LulzSec targeted Sony Pictures, posting a sampling of personal data from a pool of 1 million compromised customer accounts. The hacker group said in a Pastebin.com blog post that they expoited a security vulnerability on the Sony Pictures Web site with an SQL injection attack.
Altogether, the hackers said that they accessed personally identifying information, including passwords, e-mail addresses, home addresses, dates of birth and Sony associated opt-in data, as well as 75,000 "music codes" and 3.5 million music coupons.
Security solution providers contend that the string of LulzSec attacks highlights the pervasiveness of security vulnerabilities within the networks of most organizations.
Next: LulzSec Attacks Underscore Poor Security Posture