The Anatomy of an Anonymous Attack

Report from Imperva documents how organizations are targeted for hacking

Illustration Anonops – During 2011, Imperva witnessed an assault by the hacktivist group ‘Anonymous’ that lasted 25 days.

Our observations give insightful information on Anonymous, including a detailed analysis of hacking methods, as well as an examination of how social media provides a communications platform for recruitment and attack coordination.

Hacktivism has grown dramatically in the past year and has become a priority for security organizations worldwide. Understanding Anonymous’ attack methods will help organizations prepare if they are ever a target.

Our observation of an Anonymous campaign reveals:

  • The process used by Anonymous to pick victims as well as recruit and use needed hacking talent.
  • How Anonymous leverages social networks to recruit members and promotes hack campaigns.
  • The specific cyber reconnaissance and attack methods used by Anonymous’ hackers.

This is an excerpt from the report. For the full report see Imperva’s Hacker Intelligence Summary Report The Anatomy of an Anonymous Attack

We detail and sequence the steps Anonymous hackers deploy that cause data breaches and bring down websites.

Finally, we recommend key mitigation steps that organizations need to help protect against attacks.


This report is based on an Anonymous attack observed by the Imperva Application Defense Center. The target organization of the attack had a Web application firewall deployed which recorded and repelled the attacks. By analyzing traffic logs, we analyzed the attacks on these applications and categorized them according to the attack method, as well as identified patterns and trends within these attacks. We also analyzed Anonymous social media communications in the days leading up to and after the attack.
We believe this is the first end-to-end record of a full Anonymous attack.

The Plot

In 2011, Anonymous made headlines worldwide as it grew globally. Anonymous attacked organizations in numerous countries worldwide. Attacks fell into two categories:

  • Reactive: In this case, some incident inspired the members of Anonymous to attack a target. For example, when MasterCard, Visa and others stopped allowing payments to Wikileaks, Anonymous began Operation Payback intended to bring down websites with excessive traffic. When BART police blocked the use of cell phones in certain stations, Anonymous hacked into BART computers, exposing the data of dozens of employees.
  • Proactive: In this case, Anonymous announces an intention to attack a target. Significantly less common, there have only been a few incidents. For example, threats against Facebook and Mexican drug lords were made, but attacks either fizzled or never even materialized. It is difficult to estimate how many proactive attacks have occurred since, like terrorist attacks; only successful campaigns become public.

The attack Imperva witnessed during 2011 was the proactive variety. In this case, Anonymous hoped to disrupt an event that would take place on a specific date. A website designed to support the event enabled e-commerce and information dissemination
would become Anonymous’ target. Though we cannot identify the target, it is a large, well-known organization.

The attack occurred over a period of 25 days in three phases. The first phase, recruiting and communications, a small group of instigators elicited support and recruit for an attack, as members of Anonymous created a website rationalizing an attack on their target. Twitter and Facebook promoted traffic to this site. Additionally, YouTube videos were produced to help rationalize attacks.

Once a critical mass was achieved, the second phase, reconnaissance and application attack, could begin. During this phase, around 10 to 15 skilled hackers probed the website’s applications in an effort to identify weaknesses that could lead to a data
breach. The third and final phase was a distributed denial of service (DDoS). Having failed to expose data, hackers obtained help from Anonymous’ nontechnical members. Several hundred to a few thousand people either downloaded attack software (such as
was done in Operation Payback) or went to custom-built websites that perform DDoS attacks. When this failed, the attack ended.

For the complete report, see

How can companies prepare for an Anonymous attack?

If companies are prepared against application layer attacks and have put in place solid defenses to mitigate SQL injection, cross site scripting, local file inclusion and DDoS, then such enterprises will be well prepped against Anonymous.

What are the lessons?

Any high profile organization can be a target. There is not a lot of consistency to Anonymous’ campaigns, their targets include a wide range including religious organizations, pornography sites, consumer electronics firms, banks, Mexican drug
lords, law enforcement, and government.

The threat is real if applications are vulnerable. Using good app security standards, potential targets can reduce their risk.

See also ComputerWorld Companies should secure their websites before worrying about DDoS attacks from Anonymous

Leave a Reply