By Andrew Morse and Ian Sherr
Amid growing worries over criminal hacking attacks and
cyberwarfare, a group calling itself LulzSec is showing that
hackers pulling pranks to get attention remain a serious annoyance
and even a threat in their own right.
Since early May, the group, whose members remain unknown, has
claimed responsibility seven times for computer break-ins and the
theft of documents that it posted on a website and bragged about on
Twitter. Targets have included Japanese technology-and-media giant
Sony Corp., U.S. public broadcaster PBS, and television network
Fox, a unit of News Corp. (News Corp. also owns Dow Jones & Co.,
publisher of this newswire and The Wall Street Journal.)
On Friday, LulzSec described another brazen attack, on the
website of the Atlanta chapter of InfraGard, an affiliate of the
Federal Bureau of Investigation that exchanges information with
businesses and other partners about threats to the U.S. An FBI
official acknowledged the attack and said steps were being taken to
mitigate any potential damage.
Using passwords stolen from InfraGard, LulzSec said it stole
private emails and other documents from a small computer-research
company called Unveillance. That company's founder, Karim Hijazi,
described his encounter with the attackers on his own website
Friday.
LulzSec on Friday also posted a computer file from the U.S.
operations of Nintendo Co. A spokesman for the big Japanese
videogame company acknowledged the attack.
The group's exploits follow a stream of attacks that have
targeted big companies and government agencies, triggering
investigations by law-enforcement agencies and hearings in
Congress. In most of the recent cases, the attackers seemed
motivated by a desire to steal information to make money or to
gather intelligence that could be useful to foreign
governments.
Defense contractor Lockheed Martin Corp., for example, recently
shut down remote-access systems for employees temporarily following
an intrusion affecting its networks. The company said no sensitive
information had been compromised.
Sony, meanwhile, was hit before LulzSec's attack on its movie
unit -- first by a group of Internet vigilantes called Anonymous
that tried to disrupt Sony's operations to protest its suit against
a hacker. It was later hit by attackers that stole customer data
from its PlayStation Network and Sony Online Entertainment gaming
networks.
In most cases involving data theft, perpetrators have not
claimed responsibility. LulzSec, by comparison, boldly announces
its antics and publishes private data to bolster its claims --
echoing the actions of an earlier generation of hackers that sought
to brag about their skill or taunt victims and rivals.
Security experts say such tactics are at least as troublesome,
if not more so. "The underlying motives may be different, but the
damage they can do is exponentially greater," said Craig Spiezle,
executive director of the Online Trust Alliance and a member of
InfraGard. "Effectively, they are creating disruption and doing
economic harm."
He noted that LulzSec has used stolen credentials, such as login
information, for its attacks. That's different from hackers of
years past, who often attempted to exploit security weaknesses in
companies' servers. "It's not sophisticated, but it's clearly
damaging," Mr. Spiezle said.
The group's name is a combination of "lulz," an Internet term
used to describe laughter at getting someone to fall for a prank,
and security. In some of its news releases, the group uses the
motto, "Laughing at your security since 2011!"
LulzSec's home page, which appears to have been created on June
1, plays the theme from the 1970s television show "The Love Boat."
LulzSec didn't respond via its Twitter account to requests for
comment.
Unveillance's Mr. Hijazi thinks LulzSec is probably a group of
young pranksters because they behave as though they're playing a
videogame.
"They're savvy juveniles. They're young kids," Mr. Hijazi said.
"They think they're invincible."
Mr. Hijazi said Unveillance, a four-person start-up he funded,
was likely targeted because it specializes in detecting botnets --
networks of computers commandeered by hackers to send spam or used
to flood a target website with data traffic.
He said the company first noticed someone was trying to get
inside its systems. Then LulzSec reached out to him personally -- at
3:10 a.m. on May 26, via an encrypted email service called
Hushmail.
Mr. Hijazi said he woke his wife, who had recently given birth
to the couple's second child, and told her to be prepared for a
situation that could get ugly. He said he also informed the FBI and
was advised to play along with the attackers. "I didn't know who I
was dealing with," he said.
In online chat sessions with Mr. Hijazi, LulzSec boasted of
having gotten into other organizations and forced them to remain
quiet, according to transcripts of the chats.
At first, the group asked for money, but Mr. Hijazi said he was
broke. They then asked for data about the botnets Unveillance
tracked. "If you take over a big botnet," one of the members wrote
to Mr. Hijazi, "we want insider info on it."
LulzSec, in its own news release and a Twitter posting, said it
was stringing Mr. Hijazi along to expose the "corruption" of
so-called "white-hat" security experts that work within the law,
calling its requests for money "pseudo-extortion."
"They're trying to spin something that is bizarre," Mr. Hijazi
said. "They were trying to get everything they could from me."
Along with documents from InfraGard and Unveillance, LulzSec on
Friday posted what it said was a Nintendo "server configuration
file," or information used to set up a system.
Nintendo spokesman Ken Toyoda stressed that the theft didn't
include any company information or the personal data of any
customers. "We are always working to make sure our systems are
secure," he said.
Regarding the Japanese company, LulzSec said on Twitter that "we
sincerely hope Nintendo plugs the gap."
-By Andrew Morse at andrew.morse@wsj.com
--Juro Osawa and Brent Kendall contributed to this article.