Since Saturday evening, we have been experiencing multiple attacks targeting websites under gov.pl domain. Most of the attacks are DDoS, attributed to Anonymous who declared radical protests after Polish government revealed plans to sign the ACTA treaty on January 26th. Websites of the Polish Parliament, Ministry of Foreign Affairs and Internal Security Agency were among victims of these attacks. List of targets, as well as links to LOIC-based software for launching the attacks and VPN clients for anonymisation are distributed via twitter, Facebook (13000 likes as of today!) and the anonops IRC server.
When following activities on IRC, it becomes apparent that many attackers join in just to cause some turmoil, not to support any cause. In fact, they have little or no knowledge about ACTA. They seem to become quickly amused by the fact that DDoS attacks are so simple and efficient at the same time. You press a button and within seconds the website stops responding. Minutes later news portals report about the incident. In fact, news reports seem to be fuelling the attacks as they are closely monitored and taken as proof of getting the message delivered. A solid proof for motives other than the initial “STOP ACTA” cause is that new targets are proposed often and included banks, media, telcos and Polish Railways. Admittedly, all such proposals are dismissed by the channel ops but some attacks are attempted by the community nevertheless. Successful DDoS attacks unrelated to ACTA included websites of one of the petrol retailers and… Tesco stores.
The conversation above can be translated as:
<nooke> why not dos tesco because their canned food is expensive?
<tony9x9> nooke: which one
<nooke> tony9x9: does it matter?
<nooke> canned fish
<PanPremier> hehe
<tony9x9> mhm
<nooke> and any tesco will do
<tony9x9> tesco.pl
<tony9x9> ?
Indeed, after this conversation which started as a joke, tesco.pl went offline for a couple of minutes…
CERT Polska was hit by the storm a few times, mostly when it got confused with the government CERT (CERT.GOV.PL). The latter became a DDoS victim along with abw.gov.pl (Internal Security Agency) hosted on the same server.
The level of technical knowledge of the attackers varies greatly. Many of them have no clue about what a VPN is and how LOIC works. On the other hand, some of those guys know how to hide their traces. In fact, some of them proved to have ownership of botnets which obviously improves their performance with DDoS by a great extent. It seems to be fair to assume that most of the liability will be carried by the first group.
Apart from DDoS attacks, there have been at least two confirmed defacements of government websites, namely Polish Prime Minister’s and the Ministry of Defense.