
Part of a series on Occupy Wall Street.



Overview

Operation Invade Wall Street was a contentious hacktivist campaign launched by a faction within Anonymous with the objective of bringing down the New York Stock Exchange website through distributed denial-of-service (DDoS) attacks in support of the Occupy Wall Street protests. From the beginning, the ambitious plan was met with skepticism regarding its authenticity and effectiveness, and the proposed cyber attack never materialized.


Background

On October 2nd, 2011, YouTube channel TheAnonMessage, presumably an Anonymous affiliate, released two videos about a DDoS attack plan called "Operation Invade Wall Street," scheduled for launch on October 10th. The first video was directed toward the general populace, while the second video specifically addressed the news media. Although there were no explicit mentions of its affiliation with Occupy Wall Street protests, the announcement was reported in the news as an extended effort of the ongoing Anonymous movement.

2009 DDoS Attacks on NYSE

Prior to the eruption of Occupy Wall Street protests, New York Stock Exchange's website had been targeted by DDoS attacks on July 8th, 2009. However, the attacks didn't impact the trading and data systems of NYSE markets. According to a report published by MarketWatch[16], the coordinated DDoS attacks also affected numerous other high-profile websites including the Washington Post, the U.S. Homeland Security and Defense (USHSD), the Federal Aviation Administration (FAA) as well as South Korean government Web sites.

Notable Developments

The D.H.S. Warning

As rumors of the DDoS attacks spread through the grapevine, the U.S. Department of Homeland Security issued a warning to financial companies to stay vigilant about a cyber security threat from Anonymous. According to a bulletin[10] released by the department in early October 2011, the authorities suspected that the group "will continue to exploit vulnerable publicly available web servers, computer networks and other digital information mediums for the foreseeable future." The Department's warning was subsequently picked up by the Village Voice[3], The Atlantic Wire[11], Fox News[12], Forbes[13], New York Magazine[14], and Business Insider.[15]

Internal Division

Meanwhile, other well-known Anonymous outlets speculated about ulterior motives behind the announcement of Operation Invade Wall Street.


On October 4th, an anonymous message was posted to Pastebin[2] which claimed that Operation Invade Wall Street was fake.

Operation Invade Wall Street is bullshit! It is a fake planted operation by law enforcement and cyber crime agencies in order to get you to undermine the Occupy Wall Street movement. It proposes you use depreciated tools that have known flaws such as LOIC.
Anonymous would never tell you to use LOIC – Not after the arrests and failures of Operation Payback.
Anonymous wouldn't attack NYSE on a HOLIDAY – It is debatable if Anonymous would ever even attack NYSE.

The same day, The Examiner[7] published an article about the rumors with a reference to the Pastebin communique, which questioned whether the call to action was actually a false flag operation[5], a type of covert disinformation tactic that uses propaganda techniques to make it appear as if actions are being planned by innocent entities.

Tuesday, a significant source for all things Anonymous, AnonNews, linked to a statement denying the authenticity of Operation Wall Street, claiming the operation is most probably a false flag operation initiated by law enforcement officials in order to undermine Occupy Wall Street.

Follow-up Communique

On October 8th, 2011, YouTube channel TheAnonMessage released a follow-up communique refuting the accusations of Operation Invade Wall Street being a subversive entrapment set up by law enforcement agencies. The video further advised its participants to use TOR at a WiFi hotspot in order to avoid leaving any digital footprint while conducting the DDoS attacks.

I am here to clarify that factions of Anonymous are going with the operation. Other factions are opposing it. A fellow Anon told me the easiest way not to get caught is to use TOR at a hot spot, whether it be a university or a library.

The video also claimed that a group of Anonymous hackers managed to bring down NYSE's website for a period of 30 minutes, although it released no specific details, citing security measures.

Turnout

Within minutes of the publicly scheduled attack at 3:30pm, it was reported that NYSE.com became unavailable for a very brief period, from 3:35pm to 3:37pm (EST). The site returned to its normal speed within minutes, and NYSE spokesperson Rich Adamonis confirmed that trading was unaffected by the downtime. The brief outage was reported by Keynote[17], an Internet monitoring company, and by another tracking site called DownForEveryoneOrJustMe.com.[18]

Planned Method of Attack

Low Orbit Ion Cannon

The Low Orbit Ion Cannon (LOIC) is an application capable of linking up with other machines to perform a distributed denial-of-service (DDoS) attack. In June of 2011, 5 people in the UK, 3 in Spain and 32 in Turkey were arrested on suspicion of using the LOIC tools. A paper written by the Design and Analysis of Communication Systems Group (DACS) from the University of Twente[8] in the Netherlands described how it is possible to get caught using the LOIC to perform a DDoS attack:

If hacktivists use this tool directly from their own computers, instead of via anonymization networks such as Tor, the real Internet address of the attacker is included in every Internet message being transmitted, therefore making it easy to be traced back. We also found that these tools do not employ sophisticated techniques, such as IP-spoofing, in which the source address of others is used, or reflected attacks, in which attacks go via third party systems. The current attack technique can therefore be compared to overwhelming someone with letters, but putting your real home address at the back of the envelope.
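The DACS observation seen from the receiving side, as an added example that is not part of the original entry or the cited paper: because direct, unspoofed requests carry the sender's real address, a sliding-window count over the web server's access log is enough to name the flooding sources. The log lines are constructed (documentation-range addresses), and the function names, window and threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format prefix: source address and bracketed timestamp.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')

def parse(line):
    """Return (source_ip, timestamp) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")

def flood_sources(lines, window_s=10, threshold=20):
    """Map each source whose peak request count inside any window_s-second
    window reaches threshold to that peak. Assumes time-ordered log lines."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue              # skip malformed lines instead of failing
        ip, ts = rec
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window_s:
            q.popleft()           # drop requests that aged out of the window
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

def make_sample():
    """Constructed log: one source at 5 requests/s for 10 s, one ordinary client."""
    fmt = '{ip} - - [01/Jan/2024:12:00:{s:02d} +0000] "GET {p} HTTP/1.1" 200 512'
    lines = [fmt.format(ip="203.0.113.7", s=i // 5, p="/") for i in range(50)]
    lines += [fmt.format(ip="198.51.100.23", s=s, p="/index.html")
              for s in range(0, 30, 5)]
    lines.append("truncated or malformed entry")
    return lines

if __name__ == "__main__":
    for ip, n in flood_sources(make_sample()).items():
        print(f"{ip}: {n} requests within 10 s")
```

Spoofed or reflected traffic, which the paper notes these tools did not use, would defeat this kind of per-source attribution.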

Ref Ref

An application meant to replace the LOIC was released in September of 2011, and according to an interview with the developer in Hacker News[9], it uses an SQL and JavaScript vulnerability to make the target website use its own processing power against itself.

RefRef is a revolutionary DoS java site. Basically, by using an SQL and .js vulnerability, you can send a page request packet from your home computer with embedded .js file, because of the vulnerability in the SQL/Javascript engine on MOST websites, the site actually TEMPs the .js file on its own server. So now the .js is in place on the host of the site. Next since you still have the request, it picks up the .js file, and all of the requesting for packets power happens on the server, not the requestee. I send two packets from my iphone, and everything else happens on the server. Basically eats itself apart, because since both are on the server, it's all a local connection.

The program's release was first announced by @AnonOps[17] in early September, in the days leading up to the beginning of the #OccupyWallStreet protests on September 17th. According to various reports by ITworld[18] and Geekosystem[19], #Refref may have been previously tested on a number of websites, including Pastebin and Wikileaks, and it is intended to replace the distributed denial-of-service (DDoS) software Low Orbit Ion Cannon. Back in July 2011, Pastebin tweeted a message in reference to someone testing software on the site.
