Anonymous OpNSA Campaign – OSINT to predict DDoS attacks on Nov 5th

Pierluigi Paganini November 01, 2013


OpNSA analyzed with OSINT techniques based on the correlation of media activities and physical protests. The analysts provided a forecast on next attacks.

Web Intelligence analysis alerts on early signs of an Anonymous cyber campaign dubbed OpNSA that as usual will address with DDoS attack principal US Government websites. Security experts don’t exclude the possibility that the group will also target subcontractors to gather information for successive attacks within OpNSA campaign.

Last September members of Anonymous hacktivist group collective, known as Anons, targeted US lawmakers who have financial collusion to intelligence contractors in their latest campaign. Different from any other Anonymous operations, OpNSA does not involve hacking, instead the operation aims to bring attention on collusion between US senators and private contractors, whom Anons allege enabled privacy violations as part of National Security Agency surveillance program.

The names of contractors include Booz Allen Hamilton, Northrop Grumman, Raytheon, Lockheed Martin, General Dynamics and many others.

Anonymous promoted the physical participation to the manifestations organized in the streets:

“Under the cover of darkness, you are invisible. Take to the streets in the dead of night and erect over 9,000 posters, banners, flags, anything to show your support for Anonymous, OpNSA, Wikileaks, Edward Snowden, Bradley Manning, or any related campaigns. Also show your contempt for the PRISM program, the FBI and any other high profile opponents of the idea represented by Anonymous. The goal is public awareness! Post as many flyers from the sources listed as you wish. **REMEMBER** Use paste instead of tape. Use the cover of darkness. Be SAFE. Have some fun.”

“We encourage the production of videos and the taking of pictures (not to be taken on smart phones, preferably, due to their traceability) showing participation in this operation. **Keep your faces covered** Remember, this is a peaceful protest. Obey all laws, do not destroy any property, and do not do anything that could give law enforcement a reason to arrest you. Comply with their demands and be sure to give citizens a positive image of anonymous. If possible, answer people’s questions in a polite fashion. Distribute propaganda whenever possible. Public awareness of the NSA’s domestic spy programs begins with YOU. The right of free citizens to maintain their privacy is INVIOLABLE. PRISM companies, defense contractors, and federal agencies have gone out of their way to invade that privacy, and Anonymous is not pleased.”

The NSA’s website was down for 11 hours on Friday October 22th , officially for problem occurred during a routine website update but not everybody believes in this motivation hyphotizing a cyber attack of hacktivists that protested against NSA surveillance activities.

I’ve found an interesting post on the use of Web Intelligence to detect early signs of OpNSA cyber campaign that allows the researchers to predict the evolution of the operation. The analysts using the web intelligence platform Recorded Future demonstrates that members of Anonymous were promoting the physical protests prior to Saturday 26th, this allowed them to raise an alert on October 11th. Previous researches have put in close relationship the public protests with an escalation of events in the cyberspace.

The dates of October 26 and November 5 have been visible in the following graph and you have to consider that the demonstration that saw the participation in thousands protest in DC on October 26th was known for weeks in advance.

Recorded Future opNSA


The above timeline shows the increase of media activities (e.g. Tweets forewarning protests) before the cyber attacks against the NSA occurred  in this past weekend. In the graph is evident another peak planned for November 5th that could be considered as a possiblen date for the next attack of Anonymous.

The OSINT analysis made possible to discover a growing number of tweets from over the weekend using the hashtags #OpNSA and #OpPRISM, a social media campaign to recruit volunteers in DDoS attacks against the agency on November 5th.

“Whether Friday’s incident was truly an internal error or actually a successful hack, more disruption is on the way.”

Let me also conclude with a reflection … State-sponsored hackers use the same techniques to analyze the targets and to discover the profitable moment to conduct an attack being anonymous. A rise of hacktivist campaigns is a privileged moment to conduct covert cyber operations for both sabotage and cyber espionage.

Pierluigi Paganini

(Security Affairs – Anonymous, OpNSA)

you might also like

leave a comment