As the notoriety of Anonymous spreads, some amateurish hackers are claiming affiliation with the group in order to bolster their own hacking bona fides.
By virtue of the loose hacking collective’s name and lack of any public membership roster, practically anyone with an Internet connection can broadcast that he is a member. Alexander Waterland and Brett Hudson did this last year when they claimed to have obtained sensitive data from the University of Pittsburgh and threatened to release it.
Waterland was last week sentenced to a year and a day in prison, followed by two years’ supervised release after pleading guilty to conspiracy to commit Internet extortion. Hudson pled guilty to the same charge and is awaiting sentencing.
Because Anonymous continues to be associated with high-profile hacks, there are more of these copycat hackers trying to hitch their wagons to the loose hacking collective, experts say.
"Anybody could say that they have their own group that was a member of Anonymous," said J. Keith Mularski, supervisory special agent in charge of the cyber squad at the Federal Bureau of Investigation’s Pittsburgh division, which oversaw the investigation of Waterland and Hudson. "Some of the big players in Anonymous instilled a lot of fear. I think that these other people, they try to instill that same fear."
Last April, on the suggestion of Hudson, Waterland downloaded student and faculty data from University of Pittsburgh server, though that information didn’t include sensitive information that would make this act a data breach, the FBI said.
The men then posted a video to a YouTube account under the name of AnonOperative13 that claimed ties with the group Anonymous, according to the agency. The video said they had sensitive data and would release it unless the University posted an apology on its main website for what they said was lax data security. The threat came at a time when the university had experienced a number of bomb threats.
"We are Anonymous, we are legion, we do not forgive, we do not forget," the computerized voice in the video said, using a slogan common to the hacking group. But as the investigation proceeded, it became clear that the men were not affiliated with any broader group, and that they hadn’t really stolen any sensitive data, said Mularski, though they were "very familiar with the groups and had done a lot of research on the groups and what they stood for."
The plot boiled down to the men being "just bored and dumb," said Warner Mariani, attorney for Hudson, who also said there was no connection with the broader Anonymous group. "It was an awful lapse of judgment, especially in light of all the bomb threats." Waterland’s attorney couldn’t be reached for comment.
When faced with a threat from someone claiming to be Anonymous, it’s not necessarily easy to gauge how sophisticated the perpetrators are until after the fact. "To the average organization or enterprise, it will be very difficult to find out who’s really behind the attack and whether they have any private information," said Ronen Kenig, director of security solutions at data-security firm Radware. "Police can do it, cyber protection groups can do it."
Still, known hacking incidents connected with sophisticated Anonymous members often have certain hallmarks, many of which a copycat attack like the one targeting the University of Pittsburgh may not have. These include announcements of the hack on multiple social-media accounts, as well as a stated political motivation that’s often left-leaning, said Gabriella Coleman, a professor at McGill University who is writing a book on Anonymous.
"The majority of [Anonymous] operations are team based. If someone’s acting totally alone, it’s probably not them," she said.