Anonymous persists with its AntiSec campaign and the latest target to fall has been Booz Allen Hamilton, one of the biggest U.S. military contractors.
According to the group’s press release, they managed to steal around 90,000 military emails and password hashes from the company’s servers that “basically had no security measures in place.” They also accessed the company software versioning and revision control system and swiped 4 GB of source code, which they then promptly deleted from the company systems.
Finally, they claim that the have found “maps and keys for various other treasure chests buried on the islands of government agencies, federal contractors and shady whitehat companies,” and that they will be sharing it with the public.
They also added a summary of Booz Allen Hamilton’s and HBGary’s involvement in various government programs of dubious legality and insinuated that Booz Allen Hamilton’s executives – who have alternated between working for the government in positions like NSA Director and Director of National Intelligence and for various government contractors – have used their standing to garner favor for these companies.
Booz Allen Hamilton tweeted that they generally do not comment on specific threats or actions taken against their systems.
Since the LulzSec absorption into the Anonymous collective and the start of the AntiSec campaign, the hacks and data dumps have become less “for the lulz” and more a form of protest against various governments’ and its contractors’ and agencies’ efforts that are deemed dangerous by Anonymous.
This release of such a great number of military emails and respective password hashes – which were, by the way, encrypted but not salted – means that all those people will have to change their passwords in order to keep their accounts safe.
But, the worst part of it is the fact that once these emails are made public, anyone can try to target its owners repeatedly with social engineering tactics, malware in attachments and malicious links.
Sooner or later, many will fall for one of these schemes, and that will give attackers access to their data and computers and the ability to use them as a staging point for further attacks into government systems.
Last week, Anonymous also managed to down FBI contractor IRC Federal’s website and breach its servers and steal a great amount of confidential data, which they gathered in a torrent and posted.
UPDATE: Despite having said they won’t be commenting on the incident, Booz Allen Hamilton has confirmed that the posted data was the result of a breach:
We are conducting a full review of the nature and extent of the attack. At this time, we do not believe that the attack extended beyond data pertaining to a learning management system for a government agency,” the company said.
Our policy and security practice is generally not to comment on such matters; however, given the publicity about this event, we believe it is important to set out our preliminary understanding of the facts. We are communicating with our clients and analyzing the nature of this attack and the data files affected.