In Attack on Vatican Website, a Glimpse of Hackers’ Tactics

John Markoff

The elusive hacker movement known as Anonymous has carried out Internet attacks on well-known organizations like Sony and PBS. In August, the group went after its most prominent target yet: the Vatican.

Gaelx | Flickr

The campaign against the Vatican, which did not receive wide attention at the time, involved hundreds of people, some with hacking skills and some without. A core group of participants openly drummed up support for the attack using YouTube, Twitter, and Facebook. Others searched for vulnerabilities on a Vatican website and, when that failed, enlisted amateur recruits to flood the site with traffic, hoping it would crash, according to a computer security firm’s report to be released this week.

The attack, albeit an unsuccessful one, provides a rare glimpse into the recruiting, reconnaissance, and warfare tactics used by the shadowy hacking collective.

Anonymous, which first gained widespread notice with an attack on the Church of Scientology in 2008, has since carried out hundreds of increasingly bold strikes, taking aim at perceived enemies, including law enforcement agencies, Internet security companies, and opponents of the whistle-blower site WikiLeaks.

The group’s attack on the Vatican was confirmed by the hackers and is detailed in a report that Imperva, a computer security company based in Redwood City, Calif., plans to release ahead of a computer security conference here this week. It may be the first end-to-end record of a full Anonymous attack.

Though Imperva declined to identify the target of the attack and kept any mention of the Vatican out of its report, two people briefed on the investigation confirmed that it had been the target. Imperva had a unique window into the situation because it had been hired by the Vatican’s security team as a subcontractor to block and record the assault.

“We have seen the tools and the techniques that were used in this attack used by other criminal groups on the web,” said Amichai Shulman, Imperva’s chief technology officer. “What set this attack apart from others is it had a clear timeline and evolution, starting from an announcement and recruitment phase that was very public.”

The Vatican declined to comment on the attack. In an email intended for a colleague, but accidentally sent to a reporter, a church official wrote: “I do not think it is convenient to respond to journalists on real or potential attacks,” adding, “the more we are silent in this area the better.”

The attack was called Operation Pharisee in a reference to the sect that Jesus called hypocrites. It was initially organized by hackers in South America and Mexico before spreading to other countries, and it was timed to coincide with Pope Benedict XVI’s visit to Madrid in August 2011 for World Youth Day, an international event held every other year that regularly attracts more than a million Catholic youths.

Hackers initially tried to take down a website set up by the church to promote the event, handle registrations and sell merchandise. Their goal — according to YouTube messages delivered by an Anonymous figure in a Guy Fawkes mask — was to disrupt the event and draw attention to child sexual abuse by priests, among other issues.

The videos, which have been viewed more than 77,000 times, include a verbal attack on the Pope and the young people who “have forgotten the abominations of the Catholic Church.” One calls on volunteers to “prepare your weapons, my dear brother, for this August 17th to Sunday August 21st, we will drop anger over the Vatican.”

Much as in a grass-roots lobbying campaign, the hackers spent weeks spreading their message through their own website and social sites like Twitter and Flickr. Their Facebook page called on volunteers to download free attack software and implored them to “stop child abuse” by joining the cause. It featured split-screen images of the Pope seated on a gilded throne on one side and starving African children on the other. And it linked to articles about sexual abuse cases and blog posts itemizing the church’s assets.

It took the hackers 18 days to recruit enough people, the report says. Then the reconnaissance began. A core group of roughly a dozen skilled hackers spent three days poking around the church’s World Youth Day site looking for common security holes that could let them inside, the report says. Probing for such loopholes used to be tedious and slow, but the advent of automated tools made it possible for hackers to do this while they slept.

In this case, the scanning software failed to turn up any gaps. So the hackers turned to a brute-force approach — a so-called distributed denial-of-service, or DDoS, attack that involves clogging a site with data requests until it crashes. Even unskilled supporters could take part in this from their computers or smartphones.

“Anonymous is a handful of geniuses surrounded by a legion of idiots,” said Cole Stryker, an author who has researched the movement. “You have four or five guys who really know what they’re doing and are able to pull off some of the more serious hacks, and then thousands of people spreading the word, or turning their computers over to participate in a DDoS attack.”

Over the course of the campaign’s final two days, Anonymous enlisted as many as a thousand people to download attack software, or directed them to custom-built websites that let them participate using their cellphones. Visiting a particular web address caused the phones to instantly start flooding the target website with hundreds of data requests each second, with no special software required, the report says.

On the first day, the denial-of-service attack resulted in 28 times the normal traffic to the church site, rising to 34 times the next day. Hackers involved in the attack, who did not identify themselves, said through a Twitter account associated with the campaign that the two-day effort succeeded in slowing the site’s performance and making the page unavailable “in several countries.” Imperva disputed that the site’s performance was affected and said its technologies had successfully siphoned the excess data away from the site.

Anonymous moved on to other targets, including an unofficial site about the Pope, which the hackers were briefly able to deface.

Imperva executives say the Vatican’s defenses held up because, unlike Sony and other hacker targets, it invested in the infrastructure needed to repel both break-ins and full-scale assaults.

Researchers who have followed Anonymous say that despite its lack of success in this and other campaigns, recent attacks show the movement is still evolving and, if anything, emboldened. Threatened attacks on the New York Stock Exchange and Facebook last autumn apparently fizzled. But the hackers appeared to regain momentum in January after federal authorities shut down Megaupload, a popular file-sharing site.

In retaliation, hackers affiliated with Anonymous briefly knocked dozens of websites offline, including those of the Federal Bureau of Investigation, the White House, and the Justice Department. At one point, they were able to eavesdrop on a conference call between the F.B.I. and Scotland Yard.

“Part of the reason ‘Op Megaupload’ was so successful is that they’ve learned from their past mistakes,” said Gabriella Coleman, an associate professor at McGill University who has studied Anonymous. Professor Coleman said the hackers had been using a new tool to better protect their anonymity. “Finally people felt safe using it,” she said. “That could explain why it was so big.”

In recent weeks, Anonymous has made increasingly bold threats, at one point promising to “shut the Internet down on March 31” by attacking servers that perform switchboard functions for the Internet.

Security experts now say that a sort of open season has begun. “Who is Anonymous?” asked Rob Rachwald, Imperva’s director of security. “Anyone can use the Anonymous umbrella to hack anyone at anytime.”

Indeed, in the last six months, hackers have attacked everything from pornography sites to the web portals of Brazilian airlines. And some hackers have been accused of trying to extort money from corporations — all under the banner of Anonymous.

“Anonymous is an idea, a global protest movement, by activists on the streets and by hackers in the network,” the hackers said through the Twitter account. “Anyone can be Anonymous, because we are an idea without leaders who defend freedom and promote free knowledge.”