A string of daring attacks in recent weeks on high-profile organisations and companies including the CIA and Sony has shone light on the exploits of a hacking collective, seen by cyberexperts as part-criminal gang and part-performance artists.
Nick Rowe | Photodisc | Getty Images
Lulz Security has said it would continue a campaign begun this week to steal classified secrets, the apex of a spree that has seen it attack the websites of the CIA and the UK's Serious Organised Crime Agency, publish tens of thousands of passwords used by Sony and other concerns and penetrate InfraGard, a joint FBI-private sector group.
The collective combines skilled hacking with a WikiLeaks-style populist appeal, said Steven Chabinsky, FBI deputy assistant director. It is this combustible mix that makes it a real threat. Typically, Lulz publicises its attacks on Twitter or elsewhere.
"These organisations have managed to use new technologies to connect to otherwise disenfranchised hackers to gather force and momentum in a way we have not seen before," Mr Chabinsky told the Financial Times last week.
"We've been under a cybercrime onslaught for some time now, but this is unprecedented," said Kimberly Peretti, former US justice department cyberchief, now with PwC, the professional services firm.
"The fact that they have avenues for instantly disclosing information is encouraging a new, very dangerous movement." One of the founders, known as Topiary, has said he is quitting his post, which includes running a prolific Twitter feed boasting of exploits.
The new de facto spokesman is Sabu, researchers say. In leaked chat logs, Sabu appears to be more concerned with internal security. "Oh well - less tweet spam now," said the group's Twitter account on Tuesday.
Lulz first grabbed mainstream headlines in late May when it broke into the website of the PBS broadcaster and inserted a bogus news story reporting that slain rapper Tupac Shakur was living in New Zealand. It then published the passwords of PBS employees.
The PBS assault was an early indication of the complex nature of Lulz. Its members include those suspected of launching disruptive but essentially mischievous political attacks.
It includes those at ease in the underground economy that exists around credit card fraud and digital identity theft. Lulz sprang from Anonymous, a larger hacking collective.
The group takes the name Lulz from 4chan slang derived from LOL, shorthand for laughing out loud, tweaked to refer to laughing at others' surprise or misery. Lulz Security says it aims to amuse, if cruelly.
"You find it funny to watch havoc unfold, and we find it funny to cause it," the group wrote on Friday. Anonymous did not boast many accomplished hackers, but in February it broke into HBGary Federal, the security company. It then published internal HBGary e-mails.
The actions "had a significant national security impact", said Charles Dodd, a cyberwarfare consultant to US intelligence agencies.
Several of those who attacked HBGary graduated to Lulz. In June, Lulz defaced the InfraGard website, later publishing e-mails from InfraGard member Unveillance, a tech security start-up.
"InfraGard really got the FBI's attention," said a private security professional. "They assigned more people to the case after that." The FBI declined to discuss specific attacks but said it was making progress.
Security professionals speak of Lulz with admiration and apprehension.
"They have the skills to be a credible threat to anybody's security, whether it is government or corporate," said Dave Marcus, director of research at big security vendor McAfee.
Experts say it does in public what organised crime groups and governments do in private.
They question if Lulz can be stopped and if its hacking exploits will lead to better security, a legal crackdown that reduces the internet freedoms it champions, or both.
Lulz "is really exposing the way cybercrime investigations can be done and the limitations", said Jeff Moss, founder of the Black Hat conferences on software vulnerabilities and a US government security adviser.
"Politicians tend to overreact, but it might actually be an inflection point to get more done."