Akamai Diversity

Akamai Security Intelligence
& Threat Research

Anonymous #OpIcarus2018

Written by Lisa Beegle


Operation #OpIcarus2018 has been announced and it encompasses several on-going campaigns, including #OpPayBack, #OpIcarus, #DeleteTheElite, and #SosNicaragua. The attack campaign(s) are being driven by actors using Anonymous iconography and ideological motives. These malicious actors have stated their intent to attack various banking institutions between June 21 through 28 2018. Targeted enterprises need to be on heightened alert leading up to these dates, as there are possible actions that will take place in advance of the stated dates.

There is no central organization to Anonymous. When a threat is issued, it can be difficult to determine whether it is the work of an individual or a larger collective. Often, it will be an individual who is attempting to gain support for the chosen cause and then build momentum from other sympathetic individuals. There is evidence that unaffiliated groups, such as organized crime, masquerade as part of the collective to hide their own activities.

Hacktivist groups, such as Anonymous, continue to cause distraction and disruption by facilitating various politically-motivated attack campaigns against governments, corporations, or even against specific individuals. In addition to attacking online, there may be in-person protests or other physical acts of protest. 



Hacktivists are considered hackers for a cause. They believe attacking websites for their cause is justified, even if it means breaking laws to do so. These groups operate under different aliases and allegiances to coordinate an attack using various methods and techniques. These attackers can be found online by their operation or "op" name. The most common types of attacks by hacktivists are DDoS and defacements.  

The cause for hacktivist groups, such as Anonymous, is often spurred by an event that they have opposition to. Support outreach is often communicated via Twitter, Facebook or IRC channels. These groups will often share tools of their choice to attack the targeted site. If there is more than one identified target associated with a named operation, as in this case, they will also share the list of targets. These lists are often posted on paste sites (ie. pastebin.com, piratepaste.com, etc.).

Although financial institutions tend to be the primary target from an historical perspective, the attackers continue to broaden their reach and participate in various operations. Key observations and trends to date are that "successful" attacks are somewhat arbitrary. They tend to focus on "softer", less well-defended targets to achieve their objective and obtain publicity toward their cause. Initial reports reveal that many  systems were compromised as a result of exploiting unpatched and insecurely configured Web sites, rather than by sophisticated techniques a more skilled attacker might use.



"#OpPayBack #OpIcarus #DeleteTheElite 2018 is led by Anonymous worldwide. and we will not stop until our demands are met" (#Operation PayBack 2018 By Anonymous Netherlands)


In this specific bulletin, Anonymous thanks others for their recent support in facilitating attacks they have claimed credit for against the Dutch Government. There are updates  to include articles referencing specific campaign attack events as well as a release of the CEHv9 Tools and Modules for Windows users. They recommend that Linux users who launch a DDoS attack use tools such as xerxes, Slowloris, Ufonet, or the Mirai botnet, warning supporters that use of other botnets such as ZEUS face higher risk of being linked to the attacker. Anonymous  instructs them to use a VPN vs. 4nomiziner as it will log activity. 

*Anonymous vehemently instructs it's participants to not use LOIC! (Low Orbit Ion Cannon)



#OpIcarus #SosNicaragua #OpNicaragua  #NicaraguaResiste #GritoporNicaragua #OpicarusNi


Banks are targeted because government monies are deposited in these banks and the organizers of the operation feel attacks against these establishments are a way to punish the government for their "crimes".  Accusations of potential money laundering, accepting money from illegal or unethical practices, as well as possible corruption associated with Nicaragua and Venezuela's oil, is the group's justification as to their cause.


Anonymous, unlike other forms of adversaries, is more interested in creating awareness and visibility of their political plight rather than truly causing lasting damage. Their tool of choice is often Denial of Services (DoS) attacks and defacement of websites. They are known to use various other methods -- such as SQL injection and local file include (LFI) web application attacks, cross site scripting (XSS), identity theft, phishing, and social engineering -- to obtain sensitive data to publicly embarrass their target. There is a very fine line between a hacktivist and a cybercriminal when the data obtained has significant value within the cybercriminal community.

As stated previously they use a relatively standard suite of tools in their attacks. These are readily available and easy to use; the intent is to minimize obstacles to allow entry of anyone that may be interested in participating in the campaign. Fortunately, the tools most often utilized are also easy to defend against.

Akamai believes such attacks are ongoing and may continue to increase in volume, duration and target based on the number of new campaigns continuing to emerge. This type of activity also falls in line with the global trend of using the Internet as voice for hacktivists with political views and agendas.


Akamai's Security Intelligence Research Team  (SIRT) recommends a heightened state of alert for any organization specifically named in an operation or associated with a targeted organization or industry vertical. Partner and associate organizations are more likely to be targets of DDoS attacks, attempts to compromise systems and efforts to expose sensitive information.  

For groups like Anonymous, the publicity they generate for their cause is almost as important as the effectiveness of the attacks themself. They will circle a target like a vulture does to its prey in hopes of obtaining screenshots of a downed website as evidence of their success. Another common practice is to probe and compromise a site weeks, or in some instances even months, before the published start date of a campaign and then post their "evidence" during the campaign itself. This technique allows the group to claim success despite the target's due diligence and defenses.  

As always, organizations should proactively look for data breach techniques, such as SQL injection, command injection, potential phishing, etc. Historically, many organizations targeted by these campaigns have opted to remain silent when an attack event does occur. On the other hand, some organizations have decided to publicly respond to these attacks. If an organization chooses to do so, it is important to respond carefully. Any public statement could potentially challenge the actor directly, and put your organization at greater risk, encouraging more attacks.

There is a high probability that these groups will facilitate attacks via different attack vectors, various techniques and new methodologies. It is recommended that organizations have multi-layered defenses in place. Review your alerts frequently and update rules as necessary. Work with your Akamai account team to ensure that any new rules are activated and all associated configurations for your account are up to date and properly set. Proactively audit and monitor your environment for any abnormal activity such as an increase in alerts, growing latency or account degradation.

Akamai encourages any organization that is the target of a hacktivist attack to communicate with  Akamai's SIRT. Providing timely and accurate attack data, Akamai can then share the anonymized intelligence, customer permitting, with law enforcement or other government agencies to assist. Akamai SIRT will continue to monitor the ongoing campaigns as well as future identified events and will issue further advisories, should it be warranted.