Lulz Security (or LulzSec), the puckish cyber marauders, burst onto the scene last month, defiling the websites of organizations as august as Sony, PBS, Fox — even the CIA and the United States Senate. And just as quickly, LulzSec has dissipated into the ether, announcing this past weekend that it was disbanding, only a week after the group announced it was joining forces with another hacker group, Anonymous, to wage war on the world’s major institutions.
A little late to this party, but have you been wondering about that strange name while reading those stories in the past month? Here’s a primer of what was — and may still be — a grade-A team of mischief makers.
What was LulzSec?
LulzSec emerged suddenly, forcefully and seemingly out of thin air last month. Early on, the group set its sights on Sony, targeting the electronics giant on multiple occasions. (It’s unclear whether LulzSec, Anonymous or another party entirely was responsible for the massive PlayStation Network hack that plagued Sony in May and exposed 70 million members’ data. But, regardless of its inolvement in that particular coup, LulzSec has continuously terrorized Sony with relish.)
The job that first propelled LulzSec into the public consciousness, however, was its attack on PBS’ website on May 30. After obtaining log-in information, the hackers infiltrated PBS’ content management system and posted an article purporting that dead rapper Tupac Shakur was hiding out in Australia, living, breathing and hanging out with the late Biggie Smalls. The job was retaliation, LulzSec said through its Twitter feed, for a documentary PBS aired that painted WikiLeaks in an unfavorable light.
On June 14, what LulzSec dubbed “Titanic Takeover Tuesday,” the group targeted a number of gaming communities, including a magazine website (the Escapist), and several games — EVE Online, Minecraft, League of Legends — as well as an IT security firm called Finfisher that “sell[s] monitoring sotware to the government.”
Later, it obtained and released 62,000 email addresses, and encouraged its Twitter followers to use the data to access accounts associated with the breached data in order to cause havoc. (You can find out if your email address was compromised here.)
LulzSec’s own tally of targets includes “PBS, Sony, Fox, porn websites, FBI, CIA, the U.S. government, Sony some more, online gaming servers (by request of callers, not by our own choice), Sony again, and of course our good friend Sony.”
And then came Operation Anti-Security, a venture that joined LulzSec with the even more notorious hacker collective Anonymous. The two announced on June 20 that they were teaming up to target the world’s governments and financial institutions. The most visible event during the week-long effort was an attack on the Arizona Department of Public Safety — a project called “chinga la migra, or “F___ the border police” — that included the release of documents not meant for public consumption.
On Saturday, in one final act of Web belligerence, the group released compromised user data from AOL, AT&T and a number of other sources. (You can find out if your information was dropped by the group here.)
Through its run, the group released sensitive data it poached from its victims through its website, and communicated with the world through its Twitter feed, “The Lulz Boat.”
Why did LulzSec disband? Did it have anything to do with that guy the British arrested?
The British arrested 19-year-old Ryan Cleary last week, a hacker with reported connections to LulzSec. While early reports claimed Cleary was the group’s leader, the Lulz Boat Twitter feed continued to churn out messages, and the group denied any links to Cleary. Some outlets, such as Gawker, reported that Cleary merely hosted the chat room where LulzSec had been organizing. And the attacks didn’t stop with the arrest. In general, though, Cleary’s actual links to the group remain unclear.
In terms of the group’s dissolution, rumors abound. Many speculated that LulzSec eventually caved to pressure from law enforcement, or from other hacker factions. But the group itself says it had always planned a short shelf life – specifically, “50 Days of Lulz.”
In an interview with the AP, one LulzSec member said:
We’re not quitting because we’re afraid of law enforcement. The press are getting bored of us, and we’re getting bored of us.
But, lest you think all is well in the world …
LulzSec has reportedly been absorbed by Anonymous, and the hacking doth continue ad infinitum.
What will LulzSec’s legacy be?
Unlike its more famous compatriot, Anonymous, LulzSec continually claimed it was mainly in it to cause trouble for the sake of trouble. In a “manifesto” released a couple of weeks ago, members said:
Yes, yes, there’s always the argument that releasing everything in full is just as evil, what with accounts being stolen and abused, but welcome to 2011. This is the lulz lizard era, where we do things just because we find it entertaining. [...]You find it funny to watch havoc unfold, and we find it funny to cause it. We release personal data so that equally evil people can entertain us with what they do with it.
Indeed, LulzSec attacks have been characterized, by and large, as random whims, as if the group has simply “spun the cannons and fired” wherever they happened to point. It appeared as if they weren’t so much interested in targeting specific companies as they were with proving the meager heft of Internet security.
In the words of security analyst Patrick Gray:
LulzSec is running around pummelling some of the world’s most powerful organisations into the ground … for laughs! For lulz! … Surely that tells you what you need to know about computer security: there isn’t any.
If LulzSec has any lasting legacy to speak of, it’s proving exactly that point.