The hacker group LulzSec claimed credit Wednesday for taking down the CIA’s Web site for a couple of hours, the latest in a string of embarrassing Web site disruptions the group has pulled off — apparently more to poke fun and highlight vulnerabilities than to cause real damage.
At 5:48 p.m., LulzSec, which dubs itself “the world’s leaders in high-quality entertainment at your expense,” posted an alert on Twitter: “Tango down — cia.gov — for the lulz.”
The site was back up by 8 p.m.
But the fact that the group could penetrate Web sites and harvest system administrators’ credentials underscores the risks of failing to secure sites, experts said.
“Web sites are the low-hanging fruit,” said Richard Stiennon, a cyber expert and author of “Surviving Cyberwar.” “But the Web sites are running on a server. Once you completely own the server that the Web site is on, you can watch the insiders log in and record their activity, and that can be a front door into the organization.”
In recent weeks, LulzSec has claimed credit for hacking or bringing down Web sites belonging to PBS, Sony, the U.S. Senate and the Atlanta chapter of InfraGard, a public-private partnership between the FBI and the private sector dedicated to sharing information and intelligence to prevent hostile acts against the United States.
In the case of InfraGard, LulzSec stole and published 180 user names, passwords and e-mail addresses of members. When it hacked the Senate site, it published the user names and passwords of system administrators — enough to show that the group had done it.
LulzSec, Stiennon said, spun off from Anonymous, another hacker group that has claimed responsibility for Web site attacks against organizations that it perceived as hostile to WikiLeaks, an anti-secrecy Web site that has published massive amounts of leaked U.S. government documents.
Anonymous, in turn, he said, spun off from users of 4chan, a collection of uncensored online message boards — a site “for hackers and geeks to hang out.”
“LulzSec’s motivation appears to be to doing it for grins and giggles,” he said. “This is a very old hacker mentality, which is if you’re vulnerable, you’re stupid and deserve to be embarrassed and taken out.”
LulzSec, which also calls itself “The Lulz Boat,” has a somewhat “anarchistic” agenda, he said. “They’re against government control of information, much as they’re against media control of music and movies.”
Last month, after PBS’s “Frontline” ran a documentary on WikiLeaks that LulzSec perceived as unfair, the group hacked into PBS’s site and posted a fake article claiming that rapper Tupac Shakur was alive and living in New Zealand.
The assault on the CIA was by denial of service, or overloading the site’s server with requests for access.
CIA spokeswoman Marie Harf said the agency is “looking into these reports.”
Similar denial-of-service attacks were carried out against Sony gaming sites last week. LulzSec claims to have 1 million user names and passwords for subscribers to these sites, Stiennon said.
As opposed to being “uber hackers working for a foreign agency,” LulzSec basically publishes its findings for entertainment, he said. One sign it might be working, he said, is that the group has more than 158,000 followers on Twitter.
Just this week, it posted a hotline number on its Twitter feed to take suggestions for what sites to hack next.
By Ellen Nakashima