UK government launched DoS attack against Anonymous hackers doing the same thing

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

LulzSecIt’s not just hackers who launch denial-of-service attacks. Sometimes it’s the people who catch the hackers who launch them too.

New documents revealed by NSA whistleblower Edward Snowden have revealed not only that UK law enforcement agencies have engaged in denial-of-service attacks which can flood websites with so much traffic that they become effectively inaccessible, but that they have attempted to disrupt hacktivists by using the same technology.

One group of denial-of-service attackers get caught and sent to jail. The other group seemingly gets away with it, because they have the approval of the British government.

In May 2013, members of the notorious LulzSec hacking gang – a splinter group from the Anonymous hacktivist movement – were imprisoned by a British court after they were found guilty of launching distributed denial-of-service (DDoS) attacks, amongst other computer-related crimes.

Sign up to our free newsletter.
Security news, advice, and tips.

Victims of the LulzSec DDoS attacks included the CIA, the UK’s Serious Organised Crime Agency, Sony, News International and the controversial Westboro Baptist Church.

CIA under DDoS attack

LulzSec’s activities have been well documented – not least because their spokesman “Topiary” was courting the world’s media on Twitter, providing a running commentary on each and every denial-of-service attack launched from the group’s “Lulz Cannon”.

Tweets from LulzSec about DDoS attack on SOCA

However, as NBC News reports, a division of the UK’s GCHQ surveillance agency known as the Joint Threat Research Intelligence Group (JTRIG) used hacking techniques to disrupt the communications and activities of Anonymous and LulzSec hackers.

Leaked slides

This included a denial-of-service attack dubbed “Rolling Thunder” designed to disrupt internet chat rooms being used by LulzSec.

NBC News says that this makes the British government “the first Western government known to have conducted such an attack.”

What’s unclear is whether GCHQ completely followed in LulzSec’s footsteps. After all, the hackers often used a botnet of innocent compromised computers to launch their attacks. We don’t know if GCHQ went that far – or preferred to use computers under their own (legitimate) control to disrupt the hacktivists’ communications.

Jake Davis, the real identity of LulzSec’s “Topiary”, who was found guilty for his involvement in LulzSec DDoS attacks was less than impressed by the news, posting the following tweet this morning:

https://twitter.com/DoubleJake/status/430977340131143680

For its part, GCHQ asserted to NBC News that it operates within the law:

“All of GCHQ’s work is carried out in accordance with a strict legal and policy framework,” said the statement, “which ensure[s] that our activities are authorized, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Parliamentary Intelligence and Security Committee. All of our operational processes rigorously support this position.”

So now you know. GCHQ launched a denial-of-service attack, and it was overseen by the British government.

You can find out much more by reading the NBC News report: “War on Anonymous: British Spies Attacked Hackers, Snowden Docs Show”


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “UK government launched DoS attack against Anonymous hackers doing the same thing”

  1. Nick

    "That our activities are authorized, necessary and proportionate, and that there is rigorous oversight"

    So much bullshit in one statement. This is a double standard. The government can do anything illegal and no one is there to arrest them for it.

    "Authorized"

    Authorized by who? The U.K government, the courts?

    "Necessary"

    The U.K government was costing the owner of the web server money and reputation, is he going to be paid back? Is it really necessary to DDOS chatrooms? Lulzsec would just move to another chatroom.

    "Rigorous Oversight"

    By who? If by rigorous oversight you mean blindfolding yourself and shooting everyone in the foot. Then sure.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.