12.11.10

Hackers’ Most Destructive Attacks

From a computer virus named for a stripper to swarming botnet attacks on the Pentagon and Microsoft, The Daily Beast lists the 10 most infamous hacks, worms, and DDoS takedowns in the last 25 years.

The unending cyber assault executed last week by a group of anonymous “hacktivists” instilled fear and loathing in the hearts of network administrators at some of the world’s most powerful governments and corporations. It was unprecedented in its scope—attracting thousands of amateur users willing to do battle in the name of free speech on the web.

But amongst the real hackers out there is a feeling of indifference. These “script kiddies”—as those using software to attack Visa, MasterCard, and PayPal are being called—weren’t the cyber warriors the media made them out to be, but amateur, talentless teens launching assaults with the click of a mouse.

Since the early days of computers, these real hackers, coders, and phreaks have been orchestrating ruthlessly damaging attacks on the networks of governments, corporations, and other large organizations. A few of them faced years in jail and thousands of dollars in fines. Others went undercover. The lucky ones launched careers, becoming experts in the field they once sought to destroy.

Below, The Daily Beast runs through 10 of the most infamous hacks, worms, and DDoS takedowns in the last 25 years, from a computer virus named for a stripper to the mysterious 102nd caller at Los Angeles’s KIIS-FM.

10. June, 1990: Kevin Poulsen Vs. KIIS-FM

Kevin Poulsen was a teenage telephone hacker—a phreak—when he hacked the phone lines to be the 102nd winning caller on Los Angeles-area radio station KIIS-FM's "Win a Porsche By Friday" contest. In the ensuing months, he also allegedly wiretapped a Hollywood actress and hacked into Army and FBI computers. After Poulsen spent months on the run, the FBI charged him with a series of fraud and laundering offenses. He was sentenced to 51 months in prison, ordered to pay $56,000 to the burned radio stations, and banned from touching a computer for three years. Today, Poulsen is a journalist with Wired.com and runs its Threat Level blog—where, on June 6th of this year, he was first to report that Pfc. Bradley Manning was the source for Wikileaks.

9. February 2002: Adrian Lamo Vs. The New York Times 

Adrian Lamo is making headlines these days for being the hacker Pfc. Bradley Manning confessed to after leaking 400,000 stolen diplomatic cables to Wikileaks. But before this summer, Lamo—"The Homeless Hacker"—was better known for hacking into the servers of companies like the New York Times from Kinko's shops and Starbucks cafes. In February 2002, having snuck inside the Grey Lady's database, Lamo added his name to a list of Op-Ed contributors and spent endless hours searching for himself on Lexis-Nexis—3,000 searches in 3 months—a "serious offense," per the Times. The FBI claimed the Lexis-Nexis searches cost the Times $300,000, and Lamo faced 15 years in jail for the breach. In the end, Lamo was sentenced to two years' probation and 6 months' home detention, and ordered to pay $65,000.

8. January 2008: Anonymous Vs. Scientology 

In Anonymous’s big “coming out party,” the now infamous group of loosely-connected “hacktivist” computer users targeted the Church of Scientology in an operation dubbed “Project Chanology.” The group’s mass-DDoS attack, coordinated using the same software program used to fight for Wikileaks this week, targeted Scientology.org, momentarily knocking it offline. Their goal: to “save people from Scientology by reversing the brainwashing.” At the time, a security expert monitoring the traffic generated by the DDoS attacks said it was “in the middle of attack sizes,” noting, “It's not just one or two guys hanging out in the university dorms doing this.”

7. February, 2000: Mafiaboy Vs. Yahoo, CNN, eBay, Dell, & Amazon

The first major distributed denial-of-service (DDoS) attack responsible for crippling some of the internet's most popular websites was executed at the hands of a Canadian citizen not old enough to drive. "Mafiaboy," a.k.a. 15-year-old Michael Calce, set out to make a name for himself in February 2000 when he launched "Project Rivolta," which took down the website of the #1 search engine at the time—and second-most popular website—Yahoo. Thinking it may have been a fluke, he went on to batter the servers of CNN, eBay, Dell, and Amazon in a wave of highly-publicized attacks that were the first to show the world how easily one kid can knock out major websites. Calce was ultimately picked up by Canadian police—while watching Goodfellas, allegedly—and pleaded guilty to hacking. He faced 3 years, but was sentenced to eight months in a juvenile detention center and forced to donate $250 to charity.

6. November 2008: Unknown Vs. Microsoft Windows (& the World) 

If there's one word that causes shudders in internet security circles, it's Conficker. Starting in late 2008, the Conficker worm exploited vulnerabilities in a number of Microsoft operating systems. Once it takes over an infected machine, it links unwilling computers together into a massive botnet that can be controlled by its authors, whoever and wherever they are. Since its first detection, Conficker has infected millions of computers and business networks in countries around the world, as authorities struggle to identify its authors—some say they may be military—and stamp out the threat. (Protect yourself with this Conficker Removal Tool.)

5. August, 1999: Jonathan James Vs. U.S. Department of Defense

Jonathan James is one of history’s most infamous computer hackers. In 1999, he broke into military computers at the Defense Threat Reduction Agency and intercepted thousands of confidential messages, log-in information, and $1.7 million in software that controlled the living environment on the International Space Station. Once detected, his breach led NASA to shut down its network for three weeks that fall, costing thousands of dollars in security upgrades. In 2007, James committed suicide. In his suicide note, he denied having anything to do with a recent spate of computer takes that he was being investigated for, and wrote he “lost control over this situation, and this is my only way to regain control.”

4. August, 2009: Russia Vs. Georgian blogger “Cyxymu”

Social networking sites with hundreds of millions of users crawled to a halt for hours during the summer of 2009 as DDoS attackers operating from within Russia—it was alleged—sought to silence Georgian blogger “Cyxymu.” “Maybe it was carried out by ordinary hackers but I'm certain the order came from the Russian government,” he told The Guardian at the time, as Facebook’s head of security Max Kelly added, “It was a simultaneous attack across a number of properties targeting him to keep his voice from being heard.”

3. March 1999: David L. Smith Vs. Microsoft Word & Excel

In 1999, New Jersey resident David L. Smith gave a stripper in Florida the ultimate gift: a computer virus that bared her name. Using a stolen America Online account, Smith posted a Word document infected with "Melissa" to Alt.Sex, a discussion group on America Online, purporting it to be a list of usable log-in information to pornography sites. Smith's virus spread via email, forwarding itself to fifty email accounts in Microsoft Outlook on every infected computer, which, over time, overloaded email servers and forced companies such as Microsoft, Intel, Lockheed Martin, and Lucent Technologies to shut down their email networks. In the end, Melissa performed viral lap dances on upwards of one million infected PCs and caused $80 million in damage. For unleashing the virus, Smith faced 10 years in jail and $5,000 in fines, but served just 20 months behind bars.

2. July, 2009: Unknown Vs. United States & South Korea

For three days in July, 2009, the web sites of South Korea’s largest daily newspaper, a large-scale online auction house, a bank, the country’s president, the White House, the Pentagon and U.S. Forces Korea—to name a few—came under DDoS attack as upwards of 166,000 computers in a botnet unleashed wave after wave after wave of a data-powered onslaught. Some believed operatives at North Korea’s telecommunications ministry were to blame, using a backdoor for the infamous Mydoom worm of 2004, but this has never been proven.

1. November, 1988: Robert Tappan Morris Vs. The World

Robert Tappan Morris created a monster. In 1988, while enrolled as a graduate student at Cornell University, Morris designed a self-replicating worm and gave it a mission: go out to determine the size of the internet. It backfired, replicating itself beyond control as it infected thousands of computers (a lot at the time!), caused millions of dollars in damage, and inspired the U.S. government to create an emergency response for computers—CERT. Morris was eventually charged under the Computer Fraud & Abuse Act for his accidental crimes and ordered to pay $10,000 and do 400 hours of community service. The source code was archived on a black 3.5-inch floppy disk now on display at the Boston Museum of Science.

Brian Ries is tech and social media editor at The Daily Beast. He lives in Brooklyn.