LONDON (Reuters) - - The rogue hackers behind brazen cyber attacks are clever online technicians but have a critical human frailty — petulant personalities prone to infighting that may spell disaster for their raids on spies, banks and companies.
At least that’s the hope among state cyber sleuths racing to track down the Lulz Security (LulzSec) hackers responsible for a wave of attacks on Western governments and multinational companies.
Britain arrested a 19-year-old man on Tuesday as part of a joint investigation with the U.S. FBI into LulzSec, which claims responsibility for computer attacks on the U.S. CIA, Britain’s Serious Organized Crime Agency (SOCA) and Sony Corp.
Britain’s top policeman called the arrest “very significant.” LulzSec rejected suggestions the teenager was a leading figure.
The young cyber vandals are so technically accomplished that relying on intelligence and security agencies to beat them would be a mistake, experts say. The alternative is to turn them against each other — a feat the Internet’s anonymity and the hackers’ self-absorption and competitiveness makes easier.
“Our best bet quite honestly is the fact that they are all attacking each other quite happily,” said Tony Dyhouse, a security expert at Britain’s ICT Knowledge Transfer Network.
He told Reuters that one tactic used by LulzSec’s opponents had been to post misleading messages in its name, and then sit back and watch tempers flare online.
“Although LulzSec is growing hugely in numbers, it seems to be fighting to keep itself as a cohesive unit.”
“This is our best hope, since groups like this, because they are all so ego-driven and want to remain anonymous, get different people (falsely) claiming to speak for them and so they lose control,” he said.
Steve Watts of computer security firm SecurEnvoy said the hackers were driven by fame and success “so like rival businesses they will fight for the top.”
But there is no room for complacency — an attitude cyber security specialists say remains prevalent in boardrooms.
“The reality is that the skills of many hackers - where they can code in multiple languages, trace and exploit any technological or insider vulnerability - will be a match for any trained security professional,” John Suffolk, a former Chief Information Officer of the British government, told Reuters.
Peter Wood, CEO of security firm First Base Technologies, said it was “all too easy to be complacent about what is perceived as ‘hacktivist culture’.”
LulzSec’s members are believed to be scattered around the world, working together by means of secret Internet chat rooms. Suspected leaders include hackers with the handles Kayla, Sabu and Topiary, security experts say. Hackers often use several personas to confuse sleuths.
LulzSec drew heightened attention when it said this week it was teaming up with the Anonymous hacker activist group to cause more serious trouble and obtain classified information.
But in addition to cooperating, hacker groups can also battle each other online.
A hacker group opposed to LulzSec called Team Web Ninjas started a blog this month to expose LulzSec, releasing what it said were logs of conversations from a private LulzSec chatroom and providing names of alleged leaders.
Then there are occasional tensions between LulzSec and the Anonymous group, of which it is believed to be an offshoot, despite their periodic collaboration in cyber raids.
LulzSec suffered what appeared to be a public rift within its own ranks on Tuesday evening, following news of the arrest.
In response to online statements that the group had hacked the results of Britain’s latest census and was about to release it online, the group put out a message saying that unless such a release was preceded by the words “Tango Down,” LulzSec would not have been the entity responsible.
Ryan Cleary, named by British media as the teenager arrested on Tuesday, was himself involved in a bustup with the broader Anonymous group in May, according to hacker websites, after which Anonymous retaliated by publishing his first name.
His mother, Rita, 44, told the Daily Mail her son suffered from agoraphobia and attention deficit disorder, and had not left his home for four years.
LulzSec wrote on its Twitter website: “Clearly the UK police are so desperate to catch us that they’ve gone and arrested someone who is, at best, mildly associated with us. Lame.”
In a comment on a hacker chatroom on Tuesday, a participant wrote: “He hasn’t gone to jail and won’t. It’s just the police trying to get information on LulzSec, which I should imagine is why they are hyping it up (60 years in jail) to get him to talk.”
LulzSec has also published the names and personal details of two individuals it says were members, in retaliation for what it said was the disclosure of information about the group to law enforcement authorities.
Dyhouse said enmities were such that it appeared that sometimes “it doesn’t need us to set them against each other.... There’s no honor amongst thieves.”
Additional reporting by Mohammed Abbas in Wickford; Editing by Peter Graff