(U//FOUO) DHS Bulletin: Anonymous Upcoming U.S. Operations Overview

This DHS National Cybersecurity and Communications Integration Center (NCCIC) bulletin was released by Anonymous as a teaser ahead of an upcoming leak. The date of the bulletin is believed to be September 1, 2011 due to the document’s metadata and references made in other NCCIC bulletins.  For other NCCIC bulletins regarding Anonymous and LulzSec, please see our collection.


  • 6 pages
  • For Official Use Only
  • September 1, 2011


(U) The loosely organized hacking collective known as “Anonymous” has announced through several mediums that they plan on conducting cyber attacks, peaceful protests, and other unspecified activity targeting a variety of organizations. The purpose of this product is to judge the likelihood of occurrence for these events, as well as the potential impact.

(U//FOUO) Occupy Wall Street (OWS): DHS/NCCIC assesses that it is likely peaceful protests will occur on Wall Street on 17 September 2011. These protests may be accompanied by malicious cyber activity conducted by Anonymous.

(U//FOUO) Operation FaceBook (OPFB): DHS/NCCIC assesses that it is unlikely that a coordinated or sophisticated cyber attack will be conducted by Anonymous (at large) targeting FaceBook.com (FB) on 5 November 2011. However, there remains the possibility that low-level or lone-wolf attempts may occur.

(U//FOUO) Project Mayhem (PM): DHS/NCCIC assesses that a combination of inconsequential physical mischief and potentially disruptive malicious cyber activity will be conducted leading up to the culmination date of 21 December 2012. At this point, specific tactics, techniques and procedures (TTP) are unknown.

(U//FOUO) Operation Halliburton: Little is known about this potential upcoming operation. DHS/NCCIC assesses that targeting US corporations is consistent with past Anonymous targets.

(U) Anonymous has devoted resources to creating new cyber attack and exploitation tools:

(U) Anonymous claimed publicly it will be deploying a new DDoS tool called #RefRef in September. There have been several publicly disclosed tools claiming to be versions of #RefRef however there has been nothing to validate these claims.

(U//FOUO) The recent release of a distributed denial of service (DDOS) tool known as “Apache Killer,” that could be leveraged by Anonymous poses a significant risk to organizations that are operating vulnerable internet facing Apache web servers.

(U//FOUO) DHS/NCCIC’S OWS ASSESSMENT: The ideologies set forth by Adbusters seem to align at a basic level with the stated intent of Anonymous’ newly adopted Hacktivist agenda. These protests are highly likely to occur due to the high level of media attention garnered by the partnership between Adbusters and Anonymous, and due to the heightened media response to the San Francisco BART protests. Though the protests will likely to be peaceful in nature, like any protest, malicious individuals may use the large crowds as cover to conduct illegal activity such as vandalism. Judging based on past behaviors by the group, Anonymous’ participation in these protests may include malicious cyber activity, likely in the form of DDOS attacks targeting financial institutions and government agencies.

(U) Several racist, homophobic, hateful, and otherwise maliciously intolerant cyber and physical incidents throughout the past decade have been attributed to Anonymous, though recently, their targets and apparent motivations have evolved to what appears to be a hacktivist agenda.

(U) Anonymous utilizes a crude target nomination procedure, outlined below, that is coordinated on one of several communications mediums – IRC, websites (#chan, etc), insurgency wiki, or anonymous meme themed website:

1. An individual on the communications medium posts an appeal to Anonymous leadership requesting members to target a victim;
2. Those individuals who agree, follow suit with vague details given as to intentions and/or tactics;
3. “Lulz ensue,” or they don’t;
4. If “lulz ensue,” go back to step 2 and see if more people join the action, or;
5. Lose interest.

(U) Anonymous utilizes several tactics to humiliate victim individuals and organizations. The most common involve:

  • “Dropping someone’s docs,” or exfiltrating information from a compromised system and posting it publicly;
  • Pranks targeting victims in real life (IRL) leveraging stolen personally identifiable information (PII), such as unwanted pizza delivery, telephone or fax machine harassment, and other tactics;
  • Defacing websites or social network profile pages to embarrass and/or annoy organizations; DOS / DDOS attacks.


Share this: