Federal contractor IRC Federal was forced to take its website offline Friday after hacktivists illegally accessed the company's networks and posted emails and other sensitive documents.
The hack was claimed by members of the AntiSec movement, largely composed of followers of the rogue hacktivist group Anonymous, which includes the now-defunct LulzSec hackers who had previously breached multiple companies and organizations in a fifty-day hacking spree.
IRC Federal is a private company that holds contracts with the Department of Defense, the Department of Justice, the U.S. military and NASA, among others.
The AntiSec group posted the emails and documents on Pastebin, claiming the breach was orchestrated using a SQL injection attack against the company's website, one of the most common exploits in the hacktivist's toolbox.
The Pastebin data dump included the following explanation of the unauthorized system access and theft of data:
Today we release the ownage of another government-contracted IT company, IRC Federal. They brag about their multi-million dollar partnership with the FBI, Army, Navy, NASA, and the Department of Justice, selling out their "skills" to the US empire. So we laid nuclear waste to their systems, owning their pathetic windows box, dropping their databases and private emails, and defaced their professional looking website.
In their emails we found various contracts, development schematics, and internal documents for various government institutions including a proposal for the FBI to develop a "Special Identities Modernization (SIM) Project" to "reduce terrorist and criminal activity by protecting all records associated with trusted individuals and revealing the identities of those individuals who may pose serious risk to the United States and its allies". We also found fingerprinting contracts for the DOJ, biometrics development for the military, and strategy contracts for the "National Nuclear Security Administration Nuclear Weapons Complex".
Additionally we found login info to various VPNs and several Department of Energy login access panels that we are dumping *live* complete with some URLs to live ASP file browser and upload backdoors - let's see how long it takes for them to remove it (don't worry we'll keep putting it back up until they pull the box ;D)
Before we begin the drop, a personal message to the employees of IRC Federal:
If you place any value on freedom, then stop working for the oligarchy and start working against it. Stop aiding the corporations and a government which uses unethical means to corner vast amounts of wealth and proceed to flagrantly abuse their power. Together, we have the power to change this world for the better.
Followers of the AntiSec movement believe that exploiting otherwise easily mitigated vulnerabilities such as SQL injections, and publicly embarrassing companies, organizations and government agencies by exposing sensitive and potentially embarrassing materials, will inspire better overall security practices.
Critics counter that notifying those same organizations of security lapses and providing enough lead time for rectification of the vulnerabilities would be enough to accomplish the same goal, and that the antics of Anonymous and the AntiSec movement are more of an exercise in self-gratification and ego enhancement than an effort to improve overall security in information systems.