Menu
Browse

Cyber Threat Actor: AnonSec

Aliases: 3 aliases
Actor Type Location Known Incidents
 Icon
Activist
United States of America
5 incidents
Profile

The threat actor operates under the aliases AnonSec, AnonSquad and AnonCoders, with open‑source references indicating a base of operations in the United States of America. Public reporting shows the group has been active since at least 2013, conducting a mix of data theft, website defacement and attempts to disrupt operational technology. Their self‑described motives vary from financial gain to ideological messaging, but the actor consistently distances itself from the broader Anonymous collective and claims no formal ties to state sponsors or criminal syndicates.

Targeting patterns observed in attributed incidents span several sectors and geographic regions. The actor compromised a commercial fashion gaming platform, extracting user credentials that later appeared in underground markets, indicating a financially driven data‑theft motive. Government and defense entities were also hit, including the Israel Missile Defense Association where usernames and password hashes were dumped, and NASA systems from which employee personal data, flight logs and aerial footage were exfiltrated. Media organizations such as Radio Tel Aviv and the French broadcaster TV5Monde suffered website defacements aimed at spreading political messages, while a political party site in Kentucky was altered to promote a social‑issue narrative. These examples demonstrate a focus on targets in the United States, Israel and France, with objectives ranging from profit through data sale to disruption of services and propagation of ideological content.

The actor’s tactics, techniques and procedures rely on a limited but repeatable set of methods. Initial access to NASA was obtained by purchasing credentials for a system already infected with the Gozi malware, which facilitated lateral movement to backup drives. The fashion gaming platform breach exploited unresolved SQL injection vulnerabilities, allowing the extraction of email addresses and weakly MD5‑hashed passwords. Website defacements were achieved through straightforward web‑application exploits that enabled replacement of homepage content with attacker‑supplied messages. In the NASA case the actors claimed to have altered a drone’s route file to attempt a crash, showing a willingness to manipulate operational files for disruptive effect. No advanced zero‑day exploits or custom malware families beyond the observed use of Gozi are documented in the source material.

Attribution to a state sponsor or a recognized criminal consortium has not been established in public sources; the group explicitly states it does not collaborate with Anonymous and operates independently. Representative campaigns that illustrate the actor’s range include the 2013 NASA intrusion involving data exfiltration and a drone‑interference attempt, the 2015‑2016 fashion gaming platform breach that yielded millions of credentials for underground sale, the 2015 Radio Tel Aviv defacement promoting an ideological stance, the 2015 Republican Party of Kentucky website alteration coupled with a claim of responsibility for the TV5Monde broadcast disruption, and the 2015 credential dump from the Israel Missile Defense Association. These incidents collectively reflect the actor’s reliance on credential theft, SQL injection and simple web defacement to achieve financial, disruptive and ideological outcomes.

Incidents
Attributed incidents available to members
5 incidents
Sources
Sources available to members
3 sources