screenshot, 12/8/16.“Olá, Rio de Janeiro.” So began the August 5 Facebook posting of Anonymous Brasil hours before the opening ceremony of the Olympics. The hacktivist collective then proceeded to take the Brazilian government to task for hiding the city´s widespread poverty, vicious evictions, police violence and the suppression of protesters behind the glitter of the Games.
A wave of denial of service (DDoS) attacks on state and city websites followed immediately after Anonymous delivered their statement. The group boasted taking down at least five sites, including www.brasil2016.gov.br, www.rio2016.com, www.esporte.gov.br, www.cob.org.br and www.rj.gov.br. They broadcast their exploits using the hashtags #OpOlympicHacking, #Leaked and #TangoDown, some of which were set up months ago.
Since then, website take-downs have been coming hard and fast. On August 8, six sites were knocked offline, including Rio de Janeiro’s military police department, the Institute for Public Security, municipal garbage disposal groups and a community Internet program. Anonymous provides updates on who is coming next via its Facebook newsfeed.
This is not the first time that the Brazilian government has found itself in Anonymous’ cross-hairs. During widespread public protests that swept across the country in 2013, the collective was linked to a string of attacks on official websites of government agencies and private businesses alike. Similar attacks were reported in 2014 in the lead-up to the World Cup. Using the hashtag #OpWorldCup, hackers took down the Brazilian Intelligence Agency, the Ministry of Justice, the Ministry of Sport and companies such as Emirates group, Hyundai and the Globo group.
The latest digital strike by Anonymous is arguably one of its more potent. The group appears to have hacked and leaked personal and financial details from various Brazilian sporting associations, including the Brazilian Confederation of Modern Pentathlon (pentatlo.org.br), the Brazilian Handball Confederation (brasilhandebol.com.br), the Brazilian Confederation of Boxing (cbboxe.com.br) and the Brazilian Triathlon Confederation (cbtri.org.br).
Anonymous logo.Anonymous also claims to have hacked into the private accounts of individuals it suspects of corruption. Chief among them is Rio mayor Eduardo Paes, the Governor of Rio de Janeiro state, the Secretary of Sport and a handful of businessmen. Some of them had already been targeted a few months back. This latest wave of take-downs is occurring despite the government’s assurances that it had shored up its cyber-security defenses to protect against precisely these kinds of attacks.
Anonymous is not just targeting mega-events like the Olympics and World Cup. Earlier this year, the group shut down a number of government websites after a judicial ruling temporarily blocked WhatsApp, the popular encrypted messenging service. Anonymous temporarily closed numerous government sites in the state of Sergipe (where the judicial order to block WhatsApp originated), including the website of state’s highest court. The hacktivist group stated explicitly that these actions were in retaliation for the ban. And this April, the group hacked into a database of Anatel, Brazil’s national telecom regulator, successfully exfiltrating sensitive information.
So what do Anonymous and other hacktivists like it want? The answer is not straightforward. For some, it is about sending a strong ideological and political message to government and business groups. It is an online protest message rather than a more conventional cyber-crime. Others are motivated by the “lulz” (a corruption of LOL, or “laugh out loud”). Whatever the goals of hacktivists during Rio 2016, it is clear that the (digital) games have only just begun.
Anonymous is hardly the only group involved in cyber malfeasance. Brazil is the second most affected country in the world (after Russia) when it comes to cyber fraud and malware. A recent study identified over 3,800 malicious websites using the .gov.br domain that were set up to target government bureaucrats and officials associated with the 2016 Games. It is not surprising, then, that Brazil is ratcheting-up surveillance legislation.
Opportunities for would-be cyber-criminals are not lacking. For example, Brazil has more ATMs per capita than most European countries, including France, Germany and the UK. Cash machines, as well as restaurants and shopping venues, are ground zero during the Olympics for credit card skimming, cloning scams and more sophisticated techniques such as radio frequency interception.
Not surprisingly, the Brazilian government is taking notice. Congress has pushed through a rash of cybercrime and surveillance legislation, including proposed bills which, if passed, will make it easier for prosecutors and police to access personal data without a judicial order. And Brazil’s new anti-terrorism law, used for the first time to round up 12 alleged Brazilian ISIS sympathizers last month, already grants authorities wide discretion to define and prosecute terrorism at the expense of freedom of expression and legitimate protest.
Even before these cyber-crime and anti-terrorism bills came into effect, Brazil’s surveillance architecture was considerably well developed. This was due in part to the legacy of the 1964-1985 military dictatorship. A number of government agencies already have the authority to access and monitor the personal data of citizens. Hacktivists can be certain that the authorities are using all means at their disposal to get a better handle on Anonymous’ motivations, strategy and organizational structure.
Brazilian law enforcement has been actively monitoring Anonymous and other hacktivist groups for the past few years, both online and off. Meanwhile, digital activists claim to have been visited by federal police and some protesters have been imprisoned, sometimes preemptively. Similar kinds of operations are occurring elsewhere, and not just in Brazil. The danger is that heavy-handed efforts to suppress groups like Anonymous could put everyone’s digital liberties at risk.
Facebook screenshot, 12/8/16.