The operators of the WikiLeaks Web site are in the midst of a game of virtual dodge ball, as they battle a diverse group of hackers and try to keep their stash of once confidential documents online.

The WikiLeaks site has been under attack since Sunday when it began releasing some of the more than 250,000 confidential State Department documents it has obtained. Someone portraying himself as an American patriot took credit for the first spate of disruptions to the site, a claim that security experts said was credible.

Later in the week, the organization faced more widespread attacks from armies of zombie computers in Europe, Russia and Asia that try to overwhelm Web sites with floods of requests. It is unclear who orchestrated these actions, security experts said.

WikiLeaks relies on a dispersed network of computer servers to keep its information available but sought extra computing muscle after facing so many attacks. So it turned to Amazon.com, which provides a variety of Web services to help fend off the hackers.

But on Wednesday, Amazon.com kicked WikiLeaks off its systems after inquiries from an aide to Senator Joseph I. Lieberman, independent of Connecticut. Amazon said WikiLeaks had violated its terms of service.

Then on Thursday, WikiLeaks ran into another roadblock. It was abandoned by EveryDNS.net, which is one of many companies that manage the underlying domain name system of the Internet, and act as a directory to help people find Web sites. EveryDNS.net, which provides domain names for about 500,000 Web sites, including WikiLeaks’s, said the mass influx of traffic coming from hackers put its operations at risk.

The result was that people who tried to visit the WikiLeaks site found an error message. On Friday, WikiLeaks began a mad dash to direct users to alternative routes to its site through Web addresses based in Europe.

Given the delicate political nature of the documents released by WikiLeaks, chatter in technology circles immediately centered on the notion that a government body had spearheaded the disruptions.

But security experts cautioned that the attacks were likely to remain murky because data about them had not been made public, and because it was easy for hackers to conceal their identity. “We’re at a loss as to what individuals they are and whose behalf they might be acting on,” said Dr. Jose Nazario, senior security researcher at Arbor Networks, which provides network security technology.

Still, security experts said they could glean some information about the attacks by monitoring and analyzing network traffic from around the globe. They noted that computers in eastern Europe, Russia and Thailand have bombarded WikiLeaks’s Web sites with huge volumes of requests through a network of computers known as a botnet.

A hacker will usually try to compromise thousands of computers through malicious software programs and then issue commands to the PCs. Creating and controlling a botnet does not require great amounts of expertise, so the people controlling the systems going after WikiLeaks could range from teenagers having fun to disgruntled technophiles or governments.

“There are plenty of possible actors out there, including mercenaries for hire,” said Tom Kellermann, a vice president at Core Security Technologies, which advises organizations on how to find and fix security problems.

A hacker who calls himself The Jester — or th3j35t3r — claimed responsibility for some of the initial disruptions on his Twitter account, portraying his actions as patriotic efforts meant to keep people from looking at American secrets. A former defense operative with knowledge of Special Forces activities said the hacker was a onetime military contractor who had worked on projects for Special Operations Command.

People familiar with The Jester’s hacking exploits said his claims involving the first wave of attacks were credible, but doubted that he had much to do with the later attacks. The Jester tended to favor a software-based hack that confused computer servers and required little computing horsepower to execute. The most recent attacks on WikiLeaks came from the botnets, which pounded Web sites with high volumes of traffic. “The second round of attacks don’t appear to fit his profile or tools,” said Michael S. Menefee, the founder of Infosec Island, a popular forum for security experts.

By Friday, WikiLeaks was directing users to Web addresses in a number of European countries, including Switzerland, Germany, Finland and the Netherlands. This was WikiLeaks’s effort to solve the problems caused when EveryDNS.net dropped it.

The Swiss domain, WikiLeaks.ch, is registered to the Swiss branch of the Swedish Pirate Party, a political organization that has previously worked with Julian Assange, the founder of WikiLeaks. WikiLeaks continues to distribute information from a Web site hosted by a Swedish company, Bahnhof.

Correction: January 8, 2011

An article on Friday about a legal dispute between American sunken treasure hunters and the government of Spain, in which the treasure hunters are using some of the confidential diplomatic cables obtained by WikiLeaks, referred incorrectly to the release of those cables. WikiLeaks has 251,287 cables and has released all of them to several news organizations; it has not released all of them publicly. (According to the State Department, about 2,700 of the cables have been made public to date.) The error also appeared on Dec. 4 in an article about the cables and in an Inside The Times capsule summary for that article.
