Hackers protest Georgia’s SB 315 anti-hacking bill by allegedly hacking Georgia sites

Hackers claim to have credentials from the City of Augusta and Georgia Southern University and to have defaced the websites of an Augusta church and two restaurants. As if hacking sites will get the governor to veto a hacking bill.

Hackers protest Georgia’s anti-hacking law by hacking Georgia sites
Boston Public Library (CC BY 2.0)

As Senate Bill 315 sits on Georgia Governor Nathan Deal’s desk, awaiting either his signature of approval or a veto, a group of vigilante hackers going by SB315 have reportedly been attacking Georgia sites and threatening retaliation if the bill becomes law. It’s unclear why the group believes that a hacking spree will help convince the governor that a very vague hacking bill is a terrible idea.

According to The Augusta Chronicle, the hacking group first took credit for hacking the City of Augusta and defacing the website of Calvary Baptist Church of Augusta. The City of Augusta denied it was hacked. Shortly thereafter, the hackers claimed to have targeted Georgia Southern University and the sites for two Augusta restaurants: Blue Sky Kitchen and Soy Noodle House. The hackers, purportedly mostly from Georgia, are protesting SB 315 and attempting to “draw attention” to the “unintended consequence of that bill.”

Did the hacking group really steal cities' information?

Claiming to have breached the City of Augusta, the hacking group SB315 sent The Augusta Chronicle a list of email and password credentials. Augusta’s IT deputy director checked the credentials and said the list was bogus. “100 percent” of the passwords were invalid and half of the email addresses were for people who no longer worked for the city.

SB315 spokesperson “augustadave” claimed the group also has information stolen from other cities, “although it’s been decided that Atlanta should be avoided due to the ransomware; they have enough problems.” He added that “larger, more prominent targets have been identified and compromised in advance, in case SB 315 is still on the table. This is just a demonstration of what’s to come.”

The pastor of Calvary Baptist Church confirmed its website had been hacked. The defacement included a link to the EFF, which has warned against SB 315 several times, as well as a long statement.

Despite the list of email addresses and passwords sent to The Augusta Chronicle, Georgia Southern University claimed that “its ‘accounts have not been compromised’ and that ‘the information is not from our web site.’”

The two restaurants, however, which happen to have the same owner and use the same website designer — the same one the church used — were clearly defaced.

The group left the same message as it did on the church’s site; it included, “This vulnerability could not be ethically reported due to SB 315” and linked to a post by the EFF.

The Augusta Chronicle also reported the hacking group said:

“Up until this week, Georgia has positioned itself as a hub for cybersecurity research, with well-regarded university departments developing future experts,” the post continues, also noting the creation of the Hull McKnight Georgia Cyber Center for Innovation and Training in Augusta, although it mistakenly lists it as a $35 million investment when it is actually now more than $100 million altogether.

“Cybersecurity firms — and other tech companies — considering relocations to Georgia will likely think twice about moving to a state that is so hostile and short-sighted when it comes to security research,” the post said. “S.B. 315 is a dangerous bill with ramifications far beyond what the legislature imagined, including discouraging researchers from coming forward with vulnerabilities they discover in critical systems. It’s time for Governor Deal to step in and listen to the cybersecurity experts who keep our data safe, rather than lawmakers looking to score political points.”

How Georgia's SB 315 anti-hacking bill came to be

The anti-hacking legislation came about after a Georgia security researcher warned Kennesaw State University (KSU) that a server used by its election center was vulnerable to a data breach and millions of Georgia voter records had been exposed. KSU had failed to properly secure the machines. A year later, another security researcher discovered the voter data was still publicly available for download, as KSU had still failed to fully address the issue.

In a knee-jerk reaction, KSU reported both security researchers to the FBI. Additionally, Georgia’s attorney general asked for legislation that would criminalize “unauthorized access” to computer systems — even if its research done by white-hats that is neither malicious nor harmful.

It could criminalize security research and responsible vulnerability disclosure, sending white-hat researchers to jail for a year and fining them $5,000. It could also allow companies to “hack back.” In a letter to the governor, Tripwire CTO David Meltzer wrote, “The vague definitions of SB 315 could enable frivolous lawsuits by vendors looking to hide their security defects.”

All in all, it’s a very bad bill, but that is how SB 315 came about; the state legislature passed the bill and it is awaiting Deal’s signature or veto. Hundreds of researchers and academics have pointed out how flawed the bill is.

While the bill is horrible, it’s unclear how a group of allegedly ethical hackers would believe that breaking the law and attacking/defacing sites is a form of protest that would help the governor decide against SB 315.

NEW! Download the Winter 2018 issue of Security Smart