DOCUMENT: Internet, Crime

FBI Targets 12 In Koch Industries Online Assault

Affidavit details probe of attack on GOP benefactors


View Document

Koch Industries Attack

JULY 26--As part of its multi-front assault on “Anonymous,” the FBI has identified 12 “targets” it alleges participated in coordinated online assaults earlier this year against business web sites operated by Koch Industries, the Kansas-based conglomerate owned by billionaire brothers--and leading Republican benefactors--Charles and David Koch, The Smoking Gun has learned.

Details of the ongoing criminal investigation are contained in a confidential FBI affidavit obtained by TSG. That document, excerpted here, includes the names, addresses, and IP numbers of a dozen U.S. residents who are subjects of the federal probe of a series of distributed denial of service (DDoS) attacks on Koch Industries web sites in February and March.

FBI agents last week raided the homes of individuals suspected of engaging in the Koch Industries DDoS campaign. The bureau’s target list appears to be a mix of actual DDoS participants as well as individuals whose names appear on the accounts from which attacks were launched.

So while the list includes the names of a college student studying computer science and a systems administrator/blogger who has written negatively about the Koch brothers's views on global warming, other targets appear to be the parents or relatives of DDoS participants, like the Ohio university administrator with two sons or the 51-year-old Iowa woman who works as a project manager for an insurance company or the 83-year-old Florida grandmother. Perhaps some targets simply never bothered to password protect their wireless Internet router, in the process giving others free access to their IP address.

Since the FBI affidavit likely includes the names of individuals who had nothing to do with the Koch Industries blitz, TSG has obscured the 12 names. A review of federal court records indicates that none of the targets listed in the affidavit have been charged in connection with the illegal DDoS campaign.

The FBI identified the targets with the aid of “firewall logs” provided by Koch Industries. These records reportedly revealed the IP addresses from which “a large number of connections” were directed at one or more of the company’s web sites. According to the FBI affidavit, such a traffic bombardment was “consistent with a denial of service attack.”

For example, Koch Industries records showed that one blogger accessed the firm’s Angel Soft toilet paper web site nearly 16,000 times during one nine-minute period in March. The DDoS attacks, according to the affidavit, also involved the Koch Industries web site ( and a web site for Quilted Northern, another of the firm’s toilet paper brands.

A DDoS attack attempts to flood a site with so many requests that it leaves the site unavailable for legitimate visitors. Such a swamping of a site is often done via the “firing” of a tool known as a Low Orbit Ion Cannon. Originally developed as an open source method to test network vulnerabilities, the LOIC “can be modified to DDoS a target website by overwhelming that websites’ servers with a high volume of repeated requests until the site becomes inoperable,” according to the FBI affidavit.

Last week, the FBI arrested 14 individuals who were indicted for allegedly participating in a DDoS attack against PayPal in retaliation for the company suspending the account of Wikileaks. The 12 individuals suspected of involvement in the Koch Industries attack are being investigated for an identical federal violation, knowingly causing the transmission of “a program, information, code, or command” that intentionally causes damage to a “protected computer.”

The FBI probe of the online assault on Koch Industries began after the company contacted the bureau’s Kansas City office on February 27 to report that its Quilted Northern site was under siege. Agent Richard Thompson was assigned to the case, which quickly grew to include DDoS efforts directed at the two other Koch Industries web sites.

The affidavit reveals that three days before the first DDoS attack was launched, Koch Industries received an e-mail warning that “Anonymous” was plotting an attack on several of the company’s web properties.  Sent to from the account “[email protected],” the message carried the subject line, “URGENT: Cyberattack Planned on Koch Web Properties.” The identity of the e-mail’s author is not disclosed in the FBI affidavit, nor is it clear whether agents even know who gave the company a heads-up about the plans of “Anonymous.”

The online confederation of hackers and activists targeted the Koch brothers in connection with the pair’s support of Wisconsin Governor Scott Walker, who earlier this year launched a crackdown on public employees unions that included the elimination of collective bargaining rights for state workers. In retaliation, “Anonymous” launched Operation Wisconsin, an effort aimed at exploiting “online loopholes and vulnerabilities into the systems and servers related to” the Koch brothers and Walker.

Charles (left) and David Koch are pictured above.

The FBI alleges that “Anonymous” publicized and organized the DDoS attacks via several Internet Real Chat (IRC) channels, including “#opkochblock” and “#opeternalruin.” Additionally, “Anonymous” members referred to postings on’s /b/ board which sought individuals willing to participate in the Koch Industries attack. One IRC message referred to an attempt to recruit 4channers: “need to be ready, cause im gearing up to bring /b/ over here for some brunch DDos.”

At the outset of the Koch Industries assault, an IRC poster asked if the Quilted Northern web site was being targeted. The response, the FBI noted, was, “yes we need moar loic gunhands, please target:” Subsequent advice included, “if you need more cannons, you have to spread the word of the attack” and "spam /b/." (8 pages)