12:47 PM

LulzSec's Sabu Was Identity Thief, Not Robin Hood

Federal indictment accuses Sabu of crossing a clear line between political expression and criminal activity.

Anonymous: 10 Facts About The Hacktivist Group
Anonymous: 10 Facts About The Hacktivist Group
(click image for larger view and for slideshow)

The hacktivist group LulzSec made a name for itself by cracking databases and servers sporting poor security, then publicizing what they'd been able to do and find. Groups as diverse as the Atlanta InfraGard chapter, Sony Pictures Entertainment, the U.S. Senate, and PBS saw their websites hacked and defaced, and sensitive information leaked.

The group portrayed itself as being a group devoted to "lulz," which is Internet slang that can be interpreted as "laughs, humor, or amusement." That definition comes from a 12-count federal indictment unsealed in federal court Tuesday against four men authorities said comprised part of the core of LulzSec: Ryan Ackroyd (aka kayla, lol, lolspoon), Jake Davis (aka topiary, atopiary), Darren Martyn (aka pwnsauce, raepsauce, networkkitten), and Donncha O'Cearrbhail (aka Palladium).

But a related 12-count indictment, also unsealed Tuesday, singled out 28-year-old Hector Xavier Monsegur (aka Sabu, Xavier DeLeon, Leon) as the LulzSec leader, in addition to being an ongoing participant in the hacktivist collective known as Anonymous. He reportedly pled guilty to all the charges leveled against him, which collectively carry a maximum prison sentence of 124 years and six months.

A post from Sabu's Twitter account Monday struck a seeming note of defiance: "The federal government is run by a bunch of [obscenity removed] cowards. Don't give in to these people. Fight back. Stay strong."

[ Learn about the newest trends and practices to help keep your company's data secure. Read 10 Lessons From RSA Security Conference. ]

The 27-page indictment against Monsegur details a striking number of exploits, some overtly political, some riffing on pop culture, and others seemingly just random. Notably, the indictment accused Monsegur of having participated in Operation Payback, which involved launching distributed denial of service (DDoS) attacks in retaliation for MasterCard, PayPal, Visa, and other payment providers cutting off funds to WikiLeaks. It also accuses him of hacking attacks against Tunisian, Zimbabwean, Algerian, and Yemini government servers. In cooperation with hacking group "Internet Feds"--of which Ackroyd, Davis, Martyn, and O'Cearrbhail were allegedly core members--Monsegur was also accused of hacking into HBGary and releasing thousands of emails.

Then there's the LulzSec band, which hacked into numerous sites and became famous for bragging about it. "Although the members of LulzSec and their co-conspirators claimed to have engaged in these attacks for humorous purposes ... LulzSec's criminal acts included, among other things, the theft of confidential information, including sensitive personal information for thousands of individuals, from their victims' computer systems; the public disclosure of that confidential information on the Internet; the defacement of Internet websites; and overwhelming victims' computers with bogus requests for information"--meaning DDoS attacks--according to the indictment.

If LulzSec built its reputation on merry pranks--such as releasing contact details for 73,000 X-Factor contestants--the indictment also accused Monsegur of outright fraud and other criminal activity.

For starters, Monsegur was accused of hacking into an automotive parts site and shipping himself four engines, worth a total of $3,450. Authorities also accused Monsegur of using stolen credit card numbers to pay off at least $1,000 in debts and sharing people's bank account, routing number, and personal information with others, meaning he engaged in identity theft.

"Those who suggest Sabu's actions were just hacktivism or 'for the lulz' need to recognize that Sabu wasn't a Robin Hood who nobly gave voice to a cause, but a thief who admitted to lining his own pockets," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post.

Would the dollar values attached to those crimes, had they been conducted using a stolen credit card, have even merited an investigation by local police? Regardless, when you add in illegally accessing and defacing government websites and numerous hacks of private businesses' sites, you can expect the FBI to start investigating.

On a related note, after a 50-day hacking spree, LulzSec--without warning--bid adieu in June 2011. At the time, the group's unexpected retirement appeared to mark yet another random move from the chaos-craving band.

Thanks to the federal indictments unsealed Tuesday, however, it's now clear that Monsegur had been busted that month, after which he began cooperating with the FBI. The cooperation even went so far as using FBI-provided servers to unpack stolen information, including emails stolen from Stratfor, which were then shared with WikiLeaks.

Accordingly to the indictment, he also helped the bureau to amass evidence against other LulzSec and Anonymous participants. For example, he lured O'Cearrbhail, on an anonymous chat, into revealing which VPN service he used to obscure his identity. Investigators were then able to correlate login times with O'Cearrbhail's IP address, which they used to help positively identify the Irish citizen, who’s accused of leaking a transatlantic law enforcement conference call discussing ongoing investigations into LulzSec and Anonymous.

To protect company and customer data, we need to determine what makes it so vulnerable and appealing. We also need to understand how hackers operate, and what tools and processes they rely on. In our How (And Why) Attackers Choose Their Targets report, we explain how to ensure the best defense by thinking like an attacker and identifying the weakest link in your own corporate data chain. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
3/7/2012 | 6:21:00 PM
re: LulzSec's Sabu Was Identity Thief, Not Robin Hood
I believe the VPN service Sabu used was although was also used in many other attacks according to reports last September. It will be interesting to see how these VPN service providers privacy polices hold up to the law in which countries they are registered in.
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-02-26
The Authentication Proxy feature in Cisco IOS does not properly handle invalid AAA return codes from RADIUS and TACACS+ servers, which allows remote attackers to bypass authentication in opportunistic circumstances via a connection attempt that triggers an invalid code, as demonstrated by a connecti...

Published: 2015-02-26
Multiple cross-site scripting (XSS) vulnerabilities in the help pages in Cisco Common Services, as used in Cisco Prime LAN Management Solution (LMS) and Cisco Security Manager, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug IDs CSCuq54654 and CSCun1...

Published: 2015-02-26
Race condition in the Neighbor Discovery (ND) protocol implementation in Cisco IOS and IOS XE allows remote attackers to cause a denial of service via a flood of Router Solicitation messages on the local network, aka Bug ID CSCuo67770.

Published: 2015-02-26
Cross-site request forgery (CSRF) vulnerability in the web GUI in Cisco Application Networking Manager (ANM), and Device Manager (DM) on Cisco 4710 Application Control Engine (ACE) appliances, allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuo99753.

Published: 2015-02-26
Multiple cross-site scripting (XSS) vulnerabilities in zencart-ja (aka Zen Cart Japanese edition) 1.3 jp through jp8 and 1.5 ja through 1.5.1 ja allow remote attackers to inject arbitrary web script or HTML via a crafted parameter, related to admin/includes/init_includes/init_sanitize.php an...

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.